Retrieval-Augmented Review Generation for Poisoning Recommender Systems

Shiyi Yang, Xinshu Li, Guanglin Zhou, Chen Wang, Xiwei Xu, Liming Zhu, Lina Yao

TL;DR

This paper proposes a novel practical attack framework named RAGAN that generates high-quality fake user profiles, which in turn give insight into the robustness of RSs, and introduces a demonstration retrieval algorithm and a text style transfer strategy to augment naive ICL.

Abstract

Recent studies have shown that recommender systems (RSs) are highly vulnerable to data poisoning attacks, in which malicious actors inject fake user profiles, each consisting of a group of well-designed fake ratings, to manipulate recommendations. Because of security and privacy constraints in practice, attackers typically have limited knowledge of the victim system and therefore need to craft profiles that transfer across black-box RSs. To maximize the attack impact, the profiles also need to remain imperceptible. Generating such high-quality profiles with restricted resources is challenging, however. Some works suggest incorporating fake textual reviews to strengthen the profiles; yet the poor quality of those reviews largely undermines attack effectiveness and imperceptibility in the practical setting. To tackle these challenges, in this paper we propose to enhance the quality of the review text by harnessing the in-context learning (ICL) capabilities of multimodal foundation models. To this end, we introduce a demonstration retrieval algorithm and a text style transfer strategy to augment naive ICL. Specifically, we propose a novel practical attack framework named RAGAN that generates high-quality fake user profiles, which in turn give insight into the robustness of RSs. The profiles are generated by a jailbreaker and collaboratively optimized by an instructional agent and a guardian to improve attack transferability and imperceptibility. Comprehensive experiments on various real-world datasets demonstrate that RAGAN achieves state-of-the-art poisoning attack performance.

Paper Structure

This paper contains 35 sections, 15 equations, 6 figures, 6 tables, 1 algorithm.

Figures (6)

  • Figure 1: The practical attack framework RAGAN consists of three modules: 1) a Jailbreaker that is responsible for generating fake user profiles containing both numerical ratings and textual reviews, where the quality of the profiles is strengthened through in-context learning enhanced with multimodal demonstration retrieval and text style transfer; 2) an Instructional Agent that is designed to improve attack transferability; and 3) a Guardian that is aimed at enhancing the imperceptibility of the profiles.
  • Figure 2: An example of a multimodal prompt within the well-crafted prompt template that is fed into a foundation model for fake review generation, where top-$k$ demonstration examples are obtained by our multimodal demonstration retrieval algorithm and our text style transfer strategy is integrated into the chain-of-thought reasoning process.
  • Figure 3: An example of reviews for a target item in the fake user profiles generated by RAGAN.
  • Figure 4: Visualization of RAGAN's fake user profiles and real user profiles on real-world datasets. The attack profiles overlap with normal profiles, reflecting a global semantic alignment and demonstrating the imperceptibility of RAGAN.
  • Figure 5: Average text perplexity of generated reviews from different attacks with varying knowledge on real-world datasets.
  • ...and 1 more figure