attack 2026

Sharpness-Aware Poisoning: Enhancing Transferability of Injective Attacks on Recommender Systems

Junsong Xie 1, Yonghui Yang 2,1, Pengyang Shao 1, Le Wu 1

Published on arXiv

2604.22170

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

Significantly enhances attack transferability across victim models by optimizing the poisoned data against an approximately worst-case victim model located with sharpness-aware minimization, instead of against a single fixed surrogate

SharpAP

Novel technique introduced


Recommender Systems (RS) have been shown to be vulnerable to injective attacks, where attackers inject a limited number of fake user profiles to promote the exposure of target items to real users for unethical gains (e.g., economic or political advantages). Since attackers typically lack knowledge of the victim model deployed in the target RS, existing methods resort to using a fixed surrogate model to mimic the potential victim model. Despite considerable progress, we argue that the assumption that poisoned data generated for the surrogate model can be used to attack other victim models is wishful thinking. When there are significant structural discrepancies between the surrogate and victim models, the attack transferability inevitably suffers. Intuitively, if we can identify the worst-case victim model and iteratively optimize the poisoning effect specifically against it, then the generated poisoned data would transfer better to other victim models. However, exactly identifying the worst-case victim model during the attack process is challenging due to the large space of victim models. To this end, in this work, we propose a novel attack method called Sharpness-Aware Poisoning (SharpAP). Specifically, it employs the sharpness-aware minimization principle to seek the approximately worst-case victim model and optimizes the poisoned data specifically for this worst-case model. The poisoning attack with SharpAP is formulated as a min-max-min tri-level optimization problem. By integrating SharpAP into the iterative attack process, our method can generate more robust poisoned data that is less sensitive to shifts in model structure, mitigating overfitting to the surrogate model. Comprehensive experimental comparisons on three real-world datasets demonstrate that SharpAP can significantly enhance the attack transferability.


Key Contributions

  • Sharpness-aware minimization framework to generate poisoned data robust to victim model variations
  • Tri-level optimization formulation (min-max-min) to identify worst-case victim model and optimize attack transferability
  • Empirical demonstration of significantly improved attack transferability across different recommender model architectures
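The following is an added toy illustration of the tri-level structure described above; it is not the authors' code, and the paper's exact loss, model family, constraints and perturbation scheme are not given on this page. Everything below is assumed for illustration: the surrogate is a rank-k matrix factorisation trained by gradient descent (the inner min), the attack objective is the cross-entropy of the target item being each real user's top item, the "worst-case victim" is found by a single sharpness-aware ascent step on the item embeddings within a rho-ball (the middle max), and the fake profiles are updated with a one-step unrolled hypergradient and clipped to [0, 1] rather than constrained to a discrete interaction budget (the outer min). Setting rho = 0 gives the plain fixed-surrogate baseline for comparison, and the run at the bottom scores both on two victims the attacker never trained against (a higher-rank MF and an item-kNN recommender). The data is seeded random, not any real dataset.

```python
import numpy as np

# Constructed toy data (seeded random), not the paper's datasets or code.
N_REAL, N_FAKE, M, K, TARGET = 60, 5, 30, 6, 7
INNER_LR, REG = 0.01, 0.01
R_REAL = (np.random.default_rng(0).random((N_REAL, M)) < 0.15).astype(float)
R_REAL[:, TARGET] = 0.0  # the target item starts with no real interactions


def train_mf(R, k=K, steps=300, seed=1):
    """Inner level: fit a rank-k matrix-factorisation surrogate to the (poisoned) matrix R
    by full-batch gradient descent on ||R - U V^T||^2 + REG * (||U||^2 + ||V||^2)."""
    g = np.random.default_rng(seed)
    U, V = g.normal(0, 0.1, (R.shape[0], k)), g.normal(0, 0.1, (R.shape[1], k))
    for _ in range(steps):
        E = R - U @ V.T
        U, V = (U + INNER_LR * (2 * E @ V - 2 * REG * U),
                V + INNER_LR * (2 * E.T @ U - 2 * REG * V))
    return U, V


def attack_loss_and_grad(U_real, V, target=TARGET):
    """Attack objective (assumed here): mean cross-entropy of the target being each real
    user's top item; lower means the target is promoted more. Returns loss and dL/dV."""
    S = U_real @ V.T
    S = S - S.max(axis=1, keepdims=True)
    P = np.exp(S)
    Z = P.sum(axis=1, keepdims=True)
    P /= Z
    loss = float(np.mean(np.log(Z[:, 0]) - S[:, target]))
    dS = P                      # softmax probabilities, reused in place as dL/dS
    dS[:, target] -= 1.0
    dS /= U_real.shape[0]
    return loss, dS.T @ U_real


def worst_case_victim(U_real, V, rho):
    """Middle level (the sharpness-aware step): move V to the point in a rho-ball that
    maximises the attack loss to first order, i.e. the nearby model the attack works worst on."""
    _, G = attack_loss_and_grad(U_real, V)
    return V + rho * G / (np.linalg.norm(G) + 1e-12)


def unrolled_item_update(R, U, V):
    """One surrogate training step on V with U held fixed; the hypergradient differentiates through it."""
    E = R - U @ V.T
    return V + INNER_LR * (2 * E.T @ U - 2 * REG * V)


def outer_objective(R_fake, U, V_adv):
    """Attack loss on real users after one training step started from the worst-case victim V_adv."""
    V_next = unrolled_item_update(np.vstack([R_REAL, R_fake]), U, V_adv)
    return attack_loss_and_grad(U[:N_REAL], V_next)[0]


def hypergradient(R_fake, U, V_adv):
    """d outer_objective / d R_fake. Because dV_next[j] / dR[f, j] = 2 * INNER_LR * U_f, the
    gradient is 2 * INNER_LR * U_fake @ G_next^T where G_next = dL_atk / dV_next."""
    V_next = unrolled_item_update(np.vstack([R_REAL, R_fake]), U, V_adv)
    _, G_next = attack_loss_and_grad(U[:N_REAL], V_next)
    return 2 * INNER_LR * U[N_REAL:] @ G_next.T


def sharp_ap(rounds=20, rho=0.5, eta=5.0, seed=2):
    """Outer level: alternate surrogate training, worst-case-victim search and a projected
    hypergradient step on the fake profiles. rho=0 degenerates to the fixed-surrogate baseline."""
    R_fake = np.random.default_rng(seed).random((N_FAKE, M))
    for _ in range(rounds):
        U, V = train_mf(np.vstack([R_REAL, R_fake]))
        V_adv = worst_case_victim(U[:N_REAL], V, rho)
        R_fake = np.clip(R_fake - eta * hypergradient(R_fake, U, V_adv), 0.0, 1.0)
    return R_fake


def target_rank(scores, target=TARGET):
    """Mean rank (1 = top) of the target item over the scored users; the transfer metric."""
    return float(np.mean((scores > scores[:, [target]]).sum(axis=1) + 1))


def item_knn_scores(R):
    """A structurally different victim: item-based cosine kNN scoring over the poisoned matrix."""
    norms = np.linalg.norm(R, axis=0) + 1e-12
    return R @ ((R.T @ R) / np.outer(norms, norms))


if __name__ == "__main__":
    for name, rho in [("fixed surrogate (rho=0)", 0.0), ("SharpAP-style (rho=0.5)", 0.5)]:
        R = np.vstack([R_REAL, sharp_ap(rho=rho)])
        U, V = train_mf(R, k=12, seed=9)  # unseen victim: different rank and initialisation
        print(f"{name}: target rank on MF victim {target_rank(U[:N_REAL] @ V.T):.2f}, "
              f"on item-kNN victim {target_rank(item_knn_scores(R)[:N_REAL]):.2f}")
```

Two properties are worth checking when adapting this. The attack loss above is convex in the item embeddings for fixed user embeddings, so the ascent step in `worst_case_victim` can only raise the loss, which is exactly the "worst case within the neighbourhood" the middle level wants. The hypergradient is only correct for the one-step unrolling it derives from; if the inner level is replaced by a multi-step or implicit solver, the outer gradient has to be re-derived, which is the usual failure mode when extending a bilevel poisoning attack.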

🛡️ Threat Analysis

Data Poisoning Attack

Injective attack that corrupts training data by injecting fake user profiles to manipulate recommender system behavior — classic data poisoning at training time.


Details

Model Types
traditional_ml
Threat Tags
black_box, training_time, targeted
Datasets
three real-world datasets (not named in abstract)
Applications
recommender systems, item promotion