Christian Paier Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr. techn. Martin Ebner Institute of Interactive Systems and Data Science Graz, August 2017


Christian Paier

Cheating in Recommender Systems
Bachelor’s Thesis

submitted to
Graz University of Technology

Supervisor
Univ.-Doz. Dipl.-Ing Dr. techn. Martin Ebner

Institute of Interactive Systems and Data Science

Graz, August 2017


This document is set in Palatino, compiled with pdfLaTeX2e and Biber.

The LaTeX template from Karl Voit is based on KOMA script and can be found online: https://github.com/novoid/LaTeX-KOMA-template


Abstract

Recommender systems help users of online stores cope with the huge number of items on offer and find an article that might be of interest. Such systems are very common and important to e-commerce systems and therefore get a lot of attention from attackers.

The aim of this thesis is to show how a recommender system can be attacked and furthermore how such an attack can be mitigated. The first part gives a brief overview of the theory and algorithms behind user-based nearest neighbourhood recommendations and of how to attack and defend them.

The second part shows how to implement a recommender system based on this knowledge. That implementation delivers a web interface, so that a user can rate items and view predicted recommendations, and a recommendation engine which generates the predictions. Finally some attacks are executed in various setups to show the effectiveness of the attack but also of the mitigation technique.


Contents

Abstract

1 Introduction
    1.1 Overview

2 Collaborative Filtering
    2.1 History
    2.2 Preprocessing
    2.3 Prediction
        2.3.1 kNN
        2.3.2 Calculate the Predictions
    2.4 Validate Results
        2.4.1 Precision/Recall
    2.5 Problems
        2.5.1 Sparse data
        2.5.2 Curse of Dimensionality
        2.5.3 Cold start
        2.5.4 Privacy
    2.6 Security
        2.6.1 Attacks
        2.6.2 Countermeasurements

3 Implementation
    3.1 Overview
    3.2 Database
    3.3 User Interface
    3.4 Recommendation Engine
    3.5 Attack
    3.6 Experimental Setup and Results
        3.6.1 Detailed Evaluation Nuke Attack
        3.6.2 Detailed Evaluation Push Attack
        3.6.3 Detecting an Attacker

4 Discussion

Bibliography


List of Figures

2.1 kNN Simple Example
3.1 Database Structure
3.2 Movie Overview Page
3.3 Recommendation Page
3.4 Login Page
3.5 Similarity matrix — standard data
3.6 Similarity Matrix — attacked data (Push attack on movie #163056)
3.7 Average of Similarity (push attack on movie #163056)
3.8 Degree of Similarity (push attack on movie #163056)
3.9 Rating Deviation from Mean Agreement (push attack on movie #163056)
3.10 Standard Deviation (push attack on movie #163056)
3.11 Nuke attacks, variable #attacker
3.12 Push attacks, variable #attacker
3.13 Precision of detecting attacking profiles


1 Introduction

The World Wide Web has gone through a lot of development. While in the early days only static information was accessible via the web, a more interactive way of using the Internet is now common, where the web is used as a platform built upon user-generated content. This has been described by the term “Web 2.0”, a term coined by Tim O’Reilly in 2005 [39].

Nowadays the huge amount of both information and users, and the ubiquitous presence of the web, have made it necessary to filter and rank the information based on the user’s preferences. This is why recommender systems came up. Based on users' preferences or behaviour, such systems create predictions of what each user might like. Each user therefore gets an individual set of items, ordered by their likes and filtered so that items they will not like are not presented at all. This approach is often referred to as the personalized web, where nearly every aspect of the Internet is targeted towards an individual user.

Such an approach makes it easier for users to handle the so-called “Information Overload” [3], to find shoes or clothes they like on Amazon¹ or Zalando², to listen to music on Spotify³ or to stream a movie on Netflix⁴, just to mention a few companies that make use of recommender systems. However, this technology gets a lot of criticism due to the social impact such filtering might have. Especially since the US Presidential Election in 2016 the news has been flooded [2, 12, 22] with reports about echo chambers. There, these recommendation and filtering techniques might disturb a balanced and fair political discourse by only showing the part of the discussion the user already agrees with.

¹ https://amazon.com
² https://zalando.com
³ https://spotify.com
⁴ https://netflix.com


While the mentioned criticism might be a side effect solely of filtering and ranking, there is also the possibility that such a system is used to falsely recommend items. There is an (understandable) interest for a product owner to push the product among the first in a ranking or to lower the ranking position of a competitor’s product. As of today, there have not been too many public reports of real-world cheating in recommender systems; however, one example should be mentioned here:

In 2002 Amazon’s recommender placed a gay anal sex guide beside the book “Six Steps to Spiritual Revival” by the televangelist Pat Robertson in the “Customers who shopped for this item also shopped for these items” section [35]. This happened because users first visited the spiritual book and then the sex guide, which created a link between those two items. The reason why users did that might have been that Pat Robertson had previously blamed gay people for social problems [20] and compared them to satanism [40] many times.

1.1 Overview

A recommender system is a system that uses a set of items and explicitly or implicitly collected information about a user (ratings, location, etc.) to calculate an ordered set of items that a user might like.

While there are many different ways to generate recommendations, the main principles can be defined as follows [6, 18, 43]:

Collaborative Filtering: Generate recommendations by comparing and finding similar users or items.

Content-based: Analyze the content or metadata and recommend items whose content is similar to items the user has liked in the past.

Hybrid Recommender: A mixture of one or multiple techniques.

With collaborative filtering the predictions are generated solely by calculating the similarity of users. For an item a user has not rated yet, there might exist ratings from the individual set of similar users. Those ratings can be used as a basis for predicting whether the specific user likes or dislikes an item. The big advantage is that the system does not need any metadata about items or users. The main principle is that two users who agreed in the past might agree in the future. However, this assumption is not completely true, as users tend to change their own taste rather quickly. Nevertheless the accuracy of the predictions is quite good, as shown in chapter 2, where collaborative filtering is described in detail.

Content-based recommendations have one big disadvantage: knowledge about the items has to be present or automatically extracted, for example by using text-mining techniques. This means that for a book recommender that recommends similar books by genre, each book’s genre has to be present in the system. Xavier Amatriain, at that time engineering director at Netflix, stated that they used more than 40 people hand-tagging movies [50].

Hybrid recommenders combine multiple techniques into one prediction to get rid of problems or to improve performance. Multiple kinds of combination are possible; they are described in detail in [6]. For example, the predictions of all those techniques can be combined, each with a specific weight. Another idea is to switch the recommender that should be used depending on some parameters, or to generate a mixture within the ranking.

The following chapter describes collaborative filtering in more detail, gives insight into the various algorithms that can be used, and describes privacy and security issues and how to mitigate them. The goal is to understand and build a recommender system, to understand and implement how such a system can be attacked, and to mitigate that attack.


2 Collaborative Filtering

2.1 History

The term “Collaborative Filtering” was first mentioned in 1992 for the experimental mail system “Tapestry” [13]. To reflect whether a user has liked or disliked a certain mail, the system uses annotations for each mail and implicit feedback from the user (for example whether a certain user has replied to a document).

In 1994 the GroupLens¹ research group at the University of Minnesota developed a Usenet client [42] based on the ideas of Tapestry. The collaborative filtering was automated so that users do not have to set their own filters; instead the system automatically calculates a rating based on the user's own and other users’ history.

Initial research on this topic was already done in the very early days of the Internet. In the following years, especially during the dot-com boom, web companies grew, which increased the interest in recommenders. Some examples of those first big commercial recommenders are:

MovieLens²: followed the GroupLens project and was the first movie recommender. Its datasets³ are very commonly used in research.

Alexa⁴: offered a toolbar for browsers where a user got web pages recommended based on past browsing behaviour.⁵

Firefly: helped users find new music by using HOMR (Helpful Online Music Recommendation Service). In 1998 Microsoft bought Firefly [26] and shut it down in 1999 [32].

Amazon⁶: introduced item-based collaborative filtering in a patent from 1998 [17]. It is nowadays one of the most well-known websites that make heavy use of recommendation techniques.

¹ https://grouplens.org
² https://movielens.org
³ https://grouplens.org/datasets/movielens
⁴ https://alexa.com
⁵ A version of this toolbar is still available on http://www.alexa.com/toolbar

In 2006 Netflix started the Netflix Prize⁷, where they offered 1 million dollars for major improvements of their movie recommendation technique. To win the prize one had to predict movies 10% better than the algorithm that already existed at that time. In September 2009 Netflix announced [10] that “BellKor’s Pragmatic Chaos” had won the prize by mixing many different algorithms into one prediction [21, 25, 49]. This event had a major influence on the research and development of recommender systems and especially pushed collaborative filtering techniques. Nowadays Netflix no longer uses the results from this competition directly. A detailed description of their current approach can be found in [14].

The next sections describe the algorithms and concepts that form the basis for a recommender. Many techniques known from data mining and machine learning are covered: first the users’ data are preprocessed, for example to remove bias, then processed by using a classification algorithm, and finally the result of the processing is evaluated to improve accuracy.

2.2 Preprocessing

A prediction is based on users’ data gathered by collecting either explicit or implicit feedback [33]. A like/dislike rating⁸ or a five-star rating⁹ is very common and can be seen all over the Internet. This has the disadvantage that giving such feedback takes effort from users, therefore such a feature is not used often. Implicit data, on the other hand, are collected by evaluating the user’s behaviour. A movie that has been watched almost completely would be assumed to be liked more than a movie that was switched off after a few minutes. Implicitly and explicitly collected data are then represented in a user-ratings matrix, where rows represent the complete set of ratings from one specific user, and columns the set of ratings for one movie. Equation 2.1 shows an example of such a matrix, with a zero value where the movie was not rated by the user.

⁶ https://amazon.com
⁷ http://netflixprize.com
⁸ like on https://netflix.com
⁹ like on https://amazon.com

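$$
\begin{pmatrix}
3 & 1 & 2 & 3 & \cdots & 3 \\
4 & 0 & 4 & 3 & \cdots & 5 \\
3 & 3 & 0 & 5 & \cdots & 4 \\
\vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
1 & 5 & 5 & 2 & \cdots & 1
\end{pmatrix}
\tag{2.1}
$$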

These data have to be preprocessed as they tend to be biased, which is often referred to as noise. In [37] two classes of noise are defined: Natural Noise and Malicious Noise. Malicious noise is a bias inserted into the recommender on purpose by an attacker who wants to change the outcome of a recommender. Section 2.6 describes such attacks and how to mitigate them. Natural noise is inserted directly by a user, especially when using explicit feedback, because different users might have different rating patterns.

Such a bias has to be removed from the ratings as it changes the outcome of the recommender. There are various solutions to overcome this bias, e.g. [44, 52].

Instead of removing bias in the preprocessing, it could be prevented by using a different user interface, for example a simple like/dislike instead of a five-star rating [1].

Additionally, the dimensions of the user-rating matrix might be reduced in preprocessing to lower the computation time and to overcome the curse of dimensionality (see subsection 2.5.2). This is done by using Principal Component Analysis (PCA, see [19]) or Singular Value Decomposition (SVD, see [46]).


2.3 Prediction

There are two main approaches used in recommender systems. In the neighbourhood-based approach the system tries to determine users with similar taste by using the nearest-neighbour classifier. The ratings are held in memory¹⁰ and directly used for calculating predictions. The model-based approach is a collection of various advanced methods where a model is trained with the data and then used separately for the predictions. This thesis will focus on the neighbourhood-based methods as they are very common and deliver good results.

2.3.1 kNN

The main principle of a neighbourhood-based recommender system is to find similar users and to recommend items to a user based on the taste of the other similar users. This approach is called user-based nearest neighbourhood, as the similarity between users is used. Using the k-nearest neighbour classifier is an obvious choice as it directly models the basic idea of finding a group with a similar pattern. Another very similar idea, introduced by Amazon [17], is to find similar items instead of users. This is called item-based nearest neighbourhood. The advantage is that items do not change their similarity to each other the way users do, who might change their taste rather quickly.

In Figure 2.1 an example for only two movies and nine users is given. Assume two types of users, ⋆ and ◦. There the kNN classifier would determine all the ◦-users to be neighbours of the ⋆-user for k = 3, based on their ratings for Movie1 and Movie2, because they obviously rated both movies similarly to the ⋆-user. Including other movies would add further dimensions to this calculation.

A drawback of kNN is that the complete user-rating matrix has to be kept in memory, and therefore the amount of memory used is quite high. However, this approach is rather simple to implement and generates quite accurate predictions.

¹⁰ therefore often referred to as memory-based


Figure 2.1: kNN Simple Example

The quality of the prediction clearly depends on the number of neighbours taken into account. Therefore it is important to choose a “good” value for k. A low k might lead to overfitting, where the generated predictions are very good for the test set, but bad for the training set. A high value increases the runtime of the algorithm.

When using a nearest neighbour approach one first has to decide on a similarity measure in order to create a similarity matrix between each pair of users. There are many different ways of calculating the similarity between two users, but, as [24] states, the choice of a similarity measure does not influence the predictions significantly.

Pearson Correlation

The Pearson correlation was first used for recommender systems in 1994 [42] and is still popular because it is simple to implement and the predictions are accurate. Equation 2.2 shows how similarity can be calculated by dividing the covariance of the two rating vectors by the product of the two vectors’ standard deviations.


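$$
\mathrm{sim}(a, b) = \frac{\mathrm{cov}(a, b)}{\sigma_a \times \sigma_b}
= \frac{\sum_i (a_i - \bar{a})(b_i - \bar{b})}{\sqrt{\sum_i (a_i - \bar{a})^2}\,\sqrt{\sum_i (b_i - \bar{b})^2}}
\tag{2.2}
$$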

Here $a$, $b$ are the ratings of those items that both users rated, $a_i$, $b_i$ each represent one rating from them, and $\bar{a}$, $\bar{b}$ denote the averages of the ratings of the respective vectors.

Significance Weighting

[15] proposes to decrease the similarity values between two users based on the number of common items. There the predictions are improved by multiplying the similarity with a weight of n/50, where n is the number of commonly rated items. This lowers the impact of a neighbour on a user if their set of common items is small, but does not have any impact if there are more than 50 common items.

2.3.2 Calculate the Predictions

To predict a user’s rating of a movie in a neighbourhood-based recommender it is necessary to take the ratings of the chosen neighbours into account (see [43] chapter 4.2.1). Equation 2.3 shows an advanced way of doing this ([43] chapter 4.3.1.1).

$$
\hat{r}_{ui} = \bar{r}_u + \frac{\sum_{v \in N_i(u)} w_{uv} \cdot (r_{vi} - \bar{r}_v)}{\sum_{v \in N_i(u)} |w_{uv}|}
\tag{2.3}
$$

There the ratings $r$ from every neighbour $v$ of the user $u$ from the set $N(u)$ who has rated a certain item $i$ are summed up. As every user has a different mean, the ratings have to be normalized first, so in fact the mean $\bar{r}_v$ of each neighbour is subtracted from that neighbour's rating, and, as the neighbours might have different similarity to the given user, the result is multiplied with the similarity $w_{uv}$. Because this term might now be much larger than a valid rating (the similarities do not sum to 1), this value has to be divided by the sum of the similarities again. Finally the user’s bias $\bar{r}_u$ has to be added.
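The similarity, significance weighting and prediction steps of this section (Equations 2.2 and 2.3 with the weight n/50) as an added Python example; it is not code from the thesis. The ratings, user names and helper names (`pearson`, `weight`, `neighbours`, `predict`) are constructed for illustration, and only neighbours with a positive weight are used. It also shows why the weighting matters: a profile that shares just two items with the target has a Pearson similarity of +1 or -1 whenever it is defined, so without the weight it can rank as the best neighbour.

```python
import math

CUTOFF = 50  # number of common items from which a similarity counts fully (n/50)

# Constructed sample ratings (1-5 stars): user -> {item: rating}; absent = not rated.
RATINGS = {
    "u":    {"i1": 5, "i2": 4, "i3": 2, "i4": 1, "i5": 4, "i6": 2},
    "n1":   {"i1": 4, "i2": 5, "i3": 1, "i4": 2, "i5": 5, "i6": 1, "x": 2},
    "n2":   {"i1": 4, "i2": 4, "i3": 2, "i4": 1, "i5": 5, "i6": 2, "x": 2},
    "thin": {"i1": 5, "i3": 1, "x": 5},  # shares only two items with "u"
}


def mean(values):
    values = list(values)
    return sum(values) / len(values)


def pearson(a, b):
    """Equation 2.2 over the co-rated items; returns (similarity, n_common)."""
    common = sorted(set(a) & set(b))
    n = len(common)
    if n < 2:
        return 0.0, n
    mean_a = mean(a[i] for i in common)
    mean_b = mean(b[i] for i in common)
    cov = sum((a[i] - mean_a) * (b[i] - mean_b) for i in common)
    dev_a = sum((a[i] - mean_a) ** 2 for i in common)
    dev_b = sum((b[i] - mean_b) ** 2 for i in common)
    if dev_a == 0 or dev_b == 0:  # constant vector: correlation undefined
        return 0.0, n
    return cov / math.sqrt(dev_a * dev_b), n


def weight(ratings, u, v, significance):
    """Similarity w_uv, optionally scaled by min(n, 50) / 50."""
    sim, n = pearson(ratings[u], ratings[v])
    if significance:
        sim *= min(n, CUTOFF) / CUTOFF
    return sim


def neighbours(ratings, u, item, k, significance):
    """The k most similar users (positive weight only) who rated `item`."""
    candidates = [
        (weight(ratings, u, v, significance), v)
        for v in ratings
        if v != u and item in ratings[v]
    ]
    candidates = [c for c in candidates if c[0] > 0]
    candidates.sort(reverse=True)
    return candidates[:k]


def predict(ratings, u, item, k=2, significance=True):
    """Equation 2.3: mean-centred, similarity-weighted neighbour ratings."""
    base = mean(ratings[u].values())
    nbrs = neighbours(ratings, u, item, k, significance)
    denom = sum(abs(w) for w, _ in nbrs)
    if denom == 0:
        return base  # no usable neighbour: fall back to the user's mean
    num = sum(w * (ratings[v][item] - mean(ratings[v].values())) for w, v in nbrs)
    return base + num / denom


if __name__ == "__main__":
    for flag in (False, True):
        nbrs = [v for _, v in neighbours(RATINGS, "u", "x", 2, flag)]
        print(f"significance={flag}: neighbours={nbrs}, "
              f"prediction={predict(RATINGS, 'u', 'x', 2, flag):.2f}")
```

With k = 2 the unweighted prediction for item `x` is about 3.29 because `thin` is chosen as the nearest neighbour; with significance weighting it drops out of the neighbourhood and the prediction is about 2.14.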

2.4 Validate Results

The main task of a recommender is to suggest interesting items to users, therefore it is of high interest to create very accurate predictions. A simple mechanism to compare the results is needed. For classification approaches, where an individual rating is predicted, it is very common to compare the results of the predictions with the real ratings the user made beforehand. The complete set of data is divided into two sets: a training set and a test set. The test set is used for evaluating the results from the calculations done with the training set. There are multiple ways to compare the results; two possibilities are the mean absolute error and the root mean squared error (see [43] Chapter 8.3.2.1). In general, independent of the method that was used, the optimization goal for the recommender is to get an error that is as low as possible for the test set.

Equation 2.4 shows how the root mean squared error can be computed: a given rating $r_{ui}$, from a user $u$ and an item $i$, gets subtracted from the predicted rating $\hat{r}_{ui}$. This value gets squared and summed up, divided by the number of ratings, and finally the square root is computed.

$$
\mathrm{RMSE} = \sqrt{\frac{1}{n} \sum_{u,i \in N} (\hat{r}_{ui} - r_{ui})^2}
\tag{2.4}
$$

Alternatively the mean absolute error (Equation 2.5) can be used, as the calculation is nearly the same.

$$
\mathrm{MAE} = \sqrt{\frac{1}{n} \sum_{u,i \in N} |\hat{r}_{ui} - r_{ui}|}
\tag{2.5}
$$

The difference between them is that the RMSE increases a lot for a larger difference between rating and prediction.

2.4.1 Precision/Recall

When dealing not with ratings but with a binary classification (for example: an item was or was not suggested to the user), precision (Equation 2.6) and recall (Equation 2.7) are often used [16], [43] (Chapter 2.3.8).

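$$
\mathrm{Precision} = \frac{\text{relevant items}}{\text{items selected}} = \frac{tp}{tp + fp}
\tag{2.6}
$$

$$
\mathrm{Recall} = \frac{\text{relevant items}}{\text{total relevant items}} = \frac{tp}{tp + fn}
\tag{2.7}
$$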

With:

• tp (True Positive): the number of items that were correctly classified as belonging to a certain class

• tn (True Negative): the number of items that were correctly classified as not being part of a class

• fp (False Positives): the number of items that were incorrectly classified as belonging to the class

• fn (False Negatives): the number of items that were incorrectly classified as not being part of a class

Precision is the probability that a selected item is relevant, while recall is the probability that a relevant item will be selected.

The accuracy (Equation 2.8) combines both values into one measurement ([43] Chapter 2.3.8).

$$
\mathrm{Accuracy} = \frac{tp + tn}{tp + tn + fp + fn}
\tag{2.8}
$$


2.5 Problems

2.5.1 Sparse data

Collaborative filtering uses only the ratings that users gave to items; the lack of these ratings is called “data sparsity”. Looking at real-world examples one can see that there is a very big dataset of users and items but very few ratings. The Netflix dataset, as an example, has around 480,000 users and 18,000 items but only 100 million ratings [49]. This means that from the full set of 8.64 billion possible ratings less than 1% are present.

There are various ways to cope with sparse data: one could either calculate an average rating for an item or a user, or assign a default value [5], and use it for the empty values. Those values might have a significant influence; they might even lead to biased predictions [43].

Another solution is to implement a hybrid recommender and to fill the missing values with information coming from a different technique. In [47] such a hybrid recommender is shown. It combines collaborative filtering with the results from a content recommendation. This solution predicts unrated items by taking the average rating for a specific set of metadata.

Finally, getting rid of sparse data is possible by reducing the dimensions (see subsection 2.5.2), or by using alternative approaches like graph-based recommendation techniques, which are out of the scope of this document.

2.5.2 Curse of Dimensionality

The “Curse of Dimensionality”, first discussed in [4], describes the problematic effects of a matrix with a lot of data which becomes more sparse the larger it is, so that useful information might get lost.

Additionally, reducing the dimensions might be useful simply because it reduces the calculation time and memory needed for calculating the predictions.

There are mainly two solutions that should be used in the preprocessing to reduce the dimensions [43] (Chapter 2.2.3): Principal Component Analysis (PCA) or Singular Value Decomposition (SVD).

2.5.3 Cold start

When a new user is created, a prediction of recommended items is not possible, simply because there is no information about the taste of the user yet [47]. Therefore many platforms tend either to suggest items that are liked by the average of the users, or to ask the new user to rate a few items at the very beginning.

For a new item this procedure is a bit more complicated, because it could never be recommended. Here the system has to provide another way to suggest this specific item to the user, but in general the solutions already mentioned in subsection 2.5.1 work well.

2.5.4 Privacy

A recommender system is very often a web-based service, accessible via a web server which has to keep the raw data (for example the plain user ratings) in a database. As those data show some kind of user behaviour, they are very interesting for attackers. Users on the other hand often do not want to provide such personal information.

Therefore the feedback of a recommender system might provide reasons for a specific recommendation (for example: “You liked Item A”) but does not show any specific detailed information.

[41] uses random data perturbation to implement collaborative filtering that preserves the users’ privacy. For that, a random value is added to each rating before it is sent to the server. On the server the recommender calculates the predictions with the disguised values. This prediction is approximately the same as a prediction with the unchanged values. This is based on Equation 2.9, which states that the scalar product of two vectors¹¹ $A' \cdot B'$, where each value is perturbed by a uniformly distributed random variable ($v_i$, $r_i$), is approximately the same as the scalar product of the original two vectors.

¹¹ the ratings of two users

$$
A' \cdot B' = \sum_{i=1}^{n} (a_i b_i + a_i v_i + r_i b_i + r_i v_i) \approx \sum_{i=1}^{n} a_i b_i
\tag{2.9}
$$

The problem of this approach is that the quality of the predictions is lowered in exchange for privacy.
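Equation 2.9 can be checked numerically. The following added Python example (not from the thesis or from [41]) disguises two constructed rating vectors with uniform noise and compares the scalar products; the zero-mean noise range [-alpha, alpha], the helper names and the randomly generated sample ratings are assumptions made for illustration.

```python
import random


def disguise(ratings, alpha, rng):
    """Client side: add uniform noise from [-alpha, alpha] to every rating
    before it leaves the device (zero-mean range is an assumption)."""
    return [r + rng.uniform(-alpha, alpha) for r in ratings]


def dot(x, y):
    """Scalar product of two equally long vectors."""
    return sum(xi * yi for xi, yi in zip(x, y))


def relative_error(n, alpha, rng):
    """|A'.B' - A.B| / A.B for two constructed users with n co-rated items."""
    a = [rng.randint(1, 5) for _ in range(n)]  # constructed 1-5 star ratings
    b = [rng.randint(1, 5) for _ in range(n)]
    exact = dot(a, b)
    # Server side: only the disguised vectors are available.
    approx = dot(disguise(a, alpha, rng), disguise(b, alpha, rng))
    return abs(approx - exact) / exact


def mean_relative_error(n, alpha, trials=200, seed=2017):
    """Average relative error over several constructed user pairs."""
    rng = random.Random(seed)
    return sum(relative_error(n, alpha, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    # The cross terms a_i*v_i, r_i*b_i and r_i*v_i average out as n grows,
    # so the approximation improves with more co-rated items and degrades
    # with a wider noise range (more privacy, less accuracy).
    for n in (10, 100, 2000):
        for alpha in (1.0, 3.0):
            err = mean_relative_error(n, alpha)
            print(f"n={n:5d} alpha={alpha}: mean relative error {err:.2%}")
```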

As complete privacy can never be guaranteed, the recommendation system has to take care of the user ratings and make sure no attacker gets access to them. Having only the ratings for movies might lead to a disclosure of personal information. This threat exists even if those ratings are anonymized, as the next example will show.

In 2010 Netflix wanted to host a sequel of the very successful first edition of the Netflix Prize. However, the data from the first run were deanonymized [31] with a very high probability solely by evaluating public ratings and the time the ratings were given. Comparing these data with public data derived from IMDb¹² deanonymized 99% of users with only 8 ratings and a 14-day error between the ratings on Netflix and IMDb. As Netflix data are not publicly available, those data might contain private information that is not publicly accessible via IMDb. The paper concludes that it was therefore possible to derive personal information like political orientation, religious views or sexual preferences about users when putting the rated movies into context.

¹² https://imdb.com

Following a lawsuit by users who got deanonymized, Netflix decided to cancel the second run of the Netflix Prize [48].

2.6 Security

Security in recommender systems has two aspects. First, a web-based client-server model is very common for such systems, and therefore the server has to be protected from typical exploits that target web applications, like XSS, CSRF and SQL injection. Second, and this is the focus of this section, the system has to be protected from dishonest users who want to influence the calculation of the predictions in their favour.

In [38] attacks on recommender systems were discussed for the first time. Multiple scenarios are presented there: random attack, random product push/nuke attack and focused product push/nuke attack, which will be discussed among others in more depth in the following sections. One thing they all have in common is that they are based solely on inserting user ratings with multiple malicious user profiles¹³. [43], chapter 25.1, mentions that a site owner might increase the effort for attackers to create such profiles, but has to keep a balance so as not to annoy users who should still be encouraged to use the system. Special care has to be given to the correctness of the recommended items, because “people tend to conform with other opinions, even if those opinions may be incorrect” [23]. Using more than 1% of those attacking profiles is considered infeasible [11]; with 3% of fake profiles one can shift the ratings 1.5 points [18] in a five star rating, if the system is only based on user-based recommendations. Such an attack has a very high probability of getting detected. An item-based recommender is far more stable: 15% attacking profiles generate a shift of 0.15 points.

Before getting more into detail, push and nuke attacks have to be explained, as well as knowledge and efficiency.

Push/Nuke: [36] defines two attack types by their outcome. In a product push, an item is pushed to be recommended more often, for example to promote a product even if the recommender would not prefer it. In a product nuke, an item gets lower predictions and so gets removed from the rankings, for example to damage a rival. The algorithms described in subsection 2.6.1 are used for both types, but there are several algorithms that are very efficient at nuking a product. [43], chapter 25.3.3, describes those in more detail.

Knowledge: Depending on the amount of knowledge about the ratings or items that is needed to launch an attack, one can distinguish between low-knowledge attacks, basic attacks which are trivial but require a moderate amount of knowledge, and informed attacks which need a lot of knowledge ([43], chapter 25.3).

¹³ often referred to as shilling attack

Efficiency: Efficiency is defined by the costs [23] for that attack. Costs are determined by

• the amount of needed profiles and ratings,
• the difficulty of creating profiles and ratings,
• the required knowledge of the ratings, users, items or algorithms and
• other resources for planning or execution.

Of course the site owner wants the effort for an attacker to be as high as possible, and therefore countermeasures are discussed in subsection 2.6.2.

2.6.1 Attacks

Random and Average Attack

Random and average attacks [8, 23] are an example of basic attacks. For both attacks the targeted items are set to the maximum (in a push attack) or the minimum (in a nuke attack) rating.

For the random attack additional items (often referred to as filler items) are set to a random value drawn from a normal distribution N(µ, σ²), where µ is the mean and σ the standard deviation of the ratings in the system. Those values are often available directly from the system or might be observed rather easily. The filler items imitate common ratings in the system to get the attacker into the neighbourhood of a user.

The average attack [23] sets filler items to the average rating of each item. This data is easily collected because many recommenders already provide it. Here the idea is similar as before, but with a better imitation of a typical user for a specific item.

In general the average attack is far more effective than the random attack [7][29], especially because the amount of filler items that have to be rated can be reduced. However, the drawback of both attacks is the needed knowledge about the ratings in the system. Therefore the next section will be about algorithms that do not need it.

Bandwagon and Segment Attack

A bandwagon attack [30] is based on the Zipf's law distribution of popularity in consumer markets, where a small amount of items gets the most attention. An attacker tries to combine his target items with popular ones by giving them the maximum (push) or minimum (nuke) rating. The rest of the items might get rated similarly to the random attack. The results are nearly the same as with the average attack. An advantage over the already mentioned attacks is the low amount of needed knowledge.

Similarly, the segment attack [9] adds a set of common items, for example the same movie genre, to the attacker's target set. All those items are rated with a high rating for a push attack, or a low rating for a nuke attack. The rest of the items can be rated like in the random attack. This attack needs some knowledge about the items, as the attacked item should be of a rather similar type and popular; however, this information is gathered rather easily. The advantage is that there is no need to know the system or ratings at all, and that the algorithm is effective against item-based recommenders as well.

Probe Attack

The probe attack [36] is an example of an informed attack, where a lot of knowledge of the items and the ratings is needed. With this attack an attacker creates user profiles and rates a small number of items. The rating distribution for the items is determined solely by looking at the recommender's feedback. Then, based on the known distribution, attacking profiles are generated with a very high similarity to other users, with the exception of the target items that are either pushed or nuked.

2.6.2 Countermeasures

The execution of the attacks is based solely on inserting attacking user profiles. Therefore it is of urgent interest to avoid having those profiles in the first place. This chapter will revolve around this and how a robust recommender could be built. A site owner has a high interest in keeping the cost of creating profiles high for the attackers, but has to avoid annoying the regular users. Therefore one important task is to keep the application free from typical security issues like XSS¹⁴, CSRF¹⁵ or SQL injections¹⁶, because those might be an easy way of generating fake profiles. Needless to say, it is impossible to totally secure the system against user profile insertion attacks, therefore other ways of hardening the system are discussed.

Detecting and eliminating attackers

As an attack is executed by inserting multiple profiles, it is of urgent interest to detect and eliminate those profiles. [11] proposes a basic detection algorithm (Listing 2.1). It combines the output of several metrics, and if users have abnormal values on each one of the metrics they are considered to be an attacker.

Basically there are two types of metrics: MetricsHigh, where an attacker is spotted if he has a very high value, and MetricsLow, where a low value is suspicious.

    Given: MetricsHigh, MetricsLow
    Output: Set of Attackers

    foreach m in MetricsHigh and MetricsLow:
        foreach user u:
            compute m(u)

    foreach user u:
        if u has high values in MetricsHigh and
           u has low values in MetricsLow:
            then u is an attacker

Listing 2.1: Detecting Attackers [11]

¹⁴ Cross-site scripting: Inserting scripts on a web page, so that other users might execute them
¹⁵ Cross-site request forgery: execute commands, for example a HTTP POST request, without having the proper rights
¹⁶ Inserting code into a web page to generate a malicious SQL command

Several metrics are defined in [11, 51, 53], of which a selection is explained here:

Average Similarity: The average similarity of a user j is defined in Equation 2.10, where n is the amount of users and $w_{ij}$ is the similarity between users i and j.

$$\mathrm{AVGSIM}_j = \frac{\sum_{i=1}^{n} w_{ij}}{n} \tag{2.10}$$

Degree of Similarity with Top Neighbours: This metric is nearly the same as the average similarity, but only takes the top k neighbours into account (Equation 2.11).

$$\mathrm{DEGSIM}_j = \frac{\sum_{i=1}^{k} w_{ij}}{k} \tag{2.11}$$

Standard Deviation of Ratings: The standard deviation of a user j is shown in Equation 2.12. n is the amount of given ratings, $r_{ij}$ is one specific rating and $\bar{r}_j$ the average rating of user j.

$$\mathrm{STDDEV}_j = \sqrt{\frac{1}{n} \sum_{i=1}^{n} \left(r_{ij} - \bar{r}_j\right)^2} \tag{2.12}$$

RDMA: The rating deviation from mean agreement (Equation 2.13) of a user j measures, as [53] states, the deviation of agreement from other users on a set of items, combined with the inverse rating frequency for those. $r_{i,j}$ is one rating of user j while $\bar{r}_i$ is the average rating of item i. $NR_i$ is the total amount of ratings in the system for item i, and $N_j$ is the amount of ratings given by user j.

$$\mathrm{RDMA}_j = \frac{\sum_{i=0}^{N_j} \frac{|r_{i,j} - \bar{r}_i|}{NR_i}}{N_j} \tag{2.13}$$
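The detection scheme of Listing 2.1 combined with the four metrics above, as an added Python example that is not code from the thesis. All function names are hypothetical, the profiles are constructed sample data (40 regular users plus 4 profiles shaped like the average attack of section 2.6.1), and reading the thresholds named in section 3.6.3 (90% for both similarity metrics, 10% for RDMA, 50% for the standard deviation) as percentiles is an assumption.

```python
import math
import random


def pearson(a, b, weight=20):
    """Pearson correlation over co-rated items, damped by significance weighting
    (assumed form: min(common, weight) / weight)."""
    common = a.keys() & b.keys()
    if not common:
        return 0.0
    mean_a = sum(a.values()) / len(a)
    mean_b = sum(b.values()) / len(b)
    num = sum((a[i] - mean_a) * (b[i] - mean_b) for i in common)
    den = math.sqrt(sum((a[i] - mean_a) ** 2 for i in common)
                    * sum((b[i] - mean_b) ** 2 for i in common))
    if den == 0:
        return 0.0
    return num / den * min(len(common), weight) / weight


def metrics(profiles, k=5):
    """Return {user: (AVGSIM, DEGSIM, STDDEV, RDMA)} per Equations 2.10 to 2.13.
    Similarities are taken over the other users only (self-similarity left out)."""
    per_item = {}
    for ratings in profiles.values():
        for item, r in ratings.items():
            per_item.setdefault(item, []).append(r)
    item_mean = {i: sum(rs) / len(rs) for i, rs in per_item.items()}
    item_count = {i: len(rs) for i, rs in per_item.items()}
    result = {}
    for u, ratings in profiles.items():
        sims = sorted((pearson(ratings, profiles[v]) for v in profiles if v != u),
                      reverse=True)
        top = sims[:k]
        mean_u = sum(ratings.values()) / len(ratings)
        avgsim = sum(sims) / len(sims)
        degsim = sum(top) / len(top)
        stddev = math.sqrt(sum((r - mean_u) ** 2 for r in ratings.values()) / len(ratings))
        rdma = sum(abs(r - item_mean[i]) / item_count[i]
                   for i, r in ratings.items()) / len(ratings)
        result[u] = (avgsim, degsim, stddev, rdma)
    return result


def quantile(values, p):
    ordered = sorted(values)
    return ordered[int(p * (len(ordered) - 1))]


METRICS_HIGH = {0: 0.90, 1: 0.90}   # AVGSIM, DEGSIM: suspicious at or above the cut
METRICS_LOW = {3: 0.10, 2: 0.50}    # RDMA, STDDEV: suspicious at or below the cut


def detect_attackers(profiles, k=5):
    """Listing 2.1: a user is flagged only if abnormal on every metric."""
    m = metrics(profiles, k)
    flagged = set(profiles)
    for idx, p in METRICS_HIGH.items():
        cut = quantile([v[idx] for v in m.values()], p)
        flagged &= {u for u, v in m.items() if v[idx] >= cut}
    for idx, p in METRICS_LOW.items():
        cut = quantile([v[idx] for v in m.values()], p)
        flagged &= {u for u, v in m.items() if v[idx] <= cut}
    return flagged


def constructed_profiles(seed=7, n_items=100, n_regular=40, n_attackers=4,
                         n_filler=60, target=1):
    """Constructed sample data: item i has a base quality of 2, 3 or 4 and every
    regular user rates it within one star of that quality."""
    rng = random.Random(seed)
    profiles = {
        f"user{u}": {i: float(2 + i % 3 + rng.choice((-1, 0, 1))) for i in range(n_items)}
        for u in range(n_regular)
    }
    # item averages rounded to one decimal, as the thesis database stores ratings
    average = {i: round(sum(p[i] for p in profiles.values()) / n_regular, 1)
               for i in range(n_items)}
    candidates = [i for i in range(n_items) if i != target]
    for a in range(n_attackers):
        profile = {i: average[i] for i in rng.sample(candidates, n_filler)}
        profile[target] = 5.0            # pushed item
        profiles[f"attacker{a}"] = profile
    return profiles


if __name__ == "__main__":
    print(sorted(detect_attackers(constructed_profiles())))
```

Because the filler ratings sit exactly on the item averages, the inserted profiles correlate with almost every user while deviating from nobody, which is the combination of high similarity and low RDMA that the scheme looks for.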

Other Algorithms

Other countermeasures use other algorithms that are more robust than a simple kNN method. One main idea is to use a hybrid recommender that combines collaborative filtering and content recommendations. Besides that, combining a neighbourhood-based collaborative filtering with a model-based algorithm has been proven to work quite well [28].

Another way is to use item-based collaborative filtering, which is more robust to those attacks. [45] uses association rule mining, a technique very common in data mining, where a set of rules is used to determine which items are very likely to be consumed together. A recommender built that way is robust to average attacks, but not to segment attacks.

Trust Algorithms

[34] and [27] have introduced a recommender that is trust-aware, by using a mechanism to use trust instead of similarity. In such a system a user can state his trust within the interval [0, 1], where 0 denotes no and 1 full trust. With those values a trust network is built. By using a specific trust metric algorithm, a matrix with all those user-to-user trust values is built and combined with the similarity matrix from a standard collaborative filtering, which forms the basis for a new rating prediction.

3 Implementation

3.1 Overview

In chapter 2 the theory of recommender systems has been described. This chapter describes a possible implementation of a recommender system, including the already described user-based nearest neighbour algorithm (subsection 2.3.1), with the root mean squared error (Equation 2.4) as an evaluation technique. As attack the average attack is implemented (section 2.6.1), together with detecting attacking profiles to mitigate attacks. The goal is to show that a simple recommender that was built without considering such attacks can be easily compromised, but that such an attack might be prevented simply.

The cold start problem (subsection 2.5.3) is not considered, as the testing scenario, which is described in section 3.6, already includes data taken from the MovieLens project. To keep things simple, the recommender is not going to make use of crossfolding and does not split the data set into a training and test set, as described in section 2.2. This is not necessary here, as the aim is to show how such a recommender could be structured in a real-world scenario, where an already well-working algorithm is used. The amount of neighbours for the kNN algorithm, k, is the only parameter that we could optimize. This parameter will be fixed, as the main focus is to investigate the use and behaviour of attacks and mitigation techniques.

This recommender system consists of various parts: a web interface so that users can interact with the system, rate items and see their individual recommendations, and the recommendation engine itself, which takes the users' ratings and converts them into a set of predictions. Finally, a database is needed to store the ratings, predictions and other data like the movies' metadata.

Figure 3.1: Database Structure

3.2 Database

As a database system MySQL¹ is used, because it is a very common choice for web projects.

The database consists of four tables: movies, ratings, predictions, history. A visualization of these, their columns and their relations can be seen in Figure 3.1.

The movies table keeps the id, name and the genres of each movie. In the ratings table the ratings are stored by keeping userId, movieId, the rating and a timestamp of a rating. As userId and movieId combined are the primary key of the table, there can only be one such combination, and there is no possibility of storing the history of a user's ratings. The ratings are filled in by the users over the web interface. The predictions table consists of three columns: user, movie and the prediction. It gets filled by the recommendation engine.

¹ https://www.mysql.com

The history table is kept solely for testing; the error, timestamp, algorithm and validation algorithm are stored there.

3.3 User Interface

The interface for the recommender consists of two parts: a web frontend and, as a backend, an implementation of a REST API which provides only those routes that are used in the frontend.

Figure 3.2: Movie Overview Page

Figure 3.3: Recommendation Page

On the frontend side there are mainly two screens provided: an overview of movies and an overview of the recommendations. The overview of the movies can be seen in Figure 3.2, where the name and the id of the movie are shown together with a bar of stars, where the user can see an existing rating or click on it to rate the movie. The recommendation overview (Figure 3.3) looks nearly the same, but shows an additional rank in the very first column.

Figure 3.4: Login Page

As ratings and recommendations are private data, access to those pages should be restricted. Therefore a very basic login (Figure 3.4) is provided, where one can use the user id for both fields, login name and password, to gain access to the system.

The frontend is built with the JavaScript library React², which was developed by Facebook, and the library Ant Design³, which provides most of the used UI components.

The backend is written in the programming language Go⁴ with the HTTP framework gin⁵.

The communication between frontend and backend is done via simple JSON messages. Table 3.1 shows the routes that are implemented and what service they provide. The /login route is used for sending the login data to the server, and the frontend expects a JSON Web Token⁶, a secure standard for a login token, and the status “loggedin”. For the /movies and /rec routes no input data has to be provided and both should return the status “ok” and the list of movies. A movie from the list should contain the rank (the position where the movie should be displayed), the name and the id of the movie, as well as the rating the user gave, or zero if the movie was not rated at all. Listing 3.1 shows an example of such a movie list entry.

Route    HTTP  Expected Request                     Expected Response
/login   POST  {user: user, password: password}     {status: "loggedin", token: token}
/movies  GET   —                                    {status: "ok", movies: [...]}
/rate    PUT   {movie: movieid, rating: rating}     {status: "ok"}
/rec     GET   —                                    {status: "ok", recs: [...]}

Table 3.1: Implemented routes on the API

² https://facebook.github.io/react/
³ https://ant.design/
⁴ https://golang.org/
⁵ https://gin-gonic.github.io/gin/

The /rate route takes the movie id that should be rated and the rating as an input and plainly delivers the status “ok” on success.

    {rank: 1, id: 1, name: "Toy Story (1995)", rating: 4}

Listing 3.1: Movie Message

3.4 Recommendation Engine

The heart of the recommender is implemented in Python 3.6⁷. One challenge was to manually implement most of the algorithms without using a finished version, therefore only a few libraries are needed, mainly mysqlclient⁸ to be able to use the MySQL database, the pandas library⁹ to handle the raw data from the database, and numpy¹⁰ for better and faster matrix calculations.

⁶ https://jwt.io
⁷ https://python.org
⁸ https://github.com/PyMySQL/mysqlclient-python

The recommendation engine provides the prediction of ratings by the user-based nearest neighbour approach as it was described in subsection 2.3.1.

The entry point is the Recommender class, where the method recommend should be called. It takes two parameters: k to choose the amount of neighbours that should be taken into account for the prediction, and mitigate, which enables the mitigation algorithm.

To generate the predictions the following steps are executed:

1. Get the data from the database and build a user-ratings matrix.
2. Calculate the similarity matrix between the users.
3. For each user save the set of neighbours (according to the parameter k), the mean of ratings and the number of ratings that were given.
4. For each combination of user and movie a rating is predicted.
5. Calculate the error of the prediction.
6. Store the prediction in the database.

Getting the data: For getting the data a simple SQL query is sufficient. Those data should be converted to a user-rating matrix; however, data from relational database systems are structured in tabular form. Therefore, this structure has to be converted to a matrix by using the pandas library. Additionally, a map of user and movie ids to the corresponding matrix indices has to be created, as shown in Listing 3.2, as the matrix indices are strictly continuous and user or movie ids do not have to be.

    def getAttackData(self):
        # Only movies with more than one rating are considered
        query = ('SELECT userId, movieId, rating from ratings '
                 'GROUP BY movieId HAVING COUNT(1) > 1 '
                 'ORDER BY userId ASC, movieId ASC')
        self.connection.execute(query)
        data = self.connection.fetchall()

Listing 3.2: Convert tabular data to a matrix (data.py:114-118)

⁹ http://pandas.pydata.org/
¹⁰ http://numpy.org

Generate the similarity matrix: Calculating the Pearson correlation (see section 2.3.1) can be done faster by precalculating the normalized rating $(a_i - \bar{a})$ and the power of it, especially when using matrix operations with Python's numpy library. The implementation of this precalculation step is shown in Listing 3.3.

    arr = np.argsort(train_sim, axis=1)[:,::-1]
    return arr[:,1:max_neighbours+1]

Listing 3.3: Precalculate normalized ratings (neighbour.py:186-187)

Then, for each pair of users, the common ratings are determined and the divisor and dividend of the Pearson correlation are calculated as seen in Listing 3.4.

    if len(common_idx) == 0:
        sim[user1_index][user2_index] = 0.
        sim[user2_index][user1_index] = 0.
        continue

    div_part1 = ratings_norm[user1_index][common_idx]

Listing 3.4: Calculate pearson correlation (neighbour.py:201-207)

Finally the result of the division has to be calculated and multiplied with the significance weight, as described in section 2.3.1.

    divisor_part2 = np.sum(ratings_norm_pow[user2_index][common_idx])
    divisor = np.sqrt(divisor_part1) * np.sqrt(divisor_part2)

Listing 3.5: Significance Weighting / Pearson (neighbour.py:212-213)

Only the upper triangular matrix has to be calculated (because sim[i][j] = sim[j][i]).

Calculate the neighbourhood: For every user the neighbours are calculated based on the previously calculated similarity matrix, simply by extracting the users with the highest similarity. However, if the mitigation technique is activated, users with a similarity bigger than 0.90 are clustered together so that this set of users does not influence one individual too much.
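One possible reading of this mitigation step, as an added example (not the thesis's code, which is not shown for this step): users whose pairwise similarity exceeds 0.90 are merged into one cluster, and each cluster may contribute only one member to a neighbourhood. The function names and the similarity matrix are constructed for illustration.

```python
def cluster_similar_users(sim, threshold=0.90):
    """Group users transitively: every pair with similarity > threshold
    ends up in the same cluster (union-find over the upper triangle)."""
    parent = list(range(len(sim)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for i in range(len(sim)):
        for j in range(i + 1, len(sim)):
            if sim[i][j] > threshold:
                parent[find(j)] = find(i)
    return [find(u) for u in range(len(sim))]


def select_neighbours(sim, user, k, mitigate=False, threshold=0.90):
    """Return the k most similar users; with mitigation enabled, a cluster of
    near-identical profiles is represented by its most similar member only."""
    order = sorted((v for v in range(len(sim)) if v != user),
                   key=lambda v: sim[user][v], reverse=True)
    if not mitigate:
        return order[:k]
    cluster = cluster_similar_users(sim, threshold)
    chosen, seen = [], set()
    for v in order:
        if cluster[v] in seen:
            continue                        # this cluster already has a representative
        seen.add(cluster[v])
        chosen.append(v)
        if len(chosen) == k:
            break
    return chosen


# Constructed similarity matrix: users 0-2 are regular, users 3-5 are
# near-identical inserted profiles that are all moderately similar to user 0.
SIM = [
    [1.00, 0.50, 0.40, 0.60, 0.62, 0.61],
    [0.50, 1.00, 0.30, 0.55, 0.50, 0.52],
    [0.40, 0.30, 1.00, 0.45, 0.50, 0.48],
    [0.60, 0.55, 0.45, 1.00, 0.97, 0.96],
    [0.62, 0.50, 0.50, 0.97, 1.00, 0.98],
    [0.61, 0.52, 0.48, 0.96, 0.98, 1.00],
]

if __name__ == "__main__":
    print(select_neighbours(SIM, 0, 3))                 # neighbourhood taken over by the cluster
    print(select_neighbours(SIM, 0, 3, mitigate=True))  # cluster counted once
```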

Prediction: For every user the rating for every movie is predicted by using the algorithm described in subsection 2.3.2. To reduce computation time for the similarity, the neighbours' ratings and the mean of the user's ratings are calculated before calling the prediction function, as shown in Listing 3.6. As the full user-rating matrix is quite large, the amount of stored items to be recommended is restricted to ten, as this might be enough information for a single user.

        return sim

    def predict_single(user, u_mean, movie, neighbours):
        dividend = divisor = 0
        for (sim, ratings, mean) in neighbours:
            if ratings[movie] > 0:
                dividend += sim * (ratings[movie] - mean)
                divisor += abs(sim)

        if divisor == 0:
            return u_mean

Listing 3.6: Predict the ratings (neighbour.py:75-85)

Error: As already mentioned in section 2.4, the error of a recommender system is described by the difference between the original ratings and the predicted values. This implementation is based on the RMSE (Equation 2.4). Listing 3.7 shows a direct implementation of this equation.

    import math
    import numpy as np

    def rmse(prediction, ratings, maxuserid=670):
        # Root mean squared error over all entries that have an original rating
        s = s_sum = 0

        for (i, j), p in np.ndenumerate(prediction[:maxuserid, :]):
            r = ratings[i][j]
            if math.isnan(r):   # no original rating for this user/movie pair
                continue
            s += (p-r)**2
            s_sum += 1

        return math.sqrt(s/s_sum)

Listing 3.7: Calculate the RMSE (error.py:6-16)

Storing the prediction: Storing the prediction is again rather trivial; however, due to the huge amount of ratings the amount of predictions per user has to be restricted to one hundred.

3.5 Attack

As section 2.6.1 describes, the average attack needs the average rating for each item, as the common behaviour of a user should be simulated as much as possible.

A big difference to a real-world attack is that the framework uses the already implemented connection to the database. This should never be possible for an attacker, but is a simplification because the focus is on the algorithm to attack and defend the recommender, and in fact there is no big difference to a framework an attacker would use. The differences are described below in more detail.

The entry point is, similar to the recommender engine, the Recommender class, where the method attack should be used to launch the attack. The method takes three parameters: users, the percentage of new users that should be generated; target, the movie id that should be attacked; and type, the type of the attack, either “push” or “nuke”.

The implemented attack consists of various steps:

1. Evaluate how many users and movies should be generated
2. Get the average ratings
3. Rate movies for every user

Evaluate the amount of needed users and movies: In a real-world scenario an attacker would have to generate many profiles automatically, for example by using a scriptable JavaScript/Browser API like phantomjs¹¹. Here the only necessary step is to evaluate how many users should be generated, as the input provides a percentage of new users. Similarly, the amount of filler items is calculated, as can be seen in Listing 3.8.

    new_user_amount = math.ceil(current_user_amount/100.0 * users)
    #new_user_amount = users

Listing 3.8: Calculate the amount of needed users/movies (recommender.py:57-58)

¹¹ http://phantomjs.org

Get the average ratings: This implementation uses the already existing ratings from the database. In a real-world example the average rating can either be extracted from the recommender interface (as the rating is very often displayed there) or from another web page with a similar area¹². As the database restricts ratings to have only one decimal place, the average has to be rounded as well.

Rate movies: Similar as before, an attacker that rates a movie would use automatic procedures to rate movies in a web browser environment. Here this is simplified to directly inserting the ratings into the database. So for every new user that should be generated, first the filler movies are selected randomly and then their rating is set to the average. Finally the target movies are rated with either a value of 5.0 (for a push attack) or 0.5 (for a nuke attack). Listing 3.9 shows this procedure. The filler items to be rated are randomly selected from those movies that are more popular (strictly more than one rating). This increases the quality of the attack in two ways: randomly voting makes a profile less suspicious, and using more popular movies generates a more efficient attack.

    for i in range(1, new_user_amount+1):
        movie_idx = np.random.choice(current_movie_amount, new_movie_amount, replace=False)

        for movie in movie_idx:
            movie_id = movies[movie]
            if movie_id in target:
                continue

            self.data.store_rating(current_user_amount + i, movie_id, average[movie])

        for t in target:

Listing 3.9: Rate movies as an attacker (recommender.py:72-82)

¹² e.g. https://imdb.com for movies

3.6 Experimental Setup and Results

As basis data for testing and evaluating the implementation the latest MovieLens small dataset is used. It contains 100.004 ratings by 671 users and 9066 movies with a mean rating of ≈ 3.54. These data are imported from the CSV into the MySQL database.

All experiments are executed with k = 20 for the kNN classifier and a significance weight of 20. The attacks are launched with 5% filler items and 5% of generated profiles.

The similarity matrix between the users of the original dataset is shown in Figure 3.5; one example of the similarity matrix including the attackers is Figure 3.6. It is obvious that the attacking profiles can be spotted easily, especially as they tend to be rather similar to each other, as the yellow spot in the lower right corner shows.

Figure 3.5: Similarity matrix — standard data

Figure 3.6: Similarity Matrix — attacked data (Push attack on movie #163056)

For the push/nuke attacks a few example movies are selected, and it is evaluated how many recommendations they get and what their average prediction is. Then for each of the scenarios the attack is launched with and without mitigation. Each iteration is followed by an evaluation of the results by using the precision, recall and accuracy measurements and, furthermore, the amount of recommendations and the average predictions.

3.6.1 Detailed Evaluation Nuke Attack

In Table 3.2 a selection of three chosen movies with their average value and amount of ratings is given. In Table 3.3 the results for the recommendations before and after the attack and after mitigating an attack are given.

MovieId  Movie               Average  Amount of ratings
83318    The Goat            5.00     1
152081   Zootopia            4.00     9
122882   Mad Max: Fury Road  3.79     31

Table 3.2: Selected movies for the nuke attack

Scenario                    MovieId  Average prediction  Amount of predictions
Before an attack            83318    5.6756              88
Before an attack            152081   5.8127              1
Before an attack            122882   5.6789              28
After NUKE                  83318    5.6772              71
After NUKE                  152081   5.8128              1
After NUKE                  122882   5.6523              21
After NUKE with mitigation  83318    5.7155              88
After NUKE with mitigation  152081   5.8128              1
After NUKE with mitigation  122882   5.6834              29

Table 3.3: Results for the nuke attack, 5% attacking profiles, 5% filler items

The results show that a nuke attack has a visible impact on the items, especially if no countermeasures are implemented. In Table 3.4 the quality of the countermeasures is given with the precision, recall and accuracy metrics and the underlying true positive (TP), false positive (FP), true negative (TN) and false negative (FN) values. Here the results reflect the data from Table 3.3, as all attackers could be identified successfully and only one regular user has been falsely determined to be an attacker as well.

MovieId  TP  FP  TN   FN  Precision  Recall  Accuracy
83318    34  1   670  0   0.9714     1.0     0.9986
152081   34  1   670  0   0.9714     1.0     0.9986
122882   34  1   670  0   0.9714     1.0     0.9986

Table 3.4: Precision, recall and accuracy values for the push attack

3.6.2 Detailed Evaluation Push Attack

In Table 3.5 a selection of three chosen movies with their average value and amount of ratings is given. In Table 3.6 the results for the recommendations, before and after the attack and after mitigating an attack, are given.

MovieId  Movie                       Average   Amount of ratings
356      Forrest Gump                4.05425   354
272      The Madness of King George  4.000000  39
163056   Shin Godzilla               —         0

Table 3.5: Selected movies for the push attack

Scenario                    MovieId  Average prediction  Amount of predictions
Before an attack            356      —                   0
Before an attack            272      5.5092              1
Before an attack            163056   —                   0
After PUSH                  356      4.8626              13
After PUSH                  272      5.0486              51
After PUSH                  163056   5.2456              121
After PUSH with mitigation  356      —                   0
After PUSH with mitigation  272      5.5092              1
After PUSH with mitigation  163056   —                   0

Table 3.6: Results for the push attack

Contrary to the nuke attack, pushing a movie has a bigger impact on thepredictions as it can be seen in Table 3.6. Like before, Table 3.7 showsprecision, recall and accurracy metrics with their underlying data. Equallyto the nuke attack, those results show that the data from the attack andmitigation process are accurate, as all of the attackers have been identifiedsuccessfully and only one regular user has falsely been classified.

| MovieId | TP | FP | TN | FN | Precision | Recall | Accuracy |
|---|---|---|---|---|---|---|---|
| 356 | 34 | 1 | 670 | 0 | 0.9714 | 1.0 | 0.9986 |
| 272 | 34 | 1 | 670 | 0 | 0.9714 | 1.0 | 0.9986 |
| 163056 | 34 | 1 | 670 | 0 | 0.9714 | 1.0 | 0.9986 |

Table 3.7: Precision, recall and accuracy values for the push attack

3.6.3 Detecting an Attacker

To visualize how the mitigation mechanism classifies a user as an attacker or a regular user, Figure 3.7, Figure 3.8, Figure 3.10 and Figure 3.9 show the results of the implemented classification features for one of the executed attacks. There, blue dots represent regular users, red dots represent attackers, and a line represents the threshold for determining “abnormal” values: lower than 10% for rdma, more than 90% for average similarity and degree of similarity and lower than 50% for the standard deviation.

Similar to the plots of the similarity matrix (Figure 3.5, Figure 3.6), the attackers are easily noticeable.

Figure 3.7: Average of Similarity (push attack on movie #163056)

Figure 3.8: Degree of Similarity (push attack on movie #163056)

Figure 3.9: Rating Deviation from Mean Agreement (push attack on movie #163056)

Figure 3.10: Standard Deviation (push attack on movie #163056)


Various amounts of attacking profiles

In the previous sections all attacks were executed with 5% of additionally generated profiles. This rate is quite high, and it should not be possible to generate such a high amount on platforms with millions of users. Therefore an attacker has a high interest in reducing the amount of needed profiles. A provider of such a system, on the other hand, wants a mitigation technique that works as accurately as possible, so that even small amounts of attacking profiles are classified correctly.

Figure 3.12 shows the recommendations after push attacks and Figure 3.11 after nuke attacks on the same movies as before with 0.1% to 5% of attackers. This supports the intuitive assumption that more attacking profiles have more influence on the recommendations. Additionally, it can be seen that a push attack is far more effective when increasing the amount of attacking user profiles.

Figure 3.11: Nuke attacks, variable #attacker

Figure 3.12: Push attacks, variable #attacker

For an attacker there is a tradeoff to consider: generating more profiles increases the impact, but generating those might need a lot of effort.

The provider of a recommender system wants to detect even small amounts of attacking profiles. Therefore Figure 3.13 shows the precision of mitigating attacks with various amounts of attacking user profiles on one of the movies. In addition to the data used in the previous sections, the MovieLens 1M Dataset (footnote 13) was used, with 1.064.085 ratings by 6403 users on 3883 movies, to investigate the effect of the amount of attacking profiles on the mitigation.

Figure 3.13: Precision of detecting attacking profiles on a push attack for movie #163056

Interestingly, the mitigation technique delivered similar results for both datasets; therefore this procedure should not depend on the total amount of users in the system.

For both datasets the precision shows logarithmic growth until around 5%, where both reach 1.0. The recall of all these attacks was 1.0, which is quite remarkable. Recall behaves this way because an attacking profile was never falsely classified as a normal user, while the precision relates to normal users being falsely classified as attacking profiles, which happens quite often. In a scenario with low precision but high recall, most of the attacking profiles were detected (and eliminated) correctly, but the overall quality of the recommender was reduced because valid ratings were removed.

Footnote 13: https://grouplens.org/datasets/movielens/

Figure 3.7, Figure 3.8, Figure 3.9 and Figure 3.10 show why individual attacking profiles can be spotted easily: they are statistically very noticeable, especially in the degree of similarity and the rdma value. The lower amount of false positives with more attacking profiles is caused by the thresholds of the metrics: with a higher amount of attacking profiles it becomes less likely that another user will be hit by all of the metrics' thresholds.
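The relation between the share of attacking profiles and the precision described above can be reproduced with a small added example, which is not code from the thesis. It assumes that the percentages of Section 3.6.3 are percentile cut-offs over all profiles and that a profile is flagged only when it is abnormal on all four features; the feature values are constructed and all function names are hypothetical.

```python
# Added example with constructed data; not code or data from the thesis.
# Assumption: a feature is abnormal beyond a percentile cut-off over all profiles.
ABNORMAL = {              # feature: (percentile, side that counts as abnormal)
    "rdma": (10, "below"),
    "avg_sim": (90, "above"),
    "deg_sim": (90, "above"),
    "std": (50, "below"),
}

def percentile(values, p):
    """Nearest-rank percentile of a list of numbers (p in 1..100)."""
    ordered = sorted(values)
    rank = max(1, (p * len(ordered) + 99) // 100)   # integer ceil(p * n / 100)
    return ordered[rank - 1]

def flag_attackers(profiles):
    """Ids of the profiles that are abnormal on all four features."""
    flagged = set(profiles)
    for feature, (p, side) in ABNORMAL.items():
        cut = percentile([f[feature] for f in profiles.values()], p)
        if side == "below":
            flagged &= {u for u, f in profiles.items() if f[feature] < cut}
        else:
            flagged &= {u for u, f in profiles.items() if f[feature] > cut}
    return flagged

def evaluate(profiles, attackers):
    """Confusion counts (TP, FP, TN, FN) against the known attacker ids."""
    flagged = flag_attackers(profiles)
    tp = len(flagged & attackers)
    fp = len(flagged - attackers)
    fn = len(attackers - flagged)
    return tp, fp, len(profiles) - tp - fp - fn, fn

def metrics(tp, fp, tn, fn):
    """Precision, recall and accuracy from the confusion counts."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall, (tp + tn) / (tp + fp + tn + fn)

def sample_profiles(n_regular, n_attackers):
    """Constructed feature values (hypothetical, not computed from ratings)."""
    profiles = {}
    for i in range(n_regular):
        profiles[f"user{i}"] = {
            "rdma": 0.20 + 0.01 * i,
            # different ordering than the other features: only partly correlated
            "avg_sim": 0.30 - 0.005 * ((21 * i) % n_regular),
            "deg_sim": 0.60 - 0.01 * i,
            "std": 0.90 + 0.02 * i,
        }
    attackers = {f"attacker{j}" for j in range(n_attackers)}
    for name in attackers:      # injected profiles: identical and extreme everywhere
        profiles[name] = {"rdma": 0.01, "avg_sim": 0.80, "deg_sim": 0.95, "std": 0.30}
    return profiles, attackers

def sweep(n_regular=40, counts=(1, 2, 4)):
    """(attackers, precision, recall) for a growing number of injected profiles."""
    rows = []
    for count in counts:
        profiles, attackers = sample_profiles(n_regular, count)
        precision, recall, _ = metrics(*evaluate(profiles, attackers))
        rows.append((count, round(precision, 4), recall))
    return rows

if __name__ == "__main__":
    for count, precision, recall in sweep():
        print(f"{count} injected profiles: precision={precision} recall={recall}")
    print(metrics(34, 1, 670, 0))   # the confusion counts of Table 3.7
```

On this constructed sample the precision rises from 0.3333 to 1.0 as the injected profiles displace regular users from the 10% tails, while the recall stays at 1.0. The values illustrate the mechanism only and are not the thesis's measurements.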

For the provider of such a recommender system, mitigating attacks is clearly necessary: it is crucial to defend the recommender even from tiny attacks, as neighbourhood-based collaborative filtering without mitigation is prone even to simple attacks. Such a mitigation comes at the cost that users might not be satisfied with the quality of the recommendations.


4 Discussion

It is shown how neighbourhood-based collaborative filtering recommenders work and what advantages, disadvantages and dangers might come with them. Finally, a complete implementation of a recommender is given that not only provides users with recommended movies, but also tries to protect them from attackers. Two aspects are very prominent: how easily such an attack can be launched and how easily, on the other hand, it could be prevented.

For future work there is a lot to do: one might implement a different recommendation algorithm that is not neighbourhood based, such as SVD or neural networks, or try to combine the results with a content recommender to restrict the effect of an attacker even further. In terms of neighbourhood-based algorithms, one might investigate other similarity metrics or item-based recommendations, and their effect on attacking such a system.

Further research can be done on mitigation of other attacking methods, like a bandwagon or segmented attack.


Appendix

41

Page 48: Cheating in Recommender Systems - cpaier.com · Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr

Bibliography

[1] Gediminas Adomavicius et al. “De-biasing user preference ratingsin recommender systems.” In: CEUR Workshop Proceedings. Vol. 1253.CEUR-WS, 2014, pp. 2–9 (cit. on p. 6).

[2] Brian Barrett. Your Facebook echo chamber just got a whole lot louder.https://www.wired.com/2016/06/facebook-embraces-news-feed-echo-chamber. Accessed: 2017-07-19. June 2016 (cit.on p. 1).

[3] Jordi Mongay Batalla and Maria Ledzinska. “ON REDUCING THEDETRIMENTAL INFORMATION FLOOD IN THE USE OF INTER-NET.” In: Problems of Education in the 21st Century 28 (Apr. 2011). issn:1822-7864. url: http://journals.indexcopernicus.com/abstract.php?icid=939901 (cit. on p. 1).

[4] R.E. Bellman. Adaptive Control Processes: A Guided Tour. PrincetonLegacy Library. Princeton University Press, 1961. url: https://books.google.at/books?id=POAmAAAAMAAJ (cit. on p. 12).

[5] John S. Breese, David Heckerman, and Carl Kadie. “Empirical Anal-ysis of Predictive Algorithms for Collaborative Filtering.” In: Pro-ceedings of the Fourteenth Conference on Uncertainty in Artificial Intel-ligence. UAI’98. Madison, Wisconsin: Morgan Kaufmann PublishersInc., 1998, pp. 43–52. isbn: 1-55860-555-X. url: http://dl.acm.org/citation.cfm?id=2074094.2074100 (cit. on p. 12).

[6] Robin Burke. “Hybrid Recommender Systems: Survey and Experi-ments.” In: User Modeling and User-Adapted Interaction 12.4 (Nov. 2002),pp. 331–370. issn: 0924-1868. doi: 10.1023/A:1021240730564.url: http://dx.doi.org/10.1023/A:1021240730564 (cit. onpp. 2, 3).

42

Page 49: Cheating in Recommender Systems - cpaier.com · Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr

Bibliography

[7] Robin Burke, Bamshad Mobasher, and Runa Bhaumik. “Limitedknowledge shilling attacks in collaborative filtering systems.” In:In Proceedings of the 3rd IJCAI Workshop in Intelligent Techniques forPersonalization. 2005 (cit. on p. 16).

[8] Robin Burke et al. “Identifying attack models for secure recommenda-tion.” In: Beyond Personalization 2005 (2005) (cit. on p. 16).

[9] Robin Burke et al. “Segment-Based Injection Attacks Against Collab-orative Filtering Recommender Systems.” In: Proceedings of the FifthIEEE International Conference on Data Mining. ICDM ’05. Washington,DC, USA: IEEE Computer Society, 2005, pp. 577–580. isbn: 0-7695-2278-5. doi: 10.1109/ICDM.2005.127. url: http://dx.doi.org/10.1109/ICDM.2005.127 (cit. on p. 17).

[10] Eliot van Buskirk. Bellkor’s pragmatic chaos wins 1 million Netflix prizeby mere minutes. https://www.wired.com/2009/09/bellkors-pragmatic-chaos-wins-1-million-netflix-prize/. Ac-cessed: 2017-07-19. Sept. 2009 (cit. on p. 5).

[11] Paul-Alexandru Chirita, Wolfgang Nejdl, and Cristian Zamfir. “Pre-venting Shilling Attacks in Online Recommender Systems.” In: Proceed-ings of the 7th Annual ACM International Workshop on Web Informationand Data Management. WIDM ’05. Bremen, Germany: ACM, 2005,pp. 67–74. isbn: 1-59593-194-5. doi: 10.1145/1097047.1097061.url: http://doi.acm.org/10.1145/1097047.1097061 (cit. onpp. 15, 18, 19).

[12] Anna Escher. How Facebook can escape the echo chamber. https://techcrunch.com/2016/11/13/how-facebook-can-escape-the-echo-chamber/. Accessed: 2017-07-19. Nov. 2016 (cit. on p. 1).

[13] David Goldberg et al. “Using Collaborative Filtering to Weave anInformation Tapestry.” In: Commun. ACM 35.12 (Dec. 1992), pp. 61–70. issn: 0001-0782. doi: 10.1145/138859.138867. url: http://doi.acm.org/10.1145/138859.138867 (cit. on p. 4).

[14] Carlos A. Gomez-Uribe and Neil Hunt. “The Netflix RecommenderSystem: Algorithms, Business Value, and Innovation.” In: ACM Trans.Manage. Inf. Syst. 6.4 (Dec. 2015), 13:1–13:19. issn: 2158-656X. doi: 10.1145/2843948. url: http://doi.acm.org/10.1145/2843948(cit. on p. 5).

43

Page 50: Cheating in Recommender Systems - cpaier.com · Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr

Bibliography

[15] Jonathan L. Herlocker et al. “An Algorithmic Framework for Perform-ing Collaborative Filtering.” In: SIGIR. 1999 (cit. on p. 9).

[16] Jonathan L. Herlocker et al. “Evaluating Collaborative Filtering Rec-ommender Systems.” In: ACM Trans. Inf. Syst. 22.1 (Jan. 2004), pp. 5–53. issn: 1046-8188. doi: 10.1145/963770.963772. url: http://doi.acm.org/10.1145/963770.963772 (cit. on p. 11).

[17] Eric A. Jacobi Jennifer A; Benson. “Use of electronic shopping cartsto generate personal recommendations.” Patent US 6317722 (US).Nov. 2001. url: https://www.lens.org/lens/patent/US_6317722_B1 (cit. on pp. 5, 7).

[18] Dietmar Jannach et al. Recommender Systems: An Introduction. 1st. NewYork, NY, USA: Cambridge University Press, 2010. isbn: 0521493366,9780521493369 (cit. on pp. 2, 15).

[19] Ian Jolliffe. Principal component analysis. Springer Verlag, 2002 (cit. onp. 6).

[20] Jemima Kiss. @ SXSWi: Is music recommendation broken? https://www.theguardian.com/media/pda/2009/mar/17/sxswi-recommendation-sites. Accessed: 2017-07-19. Mar. 2009 (cit. onp. 2).

[21] Yehuda Koren. The BellKor Solution to the Netflix Grand Prize. http://www.netflixprize.com/assets/GrandPrize2009_BPC_BellKor.pdf. Accessed: 2017-07-19. 2009 (cit. on p. 5).

[22] Patrick Kulp. Escape the echo chamber: How to fix your Facebook News Feed.https://mashable.com/2016/11/18/facebook-hacking-newsfeed-well-rounded/. Accessed: 2017-07-19. Nov. 2016 (cit.on p. 1).

[23] Shyong K. Lam and John Riedl. “Shilling Recommender Systemsfor Fun and Profit.” In: Proceedings of the 13th International Conferenceon World Wide Web. WWW ’04. New York, NY, USA: ACM, 2004,pp. 393–402. isbn: 1-58113-844-X. doi: 10.1145/988672.988726.url: http://doi.acm.org/10.1145/988672.988726 (cit. onpp. 15, 16).

44

Page 51: Cheating in Recommender Systems - cpaier.com · Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr

Bibliography

[24] Neal Lathia, Stephen Hailes, and Licia Capra. “The Effect of Correla-tion Coefficients on Communities of Recommenders.” In: Proceedingsof the 2008 ACM Symposium on Applied Computing. SAC ’08. Fortaleza,Ceara, Brazil: ACM, 2008, pp. 2000–2005. isbn: 978-1-59593-753-7. doi:10.1145/1363686.1364172. url: http://doi.acm.org/10.1145/1363686.1364172 (cit. on p. 8).

[25] M. Chabbert M. Piotte. The Pragmatic Theory solution to the Netflix GrandPrize. http://netflixprize.com/assets/GrandPrize2009_BPC_PragmaticTheory.pdf. Accessed: 2017-07-22. 2009 (cit. onp. 5).

[26] John Markoff. Microsoft Joins Debate Over On-Line Privacy by AcquiringFirefly. http://www.nytimes.com/1998/04/10/business/microsoft- joins- debate- over- on- line- privacy- by-acquiring-firefly.html. Accessed: 2017-07-19. Apr. 1998 (cit.on p. 5).

[27] Paolo Massa and Paolo Avesani. “Trust-aware Recommender Sys-tems.” In: Proceedings of the 2007 ACM Conference on RecommenderSystems. RecSys ’07. Minneapolis, MN, USA: ACM, 2007, pp. 17–24.isbn: 978-1-59593-730–8. doi: 10.1145/1297231.1297235. url:http://doi.acm.org/10.1145/1297231.1297235 (cit. onp. 20).

[28] Bamshad Mobasher, Robin Burke, and J. J. Sandvig. “Model-basedCollaborative Filtering As a Defense Against Profile Injection At-tacks.” In: Proceedings of the 21st National Conference on Artificial Intelli-gence - Volume 2. AAAI’06. Boston, Massachusetts: AAAI Press, 2006,pp. 1388–1393. isbn: 978-1-57735-281-5. url: http://dl.acm.org/citation.cfm?id=1597348.1597409 (cit. on p. 20).

[29] Bamshad Mobasher et al. “Attacks and Remedies in CollaborativeRecommendation.” In: IEEE Intelligent Systems 22.3 (May 2007), pp. 56–63. issn: 1541-1672. doi: 10.1109/MIS.2007.45. url: http://dx.doi.org/10.1109/MIS.2007.45 (cit. on p. 16).

[30] Bamshad Mobasher et al. “Toward Trustworthy Recommender Sys-tems: An Analysis of Attack Models and Algorithm Robustness.”In: ACM Trans. Internet Technol. 7.4 (Oct. 2007). issn: 1533-5399. doi:

45

Page 52: Cheating in Recommender Systems - cpaier.com · Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr

Bibliography

10.1145/1278366.1278372. url: http://doi.acm.org/10.1145/1278366.1278372 (cit. on p. 17).

[31] Arvind Narayanan and Vitaly Shmatikov. “How To Break Anonymityof the Netflix Prize Dataset.” In: CoRR abs/cs/0610105 (2006). url:http://arxiv.org/abs/cs/0610105 (cit. on p. 14).

[32] Chris Oakes. Firefly’s dim light snuffed out. https://www.wired.com/1999/08/fireflys- dim- light- snuffed- out/. Ac-cessed: 2017-07-07. Dec. 1999 (cit. on p. 5).

[33] Douglas Oard and Jinmook Kim. “Implicit Feedback for Recom-mender Systems.” In: in Proceedings of the AAAI Workshop on Rec-ommender Systems. 1998, pp. 81–83 (cit. on p. 5).

[34] John O’Donovan and Barry Smyth. “Trust in Recommender Systems.”In: Proceedings of the 10th International Conference on Intelligent UserInterfaces. IUI ’05. San Diego, California, USA: ACM, 2005, pp. 167–174. isbn: 1-58113-894-6. doi: 10.1145/1040830.1040870. url:http://doi.acm.org/10.1145/1040830.1040870 (cit. onp. 20).

[35] Stefanie Olsen. Amazon blushes over sex link gaffe. https://www.cnet.com/news/amazon-blushes-over-sex-link-gaffe/.Accessed: 2017-07-19. Dec. 2002 (cit. on p. 2).

[36] Michael P. O’Mahony, Neil J. Hurley, and Guenole C. M. Silvestre.“Recommender Systems: Attack Types and Strategies.” In: Proceed-ings of the 20th National Conference on Artificial Intelligence - Volume 1.AAAI’05. Pittsburgh, Pennsylvania: AAAI Press, 2005, pp. 334–339.isbn: 1-57735-236-x. url: http://dl.acm.org/citation.cfm?id=1619332.1619387 (cit. on pp. 15, 17).

[37] Michael P. O’Mahony, Neil J. Hurley, and Guenole C.M. Silvestre.“Detecting Noise in Recommender System Databases.” In: Proceedingsof the 11th International Conference on Intelligent User Interfaces. IUI ’06.Sydney, Australia: ACM, 2006, pp. 109–115. isbn: 1-59593-287-9. doi:10.1145/1111449.1111477. url: http://doi.acm.org/10.1145/1111449.1111477 (cit. on p. 6).

46

Page 53: Cheating in Recommender Systems - cpaier.com · Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr

Bibliography

[38] Michael P. O’Mahony, Neil Hurley, and Guenole C. M. Silvestre.“Promoting Recommendations: An Attack on Collaborative Filtering.”In: Proceedings of the 13th International Conference on Database and ExpertSystems Applications. DEXA ’02. London, UK, UK: Springer-Verlag,2002, pp. 494–503. isbn: 3-540-44126-3. url: http://dl.acm.org/citation.cfm?id=648315.756187 (cit. on p. 15).

[39] Tim O’Reilly. What is Web 2.0. http://www.oreilly.com/pub/a/web2/archive/what-is-web-20.html. Accessed: 2017-07-19.Sept. 2005 (cit. on p. 1).

[40] Andrew Orlowski. Sodomites overrun Amazon.com. https://www.theregister.co.uk/2002/12/07/sodomites_overrun_amazon_com. Accessed: 2017-07-19. Dec. 2002 (cit. on p. 2).

[41] Huseyin Polat and Wenliang Du. “Privacy-Preserving CollaborativeFiltering Using Randomized Perturbation Techniques.” In: Proceedingsof the Third IEEE International Conference on Data Mining. ICDM ’03.Washington, DC, USA: IEEE Computer Society, 2003, pp. 625–. isbn:0-7695-1978-4. url: http://dl.acm.org/citation.cfm?id=951949.952122 (cit. on p. 13).

[42] Paul Resnick et al. “GroupLens: An Open Architecture for Collabora-tive Filtering of Netnews.” In: Proceedings of the 1994 ACM Conferenceon Computer Supported Cooperative Work. CSCW ’94. Chapel Hill, NorthCarolina, USA: ACM, 1994, pp. 175–186. isbn: 0-89791-689-1. doi:10.1145/192844.192905. url: http://doi.acm.org/10.1145/192844.192905 (cit. on pp. 4, 8).

[43] Francesco Ricci et al. Recommender Systems Handbook. 1st. New York,NY, USA: Springer-Verlag New York, Inc., 2010. isbn: 0387858199,9780387858197 (cit. on pp. 2, 9–13, 15, 16).

[44] Alan Said et al. “Users and Noise: The Magic Barrier of RecommenderSystems.” In: User Modeling, Adaptation, and Personalization: 20th In-ternational Conference, UMAP 2012, Montreal, Canada, July 16-20, 2012.Proceedings. Ed. by Judith Masthoff et al. Berlin, Heidelberg: SpringerBerlin Heidelberg, 2012, pp. 237–248. isbn: 978-3-642-31454-4. doi:10.1007/978-3-642-31454-4_20. url: https://doi.org/10.1007/978-3-642-31454-4_20 (cit. on p. 6).

47

Page 54: Cheating in Recommender Systems - cpaier.com · Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr

Bibliography

[45] J. J. Sandvig, Bamshad Mobasher, and Robin Burke. “Robustness ofCollaborative Recommendation Based on Association Rule Mining.”In: Proceedings of the 2007 ACM Conference on Recommender Systems.RecSys ’07. Minneapolis, MN, USA: ACM, 2007, pp. 105–112. isbn:978-1-59593-730–8. doi: 10.1145/1297231.1297249. url: http://doi.acm.org/10.1145/1297231.1297249 (cit. on p. 20).

[46] B. M. Sarwar et al. “Application of Dimensionality Reduction inRecommender Systems: A case study.” In: WebKDD Workshop at theACM SIGKKD. 2000 (cit. on p. 6).

[47] Andrew I. Schein et al. “Methods and Metrics for Cold-start Rec-ommendations.” In: Proceedings of the 25th Annual International ACMSIGIR Conference on Research and Development in Information Retrieval.SIGIR ’02. Tampere, Finland: ACM, 2002, pp. 253–260. isbn: 1-58113-561-0. doi: 10.1145/564376.564421. url: http://doi.acm.org/10.1145/564376.564421 (cit. on pp. 12, 13).

[48] Ryan Singel. Netflix cancels recommendation contest after privacy law-suit. https://www.wired.com/2010/03/netflix-cancels-contest/. Accessed: 2017-07-19. Mar. 2010 (cit. on p. 14).

[49] Andreas Toscher, Michael Jahrer, and Robert M. Bell. The BigChaosSolution to the Netflix Grand Prize. http://www.netflixprize.com/assets/GrandPrize2009_BPC_BigChaos.pdf. Accessed:2017-07-19. 2009 (cit. on pp. 5, 12).

[50] Tom Vanderbilt. The science behind the Netflix algorithms that decidewhat you’ll watch next. http://www.wired.com/2013/08/qq_netflix- algorithm/. Accessed: 2017-07-19. Aug. 2013 (cit. onp. 3).

[51] Zhihai Yang. “Detecting Abnormal Profiles in Collaborative FilteringRecommender Systems.” In: CoRR abs/1506.05752 (2015). url: http://arxiv.org/abs/1506.05752 (cit. on p. 19).

[52] Raciel Yera Toledo, Yaile Caballero Mota, and Luis Martinez. “Cor-recting noisy ratings in collaborative recommender systems.” In: 76

(Mar. 2015) (cit. on p. 6).

48

Page 55: Cheating in Recommender Systems - cpaier.com · Cheating in Recommender Systems Bachelor’s Thesis submitted to Graz University of Technology Supervisor Univ.-Doz. Dipl.-Ing Dr

Bibliography

[53] W. Zhou et al. “Attack detection in recommender systems based ontarget item analysis.” In: 2014 International Joint Conference on NeuralNetworks (IJCNN). July 2014, pp. 332–339. doi: 10.1109/IJCNN.2014.6889419 (cit. on pp. 19, 20).

49