Security and Privacy issues

in Recommender Systems

By
Ayush Sharma

What is a Recommender System?

Recommender systems are a subclass of information filtering
system that seek to predict the 'rating' or 'preference' that user
would give to an item.
Recommender systems have become extremely common in recent
years, and are applied in a variety of applications. The most
popular ones are probably movies, music, news, books, research
articles, search queries, social tags, and products in general.
However, there are also recommender systems for experts, jokes,
restaurants, financial services.

Users trust on Recommender

Systems
Recommender systems require two types of trust
from their users.
First, the users must trust that the system will
protect their information appropriately.
Second, the user must trust that the
recommendations are accurate.

Violation of users trust

Violations of users trust in a recommender
system comes in three flavors:
Exposure: Undesired access to personal user
information.
Bias: Manipulation of users recommendations to
inappropriately change the items that are
recommended.
Sabotage: Intentionally reducing the
recommendation accuracy of a recommender.

Value and Privacy Risks of

Information
A personalized recommendation algorithm requires input
from the user population in order to make
recommendations. Providing more input potentially
increases recommendation accuracy, but also increases the
risk of unwanted exposure of personal information.
When a user provides information to a recommender, two
broad questions arise.
1) What value is gained?
2) What exposure is risked?

Gain in Value
The purpose of information collected by a
recommender is to differentiate a user from her peers.
Some pieces of data are inherently more valuable than
others thus, are better at differentiating among users.
Providing a recommender with data may produce
diminishing returns. That is, perhaps once a certain
amount is known about a user, obtaining further
information is only marginally useful.

Exposure Risk
When a user divulges his personal information, there is
a direct risk that someone will learn information that
the user wished to keep private.
Combinations of attributes may be highly identifying.
Such combinations are sometimes called a quasiidentifier to differentiate them from directly identifying
information like social security number. Personal
preferences like those expressed to many recommender
systems may also turn out to be a quasi-identifier.

Recommendation Bias
Bias may be to increase (push) or decrease
(nuke) the visibility of other items. There are
many ways to bias a recommender system.
One such attack is Shilling attack which attempts
to manipulate the systems recommendations for a
particular item by submitting misrepresented
opinions to the system.

Motivation for Shilling Attacks

One of the primary uses for a recommender system
is to help people make decisions. Naturally, this
makes recommender systems very interesting to
people with vested interests in what people choose.
An underhanded and perhaps cheaper way to
increase recommendation frequency is to
manipulate the system into doing so by executing a
shilling attack.

Random Bot and Average Bot

A Random Bot attacker rates all the items in the
system with the mean x out of y and a z deviation.
The intuition behind this is that making random
ratings within a certain average interval will allow the
attacker to have a high influence in making
predictions for other users. Depending on the
objective of the attack, the items in the target set are
rated with the minimum rating (for nuke attack) or
maximum rating (for push attack).

Average Bot
An Average Bot attacker is more effective but
requires knowledge of the average rating for each
item in the system.
Each Average Bot attacker rates the items outside
the target set randomly, following a normal
distribution with a mean equal to the average
rating for that item, thus becoming more similar
to the real users than the Random Bot.

Detecting Profile Injection Attacks

Time series
Vulnerability
Clustering
Profile Characteristics

References
Do You Trust Your Recommendations? An Exploration Of
Security and Privacy Issues in Recommender Systems by
Shyong K Tony Lam, Dan Frankowski, and John Riedl
http://files.grouplens.org/papers/lam-etrics2006-security.pdf
Towards the Next Generation of Recommender Systems:A
Survey of the State-of-the-Art and Possible Extensions by
Gediminas Adomavicius and Alexander Tuzhilin
Preventing shilling attacks in online recommender systems
by Paul-Alexandru Chirita Wolfgang Nejdl Cristian Zamfir(
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.
1.60.1540&rep=rep1&type=pdf
)

References
Profile Injection Attack Detection for Securing
Collaborative Recommender Systems by Chad
Williams.(
http://citeseerx.ist.psu.edu/viewdoc/downlo
ad?doi=10.1.1.162.2966&rep=rep1&type=pdf
)
Detecting Profile Injection Attacks in
Collaborative Recommender Systems by Robin
Burke, Bamshad Mobasher, Chad Williams,
Runa Bhaumik(
http://citeseerx.ist.psu.edu/viewdoc/downlo
ad?rep=rep1&type=pdf&doi=10.1.1.87.2235
)