ClusterPoison: Poisoning Attacks on Recommender Systems with Limited Fake Users

Numerous prior studies on poisoning recommender systems have demonstrated that with access to a user's historical data, an attacker can significantly influence the decision-making process of the recommendation model. However, these studies often assume that the attacker can control fake users amounting to 1% of the real users on the recommendation platform. When dealing with real-world large-scale recommendation platforms hosting millions of users, manipulating such a vast number of fake users without detection by the platform becomes exceedingly challenging. This limitation implies that large-scale recommendation platforms can ignore the impact of poisoning attacks. Motivated by this observation, our article aims to explore the potential impact of an attacker when the number of fake users is extremely limited. Specifically, assuming the attacker controls only one fake user, we design a clustering-based scheme for generating fake users. Our scheme serves as a flexible widget that can be integrated into various poisoning attacks against deep learning-based recommender systems, enhancing their effectiveness when dealing with limited fake users. We demonstrate that combining our approach with two different poisoning attacks results in improved performance under the constraint of minimal fake users. Through experimentation on the Amazon Beauty dataset (22,363 users) and Amazon Sports dataset (35,598 users), we highlight the poisoning impact of this seemingly negligible single fake user. Our findings emphasize the threat of poisoning attacks with a very small set of fake users and call for their stronger defense in real-world recommender systems. Our code is publicly available at https://github.com/yanling02/ClusterPoison.