attack 2025

Controllable and Stealthy Shilling Attacks via Dispersive Latent Diffusion

Shutong Qiao 1, Wei Yuan 1, Junliang Yu 1, Tong Chen 1, Quoc Viet Hung Nguyen 2, Hongzhi Yin 1

Published on arXiv: 2508.01987

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

DLDA consistently achieves stronger target item promotion while remaining harder to detect than prior shilling attacks across three real-world datasets and five RS models, demonstrating that modern recommender systems are more vulnerable than previously recognized.

Novel technique introduced: DLDA (Dispersive Latent Diffusion Attack)


Recommender systems (RSs) are now fundamental to various online platforms, but their dependence on user-contributed data leaves them vulnerable to shilling attacks that can manipulate item rankings by injecting fake users. Although widely studied, most existing attack models fail to meet two critical objectives simultaneously: achieving strong adversarial promotion of target items while maintaining realistic behavior to evade detection. As a result, the true severity of shilling threats that manage to reconcile the two objectives remains underappreciated. To expose this overlooked vulnerability, we present DLDA, a diffusion-based attack framework that can generate highly effective yet indistinguishable fake users by enabling fine-grained control over target promotion. Specifically, DLDA operates in a pre-aligned collaborative embedding space, where it employs a conditional latent diffusion process to iteratively synthesize fake user profiles with precise target item control. To evade detection, DLDA introduces a dispersive regularization mechanism that promotes variability and realism in generated behavioral patterns. Extensive experiments on three real-world datasets and five popular RS models demonstrate that, compared to prior attacks, DLDA consistently achieves stronger item promotion while remaining harder to detect. These results highlight that modern RSs are more vulnerable than previously recognized, underscoring the urgent need for more robust defenses.


Key Contributions

  • DLDA: a conditional latent diffusion framework operating in a pre-aligned collaborative embedding space to synthesize controllable, target-directed fake user profiles
  • Dispersive regularization mechanism that promotes behavioral variability across generated fake users to evade detection systems
  • Adaptive Poisson-based projection converting dense latent vectors to sparse interaction profiles to mimic real-world user behavior sparsity

🛡️ Threat Analysis

Data Poisoning Attack

DLDA is a data poisoning attack: it injects synthesized fake user profiles (malicious training data) into a recommender system to corrupt its learned interaction patterns and boost target item rankings. The attack vector is the poisoned training data, not a hidden trigger — making this ML02, not ML10.


Details

Domains: generative, graph
Model Types: diffusion, gnn, traditional_ml
Threat Tags: training_time, targeted, white_box
Applications: recommender systems, collaborative filtering