Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian, 15-17 July, 2012

COLLABORATIVE FILTERING RECOMMENDER SYSTEM IN ADVERSARIAL ENVIRONMENT

HUI YU, FEI ZHANG

Machine Learning and Cybernetics Research Center, School of Computer Science and Engineering, South China University of Technology, Guangzhou 510006, China E-MAIL: [email protected]@qq.com

Abstract: Collaborative filtering recommender systems are widely used in e-commerce systems. According to the profiles of users or items, a collaborative filtering recommender system recommends items to targeted customers according to the preferences of their similar customers. It provides customers with useful, relevant information. Unfortunately, the recommender system is vulnerable to profile injection attacks. In a profile injection attack, the similar user profiles are manipulated by injecting a large number of fake profiles into the system. In this paper, four new attributes for injection attack detection are proposed. We also discuss profile injection attacks in an adversarial learning environment. By applying the Localized Generalization Error Model (L-GEM), a more robust attack profile detection system is proposed. Experimental results show that the L-GEM based detection classifier has better robustness.

Keywords: Collaborative filtering recommender; profile injection attack; Localized Generalization Error Model (L-GEM); adversarial learning; robustness

1. Introduction

Collaborative filtering recommender systems are widely applied in e-commerce systems, for example, eBay and Amazon. A profile is created for each customer (item) according to its similarity to other customers (items) in the system. According to the profiles, a collaborative filtering recommender system recommends items to target customers according to the preferences of their similar customers. The systems not only help users find preferred items conveniently but are also beneficial to companies by generating profits.

There are two major types of algorithms for collaborative filtering (CF): the user-based and the item-based. User-based algorithms find the most similar neighbors of a target user based on the similarity of ratings. The products having the highest ratings from the neighbors are recommended to the target user. For item-based algorithms, when a customer is interested in an item, its similar items are also introduced to the customer.

978-1-4673-1487-9/12/$31.00 ©2012 IEEE

As anyone can register as a user in a collaborative filtering recommender system, malicious users can attack the system by injecting a number of biased profiles, which is named the "shilling" attack or the "profile injection" attack. In 2001, Sony Pictures admitted that it had used fake quotes from non-existent movie critics to promote a number of newly released films [1]. Amazon.com, the online retailer, has found that its recommenders are prone to some level of abuse [1].

Different detection methods for profile injection attacks have been proposed recently. Chirita et al. [2] propose an unsupervised detection algorithm based on the statistical characteristics of attack user profiles. Robin Burke et al. [3] further analyze the difference in statistical characteristics between real user profiles and attack user profiles and propose a detection algorithm based on classification methods. Runa Bhaumik et al. [4] propose a detection algorithm based on SPC (Statistical Process Control). A time series based detection method, which uses the entropy of item ratings for detection, is proposed by Sheng Zhang et al. [5]. Bhaskar Mehta [6] proposed two unsupervised detection algorithms, one based on PCA (Principal Component Analysis) and the other based on PLSA (Probabilistic Latent Semantic Analysis).

In this paper, we focus on increasing the robustness of the recommender attack detection system. Robustness is as important as detection accuracy. Four new detection features are proposed, and an L-GEM based classifier construction method is used to make the detection classifier more robust.

The rest of the paper is organized as follows. Section 2 introduces the attack models. Adversarial learning is described in Section 3. Section 4 introduces the Localized Generalization Error Model (L-GEM). Section 5 proposes the new detection features. Section 6 discusses the experiments and the results.

2. Attack Models

An attack model is an approach to constructing an attack profile. An attack profile is an m-dimensional vector whose elements are the ratings of the items in the recommender system, where m is the total number of items in the system. The general form of an attack profile is shown in Figure 1.

Figure 1. The general form of an attack profile [7]: the profile vector is divided into $I_S$ (ratings $\delta(i)$ for the k selected items), $I_F$ (ratings $\sigma(i)$ for the l filler items), $I_\emptyset$ (null ratings for the unrated items in the attack profile) and the target item $i_t$ with rating $\gamma(i_t)$.

The profile consists of four parts: $I_S$, $I_F$, $I_\emptyset$ and $i_t$. $I_S$ represents the selected item set, which contains the ratings specified by the function $\delta$. $I_F$ is the filler item set, which stores the ratings specified by the function $\sigma$. $I_\emptyset$ is the null item set, representing the items not rated in the profile. $i_t$ represents the target item, whose rating is specified by the function $\gamma$. A specific attack model is a strategy for selecting the items in $I_S$ and $I_F$ and the functions $\gamma$, $\delta$, $\sigma$.

The random attack [12] is a simple attack model. In the random attack, $I_S$ is empty, $I_F$ is selected randomly and the ratings assigned to $I_F$ are based on the overall distribution of user ratings in the database. The average attack [12] is similar to the random attack, but the ratings assigned to $I_F$ are based on the distribution of ratings for each item. The bandwagon attack [13] is also similar to the random attack; the difference is that $I_S$ is not empty and contains a few of the most popular items in a particular domain, which are given high ratings. The reverse bandwagon attack [14] is a variation of the bandwagon attack: $I_S$ contains a few of the least popular items in a particular domain, which are given low ratings.

3. Adversarial Learning

Pattern classification systems are currently applied in security applications like intrusion detection in computer networks, spam filtering and biometric identity recognition. Such systems may be attacked by adversaries who maliciously modify the data to evade the classifier. Adversarial learning research can be divided into three aspects:

1. Identifying vulnerabilities of pattern recognition systems which can be exploited by an adversary to make them ineffective.
2. Evaluating the performance of a classifier in terms of generalization capability and robustness against attacks.
3. Designing robust pattern recognition systems for adversarial environments.

Barreno et al. [8] summarize the different attacks as shown in Table 1. The attacks are classified according to the following three distinct aspects:

1. Causative or exploratory: the attack's influence on the classifier.
2. Integrity or availability: the adversary's security violation.
3. Targeted or indiscriminate: the specificity of the attack.

TABLE 1. THE ATTACK MODEL PROPOSED IN [8]

|             |                | Integrity                                                    | Availability                                                               |
| Causative   | Targeted       | Permit a specific intrusion                                  | Create sufficient errors to make system unusable for one person or service |
| Causative   | Indiscriminate | Permit at least one intrusion                                | Create sufficient errors to make classifier unusable                       |
| Exploratory | Targeted       | Find a permitted intrusion from a small set of possibilities | Find a set of points misclassified by the classifier                       |
| Exploratory | Indiscriminate | Find a permitted intrusion                                   |                                                                            |

From the point of view of the influence on the classifier, attacks can be causative or exploratory. In a causative attack, the adversary attacks the classifier in the training phase, while in an exploratory attack the adversary carries out attacks in the operation phase to gain further knowledge about the classifier. On the other hand, in an integrity attack, the adversary's goal is to make the classification system misclassify malicious samples. The goal of an availability attack is to make the system generate a lot of false alarms. According to the attack target of the adversary, attacks can be separated into targeted and indiscriminate types. Adversaries focus on a specific set of malicious samples in a targeted attack. In an indiscriminate attack, the adversary focuses on all malicious samples.

4. Localized Generalization Error Model (L-GEM)

The Localized Generalization Error Model was proposed in [9]. Instead of computing the generalization error of unseen samples in the entire input space, the L-GEM computes it in the Q-neighborhoods of the training samples and provides an upper bound. The definition of the Q-neighborhood of a training sample $x_b$ is depicted as follows:

The fundamental idea of L-GEM is that one cannot expect a classifier to classify well unseen samples that are completely different from the training samples.

The definition of the Localized Generalization Error of a continuous-output valued classifier is depicted below:

$$R_{SM}(Q) = \int_{S_Q} \big( f(x) - F(x) \big)^2 \, p(x) \, dx \qquad (2)$$

where $x$ is the input vector, $f(x)$ is the classifier output, $F(x)$ is the true output, $p(x)$ is the true (unknown) probability density function of the input $x$, and $S_Q$ is the union of all $S_Q(x_b)$. For $R_{SM}(Q)$, the L-GEM gives an upper bound $R^*_{SM}$. With probability $1-\eta$, we have:

$$R_{SM}(Q) \le \left( \sqrt{R_{emp}} + \sqrt{E_{S_Q}\big((\Delta y)^2\big)} + A \right)^2 + \varepsilon = R^*_{SM}(Q) \qquad (3)$$

where $\varepsilon = B\sqrt{\ln \eta / (-2N)}$, $R_{emp}$ is the training MSE and $E_{S_Q}((\Delta y)^2)$ is the stochastic sensitivity measure (ST-SM) of the classifier; $A$ is the difference between the maximum and minimum values of the outputs and $B$ is the maximum possible value of the MSE.

The ST-SM of an RBFNN is calculated as follows:

where $\varphi_j = (w_j)^2 \exp\left( \frac{\mathrm{Var}(s)}{2 v_j^4} - \frac{E(s)}{v_j^2} \right)$, $\varsigma_j = \varphi_j / v_j^2$, $s_j = \|x - u_j\|^2$,

$E(s) = \sum_{i=1}^{N} \left( \sigma_{x_i}^2 + (\mu_{x_i} - u_{ji})^2 \right)$, $\nu_j = \varphi_j \left( \sum_{i=1}^{N} \big( \sigma_{x_i}^2 + (\mu_{x_i} - u_{ji})^2 \big) / v_j^2 \right)$,

$\mathrm{Var}(s) = \sum_{i=1}^{N} \Big[ E_V\big[(x_i - \mu_{x_i})^4\big] + 4\sigma_{x_i}^2 (\mu_{x_i} - u_{ji})^2 + 4 E_V\big[(x_i - \mu_{x_i})^3\big] (\mu_{x_i} - u_{ji}) - (\sigma_{x_i}^2)^2 \Big]$

where $\mu_{x_i}$ and $\sigma_{x_i}^2$ denote the mean and the variance of the $i$th feature, respectively. Table 2 gives the L-GEM based RBFNN training algorithm [9]. In this algorithm, the number of hidden neurons yielding the minimum $R^*_{SM}$ is adopted.

TABLE 2. L-GEM BASED RBFNN TRAINING

1) M = 2;
2) Train an RBFNN with M hidden neurons;
3) Compute its $R^*_{SM}$;
4) If M < N, set M = M + 1 and go to step 2;
5) Output the RBFNN yielding the minimum $R^*_{SM}$.
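As an added derivation (not from the paper), the $\mathrm{Var}(s)$ term of the ST-SM in Section 4 is simply the variance of $s = \sum_i (x_i - u_{ji})^2$ under the assumption that the input features are independent, so each of its four terms can be checked against the expansion:

$$
\begin{aligned}
\mathrm{Var}(s) &= \sum_{i=1}^{N} \mathrm{Var}\big((x_i - u_{ji})^2\big)
 = \sum_{i=1}^{N} \Big( E\big[(x_i - u_{ji})^4\big] - \big(E[(x_i - u_{ji})^2]\big)^2 \Big). \\[4pt]
\text{With } z_i &= x_i - \mu_{x_i} \;(E[z_i]=0,\; E[z_i^2]=\sigma_{x_i}^2) \text{ and } d_i = \mu_{x_i} - u_{ji}: \\
E\big[(z_i + d_i)^2\big] &= \sigma_{x_i}^2 + d_i^2 \quad\text{(the summand of } E(s)\text{)}, \\
E\big[(z_i + d_i)^4\big] &= E[z_i^4] + 4 d_i E[z_i^3] + 6 d_i^2 \sigma_{x_i}^2 + 4 d_i^3 E[z_i] + d_i^4
 = E[z_i^4] + 4 d_i E[z_i^3] + 6 d_i^2 \sigma_{x_i}^2 + d_i^4, \\
\big(\sigma_{x_i}^2 + d_i^2\big)^2 &= (\sigma_{x_i}^2)^2 + 2\sigma_{x_i}^2 d_i^2 + d_i^4, \\[4pt]
\mathrm{Var}(s) &= \sum_{i=1}^{N}\Big[ E\big[(x_i-\mu_{x_i})^4\big] + 4\sigma_{x_i}^2(\mu_{x_i}-u_{ji})^2 + 4E\big[(x_i-\mu_{x_i})^3\big](\mu_{x_i}-u_{ji}) - (\sigma_{x_i}^2)^2 \Big].
\end{aligned}
$$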

5. Proposed Detection Attributes

In this section, detection attributes for the reverse bandwagon attack model are proposed. The reverse bandwagon attack model is used because of its strong attack effect.

5.1. Mean Time Interval (MTI)

The time interval between ratings of genuine users is usually large, since genuine users need time to consider before making decisions. On the other hand, as attackers need to generate a large number of attack profiles in a short time, the time interval between their ratings is relatively short.

The MTI (Mean Time Interval) detection attribute is proposed to capture the time interval between two consecutive ratings, to distinguish genuine and attack profiles. The formula of MTI is shown as follows:

$$\mathrm{MTI}_u = \log\left( \frac{1}{n_u} \sum_{i=2}^{n_u} \left| t_i - t_{i-1} \right| \right) \qquad (4)$$

where $n_u$ denotes the number of ratings of user $u$ and $t_i$ denotes the time of the $i$th rating.

5.2. Weighted User Rating Distribution (WURD)

According to the definition of the reverse bandwagon attack model, items with low ratings are relatively more numerous than items with high ratings. The WURD attribute uses a weighting function to emphasize the probability of low ratings. The formula of WURD is shown as follows:

$$\mathrm{WURD}_u = \sum_{i=1}^{n} f(i)\,\frac{N_u(i)}{N_u}, \qquad f(i) = \frac{1}{1 + e^{\,i-1}} \qquad (6)$$

where $n$ is the highest rating score, $f(i)$ is the weighting function, $N_u$ is the number of ratings of user $u$ and $N_u(i)$ is the number of items with rating score $i$ for user $u$.

5.3. User Similarity Distribution Center (USDC)

For a specific user $u$, the similarities between $u$ and all other users follow a Gaussian distribution. As attack users are generated randomly, they may deviate from the distribution of normal users. The USDC detection attribute computes the center of this Gaussian distribution for each user. The formula of USDC is shown as follows:

$$\mathrm{USDC}_u = w_{u,v} \quad\text{such that}\quad P(w_{u,i} \le w_{u,v}) = 0.5,\; i \in U \qquad (7)$$

where $w_{u,v}$ denotes the similarity of users $u$ and $v$, computed using the cosine function.

5.4. Improved Weighted Degree of Similarity with Top-N Neighbors (IDegSim')

The IDegSim' detection attribute is an improved version of the Weighted Degree of Similarity with Top-N Neighbors (DegSim') [10]. In DegSim', the absolute threshold cannot distinguish high-filler profiles from low-filler profiles. In IDegSim', an improved ratio threshold is proposed. The formula of IDegSim' is shown as follows:

where $w_{u,v}$ denotes the similarity of users $u$ and $v$, computed using the cosine function; $n$ is the number of neighbors of user $u$; $neighbor(u)$ denotes the neighbors of user $u$; $|I_{u,v}|$ denotes the number of items rated in common by users $u$ and $v$.
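As an added example (not code from the paper), the following Python computes the MTI, WURD and USDC attributes of Sections 5.1 to 5.3 over a small constructed rating set with three genuine-looking profiles and two reverse-bandwagon-style profiles. Cosine similarity over full sparse rating vectors and the use of the lower median for USDC are assumptions; all timestamps and ratings are constructed.

```python
"""Added example: MTI, WURD and USDC detection attributes (Sections 5.1-5.3)."""
import math
import statistics
from typing import Dict, List, Tuple

Profile = List[Tuple[int, int, int]]  # (item_id, rating, timestamp in seconds)

# Constructed sample data. alice/bob/carol rate over days with mixed scores;
# atk1/atk2 are constructed reverse-bandwagon-style profiles: lowest score on
# the unpopular items 8 and 9, filler ratings around 3, all submitted seconds apart.
RATINGS: Dict[str, Profile] = {
    "alice": [(1, 4, 0), (2, 5, 86400), (3, 3, 200000), (4, 2, 400000)],
    "bob":   [(1, 5, 1000), (3, 4, 90000), (5, 1, 300000), (6, 3, 500000)],
    "carol": [(2, 3, 5000), (4, 4, 120000), (6, 5, 260000), (7, 2, 420000)],
    "atk1":  [(8, 1, 600000), (9, 1, 600005), (1, 3, 600010), (2, 2, 600015)],
    "atk2":  [(8, 1, 600100), (9, 1, 600103), (3, 3, 600106), (5, 2, 600109)],
}
MAX_RATING = 5  # n in equation (6)


def mti(profile: Profile) -> float:
    """Equation (4): log of the mean gap between consecutive rating timestamps."""
    times = sorted(t for _, _, t in profile)
    n_u = len(times)
    total = sum(abs(times[i] - times[i - 1]) for i in range(1, n_u))
    if n_u < 2 or total == 0:
        return float("-inf")  # single rating, or all at once: no measurable interval
    return math.log(total / n_u)


def weight(i: int) -> float:
    """f(i) of equation (6): decreasing in i, so low scores weigh most."""
    return 1.0 / (1.0 + math.exp(i - 1))


def wurd(profile: Profile) -> float:
    """Equation (6): weighted distribution of the user's rating scores."""
    n_u = len(profile)
    counts = {i: 0 for i in range(1, MAX_RATING + 1)}
    for _, r, _ in profile:
        counts[r] += 1
    return sum(weight(i) * counts[i] / n_u for i in counts)


def cosine(a: Dict[int, int], b: Dict[int, int]) -> float:
    """Cosine similarity of two sparse rating vectors (unrated items count as 0)."""
    dot = sum(r * b[i] for i, r in a.items() if i in b)
    na = math.sqrt(sum(r * r for r in a.values()))
    nb = math.sqrt(sum(r * r for r in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def usdc(user: str, ratings: Dict[str, Profile]) -> float:
    """Equation (7): the similarity at the centre of the w_{u,v} distribution (v != u)."""
    vectors = {u: {item: r for item, r, _ in p} for u, p in ratings.items()}
    sims = [cosine(vectors[user], vectors[v]) for v in ratings if v != user]
    return statistics.median_low(sims)  # lower median keeps an actual w_{u,v} value


def detection_attributes(ratings: Dict[str, Profile]) -> Dict[str, Dict[str, float]]:
    """One feature vector per user, ready to feed a classifier such as the paper's RBFNN."""
    return {
        u: {"MTI": mti(p), "WURD": wurd(p), "USDC": usdc(u, ratings)}
        for u, p in ratings.items()
    }


if __name__ == "__main__":
    for user, feats in detection_attributes(RATINGS).items():
        print(user, {k: round(v, 4) for k, v in feats.items()})
```

On this constructed set the attack profiles score lower on MTI and higher on WURD than the genuine ones; USDC on five users is too small a sample to separate anything, which is why the paper combines the attributes in a classifier.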

6. Experiments

6.1. Dataset

The MovieLens 100K dataset, which was collected by the GroupLens research project [15], is used to evaluate the proposed method. The MovieLens 100K dataset contains 100,000 movie ratings for 1682 items from 943 users. All ratings are integer values between one and five (one for "most dislike" and five for "most like").

6.2. Injection Attack Simulation

Attack user profiles are simulated according to the reverse bandwagon attack model introduced in Section 2. The simulation is controlled by four parameters: 1) the attack size, which indicates how many attack profiles to simulate, 2) the filler size, which indicates how many rated items are in an attack profile, 3) the filler ratio, which indicates the ratio between $I_S$ and $I_F$, and 4) the target item.

Based on the above four parameters, a profile can be divided into four parts, and the ratings assigned to each part can be simulated. According to the definition of the reverse bandwagon attack model, the target item and the items in $I_S$ are given the lowest rating, while the items in $I_F$ are assigned ratings generated from a Gaussian distribution with mean 3.

6.3. New Detection Features Experiment

In this experiment, the proposed detection attributes are evaluated and compared using eight common detection attributes [2,10,11]. The eight attributes are:

1. Standard Deviation in User's Ratings, SDUR
2. Degree of Agreement with the Other Users, DAOU
3. Rating Deviation from Mean Agreement, RDMA
4. Weighted Degree of Agreement, WDA
5. Weighted Deviation from Mean Agreement, WDMA
6. Degree of Similarity with Top-N Neighbors, DegSim
7. Weighted Degree of Similarity with Top-N Neighbors, DegSim'
8. Length Variance, LengthVar

Two datasets with different feature sets are generated: 1) a dataset with only the eight features mentioned above, and 2) a dataset with the eight features mentioned above plus the four proposed features. The corresponding classifiers are denoted by D8 and D8+4. Five different types of classifiers, including KNN, DT, LDF, SVM and MLP, are included in the experiment. Each type of classifier is trained on both datasets (D8 and D8+4) separately.

Figure 2. Detection accuracy for different classifiers (x-axis: classifier type, KNN, DT, LDF, SVM, MLP; y-axis: detection accuracy in percent, from 86.00 to 100.00)

Figure 2 shows the result of the experiment. The X and Y axes represent the type of classifier and the detection accuracy. The proposed features improve accuracy by 3% on average over all classifiers. For DT, the improvement (4.7%) is the most significant among the classifiers.

6.4. Robustness Comparison

In adversarial learning, an adversary misleads a classifier into making a wrong decision on a malicious sample by changing the feature values of the malicious sample. Such an adversarial environment is simulated in this section.

TABLE 3. ATTACK PROCEDURE

Input: X = [x_1, x_2, ..., x_n] (malicious sample), Y = [y_1, y_2, ..., y_n] (normal sample)
Output: X' (one change of X according to Y)
1) I_max = argmax_i (|x_i - y_i|);
2) Randomly select an index j from I_max;
3) if (x_j > y_j) then x_j = x_j - 1; else x_j = x_j + 1;
4) Return X;

Table 3 shows the algorithm for modifying a sample in a collaborative filtering recommender system. X and Y are a malicious sample and a legitimate sample respectively. The objective of the algorithm is to make X get close to Y. The most different values between X and Y are selected as I_max. One of these values is selected randomly, and the corresponding value in X is changed to get nearer to Y.

In the experiment, the 12 features mentioned in the previous experiment are applied. A traditional RBFNN is used for comparison with the RBFNN with L-GEM in terms of robustness. Figure 3 shows the result.

Figure 3. Robustness curves (y-axis: decline of detection accuracy, from 0 to 0.04; series: L-GEM based RBFNN and normal RBFNN)

In Figure 3, the x-axis represents the number of changes made to each malicious sample. A larger value means a greater attack strength. For example, 100 on the x-axis denotes that all the malicious samples have been changed 100 times using the algorithm in Table 3. The y-axis denotes the decline of the detection accuracy. The blue line denotes the L-GEM based RBFNN, and the red line denotes the normal RBFNN.

When the attack size is between 0 and 250, the RBFNN with L-GEM achieves a smaller accuracy decline than the traditional RBFNN. However, the performances are similar when the attack size increases further. The experimental result shows that L-GEM helps to resist attacks of small intensity.
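As an added example (not from the paper), the following Python implements the Table 3 procedure and uses it to trace a robustness curve of the kind shown in Figure 3 for a constructed detector. The nearest-centroid classifier stands in for the paper's RBFNN, the integer feature vectors are constructed, and pairing each malicious sample with one randomly chosen legitimate sample is an assumption.

```python
"""Added example: Table 3 sample modification and a robustness curve (Section 6.4)."""
import random
from typing import List, Optional, Sequence

Vector = List[int]

# Constructed integer feature vectors (think of discretised detection attributes).
NORMAL: List[Vector] = [[9, 2, 5], [8, 3, 4], [10, 2, 6], [9, 3, 5]]
MALICIOUS: List[Vector] = [[2, 8, 1], [1, 9, 2], [3, 8, 1], [2, 9, 2]]


def modify_sample(x: Sequence[int], y: Sequence[int],
                  rng: Optional[random.Random] = None) -> Vector:
    """Table 3: move one coordinate of X with maximal |x_i - y_i| one unit toward Y."""
    rng = rng or random.Random(0)
    x = list(x)
    diffs = [abs(a - b) for a, b in zip(x, y)]
    max_diff = max(diffs)
    if max_diff == 0:
        return x  # X already equals Y: nothing left to change (edge case)
    i_max = [i for i, d in enumerate(diffs) if d == max_diff]  # step 1
    j = rng.choice(i_max)                                       # step 2
    x[j] += -1 if x[j] > y[j] else 1                            # step 3
    return x                                                    # step 4


def centroid(samples: Sequence[Sequence[int]]) -> List[float]:
    dims = len(samples[0])
    return [sum(s[k] for s in samples) / len(samples) for k in range(dims)]


class NearestCentroid:
    """Stand-in detector (assumption: the paper trains an RBFNN instead)."""

    def __init__(self, normal: Sequence[Sequence[int]], malicious: Sequence[Sequence[int]]):
        self.c_normal = centroid(normal)
        self.c_malicious = centroid(malicious)

    def is_malicious(self, x: Sequence[int]) -> bool:
        def dist2(c: Sequence[float]) -> float:
            return sum((a - b) ** 2 for a, b in zip(x, c))
        return dist2(self.c_malicious) < dist2(self.c_normal)


def detection_rate(clf: NearestCentroid, malicious: Sequence[Sequence[int]]) -> float:
    """Fraction of malicious samples the detector still flags."""
    return sum(clf.is_malicious(x) for x in malicious) / len(malicious)


def robustness_curve(clf: NearestCentroid, malicious: Sequence[Sequence[int]],
                     normal: Sequence[Sequence[int]], steps: int, seed: int = 0) -> List[float]:
    """Decline in detection accuracy after 0..steps applications of Table 3 per sample."""
    rng = random.Random(seed)
    current = [list(x) for x in malicious]
    targets = [rng.choice(normal) for _ in malicious]  # one legitimate Y per X (assumption)
    base = detection_rate(clf, current)
    decline = []
    for _ in range(steps + 1):
        decline.append(base - detection_rate(clf, current))
        current = [modify_sample(x, y, rng) for x, y in zip(current, targets)]
    return decline


if __name__ == "__main__":
    detector = NearestCentroid(NORMAL, MALICIOUS)
    for k, d in enumerate(robustness_curve(detector, MALICIOUS, NORMAL, 25)):
        print(f"changes={k:2d}  accuracy decline={d:.2f}")
```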

7. Conclusions

This paper proposes four novel features for collaborative filtering. The features are useful for improving the accuracy of collaborative filtering recommender systems. Moreover, an RBFNN with L-GEM has been applied. Experimental results show that the RBFNN with L-GEM is more robust than the plain RBFNN in an adversarial environment when the attack size is small.

Acknowledgements

This work is supported by the National Natural Science Foundation of China (61003171 and 61003172), the Fundamental Research Funds for the Central Universities 2011ZM0066 and a Program for New Century Excellent Talents in University (No. NCET-11-0162).

References

[1] S. K. Lam and J. Riedl, "Shilling Recommender Systems for Fun and Profit", Proceedings of the 13th International Conference on World Wide Web, New York, pp. 393-402, 2004.

[2] P. A. Chirita, W. Nejdl, and C. Zamfir, "Preventing Shilling Attacks in On-line Recommender System", Proceedings of the 7th Annual ACM International Workshop on Web Information and Data Management, pp. 67-74, 2005.

[3] R. Burke, B. Mobasher, C. Williams et al., "Detecting Profile Attacking in Collaborative Recommender System", Proceedings of the 8th IEEE International Conference on E-Commerce Technology and the 3rd IEEE International Conference on Enterprise Computing, pp. 23-30, 2006.

[4] R. Bhaumik, C. Williams, B. Mobasher et al., "Securing Collaborative Filtering Against Malicious Attacks Through Anomaly Detection", Proceedings of the 4th Workshop on Intelligent Techniques for Web Personalization, Boston, pp. 50-59, 2006.

[5] S. Zhang, A. Chakrabarti, J. Ford et al., "Attack Detection in Time Series for Recommender Systems", Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 809-814, 2006.

[6] B. Mehta, "Unsupervised Shilling Detection for Collaborative Filtering", Association for the Advancement of Artificial Intelligence, pp. 1402-1407, 2007.

[7] C. A. Williams, B. Mobasher, R. Burke et al., "Detecting Profile Injection Attacks in Collaborative Filtering: A Classification-Based Approach", Advances in Web Mining and Web Usage Analysis, pp. 167-186, 2007.

[8] M. Barreno, B. Nelson, R. Sears, et al., "Can Machine Learning be Secure?", Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, New York, pp. 16-25, 2006.

[9] D. S. Yeung, W. W. Y. Ng, D. Wang, et al., "Localized Generalization Error and Its Application to Architecture Selection for Radial Basis Function Neural Network", IEEE Transactions on Neural Networks, Vol. 18, pp. 1294-1305, 2007.

[10] R. Burke, B. Mobasher, C. Williams, et al., "Classification Features for Attack Detection in Collaborative Recommender Systems", Proceedings of the 12th ACM SIGKDD International Conference, pp. 542-547, 2006.

[11] A. M. Rashid, J. Riedl, "Influence in Ratings-based Recommender Systems: An Algorithms-Independent Approach", Proceedings of the SIAM International Conference on Data Mining, 2005.

[12] S. K. Lam, J. Riedl, "Shilling recommender systems for fun and profit", Proceedings of the 13th International Conference on World Wide Web, pp. 393-402, 2004.

[13] R. Burker, B. Mobasher, I. R. Zabick, et al., "Identifying attack models for secure recommendation", Proceedings of the International Conference on Intelligent User Interfaces, pp. 347-361, 2005.

[14] B. Mobasher, R. Burke, R. Bhaumik, et al., "Attacks and Remedies in Collaborative Recommendation", IEEE Intelligent Systems, pp. 56-63, 2007.

[15] http://www.grouplens.org/node/73