Table of Contents
Fetching ...

LLM-Based User Simulation for Low-Knowledge Shilling Attacks on Recommender Systems

Shengkang Gu, Jiahao Liu, Dongsheng Li, Guangping Zhang, Mingzhe Han, Hansu Gu, Peng Zhang, Ning Gu, Li Shang, Tun Lu

TL;DR

Agent4SR introduces LLM-based fake-user agents to execute low-knowledge shilling attacks on recommender systems by jointly generating ratings and reviews. The framework combines target-aware profile construction, hybrid memory retrieval, and a target feature propagation strategy to maximize the target item’s exposure while maintaining realism. Empirical results across rating-only and rating+review RS show that Agent4SR outperforms baselines in effectiveness and detection resistance, with notable vulnerability observed for long-tail items and low-activity users. The work underscores emergent security risks posed by LLM-driven agents in RS and suggests defense directions based on retrieval-augmented generation and enhanced anomaly detection.

Abstract

Recommender systems (RS) are increasingly vulnerable to shilling attacks, where adversaries inject fake user profiles to manipulate system outputs. Traditional attack strategies often rely on simplistic heuristics, require access to internal RS data, and overlook the manipulation potential of textual reviews. In this work, we introduce Agent4SR, a novel framework that leverages Large Language Model (LLM)-based agents to perform low-knowledge, high-impact shilling attacks through both rating and review generation. Agent4SR simulates realistic user behavior by orchestrating adversarial interactions, selecting items, assigning ratings, and crafting reviews, while maintaining behavioral plausibility. Our design includes targeted profile construction, hybrid memory retrieval, and a review attack strategy that propagates target item features across unrelated reviews to amplify manipulation. Extensive experiments on multiple datasets and RS architectures demonstrate that Agent4SR outperforms existing low-knowledge baselines in both effectiveness and stealth. Our findings reveal a new class of emergent threats posed by LLM-driven agents, underscoring the urgent need for enhanced defenses in modern recommender systems.

LLM-Based User Simulation for Low-Knowledge Shilling Attacks on Recommender Systems

TL;DR

Agent4SR introduces LLM-based fake-user agents to execute low-knowledge shilling attacks on recommender systems by jointly generating ratings and reviews. The framework combines target-aware profile construction, hybrid memory retrieval, and a target feature propagation strategy to maximize the target item’s exposure while maintaining realism. Empirical results across rating-only and rating+review RS show that Agent4SR outperforms baselines in effectiveness and detection resistance, with notable vulnerability observed for long-tail items and low-activity users. The work underscores emergent security risks posed by LLM-driven agents in RS and suggests defense directions based on retrieval-augmented generation and enhanced anomaly detection.

Abstract

Recommender systems (RS) are increasingly vulnerable to shilling attacks, where adversaries inject fake user profiles to manipulate system outputs. Traditional attack strategies often rely on simplistic heuristics, require access to internal RS data, and overlook the manipulation potential of textual reviews. In this work, we introduce Agent4SR, a novel framework that leverages Large Language Model (LLM)-based agents to perform low-knowledge, high-impact shilling attacks through both rating and review generation. Agent4SR simulates realistic user behavior by orchestrating adversarial interactions, selecting items, assigning ratings, and crafting reviews, while maintaining behavioral plausibility. Our design includes targeted profile construction, hybrid memory retrieval, and a review attack strategy that propagates target item features across unrelated reviews to amplify manipulation. Extensive experiments on multiple datasets and RS architectures demonstrate that Agent4SR outperforms existing low-knowledge baselines in both effectiveness and stealth. Our findings reveal a new class of emergent threats posed by LLM-driven agents, underscoring the urgent need for enhanced defenses in modern recommender systems.
Paper Structure (39 sections, 16 equations, 7 figures, 4 tables, 1 algorithm)

This paper contains 39 sections, 16 equations, 7 figures, 4 tables, 1 algorithm.

Figures (7)

  • Figure 1: Overview of Agent4SR. As shown, injecting fake user profiles generated by LLM-based user agents manipulates recommendations and substantially boosts the target item’s ranking.
  • Figure 2: The overall framework of Agent4SR. It starts with target item analysis and profile inference, followed by profile validation and diversification. Fake user agents interact with filler items using hybrid memory retrieval, while a target feature propagation strategy embeds key target attributes into reviews on filler items.
  • Figure 3: Heatmaps of RMSE/MAE shift ($\Delta$Value) across attacks and datasets. Lighter colors indicate smaller shifts. Red denotes increased RMSE/MAE (performance drop), blue denotes decreased RMSE/MAE (performance gain). Scales are normalized per subplot.
  • Figure 4: Precision-Recall results under two detectors. Lower values indicate better stealthiness of the attack.
  • Figure 5: Attack effectiveness at different injection rates. Each subfigure corresponds to a victim RS.
  • ...and 2 more figures