Influence-Driven Data Poisoning for Robust Recommender Systems

Chenwang Wu, Defu Lian, Yong Ge, Zhihao Zhu, Enhong Chen

Research output: Contribution to journalArticlepeer-review

3 Scopus citations


Recent studies have shown that recommender systems are vulnerable, and it is easy for attackers to inject well-designed malicious profiles into the system, resulting in biased recommendations. We cannot deprive these data's injection right and deny their existence's rationality, making it imperative to study recommendation robustness. Despite impressive emerging work, threat assessment of the bi-level poisoning problem and the imperceptibility of poisoning users remain key challenges to be solved. To this end, we propose Infmix, an efficient poisoning attack strategy. Specifically, Infmix consists of an influence-based threat estimator and a user generator, Usermix. First, the influence-based estimator can efficiently evaluate the user's harm to the recommender system without retraining, which is challenging for existing attacks. Second, Usermix, a distribution-agnostic generator, can generate unnoticeable fake data even with a few known users. Under the guidance of the threat estimator, Infmix can select the users with large attacking impacts from the quasi-real candidates generated by Usermix. Extensive experiments demonstrate Infmix's superiority by attacking six recommendation systems with four real datasets. Additionally, we propose a novel defense strategy, adversarial poisoning training (APT). It mimics the poisoning process by injecting fake users (ERM users) committed to minimizing empirical risk to build a robust system. Similar to Infmix, we also utilize the influence function to solve the bi-level optimization challenge of generating ERM users. Although the idea of 'fighting fire with fire' in APT seems counterintuitive, we prove its effectiveness in improving recommendation robustness through theoretical analysis and empirical experiments.

Original languageEnglish (US)
Pages (from-to)11915-11931
Number of pages17
JournalIEEE Transactions on Pattern Analysis and Machine Intelligence
Issue number10
StatePublished - Oct 1 2023
Externally publishedYes


  • Adversarial training
  • poisoning attacks
  • recommender systems

ASJC Scopus subject areas

  • Software
  • Artificial Intelligence
  • Applied Mathematics
  • Computer Vision and Pattern Recognition
  • Computational Theory and Mathematics


Dive into the research topics of 'Influence-Driven Data Poisoning for Robust Recommender Systems'. Together they form a unique fingerprint.

Cite this