ToDA: Target-oriented Diffusion Attacker against Recommendation System
- URL: http://arxiv.org/abs/2401.12578v3
- Date: Thu, 18 Jul 2024 03:51:34 GMT
- Title: ToDA: Target-oriented Diffusion Attacker against Recommendation System
- Authors: Xiaohao Liu, Zhulin Tao, Ting Jiang, He Chang, Yunshan Ma, Yinwei Wei, Xiang Wang
- Abstract summary: Recommendation systems (RS) are susceptible to malicious attacks where adversaries can manipulate user profiles, leading to biased recommendations.
Recent research often integrates additional modules using generative models to craft these deceptive user profiles.
We propose a novel Target-oriented Diffusion Attack model (ToDA)
It incorporates a pre-trained autoencoder that transforms user profiles into a high dimensional space, paired with a Latent Diffusion Attacker (LDA), the core component of ToDA.
- Score: 19.546532220090793
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Recommendation systems (RS) have become indispensable tools for web services to address information overload, thus enhancing user experiences and bolstering platforms' revenues. However, with their increasing ubiquity, security concerns have also emerged. Given their public accessibility, RS are susceptible to malicious attacks in which adversaries manipulate user profiles, leading to biased recommendations. Recent research often integrates additional modules using generative models to craft these deceptive user profiles, ensuring they remain imperceptible while causing the intended harm. Despite their efficacy, these models face challenges of unstable training and the exploration-exploitation dilemma, which can lead to suboptimal results. In this paper, we pioneer the investigation of diffusion models (DMs) for shilling attacks. Specifically, we propose a novel Target-oriented Diffusion Attack model (ToDA). It incorporates a pre-trained autoencoder that transforms user profiles into a high dimensional space, paired with a Latent Diffusion Attacker (LDA), the core component of ToDA. LDA introduces noise into the profiles within this latent space, adeptly steering the approximation towards targeted items through cross-attention mechanisms. A global horizon, implemented via a bipartite graph and derived from the encoded user profile features, is incorporated into LDA. This enables LDA to extend generation beyond the user feature currently being processed and bridges the gap between diffused user features and target item features. Extensive experiments against several SOTA baselines demonstrate ToDA's effectiveness. Further studies examine the elaborate design of ToDA and underscore the potency of advanced generative models in such contexts.
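To make the described pipeline concrete, the following PyTorch sketch illustrates how a latent diffusion attacker conditioned on target items via cross-attention might be wired together. It is a minimal sketch under stated assumptions, not the authors' implementation: the class and function names (ProfileAutoencoder, LatentDiffusionAttacker, generate_fake_profiles), the dimensions, the noise schedule, and the simplified DDIM-style sampling loop are all illustrative choices, and the bipartite-graph global horizon and training objective are omitted.

```python
# Hypothetical sketch of a ToDA-style latent diffusion attacker (not the authors' code).
# Class names, dimensions, the noise schedule, and the sampling loop are illustrative.
import torch
import torch.nn as nn


class ProfileAutoencoder(nn.Module):
    """Pre-trained autoencoder mapping binary interaction profiles to a latent space."""
    def __init__(self, n_items: int, latent_dim: int = 64):
        super().__init__()
        self.encoder = nn.Sequential(nn.Linear(n_items, 256), nn.ReLU(),
                                     nn.Linear(256, latent_dim))
        self.decoder = nn.Sequential(nn.Linear(latent_dim, 256), nn.ReLU(),
                                     nn.Linear(256, n_items))

    def encode(self, profiles: torch.Tensor) -> torch.Tensor:  # (B, n_items) -> (B, D)
        return self.encoder(profiles)

    def decode(self, z: torch.Tensor) -> torch.Tensor:         # (B, D) -> item scores
        return torch.sigmoid(self.decoder(z))


class LatentDiffusionAttacker(nn.Module):
    """Denoiser that steers noisy profile latents toward target items via
    cross-attention over target-item embeddings (timestep embedding omitted)."""
    def __init__(self, latent_dim: int = 64, n_heads: int = 4):
        super().__init__()
        self.attn = nn.MultiheadAttention(latent_dim, n_heads, batch_first=True)
        self.mlp = nn.Sequential(nn.Linear(latent_dim, latent_dim), nn.ReLU(),
                                 nn.Linear(latent_dim, latent_dim))

    def forward(self, z_t: torch.Tensor, t: int, target_emb: torch.Tensor) -> torch.Tensor:
        # z_t: (B, D) noisy latent; target_emb: (B, K, D) embeddings of targeted items.
        q = z_t.unsqueeze(1)                              # one query per profile
        ctx, _ = self.attn(q, target_emb, target_emb)     # cross-attend to targets
        return self.mlp(z_t + ctx.squeeze(1))             # predicted noise


def generate_fake_profiles(ae, lda, profiles, target_emb, steps: int = 50):
    """Noise the encoded profiles, then denoise them conditioned on target items."""
    betas = torch.linspace(1e-4, 0.02, steps)
    alphas_bar = torch.cumprod(1.0 - betas, dim=0)
    z0 = ae.encode(profiles)
    # Forward diffusion to the final step in closed form.
    z = alphas_bar[-1].sqrt() * z0 + (1 - alphas_bar[-1]).sqrt() * torch.randn_like(z0)
    for t in reversed(range(steps)):                      # simplified DDIM-style reverse loop
        eps = lda(z, t, target_emb)
        z = (z - (1 - alphas_bar[t]).sqrt() * eps) / alphas_bar[t].sqrt()
        if t > 0:
            z = alphas_bar[t - 1].sqrt() * z + (1 - alphas_bar[t - 1]).sqrt() * eps
    return ae.decode(z)                                   # scores over items per fake user
```

In such a sketch, the top-k highest-scoring items of each decoded profile would form one injected fake user; how ToDA actually trains the denoiser and incorporates the graph-based global horizon is detailed in the paper itself.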
Related papers
- Controllable and Stealthy Shilling Attacks via Dispersive Latent Diffusion [47.012167601128745]
We present DLDA, a diffusion-based attack framework that generates highly effective yet indistinguishable fake users. We show that, compared to prior attacks, DLDA consistently achieves stronger item promotion while remaining harder to detect.
arXiv Detail & Related papers (2025-08-04T01:54:32Z)
- Transferable Adversarial Attacks on SAM and Its Downstream Models [87.23908485521439]
This paper explores the feasibility of adversarially attacking various downstream models fine-tuned from the segment anything model (SAM).
To enhance the effectiveness of the adversarial attack towards models fine-tuned on unknown datasets, we propose a universal meta-initialization (UMI) algorithm.
arXiv Detail & Related papers (2024-10-26T15:04:04Z) - FedAT: Federated Adversarial Training for Distributed Insider Threat Detection [4.429657390313629]
We propose an FL-enabled multiclass ITD paradigm that considers non-Independent and Identically Distributed (non-IID) data distribution.
Specifically, we propose a Federated Adversarial Training (FedAT) approach using a generative model to alleviate the extreme data skewness arising from the non-IID data distribution.
arXiv Detail & Related papers (2024-09-19T20:44:33Z) - Watch the Watcher! Backdoor Attacks on Security-Enhancing Diffusion Models [65.30406788716104]
This work investigates the vulnerabilities of security-enhancing diffusion models.
We demonstrate that these models are highly susceptible to DIFF2, a simple yet effective backdoor attack.
Case studies show that DIFF2 can significantly reduce both post-purification and certified accuracy across benchmark datasets and models.
arXiv Detail & Related papers (2024-06-14T02:39:43Z) - Securely Fine-tuning Pre-trained Encoders Against Adversarial Examples [28.947545367473086]
We propose a two-stage adversarial fine-tuning approach aimed at enhancing the robustness of downstream models.
Our experiments, conducted across ten self-supervised training methods and six datasets, demonstrate that Gen-AF attains high testing accuracy and robust testing accuracy against state-of-the-art DAEs.
arXiv Detail & Related papers (2024-03-16T04:23:46Z) - Analyzing Adversarial Inputs in Deep Reinforcement Learning [53.3760591018817]
We present a comprehensive analysis of the characterization of adversarial inputs, through the lens of formal verification.
We introduce a novel metric, the Adversarial Rate, to classify models based on their susceptibility to such perturbations.
Our analysis empirically demonstrates how adversarial inputs can affect the safety of a given DRL system with respect to such perturbations.
arXiv Detail & Related papers (2024-02-07T21:58:40Z) - DALA: A Distribution-Aware LoRA-Based Adversarial Attack against
Language Models [64.79319733514266]
Adversarial attacks can introduce subtle perturbations to input data.
Recent attack methods can achieve a relatively high attack success rate (ASR)
We propose a Distribution-Aware LoRA-based Adversarial Attack (DALA) method.
arXiv Detail & Related papers (2023-11-14T23:43:47Z) - Diffusion Denoising Process for Perceptron Bias in Out-of-distribution
Detection [67.49587673594276]
We introduce a new perceptron bias assumption that suggests discriminator models are more sensitive to certain features of the input, leading to the overconfidence problem.
We demonstrate that the diffusion denoising process (DDP) of DMs serves as a novel form of asymmetric interpolation, which is well-suited to enhance the input and mitigate the overconfidence problem.
Our experiments on CIFAR10, CIFAR100, and ImageNet show that our method outperforms SOTA approaches.
arXiv Detail & Related papers (2022-11-21T08:45:08Z) - Shilling Black-box Recommender Systems by Learning to Generate Fake User
Profiles [14.437087775166876]
We present Leg-UP, a novel attack model based on the Generative Adversarial Network.
Leg-UP learns user behavior patterns from real users in sampled "templates" and constructs fake user profiles.
Experiments on benchmarks have shown that Leg-UP exceeds state-of-the-art Shilling Attack methods on a wide range of victim RS models.
arXiv Detail & Related papers (2022-06-23T00:40:19Z) - Exploring Adversarially Robust Training for Unsupervised Domain
Adaptation [71.94264837503135]
Unsupervised Domain Adaptation (UDA) methods aim to transfer knowledge from a labeled source domain to an unlabeled target domain.
This paper explores how to enhance the robustness of unlabeled data via adversarial training (AT) while learning domain-invariant features for UDA.
We propose a novel Adversarially Robust Training method for UDA accordingly, referred to as ARTUDA.
arXiv Detail & Related papers (2022-02-18T17:05:19Z) - EvaLDA: Efficient Evasion Attacks Towards Latent Dirichlet Allocation [9.277398460006394]
We study whether Latent Dirichlet Allocation models are vulnerable to adversarial perturbations during inference time.
We propose a novel and efficient algorithm, EvaLDA, to solve it.
Our work provides significant insights into the power and limitations of evasion attacks against LDA models.
arXiv Detail & Related papers (2020-12-09T04:57:20Z) - DAMIA: Leveraging Domain Adaptation as a Defense against Membership
Inference Attacks [22.10053473193636]
We propose and implement DAMIA, which leverages Domain Adaptation (DA) as a defense against membership inference attacks.
Our observation is that DA obfuscates the dataset to be protected using another related dataset, and derives a model that implicitly extracts features from both datasets.
The model trained by DAMIA has a negligible impact on usability.
arXiv Detail & Related papers (2020-05-16T15:24:28Z)
This list is automatically generated from the titles and abstracts of the papers on this site.