research-article

Free access

Shilling Black-box Review-based Recommender Systems through Fake Review Generation

Authors:

Hung-Yun Chiang,

Hong-Han Shuai,

Jason S. ChangAuthors Info & Claims

KDD '23: Proceedings of the 29th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

Pages 286 - 297

https://doi.org/10.1145/3580305.3599502

Published: 04 August 2023 Publication History

Abstract

Review-Based Recommender Systems (RBRS) have attracted increasing research interest due to their ability to alleviate well-known cold-start problems. RBRS utilizes reviews to construct the user and items representations. However, in this paper, we argue that such a reliance on reviews may instead expose systems to the risk of being shilled. To explore this possibility, in this paper, we propose the first generation-based model for shilling attacks against RBRSs. Specifically, we learn a fake review generator through reinforcement learning, which maliciously promotes items by forcing prediction shifts after adding generated reviews to the system. By introducing the auxiliary rewards to increase text fluency and diversity with the aid of pre-trained language models and aspect predictors, the generated reviews can be effective for shilling with high fidelity. Experimental results demonstrate that the proposed framework can successfully attack three different kinds of RBRSs on the Amazon corpus with three domains and Yelp corpus. Furthermore, human studies also show that the generated reviews are fluent and informative. Finally, equipped with Attack Review Generators (ARGs), RBRSs with adversarial training are much more robust to malicious reviews.

Supplementary Material

MP4 File (rtfp0796-2min-promo.mp4)

This video provides an overview of our research, giving a brief introduction to review-based recommender systems and highlighting potential vulnerabilities that may exist within them.

Download
12.07 MB

MP4 File (rtfp0796-20min-video.mp4)

paper representation - Shilling Black-box Review-based Recommender Systems through Fake Review Generation

Download
82.42 MB

References

[1]

Gediminas Adomavicius and Alexander Tuzhilin. 2005. Toward the next generation of recommender systems: A survey of the state-of-the-art and possible extensions. IEEE Trans Knowl Data Eng (2005), 734--749.

Digital Library

[2]

Arthur Brainskas, Mirella Lapata, and Ivan Titov. 2020. Few-Shot Learning for Opinion Summarization. In EMNLP. 4119--4135.

[3]

Arthur Brainskas, Mirella Lapata, and Ivan Titov. 2021. Learning Opinion Summarizers by Selecting Informative Reviews. In EMNLP. 9424--9442.

[4]

Robin Burke, Bamshad Mobasher, Chad Williams, and Runa Bhaumik. 2006. Clas- sification Features for Attack Detection in Collaborative Recommender Systems. In KDD. 542--547.

[5]

Chong Chen, Min Zhang, Yiqun Liu, and Shaoping Ma. 2018. Neural Attentional Rating Regression with Review-Level Explanations. In WWW. 1583--1592.

[6]

Jingfan Chen, Wenqi Fan, Guanghui Zhu, Xiangyu Zhao, Chunfeng Yuan, Qing Li, and Yihua Huang. 2022. Knowledge-Enhanced Black-Box Attacks for Recommendations. In KDD. 108--117.

[7]

Xu Chen, Yali Du, Long Xia, and Jun Wang. 2021. Reinforcement Recommendation with User Multi-Aspect Preference. In WWW. 425--435.

[8]

Zunping Cheng and Neil Hurley. 2009. Effective Diverse and Obfuscated Attacks on Model-Based Recommender Systems. In RecSys. 141--148.

[9]

Rami Cohen, Oren Sar Shalom, Dietmar Jannach, and Amihood Amir. 2021. A black-box attack model for visually-aware recommender systems. In WSDM.

[10]

Nan Ding and Radu Soricut. 2017. Cold-Start Reinforcement Learning with Softmax Policy Gradient. In NeurIPS.

[11]

Pierre Dognin, Inkit Padhi, Igor Melnyk, and Payel Das. 2021. ReGen: Rein-forcement Learning for Text and Knowledge Base Generation using Pretrained Language Models. In EMNLP. 1084--1099.

[12]

Xin Dong, Jingchao Ni, Wei Cheng, Zhengzhang Chen, Bo Zong, Dongjin Song, Yanchi Liu, Haifeng Chen, and Gerard de Melo. 2020. Asymmetrical Hierarchical Networks with Attentive Interactions for Interpretable Review-Based Recommendation. AAAI (2020), 7667--7674.

[13]

Yinpeng Dong, Qi-An Fu, Xiao Yang, Tianyu Pang, Hang Su, Zihao Xiao, and Jun Zhu. 2020. Benchmarking Adversarial Robustness on Image Classification. In CVPR.

[14]

Javid Ebrahimi, Anyi Rao, Daniel Lowd, and Dejing Dou. 2018. HotFlip: White-Box Adversarial Examples for Text Classification. In ACL. 31--36.

[15]

Minghong Fang, Neil Zhenqiang Gong, and Jia Liu. 2020. Influence Function Based Data Poisoning Attacks to Top-N Recommender Systems. In WWW. 3019--3025.

Digital Library

[16]

Minghong Fang, Guolei Yang, Neil Zhenqiang Gong, and Jia Liu. 2018. Poisoning Attacks to Graph-Based Recommender Systems. In ACSAC. 381--392.

[17]

Jingyue Gao, Yang Lin, Yasha Wang, Xiting Wang, Zhao Yang, Yuanduo He, and Xu Chu. 2020. Set-Sequence-Graph: A Multi-View Approach Towards Exploiting Reviews for Recommendation. In CIKM. 395--404.

[18]

Ihsan Gunes, Cihan Kaleli, Alper Bilge, and Huseyin Polat. 2014. Shilling attacks against recommender systems: a comprehensive survey. Artif. Intell. Rev. (2014).

[19]

Bing He, Mustaque Ahamad, and Srijan Kumar. 2021. PETGEN: Personalized Text Generation Attack on Deep Sequence Embedding-Based Classification Models. In KDD. 575--584.

Digital Library

[20]

Ruidan He, Wee Sun Lee, Hwee Tou Ng, and Daniel Dahlmeier. 2017. An Unsupervised Neural Attention Model for Aspect Extraction. In ACL. 388--397.

[21]

Hai Huang, Jiaming Mu, Neil Zhenqiang Gong, Qi Li, Bin Liu, and Mingwei Xu. 2021. Data Poisoning Attacks to Deep Learning Based Recommender Systems. In NDSS.

[22]

Nour Jnoub, Admir Brankovic, and Wolfgang Klas. 2021. Fact-Checking Reasoning System for Fake Review Detection Using Answer Set Programming. Algorithms 14 (2021), 190.

[23]

Parneet Kaur and Shivani Goel. 2016. Shilling attack models in recommender system. In ICICT, Vol. 2. 1--5.

[24]

Shyong K. Lam and John Riedl. 2004. Shilling Recommender Systems for Fun and Profit. In WWW. 393--402.

[25]

Juha Leino and Kari-Jouko Räihä. 2007. Case Amazon: Ratings and Reviews as Part of Recommendations. In RecSys. 137--140.

Digital Library

[26]

Bo Li, Yining Wang, Aarti Singh, and Yevgeniy Vorobeychik. 2016. Data Poisoning Attacks on Factorization-Based Collaborative Filtering. In NeurIPS, Vol. 29.

[27]

Jinfeng Li, Shouling Ji, Tianyu Du, Bo Li, and Ting Wang. 2019. TextBugger: Generating Adversarial Text Against Real-world Applications. In NDSS.

[28]

Chen Lin, Si Chen, Hui Li, Yanghua Xiao, Lianyun Li, and Qian Yang. 2020. Attacking recommender systems with augmented user profiles. In CIKM.

[29]

Chen Lin, Si Chen, Meifang Zeng, Sheng Zhang, Min Gao, and Hui Li. 2022. Shilling Black-Box Recommender Systems by Learning to Generate Fake User Profiles. IEEE Trans. Neural Netw. Learn. Syst. (2022), 1--15.

[30]

Chin-Yew Lin. 2004. ROUGE: A Package for Automatic Evaluation of Summaries. In Text Summarization Branches Out. 74--81.

[31]

Donghua Liu, Jing Li, Bo Du, Jun Chang, and Rong Gao. 2019. DAML: Dual Attention Mutual Learning between Ratings and Reviews for Item Recommendation. In KDD. 344--352.

[32]

Hongtao Liu, Fangzhao Wu, Wenjun Wang, Xianchen Wang, Pengfei Jiao, Chuhan Wu, and Xing Xie. 2019. NRPA: Neural Recommendation with Personalized Attention. In SIGIR. 1233--1236.

Digital Library

[33]

Mingtong Liu, Erguang Yang, Deyi Xiong, Yujie Zhang, Yao Meng, Changjian Hu, Jinan Xu, and Yufeng Chen. 2020. A Learning-Exploring Method to Generate Diverse Paraphrases with Multi-Objective Deep Reinforcement Learning. In CICLing. 2310--2321.

[34]

Yichao Lu, Himanshu Rai, Jason Chang, Boris Knyazev, Guangwei Yu, Shashank Shekhar, Graham W. Taylor, and Maksims Volkovs. 2021. Context-Aware Scene Graph Generation With Seq2Seq Transformers. In ICCV. 15931--15941.

[35]

Songyin Luo, Xiangkui Lu, Jun Wu, and Jianbo Yuan. 2021. Review-Aware Neural Recommendation with Cross-Modality Mutual Attention. In CIKM. 3293--3297.

[36]

Bamshad Mobasher, Robin Burke, Runa Bhaumik, and Chad Williams. 2007. Toward Trustworthy Recommender Systems: An Analysis of Attack Models and Algorithm Robustness. ACM Trans. Internet Technol. (2007), 23--es.

[37]

John X. Morris, Eli Lifland, Jin Yong Yoo, and Yanjun Qi. 2020. TextAttack: A Framework for Adversarial Attacks in Natural Language Processing. CoRR.

[38]

Jianmo Ni and Julian McAuley. 2018. Personalized Review Generation By Expanding Phrases and Attending on Aspect-Aware Representations. In ACL. 706--711.

[39]

John O'Donovan and Barry Smyth. 2006. Is Trust Robust? An Analysis of Trust-Based Recommendation. In IUI. 101--108.

[40]

Ming Pang, Wei Gao, Min Tao, and Zhi-Hua Zhou. 2018. Unorganized Malicious Attacks Detection. In NeurIPS, Vol. 31.

[41]

Himangshu Paul and Alexander Nikolaev. 2021. Fake review detection on online E-commerce platforms: a systematic literature review. Data Min Knowl Discov 35 (2021), 1830--1881.

Digital Library

[42]

Alec Radford, Jeffrey Wu, Rewon Child, David Luan, Dario Amodei, Ilya Sutskever, et al. 2019. Language models are unsupervised multitask learners. OpenAI blog.

[43]

Steven J Rennie, Etienne Marcheret, Youssef Mroueh, Jerret Ross, and Vaibhava Goel. 2017. Self-critical sequence training for image captioning. In CVPR.

[44]

Francesco Ricci, Lior Rokach, and Bracha Shapira. 2015. Recommender systems: introduction and challenges. In Recommender systems handbook. 1--34.

[45]

Jie Shuai, Kun Zhang, Le Wu, Peijie Sun, Richang Hong, Meng Wang, and Yong Li. 2022. A Review-Aware Graph Contrastive Learning Framework for Recommendation. In SIGIR. 1283--1293.

[46]

J. Song, Z. Li, Z. Hu, Y. Wu, Z. Li, J. Li, and J. Gao. 2020. PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems. In ICDE. 157--168.

[47]

Peijie Sun, Le Wu, Kun Zhang, Yu Su, and Meng Wang. 2021. An Unsupervised Aspect-Aware Recommendation Model with Explanation Text Generation. ACM Trans. Inf. Syst. (2021).

[48]

Richard S Sutton, David McAllester, Satinder Singh, and Yishay Mansour. 1999. Policy Gradient Methods for Reinforcement Learning with Function Approximation. In NeurIPS.

[49]

Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N Gomez, Łukasz Kaiser, and Illia Polosukhin. 2017. Attention is All you Need. In NeurIPS, Vol. 30.

[50]

Eric Wallace, Shi Feng, Nikhil Kandpal, Matt Gardner, and Sameer Singh. 2019. Universal Adversarial Triggers for Attacking and Analyzing NLP. In EMNLP-IJCNLP. 2153--2162.

[51]

Jianyu Wang, Rui Wen, Chunming Wu, Yu Huang, and Jian Xiong. 2019. FdGars: Fraudster Detection via Graph Convolutional Networks in Online App Review System. In WWW. 310--316.

[52]

Xinyue Wang, Xianguo Zhang, Chengzhi Jiang, and Haihang Liu. 2018. Identification of fake reviews using semantic and behavioral features. In ICIM. 92--97.

[53]

Zihan Wang, Na Huang, Fei Sun, Pengjie Ren, Zhumin Chen, Hengliang Luo, Maarten de Rijke, and Zhaochun Ren. 2022. Debiasing Learning for Membership Inference Attacks Against Recommender Systems. In KDD. 1959--1968.

[54]

Ronald J. Williams. 1992. Simple Statistical Gradient-Following Algorithms for Connectionist Reinforcement Learning. Mach. Learn. 8 (1992), 229--256.

Digital Library

[55]

Chenwang Wu, Defu Lian, Yong Ge, Zhihao Zhu, and Enhong Chen. 2021. Triple Adversarial Learning for Influence Based Poisoning Attack in Recommender Systems. In KDD. 1830--1840.

[56]

Chuhan Wu, Fangzhao Wu, Tao Qi, Suyu Ge, Yongfeng Huang, and Xing Xie. 2019. Reviews Meet Graphs: Enhancing User and Item Representations for Recommendation with Hierarchical Attentive Graph Neural Network. In EMNLP-IJCNLP. 4884--4893.

[57]

Yan Xu, Baoyuan Wu, Fumin Shen, Yanbo Fan, Yong Zhang, Heng Tao Shen, and Wei Liu. 2019. Exact Adversarial Attack to Image Captioning via Structured Output Learning With Latent Variables. In CVPR.

[58]

Zhenrui Yue, Zhankui He, Huimin Zeng, and Julian McAuley. 2021. Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction. In RecSys.

[59]

Hengtong Zhang, Changxin Tian, Yaliang Li, Lu Su, Nan Yang, Wayne Xin Zhao, and Jing Gao. 2021. Data Poisoning Attack against Recommender System Using Incomplete and Perturbed Data. In KDD. 2154--2164.

[60]

Shuai Zhang, Lina Yao, Aixin Sun, and Yi Tay. 2019. Deep learning based recom-mender system: A survey and new perspectives. CSUR (2019), 1--38.

[61]

Lei Zheng, Vahid Noroozi, and Philip S. Yu. 2017. Joint Deep Modeling of Users and Items Using Reviews for Recommendation. In WSDM. 425--434

Cited By

Oh SVerma GKumar SSerra ESpezzano F(2024)Adversarial Text Rewriting for Text-aware Recommender SystemsProceedings of the 33rd ACM International Conference on Information and Knowledge Management10.1145/3627673.3679592(1804-1814)Online publication date: 21-Oct-2024
https://dl.acm.org/doi/10.1145/3627673.3679592
Zhang JHuang KLang DXu YLi HLi X(2024)Research on Multifeature Fusion False Review Detection Based on DynDistilBERT-BiLSTM-CNNIEEE Internet of Things Journal10.1109/JIOT.2024.341001511:18(30040-30053)Online publication date: 15-Sep-2024
https://doi.org/10.1109/JIOT.2024.3410015

Index Terms

Shilling Black-box Review-based Recommender Systems through Fake Review Generation
1. Information systems
  1. Information retrieval
    1. Retrieval tasks and goals
      1. Recommender systems

Recommendations

Preventing shilling attacks in online recommender systems
WIDM '05: Proceedings of the 7th annual ACM international workshop on Web information and data management

Collaborative filtering techniques have been successfully employed in recommender systems in order to help users deal with information overload by making high quality personalized recommendations. However, such systems have been shown to be vulnerable ...
Strategies for Effective Shilling Attacks against Recommender Systems
Privacy, Security, and Trust in KDD

One area of research which has recently gained importance is the security of recommender systems. Malicious users may influence the recommender system by inserting biased data into the system. Such attacks may lead to erosion of user trust in the ...
Detecting shilling attacks in recommender systems based on analysis of user rating behavior
Abstract
The existing unsupervised methods for detecting shilling attacks are mostly based on the rating patterns of users, ignoring the rating behavior difference between genuine users and attack users, and these methods suffer from low ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

KDD '23: Proceedings of the 29th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

August 2023

5996 pages

ISBN:9798400701030

DOI:10.1145/3580305

General Chairs:
Ambuj Singh
UC Santa Barbara, USA
,
Yizhou Sun
UC Los Angeles, USA
,
Program Chairs:
Leman Akoglu
Carnegie Mellon University, USA
,
Dimitrios Gunopulos
University of Athens, Greece
,
Xifeng Yan
UC Santa Barbara, USA
,
Ravi Kumar
Google, USA
,
Fatma Ozcan
Google, USA
,
Jieping Ye
Alibaba DAMO Academy

Copyright © 2023 ACM.

Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 August 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science and Technology Council of Taiwan

Conference

KDD '23

Sponsor:

KDD '23: The 29th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

August 6 - 10, 2023

CA, Long Beach, USA

Acceptance Rates

Overall Acceptance Rate 1,133 of 8,635 submissions, 13%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
687
Total Downloads

Downloads (Last 12 months)490
Downloads (Last 6 weeks)41

Reflects downloads up to 13 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Oh SVerma GKumar SSerra ESpezzano F(2024)Adversarial Text Rewriting for Text-aware Recommender SystemsProceedings of the 33rd ACM International Conference on Information and Knowledge Management10.1145/3627673.3679592(1804-1814)Online publication date: 21-Oct-2024
https://dl.acm.org/doi/10.1145/3627673.3679592
Zhang JHuang KLang DXu YLi HLi X(2024)Research on Multifeature Fusion False Review Detection Based on DynDistilBERT-BiLSTM-CNNIEEE Internet of Things Journal10.1109/JIOT.2024.341001511:18(30040-30053)Online publication date: 15-Sep-2024
https://doi.org/10.1109/JIOT.2024.3410015

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents