Presentation is loading. Please wait.

Presentation is loading. Please wait.

Machine learning approaches to Attack Detection in Collaborative Recommender Systems Runa Bhaumik College of Computing and Digital Media DePaul University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Machine learning approaches to Attack Detection in Collaborative Recommender Systems Runa Bhaumik College of Computing and Digital Media DePaul University."— Presentation transcript:

1 Machine learning approaches to Attack Detection in Collaborative Recommender Systems Runa Bhaumik College of Computing and Digital Media DePaul University Chicago, Illinois Runa Bhaumik College of Computing and Digital Media DePaul University Chicago, Illinois

2 2 Outline Vulnerabilities in collaborative recommendation – Background, types of attacks and examples – Basic attack models – Effectiveness of different attacks against common CF algorithms Possible solutions – Attack Detection and Response

3 Motivation and Objectives “UserSubmitter.com” website that once operated as a “pay-per-digg” service allowed publishers to promote their content on Digg.com by paying other Digg users to “digg” the submitted article

4 Motivation and Objectives Several real-world examples of suspicious behavior related to recommender systems and social tagging networks. – Amazon. COM – Spur.NET

5 Introduction User-Adaptive Systems – Ex. collaborative recommender systems, social tagging networks – Depend on user input Problem we are addressing – User-Adaptive systems present a security problem Malicious users may try to distort the system's behavior Solution – Understanding different kinds of attack is crucial to evaluate the system – Investigating how such public systems can be made more robust through algorithmic solutions and detection

6

7 Example Collaborative System Item1Item 2Item 3Item 4Item 5Item 6Correlation with Alice Alice5233? User 12441 User 2213120.33 User 342321.90 User 4332310.19 User 53222 User 6531320.65 User 75151 Best match Prediction  Using k-nearest neighbor with k = 1

8 A Successful Push Attack Item1Item 2Item 3Item 4Item 5Item 6Correlatio n with Alice Alice5233? User 12441 User 2213120.33 User 342321.90 User 4332310.19 User 53222 User 6531320.65 User 75151 Attack 12325 Attack 2323250.76 Attack 3322250.93 Prediction  Best Match “user-based” algorithm using k-nearest neighbor with k = 1

9 Profile Injection Attacks Goal: To learn an attacker’s behavior Profile Injection Attacks – Consists of a number of "attack profiles" – profiles engineered to bias the system's recommendations Called “Shilling” in some previous work "Push attack" – designed to promote a particular product – attack profiles give a high rating to the pushed item – includes other ratings as necessary Other attack types – “nuke” attacks

10 Previous Work O'Mahoney, et al. 2004 – Theoretical basis for vulnerability; upper bound on prediction shift – Assumes full knowledge of rating data Lam & Riedl, 2004 – Empirical study of simple attack types – Impact on user-based and item-based algorithms – Assumes knowledge of average & std. dev. of ratings for all items General conclusion: – Substantial vulnerabilities exist

11 A Generic Attack Profile Previous work considered simple attack profiles: – No selected items, i.e., I S =  – No unrated items, i.e., I  =  – Attack models differ based on ratings assigned to filler items, e.g., random attack, average attack ……… itit …… null Ratings for k selected items Rating for the target item ISIS IFIF II Ratings for l filler items Unrated items in the attack profile

12 Vulnerabilities Against Collaborative Filtering Systems (2005 -2006) Random  Random ratings drawn from overall rating distribution among all items Average  Random ratings drawn from overall rating distribution among individual items Bandwagon /AOP  Target popular items (e.g., “blockbuster” movies) Segment Attack  Target a particular segment of users (fans of Harrison Ford or fans of horror)

13 Experimental Methodology Data Set – MovieLens 100K data set – 943 users and 1682 movies Evaluation Metrics – Prediction shift How much the rating of the pushed movie differs before and after the attack Attack Size – Percentage of the number of profiles in the database before the attack (3% means 28 attack users) Profile Size – Number of filler items in attack profile filler size as a proportion of the set of all items ( 3% means 50 items) Algorithms – User-based collaborative filtering – Item-based collaborative filtering

14 Effectiveness of Push and Nuke Attacks

15 Possible Solutions 15 Algorithmic Solutions – Design algorithms that are less susceptible to the types of attacks Hybrid Approach, model-based Detection and Response – Identify fake user profiles and remove them from the system Implement Captcha – A program that protects websites against bots

16 16 Approaches to Detection & Response Single Profile Classification Classification model to identify attack profiles and exclude these profiles in computing predictions Group Profile Classification Clustering Model to identify a group of attack profiles Anomaly Detection Classify Items (as being possibly under attack) – Not dependent on known attack models – Can shed some light on which type of items are most vulnerable to which types of attacks But, what if the attack does not closely correspond to known attack signature

17 17 Classification-Based Approach to Detection Profile Classification – Automatically identify attack profiles and exclude them from predictions – Reverse-engineered profiles likely to be most damaging – Increase cost of attacks by detecting most effective attacks – Characteristics of known attack models are likely to appear in other effective attacks as well Basic Approach – Create attributes that capture characteristics of suspicious profiles – Use attributes to build classification models – Apply model to user profiles to identify and discount potential attacks Type of Detection Attributes – Generic – modeled on basic descriptive statistics – Model-specific- attempt to detect characteristics of profiles that are generated by specific attack models.

18 18 Examples of Generic Attributes Weighted Deviation from Mean Agreement (WDMA) – Average difference in profile’s rating from mean rating on each item weighted by the item’s inverse rating frequency squared Weighted Degree of Agreement (WDA) – Sum of profile’s rating agreement with mean rating on each item weighted by inverse rating frequency Average correlation of the profile's k nearest neighbors – Captures rogue profiles that are part of large attacks with similar characteristics Variance in the number of ratings in a profile compared to the average number of ratings per user – Few real users rate a large # of items

19 19 Methodological Note for Detection Results Data set – Using MovieLens 100K data set – Data split 50% training, 50% test Profile classifier - Supervised training approach – kNN classifier, k=9 – Training data Half of actual data labeled as “Authentic” Insert a mix of attack profiles built from several attack models labeled as “Attack” – Test data Start with second half of actual data Insert test attack profiles targeting different movies than targeted in training data Recommendation Algorithm – User based kNN, k = 20 Evaluating results – 50 different target movies selected randomly but mirroring overall distribution – 50 users randomly pre-selected Results were averaged over all runs for each movie-user pair

20 20 Evaluation Metrics Detection attribute value: – Information Gain – attack profile vs. authentic profile Classification performance: True positive = # of attack profiles correctly identified False positive = # of authentic profiles misclassified as attacks False negatives = # of attack profiles misclassified as authentic – Precision = true positives / (true pos. + false pos.) Percent of profiles identified as attacks that are attacks – Recall = true positives / (true pos. + false negatives) Percent of attack profiles that were identified correctly Recommender robustness: – Prediction shift – change in recommender’s prediction resulting from the attack

21 Classification Effectiveness: Bandwagon and Segment Push Attacks 21 1. Detecting Profile Injection Attacks in Collaborative Recommender Systems in Proceedings of the IEEE Joint Conference on E-Commerce Technology and Enterprise Computing (2006) 2. Toward trustworthy recommender systems: An analysis of attack models and algorithm robustness in ACM Transactions on Internet Technology (TOIT) (2007)

22 Classification Approach Limitations – Didn’t perform well when the spam profiles are obfuscated – Ignored the combined effect of malicious users – Exploited signatures of attack profile With million users in the database it is not possible to label the users

23 Possible Solutions Unsupervised Approaches – Clustering based on principal component analysis ( Mehta et.al. 2007) – UnRAP algorithm based on residue-based metric used in gene expression analysis ( Bryan et.al. 2008) – N-P detection algorithm, a statistical approach ( Hurley et.al. 2009) Limitations – Model-based, parameterized, high false alarms, not suitable for all attack models

24 Clustering Approach – Unsupervised Detection Technique Trains on unlabeled data Creates attributes that capture characteristics of suspicious profiles – Generic attributes – RDMA, WDA, WDMA, Profile variance – Residue-Based Attribute (Bryan et.al. 2008) Divides the dataset into clusters – k-means clustering – Plot within-groups sum of squares against the number of clusters – Run several times and select the lowest squared error value as the final clustering Identifies anomalous clusters based on cluster statistics – Select clusters with highest RDMA,WDA and coefficient of variation

25 Information Gain Results

26 Cluster Entropy Our conjecture: smaller cluster will have higher entropy 943 real profiles and 47 attack profiles Our conjecture: smaller cluster will have higher entropy 943 real profiles and 47 attack profiles

27 Obfuscated Attacks Noise Injection – involves adding a noise to ratings according to a standard normal distribution multiplied by a constant User Shifting – involves incrementing or decrementing (shifting) all ratings for a subset of items per attack profile by a constant Target Shifting – simply shifting the rating given to the target item from the maximum rating to a rating one step lower, or in the case of nuke attacks increasing the target rating to one step above the lowest rating. Mixed Attack – involves attacking the same target item and producing from different – attack models.

28 Clustering Effectiveness:

29

30 Clustering Effectiveness Average Over Popular (AOP 20%) Attack (Hurley et.al. 2009)

31 Summary of Clustering Results Advantages – Scalable – High degree of accuracy – Detection is effective against “segment” and “AOP” attack – Does not depend on attack models Disadvantages – Detection of the wrong cluster can bias the predicting accuracy – Real attackers might employ strategies fooling the system

Download ppt "Machine learning approaches to Attack Detection in Collaborative Recommender Systems Runa Bhaumik College of Computing and Digital Media DePaul University."

Similar presentations

Recommender System A Brief Survey.

Recommender System A Brief Survey.
- 1 -. - 2 - Agenda  Introduction  Charactarization of Attacks  Attack models  Effectivness analysis  Countermeasures  Privacy aspects  Discussion.

Agenda  Introduction  Charactarization of Attacks  Attack models  Effectivness analysis  Countermeasures  Privacy aspects  Discussion.
Item Based Collaborative Filtering Recommendation Algorithms

Item Based Collaborative Filtering Recommendation Algorithms
DECISION TREES. Decision trees  One possible representation for hypotheses.

DECISION TREES. Decision trees  One possible representation for hypotheses.
1 Machine Learning: Lecture 10 Unsupervised Learning (Based on Chapter 9 of Nilsson, N., Introduction to Machine Learning, 1996)

1 Machine Learning: Lecture 10 Unsupervised Learning (Based on Chapter 9 of Nilsson, N., Introduction to Machine Learning, 1996)
Bamshad Mobasher Center for Web Intelligence School of Computing, DePaul University, Chicago, Illinois, USA.

Bamshad Mobasher Center for Web Intelligence School of Computing, DePaul University, Chicago, Illinois, USA.
Jeff Howbert Introduction to Machine Learning Winter 2012 1 Collaborative Filtering Nearest Neighbor Approach.

Jeff Howbert Introduction to Machine Learning Winter Collaborative Filtering Nearest Neighbor Approach.
1 RegionKNN: A Scalable Hybrid Collaborative Filtering Algorithm for Personalized Web Service Recommendation Xi Chen, Xudong Liu, Zicheng Huang, and Hailong.

1 RegionKNN: A Scalable Hybrid Collaborative Filtering Algorithm for Personalized Web Service Recommendation Xi Chen, Xudong Liu, Zicheng Huang, and Hailong.
Application of Stacked Generalization to a Protein Localization Prediction Task Melissa K. Carroll, M.S. and Sung-Hyuk Cha, Ph.D. Pace University, School.

Application of Stacked Generalization to a Protein Localization Prediction Task Melissa K. Carroll, M.S. and Sung-Hyuk Cha, Ph.D. Pace University, School.
COLLABORATIVE FILTERING Mustafa Cavdar Neslihan Bulut.

COLLABORATIVE FILTERING Mustafa Cavdar Neslihan Bulut.
- 1 -. - 2 - Agenda  Introduction and background  Attacks: dimension and Classification  Attack Types  Effectiveness analysis  Countermeasures 

Agenda  Introduction and background  Attacks: dimension and Classification  Attack Types  Effectiveness analysis  Countermeasures 
Active Learning and Collaborative Filtering

Active Learning and Collaborative Filtering
The Wisdom of the Few A Collaborative Filtering Approach Based on Expert Opinions from the Web Xavier Amatriain Telefonica Research Nuria Oliver Telefonica.

The Wisdom of the Few A Collaborative Filtering Approach Based on Expert Opinions from the Web Xavier Amatriain Telefonica Research Nuria Oliver Telefonica.
Mutual Information Mathematical Biology Seminar 23.5.2005.

Mutual Information Mathematical Biology Seminar
1 Application of Metamorphic Testing to Supervised Classifiers Xiaoyuan Xie, Tsong Yueh Chen Swinburne University of Technology Christian Murphy, Gail.

1 Application of Metamorphic Testing to Supervised Classifiers Xiaoyuan Xie, Tsong Yueh Chen Swinburne University of Technology Christian Murphy, Gail.
1 Learning to Detect Objects in Images via a Sparse, Part-Based Representation S. Agarwal, A. Awan and D. Roth IEEE Transactions on Pattern Analysis and.

1 Learning to Detect Objects in Images via a Sparse, Part-Based Representation S. Agarwal, A. Awan and D. Roth IEEE Transactions on Pattern Analysis and.
Personalizing the Web: Building effective recommender systems

Personalizing the Web: Building effective recommender systems
1 Jun Wang, 2 Sanjiv Kumar, and 1 Shih-Fu Chang 1 Columbia University, New York, USA 2 Google Research, New York, USA Sequential Projection Learning for.

1 Jun Wang, 2 Sanjiv Kumar, and 1 Shih-Fu Chang 1 Columbia University, New York, USA 2 Google Research, New York, USA Sequential Projection Learning for.
Ensemble Learning: An Introduction

Ensemble Learning: An Introduction
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Similar presentations

Ads by Google