Sequential recommendation models excel at capturing the temporal dynamics of user behavior and are widely used in domains such as e-commerce and media streaming. However, their reliance on learned interaction patterns makes them especially vulnerable to data poisoning attacks, where adversaries craft and inject malicious profiles to distort recommendations. Despite this risk, the security aspects of sequential recommenders remain largely underexplored, particularly in realistic scenarios. To address this lack, we propose the first cross-domain black-box poisoning attack for sequential recommenders. Our method transfers real user sequences from a source domain so as to craft realistic adversarial profiles for the target system. A recency-aware autoencoder generates user embeddings that capture influential interactions, while an SD-SAC reinforcement learning agent selects which profiles to inject, using a surrogate recommendation model, i.e., without accessing the target system. Experiments on MovieLens-100K (source) and a sampled version of Netflix Prize dataset (target) show that our method outperforms four strong state-of-the-art baselines, achieving up to a 60% relative improvement in Hit Ratio while maintaining high stealth.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Black-Box Poisoning Attacks on Sequential Recommender Systems via Cross-Domain Profiles

  • Vincenzo Agate,
  • Vincenzo Pio Barreca,
  • Giuseppe Lo Re,
  • Marco Morana,
  • Antonio Virga

摘要

Sequential recommendation models excel at capturing the temporal dynamics of user behavior and are widely used in domains such as e-commerce and media streaming. However, their reliance on learned interaction patterns makes them especially vulnerable to data poisoning attacks, where adversaries craft and inject malicious profiles to distort recommendations. Despite this risk, the security aspects of sequential recommenders remain largely underexplored, particularly in realistic scenarios. To address this lack, we propose the first cross-domain black-box poisoning attack for sequential recommenders. Our method transfers real user sequences from a source domain so as to craft realistic adversarial profiles for the target system. A recency-aware autoencoder generates user embeddings that capture influential interactions, while an SD-SAC reinforcement learning agent selects which profiles to inject, using a surrogate recommendation model, i.e., without accessing the target system. Experiments on MovieLens-100K (source) and a sampled version of Netflix Prize dataset (target) show that our method outperforms four strong state-of-the-art baselines, achieving up to a 60% relative improvement in Hit Ratio while maintaining high stealth.