TY - GEN
T1 - Defending Substitution-Based Profile Pollution Attacks on Sequential Recommenders
AU - Yue, Zhenrui
AU - Zeng, Huimin
AU - Kou, Ziyi
AU - Shang, Lanyu
AU - Wang, Dong
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/9/12
Y1 - 2022/9/12
N2 - While sequential recommender systems achieve significant improvements on capturing user dynamics, we argue that sequential recommenders are vulnerable against substitution-based profile pollution attacks. To demonstrate our hypothesis, we propose a substitution-based adversarial attack algorithm, which modifies the input sequence by selecting certain vulnerable elements and substituting them with adversarial items. In both untargeted and targeted attack scenarios, we observe significant performance deterioration using the proposed profile pollution algorithm. Motivated by such observations, we design an efficient adversarial defense method called Dirichlet neighborhood sampling. Specifically, we sample item embeddings from a convex hull constructed by multi-hop neighbors to replace the original items in input sequences. During sampling, a Dirichlet distribution is used to approximate the probability distribution in the neighborhood such that the recommender learns to combat local perturbations. Additionally, we design an adversarial training method tailored for sequential recommender systems. In particular, we represent selected items with one-hot encodings and perform gradient ascent on the encodings to search for the worst case linear combination of item embeddings in training. As such, the embedding function learns robust item representations and the trained recommender is resistant to test-time adversarial examples. Extensive experiments show the effectiveness of both our attack and defense methods, which consistently outperform baselines by a significant margin across model architectures and datasets.
AB - While sequential recommender systems achieve significant improvements on capturing user dynamics, we argue that sequential recommenders are vulnerable against substitution-based profile pollution attacks. To demonstrate our hypothesis, we propose a substitution-based adversarial attack algorithm, which modifies the input sequence by selecting certain vulnerable elements and substituting them with adversarial items. In both untargeted and targeted attack scenarios, we observe significant performance deterioration using the proposed profile pollution algorithm. Motivated by such observations, we design an efficient adversarial defense method called Dirichlet neighborhood sampling. Specifically, we sample item embeddings from a convex hull constructed by multi-hop neighbors to replace the original items in input sequences. During sampling, a Dirichlet distribution is used to approximate the probability distribution in the neighborhood such that the recommender learns to combat local perturbations. Additionally, we design an adversarial training method tailored for sequential recommender systems. In particular, we represent selected items with one-hot encodings and perform gradient ascent on the encodings to search for the worst case linear combination of item embeddings in training. As such, the embedding function learns robust item representations and the trained recommender is resistant to test-time adversarial examples. Extensive experiments show the effectiveness of both our attack and defense methods, which consistently outperform baselines by a significant margin across model architectures and datasets.
UR - http://www.scopus.com/inward/record.url?scp=85139558321&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85139558321&partnerID=8YFLogxK
U2 - 10.1145/3523227.3546770
DO - 10.1145/3523227.3546770
M3 - Conference contribution
AN - SCOPUS:85139558321
T3 - RecSys 2022 - Proceedings of the 16th ACM Conference on Recommender Systems
SP - 59
EP - 70
BT - RecSys 2022 - Proceedings of the 16th ACM Conference on Recommender Systems
PB - Association for Computing Machinery
T2 - 16th ACM Conference on Recommender Systems, RecSys 2022
Y2 - 18 September 2022 through 23 September 2022
ER -