Review-Based Recommender Systems (RBRS) have attracted increasing research interest due to their ability to alleviate well-known cold-start problems. RBRS utilizes reviews to construct the user and items representations. However, in this paper, we argue that such a reliance on reviews may instead expose systems to the risk of being shilled. To explore this possibility, in this paper, we propose the first generation-based model for shilling attacks against RBRSs. Specifically, we learn a fake review generator through reinforcement learning, which maliciously promotes items by forcing prediction shifts after adding generated reviews to the system. By introducing the auxiliary rewards to increase text fluency and diversity with the aid of pre-trained language models and aspect predictors, the generated reviews can be effective for shilling with high fidelity. Experimental results demonstrate that the proposed framework can successfully attack three different kinds of RBRSs on the Amazon corpus with three domains and Yelp corpus. Furthermore, human studies also show that the generated reviews are fluent and informative. Finally, equipped with Attack Review Generators (ARGs), RBRSs with adversarial training are much more robust to malicious reviews.

翻译：基于评论的推荐系统（RBRS）因其缓解冷启动问题的能力而日益受到研究关注。RBRS利用评论构建用户和物品的表示。然而，本文指出，这种对评论的依赖反而可能使系统面临被恶意攻击的风险。为探究这一可能性，本文提出首个面向RBRS的基于生成的攻击模型。具体而言，我们通过强化学习训练一个虚假评论生成器，通过向系统添加生成的评论强制改变预测结果，从而恶意推广商品。通过引入辅助奖励机制，借助预训练语言模型和方面预测器提升文本流畅性与多样性，生成的评论能够实现高保真度的欺骗攻击。实验结果表明，所提出的框架能在Amazon语料库的三个领域以及Yelp语料库上成功攻击三种不同类型的RBRS。此外，人类评估显示生成的评论既流畅又信息丰富。最后，配备攻击评论生成器（ARG）后，采用对抗训练的RBRS对恶意评论具有更强的鲁棒性。