DIFshilling: A Diffusion Model for Shilling Attacks

Bibliographic Details
Main Authors: Weizhi Chen, Xingkong Ma, Bo Liu
Format: Article
Language: English
Published: MDPI AG 2025-03-01
Series: Applied Sciences
Online Access: https://www.mdpi.com/2076-3417/15/6/3412
Description
Summary: Recommender systems (RSs) are widely used in various domains, such as e-commerce, social media, and online content platforms, to guide users’ decision-making by suggesting items that match their preferences and interests. However, these systems are highly vulnerable to shilling attacks, where malicious users create fake profiles to manipulate the recommendation results, thereby influencing users’ decisions. Such attacks can severely degrade the quality and reliability of recommendations, undermining the trust in RSs. A comprehensive understanding of shilling attacks is critical not only for improving the robustness of RSs but also for designing effective countermeasures to mitigate their impact. Existing shilling attack methods often face significant challenges in achieving both invisibility (i.e., making fake profiles indistinguishable from legitimate ones) and transferability (i.e., the ability to work across different RSs). Many current approaches either fail to capture the natural distribution of real user data or are highly tailored to specific RS algorithms, limiting their general applicability and effectiveness. To overcome these limitations, we propose DIFshilling, a novel diffusion-based model for shilling attacks. DIFshilling leverages forward noising and reverse denoising techniques to better model the distribution of real user data, allowing it to generate fake users that are statistically similar to legitimate users, thus enhancing the invisibility of the attack. Unlike traditional methods, DIFshilling is independent of the specific recommendation algorithm, making it highly transferable across various RSs. We evaluate DIFshilling through extensive experiments on seven different victim RS models, demonstrating its superior transferability.
The experimental results show that DIFshilling not only achieves outstanding effectiveness in terms of attack success but also exhibits strong adversarial defense capabilities, effectively evading detection mechanisms. Specifically, in experiments conducted on the ML100K dataset with the DGCF victim model, DIFshilling was able to increase the frequency of the targeted item by a factor of 15 while maintaining the lowest detection precision and recall, illustrating its ability to remain undetected by common defense techniques. These results underscore the potential of DIFshilling as a powerful tool for both evaluating the vulnerabilities of RS and designing more robust countermeasures.
ISSN: 2076-3417