The RecSys-Model-Extraction-Attack repository is the PyTorch implementation of the RecSys 2021 paper "Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction".
We propose a data-free model extraction and adversarial attack framework against sequential recommender systems. Attacks are performed in two stages. (1) Model extraction: using the proposed autoregressive synthetic data, we distill the black-box model into a white-box recommender. (2) Downstream attacks: we attack the black-box model with adversarial samples generated from the white-box recommender. Experiments show the effectiveness of our data-free model extraction and downstream attacks on sequential recommenders in both the profile pollution and the data poisoning setting.
Please cite the following paper if you use our methods in your research:
@inproceedings{yue2021black,
title={Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction},
author={Yue, Zhenrui and He, Zhankui and Zeng, Huimin and McAuley, Julian},
booktitle={Proceedings of the 15th ACM Conference on Recommender Systems},
year={2021}
}
Requirements: PyTorch, pandas, wget, libarchive-c, faiss-cpu, tqdm, tensorboard. For the exact versions used in our running environment, see requirements.txt.
python train.py
Execute the above command (with arguments) to train a black-box model. Datasets can be selected from MovieLens 1M/20M, Beauty, Games, Steam and Yoochoose. Available models are NARM, SASRec and BERT4Rec. Trained black-box recommenders can be found under ./experiments/model-code/dataset-code/models/best_acc_model.pth
python distill.py
Execute the above command (with arguments) to extract a white-box model; the white-box model can also be chosen from NARM, SASRec and BERT4Rec. Trained models can be found under ./experiments/distillation_rank/distillation-specification/dataset-code/models/best_acc_model.pth
python attack.py
Run the above command (with arguments) to perform profile pollution attacks; logs will be saved under ./experiments/attack_rank/distillation-specification/dataset-code/attack_bb_metrics.json
python retrain.py
Run the above command (with arguments) to perform data poisoning attacks; the retrained model and logs will be saved under ./experiments/retrained/distillation-specification/dataset-code/
Recommender systems are first trained as black-box models. These are then used to generate synthetic data for white-box model distillation, which is followed by profile pollution and data poisoning attacks based on the white-box model weights. For training details, please refer to our paper.
Our implementation is based mostly on Transformers from Hugging Face and BERT4Rec by Jaewon Chung. Many thanks to these authors for their great work!