TY - GEN
T1 - Adversarial attacks on an oblivious recommender
AU - Christakopoulou, Konstantina
AU - Banerjee, Arindam
N1 - Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/9/10
Y1 - 2019/9/10
N2 - Can machine learning models be easily fooled? Despite the recent surge of interest in learned adversarial attacks in other domains, in the context of recommendation systems this question has mainly been answered using hand-engineered fake user profiles. This paper attempts to reduce this gap. We provide a formulation for learning to attack a recommender as a repeated general-sum game between two players, i.e., an adversary and a recommender oblivious to the adversary's existence. We consider the challenging case of poisoning attacks, which focus on the training phase of the recommender model. We generate adversarial user profiles targeting subsets of users or items, or generally the top-K recommendation quality. Moreover, we ensure that the adversarial user profiles remain unnoticeable by preserving proximity of the real user rating/interaction distribution to the adversarial fake user distribution. To cope with the challenge of the adversary not having access to the gradient of the recommender's objective with respect to the fake user profiles, we provide a non-trivial algorithm building upon zero-order optimization techniques. We offer a wide range of experiments, instantiating the proposed method for the case of the classic popular approach of a low-rank recommender, and illustrating the extent of the recommender's vulnerability to a variety of adversarial intents. These results can serve as a motivating point for more research into recommender defense strategies against machine learned attacks.
AB - Can machine learning models be easily fooled? Despite the recent surge of interest in learned adversarial attacks in other domains, in the context of recommendation systems this question has mainly been answered using hand-engineered fake user profiles. This paper attempts to reduce this gap. We provide a formulation for learning to attack a recommender as a repeated general-sum game between two players, i.e., an adversary and a recommender oblivious to the adversary's existence. We consider the challenging case of poisoning attacks, which focus on the training phase of the recommender model. We generate adversarial user profiles targeting subsets of users or items, or generally the top-K recommendation quality. Moreover, we ensure that the adversarial user profiles remain unnoticeable by preserving proximity of the real user rating/interaction distribution to the adversarial fake user distribution. To cope with the challenge of the adversary not having access to the gradient of the recommender's objective with respect to the fake user profiles, we provide a non-trivial algorithm building upon zero-order optimization techniques. We offer a wide range of experiments, instantiating the proposed method for the case of the classic popular approach of a low-rank recommender, and illustrating the extent of the recommender's vulnerability to a variety of adversarial intents. These results can serve as a motivating point for more research into recommender defense strategies against machine learned attacks.
KW - Learned Adversarial Attacks
KW - Recommender Systems
UR - http://www.scopus.com/inward/record.url?scp=85073369280&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85073369280&partnerID=8YFLogxK
U2 - 10.1145/3298689.3347031
DO - 10.1145/3298689.3347031
M3 - Conference contribution
AN - SCOPUS:85073369280
T3 - RecSys 2019 - 13th ACM Conference on Recommender Systems
SP - 322
EP - 330
BT - RecSys 2019 - 13th ACM Conference on Recommender Systems
PB - Association for Computing Machinery
T2 - 13th ACM Conference on Recommender Systems, RecSys 2019
Y2 - 16 September 2019 through 20 September 2019
ER -