Robustness Enhancement of Recommender Systems Based on a Two-Stage Defense Framework

doi:10.19678/j.issn.1000-3428.0252806

Abstract

Abstract: Sequential recommender systems excel at capturing users' dynamic interests, yet their open nature makes them highly vulnerable to data poisoning attacks. Attackers can effectively manipulate recommendation outcomes by altering the textual descriptions of items, posing a severe challenge to model robustness. Existing defense strategies, which primarily rely on static rules or fixed-intensity perturbations, struggle to counter the growing complexity and variability of semantic-level textual attacks.To address this challenge, we propose RADAR, a two-stage collaborative defense framework. This framework synergizes robustness enhancement at the training stage with real-time protection at the inference stage. First, during training, it employs dynamic adversarial training to bolster the model's intrinsic resilience against unknown textual perturbations. Second, at inference, it leverages a Large Language Model (LLM) for precise semantic-level anomaly detection and content restoration.Experimental results demonstrate the superior defense performance of RADAR. In attack tests on the Scientific dataset, compared to the strongest baseline model（Cert-LLM）, RADAR reduces the exposure increase of malicious items from 3.1796% to just 0.9921%. This powerfully validates the framework's effectiveness in enhancing the security and robustness of sequential recommender systems.

摘要： 序列推荐系统在捕捉用户动态兴趣方面表现出色，但其开放性使其极易遭受数据投毒攻击。攻击者通过篡改物品的文本描述，能有效操纵推荐结果，这对模型的鲁棒性构成了严峻挑战。现有防御策略大多依赖静态规则或固定强度的扰动，难以应对语义层面日益复杂和多变的文本攻击。为解决此问题，本文提出了一个名为RADAR的双阶段协同防御框架。该框架有机融合了训练时鲁棒性增强与推理时实时防护：首先，在训练阶段引入动态对抗训练，提升模型抵御未知文本扰动的内在能力；其次，在推理阶段利用大语言模型（LLM）进行精准的语义级异常检测与内容修复。实验结果表明，RADAR框架防御性能卓越。在Scientific数据集的攻击测试中，相较于最强的基准模型（Cert-LLM），RADAR能将恶意项目曝光的增幅从3.1796%锐减至0.9921%，有力地证明了该框架在增强序列推荐系统安全性与鲁棒性方面的有效性。

YAO Xun, HE Yuan, HU Xinrong, YANG Jie. Robustness Enhancement of Recommender Systems Based on a Two-Stage Defense Framework[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0252806.

姚迅, 何园, 胡新荣, 杨捷. 基于双阶段防御的推荐系统鲁棒性增强研究[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0252806.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0252806

References

[1] Zhou K, Yu H, Zhao W X, et al. Filter-enhanced MLP is All You Need for Sequential Recommendation[C]//Proceedings of the ACM Web Conference 2022. New York: ACM, 2022: 2388–2399.
[2] Huang H, Mu J, Gong N Z, et al. Data Poisoning Attacks to Deep Learning Based Recommender Systems[C]//Proceedings of the 2021 Network and Distributed System Security Symposium. San Diego: Internet Society, 2021.
[3] Jiaxi T, Hongyi W, Ke W. Revisiting adversarially learned injection attacks against recommender systems[C]//Proceedings of the 14th ACM Conference on Recommender Systems. New York: ACM, 2020.
[4] Yang Z, Xu L, Cai Z, et al. Re-scale AdaBoost for Attack Detection in Collaborative Filtering Recommender Systems[J]. Knowledge-Based Systems, 2016, 100: 74–88.
[5] Zhang F, Zhou Q. HHT–SVM: An Online Method for Detecting Profile Injection Attacks in Collaborative Recommender Systems[J]. Knowledge-Based Systems, 2014, 65: 96–105.
[6] Zhang S, Yin H, Chen T，et al. GCN-Based User Representation Learning for Unifying Robust Recommendation and Fraudster Detection[C]//Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval. New York: ACM, 2020: 689–698.
[7] Wang S, Ding L, Zhan Y, et al. Fuzzy-Assisted Contrastive Decoding Improving Code Generation of Large Language Models[J]. IEEE Transactions on Fuzzy Systems, 2025, 33(8): 2689-2703.
[8] Li J T, Liu Y Q, Fan W Q, et al. Empowering Molecule Discovery for Molecule-Caption Translation with Large Language Models: A ChatGPT Perspective [EB/OL]. (2024-04-22)/[2025-04-22]. https://doi.org/10.48550/arXiv.2306.06615
[9] Zhao Z H, Fan W Q, Li J T, et al. Recommender Systems in the Era of Large Language Models (LLMs)[J]. IEEE Transactions on Knowledge and Data Engineering (IEEE TKDE), 2024, 36(11): 6889-6907.
[10] Hu Y, Xia L, Qin Y, et al. Learning Vector-Quantized Item Representation for Transferable Sequential Recommenders[C]//Proceedings of the ACM Web Conference 2023. New York: ACM, 2023.
[11] He R, Fang C, Wang Z, et al. Vista: A Visually, Socially, and Temporally-aware Model for Artistic Recommendation[C]//Proceedings of the 10th ACM Conference on Recommender Systems. New York: ACM, 2016: 309–316.
[12] He R, McAuley J. Fusing Similarity Models with Markov Chains for Sparse Sequential Recommendation[C]//Proceedings of the 16th International Conference on Data Mining. New York: IEEE, 2016: 191–200.
[13] Beutel A, Covington P, Jain S, et al. Latent Cross: Making Use of Context in Recurrent Recommender Systems[C]//Proceedings of the 11th ACM International Conference on Web Search and Data Mining. New York: ACM, 2018: 46–54.
[14] Hidasi B, Karatzoglou A, Baltrunas L, et al. Session-based Recommendations with Recurrent Neural Networks [EB/OL]. (2016-03-29)/[2025-04-22]. https://doi.org/10.48550/arXiv.1511.06939.
[15] Tang J, Wang K. Personalized Top-n Sequential Recommendation via Convolutional Sequence Embedding[C]//Proceedings of the 11th ACM International Conference on Web Search and Data Mining. New York: ACM, 2018: 565–573.
[16] Vaswani A, Shazeer N, Parmar N, et al. Attention Is All You Need[C]//Advances in Neural Information Processing Systems 30. Red Hook, NY: Curran Associates, Inc., 2017.
[17] Kang W C, McAuley J. Self-Attentive Sequential Recommendation[C]//Proceedings of the 18th International Conference on Data Mining. New York: IEEE, 2018.
[18] Sun F, Liu J, Wu J, et al. BERT4Rec: Sequential Recommendation with Bidirectional Encoder Representations from Transformer[C]//Proceedings of the 28th ACM International Conference on Information and Knowledge Management. New York: ACM, 2019: 1441–1450.
[19] Zhang Z, Huang Z, Hu Z, et al. MLPST: MLP is All You Need for Spatio-Temporal Prediction[C]//Proceedings of the 32nd ACM International Conference on Information and Knowledge Management. New York: ACM, 2023: 3381–3390.
[20] Si Z, Han X, Zhang X, et al. A Model-Agnostic Causal Learning Framework for Recommendation using Search Data[C]//Proceedings of the ACM Web Conference 2022. New York: ACM, 2022.
[21] Chen Y, Liu Z, Li J, et al. Intent Contrastive Learning for Sequential Recommendation[C]//Proceedings of the ACM Web Conference 2022. New York: ACM, 2022: 2172–2182.
[22] Xu X, Xia L, Hu Y, et al. Contrastive Learning for Sequential Recommendation[C]//Proceedings of the 38th International Conference on Data Engineering. New York: IEEE, 2022.
[23] 姜妍，张立国.面向深度学习模型的对抗攻击与防御方法综述［J］.计算机工程，2021，47（1）：1-11. JIANG Yan, ZHANG Liguo. A Survey on Adversarial Attacks and Defense Methods for Deep Learning Models [J]. Computer Engineering, 2021, 47(1): 1-11.
[24] He X, He Z, Du X, et al. Adversarial Personalized Ranking for Recommendation[C]//The 41st International ACM SIGIR Conference on Research and Development in Information Retrieval. New York: ACM, 2018: 355–364.
[25] Chuang C, Huang P, Huang S. A Novel Approach to Filter Out Malicious Rating Profiles from Recommender Systems[J]. Decision Support Systems, 2013, 55(1): 314–325.
[26] Zhang J, Liu Y, Liu Q, et al. Stealthy Attack on Large Language Model based Recommendation[C]//Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (ACL 2024). Bangkok: ACL, 2024: 5839–5857.
[27] Wang C, Wang Y, Cai Y, et al. Tricking Retrievers with Influential Tokens: An Efficient Black-Box Corpus Poisoning Attack [EB/OL]. (2025-03-27)/[2025-05-24]. https://doi.org/10.48550/arXiv.2503.21315.
[28] Li J, Wang M, Li J. Text Is All You Need: Learning Language Representations for Sequential Recommendation[C]//Proceedings of the ACM SIG KDD Conference on Knowledge Discovery and Data Mining (KDD 2023). New York: ACM, 2023.
[29] Lyu Z, Yuan L, Chen Y, et al. RePAR: A Black-Box Defense against Adversarial Text Sequence[C]//Proceedings of the 2023 Conference on Empirical Methods
in Natural Language Processing. Singapore: Association for Computational Linguistics, 2023: 8033–8047. [30] Kumar A, Agarwal C, Lakkaraju H. Certifying the Robustness of Large Language Models to Adversarial Word Substitutions[EB/OL]. (2024-02-14)/[2025-09-28]. https://doi.org/10.48550/arXiv.2402.09144.
[31] Ding H, Ma Y, Deoras A, et al. Zero-Shot Recommender Systems [EB/OL]. (2021-10-12)/[ 2025-5-22]. https://doi.org/10.48550/arXiv.2105.08318.

Please choose a citation manager

Content to export