Potent but Stealthy: Rethink Profile Pollution against Sequential Recommendation via Bi-level Constrained Reinforcement Paradigm
Jiajie Su, Zihan Nan, Yunshan Ma, Xiaobo Xia, Xiaohua Feng, Weiming Liu, Xiang Chen, Xiaolin Zheng, Chaochao Chen
TL;DR
This work targets the vulnerability of sequential recommenders to targeted Profile Pollution Attacks (PPA) and introduces CREAT, a bi-level constrained reinforcement framework that leverages Pattern Horizon-informed perturbations. It integrates a Pattern Balanced Rewarding Policy (pattern inversion and distribution-consistency rewards) with a Constrained Group Relative Reinforcement Learning paradigm (localization and constrained inversion stages using a dynamic barrier and group-replay). A Distribution Consistency Reward based on Dual-Level Optimal Transport (DLOT) constrains distributional shifts across global sequences and local patterns, enabling stealthy perturbations. Empirical results across three real-world datasets and two backbones demonstrate CREAT’s superior attack efficacy and stealth, while highlighting the challenge of defending against such sophisticated, pattern-level manipulations.
Abstract
Sequential Recommenders, which exploit dynamic user intents through interaction sequences, is vulnerable to adversarial attacks. While existing attacks primarily rely on data poisoning, they require large-scale user access or fake profiles thus lacking practicality. In this paper, we focus on the Profile Pollution Attack that subtly contaminates partial user interactions to induce targeted mispredictions. Previous PPA methods suffer from two limitations, i.e., i) over-reliance on sequence horizon impact restricts fine-grained perturbations on item transitions, and ii) holistic modifications cause detectable distribution shifts. To address these challenges, we propose a constrained reinforcement driven attack CREAT that synergizes a bi-level optimization framework with multi-reward reinforcement learning to balance adversarial efficacy and stealthiness. We first develop a Pattern Balanced Rewarding Policy, which integrates pattern inversion rewards to invert critical patterns and distribution consistency rewards to minimize detectable shifts via unbalanced co-optimal transport. Then we employ a Constrained Group Relative Reinforcement Learning paradigm, enabling step-wise perturbations through dynamic barrier constraints and group-shared experience replay, achieving targeted pollution with minimal detectability. Extensive experiments demonstrate the effectiveness of CREAT.