Chad Williams

Toward trustworthy recommender systems: An analysis of attack models and algorithm robustness

Publicly accessible adaptive systems such as collaborative recommender systems present a security problem. Attackers, who cannot be readily distinguished from ordinary users, may inject biased profiles in an attempt to force a system to “adapt” in a manner advantageous to them. Such attacks may lead to a degradation of user trust in the objectivity and accuracy of the system. Recent research has begun to examine the vulnerabilities and robustness of different collaborative recommendation techniques in the face of “profile injection” attacks. In this article, we outline some of the major issues in building secure recommender systems, concentrating in particular on the modeling of attacks and their impact on various recommendation algorithms. We introduce several new attack models and perform extensive simulation-based evaluations to show which attacks are most successful and practical against common recommendation techniques. Our study shows that both user-based and item-based algorithms are highly vulnerable to specific attack models, but that hybrid algorithms may provide a higher degree of robustness. Using our formal characterization of attack models, we also introduce a novel classification-based approach for detecting attack profiles and evaluate its effectiveness in neutralizing attacks.

Classification features for attack detection in collaborative recommender systems

Collaborative recommender systems are highly vulnerable to attack. Attackers can use automated means to inject a large number of biased profiles into such a system, resulting in recommendations that favor or disfavor given items. Since collaborative recommender systems must be open to user input, it is difficult to design a system that cannot be so attacked. Researchers studying robust recommendation have therefore begun to identify types of attacks and study mechanisms for recognizing and defeating them. In this paper, we propose and study different attributes derived from user profiles for their utility in attack detection. We show that a machine learning classification approach that includes attributes derived from attack models is more successful than more generalized detection algorithms previously studied.

An automated GPS-based prompted recall survey with learning algorithms

Abstract Using GPS technology in the collection of household travel data has been gaining importance as the technology matures. This paper documents recent developments in the field of GPS travel surveying and ways in which GPS has been incorporated into or even replaced traditional household travel survey methods. A new household activity survey is presented which uses automated data reduction methods to determine activity and travel locations based on a series of heuristics developed from land-use data and travel characteristics. The algorithms are used in an internet-based prompted recall survey which utilizes advanced learning algorithms to reduce the burden placed on survey respondents. Initial results of a small pilot study are discussed and potential areas of future work are presented.

Defending recommender systems: detection of profile injection attacks

Collaborative recommender systems are known to be highly vulnerable to profile injection attacks, attacks that involve the insertion of biased profiles into the ratings database for the purpose of altering the system’s recommendation behavior. Prior work has shown when profiles are reverse engineered to maximize influence; even a small number of malicious profiles can significantly bias the system. This paper describes a classification approach to the problem of detecting and responding to profile injection attacks. A number of attributes are identified that distinguish characteristics present in attack profiles in general, as well as an attribute generation approach for detecting profiles based on reverse engineered attack models. Three well-known classification algorithms are then used to demonstrate the combined benefit of these attributes and the impact the selection of classifier has with respect to improving the robustness of the recommender system. Our study demonstrates this technique significantly reduces the impact of the most powerful attack models previously studied, particularly when combined with a support vector machine classifier.

Analysis and detection of segment-focused attacks against collaborative recommendation

Significant vulnerabilities have recently been identified in collaborative filtering recommender systems. These vulnerabilities mostly emanate from the open nature of such systems and their reliance on user-specified judgments for building profiles. Attackers can easily introduce biased data in an attempt to force the system to “adapt” in a manner advantageous to them. Our research in secure personalization is examining a range of attack models, from the simple to the complex, and a variety of recommendation techniques. In this chapter, we explore an attack model that focuses on a subset of users with similar tastes and show that such an attack can be highly successful against both user-based and item-based collaborative filtering. We also introduce a detection model that can significantly decrease the impact of this attack.

Detecting Profile Injection Attacks in Collaborative Recommender Systems

Collaborative recommender systems are known to be highly vulnerable to profile injection attacks, attacks that involve the insertion of biased profiles into the ratings database for the purpose of altering the systems recommendation behavior. In prior work, we and others have identified a number of models for such attacks and shown their effectiveness. This paper describes a classification approach to the problem of detecting and responding to profile injection attacks. This technique significantly reduces the effectiveness of the most powerful attack models previously studied

Detecting profile injection attacks in collaborative filtering: a classification-based approach

Collaborative recommender systems have been shown to be vulnerable to profile injection attacks. By injecting a large number of biased profiles into a system, attackers can manipulate the predictions of targeted items. To decrease this risk, researchers have begun to study mechanisms for detecting and preventing profile injection attacks. In prior work, we proposed several attributes for attack detection and have shown that a classifier built with them can be highly successful at identifying attack profiles. In this paper, we extend our work through a more detailed analysis of the information gain associated with these attributes across the dimensions of attack type and profile size. We then evaluate their combined effectiveness at improving the robustness of user based recommender systems.

Mining sequential association rules for traveler context prediction

Recent work has focused on creating models for generating traveler behavior for micro simulations. With the increase in hand held computers and GPS devices, there is likely to be an increasing demand for extending this idea to predicting an individuals future travel plans for devices such as a smart travelers assistant. In this work, we introduce a technique based on sequential data mining for predicting multiple aspects of an individuals next activity using a combination of user history and their similarity to other travelers. The proposed technique is empirically shown to perform better than more traditional approaches to this problem.

Attribute Constrained Rules for Partially Labeled Sequence Completion

Sequential pattern and rule mining have been the focus of much research, however predicting missing sets of elements within a sequence remains a challenge. Recent work in survey design suggests that if these missing elements can be inferred with a higher degree of certainty, it could greatly reduce the time burden on survey participants. To address this problem and the more general problem of missing sensor data, we introduce a new form of constrained sequential rules that use attribute presence to better capture rule confidence in sequences with missing data than previous constraint based techniques. Specifically we examine the problem of given a partially labeled sequence of sets, how well can the missing attributes be inferred. Our study shows this technique significantly improves prediction robustness when even large amounts of data are missing compared to traditional techniques.