temporal defenses for robust recommendations neal lathia, s. hailes, l. capra PSDML @ ECML/PKDD, Sept 24 2010 email: [email protected] twitter: @neal_lathia http://www.cs.ucl.ac.uk/staff/n.lathia
Jul 07, 2015
what are recommender systems?
● web portals that (try to) connect you with the content (movies, music, books,...) that interests you
● many, many examples (netflix, last.fm, love film, amazon)
how do they work?
● collaborative filtering: reasoning on the user-item rating matrix; many techniques available (kNN, SVD)
● ranking based on predicted interest
[figure: user-item rating matrix, users u1–u5 × items i1–i5, star ratings with one unknown entry (?) to predict]
wisdom of the (anonymous) crowds
● “based on the premise that people looking for information should be able to make use of what others have already found and evaluated”
+ you don't have to know who rated what to receive recommendations
– who are they? are they rating honestly? are they human?
...a sybil attack...shilling attack, profile injection attack
...when an attacker tries to subvert the system by creating a large number of sybils—pseudonymous identities—in order to gain a disproportionate amount of influence...
incentive to attack?
attacks?
random → inject noise
targeted → structured attack
structured attacks: how?
target: item that attacker wants promoted/demoted
selected: similar items, to deceive the algorithm
filler: other items, to deceive humans
how can we defend recommender systems?
prior work: static classification
[figure: user-item matrix, users u1–u5 × items i1–i5; labels: honest, sybil]
problems with static classification
[figure: user-item matrix, users u1–u5 × items i1–i5; labels: honest, sybil]
when to run classifier?
when is system under attack?
when are sybils damaging recommendations?
proposal: temporal defenses
1. force sybils to draw out their attack
2. learn normal temporal behaviour
3. monitor & detect a wide range of attacks
~ and then ~
4. force sybils to attack more intelligently
1. distrusting newcomers
[figure: prediction shift over time]
1. force sybils to draw out their attack
how? distrust newcomers
sybils are forced to appear more than once
2. sybil group dynamics
single sybil = not an effective attack
sybils need to collude: how?
2. examine sybil group dynamics
how many sybils are there?
how many ratings per sybil?
(few, many) (many, many)
(many, few) (few, few)
how does this affect data? (attack impact)
how to detect these attacks? (monitor!)
system-level
user-level
item-level
overview of methodology
● monitor: learn how data changes over time
  ● what data to look at?
● flag: anomalous changes due to attack
  ● when to flag?
● this work: simple anomaly-detection; flag when time series is > a variance-adjusted threshold above an exponentially weighted moving average
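The flagging rule above as a runnable sketch; this is an added example, not code from the talk or the paper. Assumptions: the monitored system-level series is the average number of ratings per active user in each time window, the parameters `alpha`, `k` and `warmup` are illustrative values, and the events are constructed sample data.

```python
import math
from collections import defaultdict

def ratings_per_user(events):
    """events: iterable of (window, user_id), one entry per rating.
    Returns one value per window: mean ratings per active user
    (assumed here to be the system-level signal being monitored)."""
    counts = defaultdict(lambda: defaultdict(int))
    for window, user in events:
        counts[window][user] += 1
    return [sum(counts[w].values()) / len(counts[w]) for w in sorted(counts)]

def ewma_flags(series, alpha=0.3, k=3.0, warmup=5):
    """Flag index t when series[t] > mean + k * std, where mean and std are
    exponentially weighted estimates built from earlier, unflagged windows."""
    mean, var, flags = series[0], 0.0, []
    for t in range(1, len(series)):
        x = series[t]
        if t >= warmup and x > mean + k * math.sqrt(var):
            flags.append(t)
            continue  # keep suspected attack windows out of the baseline
        diff = x - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return flags

def constructed_events(attack_windows=(12, 13)):
    """Constructed sample: 10 honest users per window; in each attack
    window 5 new accounts add 30 ratings each."""
    honest_totals = [20, 21, 19, 22, 20, 18, 21, 20,
                     19, 21, 20, 21, 20, 21, 20, 21]
    events = []
    for w, total in enumerate(honest_totals):
        events += [(w, f"u{n % 10}") for n in range(total)]
        if w in attack_windows:
            events += [(w, f"s{n % 5}") for n in range(150)]
    return events

if __name__ == "__main__":
    series = ratings_per_user(constructed_events())
    print("flagged windows:", ewma_flags(series))
```

Flagged windows are left out of the mean and variance updates, so a sustained injection cannot raise its own threshold.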
a) system-level
how to evaluate our simple technique?
● a) simulation
  ● simulate stream of “average user ratings”
  ● play with mean/variance of time series
  ● measure precision/recall
● b) real data + injected attacks
  ● measure attack impact
evaluation
● a) simulation
evaluation
● a) real data – before
evaluation
● a) real data – after
b) user-level
● similar approach; look at different data:
  ● how many high volume raters?
  ● how much do high-volume raters rate?
evaluation
● a) real data – before
evaluation
where we stand
c) item-level: slightly different context
1. the item is rated by many users
   define many? using how other items were rated
2. the item is rated with extreme ratings
   define extreme? what is avg item mean?
3. (from a + b) the item's mean rating shifts
   nuke or promote?
flag: if all three conditions broken. Why?
1 → popular item. 2 → few extreme ratings. 3 → cold start item
1 + 2 but not 3 → attack doesn't change anything
evaluation
future work: how to defeat these defenses?
contributions
1. force sybils to draw out their attack
2. learn normal temporal behaviour
3. monitor & detect a wide range of attacks
~ and then ~
4. force sybils to attack more intelligently