Diversity-aware Dual-promotion Poisoning Attack on Sequential Recommendation

TL;DR

This work addresses the vulnerability of sequential recommender systems to targeted data poisoning by revealing a conflict between attack objectives and standard recommendation goals. It introduces DDSP, a Diversity-aware Dual-promotion Sequential Poisoning framework that jointly promotes a target item and users' genuine preferences using a dual-promotion objective and a diversity-aware, auto-regressive sequence generator. By optimizing a surrogate model with an attack loss that aligns the target with user-preferred items and a re-ranking strategy to diversify poisoning sequences, DDSP achieves superior attack success while maintaining recommendation quality across real-world datasets and two victim models. The approach reduces detectability through diversification and avoids heavy bi-level optimization, offering practical implications for adversarial risk assessment and defense design in SRS deployments.

Abstract

Sequential recommender systems (SRSs) excel in capturing users' dynamic interests, thus playing a key role in various industrial applications. The popularity of SRSs has also driven emerging research on their security aspects, where data poisoning attack for targeted item promotion is a typical example. Existing attack mechanisms primarily focus on increasing the ranks of target items in the recommendation list by injecting carefully crafted interactions (i.e., poisoning sequences), which comes at the cost of demoting users' real preferences. Consequently, noticeable recommendation accuracy drops are observed, restricting the stealthiness of the attack. Additionally, the generated poisoning sequences are prone to substantial repetition of target items, which is a result of the unitary objective of boosting their overall exposure and lack of effective diversity regularizations. Such homogeneity not only compromises the authenticity of these sequences, but also limits the attack effectiveness, as it ignores the opportunity to establish sequential dependencies between the target and many more items in the SRS. To address the issues outlined, we propose a Diversity-aware Dual-promotion Sequential Poisoning attack method named DDSP for SRSs. Specifically, by theoretically revealing the conflict between recommendation and existing attack objectives, we design a revamped attack objective that promotes the target item while maintaining the relevance of preferred items in a user's ranking list. We further develop a diversity-aware, auto-regressive poisoning sequence generator, where a re-ranking method is in place to sequentially pick the optimal items by integrating diversity constraints.

Figures (7)

• Figure 1: A toy example illustrating the comparison of a user’s recommendation lists across three scenarios: non-attack, existing attack, and ideal attack (proposed method).
• Figure 2: The framework of our proposed DDSP.
• Figure 3: (Left) Comparison of the training curves for two recommendation objectives -- $\mathcal{L}_{rec-BPR}$ and $\mathcal{L}_{rec-BCE}$ (green lines) and two attack objectives -- $\mathcal{L}_{atk-list}$ and $\mathcal{L}_{atk-pair}$ (purple lines), as the positive item score $y_{ui^+}$ increases. We assume non-negativity of all embeddings. For visualization purpose, we set one each for positive, negative, and target items, and we fix the scores of target and negative items respectively to $\hat{y}_{ut}=1$ and $\hat{y}_{ui^-}=0$. (Right) A toy example showing how the user, target item, and user‐preferred items move in the feature space under the influence of the recommendation objective and the attack objective.
• Figure 4: Performance comparison w.r.t. HR@10 of CW loss and DPAO across three datasets on two backbones.
• Figure 5: Attack and recommendation performance w.r.t. HR@10 across two datasets under various attack sizes. Bar charts show attack metrics, while line charts indicate recommendation metrics.