Using the beta distribution technique to detect attacked items from collaborative filtering

Abstract

A recommendation system is based on the user and the items, providing appropriate items to the user and effectively helping the user to find items that may be of interest. The most commonly used recommendation method is collaborative filtering. However, in this case, the recommendation system will be injected with false data to create false ratings to push or nuke specific items. This will affect the user’s trust in the recommendation system. After all, it is important that the recommendation system provides a trusted recommendation item. Therefore, there are many algorithms for detecting attacks. In this article, it proposes a method to detect attacks based on the beta distribution. Different researchers in the past assumed that the attacker only attacked one target item in the user data. This research simulated an attacker attacking multiple target items in the experiment. The result showed a detection rate of more than 80%, and the false rate was within 16%.

Keywords

Shilling attacks recommendation systems beta distribution push attack nuke attack

1. Introduction

E-commerce has substantially changed the business environments by introducing applications that strive to provide a wide variety of products and information to consumers. However, information overload makes choosing the right products difficult for consumers. Fortunately, the development of data analysis techniques has enabled researchers to find efficient ways to help consumers to identify their preference by utilizing recommendation systems [25, 35].

With the prevalence of recommendation systems, people have become accustomed to recommendation lists, but because these systems usually collect ratings data from the public, some users may manipulate the ratings to promote or demote certain products. For example, many companies hire employees to monitor the ratings and comments posted on websites to emphasize their products’ strengths or to distinguish their products from those of their rivals. Rivals may also unscrupulously use false ratings, opinions, or comments to degrade their competitors’ products. As a result, these artificial manipulations may cause consumers to develop biased opinions on certain products, which can further affect their friends [17, 32]. Some famous examples have been publicized recently. Amazon updated its commodity evaluation system in order to maintain credibility and fight back false ratings [2]. As the world’s largest PC game trading platform, Steam was affected by false comments and ratings [22].

The artificial manipulation of recommendation systems based on collaborative filtering has been classified into shilling attacks and profile injection attacks [15]. Shilling attacks consist of two techniques: push attacks that promote a particular product by providing high ratings, and nuke attacks that deliberately provide low ratings. Both push and nuke attacks encourage the recommendation systems to recommend certain products, which influences the customers’ purchasing intention [15].

To cope with these types of malicious attacks, researcher use several algorithms to detect shilling attacks. They can be categorized as user-based and item-based methods [20]. User-based detection algorithms view user rating profiles as rater – item matrices to identify abnormal raters [15, 30]. These methods aim to identify malicious users, but not the items under attack. Therefore, the systems may know that some users are suspicious, but do not know which items are under attack. In contrast, item-based methods detect the attacked items according to an item – rater matrix. Bhaumik et al. [30] proposed an item-based method based on statistical process control (SPC) to calculate the upper and lower bounds of ratings for each item. Items with ratings above the upper bound or below the lower bound were identified as being attacked. However, this method requires a homogenous distribution and density of the rating data to produce the correct answer. As a result, SPC-based methods have to partition data into several categories according to the rating distributions. Detection accuracy is very sensitive to the appropriateness of the partition. To make things worse, categories without a sufficient amount of data have to be given up.

Lam and Riedl [33] proposed that the impact of attacks on the item-based is more robust than that on the user-based [24]. This present research presents a method for detecting an attacked item without dividing the data. This method is based on the beta distribution of the item ratings. The proposed method does not require any data partitioning and does not give up any category due to low data volume. The experiment results showed that the recall can exceed 80%, while keeping the false rate as low as 16%. For comparison, the detection rate of SPC can reach 80%, but the false rate can exceed 60% in some categories.

The remainder of this paper is organized as follows. Section 2 provides a review of the existing literature concerning malicious attacks on recommender systems. Section 3 describes the proposed method in detail. Section 4 outlines the experimental procedure and results. Finally, Section 5 offers a discussion and conclusion.

2. Literature review

2.1 Modes of shilling attack

The term shilling attack was first proposed in 2002 [33]. It is used to falsify a user’s rating data through some attack models, allowing the data of fake users to mix in with the normal data in the rating matrix. Figure 1 shows the format of typical attacking data [1, 5, 10, 21, 30]. Given m items in the targeted recommender system, the attack data consist of ${\bm{m}}$ -dimensional score vectors [31]. The contents of the attack mode are composed of $i_{t}$ , $I_{S}$ , $I_{F}$ and $I_{{\o}}$ . The target item of the attack is denoted as $i_{t}$ . $I_{S}$ forms the set of selected items which is filled with scores similar to those given by the target customers. $I_{F}$ is a set of filler items, which are randomly nominated and the set is filled with the average score of the items. The purpose of $I_{F}$ is to confuse the attack detection methods. $I_{{\o}}$ is the set of unscored items. $\delta$ , $\theta$ , and $\gamma$ are the scoring assignment functions for $I_{S}$ , $I_{F}$ , and $i_{t}$ , respectively. A different attack mode will provide items from $I_{S}$ , $I_{F}$ , and $i_{t}$ for different ratings.

Figure 1.

An attack profile.

Shilling attacks may incorporate two types of profile injections: push and nuke. Push attacks promote scores of $i_{t}$ , while nuke attacks demote them. According to how $I_{S}$ and $I_{F}$ are selected and how $\delta$ and $\theta$ are defined, several attack modes have been proposed [1, 8, 9, 10, 14, 21, 24, 30, 34].

2.1.1 Random attack mode

$I_{F}$ is randomly chosen and filled with the average value of the entire system. The average value of the system can be obtained without difficulty. Thus, this attack is easier to conduct than other types of attacks, but its overall effect is limited.

2.1.2 Average attack mode

The average attack mode randomly selects $I_{F}$ , but fills in the average rating of each item to the selected items. Because the means of the items’ ratings are relatively more difficult to obtain, the implementation of this type of attacks is challenging and requires more domain knowledge than other modes. However, this attack mode is the most effective among all such modes.

2.1.3 Bandwagon attack mode

With a bandwagon attack, popular items are chosen for $I_{S}$ to simulate the profile generated by ordinary users. Maximum rates are assigned to items in $I_{S}$ . Items in $I_{F}$ are randomly chosen just as in the average attack mode but the scores are filled with the average grade of the entire system. This attack is easy to implement as not much knowledge of rates is needed.

2.1.4 Segment attack mode

Instead of affecting the general public, segment attacks are designed to affect a specific group preferring particular items collected in $I_{S}$ . Items in $I_{F}$ are again randomly chosen. A segment attack only needs to know the preference but not the scores of these items.

2.1.5 Love/hate attack mode

A love/hate attack is simpler than the previous attack mode, given the highest (lowest) rating for the target item and the highest (lowest) rating for the other items for push (nuke) attacks. Items in $I_{F}$ are randomly chosen.

Among these types of attacks, the most commonly utilized are the random and average attack modes. As the average attack mode is more efficient and difficult to detect than the other modes [9, 23], in this study we dealt with the push and pull attack, which assigns an irregular volume of positive and negative ratings in $\gamma$ , respectively.

2.2 Detection method

Numerous studies have been proposed to detect fake user selection [5, 11, 15, 21, 27, 30]. Chung et al. [15] used the beta distribution of the probability method to detect attackers However, this present paper uses the same beta distribution method to find out which item was attacked. O’Mahony et al. [27] proposed the detection of attackers using proximity selection in order to filter suspicious users through clustering. The cluster center is regularly checked for changes, and if any abnormal data affect the cluster center, then they are regarded as attack data [27]. Furthermore, a PCA based method was proposed to filter anomaly profiles [5]. The ratings of items in the user profiles were interpreted as features. As the outliers (namely, the attack profiles) and the general profiles shared low commonality, their correlation should be zero [5, 15, 28]. Another approach utilizes classification techniques to classify profiles [21]. In addition, Zhang et al. [18] adopted the concept of LDA (latent Dirichlet allocation) to group users’ rating data and to find out the attacker. However, attacker profiles are difficult to obtain because attacker information is a small fraction of the total user information.

Item-based approaches strive to detect items under attack. Bhaumik et al. [30] utilized statistical process control (SPC) to detect outliers which were attach profiles. Items are separated into five groups according to the sparsity and rates received. Sparsity is classified into low, medium, or high density. Rates received are classed as low or high average. The combinations of sparsity and rates received create six possible groups. After discarding the group of high density and low average, the remaining five groups are preserved from outlier detection. The average ratings of normal items are assumed to be within the range of three deviations centered at the average ratings of the group to which the items belong.

Many current research studies cover the detection of false review comments with the text mining approach. This is because consumers use reviews to understand products as the basis for their consumption decisions, and so reviews of products on e-commerce websites have become important [32]. According to research, there are many spam reviews on websites such as Amazon.com and hopZilla.com [17]. This not only affects the brand manufacturers, but also the recommender system provided by e-commerce vendors. However, the identification of false comments is not the subject of this study. This research aims to detect items under attack without having to collect balanced numbers of training cases for classification purposes.

3. Proposed methodology

3.1 Beta distribution

In this research, a beta distribution was used to detect the attack items in the system. A beta distribution is a probability distribution based on past events that uses a statistical approach to predict future behavior [29].

The following formula shows the probability density function (PDF) of beta distributions [3, 4]:

$\displaystyle f(x|\alpha,\beta)=\left(\frac{\Gamma\left({\alpha+\beta}\right)}% {\Gamma\left(\alpha\right)\Gamma\left(\beta\right)}\right)p(x)^{\alpha-1}(1-p(% x))^{\beta-1}$ (1)

where 0 $<p<$ 1, $\alpha>$ 0, $\beta>$ 0 and $p$ denotes the prior probability that indeed occur. Through two parameters, namely $\alpha$ and $\beta$ , it is possible to produce various shapes of the distribution plots with a continuous probability density function (PDF) on (0, 1). The expectation of the variable $x$ given the two parameters $\alpha$ and $\beta$ is expressed as follows:

$\displaystyle E(x)=\alpha/(\alpha+\beta)$ (2)

When observed in a randomized trial as binary independent events, p represents the number of successes and q represents the number of failures, $\alpha=p+1$ and $\beta=q+1$ . Then, Eq. (2) can be expressed as follows:

$\displaystyle E(x)=\mu=(p+1)/(p+q+2)$ (3)

Changes in the parameters $\alpha$ and $\beta$ in the beta distribution will affect the shape of the graph. When $\alpha=\beta$ , the graph will show a dome-shaped shape (Fig. 2. show $a=$ 2, $b=$ 2). When $\alpha>\beta$ will be left skewed, the main body of the distribution will be concentrated on the right (Fig. 2. show $a=$ 5, $b=$ 2). Conversely, when $\alpha<\beta$ , a right skewness appears (Fig. 2. show $a=$ 2, $b=$ 5). If both $\alpha$ and $\beta$ are less than 1, then the PDF is U-shaped (Fig. 2. show $a=$ 0.5, $b=$ 0.5). For a further introduction on the application of the beta distribution, please refer to [3, 4]

When applied to recommendation system ratings, a high average rating produces a beta distribution that is skewed to the right. Conversely, when the average rating is low, the beta distribution is skewed to the left. When the numbers of the high and the low scores are approximately equal, the beta distribution is evenly distributed. Figure 2 shows the beta distribution PDF.

Figure 2.

Beta distribution PDF.

An item under attack should have a seriously skewed distribution. That is, the distribution of the item should be very different from the distributions of the others. In other words, the average expected value of all the items should become an extreme value on the distribution of the attacked item. Therefore, in this study, several beta distributions were defined to identify abnormal items that treated the average expected values as outliers.

3.2 Converting user – item matrix to positive and negative matrices

Definition 1: Markings of items.

Let $U=\{u_{1},u_{2},u_{3},\ldots,u_{m}\}$ be a set of users, $I=\{i_{1},i_{2},i_{3},\ldots,i_{n}\}$ be a set of items, $T=\{t_{1},\ldots,t_{z}\}$ be a set of ratings, and $T^{+}=\{t_{1}^{+},\ldots,t_{p}^{+}\}$ and $T^{-}=\{t_{1}^{-},\ldots,t_{q}^{-}\}$ , where $T^{+}\in T$ and $T^{-}\in T$ .

a.
$M_{U\times I}({u,i})=t$ is a user item matrix
b.
$M_{U\times I\times T^{+}}^{+}\left({u,i}\right)=1\ \textit{if}\ M_{U\times I}% \left({u,i}\right)\in T^{+}$
c.
$M_{U\times I\times T^{-}}^{-}\left({u,i}\right)=1\ \textit{if}\ M_{U\times I}% \left({u,i}\right)\in T^{-}$
d.
Let $x_{I}$ be the random variable of binary markings based on $M^{+},M^{-}$ ; the expected marking is as follows:

$\displaystyle E_{M^{+},M^{-}}\left({x_{I}}\right)=\frac{\mathop{\sum}\nolimits% _{i\in I}\mathop{\sum}\nolimits_{u\in U}M_{U\times I\times T^{+}}^{+}\left({u,% i}\right)+1}{\mathop{\sum}\nolimits_{i\in I}\mathop{\sum}\nolimits_{u\in U}M_{% U\times I\times T^{+}}^{+}\left({u,i}\right)+\mathop{\sum}\nolimits_{i\in I}% \mathop{\sum}\nolimits_{u\in U}M_{U\times I\times T^{-}}^{-}\left({u,i}\right)% +2}$ (4)

With the above definition, different beta distributions can be derived from different combinations of $T^{+}$ and $T^{-}$ .

Table 1
Sample use-item matrix

$i_{1}$ $i_{2}$ $i_{3}$ $i_{4}$

$u_{1}$ 3 5 3

$u_{2}$ 3 4 3

$u_{3}$ 5 4 3

$u_{4}$ 5 3

$u_{5}$ 2 3 5

$u_{6}$ 1 3 4

$u_{7}$ 1 5

Table 2
$M_{U\times I}^{{}^{\prime}+}$ positive user-item matrix

$i_{1}$ $i_{2}$ $i_{3}$ $i_{4}$

$u_{1}$ 1 1 1

$u_{2}$ 1 1 1

$u_{3}$ 1 1 1

$u_{4}$ 1 1

$u_{5}$ 1 1

$u_{6}$ 1 1

$u_{7}$ 1

Table 3
$M_{U\times I}^{{}^{\prime}-}$ negative user – item matrix

$i_{1}$ $i_{2}$ $i_{3}$ $i_{4}$

$u_{1}$ 1 1

$u_{2}$ 1 1

$u_{3}$ 1

$u_{4}$ 1

$u_{5}$ 1 1

$u_{6}$ 1 1

$u_{7}$ 1

Example 1. Let $I=\{i_{1},i_{2},i_{3},i_{4}\}$ , $U=\{u_{1},u_{2},u_{3},u_{4},u_{5},u_{6},u_{7}\}$ , $T=\{1,2,3,4,5\}$ , $T^{+}=\{3,4,5\}$ and $T^{-}=\{1,2,3\}$ . Table 1 shows a sample $M^{\prime}_{U\times I}$ . The corresponding $M_{U\times I\times T^{+}}^{{}^{\prime}+}$ and $M_{U\times I\times T^{-}}^{{}^{\prime}-}$ are shown in Tables 2 and 3s respectively.

$\displaystyle E_{M^{{}^{\prime}+},M^{{}^{\prime}-}}\left(x_{I}\right)=\left({1% 6+1}\right)/\left({16+11+2}\right)=0.5862$
3.3 Detecting exceptional items with beta distributions

	$i_{1}$	$i_{2}$	$i_{3}$	$i_{4}$
$u_{1}$		3	5	3
$u_{2}$	3	4	3
$u_{3}$	5		4	3
$u_{4}$		5	3
$u_{5}$	2		3	5
$u_{6}$	1	3		4
$u_{7}$	1			5

	$i_{1}$	$i_{2}$	$i_{3}$	$i_{4}$
$u_{1}$		1	1	1
$u_{2}$	1	1	1
$u_{3}$	1		1	1
$u_{4}$		1	1
$u_{5}$			1	1
$u_{6}$		1		1
$u_{7}$				1

	$i_{1}$	$i_{2}$	$i_{3}$	$i_{4}$
$u_{1}$		1		1
$u_{2}$	1		1
$u_{3}$				1
$u_{4}$			1
$u_{5}$	1		1
$u_{6}$	1	1
$u_{7}$	1

Given a beta distribution of item $i$ , $f_{i}$ , the binary trial result of $p$ and $q$ , the relationship between upper bound, $U B$ , and the upper quantile, QU and the lower bound, LB, and the lower quantile, QL, can be expressed as follows:

$\displaystyle\textit{UB}_{i}=\int_{\textit{QU}}^{1}f(x|p_{i}+1,q_{i}+1)$ (5) $\displaystyle\textit{LB}_{i}=\int_{0}^{\textit{QL}}f(x|p_{i}+1,q_{i}+1)$ (6)

Example 2. Based on Example 1, if the quantile is set at 0.3, the corresponding bounds will be as shown in Table 4.

Table 4

Upper and lower bounds with quantile $=$ 0.3

	$i_{1}$	$i_{2}$	$i_{3}$	$i_{4}$
UB	0.4586	0.7237	0.6873	0.7587
LB	0.2763	0.5415	0.5224	0.5925

In this study, an item is exceptional if the associated rating exhibits an abnormal distribution, which is defined as the expected values of the entire user-item matrix falling outside the upper or lower bounds.

Table 5 shows the two exceptional items that exclude $E_{M^{\prime+},M^{{}^{\prime}-}}\left({x_{I}}\right)$ from their bounds.

Table 5

Identifying exceptional items based on Table 4

	$i_{1}$	$i_{2}$	$i_{3}$	$i_{4}$
$u_{1}$		3	5	3
$u_{2}$	3	4	3
$u_{3}$	5		4	3
$u_{4}$		5	3
$u_{5}$	2		3	5
$u_{6}$	1	3		4
$u_{7}$	1			5
r	2	4	5	5
s	4	2	3	2
UB	0.4586	0.7237	0.6873	0.7587
LB	0.2763	0.5415	0.5224	0.5925
Exceptional item	V			V

3.4 Identifying attacked items using combinations of various beta distributions

Because of the features of a beta distribution, the shape of the beta PDF is different for different $\alpha$ and $\beta$ . When $\alpha>\beta$ , the PDF of the distribution will be concentrated on the right side, and vice versa. The shape of the beta PDF is shown in Fig. 2.

Such features are utilized to describe the skewness of the preference scores with five different combinations. The first one represents the overall ratings. The fourth one tries to catch a bandwagon attack. The second and third attempt to prevent the nuke and push attacks, respectively. The fifth was designed to detect extreme attacks that used the highest and the lowest scores to wedge the attacks.

Definition 2: Five rating mechanisms.

Let $T=\left\{{t_{1},\ldots,t_{z}}\right\}$ be the set of ratings. The five sets of corresponding $T^{+}$ and $T^{-}$ are as follows:

1.
$T_{1}^{+}=\left\{t_{\overline{z/2}},\ldots,t_{z}\right\},T_{1}^{-}=\left\{t_{1% },\ldots,t_{\overline{z/2}}\right\}$
2.
$T_{2}^{+}=\left\{t_{\overline{3z/4}},\ldots,t_{z}\right\},T_{3}^{-}=\left\{t_{% \overline{z/2}},\ldots,t_{\overline{3z/4}}\right\}$
3.
$T_{3}^{+}=\left\{t_{\overline{z/4}},\ldots,t_{\overline{z/2}}\right\},T_{4}^{-% }=\left\{t_{1},\ldots,t_{\overline{{z/4}}}\right\}$
4.
$T_{4}^{+}=\left\{t_{\overline{z/2}},\ldots,t_{z-1}\right\},T_{5}^{-}=\left\{t_% {2},\ldots,\overline{t_{z/2}}\right\}$ ,
5.
$T_{5}^{+}=\left\{t_{\overline{z/2}},\ldots,t_{2}\right\},T_{2}^{-}=\left\{{t_{% 1},t_{\overline{z/2}}}\right\}$

where $\underline{z}$ stands for rounding up the operand to the nearest whole number.

Example 3. Given $T=\{1,2,3,4,5\}$ , the five sets of $T^{+}$ and $T^{-}$ can be listed as follows:

1.
$\textit{TS}_{1}:T=\{1,2,3,4,5\}$ , $T^{+}=\{3,4,5\}$ , $T^{-}=\{1,2,3\}$
2.
$\textit{TS}_{2}:T=\{3,4,5\}$ , $T^{+}=\{4,5\}$ , $T^{-}=\{3,4\}$
3.
$\textit{TS}_{3}:T=\{1,2,3\}$ , $T^{+}=\{2,3\}$ , $T^{-}=\{1,2\}$
4.
$\textit{TS}_{4}:T=\{2,3,4\}$ , $T^{+}=\{3,4\}$ , $T^{-}=\{2,3\}$
5.
$\textit{TS}_{5}:T=\{1,3,5\}$ , $T^{+}=\{3,5\}$ , $T^{-}=\{1,3\}$

The pseudocode of the algorithm, called Detection of Items under Attack (DIA) is given in Fig. 3.

Figure 3.
Pseudo-code of rating scores.

3.5 Quality measurement

To examine the accuracy of the detected results, the detection and false rates are defined as follows. The detection rate is the number of attacked items that are correctly detected divided by the total number of attacked items [15]. The false rate is defined as the number of unattacked items identified as attacked divided by the number of items [15].

Definition 3: Detection rate and false rate.

Let DI be the set of detected items and AI be the set of attacked items.

$\displaystyle\text{Detection rate}=\frac{\left|\textit{DI}\cap\textit{AI}% \right|}{\left|\textit{AI}\right|}$ (7) $\displaystyle\text{False rate}=\frac{\left|{\textit{DI}-\textit{AI}}\right|}{% \left|I\right|}$ (8)

4. Experimental evaluation

4.1 Data description

To evaluate the results of the proposed detection method, the MovieLens dataset [19] published by GroupLens was used. This dataset contains 100,000 ratings of 1682 movies by 943 raters. The sparse rate of the rating data is approximately 93.7%. Each rater reviewed at least 20 movies using the whole number scores of 1 to 5. The minimum score of 1 indicates that the rater dislikes the movie, whereas the maximum score of 5 signals that the rater highly approves of the movie. The average rating of all the users is 3.53. The approximately 7% is average number of users rating the item [15]. On average, each movie was rated by 59 users.

4.2 Attack simulation

Referring to prior works [6, 7, 8, 9, 10, 15, 25, 28, 30, 31], we know that attack profiles are generated with the following parameters: types of attacks, filler size, attack size, and attack numbers. The attack type decides whether the attack is a nuke attack or a push attack. The former tries to destroy while the later tries to enhance the reputation of the items being attacked. The attack size is the number of attack profiles injected and is measured as a percentage of the preattack user count [9, 10, 30]. The filler size is the number of unrated cells that were filled with fake ratings when creating the attacking profiles [28]. As on average, 7% of items are rated in normal profiles, the filler size used in the experiment in this study was set around this number. The attack item numbers decided the number of items under attack at the same time.

Based on previous studies, the attack size was set to range from 1% to 10% and the filler sizes were set between 2% and 12% [7, 8, 15, 28, 31].

4.3 Finding the quantile

The quantile of a beta distribution is critical to the detection and false alarm rates. To decide upon a suitable quantile, three experiments with gradually increasing attack and filler sizes were conducted. In the first experiment, the attack and filler sizes were 3% and 4%, respectively; in the second experiment, the attack and filler sizes were 6% and 7%, respectively; and in the third experiment, the attack and filler sizes were 9% and 10%, respectively. In Fig. 4 readers can see that the false rate gradually increased with an increase in the attack sizes. The detection rate was less stable with a relatively good performance at 0.002. As a result, the quantile was set at 0.002.

Figure 4.

Test quantile from 0.001 to 0.009.

4.4 Experimental results

In a previous study [15], the attack-item contained only one item. After finding the optimal quantile, the researchers used the randomly generated attacked item and filled in the highest or the lowest rating according to whether the attack was a push or a nuke attack, respectively. Then, the filler item was selected according to the filler size, and the average rating was filled in. The number of times to be filled in was determined by the attack size. Under the same parameters, the procedure was performed 10 times, and each metric was averaged to obtain the final result. The following experiments were performed separately for the attack size and the filler size.

In the case of a push attack, Fig. 5 displays the detection rate and the false rates when the attack size was increased from 1% to 10% while the filler size was 6%. The detection rate increased with an increase in the attack size and reaches 100%. At the same time, the false rate gradually increased from 10% to 12%.

Figure 5.

Detection and false rates for attack sizes of 1%–10% in the case of a push attack.

In the case of a push attack, for filler sizes between 2% and 12%, Fig. 6 shows that the detection rate was more than 80% and the false rate was approximately 16%. Compared with the variations in attack size, the detection rate was very good. Therefore, the attack size had a significant effect on the detection rate.

Figure 6.

Detection and false rates for filler sizes of 2%–12% in the case of a push attack.

Previous experiments simulated a push attack; thus, this research also experimented with a nuke attack. Figure 7 shows that when the attack size was low, the detection rate was not high, but as the attack size increased, the detection rate also increased to 100%. Moreover, the false rate was maintained at around 12%.

Figure 7.

Detection and false rates for attack sizes of 1%–10% in the case of a nuke attack.

For filler sizes between 2% and 12%, Fig. 8 shows that the detection rate was more than 90% and the false rate was approximately 16%. The detection rate performance was considerably good.

Figure 8.

Detection and false rates for filler sizes of 2%–12% in the case of a nuke attack.

For all the adjustment parameters, the detection rate was more than 80%, and the false rate was relatively stable at approximately 12%–16%. The experiment results showed that under the two attacks of push and nuke, the results for the nuke attack were more stable and better, indicating that the beta distribution method had a better detection rate for nuke attacks. In a number of such attacked items, the attack size affected the detection result. When the attack size was large, the detection rate usually exhibited better results.

4.5 Performance robust

In order to demonstrate the consistence of the proposed method, additional 9 sets experiments were performed. Both nuke and push attacks were tested 9 more times.

Figures 9 and 10 compared and contrasted detection and false rates of the average of the 10 and the first experiment of push attacks. The dark and gray line shows the performance of the first experiment and the average of all experiment, respectively. As readers can find that performance is quite consistent in all 10 cases.

Figure 9.

Performance comparison of push attack for attack size from 1%–10%.

Figure 10.

Performance comparison of push attack for filler sizes from 2%–12%.

Figures 11 and 12 compared and contrasted the performance of nuke attack for the first experiment and the average of the 10 experiments. The result can showed that the performance of the proposed algorithm is very consistent.

Figure 11.

Performance comparison of nuke attack for attack sizes from 1%–10%.

Figure 12.

Performance comparison of nuke attack for filler sizes from 2%–12%.

4.6 Performance comparison

The performance of the proposed method was compared and contrasted with that of SPC [30]. In the original SPC content, the data were grouped and divided into five groups (HDHR, LDLR, LDHR, MDHR, and MDLR) according to the number of ratings and the average rating. Then, it calculated the average rating, standard deviation, etc., of the items to calculate the upper and lower control limits. Finally, it followed the upper and lower control limits to find out which item was being attacked. The detection and false rates on average were approximately 50% and 16%, respectively.

Even though with data grouping, SPC reached a reasonable performance, the division of data lacked theoretical support. In contrast, the proposed method did not require the additional grouping of data. To make a fair comparison, the following experiment therefore did not include the grouping for the SPC method.

In addition to the observation of the attack size, attacked item number, and filler item size, the effect of the SPC on the detection and false rates was investigated.

The attack size and the filler size were varied to compare the proposed method with the SPC. The results for the push attack and the nuke attack are shown in Figs 13 and 14, respectively. Both the methods had detection rates of 80% and above, and in some situations, the beta distribution method had a higher detection rate than SPC did. However, the false rate had clear differences. The false rate of SPC was approximately 60%. Although the SPC had a high detection rate, it had a seriously high false rate. In contrast, the beta distribution method exhibited more stable detection results and a lower false rate.

Figure 13.

Detection and false rates for attack sizes of 1%–10% and filler sizes of 2%–12% in the case of a push attack.

Figure 14.

Detection and false rates for attack sizes of 1%–10% and filler sizes of 2%–12% in the case of a nuke attack.

5. Conclusion

The e-commerce industry is booming. The recommendation system has been applied in various services, and its recommended content influences users’ purchase behaviors. Moreover, because of the open nature of recommendation systems, malicious users may be tempted to use false information to influence the recommendation list, rendering the system misleading. This is an attack on the recommendation system and in the long term may erode users’ trust in it, leading to the recommendations losing significance and a substantial reduction in business-related interests.

Most research thus far has focused on identifying attacking users through an analysis of the user–item matrix [7, 15, 30]. However, this present research proposes a beta distribution method that can detect the attacked items in order to help the recommendation system filter them and improve the process of building recommendation lists. This study analyzes the user–item matrix to identify the attacked items.

The overall detection rate is higher than 80%, and the false rate is approximately 16%, not to changes in the parameters increased and compared to other detection methods are stable. However, the dataset containing 943 users and 1682 movies is substantially smaller than that of commercially used recommendation systems. Therefore, future research should use a larger amount of ratings data for analysis and consider different time series in the rate changes.

References

Bilge

Ozdemir

and Polat

, A novel shilling attack detection method, Procedia Computer Science 31 (2014), 165–174.

Amazon Files Suit against Individuals Offering Fake Product Reviews on Fiverr.com, Retrieved from https://techcrunch.com/2015/10/16/amazon-files-suit-against-individuals-offering-fake-product-reviews-on-fiverr-com/, 2015.

Jøsang

and Ismail

, The beta reputation system, In Proceedings of the 15th Bled Conference on Electronic Commerce Conference, Bled, Slovenia, 2002.

Whitrby

Jøsang

and Indulska

, Filtering out unfair ratings in Bayesian reputation system, In Proceedings of the Third International Joint Conference on Autonomous Agents and Multi Agent Systems, 2004.

Mehta

Hofmann

and Fankhauser

, Lies and propaganda: Detecting spam users in collaborative filtering, In Proceedings of the 12th International Conference on Intelligent User Interfaces, Honolulu Hi USA, 2007.

Mehta

, Unsupervised shilling detection for collaborative filtering, In Proceedings of the 22nd National Conference on Artificial Intelligence, British Columbia Canada, 2007.

Mehta

and Nejdl

, Unsupervised strategies for shilling detection and robust collaborative filtering, User Modeling and User-Adapted Interaction 19 (2009), 65–97.

Mobasher

, Secure personalization: Building trustworthy recommender system, In 10𝑡ℎ DELOS Thematic Workshop on Personalized Access, Profile Management, and Context Awareness in Digital Libraries, Corfu Greece, 2007.

Mobasher

Burke

Bhaumik

and Williams

, Towards trustworthy recommender systems: an analysis of attack models and algorithm robustness, ACM Transactions on Internet Technology 7(4) (2007), 23–38.

10.

Mobasher

Burke

Bhaumik

and Sandvig

J.J.

, Attacks and remedies in collaborative recommendation, IEEE Intelligent System 22(3) (2007), 56–63.

11.

Sun

Luo

Akiyama

Watanabe

and Mori

, PADetective: A systematic approach to automate detection of promotional attackers in mobile app store, Journal of Information Processing 26 (2018), 212–223.

12.

Williams

C.A.

Mobasher

and Burke

, Defending recommender systems detection of profile injection attacks, Service Oriented Computing and Applications 1 (2007), 157–170.

13.

and Luo

, A hybrid item-based recommendation algorithm against segment attack in collaborative filtering systems, In 2011 International Conference on Information Management, Innovation Management and Industrial Engineering, Shenzhen, China, 2011.

14.

Williams

Mobasher

Burke

Sandvig

and Bhaumik

, Detection of obfuscated attacks in collaborative recommender systems, In ECAI’06 Proceedings of the 17th European Conference on Artificial Intelligence, Riva del Garda Italy, 2006.

15.

Chung

C.-Y

Hsu

P.-Y.

and Huang

S.-H.

, βP: A novel approach to filter out malicious rating profiles from recommender systems, Decision Support Systems, 55 (2013), 314–325.

16.

Ramalingam

and Chinnaiah

, Fake profile detection techniques in large-scale online social networks: A comprehensive review, Computers and Electrical Engineering 65 (2017), 165–177.

17.

Lim

Nguyen

V.-A.

Jindal

Liu

and Lauw

, Detecting product review spammers using rating behaviors, In Proceedings of the 19th ACM International Conference on Information and Knowledge Management CIKM ’10, Toronto Canada, 2010.

18.

Zhang

Ling

and Wang

, Unsupervised approach for detecting shilling attacks in collaborative recommender systems based on user rating behaviours, IET Information Security 13(3) (2019), 174–187.

19.

GroupLens Lab, MovieLens Dataset, https://grouplens.org/datasets/movielens/ accessed 15 January 2019.

20.

and Zhang

, Collaborative filtering recommender system in adversarial environment, In Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian China, 2012.

21.

Gunes

Kaleli

Bilge

and Polat

, Shilling attacks against recommender systems: A comprehensive survey, Artificial Intelligence Review 42 (2012), 767–799.

22.

It’s about ethics in user reviews – how to get a positive Steam critique of your game for $5, Retrieved from http://www.pcgamesn.com/its-about-ethics-in-user-reviews-how-to-get-a-positive-steam-critique-for-$5, 2016.

23.

Zou

and Fekri

, A belief propagation approach of detecting smiling attacks in collaborative filtering, In CIKM’13 Proceedings of the 22nd ACM international conference on information & knowledge management, 2013.

24.

Yang

Huang

and Niu

, Defending shilling attacks in recommender systems using soft co-clustering, IEF Information Security, 11(6) (2017), 319–325.

25.

Gao

Ling

Yuan

Xiong

and Yang

, A robust collaborative filtering approach based on user relationships for recommendation systems, Mathematical Problems in Engineering 2014(1) (2014), 1–8.

26.

Pazzani

M.J.

, A framework for collaborative, content-based and demographic filtering, Artificial Intelligence Review 13(5–6) (1999), 393–408.

27.

O’Mahony

M.P.

Hurley

N.J.

and Silvestre

G.C.M.

, Collaborative filtering – safe and sound? Foundations of Intelligent Systems 2871 (2003), 506–510.

28.

Hurley

Cheng

and Zhang

, Statistical attack detection, In Proceedings of the Third ACM Conference on Recommender Systems, ACM Press, 2009.

29.

Johnson

and Beverlin

, Beta Distribution, 2013.

30.

Bhaumik

Williams

Mobasher

and Burke

, Securing collaborative filtering against malicious attacks through anomaly detection, In Proceedings of the 4th Workshop on Intelligent Techniques for Web Personalization, Boston, MA, 2006.

31.

Burke

Mobasher

Williams

and Bhaumik

, Classification features for attack detection in collaborative recommender systems, KDD ’06 Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, ACM Press, 2006.

32.

Dewang

R.K.

and Singh

A.K.

, State-of-art approaches for review spammer detection: A survey, Journal of Intelligent Information Systems 50(2) (2018), 231–264.

33.

Lam

and Riedl

, Shilling recommender systems for fun and profit, Proc. Int. Conf. World Wide Web WWW’04, (2004), 393–402.

34.

Zhou

Wen

Koh

Y.S.

Alam

and Dobbie

, Attack detection in recommender systems based on target item analysis, 2014 International Joint Conference on Neural Networks (IJCNN) 2014, pp. 332–339.

35.

Luo

Xia

and Zhu

, Incremental collaborative filtering recommender based on regularized matrix factorization, Knowledge-Based Systems 27 (2012), 271–280.

36.

and Khoshgoftaar

T.M.

, A survey of collaborative filtering techniques, Advances in Artificial Intelligence 2009 (2009), 19 pages.