
IndirectAD: Practical Data Poisoning Attacks against Recommender Systems for Item Promotion

Zihao Wang, Tianhao Mao, XiaoFeng Wang, Di Tang, Xiaozhong Liu

TL;DR

This work tackles the practicality gap in data poisoning of recommender systems by introducing IndirectAD, a Trojan-inspired attack that uses a trigger item to indirectly promote a target item. By training a substitute model, selecting an easily promotable trigger, and enforcing co-occurrence with the target via adversarial optimization and PGD data injections, IndirectAD achieves measurable HR@20 gains at poisoning ratios as low as $\gamma=0.0005$ in multiple datasets and models. The method demonstrates transferability across victim models and remains effective under realistic constraints, underscoring a serious security risk for today’s recommendation pipelines. The study also analyzes the influence of item popularity, user-group diversity, trigger selection, display window, and defenses, and discusses countermeasures including detection and adversarial-robust training to improve resilience.

Abstract

Recommender systems play a central role in digital platforms by providing personalized content. They often use methods such as collaborative filtering and machine learning to accurately predict user preferences. Although these systems offer substantial benefits, they are vulnerable to security and privacy threats, especially data poisoning attacks. By inserting misleading data, attackers can manipulate recommendations for purposes ranging from boosting product visibility to shaping public opinion. Despite these risks, concerns are often downplayed because such attacks typically require controlling at least 1% of the platform's user base, a difficult task on large platforms. We tackle this issue by introducing the IndirectAD attack, inspired by Trojan attacks on machine learning. IndirectAD reduces the need for a high poisoning ratio through a trigger item that is easier to recommend to the target users. Rather than directly promoting a target item that does not match a user's interests, IndirectAD first promotes the trigger item, then transfers that advantage to the target item by creating co-occurrence data between them. This indirect strategy delivers a stronger promotion effect while using fewer controlled user accounts. Our extensive experiments on multiple datasets and recommender systems show that IndirectAD can cause noticeable impact with only 0.05% of the platform's user base. Even in large-scale settings, IndirectAD remains effective, highlighting a more serious and realistic threat to today's recommender systems.
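The abstract's mechanism, co-occurrence data between a trigger item and a target item created through controlled accounts, suggests one defender-side audit: check which item pairs owe their co-occurrence mostly to recently created accounts. The sketch below is an added example, not code or a defense from the paper; the log layout, item names, account ages and thresholds (`new_days`, `min_users`, `min_new_share`) are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from itertools import combinations

def cooccurrence_audit(interactions, account_age, new_days=7,
                       min_users=3, min_new_share=0.8):
    """Flag item pairs whose co-occurrence comes mostly from new accounts.

    interactions: iterable of (user_id, item_id); account_age: user_id -> days.
    Returns rows (item_a, item_b, n_users, new_share, new_user_ids).
    """
    baskets = defaultdict(set)
    for user, item in interactions:
        baskets[user].add(item)
    pair_users = defaultdict(set)
    for user, items in baskets.items():
        for pair in combinations(sorted(items), 2):
            pair_users[pair].add(user)
    flagged = []
    for (a, b), users in pair_users.items():
        new = sorted(u for u in users if account_age[u] <= new_days)
        share = len(new) / len(users)
        if len(users) >= min_users and share >= min_new_share:
            flagged.append((a, b, len(users), share, new))
    return sorted(flagged, key=lambda r: (-r[3], -r[2]))

def suspect_ratio(flagged, total_users):
    """Share of the user base behind flagged pairs (compare with gamma)."""
    return len({u for row in flagged for u in row[4]}) / total_users

def sample_log():
    """Constructed data: 20 established users plus 4 two-day-old accounts."""
    log, age = [], {}
    for k in range(20):
        u = f"u{k}"
        age[u] = 200
        log += [(u, f"i{k % 5}"), (u, f"i{(k + 1) % 5}")]
        if k % 2 == 0:
            log.append((u, "trigger"))   # popular item with organic interest
    log.append(("u3", "target"))         # one organic view of the target
    for k in range(4):
        u = f"n{k}"
        age[u] = 2
        log += [(u, "trigger"), (u, "target"), (u, f"i{k}")]
    return log, age

if __name__ == "__main__":
    log, age = sample_log()
    rows = cooccurrence_audit(log, age)
    print(rows, suspect_ratio(rows, len(age)))
```

On a real platform the ratio returned by `suspect_ratio` would be compared against the scale the paper reports (0.05% of the user base), which is why the audit counts distinct accounts per pair rather than raw interaction volume.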

Paper Structure

This paper contains 25 sections, 12 equations, 3 figures, 5 tables, 1 algorithm.

Figures (3)

  • Figure 1: Overview of the IndirectAD approach.
  • Figure 2: Overview of the IndirectAD approach. The attacker first trains a substitute model on partial training data, then identifies a suitable trigger item with broad appeal. Next, the attacker seeds the dataset with co-occurrences of the trigger and target items via newly created user profiles. Finally, adversarial optimization refines these profiles to strengthen the association between trigger, target, and intended user groups, effectively promoting the target item even at a low poisoning ratio.
  • Figure 3: Detectability of IndirectAD.