Precision Profile Pollution Attack on Sequential Recommenders via Influence Function

TL;DR

This work investigates profile pollution attacks on sequential recommender systems and introduces INFAttack, an influence-function based method to estimate and maximize the impact of injected items on promoting a target item. By formulating the attack through influence functions and efficiently approximating Hessian inverses, INFAttack greedily selects the most influential polluted sequences without retraining, achieving superior target-item promotion while maintaining plausible overall recommendations. Extensive experiments on five real-world datasets across four backbones show that INFAttack consistently outperforms gradient-based and heuristic baselines, with robust performance for both popular and unpopular items. The study provides a principled, scalable framework for attack evaluation and identifies avenues for defense against influence-based poisoning in sequential recommendations.

Abstract

Sequential recommendation approaches have demonstrated remarkable proficiency in modeling user preferences. Nevertheless, they are susceptible to profile pollution attacks (PPA), wherein items are introduced into a user's interaction history deliberately to influence the recommendation list. Since retraining the model for each polluted item is time-consuming, recent PPAs estimate item influence based on gradient directions to identify the most effective attack candidates. However, the actual item representations diverge significantly from the gradients, resulting in disparate outcomes.To tackle this challenge, we introduce an INFluence Function-based Attack approach INFAttack that offers a more accurate estimation of the influence of polluting items. Specifically, we calculate the modifications to the original model using the influence function when generating polluted sequences by introducing specific items. Subsequently, we choose the sequence that has been most significantly influenced to substitute the original sequence, thus promoting the target item. Comprehensive experiments conducted on five real-world datasets illustrate that INFAttack surpasses all baseline methods and consistently delivers stable attack performance for both popular and unpopular items.

Figures (8)

• Figure 1: Disadvantages of the FGSM attack method. The white circle, green circle, and red circle indicate the initial item, the optimal item found by the current gradient method, and the real optimal item, respectively.
• Figure 2: Profile pollution attack problem defined in this work for sequential recommendation: an attacker injects certain items into a user's interaction sequence to create polluted sequences, such that the model trained on the polluted data could enhance the recommendation of a target item compared to the model trained on the clearing data.
• Figure 3: The overall framework of the proposed INFAttack method, which mainly includes two parts: 1) candidate polluted sequence generation; and 2) polluted sequence screening.
• Figure 4: Illustration of generating candidate polluted sequences: (a) the case of injecting $1$ item, resulting in $m$ candidate polluted sequences; (b) the case of injecting $2$ items, resulting in $m$ candidate polluted sequences.
• Figure 5: The performance change of attack methods compared to the 'Clean' model regarding recommending the target items (i.e., attack method - clean model)