Recommender Systems

Attacks and Remedies in Collaborative Recommendation

Bamshad Mobasher, Robin Burke, Runa Bhaumik, and J.J. Sandvig, DePaul University

Publicly accessible user-adaptive systems such as collaborative recommender systems introduce security issues that must be solved if users are to perceive these systems as objective, unbiased, and accurate.

Collaborative-filtering recommender systems are an electronic extension of everyday social recommendation behavior: people share opinions and decide whether or not to act on the basis of what they hear.1 Collaborative filtering lets you scale such interactions to groups of thousands or even millions. However, everyday social recommendation has an advantage over collaborative systems: the recommender has a known stable identity that receivers of recommendations can rely on. Over time, you might come to discount the recommendations of a friend whose tastes have proven incompatible. Anonymous or pseudonymous users of an online system, on the other hand, can multiply their profiles and identities nearly indefinitely.

Consider, for example, the most common form of collaborative recommendation, the user-based k-nearest-neighbor algorithm, using rating profiles. Each user is represented by a set of item ratings, indicating how well the user likes a given item. The system forms a neighborhood of peer users with similar tastes. It then extrapolates the user's predicted rating for a target item from the ratings of his or her peer users.

Because such adaptive systems depend on user profiles, they're subject to manipulation. Consider a hypothetical book recommender system employing a user-based collaborative algorithm.1 A user profile in this system might consist of that user's ratings (on a 1-5 scale) of various books. Alice, having built up a profile from previous visits, returns for new recommendations. Table 1 shows Alice's profile along with profiles of seven genuine users. An attacker, Eve, has inserted attack profiles (attack 1-attack 3) into the system. These attack profiles give high ratings to a particular target item: the book labeled item 6.

Suppose the system is using a simplified user-based collaborative-filtering approach that obtains the predicted ratings for Alice on item 6 by finding Alice's closest neighbor. Without the attack profiles, the most similar user to Alice, using correlation-based similarity, is user 6. The prediction associated with item 6 is 2, essentially stating that Alice will dislike item 6. After the attack, however, the attack 1 profile (a push attack) is most similar to Alice, yielding a predicted rating of 5 for item 6. So, in this example, attack 1 is successful, and the system recommends item 6 to Alice.

Alternatively, Eve might seek to prevent the system from recommending an item - a competitor's product, for example. An attack with this aim is called a nuke attack. Such an attack looks similar to the push attack, but the target item instead receives a low score.

Recent research has tried to quantify collaborative recommender systems' vulnerabilities and to devise more secure approaches.2,3 In this article, we survey some of these results.
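To make the mechanics concrete, here is a minimal sketch of this closest-neighbor prediction scheme in Python. The profile data and names are illustrative (not the actual Table 1 values), and a production system would use a full k-neighborhood rather than a single neighbor:

```python
import math

def pearson(a, b):
    """Pearson correlation between two rating dicts over co-rated items."""
    common = set(a) & set(b)
    if len(common) < 2:
        return 0.0
    ma = sum(a[i] for i in common) / len(common)
    mb = sum(b[i] for i in common) / len(common)
    num = sum((a[i] - ma) * (b[i] - mb) for i in common)
    den = math.sqrt(sum((a[i] - ma) ** 2 for i in common) *
                    sum((b[i] - mb) ** 2 for i in common))
    return num / den if den else 0.0

def predict(target_user, item, profiles):
    """Predict a rating from the single most similar profile that has
    rated the item (the simplified closest-neighbor scheme)."""
    best = max((p for p in profiles.values() if item in p),
               key=lambda p: pearson(target_user, p), default=None)
    return best[item] if best else None

# Illustrative profiles, not the actual Table 1 values.
alice = {1: 5, 2: 2, 3: 3, 4: 3}
profiles = {
    "user6":   {1: 4, 2: 3, 3: 3, 4: 3, 6: 2},
    "attack1": {1: 5, 2: 2, 3: 3, 4: 3, 6: 5},  # mimics Alice, pushes item 6
}
print(predict(alice, 6, profiles))  # prints 5 once the attack is present
```

Because the attack profile copies Alice's ratings exactly, its correlation with her is 1.0, so it displaces any genuine neighbor.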

Attacks

To analyze an algorithm's vulnerability, we must first understand the nature of the attacks against it. We're primarily interested in attacks that aim to produce some economic advantage to the attacker. This might be in the form of more recommendations for the attacker's product or fewer recommendations for a competitor. For simplicity, we assume a single target item that will receive either the attacker's highest-possible rating (a push attack) or the lowest (a nuke attack).

A user profile consists of some number of ratings assigned to products. An attacker will insert multiple profiles under false identities to create an attack, as in the previous example. These attack profiles will include a rating for the target item and some number of other ratings. We measure attack size as a percentage of the number of profiles in the database before the attack. For example, if the database contains approximately 1,000 users, an attack size of 1 percent corresponds to 10 added attack profiles.

Figure 1 shows a generic attack profile. We can think of each profile as assigning ratings to four sets of items:

• a singleton target item, i_t, together with a rating function γ assigning it a rating value;
• a set of selected items, I_S, with particular characteristics determined by the attacker, together with a rating function σ mapping I_S to rating values;
• a set of filler items, I_F, usually chosen randomly, together with a rating function δ mapping I_F to rating values; and
• a set of unrated items, I_∅.

We characterize attack types by how they identify the selected items, what proportion of the remaining items they choose as filler items, and how they assign specific ratings to each set of items. Because the selected item set is small, the filler item set's size mostly determines each profile's size (the total number of ratings). In an attack profile, filler items are chosen randomly and, except in the average attack (described later), are rated randomly around the system mean. The filler items aim to decrease the attack profiles' sparsity so that they're more likely to match users in the database. In our experiments, we report filler size as a proportion of the size of I (that is, the set of all items).

Several common attack types are of both theoretical and practical interest.

Random attack
This attack generates profiles that randomly choose the items to rate and their ratings, except for the target item. This attack is obviously simple to implement but has limited effectiveness.
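As a hedged illustration of this profile structure, the following sketch builds one push-attack profile with randomly chosen, randomly rated filler items, following the layout of figure 1. The system mean and standard deviation are stand-ins for values an attacker would have to estimate:

```python
import random

def random_attack_profile(all_items, target_item, filler_fraction,
                          system_mean=3.6, sd=1.1, r_max=5):
    """Build one push-attack profile: randomly chosen filler items (I_F)
    rated around the system mean (delta), and the target item i_t given
    the maximum rating (gamma). Unrated items are simply omitted (I_null)."""
    candidates = [i for i in all_items if i != target_item]
    filler = random.sample(candidates, int(len(all_items) * filler_fraction))
    profile = {i: min(r_max, max(1, round(random.gauss(system_mean, sd))))
               for i in filler}
    profile[target_item] = r_max
    return profile
```

An attack is then a batch of such profiles inserted under distinct pseudonymous identities; at a 1-percent attack size against a 1,000-user database, roughly ten of them.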

Table 1. An example of a push attack favoring the target item, item 6. [Rows: Alice, users 1-7, attacks 1-3, and a final row giving each item's correlation with item 6. Columns: each profile's ratings for items 1-6 and its correlation with Alice. As the text describes, Alice rates items 1-4 as 5, 2, 3, and 3 and has no rating for item 6; user 6, her closest genuine neighbor (correlation 0.94), rates item 6 as 2; and attack 1 matches Alice's ratings exactly (correlation 1.00) while rating item 6 as 5.]

[Figure 1 shows the profile as four blocks of items and their ratings:]

I_S = {i_1^S, ..., i_k^S}, rated σ(i_1^S), ..., σ(i_k^S): ratings for the k selected items
I_F = {i_1^F, ..., i_l^F}, rated δ(i_1^F), ..., δ(i_l^F): ratings for the l filler items
I_∅ = {i_1^∅, ..., i_v^∅}, rated null, ..., null: unrated items in the attack profile
i_t, rated γ(i_t): rating for the target item

Figure 1. A generic attack profile. An attacker can inject a number of attack profiles targeting an item i_t by providing ratings for a specific combination of items.

Average attack
An average attack creates profiles sharing the central tendencies of the system's users by drawing its ratings from the rating distribution associated with each item. This attack is effective but requires that the attacker has fairly detailed and complete knowledge of the data set underlying the recommendation algorithm.

Probe attack
If a recommender system is configured to produce predicted ratings for items, attackers can fill out their profiles by asking the system to generate predicted ratings for some item set. These ratings will naturally be similar to those given by users in a particular peer neighborhood and will increase the similarity between the attack profiles and those of neighboring users.
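A sketch of average attack profile generation, assuming the attacker has somehow obtained per-item rating means and standard deviations (the `item_stats` structure is a hypothetical stand-in for that knowledge):

```python
import random

def average_attack_profile(item_stats, target_item, filler_fraction, r_max=5):
    """Average attack: draw each filler rating from an approximation of
    that item's own rating distribution, so the profile mimics the user
    population. `item_stats` maps item -> (mean rating, std deviation)."""
    candidates = [i for i in item_stats if i != target_item]
    filler = random.sample(candidates, int(len(item_stats) * filler_fraction))
    profile = {}
    for i in filler:
        mean, sd = item_stats[i]  # requires per-item knowledge of the data set
        profile[i] = min(r_max, max(1, round(random.gauss(mean, sd))))
    profile[target_item] = r_max
    return profile
```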

Bandwagon attack
Often, an attacker can determine an item's popularity independently of the recommender system. In a bandwagon attack (also known as a popular attack4), the attacker associates the attacked item with a handful of well-known popular items. So, the attacker need not know the ratings distribution required by the average attack. This achieves many of the average attack's benefits without the knowledge requirement.

Segment attack
An attacker might be interested primarily in a particular set of users - a product's likely buyers, for example. A segment attack, which increases recommendations of the target product to these specific users, might be just as valuable as an attack that raises the overall recommendation rate.


Experimental Methodology and Evaluation Metrics

Our experiments used the publicly available MovieLens 100K data set (www.cs.umn.edu/research/GroupLens/data). The data set consists of 100,000 ratings on 1,682 movies by 943 users. All ratings are integer values between 1 and 5, where 1 is the lowest and 5 is the highest. Our data included all the users who rated at least 20 movies. To ensure the results' generality, we randomly selected 50 movies representing a wide range of average and number of ratings. We attacked each movie individually and determined the average for all experiments. The experiments, in fact, underestimated an attacker's likely impact on a recommender system, because an attacker probably wouldn't push an item that already has a high average rating or nuke one that most users already dislike.

For prediction shift experiments, we used a neighborhood size of k = 20 in the k-nearest-neighbor algorithm. In our experiments with attack profile classification, we discarded neighbors classified as attack profiles. The experiments used a 50-user sample mirroring the overall distribution of users in terms of number of movies seen and ratings provided. The following results represent averages over the combinations of test users and test movies.

The prediction shift metric measures the change in an item's predicted rating before and after attack.1 Let p(u, i) be the rating predicted by the system for a given user/item pair, and let p′(u, i) be the prediction for the same pair after the system has been attacked:

PredShift(u, i) = p′(u, i) − p(u, i)

We average this quantity over all the test users to arrive at an average prediction shift for that item. We average these values once again over all items to derive a measure of the attack's effectiveness.

The hit ratio metric is the average likelihood that a top-N recommender will recommend the pushed item. Let R_u be the set of top-N recommendations for user u. For each push attack on item i, we evaluate the value of a recommendation hit for user u, denoted by H_ui, as 1 if i ∈ R_u and as 0 otherwise. We define hit ratio as the number of hits across all users in the test set divided by the number of users in the test set:

HitRatio_i = (Σ_{u ∈ U} H_ui) / |U|

We then calculate the average hit ratio as the sum of the hit ratios for attacks on each item i across all items divided by the number of items.

Reference

1. M. O'Mahony et al., "Collaborative Recommendation: A Robustness Analysis," ACM Trans. Internet Technology, vol. 4, no. 4, 2004, pp. 344-377.
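The two metrics translate directly into code. This sketch assumes simple dictionary inputs (user-to-prediction and user-to-recommendation-list mappings), which are illustrative rather than the authors' actual experimental harness:

```python
def prediction_shift(before, after):
    """Average prediction shift for one item: the mean of
    p'(u, i) - p(u, i) over all test users. `before` and `after`
    map each test user to the item's predicted rating."""
    return sum(after[u] - before[u] for u in before) / len(before)

def hit_ratio(top_n, item):
    """Hit ratio for a pushed item: the fraction of test users whose
    top-N list contains it. `top_n` maps each user to a list of items."""
    return sum(1 for recs in top_n.values() if item in recs) / len(top_n)
```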

Reverse-bandwagon and love/hate attacks
You could adapt the attacks we've just described to "nuke" a target item. However, reverse-bandwagon and love/hate attacks are designed especially for nuke attacks. The reverse-bandwagon attack is a variation of the bandwagon attack. In this attack type, the selected items tend to be rated poorly by many users. The attack assigns low ratings to these items and the target item. This tactic associates the target item with widely disliked items, increasing the probability that the system will generate low predicted ratings for it.

A love/hate attack also has no knowledge requirements. It consists of attack profiles in which the target item receives the minimum rating while filler items receive the maximum rating. Surprisingly, this simple profile-generation method is extremely effective as a nuke attack.
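A minimal sketch of love/hate profile generation; note that it needs nothing beyond the item universe and the rating scale's extremes:

```python
import random

def love_hate_profile(all_items, target_item, filler_fraction,
                      r_min=1, r_max=5):
    """Love/hate nuke attack: the target item gets the minimum rating,
    while randomly chosen filler items get the maximum rating."""
    candidates = [i for i in all_items if i != target_item]
    filler = random.sample(candidates, int(len(all_items) * filler_fraction))
    profile = {i: r_max for i in filler}
    profile[target_item] = r_min
    return profile
```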

Vulnerabilities

Collaborative-recommendation algorithms typically share some vulnerabilities, which we measure using prediction shift and hit ratio. These metrics measure an attack's impact on predicted ratings and recommendation frequency, respectively, for the target item. (See the sidebar for a discussion of our experimental methodology and evaluation metrics.)


Figure 2a shows the results of an experiment comparing the prediction shift resulting from various attacks against the k-nearest-neighbor-based collaborative-recommendation algorithm.5 The attacks include the average attack (a 3-percent filler size), the bandwagon attack (using one frequently rated item and a 3-percent filler size), the random attack (a 6-percent filler size), and the segmented attack (using popular horror movies as selected items and a 3-percent filler size). We chose these filler sizes because they're the most powerful versions of each attack. Although the average attack works well, several other attacks, such as the bandwagon and segment attacks, work as well without the system-specific knowledge required by the average attack.

Item-based collaborative filtering is an alternative formulation of the collaborative-recommendation concept.6 This algorithm computes predictions based on similarity between items rather than between users. The technique can improve collaborative filtering's scalability, and it's more robust against attack than the user-based formulation.2 This is because in the average attack, the injected

profiles aim to maximize the similarity between real and attack users. However, the segment attack is specifically designed to maximize the similarity between the target item and items that the attacker anticipates the likely buyers will prefer. So, the attacker targets the biased recommendation at precisely those users who might be susceptible to it.

Although the segment attack has an effect (on the basis of its average impact on all users), it doesn't approach the average attack's effectiveness. However, the segment attack assumes that recommendations made to in-segment users are more useful to the attacker than recommendations to other users. So, we must focus on the in-segment users - that is, users who have rated the segment items highly and presumably are desirable customers for similar pushed items. For example, an attacker using a "horror" segment in a movie recommender system would presumably be interested in pushing a new horror movie. Figure 2b compares the segment attack's impact within the targeted user segment and within the set of all users. Although the segment attack was designed specifically as an attack against the item-based algorithm, it's also effective against the user-based algorithm.


Figure 3 shows experimental results for various types of nuke attacks on the user-based algorithm. Despite the minimal knowledge required for the love/hate attack, it's the most effective against the user-based algorithm. For the item-based algorithm, the average and reverse-bandwagon nuke attacks are the most effective (results not shown).7 This is interesting because the average push attack isn't particularly effective against the item-based algorithm.

The initial research on collaborative systems' security properties demonstrated conclusively that attackers could manipulate these systems' results.2,3,7 Michael O'Mahony and his colleagues take this analysis one step further to show that such results can yield economic gains for attackers, even if the system requires that users purchase items before they rate them.4


Responses

What's an appropriate response to collaborative recommendation's security vulnerabilities? You could make creating a profile more difficult or expensive. This would be counterproductive in many cases, because a collaborative system depends on a large, diverse profile database. Squeezing out all but the most dedicated users will limit the recommendations' effectiveness. Such a move might not deter attackers in any case, because their expected return on investment increases when the database is sparse.

You can respond in several other ways to profile injection attacks. You could


• try to develop more robust alternatives to memory-based collaborative-filtering algorithms,
• base neighborhood formation on properties less susceptible to attack (such as explicit trust judgments), or
• try to detect and defeat attackers before they cause harm.

Recommender system researchers have explored each of these approaches.

Algorithmic approaches
These approaches aim not to prevent biased profiles but to minimize their effects. We focus on two distinct approaches:

• Model-based algorithms build a model of the user profiles for recommendation.
• Hybrid algorithms combine knowledge-based and collaborative-recommender components using semantic knowledge to augment the social network.


Figure 2. A comparison of push attacks against the (a) user-based and (b) item-based algorithms.

Neither approach relies strictly on user profiles to generate predictions.

Model based
Traditionally, researchers and practitioners have used model-based algorithms to alleviate scalability problems associated with memory-based recommender systems. Building a model of the data set allows offline processing for the most rigorous similarity calculations. Because model-based approaches focus on aggregate abstractions of detailed user profiles, they might improve stability and robustness against profile injection attacks.

Elsewhere, we considered recommendation algorithms that cluster similar users into user segments.8

The algorithm represents a user segment as an aggregate profile that it compares to an active user. It generates a recommendation based on each aggregate profile rather than the original profile data. Although such techniques don't classify a particular segment as an attack, the hope is that an aggregate profile dominated by an attack won't be highly similar to any active user. So, this approach isolates the attack from the system and diminishes the attack's effectiveness.

A standard model-based collaborative-filtering algorithm uses a clustering algorithm such as k-means to partition users into k groups that are close to each other based on a similarity measure. Our results have shown that k-means slightly improves stability and robustness.



Figure 3. A comparison of nuke attacks against the user-based algorithm.


Figure 4. The hit ratio for an average attack using a 5-percent filler size and 15-percent attack size. PLSA stands for probabilistic latent semantic analysis.

We've developed a second algorithm to infer hidden relationships among groups of users using probabilistic latent semantic analysis. PLSA is a fuzzy approach, in that each user has a degree of association with every user segment.7 This lets authoritative users exercise greater influence on recommendation. Our results show that PLSA significantly improves stability and robustness against all attack types. In addition, the PLSA-based algorithm achieves recommendation accuracy comparable to the k-nearest-neighbor algorithm.

Figure 4 presents the hit ratio for an average attack using a 5-percent filler size and 15-percent attack size. Clearly, PLSA is more robust than k-means or k-nearest neighbor. Even with a recommendation size of 50 items, PLSA doesn't recommend an attacked item more than 25 percent of the time, compared to nearly 100 percent for each of the other algorithms. Other clustering algorithms (such as unsupervised niche clustering9) might offer still greater protection against attack.
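As an illustration of segment-based recommendation, here is a rough sketch using scikit-learn's k-means. It is not the algorithm evaluated in the article; in particular, it crudely represents missing ratings as zeros, which a careful implementation would avoid:

```python
import numpy as np
from sklearn.cluster import KMeans

def segment_predict(ratings, active, item, k=8, seed=0):
    """Cluster users into k segments, represent each segment by its
    aggregate (mean) profile, and predict the active user's rating for
    `item` from the most similar aggregate profile.
    `ratings`: users x items array, 0 where a rating is missing.
    `active`: the active user's rating vector (same item indexing)."""
    model = KMeans(n_clusters=k, n_init=10, random_state=seed).fit(ratings)
    aggregates = model.cluster_centers_        # one profile per segment
    rated = active > 0                         # compare on rated items only
    sims = aggregates[:, rated] @ active[rated]
    sims /= (np.linalg.norm(aggregates[:, rated], axis=1)
             * np.linalg.norm(active[rated]) + 1e-9)
    return aggregates[np.argmax(sims), item]
```

The intuition the article describes carries through: a handful of attack profiles absorbed into a large aggregate shifts the segment's mean profile only slightly, so the attack's contribution to any one prediction is diluted.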

Hybrid
We can also minimize an attack's influence by de-emphasizing the collaborative component. Hybrid recommendation combines multiple types of recommenders and is a promising approach for stable, robust recommender systems. Several classes of recommender systems are compatible with collaborative filtering. A content-based recommender induces a classifier based on an active user's ratings, producing recommendations on that basis.10 A knowledge-based recommender reasons about the fit between a user's need and the available products' features.11

We've proposed a semantically enhanced collaborative hybrid algorithm integrating semantic information with item-based collaborative recommendation.12 This hybrid approach extends item-based similarity by using two separate item-similarity measures. One measure uses the standard item-based collaborative-filtering approach of measuring item similarities on the basis of user ratings. The second measure uses structured semantic knowledge about items, such as item attributes, concept labels, and textual features, to calculate content similarities. The resulting similarity measure is a linear combination of the collaborative and semantic similarities. Such an approach can attain comparable prediction accuracy to item-based k-nearest neighbor while dramatically reducing the impact of profile injection attacks.7
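A sketch of the combined-similarity idea, with cosine similarity standing in for whatever measures the actual system uses and an illustrative weighting parameter alpha:

```python
import numpy as np

def item_similarities(ratings, attributes, alpha=0.5):
    """Linear combination of rating-based and semantic item-item
    similarities. `ratings` is users x items (0 = missing); `attributes`
    is items x features (for example, binary genre or keyword flags)."""
    def cosine_matrix(m):
        unit = m / (np.linalg.norm(m, axis=1, keepdims=True) + 1e-9)
        return unit @ unit.T
    sim_collab = cosine_matrix(ratings.T)     # items compared via co-ratings
    sim_semantic = cosine_matrix(attributes)  # items compared via content
    return alpha * sim_collab + (1 - alpha) * sim_semantic
```

Because attackers can inject ratings but not rewrite an item's attributes, the semantic term anchors the combined similarity against profile injection.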

Incorporating trust
Several recent studies focus on trust in recommendation from different perspectives. One perspective involves the explicit calculation and integration of trust and reputation in the recommendation framework, as recent work on trust-aware collaborative filtering has demonstrated.13 This study considers a framework allowing for eliciting trust values among users. User reputation, computed by propagating trust values, informs the filtering process. This study shows that a trade-off exists between recommendation coverage and recommendation accuracy, but it lacks a comparison with a standard collaborative-filtering algorithm. In addition, it doesn't investigate the trust-based algorithm's robustness in the face of attack.

John O'Donovan and Barry Smyth introduce trust models in collaborative filtering to improve accuracy.14 They show that trust-based collaborative-filtering algorithms can be even more susceptible to profile injection attacks because attacking profiles can actually reinforce mutual opinions during the trust-building process. In a later study, they propose solving this problem by modifying the trust-building process.15 Their new approach reduces prediction shift by 75 percent, compared to standard collaborative-filtering algorithms.

Still, trust approaches suffer from the problem of coverage. Part of a collaborative system's appeal is that it can provide serendipity - that is, it can find unexpected recommendations that users wouldn't discover on their own. Collaborative recommender systems need large populations of potential peers to increase the probability that users will find others that share their tastes and can provide interesting and unexpected recommendations. If peers are restricted to those that can be highly trusted, the system can't form large neighborhoods. However, if the system needs to form large neighborhoods, it's difficult to prevent attackers from creeping in.

Attack detection
Because collaborative-recommender systems must be open to user input, it's difficult to design a system that can't be attacked. So, it's necessary to detect malicious users as well as to identify items that are under attack. Recent research has aimed at detecting and preventing profile injection attacks' effects.

Profile classification
This approach involves identifying suspicious profiles and discounting their contribution toward predictions. Such an approach's success depends entirely on how you define a "suspicious" profile. Paul-Alexandru Chirita and his colleagues proposed several metrics for analyzing malicious users' rating patterns and introduced an algorithm for detecting such attacks.16 We've examined techniques that improve on this approach to detect attacks conforming to the attack models we discussed earlier.17 If we can reliably detect attacks conforming to our models of effective attacks, attackers will have to use attacks of lower effectiveness.

We use a supervised classification approach to detect and respond to profile injection attacks. We compute statistics over the profile data and use attribute-reduction techniques to create a lower-dimensional training set. This training set combines user profile data and the attack profiles generated using our attack models. We label each profile as being part of an attack or as coming from a genuine user. We then create a binary classifier based on this set of training data using three types of attributes:

• Generic attributes, modeled on basic descriptive statistics, attempt to capture some of the characteristics that will tend to make an attacker's profile look different from a genuine user's.
• Model-specific attributes attempt to detect characteristics of profiles that are generated by specific attack models.
• Intraprofile attributes aim to detect concentrations across profiles.

Details on these attributes appear elsewhere.18 We omit any profile classified as an attack from the predictions.

Figure 5 shows our classifier's precision in detecting attacks using model-specific features. Additional experiments (not shown here) indicate that the detection algorithm produced high recall values across all attack types. The classifier misclassified few authentic users as attacks. Excluding such misclassified users from collaborative filtering could reduce the predictions' accuracy. The overall results show that classifiers built using the features Robin Burke and his colleagues described18 can effectively detect attacks, and that this detection approach can improve the recommender's stability under most attack scenarios.
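The following sketch illustrates the overall supervised pipeline with two stand-in features; the published attribute set18 is considerably richer, and the classifier choice here is arbitrary:

```python
import numpy as np
from sklearn.neighbors import KNeighborsClassifier

def profile_features(profile, item_means):
    """Two illustrative generic attributes (not the published feature set):
    mean absolute deviation of the profile's ratings from each item's
    average, and the profile length (number of ratings)."""
    devs = [abs(r - item_means[i]) for i, r in profile.items()]
    return [sum(devs) / len(devs), len(profile)]

def train_detector(profiles, labels, item_means):
    """Fit a binary classifier on labeled genuine and generated attack
    profiles; profiles it later flags are omitted from prediction."""
    features = np.array([profile_features(p, item_means) for p in profiles])
    return KNeighborsClassifier(n_neighbors=5).fit(features, labels)
```

The training labels come cheaply because the attack side of the training set is synthesized from the attack models themselves.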


Figure 5. The precision of a model-specific classifier for different attack types, with an attack size of 1 percent.


Figure 6. A control chart showing a new item’s average ratings. Where an item’s ratings fall outside the upper limit, an attack involving the item might be taking place.

Anomaly detection
An alternative approach is to use anomaly-detection techniques to focus on items with suspicious trends. One such technique is based on statistical process control. SPC is used for long-term monitoring of feature values related to a process. Once you've chosen or constructed a feature of interest, you can estimate the feature's distribution and automatically monitor future observations. Control charts are used routinely to monitor quality in SPC. Figure 6 shows a control chart for an item's average ratings. A new item's average rating falling outside the upper limit might indicate a possible attack involving the item. We've shown that this approach can detect items that are likely to be under attack.19
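A sketch of the control-chart idea: estimate limits from the average ratings of comparable items and flag new items that fall outside them. The conventional three-sigma limits are an assumption, not necessarily the article's exact construction:

```python
import numpy as np

def control_limits(category_averages, n_sigma=3):
    """Estimate lower and upper control limits from the average ratings
    of comparable items (for example, items in the same density and
    average-rating category), as mean +/- n_sigma standard deviations."""
    mu, sigma = np.mean(category_averages), np.std(category_averages)
    return mu - n_sigma * sigma, mu + n_sigma * sigma

def flag_push_attack(new_item_ratings, limits):
    """Signal a possible push attack when a new item's average rating
    exceeds the upper control limit."""
    lower, upper = limits
    return np.mean(new_item_ratings) > upper
```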

However, not all items share the same rating distribution. Intuitively, items with few ratings or a low average rating are easier for attackers to manipulate. On the other hand, attacks against items with many ratings and a high average rating are harder to detect because users have already rated these items highly. To account for these variances, we categorize items (movies, in our experiments) on the basis of two statistical characteristics: density (number of ratings) and average rating, as table 2 shows for the MovieLens data. We then partition our data set into five subcategories:

• low density, low average rating;
• low density, high average rating;
• medium density, low average rating;
• medium density, high average rating; and
• high density, high average rating.


Table 2. Characteristics of movies used in our experiments.

Characteristic        Description
Low density           The number of ratings is between 25 and 40.
Medium density        The number of ratings is between 80 and 120.
High density          The number of ratings is between 200 and 300.
Low average rating    The average rating is less than 3.0.
High average rating   The average rating is greater than 3.0.


Figure 7. The precision of the control-limit algorithm for all movie categories at varying push attack sizes.

We didn't analyze high-density, low-average-rating items because the MovieLens data set contained insufficient examples. Figure 7 shows the detection algorithm's overall precision against all movie categories for push attacks. The results suggest that detecting push attacks for high-density, highly rated items is difficult but that the approach effectively identifies attacks against the more vulnerable low-density items.

The results from various detection methods show that no single method completely eliminates the threat from attacks. We envision combining these techniques to create a comprehensive detection framework.

In some sense, the operators of large e-commerce sites have known of collaborative recommendation's vulnerabilities all along. They've introduced additional mechanisms on top of user ratings, such as written reviews and trust measures in particular users, as well as mechanisms to establish reviewers' identities more securely. The profusion of these measures should tell us both that these sites believe their recommendation components are extremely important and that they're aware of how that capability might be misused. Recent research has quantified this intuitive notion of the vulnerabilities and explored how we might secure these systems. Algorithmic approaches, trust measures, and attack detection all show promise for building more secure recommender systems.

Acknowledgments
The US National Science Foundation Cyber Trust program supported this research in part under grant IIS-0430303.

References

1. J.B. Schafer et al., "Collaborative Filtering Recommender Systems," to be published in The Adaptive Web: Methods and Strategies of Web Personalization, P. Brusilovsky, A. Kobsa, and W. Nejdl, eds., LNCS 4321, Springer, 2007.

2. S. Lam and J. Riedl, "Shilling Recommender Systems for Fun and Profit," Proc. 13th Int'l WWW Conf. (WWW 04), ACM Press, 2004, pp. 393-402.

3. M. O'Mahony et al., "Collaborative Recommendation: A Robustness Analysis," ACM Trans. Internet Technology, vol. 4, no. 4, 2004, pp. 344-377.

4. M.P. O'Mahony et al., "Attacking Recommender Systems: The Cost of Promotion," Proc. Workshop on Recommender Systems at the 17th European Conf. Artificial Intelligence (ECAI 06), 2006, pp. 24-28.

5. J. Herlocker et al., "An Algorithmic Framework for Performing Collaborative Filtering," Proc. 22nd ACM Conf. Research and Development in Information Retrieval (SIGIR 99), ACM Press, 1999, pp. 230-237.

6. B. Sarwar et al., "Item-Based Collaborative Filtering Recommendation Algorithms," Proc. 10th Int'l World Wide Web Conf. (WWW 01), ACM Press, 2001, pp. 285-295.

7. B. Mobasher et al., "Toward Trustworthy Recommender Systems: An Analysis of Attack Models and Algorithm Robustness," to be published in ACM Trans. Internet Technology, vol. 7, 2007.

8. B. Mobasher, R. Burke, and J.J. Sandvig, "Model-Based Collaborative Filtering as a Defense against Profile Injection Attacks," Proc. 21st Nat'l Conf. Artificial Intelligence (AAAI 06), AAAI Press, 2006, pp. 1388-1393.

9. O. Nasraoui and R. Krishnapuram, "An Evolutionary Approach to Mining Robust Multi-Resolution Web Profiles and Context Sensitive URL Associations," Int'l J. Computational Intelligence and Applications, vol. 2, no. 3, 2002, pp. 1-10.

10. R.J. Mooney and L. Roy, "Content-Based Book Recommending Using Learning for Text Categorization," Proc. 5th ACM Conf. Digital Libraries (DL 00), ACM Press, 2000, pp. 195-204.

11. R. Burke, "Knowledge-Based Recommender Systems," Encyclopedia of Library and Information Systems, vol. 69, A. Kent, ed., Marcel Dekker, 2000, pp. 331-370.

12. B. Mobasher, X. Jin, and Y. Zhou, "Semantically Enhanced Collaborative Filtering on the Web," Web Mining: From Web to Semantic Web, B. Berendt et al., eds., LNAI 3209, Springer, 2004, pp. 57-76.

13. P. Massa and P. Avesani, "Trust-Aware Collaborative Filtering for Recommender Systems," On the Move to Meaningful Internet Systems 2004: CoopIS, DOA, and ODBASE, LNCS 3290, Springer, 2004, pp. 492-508.

14. J. O'Donovan and B. Smyth, "Trust in Recommender Systems," Proc. 10th Int'l Conf. Intelligent User Interfaces (IUI 05), ACM Press, 2005, pp. 167-174.

15. J. O'Donovan and B. Smyth, "Is Trust Robust? An Analysis of Trust-Based Recommendation," Proc. 5th ACM Conf. Electronic Commerce (EC 04), ACM Press, 2006, pp. 101-108.

16. P.-A. Chirita, W. Nejdl, and C. Zamfir, "Preventing Shilling Attacks in Online Recommender Systems," Proc. 7th Ann. ACM Int'l Workshop Web Information and Data Management (WIDM 05), ACM Press, 2005, pp. 67-74.

17. R. Burke et al., "Detecting Profile Injection Attacks in Collaborative Recommender Systems," Proc. IEEE Joint Conf. E-Commerce Technology and Enterprise Computing, E-Commerce, and E-Services (CEC/EEE 06), IEEE CS Press, 2006, pp. 23-30.

18. R. Burke et al., "Classification Features for Attack Detection in Collaborative Recommender Systems," Proc. 12th ACM SIGKDD Conf. Knowledge Discovery and Data Mining (KDD 06), ACM Press, 2006, pp. 542-547.

19. R. Bhaumik et al., "Securing Collaborative Filtering against Malicious Attacks through Anomaly Detection," Proc. 4th Workshop Intelligent Techniques for Web Personalization (ITWP 06), AAAI Press, 2006, pp. 50-59.


The Authors

Bamshad Mobasher is an associate professor of computer science and the director of the Center for Web Intelligence at DePaul University's School of Computer Science. His research areas include data mining, Web mining, intelligent agents, machine learning, and computational logic. He received his PhD in computer science from Iowa State University. He serves on the editorial boards of several journals, including User Modeling and User-Adapted Interaction and the Journal of Web Semantics. Contact him at DePaul Univ., School of Computer Science, Telecommunications & Information Systems, 243 S. Wabash Ave., Chicago, IL 60604, [email protected].

Robin Burke is an associate professor in DePaul University’s School of Computer Science, Telecommunications, and Information Systems. His current research is in security and robustness of recommendation algorithms. He received his PhD in computer science from Northwestern University’s Institute for the Learning Sciences. Contact him at DePaul Univ., School of Computer Science, Telecommunications & Information Systems, 243 S. Wabash Ave., Chicago, IL 60604, [email protected].


Runa Bhaumik is a PhD student in DePaul University's School of Computer Science, Telecommunications, and Information Systems, where she works as a research assistant at the Center for Web Intelligence. Her research focuses on security and robustness of recommender systems. She received her MS in mathematics and computer information systems from the University of South Alabama. Contact her at DePaul Univ., School of Computer Science, Telecommunications & Information Systems, 243 S. Wabash Ave., Chicago, IL 60604, [email protected].


J.J. Sandvig is a PhD student in DePaul University's School of Computer Science, Telecommunications, and Information Systems and a senior software architect at Insurance Noodle. His research interests include recommender systems, case-based reasoning, and machine learning. He received his MS in computer science from DePaul University. Contact him at DePaul Univ., School of Computer Science, Telecommunications & Information Systems, 243 S. Wabash Ave., Chicago, IL 60604, [email protected].



