Poisoning GNN-based Recommender Systems with Generative Surrogate-based Attacks
With recent advancements in graph neural networks (GNN), GNN-based recommender systems (gRS) have achieved remarkable success in the past few years. Despite this success, existing research reveals that gRSs are still vulnerable to poison attacks, in which the attackers inject fake data to manipulate...
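Saved in:
Published in: | ACM transactions on information systems 2023-02, Vol.41 (3), p.1-24, Article 58 |
---|---|
Main authors: | Nguyen Thanh, Toan ; Quach, Nguyen Duc Khang ; Nguyen, Thanh Tam ; Huynh, Thanh Trung ; Vu, Viet Hung ; Nguyen, Phi Le ; Jo, Jun ; Nguyen, Quoc Viet Hung |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |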
container_end_page | 24 |
---|---|
container_issue | 3 |
container_start_page | 1 |
container_title | ACM transactions on information systems |
container_volume | 41 |
creator | Nguyen Thanh, Toan ; Quach, Nguyen Duc Khang ; Nguyen, Thanh Tam ; Huynh, Thanh Trung ; Vu, Viet Hung ; Nguyen, Phi Le ; Jo, Jun ; Nguyen, Quoc Viet Hung |
description | With recent advancements in graph neural networks (GNN), GNN-based recommender systems (gRS) have achieved remarkable success in the past few years. Despite this success, existing research reveals that gRSs are still vulnerable to poison attacks, in which the attackers inject fake data to manipulate recommendation results as they desire. This might be due to the fact that existing poison attacks (and countermeasures) are either model-agnostic or specifically designed for traditional recommender algorithms (e.g., neighborhood-based, matrix-factorization-based, or deep-learning-based RSs) that are not gRS. As gRSs are widely adopted in the industry, the problem of how to design poison attacks for gRSs has become a need for robust user experience. Herein, we focus on the use of poison attacks to manipulate item promotion in gRSs. Compared to standard GNNs, attacking gRSs is more challenging due to the heterogeneity of network structure and the entanglement between users and items. To overcome such challenges, we propose GSPAttack—a generative surrogate-based poison attack framework for gRSs. GSPAttack tailors a learning process to surrogate a recommendation model as well as generate fake users and user-item interactions while preserving the data correlation between users and items for recommendation accuracy. Although maintaining high accuracy for other items rather than the target item seems counterintuitive, it is equally crucial to the success of a poison attack. Extensive evaluations on four real-world datasets revealed that GSPAttack outperforms all baselines with competent recommendation performance and is resistant to various countermeasures. |
doi_str_mv | 10.1145/3567420 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 1046-8188 |
ispartof | ACM transactions on information systems, 2023-02, Vol.41 (3), p.1-24, Article 58 |
issn | 1046-8188 ; 1558-2868 |
language | eng |
recordid | cdi_crossref_primary_10_1145_3567420 |
source | ACM Digital Library Complete |
subjects | Computing methodologies ; Information retrieval ; Information systems ; Information systems applications ; Neural networks ; Recommender systems ; Security and privacy ; Social engineering attacks ; Social networks |
title | Poisoning GNN-based Recommender Systems with Generative Surrogate-based Attacks |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-02T12%3A18%3A10IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-acm_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Poisoning%20GNN-based%20Recommender%20Systems%20with%20Generative%20Surrogate-based%20Attacks&rft.jtitle=ACM%20transactions%20on%20information%20systems&rft.au=Nguyen%20Thanh,%20Toan&rft.date=2023-02-07&rft.volume=41&rft.issue=3&rft.spage=1&rft.epage=24&rft.pages=1-24&rft.artnum=58&rft.issn=1046-8188&rft.eissn=1558-2868&rft_id=info:doi/10.1145/3567420&rft_dat=%3Cacm_cross%3E3567420%3C/acm_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |