Defending Substitution-Based Profile Pollution Attacks on Sequential Recommenders

Zhenrui Yue, Huimin Zeng, Ziyi Kou, Lanyu Shang, Dong Wang

Research output: Chapter in Book/Report/Conference proceedingConference contribution


While sequential recommender systems achieve significant improvements on capturing user dynamics, we argue that sequential recommenders are vulnerable against substitution-based profile pollution attacks. To demonstrate our hypothesis, we propose a substitution-based adversarial attack algorithm, which modifies the input sequence by selecting certain vulnerable elements and substituting them with adversarial items. In both untargeted and targeted attack scenarios, we observe significant performance deterioration using the proposed profile pollution algorithm. Motivated by such observations, we design an efficient adversarial defense method called Dirichlet neighborhood sampling. Specifically, we sample item embeddings from a convex hull constructed by multi-hop neighbors to replace the original items in input sequences. During sampling, a Dirichlet distribution is used to approximate the probability distribution in the neighborhood such that the recommender learns to combat local perturbations. Additionally, we design an adversarial training method tailored for sequential recommender systems. In particular, we represent selected items with one-hot encodings and perform gradient ascent on the encodings to search for the worst case linear combination of item embeddings in training. As such, the embedding function learns robust item representations and the trained recommender is resistant to test-time adversarial examples. Extensive experiments show the effectiveness of both our attack and defense methods, which consistently outperform baselines by a significant margin across model architectures and datasets.

Original languageEnglish (US)
Title of host publicationRecSys 2022 - Proceedings of the 16th ACM Conference on Recommender Systems
PublisherAssociation for Computing Machinery
Number of pages12
ISBN (Electronic)9781450392785
StatePublished - Sep 12 2022
Event16th ACM Conference on Recommender Systems, RecSys 2022 - Seattle, United States
Duration: Sep 18 2022Sep 23 2022

Publication series

NameRecSys 2022 - Proceedings of the 16th ACM Conference on Recommender Systems


Conference16th ACM Conference on Recommender Systems, RecSys 2022
Country/TerritoryUnited States

ASJC Scopus subject areas

  • Hardware and Architecture
  • Software


Dive into the research topics of 'Defending Substitution-Based Profile Pollution Attacks on Sequential Recommenders'. Together they form a unique fingerprint.

Cite this