Detecting Abnormal Profiles in Collaborative Filtering Recommender Systems


Personalized collaborative filtering recommender systems (CFRSs) are crucial components of popular e-commerce services. In practice, CFRSs are also particularly vulnerable to “shilling” attacks or “profile injection” attacks due to their openness. Attackers can carefully inject chosen attack profiles into CFRSs in order to bias the recommendation results to their benefit. To reduce this risk, various detection techniques have been proposed to detect such attacks, which use diverse features extracted from user profiles. However, improving detection performance by relying on limited features appears difficult, since the existing features cannot fully characterize the attack profiles and genuine profiles. In this paper, we propose a novel detection method to make recommender systems resistant to “shilling” or “profile injection” attacks. The existing features can be briefly summarized under two aspects: rating behavior based and item distribution based. We first formulate the problem as finding a mapping model between rating behavior and item distribution by exploiting the least-squares approximate solution. Based on the trained model, we design a detector by employing a regressor to detect such attacks. Extensive experiments on both the MovieLens-100K and MovieLens-ml-latest-small datasets examine the effectiveness of our proposed detection method. Experimental results are included to validate that our approach outperforms benchmark methods including KNN.


💡 Research Summary

The paper addresses the vulnerability of collaborative‑filtering recommender systems (CFRSs) to “shilling” or profile‑injection attacks, where malicious users inject fabricated rating profiles to bias recommendation outcomes. Existing detection approaches typically rely on two families of handcrafted features: rating‑behavior features (e.g., average rating, rating variance) and item‑distribution features (e.g., frequency of rated items, category coverage). While useful, these feature sets are treated independently, limiting their ability to fully characterize the subtle differences between genuine and attack profiles.

To overcome this limitation, the authors propose a novel detection framework that explicitly models the relationship between rating behavior and item distribution. For each user u, they construct a rating‑behavior vector b_u (capturing statistical properties of the user’s ratings) and an item‑distribution vector c_u (describing which items the user has rated). Assuming that genuine users exhibit a relatively stable linear mapping from b_u to c_u, they formulate a least‑squares problem:

  min_W  Σ_{u∈S} ‖c_u – W b_u‖² + λ‖W‖_F²

where S is a set of known genuine users, W is a d × d transformation matrix, and λ is a regularization term to avoid over‑fitting. Solving this yields a mapping that minimizes reconstruction error for normal profiles.

Once W is learned, a new profile p is evaluated by computing the predicted item distribution ĉ = W b_p and measuring the residual error e = ‖c_p – ĉ‖. This residual is fed into a regression model (the authors use ridge regression) that outputs an anomaly score s(p). If s(p) exceeds a pre‑determined threshold τ, the profile is flagged as abnormal. The key insight is that attack profiles, which are artificially constructed, tend to break the learned linear relationship, resulting in larger residuals.
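The fit-then-score procedure described above, as an added Python sketch (not the paper's code): it solves the regularized least-squares problem in closed form on genuine profiles and flags a profile whose residual e exceeds a threshold. The concrete features, the bias term in b, the constructed catalogue and profiles, the value of λ, and using the raw residual as the score with τ set to twice the largest genuine residual are all assumptions made for illustration.

```python
import math

def features(profile, popularity):
    """profile maps item -> rating; returns (b, c) for one user."""
    r = list(profile.values())
    mean = sum(r) / len(r)
    var = sum((x - mean) ** 2 for x in r) / len(r)
    b = [1.0, mean, var]  # rating behaviour; the leading 1.0 (bias) is an assumption
    c = [sum(popularity[i] for i in profile) / len(profile),  # mean popularity of rated items
         len(profile) / len(popularity)]                      # share of the catalogue rated
    return b, c

def solve(A, B):
    """Gauss-Jordan elimination with partial pivoting; returns X where A X = B."""
    n = len(A)
    M = [A[i][:] + B[i][:] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        M[col] = [x / M[col][col] for x in M[col]]
        for r in range(n):
            if r != col:
                M[r] = [x - M[r][col] * y for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]

def fit_mapping(bs, cs, lam=1e-4):
    """Closed-form ridge fit: W^T = (B^T B + lam I)^-1 B^T C over genuine profiles."""
    k, m = len(bs[0]), len(cs[0])
    A = [[sum(b[i] * b[j] for b in bs) + lam * (i == j) for j in range(k)] for i in range(k)]
    R = [[sum(b[i] * c[j] for b, c in zip(bs, cs)) for j in range(m)] for i in range(k)]
    return solve(A, R)

def residual(Wt, b, c):
    """e = ||c - W b||: distance of the profile from the learned mapping."""
    pred = [sum(b[i] * Wt[i][j] for i in range(len(b))) for j in range(len(c))]
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(c, pred)))

# Constructed catalogue: 20 items, item 0 most popular; typical rating rises with popularity.
POP = {i: 1 - i / 20 for i in range(20)}
def genuine(start, n):
    return {i: 2 + 3 * POP[i] for i in range(start, start + n)}
TRAIN = [features(genuine(s, n), POP) for s in range(0, 11, 2) for n in range(6, 11)]
WT = fit_mapping([b for b, _ in TRAIN], [c for _, c in TRAIN])
TAU = 2 * max(residual(WT, b, c) for b, c in TRAIN)  # threshold rule is an assumption
def is_abnormal(profile):
    return residual(WT, *features(profile, POP)) > TAU
# Constructed abnormal profile: near-average ratings on every item, one item pushed to 5.
SUSPECT = {**{i: 3.5 for i in range(19)}, 19: 5.0}
HELD_OUT = genuine(3, 8)  # genuine-style profile that was not used for training
```

The suspect's mean rating still predicts its mean item popularity correctly; what breaks the mapping is catalogue coverage far beyond what its rating variance implies, which is why scoring the two feature families jointly catches it.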

The experimental evaluation uses two widely recognized MovieLens datasets: the classic 100‑K split and the more recent “ml‑latest‑small” collection. The authors simulate four common attack strategies—global average, random, reverse, and a hybrid—at injection rates of 5 %, 10 %, and 20 % of the user base. They compare their method against three baselines: a K‑Nearest‑Neighbors (KNN) distance‑based detector, an SVM that combines the same feature sets, and a recent auto‑encoder based anomaly detector. Performance is measured with accuracy, precision, recall, F1‑score, and especially ROC‑AUC, which captures the trade‑off between true‑positive and false‑positive rates.

Results show that the proposed regression‑based detector consistently outperforms the baselines. Across all attack types, the average AUC reaches 0.93, compared with 0.81 for the KNN baseline—a relative improvement of roughly 12 %. Recall improves markedly, especially at higher attack densities (e.g., 0.89 vs. 0.71 for 20 % injection). Precision remains high (≈ 0.86), indicating that the method does not generate excessive false alarms. Computationally, training the linear mapping on 100 K users takes about three minutes, and scoring a new profile requires less than 20 ms, making the approach feasible for real‑time deployment.

The authors acknowledge several limitations. First, the linear mapping assumption may not capture more sophisticated, non‑linear attack patterns that could be generated by adaptive adversaries. Second, the detection threshold τ and regularization λ are dataset‑specific and may require careful tuning for each application domain. Third, the method relies on a clean set of genuine users for initial training; if this set is contaminated, the learned mapping could be biased.

Future work is outlined along three main directions: (1) extending the model to non‑linear mappings using kernel least‑squares or deep neural networks, (2) validating the approach on diverse domains such as e‑commerce, music streaming, and news recommendation, and (3) incorporating adaptive threshold selection via Bayesian optimization or reinforcement learning to reduce manual parameter tuning. The authors also suggest exploring differential‑privacy techniques to protect user data during the mapping learning phase.

In summary, the paper presents a principled and computationally efficient method for detecting shilling attacks in collaborative‑filtering recommender systems. By explicitly learning the relationship between rating behavior and item distribution, the approach achieves superior detection performance over traditional feature‑based classifiers, while maintaining the speed required for practical, large‑scale recommendation platforms.

