
Improving the Shortest Plank: Vulnerability-Aware Adversarial Training for Robust Recommender System

Kaike Zhang, Qi Cao, Yunfan Wu, Fei Sun, Huawei Shen, Xueqi Cheng

TL;DR

This paper tackles poisoning attacks in open recommender systems by observing that only a subset of users is vulnerable and that vulnerability fluctuates during model training. It introduces Vulnerability-Aware Adversarial Training (VAT), which estimates user vulnerability via a loss-based function $g(\mathcal{L}(u|\Theta))$ and applies user-adaptive perturbations $\Delta^{\mathrm{VAT}}_{u,i} = \rho g(\mathcal{L}(u|\Theta)) \frac{\Gamma_{u,i}}{\|\Gamma_{u,i}\|}$ within a constrained optimization, aiming to reduce attack success while preserving recommendation quality. Extensive experiments on Gowalla, Yelp2018, and MIND with MF and LightGCN show VAT consistently lowers the attack success ratio (e.g., over 20% on average) and even improves backbone recommendation performance. The method demonstrates robustness across diverse attack types and datasets, making it practical for improving the reliability of real-world recommender systems without relying on attacker priors.

Abstract

Recommender systems play a pivotal role in mitigating information overload in various fields. Nonetheless, the inherent openness of these systems introduces vulnerabilities, allowing attackers to insert fake users into the system's training data to skew the exposure of certain items, known as poisoning attacks. Adversarial training has emerged as a notable defense mechanism against such poisoning attacks within recommender systems. Existing adversarial training methods apply perturbations of the same magnitude across all users to enhance system robustness against attacks. Yet, in reality, we find that attacks often affect only a subset of users who are vulnerable. These perturbations of indiscriminate magnitude make it difficult to balance effective protection for vulnerable users without degrading recommendation quality for those who are not affected. To address this issue, our research delves into understanding user vulnerability. Considering that poisoning attacks pollute the training data, we note that the higher degree to which a recommender system fits users' training data correlates with an increased likelihood of users incorporating attack information, indicating their vulnerability. Leveraging these insights, we introduce the Vulnerability-aware Adversarial Training (VAT), designed to defend against poisoning attacks in recommender systems. VAT employs a novel vulnerability-aware function to estimate users' vulnerability based on the degree to which the system fits them. Guided by this estimation, VAT applies perturbations of adaptive magnitude to each user, not only reducing the success ratio of attacks but also preserving, and potentially enhancing, the quality of recommendations. Comprehensive experiments confirm VAT's superior defensive capabilities across different recommendation models and against various types of attacks.
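The user-adaptive perturbation from the TL;DR, $\Delta^{\mathrm{VAT}}_{u,i} = \rho\, g(\mathcal{L}(u|\Theta)) \frac{\Gamma_{u,i}}{\|\Gamma_{u,i}\|}$, worked through for a toy matrix-factorization model. This is an added example, not the authors' code. The BPR loss, the closed form of $g$, the use of the loss gradient with respect to the user embedding as $\Gamma_{u,i}$, and all embeddings are assumptions constructed for illustration.

```python
import math

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def bpr_loss_and_grad(p_u, q_pos, q_neg):
    """BPR loss for one (user, positive, negative) triple and its gradient
    w.r.t. the user embedding (assumed here to play the role of Gamma_{u,i})."""
    margin = dot(p_u, q_pos) - dot(p_u, q_neg)
    loss = -math.log(sigmoid(margin))
    coeff = -(1.0 - sigmoid(margin))            # d loss / d margin
    grad = [coeff * (a - b) for a, b in zip(q_pos, q_neg)]
    return loss, grad

def g_assumed(loss_u, mean_loss):
    """Assumed vulnerability function: decreasing in the user's loss and
    bounded in (0, 1). The page does not give g's closed form."""
    return sigmoid((mean_loss - loss_u) / mean_loss)

def vat_perturbations(users, q_pos, q_neg, rho):
    """Return {user: Delta} with Delta = rho * g(L(u)) * Gamma / ||Gamma||."""
    stats = {u: bpr_loss_and_grad(p, q_pos, q_neg) for u, p in users.items()}
    mean_loss = sum(loss for loss, _ in stats.values()) / len(stats)
    out = {}
    for u, (loss, grad) in stats.items():
        norm = math.sqrt(dot(grad, grad)) or 1.0   # guard against a zero gradient
        scale = rho * g_assumed(loss, mean_loss)   # per-user magnitude
        out[u] = [scale * x / norm for x in grad]
    return out

# Constructed toy embeddings: one well-fitted user (low loss) and one
# under-fitted user (high loss) scored against the same item pair.
USERS = {"well_fitted": [2.0, 0.0], "under_fitted": [0.1, 0.0]}
Q_POS, Q_NEG = [1.0, 0.0], [-1.0, 0.0]

def demo(rho=0.5):
    """Perturbation magnitude per user; uniform training would give rho to both."""
    deltas = vat_perturbations(USERS, Q_POS, Q_NEG, rho)
    return {u: math.sqrt(dot(d, d)) for u, d in deltas.items()}

if __name__ == "__main__":
    print(demo())
```

The well-fitted user receives the larger perturbation, while the under-fitted user is perturbed less than the uniform budget $\rho$ would impose.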

Paper Structure (28 sections, 6 equations, 8 figures, 4 tables)

This paper contains 28 sections, 6 equations, 8 figures, 4 tables.

Figures (8)

  • Figure 1: (a) Illustrates that only a minority of users are affected by a given attack. (b) Demonstrates that applying the same magnitude of perturbations can lead to damaged performance for users not vulnerable to attacks or fail to effectively protect those who are vulnerable.
  • Figure 2: User vulnerability fluctuates. (1) Few users are consistently vulnerable; (2) most users who have been successfully attacked change status multiple times.
  • Figure 3: Users with lower losses are more likely to be affected by attacks in comparison to those with higher losses.
  • Figure 4: Embeddings of well-fitted user and under-fitted user. The cosine similarities in the original space for the two users to the target item are 0.7570 (well-fitted user) and 0.5309 (under-fitted user).
  • Figure 5: Robustness against popular items promotion.
  • ...and 3 more figures