Tutorial on Robustness of Recommender Systems

  • View
    2.975

  • Download
    3

Embed Size (px)

DESCRIPTION

Tutorial given at ACM RecSys 2011 on robustness of recommender algorithms to profile injection / sybil attacks.

Text of Tutorial on Robustness of Recommender Systems

  • 1.Tutorial on Robustness of Recommender Systems Tutorial on Robustness of RecommenderSystems Neil HurleyComplex Adaptive System Laboratory Computer Science and Informatics University College DublinClique Strategic Research Cluster clique.ucd.ieOctober 2011RecSys 2011: Tutorial on Recommender Robustness

2. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness? Prole Injection Attacks Relevance of Robustness Measuring RobustnessRecSys 2011: Tutorial on Recommender Robustness 3. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness?Prole Injection AttacksRelevance of RobustnessMeasuring Robustness 2 Attack StrategiesAttacking kNN AlgorithmsRecSys 2011: Tutorial on Recommender Robustness 4. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness?Prole Injection AttacksRelevance of RobustnessMeasuring Robustness 2 Attack StrategiesAttacking kNN Algorithms 3 Attack DetectionPCA-based Attack DetectionStatistical Attack DetectionCost-Benet AnalysisRecSys 2011: Tutorial on Recommender Robustness 5. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness?Prole Injection AttacksRelevance of RobustnessMeasuring Robustness 2 Attack StrategiesAttacking kNN Algorithms 3 Attack DetectionPCA-based Attack DetectionStatistical Attack DetectionCost-Benet Analysis 4 Robustness of Model-based AlgorithmsRecSys 2011: Tutorial on Recommender Robustness 6. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness?Prole Injection AttacksRelevance of RobustnessMeasuring Robustness 2 Attack StrategiesAttacking kNN Algorithms 3 Attack DetectionPCA-based Attack DetectionStatistical Attack DetectionCost-Benet Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation AlgorithmsProvably Manipulation Resistant AlgorithmsRecSys 2011: Tutorial on Recommender Robustness 7. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness? Prole Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benet Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and PrivacyRecSys 2011: Tutorial on Recommender Robustness 8. Tutorial on Robustness of Recommender SystemsWhat is Robustness?Outline 1 What is Robustness? Prole Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benet Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and PrivacyRecSys 2011: Tutorial on Recommender Robustness 9. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksOutline 1 What is Robustness?Prole Injection AttacksRelevance of RobustnessMeasuring Robustness 2Attack StrategiesAttacking kNN Algorithms 3Attack DetectionPCA-based Attack DetectionStatistical Attack DetectionCost-Benet Analysis 4Robustness of Model-based Algorithms 5Attack Resistant Recommendation AlgorithmsProvably Manipulation Resistant Algorithms 6Stability, Trust and PrivacyRecSys 2011: Tutorial on Recommender Robustness 10. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksDening the ProblemRecommender Systems use personal information aboutend-users to make useful personalised recommendations.When ratings are provided explicitly, recommender algorithmshave been designed on the assumption that the providedinformation is correct.However . . .One can have, some claim, as many electronic per-sonas as one has time and energy to createJudith Donath (1998) as quoted in Douceur (2002)How does the system perform if multiple identities are used totry to deliberately bias the recommender output?RecSys 2011: Tutorial on Recommender Robustness 11. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksDening the ProblemIn 2002, John Douceur of Microsoft Research coined the termSybil Attack to refer to an attack against identity onpeer-to-peer systems in which an individual entitymasquerades as multiple separate entitiesIf the local entity has no direct physical knowledge of remote entities, it perceives them onlyas informational abstractions that we call identities. The system must ensure that distinctidentities refer to distinct entities; otherwise, when the local entity selects a subset of identitiesto redundantly perform a remote operation, it can be duped into selecting a single remoteentity multiple times, thereby defeating the redundancyIn the same year, the rst paper (OMahony et al. 2002)appeared on the vulnerability of Recommender Systems tomalicious strategies for recommendation promotion laterdubbed prole injection attacks.RecSys 2011: Tutorial on Recommender Robustness 12. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksDening the ProblemRobustness refers to the ability of a system to operate understressful conditions.While there are many possible stresses that can be applied toRecommender Systems, research on RS robustness hasfocused on performance when the dataset is stressedspecically whenthe dataset is full of noisy, erroneous data;typically, imagined to have been corrupted through a concertedsybil attack, with an aim of biasing the recommender output.RecSys 2011: Tutorial on Recommender Robustness 13. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksRobust RS ResearchThe goal of robust recommendation is to prevent attackersfrom manipulating an RS through large-scale insertion of falseuser proles: a prole injection attackRecSys 2011: Tutorial on Recommender Robustness 14. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksRobust RS ResearchThe goal of robust recommendation is to prevent attackersfrom manipulating an RS through large-scale insertion of falseuser proles: a prole injection attackAn attack is a concerted eort to bias the results of arecommender system by the insertion of a large number ofproles using false identities or sybils.RecSys 2011: Tutorial on Recommender Robustness 15. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksRobust RS ResearchThe goal of robust recommendation is to prevent attackersfrom manipulating an RS through large-scale insertion of falseuser proles: a prole injection attackAn attack is a concerted eort to bias the results of arecommender system by the insertion of a large number ofproles using false identities or sybils.Each identity is referred to as an attack prole.RecSys 2011: Tutorial on Recommender Robustness 16. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksRobust RS ResearchThe goal of robust recommendation is to prevent attackersfrom manipulating an RS through large-scale insertion of falseuser proles: a prole injection attackAn attack is a concerted eort to bias the results of arecommender system by the insertion of a large number ofproles using false identities or sybils.Each identity is referred to as an attack prole.Research has concentrated on attacks designed to achieve aparticular recommendation outcomeRecSys 2011: Tutorial on Recommender Robustness 17. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksRobust RS ResearchThe goal of robust recommendation is to prevent attackersfrom manipulating an RS through large-scale insertion of falseuser proles: a prole injection attackAn attack is a concerted eort to bias the results of arecommender system by the insertion of a large number ofproles using false identities or sybils.Each identity is referred to as an attack prole.Research has concentrated on attacks designed to achieve aparticular recommendation outcomeA Product Push attack: attempt to secure positiverecommendations for an item or items;RecSys 2011: Tutorial on Recommender Robustness 18. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksRobust RS ResearchThe goal of robust recommendation is to prevent attackersfrom manipulating an RS through large-scale insertion of falseuser proles: a prole injection attackAn attack is a concerted eort to bias the results of arecommender system by the insertion of a large number ofproles using false identities or sybils.Each identity is referred to as an attack prole.Research has concentrated on attacks designed to achieve aparticular recommendation outcomeA Product Push attack: attempt to secure positiverecommendations for an item or items;A Product Nuke attack: attempt to secure negativerecommendations for an item or items.RecSys 2011: Tutorial on Recommender Robustness 19. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksRobust RS ResearchThe goal of robust recommendation is to prevent attackersfrom manipulating an RS through large-scale insertion of falseuser proles: a prole injection attackAn attack is a concerted eort to bias the results of arecommender system by the insertion of a large number ofproles using false identities or sybils.Each identity is referred to as an attack prole.Research has concentrated on attacks designed to achieve aparticular recommendation outcomeA Product Push attack: attempt to secure positiverecommendations for an item or items;A Product Nuke attack: attempt to secure negativerecommendations for an item or items.We can also think of attacks that aim to simply destroy theaccuracy of the system.RecSys 2011: Tutorial on Recommender Robustness 20. Tutorial on Robustness of Recommender SystemsWhat is Robustness? Prole Injection AttacksRobust RS ResearchWe assume that t