LLM-Based User Simulation for Low-Knowledge Shilling Attacks on Recommender Systems

📝 Paper Summary

Adversarial Attacks on Recommender Systems LLM-based User Simulation

Agent4SR employs LLM-based agents to simulate realistic user behaviors (rating and reviewing) to successfully attack recommender systems with minimal knowledge of system internals.

Core Problem

Traditional shilling attacks rely on rigid heuristics or require inaccessible internal system data, making them easy to detect or hard to deploy, while often neglecting the impact of textual reviews.

Why it matters:

Recommender systems drive revenue and exposure; manipulating them hurts fairness and trust
Existing rule-based fake profiles lack behavioral diversity and are easily flagged by anomaly detection
GAN-based methods require internal training data (rating matrices) that real-world attackers rarely possess

Concrete Example: In a standard push attack, a heuristic method might just assign maximum ratings to a target item and random ratings to others. This creates a statistical anomaly (e.g., a 'block' in the rating matrix) that detection algorithms easily spot. Agent4SR instead generates a coherent persona that buys filler items logically and writes plausible reviews, blending in while still boosting the target.

Key Novelty

Agent4SR (Agent for Shilling Recommendation)

Models fake users as autonomous LLM agents with distinct personality traits derived from the target item, rather than just rows in a matrix
Uses a target feature propagation strategy in reviews: the agent subtly mentions the target item's key features (e.g., 'great battery life') in reviews for *other* unrelated products to prime the system's semantic understanding
Operates in a low-knowledge setting, requiring no access to the target system's training data or model weights

Architecture

The overall framework of Agent4SR.

Evaluation Highlights

Outperforms baseline low-knowledge attacks (e.g., Random, Bandwagon) on HR@10 and NDCG@10 across three datasets (Beauty, Toys, Sports)
Maintains high attack effectiveness even when faced with defense mechanisms, degrading less than heuristic baselines
Achieves higher stealth scores (lower detection rates) compared to rule-based attacks due to semantically consistent reviews and realistic rating distributions

Breakthrough Assessment

7/10

Novel application of LLM agents for adversarial purposes in RS. Moves beyond rating-only attacks to include semantic manipulation via reviews, highlighting a new class of security risks.

⚙️ Technical Details

Problem Definition

Setting: Shilling attack on Top-N Recommender Systems

Inputs: Target item i_t, set of genuine items I, minimal knowledge of item popularity

Outputs: Set of fake user profiles U_a with interactions (ratings and reviews) to inject into the RS training data

Pipeline Flow

Profile Module (constructs agent persona)
Memory Module (retrieves past interactions)
Action Module (generates ratings and reviews)

System Modules

Profile Module

Generate consistent personality traits and preferences for the fake user

Model or implementation: GPT-4 (implied, or similar LLM)

Memory Module

Store and retrieve the agent's historical interactions to ensure consistency

Model or implementation: Retrieval mechanism

Action Module

Decide on item selection, rating value, and review content

Model or implementation: LLM-based generator

Novel Architectural Elements

Target Feature Propagation strategy within the Action Module (injecting target-specific semantics into non-target interactions)
Personality inference mechanism in Profile Module driven specifically by the target item to maximize attack impact

Modeling

Base Model: GPT-3.5-turbo (used for agent simulation in experiments)

Comparison to Prior Work

vs. Random/Bandwagon: Agent4SR uses semantic review generation and consistent personas rather than statistical heuristics
vs. AUSH/LegUP: Agent4SR is 'low-knowledge' (requires no rating matrix access), whereas GAN methods require training on internal system data
vs. R-Trojan: R-Trojan relies on internal data for training review generators; Agent4SR uses LLM prompting without internal data access

Limitations

Relies on API access to commercial LLMs (cost and rate limits)
Inference time for generating reviews is significantly higher than heuristic attacks
Effectiveness depends on the RS model using textual reviews (impact is lower on pure CF models)
No statistical significance tests reported for the improvements

📊 Experiments & Results

Evaluation Setup

Inject fake users into training set, retrain RS, measure target item rank

Benchmarks:

Amazon Beauty (Product Recommendation)
Amazon Toys (Product Recommendation)
Amazon Sports (Product Recommendation)

Metrics:

HR@10 (Hit Ratio)
NDCG@10 (Normalized Discounted Cumulative Gain)
Statistical methodology: Not explicitly reported in the paper

Key Results

Benchmark	Metric	Baseline	This Paper	Δ
Main performance comparison showing Agent4SR's attack effectiveness (Push Attack) against baselines on pure Collaborative Filtering (MF) and Review-based (DeepCoNN) models.
Amazon Beauty (DeepCoNN)	HR@10	0.0521	0.0815	+0.0294
Amazon Beauty (MF)	HR@10	0.0412	0.0589	+0.0177
Ablation study demonstrating the contribution of the review generation component.
Amazon Toys (DeepCoNN)	HR@10	0.0650	0.0782	+0.0132

Experiment Figures

Attack performance (HR@10) vs. number of fake users (Attack Size).

Main Takeaways

Agent4SR consistently outperforms heuristic low-knowledge attacks (Random, Bandwagon) across multiple datasets and RS architectures.
The attack is most effective against review-aware recommender systems (e.g., DeepCoNN) because it exploits the semantic channel, but still works on pure rating systems due to high-quality rating patterns.
The generated fake profiles are stealthier (harder to detect) than rule-based profiles because the reviews and rating distributions more closely resemble human behavior.
Ablation studies confirm that the 'Target Feature Propagation' strategy (mentioning target features in filler reviews) is a key driver of performance.

📚 Prerequisite Knowledge

Prerequisites

Basics of Recommender Systems (Collaborative Filtering)
Shilling Attacks (Push/Nuke strategies)
Large Language Models (LLMs) and Prompting

Key Terms

shilling attack: Injecting fake user profiles into a recommender system to manipulate the ranking of specific items (promote or demote)

push attack: An attack designed to increase the recommendation likelihood/ranking of a target item

nuke attack: An attack designed to decrease the recommendation likelihood/ranking of a target item

low-knowledge attack: An attack scenario where the adversary has no access to the system's training data, model architecture, or parameters

filler items: Items selected by a fake user to rate alongside the target item, chosen to make the profile look genuine and obscure the attack intent

HR@K: Hit Ratio at K—the proportion of test users for whom the target item appears in the top-K recommendations

NDCG@K: Normalized Discounted Cumulative Gain at K—a metric that accounts for the position of the target item in the recommendation list (higher is better)

LLM: Large Language Model—a deep learning model trained on vast text data, capable of generating human-like text and performing reasoning tasks