research-article
Public Access

On the Vulnerability of Graph Learning-based Collaborative Filtering

Published: 23 March 2023

Abstract

Graph learning-based collaborative filtering (GLCF), which is built upon the message-passing mechanism of graph neural networks (GNNs), has received great recent attention and exhibited superior performance in recommender systems. However, although prior work has shown that GNNs can be easily compromised by adversarial attacks, little attention has been paid to the vulnerability of GLCF. Questions such as whether GLCF models can be fooled as easily as GNNs remain largely unexplored. In this article, we propose to study the vulnerability of GLCF. Specifically, we first propose an adversarial attack against GLCF. Considering the unique challenges of attacking GLCF, we adopt a greedy strategy to search for locally optimal perturbations and design a reasonable attacking utility function to handle the non-differentiable, ranking-oriented metrics. Next, we propose a defense to robustify GLCF. The defense is based on the observation that attacks usually introduce suspicious interactions into the graph to manipulate the message-passing process. We therefore measure a suspicious score for each interaction and reduce the message weight of suspicious interactions. We also give a theoretical guarantee of its robustness. Experimental results on three benchmark datasets show the effectiveness of both our attack and defense.

1 Introduction

Recommender systems have been widely studied and used in many platforms such as e-commerce and social media [12, 31, 62]. The core concern of recommender systems is to precisely understand users’ preferences and infer the items that users might be interested in. Collaborative filtering (CF) addresses this using historical interactions (e.g., purchases and clicks), on the premise that users with similar behaviors exhibit similar preferences on items [15, 20, 23]. The most common paradigm of CF is to learn latent representations (a.k.a. embeddings) for users and items from the historical interactions, and then make predictions with these representations (e.g., by inner product [27] or nonlinear neural networks [23]).
In view of the fact that user-item interactions naturally form a user-item graph, a recent trend of CF is to leverage the power of the message-passing mechanism used in graph neural networks (GNNs) [56] for modeling graph-structured data [21, 38, 43, 49, 51, 52, 54, 61, 63, 64]. We name such methods as graph learning-based collaborative filtering (GLCF) in this work. One advantage of GLCF lies in the fact that it enables the iterative and wide-range message-passing between users and items to explicitly model the user-item interactions and better derive the complex semantics within the user-item interactions [49].
Although GLCF has shown great success in recommendation, its vulnerability remains largely unexplored, even though the foundation of GLCF (i.e., GNNs) has been shown to be vulnerable to adversarial attacks [72, 73]. This matters, since recommender systems usually reside in online environments where attackers can easily inject fake data; for example, it has been observed that malicious actors frequently manipulate online product websites [24]. Additionally, because of its message-passing nature, deliberate perturbations to GLCF models can spread their effects over a wide range of users and items, resulting in many false predictions and thus compromising the overall reliability and applicability of recommender systems.
In this article, we propose to study the vulnerability of GLCF from two aspects: adversarial attack and robustness defense. Specifically, we first propose an adversarial attack against GLCF. We consider the attacking scenario where the attackers aim to promote/demote an item (i.e., raise/lower its ranking) for a given user by perturbing the interactions (e.g., inserting/deleting interactions in the user-item graph) within a given budget. This is not an easy task, mainly due to the following two challenges. First, the space of feasible perturbations is very large, since their effect is propagated by GLCF, making the optimal solution difficult to find especially under a limited budget. Second, the ranking metric of recommendation is non-differentiable and cannot be directly optimized. To address these challenges, we propose a greedy strategy that iteratively searches for locally optimal perturbations and design a reasonable attacking utility function to handle the non-differentiability.
Having observed that GLCF can also be compromised, we further propose a defense against adversarial attacks to robustify GLCF. Our key observation is that, compared with normal interactions, the interactions introduced by the attackers tend to violate the homophily assumption [39] and thus yield larger differences between the user embeddings and item embeddings. In view of this, we propose to measure a suspicious score for each interaction by computing the distance between the corresponding user and item embeddings, and then to reduce the message weight when the item’s embedding is rather different from that of the user. We also show theoretically that the proposed defense bounds the embedding deviation caused by adversarial attacks in proportion to the allowed attacking budget.
We conduct experiments on three real-world datasets to evaluate the effectiveness of our proposed methods (both the attack and the defense). Specifically, the proposed attack can significantly shift the item rankings (e.g., changing the ranking from 10th to 2nd, on average) for a given user. It also improves the baseline competitor by 10.5%, 10.8%, and 7.9% on the three datasets, respectively, in terms of the attacking utility. For the proposed defense, it reduces the ranking deviation caused by adversarial attacks to below 20.0%, which is only 13.6%–22.0% of the original ranking deviation without defenses. Furthermore, we observe that theoretical robustness guarantees are reliable even when numerous interactions in the graph are under attack.
In summary, the main contributions of this article include:
We propose an adversarial attack against graph learning-based collaborative filtering. Our attack manipulates the graph structure to push/pull the embedding of the target user to/from the target item, thus changing the ranking results output by GLCF models. To the best of our knowledge, this is the first attack against ranking-oriented GLCF.
We propose a defense for making GLCF more robust against adversarial attacks. The basic idea is to limit the message-passing of suspicious interactions. We also provide a theoretical guarantee of the proposed defense against adversarial attacks.
Comprehensive experiments conducted on three public real-world datasets demonstrate the effectiveness of our attack and defense. The results reveal that GLCF models can be easily compromised by adversarial attacks, and that the robustness of GLCF has large room for improvement. This highlights the need for further investigation of the vulnerability of GLCF.
The rest of this article is organized as follows: In Section 2, we first introduce the main notations and the background knowledge including typical GLCF models and adversarial attacks against GNNs. The definition of adversarial attacks against GLCF and the proposed attacking method are described in Section 3. Section 4 presents our defense for GLCF models against attacks and analyzes its theoretical guarantee. In Section 5, we conduct extensive experiments and discuss the experimental results. We then review the related work in Section 6 and conclude this article in Section 7.

2 Preliminaries

In this section, we introduce some preliminary knowledge about GLCF and GNN attacks.

2.1 Notations

Before presenting the background knowledge, we first list the main notations used throughout the article in Table 1. Following convention, we use bold capital letters for matrices, bold lowercase letters for vectors, and calligraphic font for sets. For example, we use \(\mathcal {U}\) and \(\mathcal {I}\) to denote the sets of users and items, respectively. Suppose we have a user-item interaction matrix \({\bf R}\in \lbrace 0,1\rbrace ^{M\times N}\) where \(M=|\mathcal {U}|\) and \(N=|\mathcal {I}|\), with \({\bf R}_{ui} = 1\) if user \(u\) has interacted with item \(i\) and \({\bf R}_{ui} = 0\) otherwise. \(\mathcal {E}\) denotes the set of user-item interactions in \({\bf R}\). Then, for the purpose of message-passing, we obtain the adjacency matrix \({\bf A}\in \lbrace 0,1\rbrace ^{(M+N)\times (M+N)}\) as follows:
\begin{equation} {\bf A} = \begin{pmatrix}{\bf 0}&{\bf R}\\ {\bf R}^T&{\bf 0} \end{pmatrix}, \end{equation}
(1)
where \({\bf R}^T\) denotes the transpose of \({\bf R}\). We denote the corresponding graph of \({\bf A}\) as the user-item propagation graph \(G\). Let \({\bf D}\) denote the degree matrix of \({\bf A}\) and we can further obtain the symmetric normalized version of \({\bf A}\) as
\begin{equation} \tilde{{\bf A}}_{{\it sym}}={\bf D}^{-1/2}{\bf A}{\bf D}^{-1/2}. \end{equation}
(2)
Table 1. Notations
Symbol | Description
\(\mathcal {U},\mathcal {I}\) | the sets of users and items
\(M,N\) | the numbers of users and items
\({{\bf R}}\) | the user-item interaction matrix of size \({M\times N}\)
\(\mathcal {E}\) | the set of user-item interactions
\(G\) | the propagation graph constructed from \({{\bf R}}\)
\({{\bf A}}\) | the adjacency matrix of \(G\)
\(\mathcal {N}_k^j\) | the \(j\)th-order neighbor set of node \(k\), where \(k\) is a user or an item and \(j=1\) by default
\(L\) | the number of message-passing layers of GLCF models
\({\bf E}^{(l)}\) | the embedding matrix in the \(l\)th layer of the GLCF model
\({\bf E}^{(l)}_{k\cdot }\) or \({\bf e}_k^{(l)}\) | the \(k\)th row of \({\bf E}^{(l)}\)
\(\varepsilon\) | the allowed perturbation rate of adversarial attacks
\(\lambda\) | the norm threshold for robust GLCF models

2.2 Graph Learning-based Collaborative Filtering

GLCF models have achieved great success in recommendation tasks. The basic idea of GLCF is to learn the vector representation \({\bf e}_u\) (\({\bf e}_i\)) for each user (item) by message-passing on the user-item graph \(G\). Here, we first introduce two typical GLCF models: NGCF [51] and LightGCN [21]. Specifically, NGCF defines the message-passing for the \(l\)th layer on the graph \(G\) as follows:
\begin{equation} \begin{split}{\bf e}_u^{(l+1)} &= \sigma \left({\bf W}_1^{(l)}{\bf e}_u^{(l)}+\sum _{i\in \mathcal {N}_u} \frac{1}{\sqrt {\left|\mathcal {N}_u \right| \left|\mathcal {N}_i \right|}}\left({\bf W}_1^{(l)}{\bf e}_i^{(l)}+{\bf W}_2^{(l)}\left({\bf e}_i^{(l)}\odot {\bf e}_u^{(l)}\right)\right)\right)\!,\\ {\bf e}_i^{(l+1)} &= \sigma \left({\bf W}_1^{(l)}{\bf e}_i^{(l)}+\sum _{u\in \mathcal {N}_i} \frac{1}{\sqrt {\left|\mathcal {N}_u \right| \left|\mathcal {N}_i \right|}}\left({\bf W}_1^{(l)}{\bf e}_u^{(l)}+{\bf W}_2^{(l)}\left({\bf e}_u^{(l)}\odot {\bf e}_i^{(l)}\right)\right)\right)\!, \end{split} \end{equation}
(3)
where \(\sigma (\cdot)\) is the nonlinear activation function, \(\mathcal {N}_u\) and \(\mathcal {N}_i\) denote the one-hop neighbor set of user \(u\) and item \(i\), \(\odot\) denotes the Hadamard product, and \({\bf W}_1^{(l)},{\bf W}_2^{(l)}\) are trainable feature transformation matrices for each layer. In the initial step, we use \({\bf e}_u^{(0)}\) and \({\bf e}_i^{(0)}\) to denote the ID embeddings for user \(u\) and item \(i\), respectively. After \(l\) layers of propagation, the updated embeddings of user \(u\) and item \(i\) become \({\bf e}_u^{(l)}\) and \({\bf e}_i^{(l)}\), respectively. In the matrix form, Equation (3) can be rewritten as:
\begin{equation} {\bf E}^{(l+1)} = \sigma \left(({\bf P}+{\bf I}){\bf E}^{(l)}{\bf W}_1^{(l)} + ({\bf P}{\bf E}^{(l)})\odot {\bf E}^{(l)}{\bf W}_2^{(l)}\right)\!, \end{equation}
(4)
where \({\bf E}^{(l)}\in \mathbb {R}^{(M+N)\times d_l}\) denotes the embeddings of users and items in the \(l\)th layer, \({\bf P}=\tilde{{\bf A}}_{{\it sym}}\) is the embedding propagation matrix, and \({\bf I}\in \mathbb {R}^{(M+N)\times (M+N)}\) is an identity matrix.
After \(L\) layers of propagation where \(L\) is the maximum propagation depth, NGCF obtains \(({\bf e}_u^{(0)},{\bf e}_u^{(1)},\dots ,{\bf e}_u^{(L)})\) and \(({\bf e}_i^{(0)},{\bf e}_i^{(1)},\dots ,{\bf e}_i^{(L)})\) for each user \(u\) and item \(i\). It then concatenates the above \(L+1\) embeddings to obtain \({\bf e}_u\) and \({\bf e}_i\) for user \(u\) and item \(i\), and uses the inner-product between them to get the final prediction score of the preference from user \(u\) to item \(i\):
\begin{equation} y_{ui} = \left\langle {\bf e}_u, {\bf e}_i \right\rangle . \end{equation}
(5)
Later, LightGCN [21] observed that the nonlinear activation function \(\sigma (\cdot)\) and the feature transformation matrices \({\bf W}_1\) and \({\bf W}_2\), which NGCF inherits from the standard GCN [74], are not as useful for collaborative filtering on graphs. LightGCN therefore simplifies the graph aggregation operation as follows:
\begin{equation} \begin{split}{\bf e}_u^{(l+1)}&=\sum _{i\in \mathcal {N}_u}\frac{1}{\sqrt {\left| \mathcal {N}_u \right|}\sqrt {\left| \mathcal {N}_i \right|}}{\bf e}_i^{(l)},\\ {\bf e}_i^{(l+1)}&=\sum _{u\in \mathcal {N}_i}\frac{1}{\sqrt {\left| \mathcal {N}_i \right|}\sqrt {\left| \mathcal {N}_u \right|}}{\bf e}_u^{(l)}.\\ \end{split} \end{equation}
(6)
Similarly, we have the matrix form of Equation (6) as:
\begin{equation} {\bf E}^{(l+1)} = {\bf P}{\bf E}^{(l)}. \end{equation}
(7)
Then, LightGCN obtains the final embeddings for user \(u\) and item \(i\) as follows:
\begin{equation} {\bf e}_u=\sum _{l=0}^L \alpha _l {\bf e}_u^{(l)},\quad {\bf e}_i=\sum _{l=0}^L \alpha _l {\bf e}_i^{(l)}, \end{equation}
(8)
where \(\alpha _l\) is a hyperparameter that is set as \(1/(L+1)\) by default. The preference is then predicted using Equation (5).
With the above message-passing results, both NGCF and LightGCN use the Bayesian Personalized Ranking (BPR) [44] as their loss function, i.e.,
\begin{equation} L_{BPR} = -\sum _{u=1}^M\sum _{i\in \mathcal {N}_u}\sum _{j\notin \mathcal {N}_u}\ln \sigma (y_{ui}-y_{uj}) + \beta \Vert \theta \Vert _F^2, \end{equation}
(9)
where \(\sigma (\cdot)\) is the sigmoid function, \(\beta\) controls the strength of regularization, and \(\theta\) denotes the trainable parameters (i.e., the embedding matrix \({\bf E}^{(0)}\)) in the model.
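As an added, runnable illustration of Equations (1)-(2) and (5)-(9) (example code written for this page, not the paper's or LightGCN's implementation), the following pure-Python snippet builds the propagation graph from a constructed 2x2 interaction matrix, runs two LightGCN layers with \(\alpha_l = 1/(L+1)\), scores every user-item pair by inner product, reports the 1-based rank of an item (the \(Irank\) used in Section 3), and evaluates the BPR loss. The same propagation written out for \(L=2\) is the closed-form surrogate of Equation (13) in Section 3.2.1. The node names, the toy matrix and the ID embeddings are assumptions chosen so the propagated values can be checked by hand.

```python
import math

def build_graph(R):
    """Eq. (1): the user-item propagation graph G as node -> neighbour set.
    Users are named 'u<k>' and items 'i<k>'; R is a 0/1 interaction matrix (list of rows)."""
    M, N = len(R), len(R[0])
    adj = {f"u{u}": {f"i{i}" for i in range(N) if R[u][i]} for u in range(M)}
    adj.update({f"i{i}": {f"u{u}" for u in range(M) if R[u][i]} for i in range(N)})
    return adj

def lightgcn(adj, E0, L=2, alpha=None):
    """Eqs. (6)-(8): L rounds of e_k^(l+1) = sum_{j in N_k} e_j^(l) / sqrt(d_k d_j), then
    e_k = sum_l alpha_l e_k^(l) with alpha_l = 1/(L+1) by default (Eq. (2) normalisation built in).
    An isolated node has no neighbours, so only its alpha_0-scaled ID embedding survives."""
    alpha = alpha or [1.0 / (L + 1)] * (L + 1)
    d = {k: len(adj[k]) for k in adj}
    dim = len(next(iter(E0.values())))
    final = {k: [alpha[0] * x for x in E0[k]] for k in adj}
    layer = E0
    for l in range(1, L + 1):
        nxt = {}
        for k in adj:
            acc = [0.0] * dim
            for j in adj[k]:
                w = 1.0 / math.sqrt(d[k] * d[j])
                for t in range(dim):
                    acc[t] += w * layer[j][t]
            nxt[k] = acc
        layer = nxt
        for k in adj:
            for t in range(dim):
                final[k][t] += alpha[l] * layer[k][t]
    return final

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def score_matrix(adj, E):
    """Eq. (5) for every user-item pair: y_ui = <e_u, e_i>, returned as Z[user][item]."""
    users = [k for k in adj if k.startswith("u")]
    items = [k for k in adj if k.startswith("i")]
    return {u: {i: dot(E[u], E[i]) for i in items} for u in users}

def irank(Z, u, i):
    """Irank(.): 1-based position of item i in user u's score-sorted recommendation list."""
    return 1 + sum(1 for s in Z[u].values() if s > Z[u][i])

def bpr_loss(Z, adj, E0, beta=0.0):
    """Eq. (9): -sum_u sum_{i in N_u} sum_{j not in N_u} ln sigma(y_ui - y_uj) + beta ||E0||_F^2,
    with -ln sigma(x) evaluated as ln(1 + exp(-x))."""
    loss = 0.0
    for u in Z:
        for i in adj[u]:
            for j in Z[u]:
                if j not in adj[u]:
                    loss += math.log1p(math.exp(-(Z[u][i] - Z[u][j])))
    return loss + beta * sum(x * x for e in E0.values() for x in e)

# Constructed toy input (not from the paper): two users, two items, one interaction each,
# and 2-d ID embeddings E^(0) chosen so the propagated values can be checked by hand.
R = [[1, 0],
     [0, 1]]
E0 = {"u0": [1.0, 0.0], "u1": [0.0, 1.0], "i0": [1.0, 1.0], "i1": [0.0, 2.0]}

if __name__ == "__main__":
    adj = build_graph(R)
    Z = score_matrix(adj, lightgcn(adj, E0, L=2))
    print(Z)                        # Z["u0"]["i0"] == 11/9, Z["u1"]["i1"] == 20/9
    print(irank(Z, "u1", "i0"))     # 2
    print(bpr_loss(Z, adj, E0))
```

With \(L=2\) and all degrees equal to one, user u0's final embedding is \((1/3)({\bf e}^{(0)}_{u0} + {\bf e}^{(0)}_{i0} + {\bf e}^{(0)}_{u0})\), which is why the toy scores come out as simple fractions.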

2.3 Adversarial Attacks against GNNs

GLCF is built upon GNNs. However, GNNs are known to be vulnerable to adversarial attacks. Suppose we have a graph \(G\) with adjacency matrix \({\bf A}\) and a label set \(\mathcal {C}\) for each node in the graph. The attackers aim to fool the GNN model to misclassify the target node \(t\) as the target label \(c\in \mathcal {C}\). Therefore, the adversarial attack problem against GNNs can be defined as follows:
Problem 1 (Adversarial Attack against GNNs).
Given a clean graph \(G\) with adjacency matrix \({\bf A}\), a GNN model \(f_\theta (\cdot)\) trained on \(G\), a target node \(t\), and a target class \(c\) (\(c\) is not the original label \(c_{old}\) of node \(t\)), the goal of attackers is to change the label prediction of node \(t\) from the original one to the target \(c\) by finding an adversarial graph \(\hat{G}\) with perturbed adjacency matrix \(\hat{{\bf A}}={\bf A}+\Delta\).
In the above definition, we consider only the case when the graph structure is attacked to launch a targeted attack [60]. Specifically, the problem can be formulated as
(10)
where \(f_\theta (\hat{G})_{tc}\) is the predicted probability, output by the GNN model, that node \(t\) belongs to label \(c\), and \(\mathbb {A}\) is the feasible perturbation space of \(\Delta\). We omit the attacking budget constraint for brevity.

3 The Proposed Attack

In this section, we present the proposed adversarial attack against the GLCF models. We start with the problem definition and then describe the proposed solution for solving the problem.

3.1 Problem Definition

Different from adversarial attacks against GNNs, which mainly aim to change predicted labels, the goal of our adversarial attack is to change the recommendation result for a given user. Specifically, for a given user \(u\), the attackers aim to manipulate (i.e., raise or lower) the final predicted ranking of a target item \(i\) in the recommendation list of user \(u\). In practice, the attackers usually have a budget within which they can perturb the user-item graph. We assume a direct attack, in which the attackers directly perturb the neighborhoods of user \(u\) and item \(i\), and denote the number of perturbations around user \(u\) and item \(i\) as \(\delta _{u}\) and \(\delta _{i}\), respectively. We then limit the perturbation budget by a relative rate \(\varepsilon\) as follows:
\begin{equation} \frac{\delta _{u}}{d_u} \le \varepsilon \quad \text{and} \quad \frac{\delta _{i}}{d_i} \le \varepsilon , \end{equation}
(11)
where \(d_u\) and \(d_i\) denote the degree of user \(u\) and item \(i\), respectively. In other words, the attacking budget is defined based on the current degree of users/items.
Based on the above attacking goal and constraint, we define the adversarial attack problem against GLCF as follows:
Problem 2 (Adversarial Attack against GLCF).
Given a clean user-item graph \(G\) with adjacency matrix \({\bf A}\), a GLCF model \(f_\theta (\cdot)\) trained on \(G\), and a target user-item interaction \((u,i)\) satisfying \({\bf A}_{ui}=0\), the goal is to maximize or minimize the ranking of item \(i\) to user \(u\) by finding an adversarial graph \(\hat{G}\) with adjacency matrix \(\hat{{\bf A}}={\bf A}+{\bf \Delta }\) where \({\bf \Delta }\) denotes the perturbation matrix.
In the following, we only consider the case of promoting items for brevity. Specifically, if the attacker aims to promote item \(i\), the problem can be formulated as maximizing the attacking utility function (AUF),
(12)
where \(Irank(\cdot)\) outputs the recommendation ranking of item \(i\) for user \(u\), \(\mathbb {A}\) is the feasible perturbation region of the attacker, and \({\bf A}_{k\cdot }\) denotes the \(k\)th row of \({\bf A}\). In the above equation, the AUF is defined as the difference of two \(Irank(\cdot)\) terms, i.e., the effect of the perturbations in terms of promoting the ranking of the target item \(i\). Note that \(Irank(\cdot)\) is computed with the trained GLCF model \(f_\theta (\cdot)\) both with and without perturbations. In other words, our attack is launched after the GLCF model is trained and does not require re-training the model. Additionally, the term \(Irank(f_\theta ({G}), (u,i))\) is a fixed value once the GLCF model is trained, so in practice we can directly minimize the second term \(Irank(f_\theta (\hat{G}), (u,i))\). For the feasible perturbation region \(\mathbb {A}\), we exclude the trivial solution of inserting the interaction \((u,i)\) directly. We also tighten the attacking budget by requiring that the perturbation does not significantly change the neighborhood of any node (user/item) in the graph. The case of demoting item \(i\) is obtained by swapping the two terms, i.e., \(Irank(f_\theta (\hat{G}), (u,i)) - Irank(f_\theta ({G}), (u,i))\).
Compared with Problem 1, there are three differences between adversarial attacks against GLCF models and GNNs. First, although GLCF is built upon GNNs, the objective functions are quite different (see Equation (9)). Second, the goal of Problem 1 is to mislead the prediction of certain target nodes, while the goal of Problem 2 is to change the ranking of an unknown user-item interaction. Third, Problem 2 imposes a constraint that has not been studied by existing work. The above three differences prevent the existing attacks against GNNs from being directly applied in our problem setup.
Next, we show how we solve the problem via generating an adversarial user-item graph and providing a fast computation method to reduce the time cost of recomputing AUF.

3.2 Adversarial Graph Generation

Note that our attack is applicable to both white-box and black-box settings. In the white-box setting, the attacker is allowed to access any information of the target model, including the model parameters, gradient information, and so on. In the black-box setting, attackers cannot obtain any state of the target model. In the following, we consider the more general black-box case for Problem 2, although our solution can also be used for the white-box case when the model and parameters are known (we will evaluate both black-box and white-box settings in our experiments). For the black-box case, a surrogate model is usually adopted [72]. Here, we also adopt this strategy by first training our attack on a surrogate GLCF model and then performing the generated perturbations on the target black-box GLCF model.

3.2.1 Surrogate Objective.

In this work, we choose the simple LightGCN [21] model as the surrogate model. For a 2-layer LightGCN, using Equations (7)–(8), we can have the following matrix form:
\begin{equation} {\bf E} = \sum _{l=0}^2\alpha _l {\bf E}^{(l)} = (\alpha _0+\alpha _1{\bf P}+\alpha _2{\bf P}^2){\bf E}^{(0)}, \end{equation}
(13)
where \({\bf E}\) contains the embeddings for both users and items:
\begin{equation} {\bf E} = \begin{pmatrix}{\bf E}_{\mathcal {U}}\\ {\bf E}_{\mathcal {I}} \end{pmatrix}, \end{equation}
(14)
with \({\bf E}_{\mathcal {U}}\in \mathbb {R}^{M\times d}, {\bf E}_{\mathcal {I}}\in \mathbb {R}^{N\times d}\) being the final embedding matrices for users and items, respectively. Thus, the predicted score matrix \({\bf Z}\in \mathbb {R}^{M\times N}\) can be computed as
\begin{equation} {\bf Z}=\sigma ({\bf E}_{\mathcal {U}}{\bf E}_{\mathcal {I}}^T), \end{equation}
(15)
where each entry \({\bf Z}_{ui}\) denotes the predicted score for the user-item interaction \((u,i)\).
Based on the above surrogate model, the AUF in Equation (12) can be rewritten as
\begin{equation} \mathcal {T}(\hat{G};(u,i),\theta ^*) = -Irank(\hat{{\bf Z}}^*,(u,i)), \end{equation}
(16)
where \(\hat{{\bf Z}}^*\) and \(\theta ^*\) are from the surrogate model. Here, we omit the original ranking for brevity. Then, our goal becomes to solve
(17)

3.2.2 Optimization.

Directly solving Equation (17) is difficult for two reasons. First, the feasible perturbation region \(\mathbb {A}\) is extremely large, so we cannot traverse the complete space within a reasonable time. Second, the ranking process is not differentiable and cannot be evaluated efficiently or precisely: computing rankings is time-consuming, and different perturbations may yield the same ranking change, so the ranking alone gives little guidance on which perturbation is better.
Therefore, considering the size of the \(\mathbb {A}\), we first search for the suitable perturbation \({\bf \Delta }\) with a greedy strategy following existing adversarial attacks [53, 72] against standard GNNs. Specifically, during each iteration, we only insert/delete one interaction and repeat this process until the perturbation budget is fulfilled. Thus, our optimization goal in each iteration becomes to search for a local optimum \((u,j)\) with the largest attacking utility,
\begin{equation} \begin{aligned}& \mathop {\arg \max }_{(u,j)\in \mathcal {U}\times \mathcal {I}} && \mathcal {T}(\hat{G}^{s};(u,i),\theta ^*) \\ & \qquad s.t. \quad && {\bf \Delta }^s = {\bf \Delta }^{s-1} \pm {(u,j)},\\ & &&\Vert {\bf \Delta }_{k\cdot }^s \Vert _1 / \Vert {\bf A}_{k\cdot } \Vert _1 \le \varepsilon , \forall k \in [1,M+N], \end{aligned} \end{equation}
(18)
where \(s\) denotes the \(s\)th iteration, and \(\hat{G}^{s}\) (\(\hat{{\bf A}}^s={\bf A}+{\bf \Delta }^{s}\)) and \({\bf \Delta }^{s}\) denote the current perturbed graph and the current perturbation matrix after \(s\) iterations. Note that we search for the local optimum \((u,j)\) over all the items. If \((u,j)\) is an existing observation, then we simply delete the edge; if \((u,j)\) is unobserved, we then add the edge. Recall that we apply a direct attack by searching for perturbations around the target user \(u\).
To deal with the computational issue in optimizing the rankings, we transform the \(s\)th step AUF into continuous prediction scores as
\begin{equation} \mathcal {T}_C(\hat{G}^s;(u,i),\theta ^*) = \hat{{\bf Z}}_{ui}^{*s}, \end{equation}
(19)
where \(\hat{{\bf Z}}_{ui}^{*s}\) is the predicted score computed with \(\hat{G}^s\) and \(\theta ^*\) in the \(s\)th iteration, and we call it continuous AUF (C-AUF). In other words, we directly maximize the predicted score of the target user-item interaction instead of minimizing its ranking.
However, the score of one interaction does not fully determine its ranking, and maximizing it may also raise the scores of other interactions. Therefore, we consider not only the predicted score of \((u,i)\) but also the interactions in \(\mathcal {B}_{(u,i)}^{*s}=\lbrace (u,k) \mid {\bf Z}_{uk}^{*s}\ge {\bf Z}_{ui}^{*s}, k\in \mathcal {I}\rbrace\), the set of interactions ranked higher than \((u,i)\) in the score matrix \({\bf Z}^{*s}\). Specifically, while we decrease the distance between \(u\) and \(i\), we should simultaneously increase the distance between \(u\) and the items in \(\mathcal {B}_{(u,i)}^{*s}\). This yields a new AUF (named D-AUF):
\begin{equation} \mathcal {T}_D(\hat{G}^s;(u,i),\theta ^*) = \hat{{\bf Z}}_{ui}^{*s} - \frac{1}{|\mathcal {B}_{(u,i)}^{*s}|} \sum _{(u,k)\in \mathcal {B}_{(u,i)}^{*s}} \hat{{\bf Z}}_{uk}^{*s}. \end{equation}
(20)
The intuition behind C-AUF and D-AUF is shown in Figure 1. Suppose the attacker aims to promote item \(i\) for user \(u\). With C-AUF, the attacker may manipulate some edges in the graph and push the embedding of \(u\) towards item \(i\). However, \(u\) may also move closer to item \(a\) or item \(b\). For example, in the middle figure, the ranking becomes \([b,i,a]\) because user \(u\) is closer to item \(b\) than to item \(i\). With D-AUF, we additionally constrain the distance from user \(u\) to items \(a\) and \(b\) and thus obtain the target ranking.
Fig. 1.
Fig. 1. An illustration of the proposed adversarial attack, where we aim to promote target item \(i\) for user \(u\). Left: the original embedding space. The recommended ranking list for user \(u\) is \([a,b,i]\), where item \(i\) is ranked the third place. Middle: the embedding space after applying the attacking utility function C-AUF. C-AUF pushes user \(u\) towards the target item \(i\), but may also make user \(u\) closer to other items that ranked higher than \(i\). For example, the recommendation result becomes \([b,i,a],\) where user \(u\) is closer to the target item \(i\) but even closer to item \(b\). Right: the embedding space after applying the attacking utility function D-AUF. D-AUF aims to push user \(u\) to a place where it is closer to the target item \(i\) but further away from the other items. In this case, we can manipulate the recommendation result as \([i,b,a],\) where item \(i\) is ranked the first place.

3.2.3 Fast Computation of Attacking Utility.

Each time we insert/delete one interaction in \(G\), we need to recompute Equation (13) to obtain the embeddings \({\bf E}\) and its time complexity is \(\mathcal {O}(|{\bf R}|dL)\) using sparse-dense matrix multiplications, where \(|{\bf R}|\) denotes the number of observed interactions in the graph. This is unacceptable for large recommendation datasets.
To improve efficiency, we first simplify the computation by fixing the embeddings of all items and updating only the target user \(u\)’s embedding; that is, the only quantity we need to recompute after a perturbation is \({\bf e}_u\). Even so, recomputing the two-layer propagation \({\bf P}^2{\bf E}^{(0)}=\tilde{{\bf A}}^2_{{\it sym}}{\bf E}^{(0)}\) in \(\mathcal {O}(|{\bf R}|d)\) time is still impractical. In fact, for the target interaction \((u,i)\) only the \(u\)th row of \({\bf P}^2\) is needed, and here we propose a simple method to update each entry of \({\bf P}^2\) in constant time. By the definition of \(\tilde{{\bf A}}_{{\it sym}}\), each entry of \({\bf P}^2\) can be written as
\begin{equation} [{\bf P}^2]_{ij} = \sum _{k=1}^{M+N} \tilde{{\bf A}}_{ik}\tilde{{\bf A}}_{kj} = \frac{1}{\sqrt {d_id_j}} \sum _{k=1}^{M+N}\frac{{\bf A}_{ik}{\bf A}_{kj}}{d_k}. \end{equation}
(21)
Similarly, we have the above equation for \(\hat{{\bf P}}^2\) and then we have
\begin{equation} \begin{split}\sqrt {\hat{d}_i\hat{d}_j}[\hat{{\bf P}}^2]_{ij}-\sqrt {d_id_j}[{\bf P}^2]_{ij} &= \sum _{k=1}^{M+N}\left(\frac{\hat{{\bf A}}_{ik}\hat{{\bf A}}_{kj}}{\hat{d}_k} - \frac{{\bf A}_{ik}{\bf A}_{kj}}{d_k}\right)\\ &= \frac{\hat{{\bf A}}_{im}\hat{{\bf A}}_{mj}}{\hat{d}_m} + \frac{\hat{{\bf A}}_{in}\hat{{\bf A}}_{nj}}{\hat{d}_n} - \frac{{\bf A}_{im}{\bf A}_{mj}}{d_m} - \frac{{\bf A}_{in}{\bf A}_{nj}}{d_n}, \end{split} \end{equation}
(22)
where \(\hat{{\bf A}}\) is perturbed from \({\bf A}\) after inserting or deleting one interaction \((m,n)\), \(\hat{d}_k=d_k+\mathbb {I}[k\in \lbrace m,n\rbrace ]\cdot (1-2{\bf A}_{mn})\), \(\hat{{\bf A}}_{ik} = {\bf A}_{ik}+\mathbb {I}[\lbrace i,k\rbrace =\lbrace m,n\rbrace ]\cdot (1-2{\bf A}_{ik})\), and \(\hat{{\bf A}}_{kj} = {\bf A}_{kj}+\mathbb {I}[\lbrace k,j\rbrace =\lbrace m,n\rbrace ]\cdot (1-2{\bf A}_{kj})\). Here, \(\mathbb {I}[\cdot ]\) is the Iverson bracket. Deriving from the above equation, we have
\begin{equation} [\hat{{\bf P}}^2]_{ij} = \frac{1}{\sqrt {\hat{d}_i\hat{d}_j}}\left(\sqrt {d_id_j}[{\bf P}^2]_{ij}+\frac{\hat{{\bf A}}_{im}\hat{{\bf A}}_{mj}}{\hat{d}_m} + \frac{\hat{{\bf A}}_{in}\hat{{\bf A}}_{nj}}{\hat{d}_n} - \frac{{\bf A}_{im}{\bf A}_{mj}}{d_m} - \frac{{\bf A}_{in}{\bf A}_{nj}}{d_n}\right)\!. \end{equation}
(23)

3.2.4 Algorithm and Analysis.

The algorithm of our attack is described in Algorithm 1. In detail, we first train a surrogate model with parameters \(\theta ^*\) on the user-item graph. Then, we search for the perturbations following the greedy strategy of Equation (18). Specifically, to maximize the D-AUF defined in Equation (20), we evaluate each possible \((u,j)\) in the graph (where \(u\) is given) and choose the \((u,j)\) with the locally best value in each iteration, i.e., the \((u,j)\) with the maximum D-AUF value when promoting an item and with the minimum D-AUF value when demoting an item. When computing the D-AUF for each \((u,j)\), we use Equations (21)–(23) for fast computation. Next, if the chosen \((u,j)\) is an observed interaction, we delete it; otherwise, we insert it. We repeat this process until the budget is exhausted. Finally, we merge all perturbations and obtain the adversarial user-item graph.
We next analyze the time complexity of Algorithm 1. Given a target interaction \((u,i)\), the cost of one AUF computation for one candidate interaction \((u,j)\) is \(\mathcal {O}((|\mathcal {N}_u^1|+|\mathcal {N}_u^2|+|\mathcal {B}_{(u,i)}^*|)d)\), where \(|\mathcal {N}_u^1|\) and \(|\mathcal {N}_u^2|\) are the sizes of the first- and second-order neighbor sets of user \(u\), \(d\) is the dimension of the user/item embeddings, and \(|\mathcal {B}_{(u,i)}^*|\) is the number of interactions ranked higher than \((u,i)\), averaged over all iterations. In the worst case this is \(\mathcal {O}((M+N)d)\). Concretely, obtaining \(\hat{{\bf e}}_u\) with the above fast computation takes \(\mathcal {O}((|\mathcal {N}_u^1|+|\mathcal {N}_u^2|)d)\) time, and computing the scores of the target user \(u\) against the higher-ranked items takes \(\mathcal {O}(|\mathcal {B}_{(u,i)}^*|d)\) time. In total, we consider all feasible edges in the perturbation space \(\mathbb {A}\) during one iteration and perform perturbations \(T\le \varepsilon d_u\) times, as limited by the budget constraint. For efficiency, we only consider direct attacks here, so \(\mathbb {A}\) consists of the interactions between the target user \(u\) and the other items. Therefore, the overall time complexity is \(\mathcal {O}(T N (M+N)d)\) in the worst case. In practice, since \(|\mathcal {N}_u^1|+|\mathcal {N}_u^2|\ll M\) and \(|\mathcal {B}_{(u,i)}^{*}|\ll N\) in most situations, the actual time complexity is \(\mathcal {O}(T N (|\mathcal {N}_u^1|+|\mathcal {N}_u^2|+|\mathcal {B}_{(u,i)}^{*}|)d)\), which simplifies to \(\mathcal {O}(T N d)\).
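The following example, added here (it is not Algorithm 1 as released by the authors), implements the direct promotion attack of Section 3.2 on a constructed eight-node user-item graph: item embeddings are frozen on the clean graph, the target user's row of \({\bf P}^2\) is maintained with the constant-time update of Equation (23) and checked against a direct recomputation of Equation (21), and the greedy loop of Equation (18) flips one interaction per iteration under the budget \(\varepsilon\). Two choices are ours rather than the paper's: the reference set \(\mathcal{B}\) in D-AUF is fixed for all candidates of one iteration using the scores before the candidate flip (so candidates are compared against the same items), and the loop stops early when no candidate improves D-AUF. The graph, the ID embeddings, the node names and \(\varepsilon = 0.5\) are all assumptions.

```python
import math

# Constructed toy graph (not the paper's data): four users, four items, node -> neighbour set.
ADJ = {
    "u0": {"i0", "i1"}, "u1": {"i1", "i2"}, "u2": {"i2", "i3"}, "u3": {"i0", "i3"},
    "i0": {"u0", "u3"}, "i1": {"u0", "u1"}, "i2": {"u1", "u2"}, "i3": {"u2", "u3"},
}
# Constructed 2-d ID embeddings E^(0) of a hypothetical trained LightGCN surrogate (L = 2):
# u0 and its items lie near (1, 0); the target item i3, never interacted with by u0, lies far away.
E0 = {"u0": [1.0, 0.0], "i0": [0.9, 0.1], "i1": [0.8, 0.2], "u3": [0.6, 0.4],
      "u1": [0.5, 0.5], "i2": [0.2, 0.8], "u2": [0.1, 0.9], "i3": [-0.15, 2.25]}
ALPHA = (1 / 3, 1 / 3, 1 / 3)   # alpha_l = 1/(L+1)

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def p2_entry(adj, d, i, j):
    """Eq. (21): [P^2]_ij = (d_i d_j)^(-1/2) * sum over common neighbours k of 1/d_k (no isolated nodes)."""
    return sum(1.0 / d[k] for k in adj[i] & adj[j]) / math.sqrt(d[i] * d[j])

def flip(adj, m, n):
    """Insert (m, n) if absent, delete it if present; returns a new adjacency."""
    new = {k: set(v) for k, v in adj.items()}
    if n in new[m]:
        new[m].discard(n); new[n].discard(m)
    else:
        new[m].add(n); new[n].add(m)
    return new

def p2_row_after_flip(adj, d, row, u, m, n):
    """Eq. (23): row u of P^2 after flipping (m, n), from the pre-flip row and degrees,
    with constant work per entry instead of recomputing the common-neighbour sums."""
    sign = -1 if n in adj[m] else 1                               # 1 - 2 A_mn
    d_hat = dict(d); d_hat[m] += sign; d_hat[n] += sign
    A = lambda x, y: 1 if y in adj[x] else 0
    A_hat = lambda x, y: A(x, y) + (sign if {x, y} == {m, n} else 0)
    new = {}
    for j, val in row.items():
        s = math.sqrt(d[u] * d[j]) * val
        s += A_hat(u, m) * A_hat(m, j) / d_hat[m] + A_hat(u, n) * A_hat(n, j) / d_hat[n]
        s -= A(u, m) * A(m, j) / d[m] + A(u, n) * A(n, j) / d[n]
        new[j] = s / math.sqrt(d_hat[u] * d_hat[j])
    return new

def embed(adj, d, k, E0, p2_row):
    """Eq. (13), one row: e_k = a0 e0_k + a1 sum_{j in N_k} e0_j / sqrt(d_k d_j) + a2 sum_j [P^2]_kj e0_j."""
    e = [ALPHA[0] * x for x in E0[k]]
    terms = [(ALPHA[1] / math.sqrt(d[k] * d[j]), j) for j in adj[k]]
    terms += [(ALPHA[2] * p, j) for j, p in p2_row.items() if p]
    for w, j in terms:
        for t in range(len(e)):
            e[t] += w * E0[j][t]
    return e

def above(Z_u, target):
    """Set B of Eq. (20): items scoring at least as high as the target (target itself excluded)."""
    return [k for k, s in Z_u.items() if k != target and s >= Z_u[target]]

def d_auf(Z_u, target, B):
    """Eq. (20) against a given reference set B; an empty B means the target is already top-ranked."""
    return Z_u[target] - (sum(Z_u[k] for k in B) / len(B) if B else 0.0)

def irank(Z_u, target):
    return 1 + sum(1 for s in Z_u.values() if s > Z_u[target])

def greedy_attack(adj, E0, u, target, eps):
    """Promotion attack of Algorithm 1: direct attack on user u, one flip per iteration, budget eps < 1
    (Eq. (18)). Item embeddings are frozen on the clean graph; only e_u is recomputed (Section 3.2.3)."""
    d = {k: len(adj[k]) for k in adj}
    items = [k for k in adj if k.startswith("i")]
    E_items = {i: embed(adj, d, i, E0, {j: p2_entry(adj, d, i, j) for j in adj}) for i in items}
    def scores_u(a, dd, row):
        e_u = embed(a, dd, u, E0, row)
        return {i: dot(e_u, E_items[i]) for i in items}
    cur, cur_d = adj, d
    row = {j: p2_entry(adj, d, u, j) for j in adj}
    Z_u = scores_u(cur, cur_d, row)
    B = above(Z_u, target)                                       # fixed for the whole iteration (our choice)
    util = d_auf(Z_u, target, B)
    out = {"flips": [], "rank_before": irank(Z_u, target), "dauf_before": util}
    while (len(out["flips"]) + 1) / d[u] <= eps:                  # user-side budget
        best = None
        for j in items:
            # no trivial insert of the target, no re-flipping, item-side budget |Delta_j| / d_j <= eps
            if j == target or (u, j) in out["flips"] or 1.0 / d[j] > eps:
                continue
            new_row = p2_row_after_flip(cur, cur_d, row, u, u, j)
            a_hat = flip(cur, u, j)
            d_hat = {k: len(a_hat[k]) for k in a_hat}
            Zc = scores_u(a_hat, d_hat, new_row)
            cand = d_auf(Zc, target, B)
            if best is None or cand > best[0]:
                best = (cand, j, new_row, a_hat, d_hat, Zc)
        if best is None or best[0] <= util:                      # no improving flip: stop early (our choice)
            break
        _, j, row, cur, cur_d, Z_u = best
        out["flips"].append((u, j))
        B = above(Z_u, target)
        util = d_auf(Z_u, target, B)
    out.update(rank_after=irank(Z_u, target), dauf_after=util)
    return out

def fast_update_error(adj, u, m, n):
    """Max |Eq. (23) - direct Eq. (21)| over row u after flipping (m, n); should be ~0."""
    d = {k: len(adj[k]) for k in adj}
    fast = p2_row_after_flip(adj, d, {j: p2_entry(adj, d, u, j) for j in adj}, u, m, n)
    a_hat = flip(adj, m, n)
    d_hat = {k: len(a_hat[k]) for k in a_hat}
    return max(abs(fast[j] - p2_entry(a_hat, d_hat, u, j)) for j in adj)
```

On the toy graph, `greedy_attack(ADJ, E0, "u0", "i3", eps=0.5)` allows a single flip for u0 (degree 2), inserts the interaction (u0, i2), and moves i3 from rank 4 to rank 3 for u0; `fast_update_error(ADJ, "u0", "u0", "i2")` confirms that the incremental row update agrees with a full recomputation.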

4 The Proposed Defense

In this section, we present our defense against attacks on GLCF models. First, we improve the robustness of GLCF models by redefining the embedding propagation matrix and explain the rationale. Second, we provide an upper bound for the deviation caused by adversarial attacks as a theoretical guarantee of our defense.

4.1 Robust GLCF via Propagation Reweighting

There are two requirements for defending GLCF models against adversarial attacks. First, the robust GLCF model \(f_\theta ^*(\cdot)\) should control the predicted ranking deviation between \(f_\theta ^*(\hat{G})\) and \(f_\theta ^*(G)\) in an acceptable interval when the model is under attack. Second, it can be applied to various GLCF models.
In this work, we achieve the above requirements by robustifying GLCF models through reweighting the messages during embedding propagation. Empirically, it has been shown that adversarial attacks against GNNs tend to connect the target node with nodes that have very different features and labels [53]. We conjecture that similar observations hold for GLCF attacks, as GLCF models are built upon GNNs. Specifically, to perturb the ranking of the target interaction, attackers usually have to connect the target user to items that are quite different from his/her normal preferences. To verify this conjecture, we analyze the distribution of the normalized L2-norm distance between target users and their connected items after perturbations. The results are shown in Figure 2. We observe that the attacker interactions (i.e., interactions inserted or deleted by the attacker) tend to have larger distances than normal ones (the original interactions in the dataset). Therefore, a natural idea is to reweight the messages propagated from such items. An additional advantage of this reweighting technique is that it can potentially be applied to many GLCF models, as long as they are built upon the message-passing mechanism.
Fig. 2. The distribution of user-item distances after attacks.
In our defense, the embedding propagation matrix is defined as \({\bf P}=({\bf D}+{\bf I})^{-1}({\bf A}+{\bf I})\), i.e., random-walk normalization with self-loops. Recall that existing GLCF models usually use the symmetric normalized adjacency matrix \(\tilde{{\bf A}}_{{\it sym}}={\bf D}^{-1/2}{\bf A}{\bf D}^{-1/2}\) as the embedding propagation matrix \({\bf P}\). We instead use the random-walk normalization form (with self-loops); the two normalization forms have been observed to perform similarly in GNNs [50], and for GLCF we also test both on the LastFM dataset in Section 5.3.2, where they perform very close to each other. We add the self-loop because we need to measure the distance between user \(u\) and item \(i\) for each explicit interaction in the user-item graph. Thus, for user \(u\) and item \(i\), with \(d_u\) and \(d_i\) counting the self-loop, the embedding propagation process in Equation (6) becomes
\begin{equation} \begin{split}{\bf e}_u^{(l+1)} &= \frac{1}{d_u}{\bf e}_u^{(l)} + \frac{1}{d_u}\sum _{i\in \mathcal {N}_u} {\bf e}_i^{(l)} = {\bf e}_u^{(l)} + \frac{1}{d_u}\sum _{i\in \mathcal {N}_u} \left({\bf e}_i^{(l)}-{\bf e}_u^{(l)}\right)\!,\\ {\bf e}_i^{(l+1)} &= \frac{1}{d_i}{\bf e}_i^{(l)} + \frac{1}{d_i}\sum _{u\in \mathcal {N}_i} {\bf e}_u^{(l)} = {\bf e}_i^{(l)} + \frac{1}{d_i}\sum _{u\in \mathcal {N}_i} \left({\bf e}_u^{(l)}-{\bf e}_i^{(l)}\right)\!. \end{split} \end{equation}
(24)
We next reweight the above propagation matrix. Taking a closer look at the above equation, we find that no matter how far \({\bf e}_i^{(l)}\) is from \({\bf e}_u^{(l)}\) when computing \({\bf e}_u^{(l+1)}\), every neighbor has the same influence on \({\bf e}_u^{(l)}\), i.e., \(1/d_u\), which depends only on the structure of the graph. For reweighting purposes, we use the L2-norm \(\Vert \cdot \Vert _2\) to measure the distance between \({\bf e}_u^{(l)}\) and \({\bf e}_i^{(l)}\) and compute the penalty coefficient \(\eta\) in the \(l\)th layer as follows:
\begin{equation} \eta _{kj}^{(l)} = \frac{\lambda }{\max (\lambda ,\Vert {\bf e}_j^{(l)}-{\bf e}_k^{(l)} \Vert _2)}, \end{equation}
(25)
where \(\lambda \ge 0\) is the norm threshold that controls the maximum distance that escapes the penalty. If \(\Vert {\bf e}_j^{(l)}-{\bf e}_k^{(l)} \Vert _2 \le \lambda\), then \(\eta _{kj}^{(l)} = 1\), meaning that \({\bf e}_j^{(l)}\) has its full influence on \({\bf e}_k^{(l)}\). Otherwise, as \(\Vert {\bf e}_j^{(l)}-{\bf e}_k^{(l)} \Vert _2\) increases, \(\eta _{kj}^{(l)}\) becomes smaller and the penalty grows.
Based on the penalty coefficient \(\eta\), we have our reweighted embedding propagation matrix \({\bf P}\) in the \(l\)th layer as
\begin{equation} {\bf P}_{kj}^{(l)} = {\left\lbrace \begin{array}{ll}\eta _{kj}^{(l)}/d_k, & \text{if}\quad j\in \mathcal {N}_k \\ 1-\sum _{j\in \mathcal {N}_k}\eta _{kj}^{(l)}/d_k, & \text{if}\quad j=k \\ 0,& \text{otherwise}. \\ \end{array}\right.} \end{equation}
(26)

4.2 Provable Robustness

Next, we present the theoretical analysis showing that our design of robust GLCF models can limit the perturbations brought by adversarial attacks to an interval proportional to the norm threshold \(\lambda\) and the perturbation rate \(\varepsilon\). The robustness stems from the norm threshold \(\lambda\), which caps the influence of each propagated message. We first introduce a lemma based on the Hilbert Projection Theorem [68].
Lemma 1.
Let \(\mathcal {C}\) be a nonempty closed convex set, and denote the projection of vector \({\bf x}\) onto \(\mathcal {C}\) by \(P_\mathcal {C}({\bf x})\). The mapping \(P_\mathcal {C} : \mathbb {R}^d \rightarrow \mathcal {C}\) is a contraction, i.e., for any \({\bf x}_1,{\bf x}_2 \in \mathbb {R}^d\), we have
\begin{equation} \Vert P_\mathcal {C}({\bf x}_1) - P_\mathcal {C}({\bf x}_2) \Vert _2 \le \Vert {\bf x}_1-{\bf x}_2 \Vert _2. \end{equation}
(27)
Proof.
Since \(\mathcal {C}\) is a nonempty closed convex set, for any \({\bf y} \in \mathcal {C}\), we have
\begin{equation} \left\langle {\bf x}_1-P_\mathcal {C}({\bf x}_1), {\bf y}-P_\mathcal {C}({\bf x}_1) \right\rangle \le 0. \end{equation}
(28)
Note that \(P_\mathcal {C}({\bf x}_2)\in \mathcal {C}\), and thus, we have
\begin{equation} \left\langle {\bf x}_1-P_\mathcal {C}({\bf x}_1), P_\mathcal {C}({\bf x}_2)-P_\mathcal {C}({\bf x}_1) \right\rangle \le 0. \end{equation}
(29)
Similarly, we also get
\begin{equation} \left\langle {\bf x}_2-P_\mathcal {C}({\bf x}_2), P_\mathcal {C}({\bf x}_1)-P_\mathcal {C}({\bf x}_2) \right\rangle \le 0. \end{equation}
(30)
Adding the above two inequalities, rearranging, and finally applying the Cauchy-Schwarz inequality, we can obtain that
\begin{equation} \begin{split}\left\langle P_\mathcal {C}({\bf x}_1)-P_\mathcal {C}({\bf x}_2), P_\mathcal {C}({\bf x}_1)-P_\mathcal {C}({\bf x}_2) \right\rangle &\le \left\langle {\bf x}_1-{\bf x}_2, P_\mathcal {C}({\bf x}_1)-P_\mathcal {C}({\bf x}_2) \right\rangle \\ &\le \Vert {\bf x}_1-{\bf x}_2 \Vert _2\Vert P_\mathcal {C}({\bf x}_1)-P_\mathcal {C}({\bf x}_2) \Vert _2 . \end{split} \end{equation}
(31)
Hence, we have
\begin{equation} \begin{split}& \Vert P_\mathcal {C}({\bf x}_1)-P_\mathcal {C}({\bf x}_2) \Vert _2 \le \Vert {\bf x}_1-{\bf x}_2 \Vert _2, \end{split} \end{equation}
(32)
which completes the proof.□
Next, we define the Maximum Row Euclidean norm (i.e., \(MRE\)-norm) as
\begin{equation} \Vert {\bf X} \Vert _{MRE} = \max _k \left(\sum _j {\bf X}_{kj}^2\right)^{\frac{1}{2}}. \end{equation}
(33)
We can directly derive the triangle inequality for \(MRE\)-norm, i.e.,
\begin{equation} \Vert {\bf X}+{\bf Y} \Vert _{MRE} \le \Vert {\bf X} \Vert _{MRE} + \Vert {\bf Y} \Vert _{MRE}. \end{equation}
(34)
Based on the above \(MRE\)-norm, we can give the upper bound for the deviation between \(\hat{{\bf E}}^{(l+1)}\) and \({\bf E}^{(l+1)}\), i.e., \(\Vert \hat{{\bf E}}^{(l+1)}-{\bf E}^{(l+1)}\Vert _{MRE}\). For each user (item) node \(k\), assume there are \(\delta _k\) perturbations around it; then we have the following lemma:
Lemma 2.
Given the norm threshold \(\lambda \gt 0\) and the perturbation rate \(\varepsilon\) satisfying \(\delta _k/d_k \le \varepsilon\), the deviation of \({\bf E}^{(l+1)}\) is bounded by:
\begin{equation} \Vert \hat{{\bf E}}^{(l+1)}-{\bf E}^{(l+1)}\Vert _{MRE} \le 2\lambda \varepsilon + 3\Vert \hat{{\bf E}}^{(l)}-{\bf E}^{(l)}\Vert _{MRE}. \end{equation}
(35)
Proof.
The L2-norm of the \(k\)th row of \(\hat{{\bf E}}^{(l+1)}-{\bf E}^{(l+1)} = \hat{{\bf P}}^{(l)}\hat{{\bf E}}^{(l)}-{\bf P}^{(l)}{\bf E}^{(l)}\) is:
\begin{equation} \Vert \hat{{\bf e}}_k^{(l+1)} - {\bf e}_k^{(l+1)}\Vert _2 = \Bigg \Vert \hat{{\bf e}}_k^{(l)}-{\bf e}_k^{(l)} + \sum _{j \in \hat{\mathcal {N}}_k} \frac{\hat{\eta }_{kj}^{(l)}}{\hat{d}_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k} \frac{\eta _{kj}^{(l)}}{d_k}\left({\bf e}_j^{(l)}-{\bf e}_k^{(l)}\right)\!\Bigg \Vert _2. \end{equation}
(36)
We can further decompose it using the triangle inequality.
\begin{equation} \begin{split}\Vert \hat{{\bf e}}_k^{(l+1)} - {\bf e}_k^{(l+1)}\Vert _2 \le & \Bigg \Vert \sum _{j \in \hat{\mathcal {N}}_k} \frac{\hat{\eta }_{kj}^{(l)}}{\hat{d}_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k} \frac{\hat{\eta }_{kj}^{(l)}}{d_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right)\!\Bigg \Vert _2 \\ &\quad + \Bigg \Vert \sum _{j \in \mathcal {N}_k} \frac{\hat{\eta }_{kj}^{(l)}}{d_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k} \frac{\eta _{kj}^{(l)}}{d_k}\left({\bf e}_j^{(l)}-{\bf e}_k^{(l)}\right)\!\Bigg \Vert _2 + \left\Vert \hat{{\bf e}}_k^{(l)}-{\bf e}_k^{(l)}\right\Vert _2. \end{split} \end{equation}
(37)
We use \(\delta _k\) to denote the number of edges perturbed around node \(k\), where \(\delta _k^+\) and \(\delta _k^-\) are the numbers of inserted and deleted edges, respectively, and \(\delta _k = \delta _k^+ + \delta _k^-\). Then, we can obtain the upper bound for the first term in Equation (37) as follows:
\begin{equation} \begin{split}& \Bigg \Vert \sum _{j \in \hat{\mathcal {N}}_k} \frac{\hat{\eta }_{kj}^{(l)}}{\hat{d}_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k} \frac{\hat{\eta }_{kj}^{(l)}}{d_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right)\!\Bigg \Vert _2 \\ & \quad = \Bigg \Vert \sum _{j \in \hat{\mathcal {N}}_k\backslash \mathcal {N}_k} \frac{\hat{\eta }_{kj}^{(l)}}{\hat{d}_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) + \sum _{j \in \hat{\mathcal {N}}_k \cap \mathcal {N}_k} \frac{\hat{\eta }_{kj}^{(l)}(d_k-\hat{d}_k)}{\hat{d}_kd_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k\backslash \hat{\mathcal {N}}_k} \frac{\hat{\eta }_{kj}^{(l)}}{d_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right)\!\Bigg \Vert _2 \\ & \quad \le \sum _{j \in \hat{\mathcal {N}}_k\backslash \mathcal {N}_k} \Bigg \Vert \frac{\hat{\eta }_{kj}^{(l)}}{\hat{d}_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right)\!\Bigg \Vert _2 + \sum _{j \in \hat{\mathcal {N}}_k\cap \mathcal {N}_k} \Bigg \Vert \frac{\hat{\eta }_{kj}^{(l)}\delta _k}{\hat{d}_kd_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right)\!\Bigg \Vert _2 + \sum _{j \in \mathcal {N}_k\backslash \hat{\mathcal {N}}_k}\Bigg \Vert \frac{\hat{\eta }_{kj}^{(l)}}{d_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right)\!\Bigg \Vert _2 \\ & \quad \le \sum _{j \in \hat{\mathcal {N}}_k\backslash \mathcal {N}_k} \frac{\lambda }{\hat{d}_k} + \sum _{j \in \hat{\mathcal {N}}_k \cap \mathcal {N}_k} \frac{\lambda \delta _k}{\hat{d}_kd_k} + \sum _{j \in \mathcal {N}_k\backslash \hat{\mathcal {N}}_k} \frac{\lambda }{d_k} \\ & \quad \le \frac{\lambda (\delta _k^+ + \delta _k+\delta _k^-)}{\min (\hat{d}_k,d_k)} = \frac{2\lambda \delta _k}{\min (\hat{d}_k,d_k)}. \end{split} \end{equation}
(38)
Generally speaking, compared with deleting edges, attackers are more inclined to insert edges (i.e., \(\hat{d}_k \gt d_k\)) [53] and then we have \(\min (\hat{d}_k,d_k)=d_k\) and
\begin{equation} \Bigg \Vert \sum _{j \in \hat{\mathcal {N}}_k} \frac{\hat{\eta }_{kj}^{(l)}}{\hat{d}_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k} \frac{\hat{\eta }_{kj}^{(l)}}{d_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right)\!\Bigg \Vert _2 \le \frac{2\lambda \delta _k}{d_k}. \end{equation}
(39)
Next, we have the second term in Equation (37) as:
\begin{equation} \begin{split}\Bigg \Vert \sum _{j \in \mathcal {N}_k} \frac{\hat{\eta }_{kj}^{(l)}}{d_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k} \frac{\eta _{kj}^{(l)}}{d_k}\left({\bf e}_j^{(l)}-{\bf e}_k^{(l)}\right)\!\Bigg \Vert _2 \le \sum _{j \in \mathcal {N}_k} \frac{1}{d_k} \Bigg \Vert \hat{\eta }_{kj}^{(l)}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \eta _{kj}^{(l)}\left({\bf e}_j^{(l)}-{\bf e}_k^{(l)}\right)\!\Bigg \Vert _2. \end{split} \end{equation}
(40)
Since multiplying a vector \({\bf x}\) by the penalty coefficient \(\eta\) of Equation (25) yields the projection of \({\bf x}\) onto the closed L2 ball of radius \(\lambda\) (a nonempty closed convex set), we can apply Lemma 1 here. For any index \(j\) in \(\mathcal {N}_k\), we have
\begin{equation} \left\Vert \hat{\eta }_{kj}^{(l)}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \eta _{kj}^{(l)}\left({\bf e}_j^{(l)}-{\bf e}_k^{(l)}\right)\right\Vert _2 \le \left\Vert \left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \left({\bf e}_j^{(l)}-{\bf e}_k^{(l)}\right)\!\right\Vert _2. \end{equation}
(41)
Let \(p_{kj}^{(l)}=\Vert (\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}) - ({\bf e}_j^{(l)}-{\bf e}_k^{(l)}) \Vert _2\). Then, we can get the upper bound for the second term as:
\begin{equation} \Bigg \Vert \sum _{j \in \mathcal {N}_k} \frac{\hat{\eta }_{kj}^{(l)}}{d_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k} \frac{\eta _{kj}^{(l)}}{d_k}\left({\bf e}_j^{(l)}-{\bf e}_k^{(l)}\right)\!\Bigg \Vert _2 \le \frac{1}{d_k}\sum _{j \in \mathcal {N}_k}p_{kj}^{(l)}. \end{equation}
(42)
Putting Equations (39) and (42) together, we get the upper bound for \(\Vert \hat{{\bf E}}^{(l+1)}-{\bf E}^{(l+1)}\Vert _{MRE}\) in the case of inserting edges:
\begin{equation} \begin{split}\Vert \hat{{\bf E}}^{(l+1)}-{\bf E}^{(l+1)}\Vert _{MRE} &= \Vert \hat{{\bf P}}^{(l)}\hat{{\bf E}}^{(l)}-{\bf P}^{(l)}{\bf E}^{(l)}\Vert _{MRE} \\ &= \max _k \Bigg \Vert \hat{{\bf e}}_k^{(l)}-{\bf e}_k^{(l)} + \sum _{j \in \hat{\mathcal {N}}_k} \frac{\hat{\eta }_{kj}^{(l)}}{\hat{d}_k}\left(\hat{{\bf e}}_j^{(l)}-\hat{{\bf e}}_k^{(l)}\right) - \sum _{j \in \mathcal {N}_k} \frac{\eta _{kj}^{(l)}}{d_k}\left({\bf e}_j^{(l)}-{\bf e}_k^{(l)}\right)\!\Bigg \Vert _2 \\ &\le \frac{2\lambda \delta _k}{d_k} + \frac{1}{d_k}\sum _{j \in \mathcal {N}_k}p_{kj}^{(l)} + \left\Vert \hat{{\bf e}}_k^{(l)}-{\bf e}_k^{(l)}\right\Vert _2. \end{split} \end{equation}
(43)
Since \(\delta _k / d_k \le \varepsilon\), \(p_{kj}^{(l)}\le 2\Vert \hat{{\bf E}}^{(l)}-{\bf E}^{(l)}\Vert _{MRE}\) and \(\Vert \hat{{\bf e}}_k^{(l)}-{\bf e}_k^{(l)} \Vert _2 \le \Vert \hat{{\bf E}}^{(l)}-{\bf E}^{(l)}\Vert _{MRE}\), we finally have the upper bound for \(\Vert \hat{{\bf E}}^{(l+1)}-{\bf E}^{(l+1)}\Vert _{MRE}\) as:
\begin{equation} \begin{split}\Vert \hat{{\bf E}}^{(l+1)}-{\bf E}^{(l+1)}\Vert _{MRE} &\le \frac{2\lambda \delta _k}{d_k} + \frac{1}{d_k}\sum _{j \in \mathcal {N}_k}p_{kj}^{(l)} + \Vert \hat{{\bf e}}_k^{(l)}-{\bf e}_k^{(l)} \Vert _2 \\ &\le 2\lambda \varepsilon + 3\Vert \hat{{\bf E}}^{(l)}-{\bf E}^{(l)}\Vert _{MRE}, \end{split} \end{equation}
(44)
which completes the proof.□
With Lemma 2, the upper bound for \(\Vert \hat{{\bf E}}-{\bf E} \Vert _{MRE}\) is summarized in the following theorem:
Theorem 1.
Given the norm threshold \(\lambda\), the perturbation rate \(\varepsilon\), and hyperparameter set \(\lbrace \alpha _l\rbrace _L\), we have
\begin{equation} \Vert \hat{{\bf E}}-{\bf E} \Vert _{MRE} \le \lambda \varepsilon \sum _{l=0}^L (3^l-1)\alpha _l . \end{equation}
(45)
Proof.
We first have
\begin{equation} \begin{split}\Vert \hat{{\bf E}}-{\bf E}\Vert _{MRE} &= \left\Vert \sum _{l=0}^L\alpha _l(\hat{{\bf E}}^{(l)}-{\bf E}^{(l)})\right\Vert _{MRE} \\ &\le \sum _{l=0}^L\alpha _l \Vert \hat{{\bf E}}^{(l)}-{\bf E}^{(l)}\Vert _{MRE}. \end{split} \end{equation}
(46)
For each \(\Vert \hat{{\bf E}}^{(l)}-{\bf E}^{(l)}\Vert _{MRE}\) in Equation (46), we can iteratively apply Lemma 2 and derive that
\begin{equation} \begin{split}\Vert \hat{{\bf E}}-{\bf E}\Vert _{MRE} \le & \sum _{l=0}^L\alpha _l \Vert \hat{{\bf E}}^{(l)}-{\bf E}^{(l)}\Vert _{MRE} \\ \le & \lambda \varepsilon \sum _{l=0}^L (3^l-1)\alpha _l, \end{split} \end{equation}
(47)
which completes the proof.□
Theorem 1 bounds the deviation of the representations before and after attacks. Finally, we obtain the upper bound for the predicted score as follows:
Theorem 2.
The adversarial perturbation of log score for the user-item interaction \((u,i)\) is bounded by:
\begin{equation} \begin{split}\left| \log \hat{{\bf Z}}_{ui} - \log {\bf Z}_{ui} \right| &\le \left| \hat{y}_{ui}-y_{ui} \right| \\ &\le \Vert {\bf e}_i \Vert _2\cdot \lambda \varepsilon \sum _{l=0}^L (3^l-1)\alpha _l. \end{split} \end{equation}
(48)
Proof.
Without loss of generality, let \(\hat{{\bf Z}}_{ui} \ge {\bf Z}_{ui}\) and then we have
\begin{equation} \log \frac{\hat{{\bf Z}}_{ui}}{{\bf Z}_{ui}} = \log \frac{1 + e^{-y_{ui}}}{1 + e^{-\hat{y}_{ui}}} \le \log \frac{e^{-y_{ui}}}{e^{-\hat{y}_{ui}}} = \hat{y}_{ui}-y_{ui}, \end{equation}
(49)
where we use a simple inequality that \((1+a)/(1+b)-a/b\le 0\) holds, when \(a,b \gt 0\) and \(a\ge b\). Further, applying Cauchy–Schwarz inequality and Theorem 1, we can have
\begin{equation} \begin{split}\hat{y}_{ui}-y_{ui} &= \left\langle \hat{{\bf e}}_u^T-{\bf e}_u^T, {\bf e}_i \right\rangle \\ &\le \Vert \hat{{\bf e}}_u^T-{\bf e}_u^T \Vert _2 \cdot \Vert {\bf e}_i \Vert _2 \\ &\le \Vert \hat{{\bf E}}-{\bf E}\Vert _{MRE}\cdot \Vert {\bf e}_i \Vert _2 \\ &\le \Vert {\bf e}_i \Vert _2\cdot \lambda \varepsilon \sum _{l=0}^L (3^l-1)\alpha _l. \end{split} \end{equation}
(50)
In practice, when \(\alpha _l=1/(L+1)\), \(L=2\) and \(\Vert {\bf e}_i \Vert _2=1\) hold, for each interaction \((u,i)\), Equation (50) reduces to
\begin{equation} \left| \log \hat{{\bf Z}}_{ui} - \log {\bf Z}_{ui} \right| \le \frac{\lambda \varepsilon }{L+1}\sum _{l=0}^L (3^l-1) = \frac{10}{3}\lambda \varepsilon . \end{equation}
(51)
That is to say, the deviation of \({\bf Z}_{ui}\) before and after a perturbation of rate \(\varepsilon\) is bounded by \(\mathcal {O}(\lambda \varepsilon)\). When \(\lambda \rightarrow 0\) or \(\varepsilon \rightarrow 0\), the deviation brought by attacks tends to 0, which is reasonable: a smaller \(\lambda\) suppresses more of the attack's influence, and a lower perturbation rate induces less deviation. Note that \(\lambda \rightarrow 0\) also drives every \(\eta _{kj}^{(l)}\) between distinct embeddings to 0 in Equation (26), so \({\bf P}\) approaches the identity and no messages are propagated at all; \(\lambda\) therefore trades robustness against recommendation accuracy.
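As an added worked example (not code from the paper), the following numpy script implements the reweighted propagation matrix of Equations (24)–(26) from Section 4.1 on a constructed toy user-item graph, and then checks the per-layer bound of Lemma 2 and the final bound of Theorem 1 from Section 4.2 empirically under an insertion-only perturbation, the case the proof of Lemma 2 assumes. The node layout (users and items stacked into one node set), the 2-d embeddings, the single inserted interaction, and the choices \(\lambda = 1\) and \(\alpha _l = 1/(L+1)\) with \(L=2\) are assumptions made for this example; \(d_k\) counts the self-loop, matching Equation (24).

```python
import numpy as np


def build_propagation(adj, emb, lam):
    """Reweighted random-walk propagation matrix P^(l) of Eqs. (25)-(26).

    adj: (n, n) symmetric 0/1 adjacency of the user-item graph, users and
         items stacked into one node set, zero diagonal.
    emb: (n, d) layer-l embeddings E^(l).
    lam: norm threshold lambda (> 0).
    d_k counts the self-loop (d_k = |N_k| + 1), which makes Eq. (24)
    consistent with P = (D+I)^{-1}(A+I).
    """
    assert lam > 0, "Lemma 2 assumes lambda > 0"
    n = adj.shape[0]
    deg = adj.sum(axis=1) + 1.0
    # dist[k, j] = ||e_j - e_k||_2 for every pair of nodes
    dist = np.linalg.norm(emb[None, :, :] - emb[:, None, :], axis=2)
    eta = lam / np.maximum(lam, dist)          # Eq. (25): 1 inside the ball, < 1 outside
    P = adj * eta / deg[:, None]               # eta_kj / d_k for j in N_k
    P[np.arange(n), np.arange(n)] = 1.0 - P.sum(axis=1)  # 1 - sum_j eta_kj / d_k
    return P


def propagate(adj, emb0, lam, layers):
    """Return [E^(0), ..., E^(L)] with E^(l+1) = P^(l) E^(l)."""
    embs = [emb0]
    for _ in range(layers):
        embs.append(build_propagation(adj, embs[-1], lam) @ embs[-1])
    return embs


def mre_norm(X):
    """Maximum Row Euclidean norm of Eq. (33)."""
    return float(np.max(np.linalg.norm(X, axis=1)))


def demo_graph():
    """Constructed toy graph (not from the paper): nodes 0-2 users, 3-6 items."""
    adj = np.zeros((7, 7))
    for u, i in [(0, 3), (0, 4), (1, 5), (1, 6), (2, 4), (2, 5)]:
        adj[u, i] = adj[i, u] = 1.0
    # 2-d embeddings: user 0 sits near items 3 and 4, user 1 near items 5 and 6
    emb0 = np.array([[0.0, 0.0], [5.0, 5.0], [2.5, 2.5],
                     [0.5, 0.0], [0.0, 0.5], [5.5, 5.0], [5.0, 5.5]])
    return adj, emb0


def reduces_to_plain_walk(lam=1e9):
    """With lambda above every pairwise distance, P equals (D+I)^{-1}(A+I)."""
    adj, emb0 = demo_graph()
    deg = adj.sum(axis=1) + 1.0
    plain = (adj + np.eye(adj.shape[0])) / deg[:, None]
    return bool(np.allclose(build_propagation(adj, emb0, lam), plain))


def robustness_check(lam=1.0, layers=2):
    """Reweighting effect plus an empirical check of Lemma 2 and Theorem 1."""
    adj, emb0 = demo_graph()
    # Constructed insertion-only perturbation for the check: one suspicious
    # interaction between user 0 and item 6, whose embedding is far from user 0's.
    adj_hat = adj.copy()
    adj_hat[0, 6] = adj_hat[6, 0] = 1.0

    deg = adj.sum(axis=1) + 1.0
    delta = np.abs(adj_hat - adj).sum(axis=1)   # delta_k: perturbed edges around node k
    eps = float(np.max(delta / deg))            # perturbation rate: max_k delta_k / d_k

    E = propagate(adj, emb0, lam, layers)
    E_hat = propagate(adj_hat, emb0, lam, layers)

    # Lemma 2 (Eq. 35), checked layer by layer
    dev = [mre_norm(E_hat[l] - E[l]) for l in range(layers + 1)]
    lemma2_holds = all(dev[l + 1] <= 2 * lam * eps + 3 * dev[l] + 1e-9
                       for l in range(layers))

    # Theorem 1 (Eq. 45) with alpha_l = 1/(L+1): the final embedding is the layer mean
    alpha = 1.0 / (layers + 1)
    final_dev = alpha * mre_norm(sum(E_hat) - sum(E))
    theorem1_bound = lam * eps * sum((3 ** l - 1) * alpha for l in range(layers + 1))

    # Message weight user 0 gives a genuine nearby item vs. the inserted far one
    P_hat = build_propagation(adj_hat, emb0, lam)
    return {
        "eps": eps,
        "row_sums_ok": bool(np.allclose(P_hat.sum(axis=1), 1.0)),
        "lemma2_holds": bool(lemma2_holds),
        "final_dev": final_dev,
        "theorem1_bound": theorem1_bound,
        "weight_near_item": float(P_hat[0, 3]),
        "weight_inserted_item": float(P_hat[0, 6]),
    }


if __name__ == "__main__":
    for key, value in robustness_check().items():
        print(f"{key}: {value}")
```

At \(\lambda = 1\) the inserted far item receives a weight of \(1/(4\sqrt{55.25})\approx 0.034\) in user 0's row against 0.25 for a genuine neighbor, whereas plain random-walk normalization would give both 0.25; the two bounds hold at every layer. The defender's knob is \(\lambda\): small values cap how far any single suspicious interaction can move an embedding, and a \(\lambda\) above all pairwise distances recovers the unweighted \(({\bf D}+{\bf I})^{-1}({\bf A}+{\bf I})\) propagation.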

4.3 Complexity Analysis

Finally, we analyze the complexity of our defense and compare it with previous methods such as NGCF [51] and LightGCN [21]. We first consider the space complexity. Since our defense does not introduce additional trainable parameters, its space complexity is the same as that of LightGCN and better than that of NGCF, which uses additional trainable transformation parameters.
As for the time complexity, Table 2 shows the time complexity of each component of GLCF models during a single training epoch, where \(|\mathcal {E}|\) denotes the number of user-item interactions, \(d_l\) is the embedding dimension of the \(l\)th layer, and \(L\) is the number of message-passing layers. Note that the embedding dimension \(d\) is a constant in LightGCN and in our defense. For more information about the time complexity of NGCF and LightGCN, please refer to the original papers [21, 51]. In the following, we give a brief explanation of each component of our defense:
Component | NGCF | LightGCN | Our Defense
Propagation Matrix | - | - | \(\mathcal {O}(|\mathcal {E}|dL)\)
Graph Convolution | \(\mathcal {O}(\sum _{l=1}^L|\mathcal {E}|d_ld_{l-1})\) | \(\mathcal {O}(|\mathcal {E}|dL)\) | \(\mathcal {O}(|\mathcal {E}|dL)\)
Score Prediction | \(\mathcal {O}(\sum _{l=1}^L|\mathcal {E}|d_l)\) | \(\mathcal {O}(|\mathcal {E}|dL+|\mathcal {E}|d)\) | \(\mathcal {O}(|\mathcal {E}|dL+|\mathcal {E}|d)\)
Overall | \(\mathcal {O}(\sum _{l=1}^L|\mathcal {E}|d_ld_{l-1}+\sum _{l=1}^L|\mathcal {E}|d_l)\) | \(\mathcal {O}(|\mathcal {E}|dL+|\mathcal {E}|d)\) | \(\mathcal {O}(|\mathcal {E}|dL+|\mathcal {E}|d)\)
Table 2. The Comparison of Time Complexity
Propagation Matrix. For the \(l\)th propagation layer, we need to compute the penalty coefficient \(\eta\) for each non-zero entry of the propagation matrix \({\bf P}\), as shown in Equations (25)–(26). Its time cost is \(\mathcal {O}(|\mathcal {E}|d)\). With \(L\) layers in total, we need \(\mathcal {O}(|\mathcal {E}|dL)\) time.
Graph Convolution. The matrix multiplication has time complexity \(\mathcal {O}(|\mathcal {E}|d)\) according to Equation (7), and the overall complexity is \(\mathcal {O}(|\mathcal {E}|dL)\) after \(L\) layers.
Score Prediction. First, we obtain the final embeddings for users/items using Equation (8), whose computational complexity over a whole training epoch is \(\mathcal {O}(|\mathcal {E}|dL)\) considering the negative sampling strategy in the BPR loss. Then, the inner product is used to calculate the score as shown in Equation (5), which costs \(\mathcal {O}(|\mathcal {E}|d)\) time per epoch. The overall time complexity for this step is \(\mathcal {O}(|\mathcal {E}|dL+|\mathcal {E}|d)\).
From Table 2, we observe that the time complexity of our defense remains of the same order as LightGCN and is significantly lower than that of NGCF. In addition, we find that during training, computing \(\eta\) only in the first batch of each epoch does not lower the final performance of the model, which further improves training efficiency.

5 Experiments

In this section, we evaluate the effectiveness of the proposed attack and defense. The experiments are mainly designed to answer the following questions:
RQ1. How effective is the proposed attack to manipulate GLCF models?
RQ2. How robust is the proposed defense against the adversarial attacks?

5.1 Experimental Setup

5.1.1 Datasets.

We conduct experiments on three real-world datasets: LastFM [29], Gowalla [31], and Yelp2018 [51]. The statistics of the datasets are listed in Table 3. Following the previous work [21, 51], we split the historical interactions of the user-item graph into training set (70%), validation set (10%), and test set (20%).
Datasets | #User | #Item | #Interaction | Density
LastFM | 1,892 | 4,489 | 52,658 | 0.00620
Gowalla | 29,858 | 40,981 | 1,027,370 | 0.00084
Yelp2018 | 31,668 | 38,048 | 1,561,406 | 0.00130
Table 3. Statistics of the Datasets

5.1.2 Protocols.

In our experiments, we use NGCF [51] and LightGCN [21] as the underlying GLCF models. For adversarial attacks, we first train our surrogate model on the user-item graph. Next, we randomly select 60 users and 60 corresponding items as the target interactions to attack. Among these 60 target interactions, we select (i) 20 interactions with relatively high rankings (i.e., higher than 20th), (ii) 20 interactions with middle rankings (i.e., from 100th to 20th), and (iii) 20 interactions with relatively low rankings (i.e., from 500th to 100th). We denote these three sets as “high-ranking,” “middle-ranking,” and “low-ranking” interactions, respectively. Our goal is to promote these items to the users, i.e., to raise their rankings.

5.1.3 Baselines.

Since, to the best of our knowledge, there are no other competitors for GLCF attacks, we compare the performance of our attack against two baselines that we propose ourselves: (i) Random Attacks (RND), which randomly modify interactions around the target user until the perturbation budget is exhausted; (ii) Fast Gradient Sign Method (FGSM) [18, 72], a gradient-based adversarial attack. Specifically, given the target interaction \((u,i)\), FGSM computes the perturbation gradient \(g\) as follows:
\begin{equation} g_{kj} = \frac{1}{2}(-2{\bf A}_{kj}+1)\left(\frac{\partial {\bf Z}_{ui}}{\partial {\bf A}_{kj}} + \frac{\partial {\bf Z}_{ui}}{\partial {\bf A}_{jk}}\right)\!, \end{equation}
(52)
and then repeatedly chooses the perturbation interaction \((k,j)\) given by \(\arg \max g_{k,j}\) when the attacker intends to promote item \(i\) to user \(u\). For defense, we compare our defense with a traditional denoising method, SGL [54]. SGL is a recent GLCF model that uses data augmentation to learn a robust model; we adopt its default edge-dropping version, as suggested in the original paper.

5.1.4 Evaluation Metrics.

The evaluation metrics of GLCF models are Recall@20 and NDCG@20 computed by the predicted rankings. All unobserved items are the candidates for prediction. To evaluate the effectiveness of adversarial attacks and defenses, we report the deviation rate (DR) and success rate (SR) as the metrics. For the target interaction \((u,i)\), the DR \(\in [-1,1]\) of adversarial attacks is defined as
\begin{equation} DR_{ui} = \frac{ Irank(\hat{{\bf Z}},(u,i)) - Irank({\bf Z},(u,i))}{\max (Irank(\hat{{\bf Z}},(u,i)), Irank({\bf Z},(u,i)))}, \end{equation}
(53)
which measures the relative shift of the ranking after perturbation. We compute the average DR over multiple target interactions. For promoting an item, a smaller (more negative) DR value means better attacking utility. We define SR as follows: suppose we have a threshold \(\tau \in [0,1]\) given by the attacker. We consider the case \(|DR_{ui}| \ge \tau\) a successful attack, and SR measures the ratio of successful attacks. In this work, we fix this threshold to \(\tau =0.8\).
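As an added example (not from the paper), the following Python implements \(Irank\), DR and SR as defined above, with the observed items excluded from the candidate list as the protocol states; a defender can run the same measurement on a model before and after a suspected manipulation. The score matrices \({\bf Z}\) and \(\hat{{\bf Z}}\), the observed sets and the two target interactions are constructed sample values, and ties are broken in the target item's favour (only strictly higher scores count), an assumption the paper does not specify.

```python
import numpy as np


def item_rank(scores, observed, item):
    """Irank: 1-based rank of `item` for one user among the unobserved candidates.

    scores:   predicted scores Z[u] for every item, for one user.
    observed: set of item ids the user already interacted with; they are not
              candidates, matching the protocol in Section 5.1.4.
    Ties are broken in the item's favour (assumption for this example).
    """
    if item in observed:
        raise ValueError("target item must be an unobserved candidate")
    higher = sum(1 for j, s in enumerate(scores)
                 if j not in observed and s > scores[item])
    return higher + 1


def deviation_rate(rank_clean, rank_attacked):
    """DR of Eq. (53): in [-1, 1], negative when the item moved up (promotion)."""
    return (rank_attacked - rank_clean) / max(rank_attacked, rank_clean)


def evaluate_targets(Z, Z_hat, observed, targets, tau=0.8):
    """Average DR and SR over target interactions (u, i), SR using |DR| >= tau."""
    drs = []
    for u, i in targets:
        r = item_rank(Z[u], observed[u], i)
        r_hat = item_rank(Z_hat[u], observed[u], i)
        drs.append(deviation_rate(r, r_hat))
    sr = sum(1 for dr in drs if abs(dr) >= tau) / len(drs)
    return {"drs": drs, "mean_dr": sum(drs) / len(drs), "sr": sr}


def sample_evaluation(tau=0.8):
    """Constructed scores for 2 users x 6 items, clean (Z) and perturbed (Z_hat)."""
    Z = np.array([[0.90, 0.95, 0.80, 0.70, 0.20, 0.60],
                  [0.50, 0.40, 0.30, 0.20, 0.10, 0.05]])
    Z_hat = Z.copy()
    Z_hat[0, 4] = 0.85             # item 4 pushed up for user 0: rank 5 -> 2
    Z_hat[1, 5] = 0.45             # item 5 pushed up for user 1: rank 5 -> 1
    observed = {0: {1}, 1: {0}}    # already-interacted items, excluded from ranking
    targets = [(0, 4), (1, 5)]
    return evaluate_targets(Z, Z_hat, observed, targets, tau)


if __name__ == "__main__":
    print(sample_evaluation())
```

Note that the observed item of user 1 (item 0, score 0.50) is ignored when ranking, so the perturbed score 0.45 already puts the target at rank 1; with \(\tau = 0.8\) only that second target counts as a successful attack.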

5.1.5 Parameter Settings.

In our experiments, we set the perturbation budget's relative rate \(\varepsilon = 0.6\) and the norm threshold \(\lambda = 2\) by default. As for the AUFs in adversarial attacks, we use D-AUF in our method by default. The embedding size is fixed to 64, and the number of layers is 2 for all models. The other parameters of the GLCF models follow the default settings in NGCF [51] and LightGCN [21]. All attack and defense methods are implemented in Python, and all experiments are run on a desktop with six CPU cores at 2.6 GHz.

5.2 Attack Performance

5.2.1 Effectiveness of Attacks.

We first compare the overall effectiveness of different adversarial attacks, and the results are shown in Table 4, with box plots on the LastFM dataset further shown in Figure 3. In the table, we report the DR results of attacks on different datasets and GLCF models, and the best results are marked in bold. In the first column, white-box means we directly use the gradient of the underlying GLCF model, and black-box means we use the gradient of the surrogate model. For both FGSM and our attack, we only run LightGCN as the underlying model and further test their transferability on NGCF in the black-box setting.
Fig. 3. DR box plots on the LastFM dataset. Lower is better. Our attack is better under both white-box and black-box settings.
Method | LastFM (LightGCN) | LastFM (NGCF) | Gowalla (LightGCN) | Gowalla (NGCF) | Yelp2018 (LightGCN) | Yelp2018 (NGCF)
RND | \(-\)0.003 | \(-\)0.001 | +0.064 | \(-\)0.013 | \(-\)0.001 | \(-\)0.040
FGSM (white-box) | \(-\)0.802 | - | \(-\)0.694 | - | \(-\)0.733 | -
Ours (white-box) | \(-\)0.886 | - | \(-\)0.846 | - | \(-\)0.834 | -
FGSM (black-box) | \(-\)0.756 | \(-\)0.388 | \(-\)0.629 | \(-\)0.255 | \(-\)0.606 | \(-\)0.223
Ours (black-box) | \(-\)0.817 | \(-\)0.470 | \(-\)0.697 | \(-\)0.375 | \(-\)0.654 | \(-\)0.326
Table 4. DR Results of Our Attacks
Smaller is better. Our attack is better than the competitors under both white-box and black-box settings.
We can first observe from Table 4 that, in both the white-box and black-box settings, our attack significantly outperforms the other competitors. For example, on the LastFM dataset, our attack achieves 10.5% and 8.0% improvement over the competitor FGSM under the white-box and black-box settings, respectively. The first baseline, RND, performs relatively poorly, because it only perturbs the embedding of the target user randomly, without a suitable direction toward the target item. For FGSM, we believe that gradient-based methods are not optimal for discrete data (i.e., the adjacency matrix \({\bf A}\)), and the gradients usually cannot approximate the objective well. In contrast, the core advantage of our attack is the precise and efficient computation of the objective function.
We can also observe from the table that there is an effectiveness gap between the white-box and black-box settings. This is consistent with our intuition that more effective attacks can be launched with more knowledge about the underlying model. We notice that even when the surrogate model is LightGCN (the same as the underlying model), our black-box attack is still less effective than the white-box one. This is because different training procedures (e.g., starting from different initial points) may result in quite different models. Overall, our black-box attack still maintains a DR of nearly 0.7 in this case. That is to say, it can improve the ranking of an item from top 10 to top 3, on average, which is rather meaningful in business for promoting items.
Finally, we observe that the effectiveness of our attack relatively decreases on the NGCF model. This is due to the fact that both our attack and FGSM are built upon the LightGCN surrogate model, and thus transferring their results to NGCF may incur some effectiveness loss. Still, the proposed attack is more effective than FGSM in this case.

5.2.2 C-AUF vs. D-AUF.

Next, we evaluate the two proposed attacking utility functions, C-AUF and D-AUF, described in Section 3.2.2. Here, we substitute the default D-AUF with C-AUF and show the results in Table 5, listing the DR results of C-AUF and D-AUF on all three datasets. We observe that D-AUF performs better than C-AUF, which conforms to our analysis in Section 3.2.2. For example, on the LastFM dataset, D-AUF has a clear advantage (6.0%–8.0% improvement) over C-AUF in both the white-box and black-box settings.
Method | LastFM | Gowalla | Yelp2018
C-AUF (white-box) | \(-\)0.820 | \(-\)0.723 | \(-\)0.746
D-AUF (white-box) | \(-\)0.886 | \(-\)0.846 | \(-\)0.834
C-AUF (black-box) | \(-\)0.762 | \(-\)0.638 | \(-\)0.627
D-AUF (black-box) | \(-\)0.817 | \(-\)0.697 | \(-\)0.654
Table 5. C-AUF vs. D-AUF
The proposed attacking utility function D-AUF is better.

5.2.3 Attack Results w.r.t. Perturbation Rate.

Next, we analyze the sensitivity of the proposed attack against the perturbation rate \(\varepsilon\). We vary \(\varepsilon\) in the range of [0.2, 1.4], and the results on the LastFM dataset are shown in Figure 4. We report the results of “high-ranking,” “middle-ranking,” and “low-ranking” interactions, as well as the average results.
Fig. 4. Attack results w.r.t. the perturbation rate \(\varepsilon\). The attacking performance increases as the perturbation rate increases, and it becomes stable when the perturbation rate is around 0.8–1.0.
First, we can observe that while the perturbation rate \(\varepsilon\) increases, the effectiveness of adversarial attacks becomes better in all four figures (i.e., DR decreases and SR increases). The results become stable when the perturbation rate \(\varepsilon\) is around 0.8–1.0. We fix \(\varepsilon =0.6\) by default. With larger \(\varepsilon\), the DR and SR results can be further improved. For example, the DR goes blow \(-\)0.95 and the SR achieves nearly 90% in the white-box setting, on average. Meanwhile, it is not hard to find that perturbing the high-ranking interactions is generally easier than perturbing low-ranking ones. This is due to the fact that we need to make the target item outrank more items in the low-ranking case. We also notice that the DR values of high-ranking interactions do not have obvious advantage over low-ranking interactions in Figure 4(c). The possible hypothesis is that there exists a gap between the surrogate objective and real objective in the black-box setting, and a few high-ranking interactions are more significantly influenced by this gap. Still, Figure 4(d) shows that high-ranking interactions have higher SR values.
In summary, to answer RQ1, the proposed attack significantly improves the ranking of a given item in both the white-box and the black-box setting, and it outperforms the two competitor attacks. Further, the proposed attacking utility function D-AUF is better than C-AUF; the attacking utility increases with the perturbation rate and becomes stable when the rate is around 0.8–1.0.

5.3 Defense Performance

5.3.1 Effectiveness of Defenses.

In the following, we study the effectiveness of the proposed defense under different attacks. In this experiment, all adversarial attacks are in the black-box setting, and we drop the RND attack, whose performance is relatively poor. The DR and SR results after applying our defense are shown in Table 6.
Table 6. Results of Our Defense (DR: deviation rate; SR: success rate; all attacks black-box)

Dataset    Attack        DR                                          SR
                         w/o defense  w/ denoise  w/ our defense     w/o defense  w/ denoise  w/ our defense
LastFM     FGSM          -0.756       -0.379      -0.162             0.483        0.133       0.00
           our attack    -0.817       -0.412      -0.180             0.650        0.167       0.00
Gowalla    FGSM          -0.629       -0.251      -0.098             0.200        0.033       0.00
           our attack    -0.697       -0.286      -0.106             0.233        0.083       0.00
Yelp2018   FGSM          -0.606       -0.232      -0.074             0.167        0.017       0.00
           our attack    -0.654       -0.249      -0.089             0.217        0.067       0.00

Our defense significantly shrinks the deviation rate and lowers the success rate of the attacks.
First, after applying our defense, the magnitude of DR is reduced to under 20% on all datasets and even below 10% on the Yelp2018 dataset. Although a few interactions are still slightly affected by the perturbations, all SR results become 0, which means that no interaction's DR magnitude exceeds 80%. This shows a remarkable robustness improvement of our defense against adversarial attacks. Additionally, the proposed defense is better than the denoising method SGL (denoted as "w/ denoise" in the table). For example, our defense improves over SGL by 56.3%–57.2% in terms of DR on the LastFM dataset. A possible reason is that SGL, as a traditional denoising technique, is designed for natural noise and lacks the capability to identify the deliberate perturbations introduced by adversarial attacks.
We also plot how DR changes as the perturbation rate \(\varepsilon\) varies (see footnote 1). The results with LightGCN as the underlying model are shown in Figure 5 for the LastFM and Gowalla datasets. Our defense significantly outperforms plain LightGCN in defending against adversarial attacks. Additionally, after applying our defense, DR grows linearly in \(\varepsilon\), which is consistent with our theoretical analysis.
Fig. 5. Defense performance w.r.t. the perturbation rate.

5.3.2 Normalization of Propagation Matrix.

As mentioned in Section 4.1, we use random walk normalization instead of symmetric normalization. Here, we compare the two in Figure 6. The training processes of GLCF models with the propagation matrix \({\bf P}\) under the two normalizations show little difference. In fact, random walk normalization speeds up the convergence of the model without hurting its effectiveness.
Fig. 6. Symmetric vs. random walk (self-loop) normalization of GLCF on the LastFM dataset.

5.3.3 Tradeoff between Accuracy and Robustness.

Finally, since robustness is usually achieved at the cost of accuracy, we study the tradeoff between the two. The results are shown in Figure 7, where we plot the DR and the accuracy of the robust GLCF model (after applying our defense) for various values of the norm threshold \(\lambda\) on the LastFM and Gowalla datasets. The tradeoff is easy to see: as \(\lambda\) increases, the accuracy (i.e., Recall@20 and NDCG@20) of the robust GLCF model tends to increase while its robustness declines (the DR value becomes more negative). This matches our expectation that a larger \(\lambda\) penalizes suspicious interactions less and thus makes the model easier to manipulate. At the other extreme (i.e., \(\lambda =0\)), every interaction is penalized according to the distance between its user and item, and the model robustness reaches its maximum; for example, in Figure 7(a) the DR value is close to 0 when \(\lambda =0\). To balance accuracy and robustness, we choose \(\lambda =2\) by default. In addition, we observe that the DR value decreases linearly with respect to \(\lambda\), which is also consistent with our analysis of the upper bound \(\mathcal {O}(\lambda \varepsilon)\) in Equation (51).
Fig. 7. Tradeoff between accuracy and robustness.
In summary, to answer RQ2, the proposed defense significantly improves the robustness of GLCF models under both the FGSM attack and the proposed attack. The defense essentially introduces a tradeoff between accuracy and robustness that is controlled by the norm threshold \(\lambda\); \(\lambda =2\) is generally a balance point at which both are kept at a relatively high level.
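To make Sections 5.3.2 and 5.3.3 concrete, the following added example (written for this page; it is not code from the paper or its authors) builds a tiny user-item graph in plain Python, compares symmetric and random walk normalization of the propagation matrix P with self-loops, runs LightGCN-style propagation (a uniform average over layer outputs, using fixed constructed embeddings instead of trained ones), injects one fake interaction to push a target item toward a target user, and then applies a distance-based reweighting of user-item edges controlled by a norm threshold lambda. The graph, the embeddings and the injected edge are constructed; suspicious_weight() is an assumed form chosen only to reproduce the behaviour described above (lambda = 0 penalizes every edge by its user-item distance, larger lambda penalizes less) and is not the paper's exact reweighting rule or its theoretical bound.

```python
# Added illustrative example, not code from the paper.  ASSUMPTIONS: the
# graph, embeddings and injected edge below are constructed; propagation
# is LightGCN-style layer averaging without training; suspicious_weight()
# is an assumed decay chosen to match the described behaviour of the norm
# threshold lam (lam = 0 penalizes every edge by its distance, larger lam
# penalizes less), not the paper's exact rule.
import math

N_USERS, N_ITEMS = 3, 4
# constructed interactions (user, item); the attacker injects (0, 3)
CLEAN = [(0, 0), (0, 1), (1, 1), (1, 2), (2, 2), (2, 3)]
INJECTED = (0, 3)
# constructed initial embeddings: rows 0-2 are users, rows 3-6 are items
EMB = [[2.0, 0.0], [1.0, 1.0], [0.0, 2.0],
       [2.0, 0.0], [1.6, 0.4], [0.4, 1.6], [0.0, 2.0]]


def build_adjacency(n_users, n_items, interactions):
    """Adjacency of the joint user+item graph with a self-loop on every node."""
    n = n_users + n_items
    A = [[0.0] * n for _ in range(n)]
    for v in range(n):
        A[v][v] = 1.0
    for u, i in interactions:
        A[u][n_users + i] = A[n_users + i][u] = 1.0
    return A


def symmetric_normalize(A):
    """P = D^-1/2 A D^-1/2 (GCN-style); P is symmetric, rows do not sum to 1."""
    deg = [sum(row) for row in A]
    return [[A[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(len(A))]
            for i in range(len(A))]


def random_walk_normalize(A):
    """P = D^-1 A; every row sums to 1, so each layer averages neighbour messages."""
    deg = [sum(row) for row in A]
    return [[A[i][j] / deg[i] for j in range(len(A))] for i in range(len(A))]


def matmul(P, E):
    return [[sum(P[i][k] * E[k][j] for k in range(len(E)))
             for j in range(len(E[0]))] for i in range(len(P))]


def propagate(P, E0, layers=2):
    """LightGCN-style: final embedding = mean of E0, P E0, ..., P^layers E0."""
    outs, cur = [E0], E0
    for _ in range(layers):
        cur = matmul(P, cur)
        outs.append(cur)
    return [[sum(E[v][j] for E in outs) / len(outs) for j in range(len(E0[0]))]
            for v in range(len(E0))]


def score(final, n_users, user, item):
    """Inner-product preference score of `user` for `item`."""
    return sum(a * b for a, b in zip(final[user], final[n_users + item]))


def rank_items(final, n_users, n_items, user):
    """Items ordered from most to least preferred for `user`."""
    return sorted(range(n_items), key=lambda i: -score(final, n_users, user, i))


def suspicious_weight(dist, lam):
    """Assumed reweighting: full weight while dist <= lam, exponential decay beyond."""
    return math.exp(-max(0.0, dist - lam))


def reweight_adjacency(A, E0, n_users, lam):
    """Scale every user-item edge by its suspicious weight; self-loops are untouched."""
    n = len(A)
    W = [row[:] for row in A]
    for u in range(n_users):
        for v in range(n_users, n):
            if A[u][v] > 0.0:
                dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(E0[u], E0[v])))
                W[u][v] = W[v][u] = A[u][v] * suspicious_weight(dist, lam)
    return W


def target_score(interactions, lam=None):
    """Score of the target pair (user 0, item 3) after propagation; lam=None = no defense."""
    A = build_adjacency(N_USERS, N_ITEMS, interactions)
    if lam is not None:
        A = reweight_adjacency(A, EMB, N_USERS, lam)
    final = propagate(random_walk_normalize(A), EMB)
    return score(final, N_USERS, 0, 3)


if __name__ == "__main__":
    clean = target_score(CLEAN)
    attacked = target_score(CLEAN + [INJECTED])
    defended = target_score(CLEAN + [INJECTED], lam=1.0)
    print(f"clean {clean:.3f}  attacked {attacked:.3f}  defended(lam=1) {defended:.3f}")
```

Running the block prints the target user's score for the injected item on the clean graph, after the injection, and after reweighting with lam = 1: the injected edge raises the score substantially, and the reweighting brings a large part of that shift back, which is the qualitative effect Table 6 and Figure 7 report. Because random walk normalization divides by the weighted degree, down-weighting one edge also rescales the node's remaining messages, so the effect of lam on a full model should be measured with the paper's own rule rather than read off this toy.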

6 Related Work

In this section, we briefly review the related work: the recent progress of graph learning-based collaborative filtering, and the existing attacks and defenses for earlier collaborative filtering-based recommender systems and for graph neural networks.

6.1 GNN-based Recommender Systems

GLCF has received much recent attention. Essentially, GLCF employs the recent progress of graph neural networks (e.g., GCN [74]) to learn the complex semantics within the user-item interactions [6, 21, 33, 38, 45, 51, 52, 54, 61, 63, 64, 69]. For example, NGCF [51] mimics the message propagation and message aggregation of GCN and adapts them to the recommendation scenario. LCF [64] removes noise and improves the efficiency of graph convolution for recommendation. LightGCN [21] makes the model more efficient still, based on the observation that removing the transformation matrices and nonlinear activation functions of GCN has little effect on recommendation accuracy. EGLN [61] proposes to learn the user/item embeddings and the graph structure simultaneously in a mutual way. Built upon LightGCN, SGL [54] adopts contrastive learning based on structure perturbations to further improve performance.
In addition to the above work, applying GLCF to more complicated scenarios, such as cross-domain recommendation [25, 34], multi-behavior recommendation [58], session-based recommendation [8, 42, 55], and sequential recommendation [2, 17], has also been studied. For example, Chang et al. [2] combine sequential recommendation with GNNs to capture implicit and dynamic user patterns behind users' historical behavior sequences. Hsu and Li [25] propose RetaGNN to transfer knowledge from a source domain with rich data to the target domain and to provide embeddings for newly arriving users without re-training. Wu et al. [55] model session sequences as graphs and leverage attention networks to represent both global preferences and current interests. Chen and Wong [8] propose a lossless encoding scheme based on GRUs and a shortcut graph attention mechanism to address information loss in session-based recommendation.
Although GLCF has recently been extensively studied, the vulnerability aspect remains largely unexplored, especially considering the fact that GNNs themselves have been shown to be vulnerable against adversarial attacks [72, 73].

6.2 GNN Attacks and Defenses

The vulnerability of GNNs has been extensively studied by existing work [4, 13, 37, 46, 59, 71, 72, 73]. For example, Zügner et al. [72] propose to mislead the node classification results of certain nodes by adding and deleting edges, and they further extend the attack to degrade the overall classification performance of GNNs [73]. Sun et al. [46] and Zou et al. [71] propose to inject fake nodes into the graph to launch the attack.
To defend against GNN attacks, several defense methods have been proposed [5, 16, 26, 35, 53, 67, 70]. For example, Wu et al. [53] propose to remove suspicious edges by computing the similarities between nodes; Entezari et al. [16] use a low-rank approximation to drop noisy and malicious information, since existing attacks tend to produce high-rank perturbations. Zhu et al. [70] use Gaussian distributions to represent the hidden node representations, which helps absorb the attacking effect; Jin et al. [26] jointly denoise the graph structure while training the graph neural network.
Although several GNN attacks have been proposed, they cannot be directly applied to GLCF, as its problem setup and optimization objective are quite different from those of traditional GNN tasks. As for defenses, we borrow the idea of lowering the weights of suspicious edges based on similarity computation between users and items, and we further provide theoretical guarantees for the proposed method.

6.3 Attacks and Defenses on Previous Collaborative Filtering

Many researchers have studied the robustness of collaborative filtering [14], with a majority of them focusing on shilling attacks against collaborative filtering [10, 11, 19, 28, 32, 41]. For example, O'Mahony et al. [41] propose push and nuke attacks to promote and demote certain items, respectively. Lam et al. [28] propose the average attack, which assigns the mean rating (across all ratings) to an item. Lin et al. [32] employ a Generative Adversarial Network to attack deep recommendation models. Zhang et al. [66] design a bi-level optimization framework to craft fake user-item interactions using only a limited set of training data. Different from the above work, Li et al. [30] propose to maximize the prediction deviation on the unobserved ratings by poisoning the existing ratings.
Alongside attacks, many defense techniques and anomaly/outlier detection methods have also been studied. For example, Mehta [40] uses PLSA and PCA to detect the push and nuke attacks [41]. Wu et al. [57] propose a semi-supervised method to detect a mixture of random attacks and average attacks. Tong and Lin [48] propose non-negative residual matrix factorization to detect anomalies under general attacks. Toledo et al. [47] and Bag et al. [1] cluster the users and items to identify noisy ratings. Chen et al. [7] debug suspicious ratings through bi-level optimization. Recently, He et al. [22] proposed an adversarial learning framework for robust recommendation, which has been followed by several later proposals [3, 65]. Other techniques such as distillation [9] and certification [36] have also been studied.
Different from the above work [3, 28, 30, 32, 65], we are the first to study attacks and defenses for the recent trend of graph learning-based collaborative filtering. The most obvious difference is that the target models of prior work are traditional CF methods (i.e., linear models and neural networks), whereas ours are graph learning-based CF models. Specifically, a GLCF model inherits the message-passing mechanism between users and items from GNNs, which makes it vulnerable to deliberate perturbation of interactions in the same way as GNNs, while traditional CF methods only use the interactions in the objective function, where a few perturbed interactions usually have limited influence.

7 Conclusions and Discussions

In this article, we have pioneered the investigation of the vulnerability of graph learning-based collaborative filtering. Specifically, we first propose an adversarial attack against GLCF models that uses a greedy strategy and a fast computation method based on a surrogate objective. We then develop a robust GLCF by proposing a defense that reweights messages during propagation, and we provide a theoretical guarantee for the defense. Experimental results demonstrate that the proposed attack effectively shifts the predicted rankings of GLCF models under a limited perturbation budget, and that the proposed defense remarkably shrinks the ranking shift caused by adversarial attacks.
We hope this work will push forward the relevant robustness studies and offer more insight into trustworthy GLCF-based recommender systems. Focusing on the vulnerability aspect, we point out several future directions that need further investigation.
First, in this work we study targeted, direct attacks that aim to manipulate the ranking results for a given user. Other types of attacks also merit study: global or untargeted attacks that aim to degrade the overall performance of the recommender system, indirect attacks that cannot add perturbations in the victim's neighborhood, and node injection attacks that allow only the registration of new users.
Second, our attack is based on an iterative search for local perturbations. This strategy can be further improved by, e.g., considering the noticeability of perturbations to evade human inspection, or by using reinforcement learning to explore globally optimal solutions, especially in the black-box setting.
Third, for the defense, various techniques such as transfer learning have been applied to strengthen the robustness of deep models. These techniques may also be useful for improving the robustness of GLCF models. In addition, how to detect deliberate attackers and identify attacking behavior is also worth further investigation.

Acknowledgment

We thank the anonymous reviewers for their helpful comments.

Footnote

1. We vary \(\varepsilon\) from 0.0 to 1.0, as larger perturbations are usually impractical in real-world applications [26].

References

[1] Sujoy Bag, Susanta Kumar, Anjali Awasthi, and Manoj Kumar Tiwari. 2019. A noise correction-based approach to support a recommender system in a highly sparse rating environment. Decis. Supp. Syst. 118 (2019), 46–57.
[2] Jianxin Chang, Chen Gao, Yu Zheng, Yiqun Hui, Yanan Niu, Yang Song, Depeng Jin, and Yong Li. 2021. Sequential recommendation with graph neural networks. In Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval. 378–387.
[3] Huiyuan Chen and Jing Li. 2019. Adversarial tensor factorization for context-aware recommendation. In Proceedings of the 13th ACM Conference on Recommender Systems. 363–367.
[4] Jinyin Chen, Yangyang Wu, Xuanheng Xu, Yixian Chen, Haibin Zheng, and Qi Xuan. 2018. Fast gradient attack on network embedding. arXiv preprint arXiv:1809.02797 (2018).
[5] Liang Chen, Jintang Li, Qibiao Peng, Yang Liu, Zibin Zheng, and Carl Yang. 2021. Understanding structural vulnerability in graph convolutional networks. arXiv preprint arXiv:2108.06280 (2021).
[6] Lei Chen, Le Wu, Richang Hong, Kun Zhang, and Meng Wang. 2020. Revisiting graph-based collaborative filtering: A linear residual graph convolutional network approach. In Proceedings of the AAAI Conference on Artificial Intelligence. 27–34.
[7] Long Chen, Yuan Yao, Feng Xu, Miao Xu, and Hanghang Tong. 2020. Trading personalization for accuracy: Data debugging in collaborative filtering. In Advances in Neural Information Processing Systems, Vol. 33. 159–169.
[8] Tianwen Chen and Raymond Chi-Wing Wong. 2020. Handling information loss of graph neural networks for session-based recommendation. In Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 1172–1180.
[9] Xu Chen, Yongfeng Zhang, Hongteng Xu, Zheng Qin, and Hongyuan Zha. 2018. Adversarial distillation for efficient recommendation with external knowledge. ACM Trans. Inf. Syst. 37, 1 (2018), 1–28.
[10] Zunping Cheng and Neil Hurley. 2009. Effective diverse and obfuscated attacks on model-based recommender systems. In Proceedings of the 3rd ACM Conference on Recommender Systems. 141–148.
[11] Konstantina Christakopoulou and Arindam Banerjee. 2019. Adversarial attacks on an oblivious recommender. In Proceedings of the 13th ACM Conference on Recommender Systems. 322–330.
[12] Paul Covington, Jay Adams, and Emre Sargin. 2016. Deep neural networks for YouTube recommendations. In Proceedings of the 10th ACM Conference on Recommender Systems. 191–198.
[13] Hanjun Dai, Hui Li, Tian Tian, Xin Huang, Lin Wang, Jun Zhu, and Le Song. 2018. Adversarial attack on graph structured data. In Proceedings of the International Conference on Machine Learning. PMLR, 1115–1124.
[14] Yashar Deldjoo, Tommaso Di Noia, and Felice Antonio Merra. 2021. A survey on adversarial recommender systems: From attack/defense strategies to generative adversarial networks. ACM Comput. Surv. 54, 2 (2021), 1–38.
[15] Travis Ebesu, Bin Shen, and Yi Fang. 2018. Collaborative memory network for recommendation systems. In Proceedings of the 41st International ACM SIGIR Conference on Research & Development in Information Retrieval. 515–524.
[16] Negin Entezari, Saba A. Al-Sayouri, Amirali Darvishzadeh, and Evangelos E. Papalexakis. 2020. All you need is low (rank): Defending against adversarial attacks on graphs. In Proceedings of the 13th International Conference on Web Search and Data Mining. 169–177.
[17] Ziwei Fan, Zhiwei Liu, Jiawei Zhang, Yun Xiong, Lei Zheng, and Philip S. Yu. 2021. Continuous-time sequential recommendation with temporal graph collaborative transformer. In Proceedings of the 30th ACM International Conference on Information & Knowledge Management. 433–442.
[18] Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).
[19] Ihsan Gunes, Cihan Kaleli, Alper Bilge, and Huseyin Polat. 2014. Shilling attacks against recommender systems: A comprehensive survey. Artif. Intell. Rev. 42, 4 (2014), 767–799.
[20] Ruining He and Julian McAuley. 2016. Ups and downs: Modeling the visual evolution of fashion trends with one-class collaborative filtering. In Proceedings of the 25th International Conference on World Wide Web. 507–517.
[21] Xiangnan He, Kuan Deng, Xiang Wang, Yan Li, Yongdong Zhang, and Meng Wang. 2020. LightGCN: Simplifying and powering graph convolution network for recommendation. In Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval. 639–648.
[22] Xiangnan He, Zhankui He, Xiaoyu Du, and Tat-Seng Chua. 2018. Adversarial personalized ranking for recommendation. In Proceedings of the 41st International ACM SIGIR Conference on Research and Development in Information Retrieval. 355–364.
[23] Xiangnan He, Lizi Liao, Hanwang Zhang, Liqiang Nie, Xia Hu, and Tat-Seng Chua. 2017. Neural collaborative filtering. In Proceedings of the 26th International Conference on World Wide Web. 173–182.
[24] Bryan Hooi, Neil Shah, Alex Beutel, Stephan Günnemann, Leman Akoglu, Mohit Kumar, Disha Makhija, and Christos Faloutsos. 2016. BirdNest: Bayesian inference for ratings-fraud detection. In Proceedings of the SIAM International Conference on Data Mining. SIAM, 495–503.
[25] Cheng Hsu and Cheng-Te Li. 2021. RetaGNN: Relational temporal attentive graph neural networks for holistic sequential recommendation. In Proceedings of the 30th International Conference on World Wide Web. 2968–2979.
[26] Wei Jin, Yao Ma, Xiaorui Liu, Xianfeng Tang, Suhang Wang, and Jiliang Tang. 2020. Graph structure learning for robust graph neural networks. In Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 66–74.
[27] Yehuda Koren, Robert Bell, and Chris Volinsky. 2009. Matrix factorization techniques for recommender systems. Computer 42, 8 (2009), 30–37.
[28] Shyong K. Lam and John Riedl. 2004. Shilling recommender systems for fun and profit. In Proceedings of the 13th International Conference on World Wide Web. 393–402.
[29] Mark Levy and Klaas Bosteels. 2010. Music recommendation and the long tail. In Proceedings of the 1st Workshop on Music Recommendation and Discovery (WOMRAD), ACM Conference on Recommender Systems.
[30] Bo Li, Yining Wang, Aarti Singh, and Yevgeniy Vorobeychik. 2016. Data poisoning attacks on factorization-based collaborative filtering. Adv. Neural Inf. Process. Syst. 29 (2016).
[31] Dawen Liang, Laurent Charlin, James McInerney, and David M. Blei. 2016. Modeling user exposure in recommendation. In Proceedings of the 25th International Conference on World Wide Web. 951–961.
[32] Chen Lin, Si Chen, Hui Li, Yanghua Xiao, Lianyun Li, and Qian Yang. 2020. Attacking recommender systems with augmented user profiles. In Proceedings of the 29th ACM International Conference on Information & Knowledge Management. 855–864.
[33] Fan Liu, Zhiyong Cheng, Lei Zhu, Zan Gao, and Liqiang Nie. 2021. Interest-aware message-passing GCN for recommendation. In Proceedings of the 30th International Conference on World Wide Web. 1296–1305.
[34] Meng Liu, Jianjun Li, Guohui Li, and Peng Pan. 2020. Cross domain recommendation via bi-directional transfer graph collaborative filtering networks. In Proceedings of the 29th ACM International Conference on Information & Knowledge Management. 885–894.
[35] Xiaorui Liu, Wei Jin, Yao Ma, Yaxin Li, Hua Liu, Yiqi Wang, Ming Yan, and Jiliang Tang. 2021. Elastic graph neural networks. In Proceedings of the International Conference on Machine Learning. PMLR, 6837–6849.
[36] Yang Liu, Xianzhuo Xia, Liang Chen, Xiangnan He, Carl Yang, and Zibin Zheng. 2020. Certifiable robustness to discrete adversarial perturbations for factorization machines. In Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval. 419–428.
[37] Yao Ma, Suhang Wang, Tyler Derr, Lingfei Wu, and Jiliang Tang. 2021. Graph adversarial attack via rewiring. In Proceedings of the 27th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 1161–1169.
[38] Kelong Mao, Jieming Zhu, Xi Xiao, Biao Lu, Zhaowei Wang, and Xiuqiang He. 2021. UltraGCN: Ultra simplification of graph convolutional networks for recommendation. In Proceedings of the 30th ACM International Conference on Information & Knowledge Management. 1253–1262.
[39] Miller McPherson, Lynn Smith-Lovin, and James M. Cook. 2001. Birds of a feather: Homophily in social networks. Ann. Rev. Sociol. 27, 1 (2001), 415–444.
[40] Bhaskar Mehta. 2007. Unsupervised shilling detection for collaborative filtering. In Proceedings of the AAAI Conference on Artificial Intelligence. 1402–1407.
[41] Michael P. O'Mahony, Neil J. Hurley, and Guenole Silvestre. 2002. Promoting recommendations: An attack on collaborative filtering. In Proceedings of the International Conference on Database and Expert Systems Applications. Springer, 494–503.
[42] Yitong Pang, Lingfei Wu, Qi Shen, Yiming Zhang, Zhihua Wei, Fangli Xu, Ethan Chang, Bo Long, and Jian Pei. 2022. Heterogeneous global graph neural networks for personalized session-based recommendation. In Proceedings of the 15th ACM International Conference on Web Search and Data Mining. 775–783.
[43] Ruihong Qiu, Zi Huang, Jingjing Li, and Hongzhi Yin. 2020. Exploiting cross-session information for session-based recommendation with graph neural networks. ACM Trans. Inf. Syst. 38, 3 (2020), 1–23.
[44] Steffen Rendle, Christoph Freudenthaler, Zeno Gantner, and Lars Schmidt-Thieme. 2012. BPR: Bayesian personalized ranking from implicit feedback. arXiv preprint arXiv:1205.2618 (2012).
[45] Jianing Sun, Zhaoyue Cheng, Saba Zuberi, Felipe Pérez, and Maksims Volkovs. 2021. HGCF: Hyperbolic graph convolution networks for collaborative filtering. In Proceedings of the 30th International Conference on World Wide Web. 593–601.
[46] Yiwei Sun, Suhang Wang, Xianfeng Tang, Tsung-Yu Hsieh, and Vasant Honavar. 2020. Adversarial attacks on graph neural networks via node injections: A hierarchical reinforcement learning approach. In Proceedings of the 29th International Conference on World Wide Web. 673–683.
[47] Raciel Yera Toledo, Yailé Caballero Mota, and Luis Martínez. 2015. Correcting noisy ratings in collaborative recommender systems. Knowl.-based Syst. 76 (2015), 96–108.
[48] Hanghang Tong and Ching-Yung Lin. 2011. Non-negative residual matrix factorization with application to graph anomaly detection. In Proceedings of the SIAM International Conference on Data Mining. SIAM, 143–153.
[49] Shoujin Wang, Liang Hu, Yan Wang, Xiangnan He, Quan Z. Sheng, Mehmet A. Orgun, Longbing Cao, Francesco Ricci, and Philip S. Yu. 2021. Graph learning-based recommender systems: A review. In Proceedings of the 30th International Joint Conference on Artificial Intelligence (IJCAI Survey Track). 4644–4652.
[50] Xiaoyun Wang, Minhao Cheng, Joe Eaton, Cho-Jui Hsieh, and Felix Wu. 2018. Attack graph convolutional networks by adding fake nodes. arXiv preprint arXiv:1810.10751 (2018).
[51] Xiang Wang, Xiangnan He, Meng Wang, Fuli Feng, and Tat-Seng Chua. 2019. Neural graph collaborative filtering. In Proceedings of the 42nd International ACM SIGIR Conference on Research and Development in Information Retrieval. 165–174.
[52] Xiang Wang, Hongye Jin, An Zhang, Xiangnan He, Tong Xu, and Tat-Seng Chua. 2020. Disentangled graph collaborative filtering. In Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval. 1001–1010.
[53] Huijun Wu, Chen Wang, Yuriy Tyshetskiy, Andrew Docherty, Kai Lu, and Liming Zhu. 2019. Adversarial examples for graph data: Deep insights into attack and defense. In Proceedings of the 28th International Joint Conference on Artificial Intelligence (IJCAI'19). 4816–4823.
[54] Jiancan Wu, Xiang Wang, Fuli Feng, Xiangnan He, Liang Chen, Jianxun Lian, and Xing Xie. 2021. Self-supervised graph learning for recommendation. In Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval. 726–735.
[55] Shu Wu, Yuyuan Tang, Yanqiao Zhu, Liang Wang, Xing Xie, and Tieniu Tan. 2019. Session-based recommendation with graph neural networks. In Proceedings of the AAAI Conference on Artificial Intelligence. 346–353.
[56] Zonghan Wu, Shirui Pan, Fengwen Chen, Guodong Long, Chengqi Zhang, and Philip S. Yu. 2020. A comprehensive survey on graph neural networks. IEEE Trans. Neural Netw. Learn. Syst. 32, 1 (2020), 4–24.
[57] Zhiang Wu, Junjie Wu, Jie Cao, and Dacheng Tao. 2012. HySAD: A semi-supervised hybrid shilling attack detector for trustworthy product recommendation. In Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 985–993.
[58] Lianghao Xia, Yong Xu, Chao Huang, Peng Dai, and Liefeng Bo. 2021. Graph meta network for multi-behavior recommendation. In Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval. 757–766.
[59] Kaidi Xu, Hongge Chen, Sijia Liu, Pin-Yu Chen, Tsui-Wei Weng, Mingyi Hong, and Xue Lin. 2019. Topology attack and defense for graph neural networks: An optimization perspective. In Proceedings of the 28th International Joint Conference on Artificial Intelligence (IJCAI'19). 3961–3967.
[60] Senrong Xu, Yuan Yao, Liangyue Li, Wei Yang, Feng Xu, and Hanghang Tong. 2022. Detecting topology attacks against graph neural networks. arXiv preprint arXiv:2204.10072 (2022).
[61] Yonghui Yang, Le Wu, Richang Hong, Kun Zhang, and Meng Wang. 2021. Enhanced graph learning for collaborative filtering via mutual information maximization. In Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval. 71–80.
[62] Rex Ying, Ruining He, Kaifeng Chen, Pong Eksombatchai, William L. Hamilton, and Jure Leskovec. 2018. Graph convolutional neural networks for web-scale recommender systems. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 974–983.
[63] Junliang Yu, Hongzhi Yin, Jundong Li, Qinyong Wang, Nguyen Quoc Viet Hung, and Xiangliang Zhang. 2021. Self-supervised multi-channel hypergraph convolutional network for social recommendation. In Proceedings of the 30th International Conference on World Wide Web. 413–424.
[64] Wenhui Yu and Zheng Qin. 2020. Graph convolutional network for recommendation with low-pass collaborative filters. In Proceedings of the International Conference on Machine Learning. PMLR, 10936–10945.
[65] Feng Yuan, Lina Yao, and Boualem Benatallah. 2019. Adversarial collaborative neural network for robust recommendation. In Proceedings of the 42nd International ACM SIGIR Conference on Research and Development in Information Retrieval. 1065–1068.
[66] Hengtong Zhang, Changxin Tian, Yaliang Li, Lu Su, Nan Yang, Wayne Xin Zhao, and Jing Gao. 2021. Data poisoning attack against recommender system using incomplete and perturbed data. In Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining. 2154–2164.
[67] Xiang Zhang and Marinka Zitnik. 2020. GNNGuard: Defending graph neural networks against adversarial attacks. Adv. Neural Inf. Process. Syst. 33 (2020), 9263–9275.
[68] Zhenliang Zhang, Yuan Wang, Edwin K. P. Chong, and Ali Pezeshki. 2016. Subspace selection for projection maximization with matroid constraints. IEEE Trans. Sig. Process. 65, 5 (2016), 1339–1351.
[69] Yu Zheng, Chen Gao, Liang Chen, Depeng Jin, and Yong Li. 2021. DGCN: Diversified recommendation with graph convolutional networks. In Proceedings of the 30th International Conference on World Wide Web. 401–412.
[70] Dingyuan Zhu, Ziwei Zhang, Peng Cui, and Wenwu Zhu. 2019. Robust graph convolutional networks against adversarial attacks. In Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 1399–1407.
[71] Xu Zou, Qinkai Zheng, Yuxiao Dong, Xinyu Guan, Evgeny Kharlamov, Jialiang Lu, and Jie Tang. 2021. TDGIA: Effective injection attacks on graph neural networks. In Proceedings of the 27th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2461–2471.
[72] Daniel Zügner, Amir Akbarnejad, and Stephan Günnemann. 2018. Adversarial attacks on neural networks for graph data. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2847–2856.
[73] Daniel Zügner and Stephan Günnemann. 2019. Adversarial attacks on graph neural networks via meta learning. In Proceedings of the International Conference on Learning Representations (ICLR).
[74] Thomas N. Kipf and Max Welling. 2017. Semi-supervised classification with graph convolutional networks. In Proceedings of the International Conference on Learning Representations (ICLR).

    Published In

    ACM Transactions on Information Systems, Volume 41, Issue 4, October 2023 (958 pages)
    ISSN: 1046-8188, EISSN: 1558-2868
    DOI: 10.1145/3587261

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 23 March 2023
    Online AM: 24 November 2022
    Accepted: 14 November 2022
    Revised: 18 September 2022
    Received: 30 May 2022
    Published in TOIS Volume 41, Issue 4

    Author Tags

    1. Recommender system
    2. collaborative filtering
    3. graph neural network
    4. adversarial attack
    5. defense

    Qualifiers

    • Research-article

    Funding Sources

    • National Natural Science Foundation of China
    • Collaborative Innovation Center of Novel Software Technology and Industrialization
    • NSF
