Recommender Systems (RS) have been shown to be vulnerable to injective attacks, where attackers inject limited fake user profiles to promote the exposure of target items to real users for unethical gains (e.g., economic or political advantages). Since attackers typically lack knowledge of the victim model deployed in the target RS, existing methods resort to using a fixed surrogate model to mimic the potential victim model. Despite considerable progress, we argue that the assumption that poisoned data generated for the surrogate model can be used to attack other victim models is wishful. When there are significant structural discrepancies between the surrogate and victim models, the attack transferability inevitably suffers. Intuitively, if we can identify the worst-case victim model and iteratively optimize the poisoning effect specifically against it, then the generated poisoned data would be better transferred to other victim models. However, exactly identifying the worst-case victim model during the attack process is challenging due to the large space of victim models. To this end, in this work, we propose a novel attack method called Sharpness-Aware Poisoning (SharpAP). Specifically, it employs the sharpness-aware minimization principle to seek the approximately worst-case victim model and optimizes the poisoned data specifically for this worst-case model. The poisoning attack with SharpAP is formulated as a min-max-min tri-level optimization problem. By integrating SharpAP into the iterative process for attacks, our method can generate more robust poisoned data which is less sensitive to the shift of model structure, mitigating the overfitting to the surrogate model. Comprehensive experimental comparisons on three real-world datasets demonstrate that SharpAP can significantly enhance the attack transferability.