Retrieval-Augmented Purifier for Robust LLM-Empowered Recommendation

Liangbo Ning, Wenqi Fan, Qing Li

TL;DR

This work tackles the vulnerability of LLM-empowered recommender systems to small perturbations in user histories. It introduces RETURN, a training-free, retrieval-augmented purifier that leverages external collaborative signals from multi-hop item graphs to locate and cleanse perturbations, followed by a robust ensemble strategy to produce reliable recommendations. Across three real-world datasets and two victim LLMs, RETURN consistently mitigates attack impact, improves performance under adversarial perturbations, and preserves personalization for benign users. The approach demonstrates significant practical potential by enabling robust, plug-and-play defense for LLM-based RecSys through external knowledge integration and ensemble decision fusion.

Abstract

Recently, Large Language Model (LLM)-empowered recommender systems have revolutionized personalized recommendation frameworks and attracted extensive attention. Despite the remarkable success, existing LLM-empowered RecSys have been demonstrated to be highly vulnerable to minor perturbations. To mitigate the negative impact of such vulnerabilities, one potential solution is to employ collaborative signals based on item-item co-occurrence to purify the malicious collaborative knowledge that attackers insert into the user's historical interactions. On the other hand, owing to their capability to expand the insufficient internal knowledge of LLMs, Retrieval-Augmented Generation (RAG) techniques provide unprecedented opportunities to enhance the robustness of LLM-empowered recommender systems by introducing external collaborative knowledge. Therefore, in this paper, we propose a novel framework (RETURN) that retrieves external collaborative signals to purify the poisoned user profiles and enhance the robustness of LLM-empowered RecSys in a plug-and-play manner. Specifically, retrieval-augmented perturbation positioning is proposed to identify potential perturbations within the users' historical sequences by retrieving external knowledge from collaborative item graphs. After that, we further retrieve the collaborative knowledge to cleanse the perturbations by using either deletion or replacement strategies and introduce a robust ensemble recommendation strategy to generate final robust predictions. Extensive experiments on three real-world datasets demonstrate the effectiveness of the proposed RETURN.
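The positioning and purification steps described in the abstract, as an added example that is not the authors' code: it builds an item co-occurrence graph from external sequences, scores each item of a user history against it, and then deletes or replaces the low-scoring items before the history would be placed in the LLM prompt. The scoring rule, `threshold`, `window`, all function names and the sample sequences are assumptions made for this example; the paper's own equations are not reproduced on this page, and the ensemble step is not covered.

```python
from collections import Counter, defaultdict

# Constructed benign interaction sequences standing in for the external database.
EXTERNAL_SEQUENCES = [
    ["laptop", "mouse", "keyboard", "monitor"], ["laptop", "keyboard", "usb_hub", "mouse"],
    ["mouse", "monitor", "laptop", "webcam"], ["keyboard", "monitor", "usb_hub", "laptop"],
    ["shirt", "ties", "belt", "shoes"], ["ties", "shirt", "shoes", "belt"],
]

def build_item_graph(sequences, window=2):
    """Weighted co-occurrence graph: an edge counts item pairs at most `window` steps apart."""
    graph = defaultdict(Counter)
    for seq in sequences:
        for i, a in enumerate(seq):
            for b in seq[i + 1 : i + 1 + window]:
                if a != b:
                    graph[a][b] += 1
                    graph[b][a] += 1
    return graph

def occurrence_score(item, history, graph):
    """Share of the item's edge weight that connects it to the rest of this history (assumed rule)."""
    total = sum(graph[item].values())
    if total == 0:
        return 0.0  # item unseen in the external data: no supporting evidence
    others = set(history) - {item}
    return sum(w for nb, w in graph[item].items() if nb in others) / total

def locate_perturbations(history, graph, threshold=0.2):
    """Items whose presence the retrieved collaborative signals do not support."""
    return [it for it in history if occurrence_score(it, history, graph) < threshold]

def purify(history, graph, mode="delete", threshold=0.2):
    """Delete suspected items, or replace each with the best-supported item not yet in the history."""
    suspects = set(locate_perturbations(history, graph, threshold))
    clean = [it for it in history if it not in suspects]
    if mode == "delete":
        return clean
    out = []
    for it in history:
        if it not in suspects:
            out.append(it)
            continue
        votes = Counter()
        for kept in clean:  # neighbours of the trusted items vote for the replacement
            votes.update({nb: w for nb, w in graph[kept].items() if nb not in history and nb not in out})
        if votes:
            out.append(max(sorted(votes), key=votes.get))  # alphabetical tie-break
    return out
```

With the constructed data, `ties` is flagged inside an electronics history but left alone inside a clothing history, which is the benign-user case the TL;DR refers to.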

Paper Structure

This paper contains 37 sections, 16 equations, 4 figures, 10 tables, 1 algorithm.

Figures (4)

  • Figure 1: Illustration of a robust LLM-empowered RecSys that introduces an external database (i.e., a collaborative item graph). Minor perturbations (e.g., the item 'Ties') in the user's historical sequence (i.e., the adversarial prompt) can mislead LLM-empowered recommender systems in understanding the user's preference. With the help of the external data source, LLM-empowered recommender systems can identify the irrelevant item 'Ties' by retrieving relevant collaborative signals (i.e., retrieved subgraphs) from the collaborative item graphs, so as to purify the perturbations for robust recommendation.
  • Figure 2: The overall framework of the proposed RETURN. The user interaction sequences in the external database are first converted to multi-hop collaborative item graphs. The occurrence probability of each item is computed based on the collaborative item graph for perturbation positioning. Finally, we purify the input prompt by retrieving collaborative signals from the collaborative item graphs for robust recommendation generation.
  • Figure 3: Defense Performance on TALLRec
  • Figure 4: Effect of the hyper-parameter $m$.