Skip to content

Yueeeeeeee/RecSys-Extraction-Attack

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

adversarial

adversarial

 
 

dataloader

dataloader

 
 

datasets

datasets

 
 

model

model

 
 

pics

pics

 
 

trainer

trainer

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

attack.py

attack.py

 
 

config.py

config.py

 
 

distill.py

distill.py

 
 

requirements.txt

requirements.txt

 
 

retrain.py

retrain.py

 
 

train.py

train.py

 
 

utils.py

utils.py

 
 

Repository files navigation

Introduction

The RecSys-Model-Extraction-Attack repository is the PyTorch Implementation of RecSys 2021 Paper Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

We propose an data-free model extraction and adversarial attack framework against sequential recommender systems. We perform attacks in two stages. (1) Model extraction: with the proposed autoregressive synthetic data, we extract the black-box model to a white-box recommender via distillation. (2) Downstream attacks: we attack the black-box model with adversarial samples generated by the white-box recommender. Experiments show the effectiveness of our data-free model extraction and downstream attacks on sequential recommenders in both profile pollution and data poisoning settings.

Citing

Please cite the following paper if you use our methods in your research:

@inproceedings{yue2021black,
  title={Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction},
  author={Yue, Zhenrui and He, Zhankui and Zeng, Huimin and McAuley, Julian},
  booktitle={Proceedings of the 15th ACM Conference on Recommender Systems},
  year={2021}
}

Requirements

PyTorch, pandas, wget, libarchive-c, faiss-cpu, tqdm, tensorboard. For our running environment see requirements.txt

Train Black-Box Recommender Models

python train.py

Excecute the above command (with arguments) to train a black-box model, select datasets from Movielens 1M/20M, Beauty, Games, Steam and Yoochoose. Availabel models are NARM, SASRec and BERT4Rec. Trained black-box recommenders could be found under ./experiments/model-code/dataset-code/models/best_acc_model.pth

Extract trained Black-Box Recommender Models

python distill.py

Excecute the above command (with arguments) to extract a white-box model, white-box model can also be chosen from NARM, SASRec and BERT4Rec. Trained models could be found under ./experiments/distillation_rank/distillation-specification/dataset-code/models/best_acc_model.pth

Attack trained Black-Box Recommender Models

python attack.py

Run the above command (with arguments) to perform profile pollution attacks, logs will be save under ./experiments/attack_rank/distillation-specification/dataset-code/attack_bb_metrics.json

Poison trained Black-Box Recommender Models

python retrain.py

Run the above command (with arguments) to perform data poisoning attacks, retrained model and logs will be save under ./experiments/retrained/distillation-specification/dataset-code/

Performance

Recommender systems are first trained as black-box models, these are used to generate sythetic data for white-box model distillation, followed by profile pollution and data poisoning attacks based on white-box model weights, for training details please refer to our paper.

Black-Box and Extracted Models

Profile Pollution Performance

Data Poisoning Performance

Acknowledgement

During the implementation we base our code mostly on Transformers from Hugging Face and BERT4Rec by Jaewon Chung. Many thanks to these authors for their great work!

About

[RecSys 2021] PyTorch Implementation of Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Resources

Readme
Activity

Stars

33 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages