CN117668857A - Recommendation system security test method and system based on simulated data poisoning attack - Google Patents


Info

Publication number
CN117668857A
Authority
CN
China
Prior art keywords
user
matrix
gradient
recommendation system
attack
Legal status
Pending
Application number
CN202311675503.4A
Other languages
Chinese (zh)
Inventor
曹婍
伍云帆
沈华伟
陶舒畅
孙飞
程学旗
Current Assignee
Institute of Computing Technology of CAS
Original Assignee
Institute of Computing Technology of CAS
Abstract

The invention provides a recommendation system security test method and system based on a simulated data poisoning attack. The training of the surrogate recommendation system is accelerated by a gradient transfer technique, so that a more accurate surrogate model is obtained within a limited time. Because a more accurate surrogate model gives better optimization guidance, the accuracy of existing simulated attack samples is improved. Gradient transfer can be applied broadly to attack methods that rely on a surrogate system, which includes most existing simulated poisoning attacks on recommendation systems, and so provides a basis for subsequent development. At the same time, the method helps to find weaknesses of the recommendation system and provides hints for designing more reliable defense methods.

Description

Recommendation system security test method and system based on simulated data poisoning attack
Technical Field
The invention relates to the technical field of recommendation system security testing, in particular to the security testing and evaluation of recommendation systems.
Background
With the vigorous development of the internet, recommendation systems have become a key component of many network services: they provide users with personalized item or content recommendations according to the users' historical behavior. Collaborative-filtering-based recommendation is currently a research hotspot, with matrix factorization and deep-learning-based methods widely used. These methods typically adopt a two-tower structure of a user tower and an item tower, learn feature representations of users and items respectively, and finally compute the similarity between the two features as the prediction of the user's preference for the item.
However, recommendation systems also face various security threats, in particular data poisoning attacks. An attacker may inject a small number of carefully crafted fake users into the system so that certain target items are wrongly recommended to a large number of real users. Such attacks are also called simulated poisoning attacks or data poisoning attacks on recommendation systems. Therefore, the security of a recommendation system under a simulated poisoning attack must be considered at design time, and developers need to generate data that simulates a poisoning attack as training or test samples while designing the system. Subjecting the recommendation system to a test with simulated poisoning data, and training it on data in the simulated poisoning pattern, helps to expose its weaknesses, continuously raises its level of defense through training, and provides hints for designing more reliable defense methods.
Early simulated poisoning attacks relied on manually set heuristic rules, such as random attacks and bandwagon attacks. In recent years, optimization-guided simulated poisoning attack methods have matured; they can be divided into methods based on an attack model and methods not based on an attack model. Attack-model-based methods typically employ reinforcement learning models or generative adversarial networks (GAN) to generate the attack, while methods not based on an attack model directly use gradients or other prior information to optimize the injected users.
The attack-model-based methods learn a single attack model that generates the injected users, whereas the methods not based on an attack model optimize the injected users directly. A common challenge for both is that a surrogate recommendation system has to be retrained frequently in order to evaluate the effect of the current attack and drive further optimization. This results in extremely high computational cost and severely limits the efficiency of testing the security of the recommendation system.
Three typical existing simulated poisoning attack methods on recommendation systems that are not based on an attack model are presented below:
1) PGA attack: the paper "Data Poisoning Attacks on Factorization-Based Collaborative Filtering" from NeurIPS 2020 derives an analytical form of the gradient of the poisoned model's optimal parameters with respect to the fake injected users' behavior, for a rating-based recommendation system built on matrix factorization, and uses this gradient information together with projected gradient descent to generate the injected users.
2) RevAdv attack: the paper "Revisiting Adversarially Learned Injection Attacks Against Recommender Systems" from RecSys 2020 unrolls the training process of the poisoned model, records the intermediate parameters at each training step, and uses an automatic differentiation tool to compute gradients through that process.
3) DPA2DL attack: the paper "Data Poisoning Attacks to Deep Learning Based Recommender Systems" from RecSys 2021 trains a post-poisoning recommendation model directly with the attack loss function, and uses the predictions of this poisoned model to reverse-infer the behavior of the injected users, avoiding higher-order computations.
These three typical modern simulated poisoning attack methods share one point: they all rely on a surrogate recommendation system. Since all of them need a post-poisoning model to guide the optimization of the injected users, and an attacker can hardly obtain the parameters of the real recommendation system or control its training process, such guidance can only come from a local surrogate recommendation system.
The main problem in the prior art is that, when simulating an attack on a recommendation system, the surrogate system must be trained repeatedly many times, which is very time-consuming and severely limits the efficiency of testing and training the recommendation system. In detail:
(1) The surrogate system must imitate the real recommendation system as accurately as possible in order to evaluate the effect of the current simulated poisoning attack correctly and give correct feedback for generating or optimizing subsequent fake users. However, a single training run on a large-scale recommendation dataset is itself very time-consuming, often taking days or even weeks. As a result, an attacker needs a great deal of time to train a surrogate system that closely approximates the original one.
(2) Existing attack methods typically require multiple iterations to gradually optimize the fake users. Each round of optimization retrains the surrogate system on the training data injected with the current fake users, in order to evaluate their attack effect and drive the next round of optimization. The repeated training therefore happens frequently, and the whole attack process becomes extremely slow.
(3) Because of the high training cost, existing attack methods often use only simple surrogate systems under severe time limits. This reduces the practical effect of the final attack, since the behavior of the surrogate system deviates from that of the real system.
Disclosure of Invention
In view of the problem that the simulated poisoning attack methods for recommendation systems in the prior art are very time-consuming because of the repeated training of the surrogate system, the invention aims to provide a gradient transfer technique that significantly accelerates the training of the surrogate system. This speeds up the generation of the attack sample set used to test or update the recommendation system, improves the accuracy of testing the recommendation system, improves the efficiency of training it, and improves the security of the recommendation system after training.
Specifically, to address the defects of the prior art, the invention provides a recommendation system security testing method based on a simulated data poisoning attack, which comprises the following steps:
Step 1: according to the user-item interaction matrix, initialize the components required by the simulated attack generation method, including the user set U_r, the number of users n_r, the number of items m, the number of injected users n_f, the behavior budget τ, the target item i_t, and the model structure and loss function of the surrogate recommendation system;
Step 2: randomly initialize the interaction matrix of the injected users, such that the number of interactions of each injected user is at most the behavior budget τ;
Step 3: train the surrogate recommendation system;
Step 4: compute the attack gradient of the injected users from the output of the trained surrogate system;
Step 5: perform projected gradient descent according to the attack gradient and update the injected users' interaction matrix I_f;
Step 6: repeat steps 3 to 5 until the preset number of iteration rounds is reached;
Step 7: keep the current injected user behavior I_f as the simulated data poisoning attack sample and inject it into the security recommendation system under evaluation to simulate the attack; analyze how much the recommendation lists of normal users change before and after the attack, and use this as the security test result of the system under evaluation; if the security test result is smaller than a threshold, the system under evaluation executes the recommendation task to obtain the recommended items for a user;
where step 3 comprises:
Step 31: initialize the model parameters Θ of the surrogate recommendation system;
Step 32: according to the model structure, compute forward from the model parameters Θ to obtain the feature representation matrix R of the n users and m items;
Step 33: compute the loss function on the poisoned data set;
Step 34: obtain the gradient matrix of the feature representation matrix R by back-propagation with an automatic differentiation tool;
Step 35: according to the interaction matrix I, select from the feature representation matrix R the user-item feature pairs that have an interaction; among these, take the pairs whose similarity between the user feature and the item feature exceeds the threshold ξ as target feature pairs, and propagate the gradient of the target feature pairs through the gradient matrix to obtain a gradient in which the interacting user and item feature representations have been explicitly transferred;
Step 36: perform gradient descent on the surrogate recommendation system with this gradient to update the model parameters Θ;
Step 37: repeat steps 33 to 36 until the number of training rounds is reached, obtaining the trained surrogate recommendation system.
In the recommendation system security test method based on a simulated data poisoning attack, the surrogate system adopts a matrix factorization (MF) structure and the loss function is the mean square error (MSE) loss.
In the recommendation system security test method based on a simulated data poisoning attack, step 35 includes:
transferring the information of the gradient matrix through L gradient transfer layers according to the transfer matrix, specifically: the gradient matrix of gradient transfer layer 0 is the original gradient matrix, and each subsequent layer transfers the gradient matrix of the previous layer through the transfer matrix;
the gradient of the feature representation matrix R is then replaced by the sum of the gradient matrices of all layers.
In the recommendation system security test method based on a simulated data poisoning attack, the transfer matrix is constructed as follows: for the feature representation r_u of a user and the feature representation r_i of an item in the vector representation matrix R, obtain the similarity of their current feature representations; information is transferred only between user-item pairs whose similarity exceeds the preset threshold ξ.
Here i and j are subscripts and d is the dimension of the feature vectors; rows id to (i+1)d and columns jd to (j+1)d form a sub-matrix of size d×d. The final transfer matrix is obtained with the help of a diagonalized degree matrix whose diagonal elements are the number of interactions of the user or item corresponding to that row.
The invention also provides a recommendation system security test system based on simulated data poisoning attack, which comprises:
Module 1: according to the user-item interaction matrix, initialize the components required by the simulated attack generation method, including the user set U_r, the number of users n_r, the number of items m, the number of injected users n_f, the behavior budget τ, the target item i_t, and the model structure and loss function of the surrogate recommendation system;
Module 2: randomly initialize the interaction matrix of the injected users, such that the number of interactions of each injected user is at most the behavior budget τ;
Module 3: train the surrogate recommendation system;
Module 4: compute the attack gradient of the injected users from the output of the trained surrogate system;
Module 5: perform projected gradient descent according to the attack gradient and update the injected users' interaction matrix I_f;
Module 6: repeatedly invoke modules 3 to 5 until the preset number of iteration rounds is reached;
Module 7: keep the current injected user behavior I_f as the simulated data poisoning attack sample and inject it into the security recommendation system under evaluation to simulate the attack; analyze how much the recommendation lists of normal users change before and after the attack, and use this as the security test result of the system under evaluation; if the security test result is smaller than a threshold, the system under evaluation executes the recommendation task to obtain the recommended items for a user. Specifically, the Jaccard distance is used to measure the change of the normal users' recommendation lists before and after the attack, which gives the security of the system under evaluation: if the Jaccard distance is smaller than a certain threshold, the system under evaluation executes the recommendation task to obtain the recommended items for a user; if the Jaccard distance of the normal users' recommendation lists before and after the attack is too large, the recommendation system is not secure enough, the influence of the injected users on it can be analyzed further, and finally a more robust recommendation algorithm model or an anomaly detection mechanism is introduced to strengthen the security of the recommendation system.
where module 3 comprises:
Module 31: initialize the model parameters Θ of the surrogate recommendation system;
Module 32: according to the model structure, compute forward from the model parameters Θ to obtain the feature representation matrix R of the n users and m items;
Module 33: compute the loss function on the poisoned data set;
Module 34: obtain the gradient matrix of the feature representation matrix R by back-propagation with an automatic differentiation tool;
Module 35: according to the interaction matrix I, select from the feature representation matrix R the user-item feature pairs that have an interaction; among these, take the pairs whose similarity between the user feature and the item feature exceeds the threshold ξ as target feature pairs, and propagate the gradient of the target feature pairs through the gradient matrix to obtain a gradient in which the interacting user and item feature representations have been explicitly transferred;
Module 36: perform gradient descent on the surrogate recommendation system with this gradient to update the model parameters Θ;
Module 37: repeatedly invoke modules 33 to 36 until the number of training rounds is reached, obtaining the trained surrogate recommendation system.
In the recommendation system security test system based on a simulated data poisoning attack, the surrogate system adopts a matrix factorization (MF) structure and the loss function is the mean square error (MSE) loss.
In the recommendation system security test system based on a simulated data poisoning attack, module 35 includes:
transferring the information of the gradient matrix through L gradient transfer layers according to the transfer matrix, specifically: the gradient matrix of gradient transfer layer 0 is the original gradient matrix, and each subsequent layer transfers the gradient matrix of the previous layer through the transfer matrix;
the gradient of the feature representation matrix R is then replaced by the sum of the gradient matrices of all layers.
In the recommendation system security test system based on a simulated data poisoning attack, the transfer matrix is constructed as follows: for the feature representation r_u of a user and the feature representation r_i of an item in the vector representation matrix R, obtain the similarity of their current feature representations; information is transferred only between user-item pairs whose similarity exceeds the preset threshold ξ.
Here i and j are subscripts and d is the dimension of the feature vectors; rows id to (i+1)d and columns jd to (j+1)d form a sub-matrix of size d×d. The final transfer matrix is obtained with the help of a diagonalized degree matrix whose diagonal elements are the number of interactions of the user or item corresponding to that row.
The invention also provides a server comprising the above recommendation system security testing device based on a simulated data poisoning attack.
The invention also provides a storage medium storing a computer program for executing the recommendation system security testing method based on a simulated data poisoning attack.
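As an added illustration of the security test in step 7 / module 7 (this is not the patent's own code): the Jaccard distance between each normal user's top-k recommendation list before and after the simulated sample is injected, a pass threshold on the result, and a tally of which items newly entered the lists for the follow-up analysis. Top-k extraction, aggregation by the mean, and the threshold value are assumptions; all scores are constructed.

```python
"""Step 7 / module 7: Jaccard-distance security test of a recommender before
and after a simulated poisoning sample is injected.  Constructed example, not
the patent's own code; top-k extraction, mean aggregation and the pass
threshold are assumptions."""
from collections import Counter
from typing import Dict, List, Sequence, Set


def top_k(scores: Sequence[float], k: int) -> Set[int]:
    """Indices of the k highest-scoring items; ties go to the lower index."""
    order = sorted(range(len(scores)), key=lambda j: (-scores[j], j))
    return set(order[:k])


def jaccard_distance(a: Set[int], b: Set[int]) -> float:
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def security_test(before: Sequence[Sequence[float]],
                  after: Sequence[Sequence[float]],
                  k: int, threshold: float) -> Dict[str, object]:
    """Per normal user, the Jaccard distance between the top-k lists before and
    after injection; the mean is the test result and must stay below threshold
    for the system to be allowed to serve recommendations."""
    per_user: List[float] = [jaccard_distance(top_k(b, k), top_k(a, k))
                             for b, a in zip(before, after)]
    mean = sum(per_user) / len(per_user)
    return {"per_user": per_user, "mean": mean, "passes": mean < threshold}


def new_entries(before: Sequence[Sequence[float]],
                after: Sequence[Sequence[float]], k: int) -> Dict[int, int]:
    """Which items newly entered top-k lists after injection, and how often:
    the follow-up analysis of the injected users' influence when the test fails."""
    counts: Counter = Counter()
    for b, a in zip(before, after):
        counts.update(top_k(a, k) - top_k(b, k))
    return dict(counts)


# Constructed preference scores of 3 normal users over 5 items.
BEFORE = [
    [0.9, 0.8, 0.1, 0.3, 0.0],
    [0.2, 0.7, 0.6, 0.1, 0.05],
    [0.5, 0.1, 0.4, 0.9, 0.0],
]
# Scores after the simulated sample is injected (constructed): item 4 rises
# for users 0 and 1, user 2 is unaffected.
AFTER = [
    [0.9, 0.6, 0.1, 0.3, 0.95],
    [0.2, 0.7, 0.4, 0.1, 0.65],
    [0.5, 0.1, 0.4, 0.9, 0.0],
]

if __name__ == "__main__":
    result = security_test(BEFORE, AFTER, k=2, threshold=0.3)
    print(result)
    if not result["passes"]:
        print("items pushed into recommendation lists:", new_entries(BEFORE, AFTER, 2))
```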
The advantages of the invention are as follows:
Compared with the prior art, the training of the surrogate recommendation system is accelerated by the gradient transfer technique, so that a more accurate surrogate model is obtained within a limited time. Because a more accurate surrogate model gives better optimization guidance, the accuracy of existing simulated attack samples is improved. Gradient transfer can be applied broadly to attack methods that rely on a surrogate system, which includes most existing simulated poisoning attacks on recommendation systems, and so provides a basis for subsequent development. At the same time, the method helps to find weaknesses of the recommendation system and provides hints for designing more reliable defense methods.
Drawings
Fig. 1 is a flow chart of PGA attack of the integrated gradient transfer technique of the present invention.
Detailed Description
In view of the problem that the repeated training of the surrogate system in prior-art simulated poisoning attack methods is too time-consuming, the invention aims to provide a gradient transfer technique that significantly accelerates surrogate system training, thereby improving the effect and efficiency of simulated poisoning attacks on recommendation systems that rely on surrogate training, improving the test efficiency of the security system, or using the attack scheme as training data to improve the security of the system.
In a typical recommender training process, the features of users and items that have interacted should remain highly similar. Transferring gradient information accelerates the adjustment of interacting user and item features toward each other, which strengthens the learning effect of positive samples in training and speeds up the whole training process. The gradient transfer technique can be integrated into existing attack sample simulation methods, greatly increasing the retraining speed of the surrogate model; this yields a more accurate surrogate model and improves the efficiency and accuracy of generating simulated poisoning schemes for recommendation systems.
In order to achieve these technical effects, the invention comprises the following key technical points:
Key point 1: in the back-propagation process of surrogate recommendation system training, gradient information is explicitly transferred between the feature representations of users and items that have interacted.
In a two-tower recommendation system, the recommendation model first generates a feature representation for each user and item, forming a representation matrix R, where n and m are the numbers of users and items in the recommendation system and d is the dimension of the feature representation. The loss function of the recommendation system measures item recommendation accuracy; I ∈ {0,1}^{n×m} is the observed training data of the recommendation system, where I_{i,j} indicates whether the i-th user has interacted with (clicked or purchased) the j-th item. "Observed" refers to what the system records: a user may only have purchased apples in the system while also liking bananas, which is not observed. I_{i,j} = 1 indicates that the i-th user has interacted with the j-th item. Training the recommendation system means optimizing R according to the training data I so that the loss is minimized. Taking the MSE loss function as an example,
where the feature representations of the i-th user and the j-th item correspond to two rows of R.
In most existing optimization-guided attack methods, the attacker needs to train a surrogate model on the existing training data and the current behavior of the injected users. From the interaction data of the real users and the current behavior of the injected users, the parameters Θ_s of the surrogate model are obtained, from which the user-item feature representation matrix R of the recommendation system can be inferred. R is the key intermediate result needed to produce the recommendation result from the surrogate model; once R is available, the recommendation result follows.
During the training of the surrogate recommendation model, the gradient matrix of the user and item feature representation matrix is obtained.
This gradient matrix is used in the gradient descent algorithm to optimize the surrogate feature representation matrix R and the model parameters Θ_s.
In order to accelerate the training of the surrogate model, the invention introduces a transfer matrix through which information is passed to the original gradient matrix. The transfer matrix is similar to I, with two differences. First, besides requiring an interaction, the similarity of the feature representations r must also exceed the preset threshold ξ; only then is the entry of the transfer matrix at that user-item position 1, otherwise it is 0. Second, the transfer matrix has one more dimension d than I, so the entry at a user-item position is no longer a scalar but a d×d diagonal matrix whose diagonal is 1 if the condition holds and 0 otherwise.
Specifically, we use L gradient transfer layers to transfer the information of the original gradient matrix. The gradient matrix of layer 0 is defined as the original gradient, and each subsequent layer transfers the gradient matrix of the previous layer through the transfer matrix.
Finally, we replace the gradient of the feature representation matrix R by the sum of the gradient matrices of all layers,
and perform the subsequent gradient descent training with the modified gradient. Taking the most basic stochastic gradient descent algorithm (SGD) as an example, the iterative update at step t+1 is expressed in terms of
R_{t+1} and R_t, the feature representation matrices at steps t+1 and t; α, the learning rate; the gradient of R computed from the loss function of the surrogate recommendation system on the poisoned training data I at the current representation R_t; and GP, which denotes the gradient transfer operation proposed by the invention.
The technical effects are as follows: matrix ladder for representing characteristics compared with original characteristicsDegree ofThe invention obtains new gradient after gradient transfer>The training of the alternative recommendation model can be accelerated, and the number of training rounds required for convergence is greatly shortened.
Key point 2: according to the training mechanism of the recommendation system, only users and commodities with high feature representation similarity are selected for gradient transfer.
The reason is that if the similarity between a pair of user and item feature representations is low, they are far apart in feature space. In that case, transferring gradient information between them brings little gain and instead introduces extraneous noise.
Specifically, when constructing the transfer matrix, we selectively perform gradient transfer between an interacting user u and item i (note that the real users and the injected users do not overlap). Consider the feature representation r_u of u and r_i of i, which are two rows of the vector representation matrix R. We compute the similarity of the current feature representations r_u and r_i, and transfer information only between user-item pairs whose similarity exceeds the preset threshold ξ. Expressed as a formula, the transfer matrix is built block by block from these pairs:
i and j are subscripts and d is the dimension of the vector representation; rows id to (i+1)d and columns jd to (j+1)d form a sub-matrix of size d×d.
The final transfer matrix is obtained with the help of a diagonalized degree matrix whose elements are the number of interactions of the user or item corresponding to that row.
The technical effects are as follows: and the optimization dynamics of the substitution recommendation system are considered, so that the interference caused by the introduction of excessive ineffective gradients is avoided.
Key point 3: the gradient transfer technology is seamlessly integrated into the existing attack method to perform alternative system training.
In most existing optimization-guided attack methods, the attacker needs to train a surrogate model on the existing training data and the current behavior of the injected users. Most conventional attack methods train the surrogate model in the same way as a normal recommendation system is trained; however, under a poisoning attack the surrogate model must be retrained repeatedly on different training data, which places higher demands on its convergence speed. The gradient transfer method proposed here can be applied directly within existing attack frameworks, changing only the surrogate model training part: the surrogate training is accelerated, so the generation of the injected users is guided better. Technical effect: within the same attack framework and execution time, the accuracy of generating existing simulated attack samples is improved.
In order to make the above features and effects of the present invention more clearly understood, the following specific examples are given with reference to the accompanying drawings. The present specification discloses one or more embodiments that incorporate the features of the invention. The disclosed embodiments are merely illustrative. The scope of the invention is not limited to the disclosed embodiments, but is defined by the appended claims.
Fig. 1 shows an example of combining the gradient propagation technique proposed by the present invention with a classical PGA attack algorithm.
Taking the PGA attack among current recommendation system poisoning attack methods as an example, the specific flow with the integrated gradient transfer technique is described:
step 1, obtaining a real user-commodity interaction matrix according to real user behaviors recorded in a recommendation systemInitializing components required in PGA attack method, including a real user set U r Number n of real users r Number of commodity m and number of injected users n f Action budget τ, target commodity i t Alternative system architecture and loss functions, etc. Wherein the replacement system structure and loss function may be chosen from any existing recommended system algorithm, such as a matrix factorization MF structure and a mean square error MSE loss function.
Step 2, randomly initializing a group of interaction matrixes injected into usersI f Wherein 0 represents no interaction between the user and the merchandise and 1 represents interaction. To meet the attack budget constraint, the number of interactions per injection user is not greater than τ, i.e f Number of non-zero items per line +.>
Step 3, retraining the replacement recommendation system:
a) Randomly initializing a substitute system model parameter theta;
b) Through thetaForward computing user and commodity feature representation matrixThe forward calculation process is related to a model structure, for example, in a matrix decomposition model MF, Θ is the same as R, and in a graph neural network recommendation model LightGCN, Θ is calculated through a plurality of layers of linear graph neural networks to obtain R;
c) Poisoning data set based on real user and injected user behavior Calculating a loss function->
d) Counter-propagating computational gradients through an automated deriving tool
e) Gradient for explicit delivery of interactive user and merchandise feature representationsSpecifically, if a certain user interacts with a certain commodity, and the similarity between their presentation features +.>Above a certain threshold value xi, the gradients represented by the user and the commodity feature are mutually transferred;
f) Using transferred gradientsGradient descent is carried out, and model parameters theta are updated;
g) Repeating the steps b-f until the training round number is met.
Step 4: compute the attack gradient of the current injected users from the substitute system parameters Θ. Specifically, assume the attacker's goal is to promote a target commodity. Recommendations for the real users are generated from the substitute system's parameters, giving each real user's preference score for the target commodity to be promoted; the higher the score, the lower the attack loss. Minimizing the attack loss therefore raises the real users' scores for the target commodity. Once the loss is defined, its gradient is computed by the automatic differentiation tool.
Step 5: perform projected gradient descent with the attack gradient and update the injected users' interaction matrix I_f.
Step 6: repeat steps 3-5 until the preset number of iterations is reached.
Step 7: output the optimized injected user behaviour I_f; injecting it into the target system's training data simulates the attack.
The gradient transfer matrix is constructed in a similar manner to the message transfer in the Graph Neural Network (GNN), but is unique in that gradient information is transferred and applied to the back propagation phase of training. By integrating gradient transfer technology in the process of training the substitution system, the training convergence speed of the substitution model can be remarkably accelerated. This allows a more accurate surrogate model to be obtained in a limited time so that the injection user can better optimize for the real system, thereby improving the attack.
The gradient transfer technology can be widely integrated into various recommendation system simulation poisoning attack methods based on the double-tower structure substitution model, including methods based on the attack model and methods not based on the attack model. The prior attack methods all depend on repeated training of the alternative recommendation model in the implementation process, and the technology provided by the invention can accelerate the training process, so that the attack success rate is improved under the condition of spending the same time cost, and a foundation is provided for developing more efficient attack and more reliable defense.
The following is a system example corresponding to the above method example, and this embodiment mode may be implemented in cooperation with the above embodiment mode. The related technical details mentioned in the above embodiments are still valid in this embodiment, and in order to reduce repetition, they are not repeated here. Accordingly, the related technical details mentioned in the present embodiment can also be applied to the above-described embodiments.
The invention also provides a recommendation system security test system based on simulated data poisoning attack, which comprises:
Module 1: according to the user-commodity interaction matrix, initialize the components needed by the simulated attack generation method, including the user set U_r, the number of users n_r, the number of commodities m, the number of injected users n_f, the action budget τ, the target commodity i_t, and the model structure and loss function of the substitute recommendation system;
Module 2: randomly initialize the interaction matrix I_f of the injected users, the number of interactions of each injected user being at most the behaviour budget τ;
Module 3: train the substitute recommendation system;
Module 4: compute the attack gradient of the injected users from the output of the trained substitute system;
Module 5: perform projected gradient descent with the attack gradient and update the injected users' interaction matrix I_f;
Module 6: call modules 3-5 repeatedly until the preset number of iterations is reached;
Module 7: keep the current injected user behaviour I_f as the simulated data poisoning attack sample, inject it into the security recommendation system to be evaluated to simulate the attack, and analyse how much the recommendation lists the system produces for normal users change before and after the attack; this change is the security test result of the system under evaluation, and if it is smaller than a threshold the system executes its recommendation task to obtain the recommended commodities for each user. Specifically, the Jaccard distance between a normal user's recommendation list before and after the attack measures the degree of change and thereby the security of the system under evaluation: if the Jaccard distance is below the threshold, the system under evaluation executes its recommendation task to obtain the users' recommended commodities; if the Jaccard distance of the normal users' recommendation lists before and after the attack is too large, the security of the recommendation system is weak, the influence of the injected users on it can be analysed further, and finally a more robust recommendation model or an anomaly detection mechanism is introduced to strengthen the recommendation system.
Wherein the module 3 comprises:
Module 31: initialize the model parameters Θ of the substitute recommendation system;
Module 32: according to the model structure, forward-compute from the model parameters Θ the feature representation matrix R of the n users and m commodities;
Module 33: compute the loss function on the poisoned data set;
Module 34: obtain the gradient matrix of the feature representation matrix R by back-propagation with the automatic differentiation tool;
Module 35: according to the interaction matrix I, select from the feature representation matrix R the user-commodity feature pairs that have an interaction; among them, take the pairs whose user-feature/commodity-feature similarity exceeds the threshold ξ as target feature pairs, and propagate the gradient matrix over the target feature pairs to obtain the gradient with explicit transfer between the feature representations of interacting users and commodities;
Module 36: perform gradient descent on the substitute recommendation system with this gradient to update the model parameters Θ;
Module 37: repeat modules 33-36 until the number of training rounds is met, giving the trained substitute recommendation system.
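The recommendation-list comparison of module 7, as an added example (illustrative code, not the patent's implementation or any project's code). The score matrices and the interaction history are constructed sample data standing in for the outputs of the recommender under test before and after the sample is injected; the threshold is a free parameter the page leaves to the operator, and excluding already-interacted items from the top-K list is an assumption about how the evaluated recommender serves lists.

```python
"""Security test of module 7: compare each normal user's top-K recommendation
list before and after the simulated poisoning sample is injected, using the
Jaccard distance. Added illustrative example; the score matrices below are
constructed sample data, not output of any real recommender."""
import numpy as np


def top_k_lists(scores, k, history=None):
    """Top-k item ids per user, as a set. Items the user already interacted
    with (history[u, i] == True) are excluded (assumption: the evaluated
    recommender does not re-recommend consumed items)."""
    s = np.array(scores, dtype=float)
    if history is not None:
        s = np.where(np.asarray(history, dtype=bool), -np.inf, s)
    k = min(k, s.shape[1])
    order = np.argsort(-s, axis=1)[:, :k]          # descending score
    # drop excluded (-inf) slots so a short candidate set does not leak history items
    return [set(int(i) for i in row if s[u, i] > -np.inf)
            for u, row in enumerate(order)]


def jaccard_distance(a, b):
    """1 - |a ∩ b| / |a ∪ b|; two empty lists count as identical (distance 0)."""
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def security_test(scores_before, scores_after, k, threshold, history=None):
    """Per-user and mean Jaccard distance between top-k lists before and after
    the attack. `passes` is True when the mean distance is below `threshold`
    (the recommender may then serve its recommendations); otherwise the
    injected users' influence should be analysed further. `entered` lists the
    items that newly appeared in each user's list, which is what an analyst
    looks at first to see which commodity the sample promoted."""
    before = top_k_lists(scores_before, k, history)
    after = top_k_lists(scores_after, k, history)
    per_user = [jaccard_distance(a, b) for a, b in zip(before, after)]
    mean = float(np.mean(per_user)) if per_user else 0.0
    return {
        "per_user": per_user,
        "mean": mean,
        "passes": mean < threshold,
        "entered": [b - a for a, b in zip(before, after)],
    }


# Constructed sample: 3 normal users, 5 items. The "after" scores differ only
# for user 0, where item 4 (the promoted target in this scenario) jumps into
# the top-2. User 1 has already interacted with item 1.
SCORES_BEFORE = [[0.9, 0.8, 0.1, 0.2, 0.3],
                 [0.1, 0.9, 0.8, 0.2, 0.3],
                 [0.5, 0.1, 0.2, 0.9, 0.8]]
SCORES_AFTER = [[0.9, 0.8, 0.1, 0.2, 0.95],
                [0.1, 0.9, 0.8, 0.2, 0.3],
                [0.5, 0.1, 0.2, 0.9, 0.8]]
HISTORY = [[False] * 5,
           [False, True, False, False, False],
           [False] * 5]

if __name__ == "__main__":
    result = security_test(SCORES_BEFORE, SCORES_AFTER, k=2, threshold=0.3,
                           history=HISTORY)
    for u, (dist, new_items) in enumerate(zip(result["per_user"], result["entered"])):
        print(f"user {u}: jaccard distance {dist:.3f}, newly recommended {sorted(new_items)}")
    print(f"mean distance {result['mean']:.3f}, passes threshold: {result['passes']}")
```

The mean distance is the single number the page compares to the threshold; the per-user distances and the newly entered items are what make a failed test actionable, because they show which users were displaced and which commodity displaced them, the starting point for the further analysis and for tuning an anomaly detector the text mentions.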
In the above recommendation system security test system based on simulated data poisoning attack, the substitute recommendation system adopts a matrix factorization (MF) structure and the loss function is the mean square error (MSE) loss.
In the above recommendation system security test system based on simulated data poisoning attack, module 35 includes:
propagating the gradient matrix through L gradient transfer layers according to the transfer matrix, specifically: the gradient matrix of the layer-0 gradient transfer layer is the gradient matrix obtained in module 34, and each subsequent layer transfers the gradient matrix of the previous layer using the transfer matrix;
and replacing the gradient of the feature representation matrix R with the sum of the gradient matrices of all layers.
In the above recommendation system security test system based on simulated data poisoning attack, when the transfer matrix is constructed, the similarity of the current feature representations of a user and a commodity is obtained from the user's feature vector r_u and the commodity's feature vector r_i in the matrix R, and information is transferred only between user-commodity pairs whose similarity exceeds the preset threshold ξ.
In the transfer matrix, i and j are indices, d is the dimension of the feature vectors, and rows id to (i+1)d and columns jd to (j+1)d form a d×d sub-matrix; this gives the transfer matrix, where D is a diagonal degree matrix whose diagonal elements are the number of interactions of the user or commodity corresponding to that row.
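The gradient transfer of step 3 e), module 35 and the transfer-matrix construction just described, carried out in numpy as an added example (illustrative code, not the patent's implementation or any project's code). It keeps the gradient of R as an (n+m)×d matrix and the transfer matrix as an (n+m)×(n+m) adjacency, which is the d×d sub-block form of the description with the identical blocks factored out. Where the page elides the formulas, the example assumes a matrix factorization surrogate with MSE loss, the symmetric normalisation D^{-1/2} A D^{-1/2} with degrees counted from the interaction matrix I, and a single transfer layer (L = 1) in the demonstration; the feature and interaction matrices are constructed sample data.

```python
"""Gradient transfer for a two-tower (MF + MSE) surrogate recommender.

Added illustrative example. The normalisation D^{-1/2} A D^{-1/2} and the use of
interaction counts from I as the degrees are assumptions: the page names a
diagonal degree matrix D but not the exact formula.
"""
import numpy as np


def mse_loss_and_grad(R, I, n):
    """MSE over every user-item cell of the (poisoned) interaction matrix I
    (shape n x m, n already counting injected users) and its gradient w.r.t.
    the feature matrix R = [U; V] of shape (n+m) x d. For MF the parameter
    matrix Theta is R itself (step b of the description)."""
    U, V = R[:n], R[n:]
    err = U @ V.T - I
    loss = float((err ** 2).mean())
    scale = 2.0 / err.size                       # d(mean(err^2)) / d(pred)
    dU = scale * err @ V
    dV = scale * err.T @ U
    return loss, np.vstack([dU, dV])


def build_transfer_matrix(R, I, n, xi):
    """Transfer matrix over the n users + m items of R.

    An entry is set only for an interacting pair (I[u, i] > 0) whose current
    feature similarity r_u . r_i exceeds the threshold xi (module 35).
    The matrix is then normalised with the degree matrix D built from I.
    """
    U, V = R[:n], R[n:]
    sim = U @ V.T                                # r_u . r_i for every pair
    mask = (I > 0) & (sim > xi)                  # interacting AND similar enough
    total = R.shape[0]
    A = np.zeros((total, total))
    A[:n, n:] = mask
    A[n:, :n] = mask.T                           # undirected: user <-> item
    deg = np.concatenate([I.sum(axis=1), I.sum(axis=0)]).astype(float)
    d_inv_sqrt = np.zeros(total)                 # nodes without interactions stay isolated
    d_inv_sqrt[deg > 0] = 1.0 / np.sqrt(deg[deg > 0])
    return d_inv_sqrt[:, None] * A * d_inv_sqrt[None, :]


def gradient_transfer(G, A_hat, L):
    """L gradient-transfer layers: G_0 = G, G_{l+1} = A_hat @ G_l.
    The returned gradient is the sum of all layers G_0 + G_1 + ... + G_L."""
    total, cur = G.copy(), G
    for _ in range(L):
        cur = A_hat @ cur
        total = total + cur
    return total


def surrogate_step(R, I, n, xi=0.0, L=1, lr=0.1):
    """One iteration of steps b-f: forward pass, loss, raw gradient, gradient
    transfer, then a gradient-descent update of the MF parameters.
    Returns the updated R and the loss measured before the update."""
    loss, G = mse_loss_and_grad(R, I, n)
    A_hat = build_transfer_matrix(R, I, n, xi)
    G_t = gradient_transfer(G, A_hat, L)
    return R - lr * G_t, loss


# Constructed sample: 1 user, 2 items, d = 2; the user has interacted with
# both items. Rows of R: user 0, item 0, item 1.
SAMPLE_R = np.array([[1.0, 0.0],
                     [1.0, 0.0],
                     [0.0, 1.0]])
SAMPLE_I = np.array([[1.0, 1.0]])
N_USERS = 1

if __name__ == "__main__":
    R = SAMPLE_R
    for epoch in range(3):
        R, loss = surrogate_step(R, SAMPLE_I, N_USERS, xi=-1.0, L=1)
        print(f"epoch {epoch}: surrogate loss before update = {loss:.4f}")
```

Two properties worth checking on any implementation of this step: raising ξ above every similarity must turn the transfer into a no-op (the sum of layers collapses to the raw gradient), and an update with the transferred gradient must still lower the surrogate loss on the sample. The second is what makes the acceleration usable at all; a transferred gradient that stopped being a descent direction would only make the surrogate, and therefore the security test built on it, less accurate.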
The invention also provides a server, which comprises the recommendation system safety testing device based on the simulated data poisoning attack.
The invention also provides a storage medium for storing a computer program for executing the recommendation system security testing method based on the simulated data poisoning attack.
Although embodiments of the present invention have been disclosed above, it is not limited to the details and embodiments shown and described, it is well suited to various fields of use for which the invention would be readily apparent to those skilled in the art, and accordingly, the invention is not limited to the specific details and illustrations shown and described herein, without departing from the general concepts defined in the claims and their equivalents.

Claims (10)

1. A recommendation system security test method based on simulated data poisoning attack is characterized by comprising the following steps:
step 1, according to the user-commodity interaction matrix, initializing the components needed by the simulated attack generation method, including the user set U_r, the number of users n_r, the number of commodities m, the number of injected users n_f, the action budget τ, the target commodity i_t, and the model structure and loss function of the substitute recommendation system;
step 2, randomly initializing the interaction matrix I_f of the injected users, the number of interactions of each injected user being less than or equal to the behaviour budget τ;
step 3, training the substitute recommendation system;
step 4, calculating the attack gradient of the injected users according to the output of the trained substitute system;
step 5, performing projected gradient descent according to the attack gradient and updating the interaction matrix I_f of the injected users;
step 6, repeating steps 3-5 until the preset number of iterations is reached;
step 7, keeping the current injected user behaviour I_f as the simulated data poisoning attack sample, injecting it into the security recommendation system to be evaluated to simulate the attack, analysing the degree of change of the recommendation lists produced by the system under evaluation for normal users before and after the attack as the security test result of the system, and, if the security test result is smaller than a threshold, executing the recommendation task with the system under evaluation to obtain the recommended commodities of the users;
wherein step 3 comprises:
step 31, initializing the model parameters Θ of the substitute recommendation system;
step 32, according to the model structure, obtaining the feature representation matrix R of the n users and m commodities by forward computation from the model parameters Θ;
step 33, calculating the loss function on the poisoned data set;
step 34, obtaining the gradient matrix of the feature representation matrix R by back-propagation with the automatic differentiation tool;
step 35, selecting from the feature representation matrix R, according to the interaction matrix I, the user-commodity feature pairs that have an interaction, taking among them the pairs whose user-feature/commodity-feature similarity exceeds the threshold ξ as target feature pairs, and propagating the gradient matrix over the target feature pairs to obtain the gradient with explicit transfer between the feature representations of interacting users and commodities;
step 36, performing gradient descent on the substitute recommendation system with this gradient to update the model parameters Θ;
step 37, repeating steps 33-36 until the number of training rounds is met, obtaining the trained substitute recommendation system.
2. The recommendation system security test method based on simulated data poisoning attack of claim 1, wherein the substitute system architecture employs a matrix factorization MF architecture, the loss function being a mean square error MSE loss function.
3. The recommendation system security test method based on simulated data poisoning attack of claim 1, wherein step 35 includes:
propagating the gradient matrix through L gradient transfer layers according to the transfer matrix, specifically: the gradient matrix of the layer-0 gradient transfer layer is the gradient matrix obtained in step 34, and each subsequent layer transfers the gradient matrix of the previous layer using the transfer matrix;
and replacing the gradient of the feature representation matrix R with the sum of the gradient matrices of all layers.
4. The recommendation system security test method based on simulated data poisoning attack of claim 3, wherein, when the transfer matrix is constructed, the similarity of the current feature representations of a user and a commodity is obtained from the user's feature vector r_u and the commodity's feature vector r_i in the matrix R, and information is transferred only between user-commodity pairs whose similarity exceeds the preset threshold ξ;
in the transfer matrix, i and j are indices, d is the dimension of the feature vectors, and rows id to (i+1)d and columns jd to (j+1)d form a d×d sub-matrix; this gives the transfer matrix, where D is a diagonal degree matrix whose diagonal elements are the number of interactions of the user or commodity corresponding to that row.
5. A recommendation system security test system based on simulated data poisoning attacks, comprising:
module 1, according to the user-commodity interaction matrix, initializing the components needed by the simulated attack generation method, including the user set U_r, the number of users n_r, the number of commodities m, the number of injected users n_f, the action budget τ, the target commodity i_t, and the model structure and loss function of the substitute recommendation system;
module 2, randomly initializing the interaction matrix I_f of the injected users, the number of interactions of each injected user being less than or equal to the behaviour budget τ;
module 3, training the substitute recommendation system;
module 4, calculating the attack gradient of the injected users according to the output of the trained substitute system;
module 5, performing projected gradient descent according to the attack gradient and updating the interaction matrix I_f of the injected users;
module 6, calling modules 3-5 repeatedly until the preset number of iterations is reached;
module 7, keeping the current injected user behaviour I_f as the simulated data poisoning attack sample, injecting it into the security recommendation system to be evaluated to simulate the attack, analysing the degree of change of the recommendation lists produced by the system under evaluation for normal users before and after the attack as the security test result of the system, and, if the security test result is smaller than a threshold, executing the recommendation task with the system under evaluation to obtain the recommended commodities of the users;
wherein module 3 comprises:
module 31, initializing the model parameters Θ of the substitute recommendation system;
module 32, according to the model structure, obtaining the feature representation matrix R of the n users and m commodities by forward computation from the model parameters Θ;
module 33, calculating the loss function on the poisoned data set;
module 34, obtaining the gradient matrix of the feature representation matrix R by back-propagation with the automatic differentiation tool;
module 35, selecting from the feature representation matrix R, according to the interaction matrix I, the user-commodity feature pairs that have an interaction, taking among them the pairs whose user-feature/commodity-feature similarity exceeds the threshold ξ as target feature pairs, and propagating the gradient matrix over the target feature pairs to obtain the gradient with explicit transfer between the feature representations of interacting users and commodities;
module 36, performing gradient descent on the substitute recommendation system with this gradient to update the model parameters Θ;
module 37, repeating modules 33-36 until the number of training rounds is met, obtaining the trained substitute recommendation system.
6. The recommendation system security test system based on simulated data poisoning attack of claim 1, wherein the substitute system architecture employs a matrix factorization MF architecture, the loss function being a mean square error MSE loss function.
7. The recommendation system security test system based on simulated data poisoning attack of claim 1, wherein module 35 comprises:
propagating the gradient matrix through L gradient transfer layers according to the transfer matrix, specifically: the gradient matrix of the layer-0 gradient transfer layer is the gradient matrix obtained in module 34, and each subsequent layer transfers the gradient matrix of the previous layer using the transfer matrix;
and replacing the gradient of the feature representation matrix R with the sum of the gradient matrices of all layers.
8. The recommendation system security test system based on simulated data poisoning attack of claim 7, wherein, when the transfer matrix is constructed, the similarity of the current feature representations of a user and a commodity is obtained from the user's feature vector r_u and the commodity's feature vector r_i in the matrix R, and information is transferred only between user-commodity pairs whose similarity exceeds the preset threshold ξ;
in the transfer matrix, i and j are indices, d is the dimension of the feature vectors, and rows id to (i+1)d and columns jd to (j+1)d form a d×d sub-matrix; this gives the transfer matrix, where D is a diagonal degree matrix whose diagonal elements are the number of interactions of the user or commodity corresponding to that row.
9. A server comprising a recommendation system security testing apparatus based on simulated data poisoning attacks according to claims 5-8.
10. A storage medium storing a computer program for executing the recommendation system security testing method based on simulated data poisoning attacks of claims 1-4.
CN202311675503.4A 2023-12-07 2023-12-07 Recommendation system security test method and system based on simulated data poisoning attack Pending CN117668857A (en)


Publications (1)

Publication Number Publication Date
CN117668857A true CN117668857A (en) 2024-03-08

Family

ID=90084198

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination