Balancing Imperceptible and Aggressive Poisoning Attack for Recommender Systems: A Simple Multinomial Diffusion Model

Online platforms’ openness makes recommender systems (RSs) susceptible to data poisoning attacks, where malicious user profiles are injected into the training dataset to distort recommendation outcomes. However, existing poisoning attack methods often struggle to achieve an optimal effectiveness on both imperceptibility and aggressiveness. To address this issue, we propose a novel poisoning attack method for RSs, named MDPAttack, which consists of three key modules, each focusing on imperceptibility and aggressiveness. Specifically, we first train a Multinomial Diffusion Model (MDM) to model discrete rating data, effectively minimizing information loss during data processing and thereby enhancing the imperceptibility of the generated profiles. Then, we combine the influence function with the Fast Gradient Sign Method (FGSM) to iteratively improve the aggressiveness of poisoning profiles by leveraging template profiles. Finally, these two properties are seamlessly integrated within the MDPAttack framework. Extensive experiments on both classic and modern deep learning-based RSs demonstrate that MDPAttack generates highly imperceptible profiles while maintaining attack performance comparable to state-of-the-art methods.