TY - JOUR
T1 - Meet Trick With Trick
T2 - Revealing Collusion Intentions in Highly Concealed Poisoning Behavior
AU - Yang, Zhihai
AU - Feng, Yan
AU - Li, Jianxin
AU - Wang, Pinghui
AU - Liu, Zhiquan
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2025
Y1 - 2025
N2 - Recommender systems (RSs), as a high data-driven application, have been extensively developed and widely deployed in various web services, in order to help users locate products or services that they may be interested in. Meanwhile, the openness and vulnerability of RSs have given rise to the development of data poisoning attacks. However, defending these evolving threats presents potential challenges: (a) faced with highly concealed or small-scale data poisoning, the attack behavior is very difficult to characterize; (b) the identification area of attack target is difficult to be determined for highly concealed injection attacks; and (c) the prior knowledge for detecting fake injection attacks in real scenarios is very limited. Complementary to existing works, this paper proposes METT, a divide-and-conquer detection method that addresses these fundamental yet underexplored issues. We first propose to exploit causality inference based on both group-level and individual-level unfairness sequences to enhance the reliability of user-item symbiotic associations. We then develop a novel method for early detection of attack target, named ideaT. Finally, we further discriminate fake injections using a disturbance tolerance mechanism in ambiguous boundaries of behavior. Extensive experiments based on synthetic and real data demonstrate that METT outperforms competing baselines in different cases. Specifically, METT can reduce the false alarm rate (FAR) by an average of 21% for detecting S-attacks, an average of 18% for detecting profile injection attacks, an average of 26% for detecting reverse attacks, and an average of 17% for detecting optimal-injection attacks compared with competing benchmarks. Moreover, METT also has an average advantage of 10% and 20% in FARs for spotting hybrid promotion and demotion attacks, respectively. 
According to prior knowledge learned from synthetic data, additionally, we discover interesting findings on real data, such as suspicious duplicate behavior, benign users with duplicate behavior, and identified shilling behavior. Importantly, we reveal that the specificities of data poisoning attacks or fake injections in real-world scenarios entail important implications from a defense perspective.
KW - Attack detection
KW - behavior association
KW - performance analysis
KW - poisoning attack
UR - https://www.scopus.com/pages/publications/105017301698
U2 - 10.1109/TDSC.2025.3613425
DO - 10.1109/TDSC.2025.3613425
M3 - Article
AN - SCOPUS:105017301698
SN - 1545-5971
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
ER -