Data Poisoning Attacks to Recommender Systems
Recommender system is an essential component of web services to engage users. Popular recommender systems model user preferences and item properties using a large amount of crowdsourced user-item interaction data, e.g., rating scores; then top-N items that match the best with a user's preference are recommended to the user. In our work, we show that an attacker can launch a data poisoning attack to a recommender system to make recommendations as the attacker desires via injecting fake users with carefully crafted user-item interaction data. Specifically, an attacker can trick a recommender system to recommend a target item to as many normal users as possible. We focus on matrix-factorization-based recommender systems because they have been widely deployed in the industry. Given the number of fake users the attacker can inject, we formulate the crafting of rating scores for the fake users as an optimization problem, solving which determines the rating scores for the fake users. We also propose techniques to solve the optimization problem. Our results on real-world datasets show that our attacks are effective and outperform existing methods.
Committee: Jia Liu (major professor), Hridesh Rajan (major professor), Qi Li, Wensheng Zhang, Hongyang Gao, and Yong Guan