Upload
phamnhan
View
216
Download
0
Embed Size (px)
Citation preview
Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian, 15-17 July, 2012
COLLABORATIVE FILTERING RECOMMENDER SYSTEM IN ADVERSARIAL ENVIRONMENT
HUI YU, FEI ZHANG
Machine Learning and Cybernetics Research Center, School of Computer Science and Engineering, South China University of Technology, Guangzhou 510006, China E-MAIL: [email protected]@qq.com
Abstract: Collaborative tIltering recommender system is wildly
used in e-commerce system. According to the pro tIles of user
or items, a collaborative tIltering recommender system
recommends items to targeted customers according to the
preferences of their similar customers. It provides customer
useful relevant information. Unfortunately, the recommender
system is vulnerable to protIle injection attacks. In the pro tIle
inject attack, the similar user protIles are manipulated by
injecting a large number of fake protIles into the system. In this paper, four new attributes for the injection attack
detection are proposed. We also discuss the protIle injection attacks in adversarial learning environment. By applying the
Localized Generalization Error Model (L-GEM), a more
robustness attack protIle detection system is proposed.
Experimental results show that L-GEM based detection
classifier has better robustness.
Keywords: Collaborative tIltering recommender; protIle injection
attack; Localized Generalization Error Model (L-GEM);
adversarial leaning; robustness
1. Introduction
Collaborative filtering recommender systems are wildly applied in e-commerce systems, for example, eBay and Amazon. A profile is created for each customer (item) according to the similarity of other customers (item) in the system. According to the profiles, collaborative filtering recommender system recommends items to target customers according to the preferences of their similar customers. The systems not only help users to find preferred items conveniently but are also beneficial to companies by generating profits.
There are two major types of algorithms for collaborative filtering (CF): the user-based and the item-based. User-based algorithms find out the most similar neighbors of a target user based on the similarity of ratings. The products having the highest ratings from the neighbors
978-1-4673-1487-9/12/$31.00 ©2012 IEEE
are recommended to the target user. For item-based algorithms, when a customer is interested in an item, its similar items are also be introduced to the customer.
As anyone can register as an user in collaborative filtering recommender systems, malicious users can attack systems by injecting a number of biased profiles, which is named the "shilling" attack or the "profile injecting" attack. In 2001, Sony Pictures admitted that it used fake quotes from non-existent movie critics to promote a number of newly released films[l]. Amazon. com, the online retailer, has found that its recommenders are prone to some levels of abuse [I].
Different detection methods of profile injection attacks are proposed recently. Chirita et al. [2] propose an attack user profile statistical characteristics based unsupervised detection algorithm. Robin Burke et al. [3] further analyze the difference of statistical characteristics between real user profiles and attack user profiles and proposed the detection algorithm basing classification methods. Runa Bhaumik et al. [4] propose the detection algorithm basing SPC (Statistical Process Control). The time series based detection method which using the item ratings' entropy to make detection is proposed by Sheng Zhang et al. [5]. Bhaskar Mehta[6] proposed two unsupervised detection algorithms, one is basing PCA (Principal Component Analysis) and the other is basing PLSA (Probabilistic Latent Semantics Analysis).
In this paper, we focus on increasing the robustness of the recommender attack detection system. Robustness is the same important as the detection accuracy. Four new detection features is proposed and a L-GEM based classifier construction method is used to make the detection classifier more robustness.
The rest of the paper is organized as follows. Section 2 introduces the attack models. Adversarial learning is described in Section 3. Section 4 introduces the Localized Generalization Error Model (L-GEM). Section 5 proposes the new detection features. Section 6 discusses the
400
Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian, 15-17 July, 2012
experiments and the results.
2. Attack Models
An attack model is an approach to construct attack profile. An attack profile is an m-dimensional vector with elements being the ratings of items in recommender system and m is the total number of items in the system. The general form of attack profile is shown in figure 1.
t' , ... ·s 'k
8 (ij') ... 8(i;)
Ralings for k selected items
·F ·F ·0 i� i, " ... " " . ..
a (it) ... a(it) "ull null null y (i,)
Rarings for J Unraled items in Rating for the Jiller items tbe attack profile target item
Figure 1. The geueral form of au attack profile [7]
The profile consists of four parts, Is, IF' 10 and
it. Is represents the selected item set which contains the
ratings specified by function o. IF is the filler item set
which stores the ratings specified by function u. 10 is
the null item set representing the items not be rated in the
profile. it represents the target item which contains a
rating is specified by function r. A specific attack model
is a strategy to select the items in Is and IF and the
functions r, 0, u.
The random attack[12] is a simple attack model. In
random attack, Isis empty, IF is selected randomly and
the ratings assigned to IF is based on the overall
distribution of user ratings in the database. The average attack[12] is similar to the random attack but he ratings
assigned to IF is based on the distribution of ratings for
each item in the average attack. The bandwagon attack[13] is also similar to the random attack. The difference is that the Isis not empty and contains a few of most popular items
in a particular domain and be given high ratings. The Reverse bandwagon attack[14] is a variation of the
bandwagon attack. Is contains a few of most not popular
items in a particular domain and be given low ratings.
401
3. Adversarial Learning
Pattern classification systems are currently applied in security applications like intrusion detection in computer networks, spam filtering and biometric identity recognition. Such problems may be attacked by adversaries by maliciously modifying the data to evade the classifier system. Adversarial learning research content could be divided into three aspects: 1. Identifying vulnerabilities of pattern recognition
systems which can be exploited by an adversary to make them ineffective.
2. Evaluating the performance of a classifier in terms of generalization capability and robustness against attacks.
3. Designing robust pattern recognition systems in adversarial environments. Barreno et al. [8] summary the different attacks shown
in Table 1. The attacks are classified according to the following three distinct aspects: 1. Causative or exploratory: attack influence on the
classifier. 2. Integrity or availability: adversary's security violation. 3. Targeted or indiscriminate: specificity of the attack.
TABLE 1. THE ATTACK MODEL PROPOSED IN [8)
Integrity Availability Targeted Pennit a Create
specific sufficient intrusion errors to make
system unusable for
Causative one person or service
Indiscriminate Pennit at least Create one intrusion sufficient
errors to make classifier unusable
Targeted Find a Find a set of permitted points intrusion from misclassified
Exploratory a small set of by the possibilities classifier
Indiscriminate Find a permitted intrusion
Under the point of the influence of the classifier, attacks could be causative or exploratory. In causative attack, the adversaries attack the classifier in the training phase, while the adversaries carry out attacks at operation phase to gain further knowledge about the classifier for exploratory attack,. On the other hand, in integrity attack, the goal adversary is to cause the classification system
Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian, 15-17 July, 2012
misclassifies malicious samples. The goal of availability s to let the system generates a lot of false alarms. According to the attack target of adversary, attacks can be separated into targeted or indiscriminate type. Adversaries focus on a set of malicious samples in targeted attack. In indiscriminate attack, adversary focuses on all malicious samples.
4. Localized Generalization Error Model (L-GEM)
Localized Generalization Error Model was proposed in [9]. Instead of computing the generalization error of unseen samples in the entire space, the L-GEM computes it in the Q-neighborhoods of the training samples and provides an upper bound. The definition of the Q-neighbor of a training
sample (Xb ) is depicted as follows:
The fundamental idea of L-GEM is that one cannot expect a classifier to make a good classification of the unseen samples completely different from the training samples.
The definition of Localized Generalization Error of a continuous-output valued classifier is depicted is below:
RSM (Q) = r (iii ( X ) - F ( x ) r P ( x ) dx JSQ (2)
where X is the input vector, F (x) is the true output,
p( x) IS true unknown probability density function of
input X and SQ is the union of all SQ(Xb)' For the
RSM (Q), the L-GEM could give an upper bound R;M' With a probability 1-17 , we have:
RSM(Q) � ( �Remp + �EsQ ((! .. y)2 ) + A )2 + c = R;MCQ) (3)
where [; = B �ln 17 / ( -2N), Remp is the training MSE
and ESQ (( �y)2) is the stochastic sensitivity measure
(ST-SM) of the classifier; A is the difference between the maximum and minimum values of the outputs and B is the maximum possible value of the MSE.
ST-SM ofRBFNN is calculated as follows:
where rpj = (Wj)2 exp ( (Var(s) I (2v; ))-(E(s) I vJ)) N
Sj=rpjlv;,Sj=llx-UJ, E(s)=L (O";,+(,uXi -UjY) , i=l Vj =rpj (t(O";, + (,uXi -ujir) /V; )
�[EV[(Xi-,uxY]+ 40";(,ux -ujY 1 Var(s)= L. '
" , i=1 +4Ev[(Xi -,uxY](,uxi -ujJ -(0";')2 where UXj and (J"� denote the average value and the
variance of the ith feature, respectively. Table 2 gives the algorithm of L-GEM based RBFNN
training algorithm[91. In this algorithm, the number of
hidden neurons yielding the minimum RSM is adopted.
TABLE 2. L-GEM BASED RBFNN TRAINING
1) M=2; 2) Train a RBFNN with M hidden neurons;
3) Compute its R;M; 4) If M<N, M=M+1, go to step 2;
5) Output the RBFNN yielding the minimum R;M
5. Proposed Detection Attributes
In this section, the detection attributes for the reverse bandwagon attack model are proposed. The reason of using the reverse bandwagon attack model is due to its effective attack effect.
5.1. Mean Time Interval (MTI)
Time interval between ratings for generic users usually is larger since the generic users need time to consider before making decisions. On the other hand, as attackers need to generate a big number of attack profiles in a short time, time interval between ratings is relative short.
MTI (Mean Time Interval) detection attribute is proposed to capture the rating time interval between two consecutive ratings to distinguish generic and attack profiles. The formula of MTI is shown as follows:
MT1u = log L _i=
"-.j
+_t ---[ 3 I ('z; -'I;-j)j j=1 nu (5)
(4) where nu denotes the number of rating of user u; I;
402
Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian, 15-17 July, 2012
denotes the time of the ith rating.
5.2. Weighted User Rating Distribute (WURD)
According to the defmition of reverse bandwagon attack model, items of low rating are relative more than items with high rating. WURD attribute uses a weighting function to high emphasize the probability of low ratings. The formula of WURD is shown as follows:
WURDu = t,(/(i) N';v�i) J . 1
1(/)= -1 '-1 +e
(6)
where n IS the highest rating score, f(i) IS the
weighting function, Nu is the number of ratings of user U
and Nu (i) is number of items with rating score i for user
u .
5.3. User Similarity Distribution Center (USDC)
For a specific user u, the similarities between u and all other users follow the Gaussian distribution. As the attack users are always generated randomly, they may deviate from the distribution of normal users. USDC detection attribute computes the center of the Gaussian distribution for users. The formula of US DC is shown as follows:
USDCu = wu•v p(wu" ::s; wu,v) = 0.5 i E U (7)
where wu,v denotes the similarity of user U and v,
wu,v is computed used cosine function.
5.4. Improved Weighted Degree of Similarity with Top-N Neighbors (IDegSim')
IDegSim' detection attribute is an improved version of the Weighted Degree of the Similarity with Top-N Neighbors (DegSim') [10]. In DegSim', the absolute threshold cannot distinguish high filler profiles and low filler profiles. In IDegSim', an improved ratio threshold is proposed. The formula of IDegSim' is shown as follows:
n
where wu,v denotes the similarity of user U and v,
wu,v is computed used cosine function; n is the number
of the neighbors of user u; neighbor( u) denotes the
neighbors of the user U; IIu,v I denotes the numbers of
items common rated by user U and V.
6. Experiments
6.1. Dataset
MovieLens lOOK database which was obtained by GroupLens research project[15] is used to evaluate the prop sed method. MovieLens lOOK dataset contains 100,000 movie ratings for 1682 items from 943 users. All ratings are integer values between one and five (one for "most dislike" and 5 for "most like").
6.2. Injection Attack Simulation
Attack user profiles are simulated according to the reverse bandwagon attack model introduced in section 2. The simulation is controlled by four parameters: 1) the attack size which indicates how many attack profiles to simulate, 2) the filler size which indicates how many rated items in an attack profile, 3) the filler ratio which indicates
the ratio between Is and IF' and 4) the target item.
Based on the above four parameters, a profile can be divided into four parts. The ratings assigned to each part can be simulated. According to the definition of reverse
bandwagon attack model, the target item and items in Is are given the lowest rating while the items in IF are
assigned ratings generated from a Gaussian distribution with mean 3.
6.3. New Detection Features Experiment
In this experiment, the proposed detection attributes are evaluated and compared by using eight common detection attributes[2,1O,1l].The eight attributes are:.
1. Standard Deviation in User's Ratings, SDUR 2. Degree of Agreement the Other Users, DAOU 3. Rating Deviation from Mean Agreement, RDMA 4. Weighted Degree of Agreement, WDA 5. Weighted Deviation from Mean Agreement, WDMA 6. Degree of Similarity with Top-N Neighbors, DegSim 7. Weighted Degree of Similarity with Top-N Neighbors,
DegSim'
403
Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian, 15-17 July, 2012
8. Length Variance, Length Var
Two different datasets with different feature set are generated: 1) a dataset with the eight features mentioned above only. and 2) a dataset with the eight features mentioned above and the 4 proposed features. The classifiers are denoted by Ds and DS+4. Five different types of classifiers, including KNN, DT, LDF, SVM and MLP, are included in the experiment. Each type of classifiers are trained both datasets (Ds and DS+4) separately.
100.00
98.00 96 . 97 74 97 6 � 97:,5 .... 96.22
96.00
94.00
92.00
90.00
88.00
86.00
94.93 93.
.... 92. - �
--
- I--- -
KNN SVM MIP
93. 65 93 . 92.
90. - I-- I-- f-- - I-- f-
Dr IDF
Figure 2. Detection accuracy for different classifiers
Figure 2 shows the result of the experiment. The X and Y axis represent the type of classifiers and the detection accuracy. The proposed features improve 3% accuracy in
�verage of a!l c.lassifiers. For DT, the improvement (4.7%) IS the most sIgmficant among other classifiers.
6.4. Robustness Comparison
In the adversarial learning, an adversary misleads a classi�er to make a wrong decision on malicious sample by changmg the features value in the malicious sample. The adversary environment is simulated in this section.
TABLE 3. ATTACK PROCEDURE
Input: X - [x], X2, ... , Xi] (malicious sample), Y = [x], X2, ... , Xi] (normal sample)
Output: X'(one change of X according to Y)
1) I_max = argmaxC lxi - Yi l) i 2) Randomly select a value G) from I_max; 3) if (Xi > yj} then Xi =xi -1; else Xi =xi + 1; 4) Return X;
Table 3 shows the algorithm of modifying a sample in a collaborative filtering recommender system. X and Y are a mali�iou� sample and � legitimate sample respectively. The objectIve of the algonthm is to make X get close to Y.
The most difference values between X and Yare selected as I_max. One of these values is selected randomly. The corresponding value in X is changed to get near to Y.
In the experiment, the 12 feamres mentioned in the previous experiment are applied. Traditional RBFNN is used to compare the performance of RBFNN with L-GEM in term of the robustness. Figure 3 shows the result.
004 ,�-�-�-��-�-�-��----'
0.035 • T A1EM ha�e.rl RRFNN
003 • Normal RRFNN
Figure 3. Robustness curves
. I� Figure 3, x-axis represents the times of changes in malIcIOus sample attack. The larger value means bigger attack strength .For example, 100 in the x-axis denote all the malicious samples are changed 100 times using the the algorithm mentioned in table 3. The y-axis denotes the decline of the detection accuracy. The blue line denotes the L-GEM based RBFNN, and the red line denotes the normal RBFNN.
When the attack size is between 0 to 250, the robustness of the RBFNN with L-GEM achieve smaller accuracy decline than the traditional RBFNN. However, the performances are similar when the attack size increases. The experimental result shows that L-GEM is helpful to resist the small intensity of attack.
7. Conclusions
This paper proposes four novel feamres for
�ollaborative filtering. The features are useful for Improving the accuracy of collaborative filtering recommender systems. Moreover, RBFNN with L-GEM has been applied. Experimental result shows that RBFNN with L-GEM is more robustness than RBFNN m adversarial environment when the attack size is small.
Acknowledgements
This work is supported by National Natural Science
404
Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian, 15-17 July, 2012
Foundation of China (61003171 and 61003172), the Fundamental Research Funds for the Central Universities 2011ZM0066 and a Program for New Century Excellent Talents in University (No. NCET-ll-0162).
References
[1] S. K. Lam and J. Riedl, "Shilling Recommender Systems for Fun and Profit", Proceeding of the 13th
international conference on World Wide Web, New York, pp. 393-402, 2004.
[2] P. A. Chirita, W. Nejdl, and C. Zamfir, "Preventing Shilling Attacks in On-line Recommender System", Proceeding of the 7th Annual ACM International Workshop on Web Information and Data Management, pp. 67-74, 2005.
[3] R. Burke, B. Mobasher, C. Williams et aI., "Detecting Profile Attacking in Collaborative Recommender System", Proceedings of the 8th IEEE International Conference on E-Commerce Technology and the 3rd
IEEE International Conference on Enterprise Computing, pp. 23-30, 2006.
[4] R. Bhaumik, C. Williams, B. Mobasher et aI., "Securing Collaborative Filtering Against Malicious Attacks Through Anomaly Detection", Proceedings of the 4th Workshop on Intelligent Techniques for Web Personalization, Boston, pp. 50-59, 2006.
[5] S. Zhang, A. Chakrabarti, J. Ford et aI., "Attack Detection in Time Series for Recommender Systems", Proceedings of the 12th ACM SiGKDD International Conference on Knowledge Discovery and Data Mining, pp. 809-814, 2006.
[6] B. Mehta, "Unsupervised Shilling Detection for Collaborative Filtering", Association for the Advancement of Artificial Intelligence, pp. 1402-1407, 2007.
405
[7] C. A. Williams, B. Mobasher, R. Burke et aI., "Detecting Profile Injection Attacks in Collaborative Filtering: A Classification-Based Approach", Advances in Web Mining and Web Usage Analysis, pp. 167-186, 2007.
[8] M. Barreno, B. Nelson, R. Sears, et aI., "Can Machine Learning be Secure?", Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, New York, pp. 16-25, 2006.
[9] D. S. Yeung, W. W. Y. Ng, D. Wang, et aI., "Localized Generalization Error and Its Application to Architecture Selection for Radial Basis Function Neural Network", IEEE Trans. On Neural Network, Vol. 18, pp. 1294-1305, 2007.
[10] R. Burke, B. Mobasher, C. Williams, et aI., "Classification Features for Attack Detection in Collaborative Recommender Systems", Proceeding of the 12th ACM SIGKDD International Conference, pp. 542-547, 2006.
[11] A. M. Rashid, J. Riedl, "Influence in Ratings-based Recommender Systems: An Algorithms-Independent Approach", Proceedings of SIAM International Conference on Data Mining, 2005.
[12] S. K. Lam, J. Riedl, "Shilling recommender systems for fun and profit", Proceeding of the 13th International Conference on World Wide Web, pp. 393-402, 2004:
[13] R. Burker, B. Mobasher, I. R. Zabick, et aI., "Identifying attack models for secure recommendation", Proceeding of the International Conference on Intelligent User Interfaces, pp.347-361, 2005.
[14] B. Mobasher, R. Burke, R. Bhaumik, et aI., "Attacks and Remedies in Collaborative Recommendation", IEEE Intelligent Systems, pp. 56-63, 2007.
[15] http://www.grouplens.org/node/73