Data poisoning attacks spoof a recommender system into making arbitrary, attacker-desired recommendations by injecting fake users with carefully crafted rating scores into the recommender system. We envision a cat-and-mouse game between such data poisoning attacks and their defenses, i.e., new defenses are designed to defend against existing attacks, and new attacks are designed to break them. To prevent such a cat-and-mouse game, in this work we propose PORE, the first framework for building provably robust recommender systems. PORE can transform any existing recommender system into one that is provably robust against any untargeted data poisoning attack, i.e., an attack that aims to reduce the overall performance of a recommender system. Suppose PORE recommends top-$N$ items to a user when there is no attack. We prove that PORE still recommends at least $r$ of the $N$ items to the user under any data poisoning attack, where $r$ is a function of the number of fake users in the attack. Moreover, we design an efficient algorithm to compute $r$ for each user. We empirically evaluate PORE on popular benchmark datasets.
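As an added illustration (not PORE's own algorithm or code), the toy below shows the shape of the guarantee the abstract states: a certified count $r$ of clean top-$N$ items that is a function of the number $e$ of fake users. It wraps a plain popularity recommender in disjoint user partitions with one vote per partition, so each fake user can alter at most one partition's vote; the dataset, the partition rule and the base recommender are all constructed assumptions.

```python
from collections import Counter

# Constructed toy data (assumption, not the paper's dataset): user id -> items rated highly.
CLEAN = {
    1: ["a", "b"], 2: ["a", "b"], 3: ["a", "c"], 4: ["a", "c"], 5: ["a", "b"],
    6: ["b", "a", "d"], 7: ["a", "b"], 8: ["a", "c", "b"], 9: ["a", "b"], 10: ["a", "b", "c"],
    11: ["a", "c"], 12: ["c"], 13: ["c"], 14: ["c", "d"], 15: ["a"],
}
M, N = 5, 2  # number of user partitions, length of the recommendation list


def base_recommend(ratings, n):
    """Base model: top-n most-rated items in this partition, ties broken by item id."""
    counts = Counter(item for items in ratings.values() for item in set(items))
    return [item for item, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]


def item_votes(ratings, m=M, n=N):
    """Assign each user to one of m partitions; each partition's base model casts one vote per item."""
    parts = [{} for _ in range(m)]
    for uid, items in ratings.items():
        parts[uid % m][uid] = items  # any fixed per-user rule works: a fake user hits exactly one partition
    votes = Counter()
    for part in parts:
        if part:
            votes.update(base_recommend(part, n))
    return votes


def recommend(ratings, m=M, n=N):
    """Ensemble top-n: items with the most partition votes, ties broken by item id."""
    votes = item_votes(ratings, m, n)
    return [item for item, _ in sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]


def certified_overlap(ratings, e, m=M, n=N):
    """r(e): clean top-n items guaranteed to remain in the top-n under any attack with <= e fake users.
    e fake users change at most e partitions, so every item's vote count moves by at most e."""
    votes = item_votes(ratings, m, n)
    r = 0
    for i in recommend(ratings, m, n):
        low = votes[i] - e  # worst-case votes for i; ties are assumed to go against i
        if low <= e:  # even a never-seen item (0 votes) could catch up with i
            continue
        rivals = sum(1 for j, v in votes.items() if j != i and v + e >= low)
        if rivals < n:  # fewer than n items can overtake i, so i stays in the list
            r += 1
    return r


def overlap_under_attack(fake_users, m=M, n=N):
    """Empirical check for one concrete attack: items shared by the clean and poisoned top-n lists."""
    poisoned = {**CLEAN, **fake_users}  # fake ids must not collide with genuine users
    return len(set(recommend(CLEAN, m, n)) & set(recommend(poisoned, m, n)))
```

For this data the clean list is `["a", "b"]` and the certified counts are r(0)=2, r(1)=1, r(2)=0; any concrete attack with e fake users yields an overlap of at least r(e), while the actual overlap can be larger because the bound is conservative.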