A Survey of Poisoning Attacks and Countermeasures in Recommender Systems
A repository of poison attacks against recommender systems, as well as their countermeasures. This repository is associated with our systematic review, entitled Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures .
A sortable version is available here: https://awesome-recsys-poisoning.github.io/
📌 We are actively tracking the latest research and welcome contributions to our repository and survey paper. If your studies are relevant, please feel free to create an issue or a pull request.
📰 2024-06-20: Our paper Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures has been accepted by ACM Computing Surveys (CSUR) (IF 16.6, Top 2%, CORE A*) in 2024.
If you find this work helpful in your research, welcome to cite the paper and give a ⭐.
Please read and cite our paper:
Nguyen, T.T., Nguyen, Q.V.H., Nguyen, T.T., Huynh, T.T., Nguyen, T.T., Weidlich, M. and Yin, H., 2024. Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures. arXiv preprint arXiv:2404.14942.
@article{nguyen2024manipulating,
title={Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures},
author={Nguyen, Thanh Toan and Nguyen, Quoc Viet Hung and Nguyen, Thanh Tam and Huynh, Thanh Trung and Nguyen, Thanh Thi and Weidlich, Matthias and Yin, Hongzhi},
journal={arXiv preprint arXiv:2404.14942},
year={2024}
}
Poisoning attacks are the process of tampering with the training data of a machine learning (ML) model in order to corrupt its availability and integrity. Below figure presents the typical process of a poisoning attack compared to the normal learning process. In the latter case, an ML model is trained based on data, which is subsequently used to derive a
recommendation. As such, the quality of the ML model depends on the quality of the data used for training. In a poisoning attack, data is injected into the training process, and hence the model, to produce unintended or harmful conclusions.
Paper
Venue
Year
Type
Data
Code
Poisoning GNN-based recommender systems with generative surrogate-based attacks
ACM TOIS
2023
Model-intrinsic
FR , ML , AMCP , LF
-
Shilling Black-Box Recommender Systems by Learning to Generate Fake User Profiles
IEEE Trans. Neural Netw. Learn. Syst
2022
Model-agnostic
ML , FT , YE , AAT
-
Knowledge enhanced Black-box Attacks for Recommendations
KDD
2022
Model-agnostic
ML , BC , LA
-
LOKI: A Practical Data Poisoning Attack Frameworkagainst Next Item Recommendations
TKDE
2022
Model-agnostic
ABT , St ,GOW
-
Pipattack: Poisoning federated recommender systems for manipulating item promotion
WSDM
2022
Model-intrinsic
ML , AMCP
-
Poisoning Deep Learning based Recommender Model in Federated Learning Scenarios
IJCAI
2022
Model-intrinsic
ML , ADM
Python
FedAttack: Effective and Covert Poisoning Attack on Federated Recommendation via Hard Sampling
Arxiv
2022
Model-intrinsic
ML , ABT
Python
UA-FedRec: Untargeted Attack on Federated News Recommendation
Arxiv
2022
Model-intrinsic
MIND , Feeds
Python
Triple Adversarial Learning for Influence based Poisoning Attack in Recommender Systems
KDD
2021
Model-agnostic
ML , FT
Python
Reverse Attack: Black-box Attacks on Collaborative Recommendation
CSS
2021
Model-agnostic
ML , NF , AMB & ADM , TW , G+ , CIT
-
Attacking Black-box Recommendations via Copying Cross-domain User Profiles
ICDE
2021
Model-agnostic
ML , NF
-
Simulating real profiles for shilling attacks: A generative approach
KBS
2021
Model-agnostic
ML
-
Ready for emerging threats to recommender systems? A graph convolution-based generative shilling attack
IS
2021
Model-agnostic
DB , CI
Python
Data poisoning attacks on neighborhoodbased recommender systems
ETT
2021
Model-intrinsic
FT , ML , AMV
-
Data Poisoning Attack against Recommender System Using Incomplete and Perturbed Data
KDD
2021
Model-intrinsic
ML , AIV
-
Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction
RecSys
2021
Model-intrinsic
ML ,St , ABT
Python
Poisoning attacks against knowledge graph-based recommendation systems using deep reinforcement learning
Neural. Comput. Appl.
2021
Model-intrinsic
ML , FTr
-
Adversarial Item Promotion: Vulnerabilities at the Core of Top-N Recommenders that Use Images to Address Cold Start
WWW
2021
Model-intrinsic
AMMN , TC
Python
Data poisoning attacks to deep learning based recommender systems
arXiv
2021
Model-intrinsic
ML , LA
-
Practical data poisoning attack against next-item recommendation
WWW
2020
Model-intrinsic
ABT
-
Influence function based data poisoning attacks to top-n recommender systems
WWW
2020
Model-intrinsic
YE , ADM
-
Attacking recommender systems with augmented user profiles
CIKM
2020
Model-agnostic
ML , FT , AAT
-
Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems
ICDE
2020
Model-agnostic
St , AMCP , ML
-
Revisiting adversarially learned injection attacks against recommender systems
RecSys
2020
Model-agnostic
GOW
Python
Adversarial attacks on an oblivious recommender
RecSys
2019
Model-intrinsic
ML
-
Targeted poisoning attacks on social recommender systems
GLOBECOM
2019
Model-intrinsic
FT
-
Data poisoning attacks on cross-domain recommendation
CIKM
2019
Model-intrinsic
NF , ML
-
Poisoning attacks to graph-based recommender systems
ACSAC
2018
Model-intrinsic
ML , AIV
-
Fake Co-visitation Injection Attacks to Recommender Systems
NDSS
2017
Model-intrinsic
YT , eB , AMV , YE , LI
-
Data poisoning attacks on factorization-based collaborative filtering
NIPS
2016
Model-intrinsic
ML
Python
Shilling recommender systems for fun and profit
WWW
2004
Model-agnostic
ML
In this section, we review detection methods in more detail, starting with supervised methods, before turning to semi-supervised methods and unsupervised methods
Paper
Venue
Year
Type
Data
Code
Anti-FakeU: Defending Shilling Attacks on Graph Neural Network based Recommender Model
WWW
2023
UnSupervised
GOW , Yelp
-
An unsupervised detection method for shilling attacks based on deep learning and community detection
Soft Comput.
2021
UnSupervised
NF , AMV
-
Identification of Malicious Injection Attacks in Dense Rating and Co-Visitation Behaviors
TIFS
2020
UnSupervised
ML , AMB , LT , Trip
-
Recommendation attack detection based on deep learning
JISA
2020
Supervised
ML
-
Detecting shilling attacks with automatic features from multiple views
Secur. Commun. Netw.
2019
Supervised
NF , ML , AMV
-
Detecting shilling attacks in social recommender systems based on time series analysis and trust features
KBS
2019
Supervised
CI , EP
-
BS-SC: An Unsupervised Approach for Detecting Shilling Profiles in Collaborative Recommender Systems
TKDE
2019
UnSupervised
SYN , AMP
-
Detecting shilling attacks in recommender systems based on analysis of user rating behavior
KBS
2019
UnSupervised
NF , ML , AMP
-
Trustworthy and profit: A new value-based neighbor selection method in recommender systems under shilling attacks
DSS
2019
UnSupervised
BC , AMB
-
Quick and accurate attack detection in recommender systems through user attributes
RecSys
2019
UnSupervised
ML
-
UD-HMM: An unsupervised method for shilling attack detection based on hidden Markov model and hierarchical clustering
KBS
2018
UnSupervised
ML , NF , AMP
-
Shilling attack detection for recommender systems based on credibility of group users and rating time series
Plos One
2018
UnSupervised
ML
-
Spotting anomalous ratings for rating systems by analyzing target users and items
Neurocomputing
2017
UnSupervised
ML , AMP
-
Estimating user behavior toward detecting anomalous ratings in rating systems
KBS
2016
UnSupervised
ML
-
SVM-TIA a shilling attack detection method based on SVM and target item analysis in recommender systems
J. Neucom.
2016
Supervised
ML
-
Re-scale AdaBoost for attack detection in collaborative filtering recommender systems
KBS
2016
Supervised
ML
-
Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation
IJCAI
2015
UnSupervised
AMV
-
Shilling attacks detection in recommender systems based on target item analysis
Plos One
2015
UnSupervised
ML , NF , EM
-
A novel item anomaly detection approach against shilling attacks in collaborative recommendation systems using the dynamic time interval segmentation technique
IS
2015
UnSupervised
ML
-
A novel shilling attack detection method
Procedia Comput. Sci.
2014
UnSupervised
ML
-
Detection of abnormal profiles on group attacks in recommender systems
SIGIR
2014
UnSupervised
NF , ML , EM
-
HHT–SVM: An online method for detecting profile injection attacks in collaborative recommender systems
KBS
2014
Supervised
ML
-
Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system
WWW
2013
Semi Supervised
ML
-
𝛽P: A novel approach to filter out malicious rating profiles from recommender systems
DSS
2013
UnSupervised
ML
-
A Meta-learning-based Approach for Detecting Profile Injection Attacks in Collaborative Recommender Systems
J. Comput.
2012
Supervised
ML
-
HySAD: A semi-supervised hybrid shilling attack detector for trustworthy product recommendation
KDD
2012
Semi Supervised
NF , ML
-
A clustering approach to unsupervised attack detection in collaborative recommender systems
ICDATA
2011
UnSupervised
ML
-
Unsupervised strategies for shilling detection and robust collaborative filtering
User Model. User-Adapt. Interact.
2009
UnSupervised
ML
-
Unsupervised retrieval of attack profiles in collaborative recommender systems
RecSys
2008
UnSupervised
ML
-
Lies and propaganda: detecting spam users in collaborative filtering
IUI
2007
UnSupervised
ML
-
Toward trustworthy recommender systems: An analysis of attack models and algorithm robustness
TOIT
2007
Supervised
ML
-
Classification features for attack detection in collaborative recommender systems
KDD
2006
Supervised
ML
-
Detecting profile injection attacks in collaborative recommender systems
CEC-EEE
2006
Supervised
ML
-
Attack detection in time series for recommender systems
KDD
2006
UnSupervised
ML
-
Preventing shilling attacks in online recommender systems
WIDM
2005
Supervised
ML
-
Dataset
Name
AAT
Amazon Automotive
ABT
Amazon Beauty
ADM
Amazon Digital Music
AIV
Amazon Instant Video
AMB
Amazon Book
AMMN
Amazon Men
AMV
Amazon Movie
AMCP
Amazon Cell-phone
AMP
Amazon Product
BC
Book-Crossing
CI
Ciao
CIT
Citation Network
DB
Douban
eB
eBay
EM
Eachmovie
EP
Epinions
Feeds
Microsoft news App
FR
FRappe - Mobile App Recommendations
FT
Film Trust
Ftr
Fund Transactions
G+
Google+
GOW
Gowalla
MIND
Microsoft News
LA
Last.fm
LI
Linkedin
LT
LibraryThing
ML
MovieLens
NF
Netflix
St
Steam
TC
Tradesy
Trip
TripAdvisor
TW
Twitter [Code]
YE
Yelp
YT
YouTube
SYNC
Synthetic datasets
Disclaimer
Feel free to contact us if you have any queries or exciting news. In addition, we welcome all researchers to contribute to this repository and further contribute to the knowledge of this field.
If you have some other related references, please feel free to create a Github issue with the paper information. We will gladly update the repos according to your suggestions. (You can also create pull requests, but it might take some time for us to do the merge)