Attack · 2025

Shilling Recommender Systems by Generating Side-feature-aware Fake User Profiles

Yuanrong Wang , Yingpeng Du

0 citations · 23 references · arXiv

Published on arXiv

2509.17918

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

Side-feature-aware fake profiles achieve strong attack success in promoting target items while maintaining stealthiness against detection on recommendation benchmarks.

Side-feature-aware Leg-UP

Novel technique introduced


Recommender systems (RS) greatly influence users' consumption decisions, making them attractive targets for malicious shilling attacks that inject fake user profiles to manipulate recommendations. Existing shilling methods can generate effective and stealthy fake profiles when the training data contain only a rating matrix, but they lack comprehensive solutions for scenarios where side features are present and utilized by the recommender. To address this gap, we extend the Leg-UP framework by enhancing the generator architecture to incorporate side features, enabling the generation of side-feature-aware fake user profiles. Experiments on benchmarks show that our method achieves strong attack performance while maintaining stealthiness.


Key Contributions

  • Extends the Leg-UP profile-generation framework to jointly model both user ratings and side features (e.g., gender, age, occupation) for fake profile generation
  • Proposes a side-feature-aware generator architecture enabling gray-box shilling attacks on recommenders that leverage user attributes
  • Demonstrates strong attack performance and stealthiness on benchmark datasets against modern side-feature-aware recommender systems

🛡️ Threat Analysis

Data Poisoning Attack

Core contribution is injecting fake user profiles (fabricated ratings + side features) into recommender system training data to bias model outputs toward a target item — this is a targeted data poisoning attack. There is no hidden trigger-based activation mechanism, distinguishing it from ML10.


Details

Domains
tabular
Model Types
traditional_ml
Threat Tags
grey_box, training_time, targeted
Applications
recommender systems, collaborative filtering, e-commerce