融合物品标签信息的推荐系统投毒攻击检测方法研究

梁峰; 郝耀军; 袁高杰; 李菊霞; 冯丽萍

引用本文：

梁峰,郝耀军,袁高杰,李菊霞,冯丽萍.融合物品标签信息的推荐系统投毒攻击检测方法研究[J].信息安全学报,已采用 [点击复制]
liangfeng,haoyaojun,yuangaojie,李菊霞,fengliping.A Study on Poisoning Attack Detection Methods for Rec-ommender Systems Integrating Item Tag Information[J].Journal of Cyber Security,Accept [点击复制]

本文已被：浏览 264次下载 0次
融合物品标签信息的推荐系统投毒攻击检测方法研究
梁峰¹, 郝耀军², 袁高杰¹, 李菊霞¹, 冯丽萍²
0 字体:加大+\|默认\|缩小-
(1.山西农业大学;2.忻州师范学院)

摘要:

推荐系统因其开放性，容易被注入恶意用户概貌，其推荐结果易被有目的地操纵。现有的检测方法主要关注评分行为，忽略项目标签等关键语义信息，难以有效应对复杂或高伪装性的攻击。为此，本文提出了一种融合3D-CNN和多头Performer注意力机制的投毒攻击检测方法3DCPA-PAD。首先，该方法通过构建用户-项目-标签三维张量表示，融合评分行为与项目标签之间的多源语义信息，实现多源异构数据的统一建模。其次，为捕捉局部-全局行为特征，引入三维卷积神经网络提取局部评分模式，并融合多头Performer注意力机制学习评分行为间的全局依赖关系。针对局部与全局特征融合难以自适应的问题，采用门控残差融合策略以增强多维特征间的动态协同。最后，为缓解不同用户类别间的特征模糊问题，引入对比学习以提升模型对虚假用户识别能力；同时结合数据增强与对抗训练策略，缓解评分稀疏与行为扰动带来的鲁棒性不足问题。本文在Movielens-1M和Amazon两个推荐系统数据集上开展对比实验，结果显示所提出的3DCPA-PAD方法可以在多类型数据投毒攻击场景下较基线检测方法提高检测性能。

关键词: 推荐系统投毒攻击检测标签信息三维卷积神经网络注意力机制

DOI：

投稿时间：2025-10-07修订日期：2026-03-13

基金项目:国家自然科学基金项目（面上项目，重点项目，重大项目）

A Study on Poisoning Attack Detection Methods for Rec-ommender Systems Integrating Item Tag Information

liangfeng¹, haoyaojun², yuangaojie¹, 李菊霞¹, fengliping²

(1.Shanxi Agricultural University;2.Xinzhou Normal University)

Abstract:

Recommender systems are vulnerable to malicious user profile injection due to their openness, making their rec-ommendation results susceptible to intentional manipulation. Existing detection methods mainly focus on rating behaviors while neglecting critical semantic information such as item tags, making them less effective against com-plex or highly camouflaged attacks. To address this issue, this paper proposes a poisoning attack detection method named 3DCPA-PAD, which integrates 3D convolutional neural networks (3D-CNN) with the Multi-Head Performer Attention mechanism. Specifically, the proposed method constructs a user–item–tag three-dimensional tensor to fuse multi-source semantic information between rating behaviors and item tags, enabling unified modeling of het-erogeneous data. To capture both local and global behavioral features, a 3D-CNN is utilized to extract local rating patterns, while the Multi-Head Performer Attention mechanism is incorporated to learn global dependencies among rating behaviors. To address the challenge of adaptively fusing local and global features, a gated residual fusion strategy is introduced to enhance dynamic coordination among multi-dimensional features. Furthermore, to allevi-ate the feature ambiguity between different user categories, contrastive learning is employed to improve the model""s ability to identify malicious users. Additionally, data augmentation and adversarial training strategies are incorpo-rated to mitigate the issues of rating sparsity and behavioral perturbations, thereby enhancing model robustness. Comparative experiments conducted on two benchmark recommender system datasets, Movielens-1M and Amazon, demonstrate that the proposed 3DCPA-PAD method outperforms baseline detection approaches under various poi-soning attack scenarios.

Key words: recommender system poisoning attack detection item tag information 3D convolutional neural network attention mechanism