
A Cognitive Distribution and Behavior-Consistent Framework for Black-Box Attacks on Recommender Systems

Hongyue Zhan, Mingming Li, Dongqin Liu, Hui Wang, Yaning Zhang, Xi Zhou, Honglei Lv, Jiao Dai, Jizhong Han

TL;DR

This work tackles the security of black-box sequential recommender systems by introducing a dual-enhanced framework that couples cognitive distribution-driven distillation with behavior-consistent pollution item generation. It converts discrete ranking signals into continuous value distributions using attention decay (primacy effect and position bias) and couples this with hybrid gradient and collaborative signals to craft semantically coherent adversarial sequences. Empirical results across ML-1M, Steam, and Beauty show superior attack success and evasion rates across multiple architectures, highlighting robustness and stealth. The findings urge defenses that assess semantic plausibility and cognitive consistency of user sequences, not just statistical deviations, to build more secure and trustworthy recommender systems.

Abstract

With the growing deployment of sequential recommender systems in e-commerce and other fields, their black-box interfaces raise security concerns: models are vulnerable to extraction and subsequent adversarial manipulation. Existing black-box extraction attacks primarily rely on hard labels or pairwise learning, often ignoring the importance of ranking positions, which results in incomplete knowledge transfer. Moreover, adversarial sequences generated via pure gradient methods lack semantic consistency with real user behavior, making them easily detectable. To overcome these limitations, this paper proposes a dual-enhanced attack framework. First, drawing on primacy effects and position bias, we introduce a cognitive distribution-driven extraction mechanism that maps discrete rankings into continuous value distributions with position-aware decay, thereby advancing from order alignment to cognitive distribution alignment. Second, we design a behavior-aware noisy item generation strategy that jointly optimizes collaborative signals and gradient signals. This ensures both semantic coherence and statistical stealth while effectively promoting target item rankings. Extensive experiments on multiple datasets demonstrate that our approach significantly outperforms existing methods in both attack success rate and evasion rate, validating the value of integrating cognitive modeling and behavioral consistency for secure recommender systems.

Paper Structure

This paper contains 22 sections, 6 equations, 6 figures, 1 table, 1 algorithm.

Figures (6)

  • Figure 1: Dual-enhanced black-box attack framework.
  • Figure 2: Concealment comparison: gradient-based vs our behavior-consistent pollution. Pure gradient attacks select semantically unrelated items (e.g., an intelligent speaker for running headphones), improving ranking but violating user patterns and increasing detectability. Our method achieves higher concealment by introducing items (e.g., object motion headphones) aligning with both gradient effectiveness and historical collaborative behavior.
  • Figure 3: Performance comparison of different profile pollution attack methods.
  • Figure 4: Results of ablation experiments on the ML-1M dataset.
  • Figure 5: Comparison of Different Attenuation Factors Extracted by NARM Structure on ML-1M Dataset.
  • ...and 1 more figures