DIFshilling: A Diffusion Model for Shilling Attacks

Abstract

Recommender systems (RSs) are widely used in various domains, such as e-commerce, social media, and online content platforms, to guide users’ decision-making by suggesting items that match their preferences and interests. However, these systems are highly vulnerable to shilling attacks, where malicious users create fake profiles to manipulate the recommendation results, thereby influencing users’ decisions. Such attacks can severely degrade the quality and reliability of recommendations, undermining the trust in RSs. A comprehensive understanding of shilling attacks is critical not only for improving the robustness of RSs but also for designing effective countermeasures to mitigate their impact. Existing shilling attack methods often face significant challenges in achieving both invisibility (i.e., making fake profiles indistinguishable from legitimate ones) and transferability (i.e., the ability to work across different RSs). Many current approaches either fail to capture the natural distribution of real user data or are highly tailored to specific RS algorithms, limiting their general applicability and effectiveness. To overcome these limitations, we propose DIFshilling, a novel diffusion-based model for shilling attacks. DIFshilling leverages forward noising and reverse denoising techniques to better model the distribution of real user data, allowing it to generate fake users that are statistically similar to legitimate users, thus enhancing the invisibility of the attack. Unlike traditional methods, DIFshilling is independent of the specific recommendation algorithm, making it highly transferable across various RSs. We evaluate DIFshilling through extensive experiments on seven different victim RS models, demonstrating its superior transferability. The experimental results show that DIFshilling not only achieves outstanding effectiveness in terms of attack success but also exhibits strong adversarial defense capabilities, effectively evading detection mechanisms. Specifically, in experiments conducted on the ML100K dataset with the DGCF victim model, DIFshilling was able to increase the frequency of the targeted item by a factor of 15 while maintaining the lowest detection precision and recall, illustrating its ability to remain undetected by common defense techniques. These results underscore the potential of DIFshilling as a powerful tool for both evaluating the vulnerabilities of RS and designing more robust countermeasures.

1. Introduction

Recommender systems play a crucial role in recommending popular and personalized items to users, which successfully addresses the issue of information explosion. These systems effectively cater to user preferences and provide tailored recommendations. For instance, YouTube, one of the world’s largest video platforms, leverages recommender systems [1] to offer users personalized video content. Recommender systems not only enhance user experiences but also increase merchants’ profits. Notably, Netflix, an American subscription video streaming service, has a recommender system that accounts for approximately 80% of the total streaming hours, resulting in annual savings of over USD 1 billion [2]. Given the importance of RSs, there is a natural motivation for attackers to corrupt it in pursuit of profits [3].

Many efforts have been devoted to studying how to deceive RS for promoting (or demoting) the targeted item’s ranking, such as unorganized malicious attacks (i.e., several attackers individually attack RS without an organizer) [4] and Sybil attacks (i.e., illegally infer a user’s preference) [5]. Among these attacks, the shilling attack is a widely employed and persistent attack against recommender systems [6]. The shilling attack is also known as the data poisoning attack [7] or the profile injection attack [8]. It involves the injection of unscrupulous “fake user profiles” into the ratings database with the aim of manipulating the system’s recommendations. For example, a random attack assigns random ratings to victim items selected arbitrarily in fake user profiles. Similarly, AUSH [9] utilizes specialized objective functions for generators and discriminators to generate fake user profiles. Understanding these attacks is crucial for improving defenses and ensuring the trustworthiness of RSs. However, these existing shilling attack models suffer from certain drawbacks.

Existing shilling attack methods have notable drawbacks that hinder their effectiveness. One major limitation is the lack of attack invisibility, as many of these methods fail to consider personalization, resulting in the generation of fake user profiles that do not exhibit the behavioral characteristics of actual users in RS. Consequently, these fake users are easily detectable and filtered out before they can significantly impact the ranking of targeted items. Another drawback is the limited transferability of targeted models, as some kinds of shilling attacks are designed for specific RSs. For instance, average attacks and bandwagon attacks are more effective for user-based KNN recommendation algorithms in collaborative filtering but less effective for item-based KNNs [10]. Thus, these tailored attack methods cannot achieve satisfactory results in scenarios where the targeted RS are unavailable or differ in their underlying algorithms.

To address the above challenges, we propose DIFshilling, a novel shilling attack method based on the diffusion model [11]. Originating in physics, the diffusion model has demonstrated great potential in image generation [12] when combined with neural networks. Leveraging the diffusion model’s ability to fit actual data distributions accurately, DIFshilling generates fake user profiles that closely resemble real users. This approach enhances the invisibility of the shilling attack, making it challenging to identify and filter out fake user profiles. The training process of DIFshilling is independent of the specific RS but on the real user dataset, so it can enhance the transferability of the shilling attack for many different victimized RS. To ensure that the generated fake user profiles contain the features of real users and improve the stealthiness of the shilling attack, we add unique designs in DIFshilling. First, we filter out inactive real users and utilize their enriched characteristics as templates. Then, we gradually introduce Gaussian noise to the user–item interaction matrix at each step during the noising phase, resulting in a noised matrix. In the denoising stage, we employ a neural network model to remove noise from the noised matrix progressively to gain fake user profiles. It is worth noting that, unlike in computer vision applications, preserving the personality of real users is essential in RS. Therefore, we carefully control the noise schedule during the noising process and denoise the noised matrix obtained rather than using random Gaussian noise.

In summary, our contributions are as follows:

(1)

We propose DIFshilling, a novel shilling attack method for RSs, based on the diffusion model. DIFshilling leverages the power of diffusion processes to generate fake user profiles that closely resemble real user behavior, significantly enhancing the stealthiness and effectiveness of the attack.

(2)

DIFshilling addresses the issue of low invisibility in traditional shilling attacks. By accurately modeling the data distribution of genuine users, DIFshilling generates fake profiles that are more difficult to detect, making it harder for defensive systems to filter out malicious user profiles.

(3)

DIFshilling is designed to be independent of the targeted RS. This design improves the transferability of the attack, making it effective across a wide range of victim models without requiring prior knowledge of the targeted system’s algorithm.

(4)

Our extensive experiments on five datasets and seven victim RSs demonstrate the outperformance of DIFshilling over eight other baselines, effectively promote the ranks of targeted items, and demonstrate resilience against defense mechanisms.

This paper is organized as follows: Section 2 reviews existing research on shilling attacks. Section 3 presents our proposed threat model, outlining the attacker’s goals, knowledge, and capabilities. Section 4 details the application of the diffusion model to develop our novel approach to shilling attacks. Finally, Section 5 presents comprehensive experimental results to validate the effectiveness of our approach.

2. Related Work

Recommender systems (RSs) have become integral to various online platforms, providing personalized suggestions that enhance user experience and drive commercial success. However, their widespread adoption has also exposed them to significant vulnerabilities, particularly adversarial attacks [13] and shilling attacks [6]. While adversarial attacks are beyond the scope of this paper, we focus on shilling attacks, which involve injecting fake user profiles to manipulate recommendation outcomes. These attacks can degrade recommendation quality, undermine user trust, and cause substantial economic consequences [14]. Addressing these risks is crucial for ensuring the robustness and reliability of RSs. Shilling attacks can be broadly categorized into algorithm-agnostic and algorithm-specific approaches. Recently, generative adversarial networks (GANs) [15] have been increasingly utilized to enhance the effectiveness of shilling attacks, enabling the generation of more sophisticated user profiles that are harder to detect. We review all these categories in detail and show the baselines compared with our approach in the experiments in

Table 1. The benchmark of shilling attack methods used in experiments.

Method Name	Description	Type	References
Random Attack	Chooses items at random, applying ratings from a normal distribution with parameters matching the overall ratings’ mean and variance.	Algorithm-agnostic	[16,17]
Average Attack	Uses a normal distribution for ratings with parameters based on sampled items’ ratings.	Algorithm-agnostic	[16]
Segment Attack	Assigns maximal ratings to selected items and minimal to others, targeting specific system segments.	Algorithm-agnostic	[16]
Bandwagon Attack	Exploits item popularity by assigning maximal ratings to popular items and others randomly.	Algorithm-agnostic	[16,18]
AIA	Generates profiles maximizing an attack objective using a bilevel optimization framework under a black-box scenario.	Algorithm- specific	[19]
DCGAN	Treats shilling attacks as a repeated general-sum game, using DCGAN for fake profile generation.	GAN-based	[20]
AUSH	Trains models considering shilling, reconstruction, and adversarial losses to balance attack impact and detectability.	GANs-based	[9]
Leg-UP	Improves AUSH by focusing on attack transferability and invisibility, leveraging direct loss functions.	GAN-based	[9,21]

.

2.1. Algorithm-Agnostic Shilling Attacks

Algorithm-agnostic attacks do not rely on knowledge of an RS algorithm. These attacks exploit RS’ reliance on user behavior data by generating fake yet seemingly normal data to manipulate recommendation outcomes. As they are not tailored to specific algorithms, they exhibit strong adaptability and can threaten a wide range of RSs [22]. For instance, random attacks [16,17] assign ratings to items randomly based on a normal distribution with mean and variance parameters matching those of the entire system’s ratings. Average attacks [16] apply a similar approach but use parameters derived from the ratings of a sampled item set. Segment attacks [16] involve assigning maximal ratings to selected items and minimal ratings to others, targeting specific segments within the RS. Bandwagon attacks [16,18] exploit item popularity by assigning maximal ratings to popular items, while other ratings are assigned randomly, similar to the random attack. Because algorithm-agnostic shilling attacks are independent of any specific recommendation algorithm, they are highly versatile and pose a threat to various RSs. Given that attackers can employ different strategies, such as random attacks, average attacks, and bandwagon attacks, the detection of these attacks requires a comprehensive analysis of multiple behavioral characteristics and patterns [23].

2.2. Algorithm-Specific Shilling Attacks

Algorithm-specific attacks target particular recommendation algorithms, leveraging their internal mechanisms or data structures to achieve more effective and efficient manipulations. Compared to algorithm-agnostic methods, these attacks require a deeper understanding of the target recommendation system, making them more precise and potentially more destructive. These attacks have been developed for a range of systems, including graph-based [24], association rule-based [25], matrix factorization-based [26,27], and neighborhood-based [28] recommender systems. For example, O’Mahony et al. [18] studied the robustness of user-based collaborative filtering (CF) methods [29] by injecting fake users. Burke et al. [30] analyzed the impact of low-knowledge attack strategies on CF methods, aiming to promote or demote items. Seminario and Wilson [31] developed power user/item attack models that leveraged influential users/items to manipulate the RS. Fang et al. [24] explored shilling attacks in graph-based CF models, and Yang et al. [25] demonstrated the practical feasibility of attacking real-world RSs such as YouTube, Google Search, Amazon, and Yelp. Algorithm-specific attacks are highly targeted and can inflict significant damage on RSs. Since these attacks exploit the algorithm’s internal mechanisms, effective defense strategies must consider both the underlying data structures and computational frameworks. Certain attack methods, such as optimization-based approaches, generate adversarial users that are difficult to detect using traditional identification techniques [32].

2.3. GAN-Based Shilling Attacks

GAN-based shilling attacks exploit the powerful generative capabilities of GANs to create fake user profiles or ratings, manipulating RS outcomes. Through adversarial training between a generator and a discriminator, GANs can synthesize realistic fake user profiles, which are injected into the RS to execute the attack [33]. The generator’s objective is to produce fake data that are statistically similar to real user profiles or ratings, making it difficult for detection systems to identify them. Meanwhile, the discriminator is trained to distinguish between real and generated data. During training, the generator continuously improves its ability to generate indistinguishable data while the discriminator simultaneously enhances its detection accuracy. Recent studies have also integrated GANs for shilling attacks. Christakopoulou et al. [20] modeled shilling attacks as a general-sum game between the RS and fake user generators, utilizing DCGAN [34] to generate fake user profiles. AUSH [9] trained its generator and discriminator using a combination of reconstruction loss, shilling loss, and adversarial loss to consider user segments, attack cost, and detectability. Leg-UP [21] extended AUSH by applying more direct loss functions and leveraging a surrogate model, further enhancing attack transferability and invisibility. Defense mechanisms against GAN-based shilling attacks can be broadly categorized into detection-based defenses, robust learning algorithms, and adversarial training [23]. Detection-based defenses aim to identify and filter out malicious profiles using anomaly detection and behavioral analysis, though increasingly sophisticated attacks challenge their effectiveness. Robust learning algorithms enhance RS resilience by integrating noise-resistant and anomaly-aware techniques, mitigating the impact of adversarial inputs. Adversarial training further strengthens defenses by exposing models to attack-like patterns during training, improving their ability to recognize and counter manipulated data. A combination of these approaches enhances the overall robustness of RS against evolving adversarial threats.

3. Threat Model

Figure 1 illustrates the threat model of a shilling attack. In this attack, a malicious actor creates fake user profiles with fraudulent objectives and inserts them into the user–item interaction data of the targeted RS, referred to as the victim model. As a result, the RS generates recommendation lists based on these manipulated interactions using its specific recommendation algorithms or models. The generated lists are then returned to the legitimate users of the system. We present the threat model from three perspectives:

Attacker’s Goal: The objective of a shilling attack can be either untargeted or targeted. Untargeted attacks aim to degrade the overall usefulness of an RS by forcing it to make inaccurate recommendations. Targeted attacks, which are the focus of this study, seek to influence the ranking of a specific item, either by increasing or decreasing its likelihood of being recommended. This work focuses primarily on push attacks, where the attacker attempts to increase the probability of a targeted item being recommended. Nuke attacks, which are designed to reduce the likelihood of a targeted item being recommended, can be seen as the inverse of push attacks and could utilize similar techniques.

Attacker’s Knowledge: We assume that the attacker has partial knowledge of the dataset used to train the victim model. This assumption is plausible, as attackers can gather user feedback through various means, such as web scraping or collecting data from platforms, which include user interactions like likes and shares. However, it is crucial to note that the attacker does not have direct access to the inner workings of the victim model, such as its parameters or architecture. In practice, the attacker cannot access the RS itself.

Attacker’s Capability: As depicted in Figure 1, the attacker injects fake user profiles into the training set of the victim model. The attack succeeds when the victim model incorporates these profiles into its training process. This indicates that the attack occurs during the training phase of an RS rather than during the testing phase. A test phase attack would involve compromising the accounts of real users and altering their preferences, which lies outside the scope of this work and pertains more to cybersecurity concerns.

4. The Design of DIFshilling

4.1. Overview of DIFshilling

DIFshilling is designed based on the diffusion model framework, leveraging the success of diffusion models in accurately fitting real data distributions. Figure 2 illustrates the framework of DIFshilling. Firstly, DIFshilling identifies and filters out less-active users who rarely rate items in the dataset. These users are not conducive to the generation of fake user profiles, lacking enough characteristics to represent distributions. Then, the remaining active users are passed for the diffusion process. In the diffusion process, random Gaussian noise is incrementally added to the active user–item interaction matrix during the noising process. A neural network model is trained to predict the noise. Unlike in computer vision, it is necessary to safeguard the personalized characteristics of real users. Therefore, the noise schedule is restricted within a specific range. During the denoising phase, DIFshilling utilizes the previously trained model to predict the noise and progressively removes it to obtain a fake rating matrix. Importantly, to protect real users’ personalized features, we utilize the $x_t$ obtained during the noising phase as the initial point for the denoising stage rather than using random Gaussian noise.

4.2. The Noising Process

The noising process corrupts the original data by gradually adding Gaussian noise. Following the filter, we obtain the rating matrix and consider it as the initial point $x_0$. The noising process consists of a total of T steps. Each step adds Gaussian noise to the data from the previous step as follows:

$$x_t=\sqrt{{\alpha }_t}{x}_{t-1}+\sqrt{1-{\alpha }_t}{Z}_t,t\in \{1, \dots , T\},$$

(1)

where $Z_t\sim N(0, \mathbf{I})$ represents standard Gaussian noise, while ${\alpha }_t=1-{\beta }_t$. The noise schedule ${\beta }_t\in (0, 1)$ is a hyperparameter controlling the amount of noise added at step t. Typically, as the step progresses, more noise is added. Therefore, the noise schedule ${\beta }_t$ follows the rule ${\beta }_1<{\beta }_2<\dots <{\beta }_T$. However, in order to preserve the personality of real users, we limit the noise schedule to a certain extent. Since each step of $x_t$ is derived from the previous step $x_{t-1}$, the entire process can be viewed as a Markov chain. Therefore, $x_t$ at each step can be calculated from $x_0$ based on the properties of the Markov chain:

$$\begin{array}{cc}\hfill x_t& =\sqrt{\overline{{\alpha }_t}}{x}_0+\sqrt{1-\overline{{\alpha }_t}}{Z}_t,\hfill \\ \hfill & \mathrm{where}\overline{{\alpha }_t}=\prod _{s=0}^t{\alpha }_s.\hfill \end{array}$$

(2)

Meanwhile, we can derive the intermediate and final distribution of the noising process as follows:

$$q\left({\mathbf{x}}_t\mid {\mathbf{x}}_{t-1}\right):=\mathcal{N}\left({\mathbf{x}}_t; \sqrt{1-{\beta }_t}{\mathbf{x}}_{t-1}, {\beta }_t\mathbf{I}\right),$$

(3)

$$\begin{array}{cc}\hfill q\left({\mathbf{x}}_{1:T}\mid {\mathbf{x}}_0\right)& =\prod _{t=1}^{T}q\left({\mathbf{x}}_t\mid {\mathbf{x}}_{t-1}\right)\hfill \\ \hfill & =\mathcal{N}\left({\mathbf{x}}_t; \sqrt{{\overline{\alpha }}_t}{\mathbf{x}}_0, \left(1-{\overline{\alpha }}_t\right)\mathbf{I}\right).\hfill \end{array}$$

(4)

During the noising phase, the objective is to train a deep neural network to predict the real noise added to the data. As the neural network’s primary objective is to predict the noise at each step rather than restoring the original data, we utilize the mean square error (MSE) as the loss function for training the network. Thus, we define the loss function of this deep neural network as follows:

$${\mathcal{L}}_{loss}={\parallel Z_t-\widehat{Z_t}\parallel }_2^2,$$

(5)

where $Z_t$ is the real noise added to the data, and $\widehat{Z_t}$ is the noise predicted by the neural network. Compared with other GAN-based shilling attack methods’ loss functions [9,19,21], our loss function is simpler and converges faster. Additionally, employing a more straightforward loss function avoids the need to design complex loss functions for shilling purposes.

4.3. The Denoising Process

The noising process adds noise to the original data, while the denoising process aims to strip the noise out. Suppose we know the actual distribution $q\left({\widehat{\mathbf{x}}}_{t-1}\mid {\widehat{\mathbf{x}}}_t\right)$ for each step, then starting from a random noise ${\widehat{\mathbf{x}}}_T\sim \mathcal{N}\left(0, \mathbf{I}\right)$ and gradually denoising, we can generate an actual sample with the same distribution as the original. However, as the noise at each step is not accurately predicted, it adds uncertainty to the denoising process, which is why the new data generated by the diffusion model have a rich diversity in matching the original data. Unlike in computer vision [35], if we start from random Gaussian noise, we will lose the personalized characteristics of real users. In order to prevent it, we set the noise ${\mathbf{x}}_T$ obtained from the noising process as the beginning of the reverse process $\widehat{{\mathbf{x}}_T}$.

We construct a neural network model to estimate the distribution $q\left({\widehat{x}}_{t-1}\mid {\widehat{x}}_t\right)$. Since the data at the current moment are only related to the data at the last step, the reverse process can also be regarded as a Markov chain composed of a series of Gaussian distributions parameterized by the neural network. Thus, these distributions can be expressed as follows:

$$p_{\theta }\left({\widehat{x}}_{t-1}\mid {\widehat{x}}_t\right)=\mathcal{N}\left({\widehat{x}}_{t-1}; {\mathit{\mu }}_{\theta }\left({\widehat{x}}_t,t\right), {\mathsf{\Sigma }}_{\theta }\left({\widehat{x}}_t,t\right)\right),$$

(6)

$$p_{\theta }\left({\widehat{x}}_{0:T}\right)=p\left({\widehat{x}}_T\right)\prod _{t=1}^T{p}_{\theta }\left({\widehat{x}}_{t-1}\mid {\widehat{x}}_t\right),$$

(7)

where ${\mathit{\mu }}_{\theta }\left({\widehat{x}}_t, t\right)$ and ${\mathsf{\Sigma }}_{\theta }\left({\widehat{x}}_t, t\right)$ are the mean and variance provided by the neural network, respectively.

Although the distribution $q\left({\widehat{x}}_{t-1}\mid {\widehat{x}}_t\right)$ is not directly computable, the conditional posterior $q\left({\widehat{x}}_{t-1}\mid {\widehat{x}}_t, x_0\right)$ is workable as follows:

$$q\left({\widehat{\mathbf{x}}}_{t-1}\mid {\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0\right)=\mathcal{N}\left({\widehat{\mathbf{x}}}_{t-1}; \tilde{\mathit{\mu }}\left({\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0\right), {\tilde{\sigma }}_t\mathbf{I}\right),$$

(8)

where $\tilde{\mathit{\mu }}\left({\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0\right)$ is the estimated mean based on ${\widehat{\mathbf{x}}}_t$ and ${\mathbf{x}}_0$. From the Bayesian rules, $q\left({\widehat{\mathbf{x}}}_{t-1}\right|{\widehat{\mathbf{x}}}_t, x_0)$ can be formulated as follows:

$$q\left({\widehat{\mathbf{x}}}_{t-1}\mid {\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0\right)=q\left({\widehat{\mathbf{x}}}_t\mid {\widehat{\mathbf{x}}}_{t-1}, {\mathbf{x}}_0\right){\displaystyle \frac{q\left({\widehat{\mathbf{x}}}_{t-1}\mid {\mathbf{x}}_0\right)}{q\left({\widehat{\mathbf{x}}}_t\mid {\mathbf{x}}_0\right)}}.$$

(9)

From the properties of the Markov chain, $q\left({\widehat{\mathbf{x}}}_t\right|{\widehat{\mathbf{x}}}_{t-1}, x_0)$ can be formulated as follows:

$$\begin{array}{cc}\hfill q\left({\widehat{\mathbf{x}}}_t\mid {\widehat{\mathbf{x}}}_{t-1}, {\mathbf{x}}_0\right)& =q\left({\widehat{\mathbf{x}}}_t\mid {\widehat{\mathbf{x}}}_{t-1}\right)\hfill \\ & =\mathcal{N}\left({\widehat{\mathbf{x}}}_t; \sqrt{1-{\beta }_t}{\widehat{\mathbf{x}}}_{t-1}, {\beta }_t\mathbf{I}\right).\hfill \end{array}$$

(10)

Taking Equation (4) into account, we can obtain the following:

$$q\left({\widehat{\mathbf{x}}}_{t-1}\mid {\mathbf{x}}_0\right)=\mathcal{N}\left({\widehat{\mathbf{x}}}_{t-1}; \sqrt{{\overline{\alpha }}_{t-1}}{\mathbf{x}}_0, \left(1-{\overline{\alpha }}_{t-1}\right)\mathbf{I}\right),$$

(11)

$$q\left({\widehat{\mathbf{x}}}_t\mid {\mathbf{x}}_0\right)=\mathcal{N}\left({\widehat{\mathbf{x}}}_t; \sqrt{{\overline{\alpha }}_t}{\mathbf{x}}_0, \left(1-{\overline{\alpha }}_t\right)\mathbf{I}\right).$$

(12)

Combining Equations (10)–(12) and the normal distribution density function, we can modify Equation (8) as follows:

$$\begin{array}{cc}\hfill q\left({\widehat{\mathbf{x}}}_{t-1}\mid {\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0\right)& =exp(-{\displaystyle \frac{1}{2}}(({\displaystyle \frac{{\alpha }_t}{{\beta }_t}}+{\displaystyle \frac{1}{1-{\overline{\alpha }}_{t-1}}}){\widehat{\mathbf{x}}}_{t-1}^2\hfill \\ \hfill & -({\displaystyle \frac{2\sqrt{{\alpha }_t}}{{\beta }_t}}{\widehat{\mathbf{x}}}_t+{\displaystyle \frac{2\sqrt{{\overline{\alpha }}_{t-1}}}{1-{\overline{\alpha }}_{t-1}}}{\mathbf{x}}_0){\widehat{\mathbf{x}}}_{t-1}\hfill \\ & +C({\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0)\left)\right),\hfill \end{array}$$

(13)

where $C({\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0)$ is irrelevant with ${\widehat{\mathbf{x}}}_{t-1}$, so we can ignore it. According to the definition of the probability density function of the Gaussian distribution and Equation (13), we can derive the mean and variance of the posterior distribution $q\left({\widehat{\mathbf{x}}}_{t-1}\mid {\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0\right)$ as follows:

$$\begin{array}{cc}\hfill \tilde{\mathit{\mu }}\left({\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0\right)& =\left({\displaystyle \frac{\sqrt{{\alpha }_t}}{{\beta }_t}}{\widehat{\mathbf{x}}}_t+{\displaystyle \frac{\sqrt{{\overline{\alpha }}_{t-1}}}{1-{\overline{\alpha }}_{t-1}}}{\mathbf{x}}_0\right)/\left({\displaystyle \frac{{\alpha }_t}{{\beta }_t}}+{\displaystyle \frac{1}{1-{\overline{\alpha }}_{t-1}}}\right)\hfill \\ \hfill & ={\displaystyle \frac{1}{\sqrt{{\alpha }_t}}}({\widehat{\mathbf{x}}}_t-{\displaystyle \frac{{\beta }_t}{\sqrt{1-\overline{{\alpha }_t}}}}\widehat{Z_t}),\hfill \end{array}$$

(14)

$${\tilde{\sigma }}_t=1/\left({\displaystyle \frac{{\alpha }_t}{{\beta }_t}}+{\displaystyle \frac{1}{1-{\overline{\alpha }}_{t-1}}}\right)={\displaystyle \frac{1-{\overline{\alpha }}_{t-1}}{1-{\overline{\alpha }}_t}}·{\beta }_t.$$

(15)

In Equation (15), the variance $\widetilde{{\sigma }_t}$ is quantitative due to the fixed parameters in the noising process. However, the value of the mean $\tilde{\mathit{\mu }}\left({\widehat{\mathbf{x}}}_t, {\mathbf{x}}_0\right)$ related to ${\widehat{\mathbf{x}}}_t$ and the noise $\widehat{Z_t}$ is invisible for the denoising process. Hence, we must use the neural network trained in the noising phase to predict the noise $\widehat{Z_t}$. After the noising and denoising process, we can get the fake user–item interaction matrix $\widehat{x_0}$ that matches the real user distribution. However, to improve the ranking of the targeted item, we need to additionally set the rating represented by the targeted item to the maximum (i.e., in our experiments, we set the rating of targeted items as 5). It is also a common approach to other shilling attack methods. We summarize the algorithms of the noising and denoising process on Algorithm 1.

Algorithm 1 Noising and denoising process.

Input:  active users’ interaction $x_0$; noise steps T; noise schedule $\{{\beta }_1, {\beta }_2, \dots , {\beta }_T\}$; randomly initialized neural network $\theta$ Output:  fake users’ interaction ${\widehat{x}}_0$   1: $t\leftarrow 0$   2: $x_t\sim q\left(x_0\right)$   3: while  $t<T$  do   4:     $t\leftarrow t+1$   5:     $ϵ\sim \mathcal{N}(0, I)$   6:     $x_t\leftarrow \sqrt{{\beta }_t}{x}_{t-1}+\sqrt{1-{\beta }_t}ϵ$   7:     ${\nabla }_{\theta }{∥ϵ-{ϵ}_{\theta }\left(\sqrt{{\overline{\alpha }}_t}{x}_0+\sqrt{1-{\overline{\alpha }}_t}ϵ, t\right)∥}^2$   8: end while   9: End of Noising Process 10: Start Denoising Process 11: ${\widehat{x}}_T\leftarrow x_T$ 12: $t\leftarrow T$ 13: while  $t>0$  do 14:     $t\leftarrow t-1$ 15:     ${\mu }_{t-1}\leftarrow {\displaystyle \frac{1}{\sqrt{{\alpha }_t}}}\left({\widehat{x}}_t-{\displaystyle \frac{{\beta }_t}{\sqrt{1-{\overline{\alpha }}_t}}}{ϵ}_{\theta }({\widehat{x}}_t, t)\right)$ 16:     ${\widehat{x}}_{t-1}\leftarrow {\mu }_{t-1}+\widetilde{{\sigma }_t}\widehat{Z_t}$ 17: end while 18: return  ${\widehat{x}}_0$

4.4. Complexity Analysis of DIFshilling

Evaluating the computational complexity of DIFshilling is essential for assessing its feasibility in the real world. Since diffusion-based models often introduce additional computational overhead, we analyze both the time and space complexity of the proposed approach, focusing on the noising and denoising processes.

Time Complexity: The noising process consists of T steps, where each step adds Gaussian noise to the user–item interaction matrix $x_t$. The primary computational cost at each step arises from matrix operations, including element-wise multiplications and additions, which have a time complexity of $\mathcal{O}\left(nm\right)$. Here, n and m denote the number of users and items, respectively. Consequently, the total complexity of the noising process is $\mathcal{O}\left(Tnm\right)$. Similarly, the denoising process follows the same iterative structure with T steps. At each step, a neural network predicts the noise term $\widehat{Z_t}$, requiring a forward pass through a deep model. Assuming the neural network has L layers, with each layer containing at most h hidden units, the complexity of a single forward pass is $\mathcal{O}\left(h^2\right)$. Given that noise estimation occurs at each of the T steps, the total complexity of the denoising process is $\mathcal{O}(T{h}^2+Tnm)$. Thus, the overall time complexity of DIFshilling is as follows:

$$\mathcal{O}\left(T(nm+h^2)\right).$$

(16)

Space Complexity: The primary memory consumption in DIFshilling arises from storing the user–item interaction matrix and neural network parameters. The matrix $x_t$ requires $\mathcal{O}\left(nm\right)$ space, while the neural network parameters occupy $\mathcal{O}\left(L{h}^2\right)$ space, assuming fully connected layers. Additionally, intermediate variables for backpropagation introduce an extra storage overhead proportional to the batch size B, yielding a total space complexity of the following:

$$\mathcal{O}(nm+L{h}^2+B{h}^2).$$

(17)

Compared to traditional GAN-based shilling attacks, DIFshilling incorporates a diffusion-based mechanism that necessitates an iterative refinement process. While this increases computational cost due to multiple inference steps, it enhances attack stealthiness and flexibility. Optimizations such as reducing the number of noise steps T or employing model compression techniques can alleviate computational overhead while preserving attack efficacy.

5. Experiments

In this section, we present comprehensive experiments conducted on five datasets, seven victim RS models, and eight baseline methods to address the following research questions:

• RQ1: Does DIFshilling outperform state-of-the-art shilling attack methods across various victim RS models?
• RQ2: Is DIFshilling more challenging for detectors to identify compared to other shilling attack methods?
• RQ3: How does the attack size influence the performance of DIFshilling and its detection by anti-shilling mechanisms?
• RQ4: How do the forward noising and reverse denoising components contribute to DIFshilling’s effectiveness?

5.1. Experimental Setup

The benchmark datasets used in our experiments are as follows: ML100K (https://grouplens.org/datasets/movielens/100k/ (accessed on 21 February 2025)), FilmTrust (https://github.com/guoguibing/librec/tree/3.0.0/data/filmtrust (accessed on 21 February 2025)), Amazon Automotive, Amazon Fashion (https://nijianmo.github.io/amazon/index.html (accessed on 21 February 2025)) and Book-crossing (https://www.kaggle.com/datasets/somnambwl/bookcrossing-dataset) (accessed on 21 February 2025). To ensure a comprehensive evaluation, we selected datasets with diverse characteristics. While ML100K and FilmTrust are popular benchmarks, their small and dense nature makes them less representative of real-world recommender system scenarios. Therefore, we included Amazon Fashion and Book-crossing datasets, which are significantly larger and sparser, to better assess the practicality of DIFshilling. The dataset statistics are provided in

Table 2. Statistics, thresholds, and attack sizes of the datasets.

Dataset	Users	Items	Ratings	Sparsity	Threshold	Attack Size
ML100K	943	1682	100,000	93.70%	36	10
FilmTrust	780	721	28,799	94.88%	15	8
Automotive	2928	1835	20,473	99.62%	12	30
Fashion	749,232	186,189	883,636	99.99%	4	7500
Book-crossing	278,858	271,379	1,149,780	99.99%	10	2800

. To filter out cold-start and inactive users, thresholds based on user activity were applied, as shown in Table 2. Each dataset was randomly split into training and testing sets in a 9:1 ratio. Targeted items for shilling attacks were randomly selected, with a default attack size of approximately 1% of each dataset’s real users.

The victim RS models evaluated in our experiments include BPR [36], DGCF [37], DMF [38], GCMC [39], NCL [40], NeuMF [41], and NGCF [42]. These models have been widely adopted in both research and engineering for their effectiveness in various recommendation tasks. A brief summary of their key features is provided below. BPR introduces a maximum posterior estimator derived from Bayesian analysis for personalized ranking optimization, utilizing stochastic gradient descent with bootstrap sampling. DGCF enhances collaborative filtering by disentangling user intents within user–item interactions, thereby refining intent-aware interaction graphs and representations to achieve superior performance. DMF integrates a neural network architecture with a user–item matrix composed of explicit ratings and non-preference implicit feedback to learn a unified low-dimensional space for user and item representations, utilizing a binary cross-entropy-based loss function for enhanced optimization. GCMC employs a graph auto-encoder framework with differentiable message passing on a bipartite user–item graph for matrix completion in recommender systems, effectively utilizing additional structured data such as social networks. NCL enhances graph collaborative filtering by explicitly incorporating potential neighbors into contrastive pairs through a novel structure-contrastive objective for structural neighbors and a prototype-contrastive objective for semantic neighbors, thereby addressing data sparsity and outperforming traditional methods that rely on random sampling. NeuMF introduces a neural network-based framework for collaborative filtering by replacing the traditional inner product in matrix factorization with a neural architecture that leverages a multi-layer perceptron to learn the user–item interaction function from implicit feedback data. NGCF incorporates user–item interactions through bipartite graph structures into the embedding process, effectively propagating embeddings to capture high-order connectivity and explicitly inject collaborative signals. We test all these different victim RS models to prove the transferability of DIFshilling.

The hyperparameters for these models, including hidden layers and learning rates, were configured according to the default settings provided in the RecBole framework [43]. RecBole is a comprehensive library for recommendation system research, supporting 91 algorithms across four categories: general, sequential, context-aware, and knowledge-based recommendations. It provides a unified and efficient platform for algorithm development and reproduction. For DIFshilling, the diffusion model parameters were set as follows: a learning rate of 0.001, 10 noise steps (T), and a noise schedule ($\beta$) ranging from ${10}^{-8}$ to ${10}^{-7}$. A multilayer perceptron was employed to predict noise during the denoising process. The MLP was optimized using the Adam optimizer with a batch size of 512 to ensure stable training and convergence. To enhance invisibility, DIFshilling employs a gradual refinement strategy, where synthetic attack profiles undergo iterative denoising to align with real user behavior patterns.

5.2. Evaluation Metric

Evaluation metrics commonly used in RS, such as hit ratio (HR) and normalized discounted cumulative gain (NDCG), primarily measure the recommendation performance of RS. However, with slight modifications, these metrics can be adapted to quantify the effectiveness of shilling attacks. Let U denote the set of users, and K represent the number of items in the recommendation list $RL$. Under these conditions, HR evaluates whether the targeted item $i_t$ appears in $RL$. For each user $u\in U$, the hit function is defined as follows:

$$\begin{array}{c}hit\left(u\right)=\left\{\begin{array}{cc}1\hfill & , i_t\in RL\hfill \\ 0\hfill & , i_t\notin RL\hfill \end{array}\right..\end{array}$$

(18)

The overall $HR@K$ is then calculated as follows:

$$HR@K={\displaystyle \frac{1}{\left|U\right|}}\sum _{u\in U}hit\left(u\right).$$

(19)

NDCG can be adapted to account for the ranking of the targeted item. The modified formula is expressed as follows:

$$NDCG@K={\displaystyle \frac{1}{\left|U\right|}}\sum _{u=1}^{\left|U\right|}{\displaystyle \frac{1}{{log}_2(p_u^{\prime }+1)}},$$

(20)

where $p_u^{\prime }$ denotes the rank of the targeted item in $RL$ for the u-th user. The term ${log}_2(p_u^{\prime }+1)$ introduces logarithmic scaling based on the ranking position, assigning higher weights to items ranked closer to the top. If the targeted item is not present in $RL$, $p_u^{\prime }$ is considered infinite ($p_u^{\prime }=\infty$), resulting in an NDCG value of 0.

5.3. Baseline Methods

We compare the performance of DIFshilling with eight existing shilling attack methods. The attack methods we consider are as follows:

(1)

A random attack assigns a rating $r\sim \mathcal{N}(\mu , \sigma )$ to an item, where $\mu$ and $\sigma$ are the mean and the variance of all ratings in the system, respectively.

(2)

An average attack assigns a rating $r\sim \mathcal{N}(\mu , \sigma )$ to an item, where $\mu$ and $\sigma$ correspond to the mean and variance of ratings from a sampled set of items within the system.

(3)

A segment attack assigns maximal ratings to selected items and minimal ratings to all others.

(4)

A bandwagon attack utilizes the most popular items as selected targets, assigning maximal ratings to them while assigning ratings to other items in the same manner as a random Attack.

(5)

AIA [19] stands for adversarial injection attack, which builds a bilevel optimization framework to generate fake user profiles by maximizing the attack objective on the surrogate model.

(6)

DCGAN [20] is a GAN adopted in a recent shilling attack method, where the generator takes noise and outputs fake user profiles through convolutional units. We follow the default settings in [20].

(7)

AUSH [9] constructs reconstruction loss, shilling loss, and adversarial loss to train the generator and discriminator, respectively, considering users in the segment, attack cost, and detectability.

(8)

Leg-UP [21] extends AUSH for attack transferability and invisibility by applying more direct loss functions and leveraging the surrogate model.

In all methods, the highest rating is assigned to the targeted item. The effectiveness of attacks is evaluated on the test set using HR@K and NDCG@K at $K=10$. In the push attack scenario, higher HR@K and NDCG@K values indicate greater attack effectiveness.

5.4. Attack Performance (RQ1)

Figure 3 presents heatmaps showing the overall attack performance of various shilling methods across victim RS models and datasets. Concrete values of HR@10 and NDCG@10 are provided in

Table 3. Attack performance in ML100K (%). The best results are marked in bold.

Model	Average	Random	Segment	Bandwagon	AIA	DCGAN	AUSH	Leg-UP	DIFshilling
HR@10 (%)
BPR	0.8484	0.4242	0.8484	0.9544	2.333	2.1209	1.6967	1.2725	5.4083
DGCF	0.4242	0.106	0.2121	0.106	0.106	0.106	0.5302	0.4242	15.6946
DMF	0.8484	0.8484	1.4846	1.9088	2.9692	1.2725	3.9236	3.8176	13.2556
GCMC	0.9544	0.7423	1.0604	1.0604	1.6967	1.6967	2.5451	3.0753	9.1198
NCL	0.4242	0.3181	0.7423	0.3181	1.4846	1.1665	1.5907	1.1665	3.3934
NeuMF	0.3181	0.3181	3.0753	0.3181	0.7423	1.0604	1.9088	1.3786	4.0297
NGCF	1.0604	1.8028	4.3478	6.5748	7.211	4.3478	5.4083	5.1962	11.877
NDCG@10 (%)
BPR	0.1417	0.1417	0.3538	0.322	0.2359	0.224	0.6959	0.5166	1.1624
DGCF	0.1409	0.1409	0.1409	0.2354	0.8863	0.0307	0.307	0.2068	1.0218
DMF	0.9732	0.9732	0.9732	0.7756	0.0948	0.066	0.0849	0.1064	1.6479
GCMC	0.0457	0.0457	0.0457	0.096	0.1064	0.0319	0.3219	0.1824	3.439
NCL	0.1051	0.1436	0.1436	0.1079	0.2864	0.4729	0.5961	0.5816	0.8004
NeuMF	0.1141	0.1141	0.1141	0.1083	0.2814	0.4835	0.8029	0.5628	1.7754
NGCF	0.699	0.7435	1.6512	0.712	2.7664	1.9693	3.0507	3.4434	5.2711

and

Table 4. Attack performance in Fashion (%). The best results are marked in bold.

Models	Average	Random	Segment	Bandwagon	AIA	DCGAN	AUSH	Leg-UP	DIFshilling
HR@10 (%)
BPR	0.0844	0.0562	0.0844	0.0281	0.225	0.0844	0.0562	0.0844	0.5624
DGCF	0.0562	0.0000	0.0281	0.0281	0.0562	0.0281	0.0281	0.0562	0.225
DMF	0.0000	0.0000	0.0000	0.0000	0.0000	0.0000	0.0000	0.0000	0.0844
GCMC	0.0000	0.0000	0.0281	0.0281	0.0000	0.0309	0.0227	0.0281	0.0281
NCL	0.0281	0.0000	0.0281	0.0281	0.0000	0.0281	0.0281	0.0281	0.1687
NeuMF	0.0281	0.0281	0.0281	0.0562	0.0000	0.0000	0.0844	0.0000	0.4218
NGCF	0.0562	0.0844	0.0844	0.1125	0.1125	0.0562	0.3375	0.0000	0.3937
NDCG@10 (%)
BPR	0.0271	0.0271	0.0831	0.1101	0.1083	0.0302	0.037	0.033	0.123
DGCF	0.0173	0.0000	0.01	0.0121	0.0189	0.0089	0.0085	0.0067	0.0906
DMF	0.0000	0.0000	0.0000	0.0000	0.0000	0.0000	0.0000	0.0000	0.0254
GCMC	0.0000	0.0000	0.0081	0.0094	0.0000	0.0423	0.8305	0.7462	0.0085
NCL	0.0085	0.0000	0.0344	0.0302	0.0000	0.5386	0.0109	0.0216	0.177
NeuMF	0.0177	0.0177	0.0345	0.0387	0.0000	0.2106	0.0294	0.0000	0.2433
NGCF	0.1052	0.118	0.1847	0.1536	0.0432	0.0573	0.1503	0.0000	0.2225

for the ML100K and Fashion datasets, respectively, while results for other datasets follow similar patterns. In Figure 3, each cell represents the HR@10 value for a specific attack method targeting a victim RS on a dataset, with lighter colors indicating higher HR@10 values. From the heatmaps, we observe that DIFshilling consistently achieves superior attack performance across all victim RS models and datasets. Examining the rows of the heatmap, it is evident that DIFshilling performs particularly well against DMF and GCMC on the three smaller datasets in the first row. Conversely, for the two larger datasets in the second row, DIFshilling notably increases the frequency of targeted items appearing in the recommendation lists for NeuMF and NGCF. The heatmaps also allow us to differentiate between heuristic-based and GAN-based shilling attack methods, with the dividing line being the row where DIFshilling is located. A comparative analysis reveals that GAN-based methods generally outperform heuristic-based methods against victim RS models. Furthermore, the color bands in the heatmaps highlight that shilling attacks are more effective on smaller and denser datasets, while their impact diminishes on larger and sparser datasets.

From Table 3 and Table 4, we note that shilling attack methods, including DIFshilling, have a more pronounced effect on smaller and denser datasets. On the ML100K dataset, DIFshilling consistently delivers the best attack performance on all victim RS models, as reflected by both HR@10 and NDCG@10. DIFshilling significantly increases the frequency of targeted items appearing in recommendation lists and improves their rankings. For example, when DGCF is the victim RS, DIFshilling increases the average appearance frequency of targeted items by a factor of 15 compared to other attack methods. Similarly, when GCMC is the victim RS, DIFshilling improves the rank of targeted items in the recommendation list by three positions compared to the best alternative shilling methods. Table 4 summarizes the experimental results on the larger and sparser Fashion dataset. DIFshilling maintains its superior performance on most victim RS models, outperforming other methods. However, it is worth noting that the impact of shilling attacks diminishes on large and sparse datasets. For instance, in some cases, such as when the victim RS is GCMC, and the attacker is AUSH, DIFshilling fails to improve the hit ratio of targeted items in recommendation lists.

These results underscore the effectiveness of DIFshilling, particularly in small and dense datasets, while also highlighting the challenges of executing effective shilling attacks in large and sparse environments. More importantly, DIFshilling consistently outperforms existing shilling attack methods across diverse recommender system models and datasets, demonstrating its strong transferability. Unlike heuristic-based and GAN-based attack methods, which exhibit varying levels of effectiveness depending on the dataset and victim model, DIFshilling maintains high attack performance across different RS models and dataset characteristics. This suggests that DIFshilling is not only adaptable to different recommendation environments but also robust in achieving consistent attack success, further validating its transferability across various settings.

5.5. Anti-Detection (RQ2)

To evaluate the quantitative invisibility of DIFshilling in realistic scenarios, we employ a state-of-the-art unsupervised detection technique [44] to identify fake user profiles generated by various shilling attack methods. Figure 4 presents the precision and recall values of the detector in identifying fake profiles, where lower precision and recall values indicate greater difficulty in detecting the attacks. As shown in Figure 4, DIFshilling consistently outperforms other attack methods in evading detection across most scenarios, exhibiting the lowest precision and recall values for fake profile identification on the ML100K and FilmTrust datasets. These results indicate that DIFshilling generates more stealthy fake users, which are significantly harder for detection mechanisms to distinguish. However, we observe that detection performance declines on sparser datasets, such as Automotive and Book-crossing, where precision and recall values approach zero for most attack methods, suggesting that dataset sparsity also plays a role in attack detectability.

To further investigate the qualitative invisibility of DIFshilling, we apply principal component analysis (PCA) to visualize the distributions of real and fake user profiles in the latent space. Since the visualization patterns are consistent across datasets, we present the results for the ML100K dataset in Figure 5. Analyzing Figure 5, we observe that the fake profiles generated by DIFshilling closely approximate the distribution of real users while maintaining a greater dispersion in the latent space. In contrast, other attack methods, particularly heuristic-based ones, tend to cluster tightly in localized areas, making them more susceptible to detection by defense mechanisms. The diffusion model used in DIFshilling effectively preserves the natural variability of real user behavior, enabling it to generate more realistic and indistinguishable fake profiles. This ability to blend into the distribution of real users further enhances DIFshilling’s invisibility, making it significantly harder to detect compared to traditional shilling attack methods.

5.6. Effects of Attack Size (RQ3)

As the number of fake users increases, the recommender system is generally expected to be more affected, but the attack also becomes more detectable. This section investigates the trade-off between attack effectiveness and the system’s ability to detect the attack. To facilitate experimentation across various datasets, we varied the attack size by inserting fake user profiles at 1%, 3%, 5%, and 10% of the original dataset size.

Figure 6a–c shows the attack performance of DIFshilling on each victim RS when different proportions of fake user profiles are inserted into the ML100k, FilmTrust, and Automotive datasets. As expected, the attack effect becomes more pronounced with the increase in the percentage of fake users. However, there are instances where this pattern does not hold. Notably, for the DMF model on the FilmTrust dataset, the attack performance peaks when fake user profiles account for 5% of the dataset. This anomalous result may be due to the noising and denoising process, which operates on the attack size scale of real users without finer granularity. The addition of Gaussian noise might introduce extraneous information, diminishing attack performance as the number of fake profiles grows. This effect is likely influenced by both the specific recommendation model and the algorithm used.

We further assess the performance of the detector in identifying inserted fake user profiles at various attack sizes. As shown in Figure 6d, the precision and recall of the detector increase with the percentage of inserted fake profiles. However, when the fake user profile insertion rate reaches approximately 5%, both precision and recall begin to decrease, reaching their lowest values. Additionally, we analyze the distribution of real and fake user profiles in the latent space for different attack sizes, as shown in Figure 7. The results of the FilmTrust dataset are presented in this figure, highlighting how the fake profiles’ distribution evolves as the attack size changes.

5.7. Ablation Study (RQ4)

To evaluate the necessity and effectiveness of each component in DIFshilling, we conduct an ablation study by isolating the forward noising and reverse denoising mechanisms. Specifically, we analyze the attack performance and adversarial robustness of two DIFshilling variants:

• Forward Process Only: This variant applies the noise-adding step without incorporating any learning or reverse denoising, generating fake users solely through random perturbations.
• Backward Process Only: This variant begins with predefined Gaussian noise and applies the reverse denoising process to recover fake user profiles, without explicitly injecting noise in the forward phase.

We evaluate these variants on two datasets (ML100K and FilmTrust) using seven victim RS models, assessing both attack performance and adversarial robustness. The results are presented in

Table 5. The attack performance of DIFshilling and its two variants on ML100K and FilmTrust.

HR@10 (%)		BPR	DGCF	DMF	GCMC	NCL	NeuMF	NGCF
ML100K	Ours	5.4083	15.6946	13.2556	9.1198	3.3934	4.0297	11.8770
	Forward	1.3786	0.6362	0.1060	0.6363	0.3181	1.6967	2.8632
	Backward	3.4995	0.9544	2.5451	1.3786	1.0604	1.9088	2.9692
FilmTrust	Ours	31.7872	31.2415	33.6971	60.0273	30.8322	30.9686	39.8363
	Forward	0.4093	1.3643	26.4666	0.1364	0.1364	0.1364	0.1364
	Backward	2.7285	1.7735	29.0587	12.0055	0.2729	0.1364	0.2729

and Figure 8. The results from Table 5 indicate that the forward process only variant leads to a more pronounced decline in attack performance compared to backward process only. For instance, in ML100K, SHR@10 drops from 5.4083 in DIFshilling to 1.3786 for BPR, with similarly low values observed across other models. This suggests that noise addition alone is insufficient to generate effective attack profiles. Conversely, backward process only demonstrates moderate attack effectiveness (e.g., SHR@10 reaches 3.4995 for BPR in ML100K), yet it remains significantly weaker than the full DIFshilling model. This finding suggests that initiating the attack from pure noise without a forward noising phase constrains the model’s ability to generate highly effective adversarial users. However, the trend is reversed when considering adversarial robustness. The forward process only variant, which introduces irregular random noise, generates attack profiles that are more difficult to detect. In contrast, the backward process only variant follows a structured denoising process, making the generated attack profiles more identifiable. Ultimately, the full DIFshilling model outperforms both ablation variants across all metrics, demonstrating that the combined use of forward noising and reverse denoising is essential for maximizing attack effectiveness while maintaining stealth against detection mechanisms.

6. Discussion

This paper introduces DIFshilling, a sophisticated attack strategy that leverages diffusion-based models to manipulate user–item interactions. To mitigate the risks posed by such attacks, we propose several countermeasures, focusing on the necessary conditions and procedural strategies required for an effective defense against shilling attacks.

To effectively counter DIFshilling attacks, recommender systems must meet several foundational conditions that enable robust defense. First, the system should employ robust user profiling, integrating diverse and detailed user features such as behavioral data, contextual interactions, and demographic information. This enables a more accurate distinction between legitimate users and synthetic profiles. Additionally, advanced detection mechanisms must be implemented to identify anomalies in user behavior, utilizing anomaly detection algorithms capable of recognizing inconsistencies in rating patterns and user preferences. Furthermore, adaptive learning models are essential for allowing systems to evolve in response to new types of shilling attacks. This requires continuously updating detection algorithms, particularly those leveraging adversarial learning techniques, to stay ahead of emerging attack strategies. By satisfying these conditions, recommender systems can provide effective protection against sophisticated shilling tactics such as DIFshilling.

Mitigating the risks associated with DIFshilling requires the adoption of several key procedural strategies. Anomaly detection plays a crucial role, employing techniques such as clustering, outlier detection, and behavior-based verification to identify user profiles that significantly deviate from established patterns. Another effective strategy is feature regularization, where user profile features are deliberately modified through masking or noise injection to prevent attackers from closely replicating real user distributions. This controlled randomness preserves personalization while reducing the effectiveness of attacks. A hybrid defense model, combining traditional machine learning with deep neural networks, further strengthens resilience by enabling the system to both detect and prevent shilling attacks through a multi-layered approach. Finally, temporal monitoring is necessary to track shifts in user preferences over time, as sudden or irregular changes may indicate an ongoing shilling attack. By implementing these strategies, recommender systems can not only detect but also proactively prevent the impact of DIFshilling, ensuring a more secure and reliable recommendation process.

7. Conclusions

In this paper, we present DIFshilling, a novel shilling attack model for recommender systems that leverages diffusion to enhance both attack effectiveness and evasion of detection. DIFshilling integrates key techniques, including an advanced filtering strategy to generate fake user profiles with rich features while preserving the personalized characteristics of real users. This is achieved by controlling the noise schedule and using the noising process as a foundation for denoising. Extensive experiments on five datasets, including two large and sparse ones, show that DIFshilling outperforms eight mainstream shilling attack methods, achieving state-of-the-art performance. Notably, DIFshilling excels not only in attack potency but also in its ability to evade detection mechanisms and remain inconspicuous in the latent space. The significance of this research extends beyond the development of a novel attack model. Understanding advanced shilling attacks like DIFshilling is crucial for identifying the vulnerabilities of recommender systems and guiding the design of more robust defense mechanisms. Future research could focus on developing adaptive noise schedules to improve generalizability and investigating real-time attack scenarios to further understand and mitigate the risks posed by advanced shilling attacks like DIFshilling. Our findings offer valuable theoretical insights and practical implications, providing a foundation for the development and defense of recommender systems in real-world applications.

Ethical Considerations: This study aims to enhance the understanding of shilling attacks in recommender systems to improve security and defense mechanisms. DIFshilling is presented as a research tool for evaluating vulnerabilities rather than promoting malicious exploitation. The experiments in this study are conducted on publicly available datasets, ensuring no violation of user privacy or ethical concerns. The findings emphasize the necessity of robust detection mechanisms and adversarial defenses to mitigate the risks posed by advanced shilling attacks. Furthermore, this work aligns with ethical research standards by providing insights that contribute to the development of more resilient recommender systems. Future research should explore defensive strategies that counteract the growing sophistication of adversarial attacks in this domain.