Defending Collaborative Filtering Recommenders via Adversarial Robustness Based Edge Reweighting

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

User-based collaborative filtering (CF) relies on a user-user similarity graph, making it vulnerable to profile injection (shilling) attacks that manipulate neighborhood relations to promote (push) or demote (nuke) target items. In this work, we propose an adversarial-robustness-based edge reweighting defense for CF. We first assign each user-user edge a non-robustness score via spectral adversarial robustness evaluation, which quantifies the edge sensitivity to adversarial perturbations. We then attenuate the influence of non-robust edges by reweighting similarities during prediction. Extensive experiments demonstrate that the proposed method effectively defends against various types of attacks.


💡 Research Summary

The paper addresses a fundamental vulnerability of user‑based collaborative filtering (CF) systems: their reliance on a user‑user similarity graph makes them susceptible to profile‑injection (shilling) attacks that manipulate neighborhood relations to artificially promote (push) or demote (nuke) target items. Existing defenses fall into two categories: (i) detection and removal of malicious users, which depends on handcrafted assumptions about attack behavior and often requires labeled malicious data, and (ii) adversarial training of the recommender (e.g., APR‑style methods), which can degrade performance on clean data and suffers from a known robustness‑accuracy trade‑off.

To overcome these limitations, the authors propose a graph‑level defense that directly evaluates the robustness of each edge in the user similarity graph and attenuates the influence of edges that are deemed non‑robust. The method consists of four phases:

  1. User similarity graph construction (Gₓ) – Build a weighted k‑nearest‑neighbor (k‑NN) graph from training ratings using cosine similarity, clip negative similarities to zero, and apply mean‑centering only on observed entries.

  2. Reference manifold construction (Gᵧ) – Compute a user embedding either via spectral embedding of Gₓ’s Laplacian or via truncated SVD of the user‑item matrix. In the embedding space, construct an auxiliary unweighted k‑NN graph that captures a “clean” geometric structure of users.

  3. Spectral adversarial robustness evaluation (Spade) – Let Lₓ and Lᵧ be the Laplacians of Gₓ and Gᵧ. Form the generalized Laplacian operator L⁺ᵧLₓ and compute its s largest eigenvalues ζ₁…ζₛ together with the corresponding eigenvectors v₁…vₛ. Assemble the matrix Vₛ =
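
Phase 1 above (the weighted k-NN user similarity graph Gₓ), sketched as an added example that is not the paper's code. It assumes mean-centering is applied before the cosine step and that the k-NN graph is symmetrized. The function names, the value of k and the ratings are constructed for illustration.

```python
import math

def mean_center(ratings):
    """Subtract each user's mean over observed entries only; missing items stay absent."""
    out = {}
    for user, items in ratings.items():
        mu = sum(items.values()) / len(items) if items else 0.0
        out[user] = {i: r - mu for i, r in items.items()}
    return out

def cosine(a, b):
    """Cosine similarity of two sparse vectors; 0.0 when either has zero norm."""
    dot = sum(v * b[i] for i, v in a.items() if i in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def build_knn_graph(ratings, k):
    """Return {frozenset({u, v}): weight} for the symmetrized weighted k-NN graph."""
    centered = mean_center(ratings)
    users = sorted(centered)
    edges = {}
    for u in users:
        # Clip negative similarities to zero, as phase 1 describes.
        sims = [(max(0.0, cosine(centered[u], centered[v])), v)
                for v in users if v != u]
        # Keep the k strongest strictly positive neighbours of u.
        top = sorted((s for s in sims if s[0] > 0),
                     key=lambda s: (-s[0], s[1]))[:k]
        for w, v in top:
            # Assumption: an edge exists if either endpoint selects the other.
            edges[frozenset((u, v))] = w
    return edges

# Constructed ratings: alice/bob share tastes, carol mirrors alice, dave is sparse.
RATINGS = {
    "alice": {"i1": 5, "i2": 4, "i3": 1},
    "bob":   {"i1": 4, "i2": 5, "i3": 2},
    "carol": {"i1": 1, "i2": 2, "i3": 5},
    "dave":  {"i1": 2, "i3": 4, "i4": 5},
}

if __name__ == "__main__":
    for edge, w in sorted(build_knn_graph(RATINGS, k=2).items(), key=lambda e: -e[1]):
        print(sorted(edge), round(w, 4))
```

The edge weights returned here are the similarities that the later phases would score and attenuate.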

