temporal defenses for robust recommendations

Post on 07-Jul-2015

DESCRIPTION

Presentation at PSDML Workshop (ECML/PKDD 2010), Barcelona Sept 24 2010

TRANSCRIPT

temporal defenses for robust recommendations

neal lathia, s. hailes, l. capra

PSDML @ ECML/PKDD, Sept 24 2010

email: n.lathia@cs.ucl.ac.uk

twitter: @neal_lathia

http://www.cs.ucl.ac.uk/staff/n.lathia

what are recommender systems?

● web portals that (try to) connect you with the content (movies, music, books,...) that interests you

● many, many examples (netflix, last.fm, love film, amazon)

how do they work?

● collaborative filtering: reasoning on the user-item rating matrix; many techniques available (kNN, SVD)

● ranking based on predicted interest

[figure: user-item rating matrix, users u1–u5 by items i1–i5, star ratings with one unknown entry (?) to be predicted]

wisdom of the (anonymous) crowds

● “based on the premise that people looking for information should be able to make use of what others have already found and evaluated”

+ you don't have to know who rated what to receive recommendations

– who are they? are they rating honestly? are they human?

...a sybil attack...shilling attack, profile injection attack

...when an attacker tries to subvert the system by creating a large number of sybils—pseudonymous identities—in order to gain a disproportionate amount of influence...

incentive to attack?

attacks?

● random: inject noise

● targeted: structured attack

structured attacks: how?

target: item that attacker wants promoted/demoted

selected: similar items, to deceive the algorithm

filler: other items, to deceive humans

how can we defend recommender systems?

prior work: static classification

[figure: user-item matrix (u1–u5 by i1–i5) with users labelled honest or sybil]

problems with static classification

[figure: user-item matrix (u1–u5 by i1–i5) with users labelled honest or sybil]

when to run classifier?

when is system under attack?

when are sybils damaging recommendations?

proposal: temporal defenses

1. force sybils to draw out their attack

2. learn normal temporal behaviour

3. monitor & detect a wide range of attacks

~ and then ~

4. force sybils to attack more intelligently

1. distrusting newcomers

[plots: prediction shift over time]

1. force sybils to draw out their attack

how? distrust newcomers

sybils are forced to appear more than once

2. sybil group dynamics

single sybil = not an effective attack

sybils need to collude: how?

2. examine sybil group dynamics

how many sybils are there?

how many ratings per sybil?

(few, many) (many, many)

(many, few) (few, few)

how does this affect data? (attack impact)

[figure axes: how many sybils are there? vs. how many ratings per sybil?]

how to detect these attacks? (monitor!)

[figure axes: how many sybils are there? vs. how many ratings per sybil?; labels: system-level, user-level, item-level]

overview of methodology

● monitor: learn how data changes over time

● what data to look at?

● flag: anomalous changes due to attack

● when to flag?

● this work: simple anomaly-detection; flag when time series is > a variance-adjusted threshold above an exponentially weighted moving average
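The flagging rule in the last bullet, sketched as an added example (not the authors' code): a window is flagged when its value exceeds the exponentially weighted moving average by more than `k` exponentially weighted standard deviations. The parameter values (`alpha`, `k`, `warmup`), the `learn_from_flagged` switch and the sample series are assumptions made for illustration.

```python
import math

class EwmaMonitor:
    """One-sided detector: flag x when x > EWMA + k * exponentially weighted std."""

    def __init__(self, alpha=0.2, k=3.0, warmup=5, learn_from_flagged=False):
        self.alpha, self.k, self.warmup = alpha, k, warmup
        self.learn_from_flagged = learn_from_flagged
        self.mean, self.var, self.seen = None, 0.0, 0

    def threshold(self):
        return self.mean + self.k * math.sqrt(self.var)

    def update(self, x):
        """Feed one window's value; return True if it is flagged as anomalous."""
        self.seen += 1
        if self.mean is None:  # first observation seeds the baseline
            self.mean = float(x)
            return False
        flagged = self.seen > self.warmup and x > self.threshold()
        # Assumption: by default flagged windows are kept out of the baseline,
        # so attack traffic cannot raise the mean and variance it is judged by.
        if not flagged or self.learn_from_flagged:
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return flagged


def flag_windows(series, **params):
    """Return the indices of the windows the monitor flags."""
    monitor = EwmaMonitor(**params)
    return [t for t, x in enumerate(series) if monitor.update(x)]


# Constructed series: ratings per user per window; windows 12-14 simulate an injection.
SERIES = [4.1, 3.9, 4.3, 4.0, 4.2, 3.8, 4.1, 4.3, 4.0, 3.9, 4.2, 4.1,
          9.5, 11.0, 10.2, 4.0, 4.3]

if __name__ == "__main__":
    print("baseline frozen on flags:", flag_windows(SERIES))
    print("baseline learns from flags:", flag_windows(SERIES, learn_from_flagged=True))
```

With `learn_from_flagged=True` only the first attack window is flagged: the spike inflates the running variance, which lifts the threshold above the windows that follow.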

a) system-level

how to evaluate our simple technique?

● a) simulation

● simulate stream of “average user ratings”

● play with mean/variance of time series

● measure precision/recall

● b) real data + injected attacks

● measure attack impact

evaluation

● a) simulation

evaluation

● a) real data – before

evaluation

● a) real data – after

b) user-level

● similar approach; look at different data:

● how many high volume raters?

● how much do high-volume raters rate?

evaluation

● a) real data – before

evaluation

where we stand

c) item-level: slightly different context

1. the item is rated by many users

define many? using how other items were rated

2. the item is rated with extreme ratings

define extreme? what is avg item mean?

3. (from a + b) the item mean rating shifts

nuke or promote?

flag: if all three conditions broken. Why?

1 → popular item. 2 → few extreme ratings. 3 → cold start item

1 + 2 but not 3 → attack doesn't change anything

evaluation

future work: how to defeat these defenses?

contributions

1. force sybils to draw out their attack

2. learn normal temporal behaviour

3. monitor & detect a wide range of attacks

~ and then ~

4. force sybils to attack more intelligently
