Method for Detecting Shilling Attacks Based on Implicit Feedback in Recommender Systems

The problem of identifying shilling attacks, which are aimed at forming false ratings of objects in the recommender system, is considered. The purpose of such attacks is to include in the recommended list of items the goods specified by the attacking user. The recommendations obtained as a result of the attack will not correspond to customers' real preferences, which can lead to distrust of the recommender system and a drop in sales. The existing methods for detecting shilling attacks use explicit feedback from the user and are focused primarily on building patterns that describe the key characteristics of the attack. However, such patterns only partially take into account the dynamics of user interests. A method for detecting shilling attacks using implicit feedback is proposed by comparing the temporal description of user selection processes and ratings. Models of such processes are formed using a set of weighted temporal rules that define the relationship in time between the moments when users select a given object. The method uses time-ordered input data. The method includes the stages of forming sets of weighted temporal rules for describing sales processes and creating ratings, calculating a set of ratings for these processes, and forming attack indicators based on a comparison of the ratings obtained. The resulting signs make it possible to distinguish between nuke and push attacks. The method is designed to identify discrepancies in the dynamics of purchases and ratings, even in the absence of rating values at certain time intervals. The technique makes it possible to identify an approach to masking an attack based on a comparison of the rating values and the received attack indicators. When applied iteratively, the method allows to refine the list of profiles of potential attackers. The technique can be used in conjunction with pattern-oriented approaches to identifying shilling attacks.


Introduction
Recommender systems are one of the key elements of e-commerce systems. They are designed to personalize the offered goods and services in accordance with the interests of a particular user [1]. For example, the streaming service Netflix receives a significant number of views based on personal recommendations [2]. The recommendation system "predicts" the interests of the target user based on information about the similarity of goods, the choice of users with similar interests, and ratings of objects received from clients. Recommendations building algorithms use Original Research Article: full paper (2020), «EUREKA: Physics and Engineering» Number 5 Computer Sciences implicit and explicit feedback from the user. Implicit feedback is presented by purchases and confirmed by the user's financial spending. Explicit feedback is given by ratings and reflects the user's impressions of the offered goods [3]. If the consumer behaves in bad faith, the use of explicit feedback leads to the vulnerability of the recommendation system. A malicious user can distort the ratings of objects to change the sales of the target group. For example, to increase the demand for a specific manufacturer's goods or reduce the interest in the goods of its competitors. Therefore, when constructing recommendations, it is necessary to take into account user attacks or shilling attacks [4]. Such attacks are based on the ability to influence the user's interests using recommendations [5]. A shilling attack creates a set of fake user profiles. These profiles are used to generate artificial product ratings in the recommender system. As a result, clients of such systems receive a personalized list of objects that reflect attackers' interests. Shilling attacks provide a short-term boost in sales of goods and services important to cybercriminals. However, distorted ratings undermine the recommendations' credibility as a whole, which can lead to the long-term sales decline.
When conducting an attack, a malicious user solves two problems: falsifying ratings and masking an attack. Within the framework of the first task, the maximum possible rating without disclosing the attack is set for the target objects and the minimum rating for competing products [6]. The attack is masked by assigning ratings that are similar to those of other users. In works [1,4], a classification of attacks is presented, taking into account the knowledge used about the recommender subsystem's work. According to the method of masking, it is advisable to combine these types of attacks into three groups: concealment based on data on existing ratings of objects (1); masking using information about popular items (2); the cover-up of an attack based on product segmentation (3).
The existing methods for detecting shilling attacks are focused mainly on the formation of attack patterns using the results of explicit feedback [7]. Statistical methods and machine learning are used to build such patterns. Statistical methods are primarily focused on identifying attacks of the first group. Such methods reveal the key characteristics of the attacker's profile that distinguish it from the average user. For example, uncharacteristic high or low ratings that do not match ratings from other users. To assess compliance, such indicators as the degree of similarity with the nearest neighbors [8], the deviation from the average rating value, taking into account the number of ratings and the number of users who posted these ratings [9] are used. Machine learning methods [10] make it possible to recognize attacks from all three groups, but they are very resource-intensive. Therefore, to identify complex attacks, work [11] uses a comparison of ratings at fixed time intervals. Work [12] proposes to dynamically change the duration of time intervals at which the attack profile will be detected. In general, the first group's approaches are focused on building patterns describing the differences between fake users and real ones, depending on the type of attack. The resulting templates only partially consider the changing interests of users over time. At the same time, in practice, the priorities of consumers change dynamically, for example, with a change in social status, workplace, or study. As a result, the patterns of their behavior change and, as a result, differences with fake users, which does not allow promptly detecting an attack on ratings.
In [13], when detecting attacks, it was proposed to take into account the temporal rules [14] to describe the dynamics of sales or ratings. Such rules can set both implicit constraints on the consumer's choice [15] and the conditions for this choice. The approach based on the comparison of individual temporal rules for purchases and ratings is focused primarily on shilling attacks of the second group since users are constantly rating such objects. However, during attacks of the first group, ratings may be set irregularly. In such cases, there are no temporal rules for ratings at individual time intervals, which do not allow comparing the change in sales and ratings and detecting an attack. In [16], it is proposed to present the dynamics of forming recommendations for a given period in the form of a multilayer temporal graph. However, such a graph model does not provide a comparison of the selection and presentation of ratings.
To take into account the results of implicit feedback within the selected time period, it is advisable to describe the processes of choosing a product and setting its ratings at several successive intervals, linking them with temporal rules. Thus, to detect shilling attacks based on the identification of discrepancies between object selection processes and ratings, temporal models can be used to take into account the dynamics of the user's interests.
This study aimed to develop a method for the rapid detection of shilling attacks, taking into account the dynamics of user preferences.
To achieve the aim of research, the following objectives were set: -develop a temporal model of the process of changing of the recommender system users' preferences; -develop a method for detecting shilling attacks based on comparing the results of explicit and implicit feedback from the user; -evaluate the effectiveness of the developed method for detecting shilling attacks.

A temporal model of the process of changing of the recommender system users' preferences
Changes in the users' preferences of the recommender system with a given item are reflected in the processes of purchasing this product and setting its ratings. In order to describe the temporal order of these processes' events, the adapted temporal rules of two types are proposed: "Next" and "Future". Each of these rules sets the order in time for a pair of facts Ф m and Ф s , reflecting the choice (purchase) of a product or setting its rating. The fact becomes true when given events occur, such as the choice of a given object at a given time τ; selection of multiple instances of an item on a given subset of purchases.
Each temporal rule ( ) , j m s r specifies a relative temporal order of the early-later type. The rule ( ) , j m s r determines that after the fact Ф m of purchase of goods i j on the interval ∆τ m , the fact Ф s purchase of goods i j on the interval ∆τ s will be true. Therefore, such rules can specify temporal relationships between intervals or points in time and between subsets of facts ordered in time. The "Next" rule uses the temporal operator X, which links two successive selection/rating events [13]. When this rule is fulfilled, no true intermediate facts can exist between the facts Ф m and Ф s . The rule of type "Future" uses the temporal operator F, which connects two non-consecutive events. Between the facts Ф m and Ф s in the F-rule composition, there must be at least one intermediate fact.
The expression rule ( ) 1,2 j r (2) contains the temporal operator X since it connects the facts Ф 1 and Ф 2 of purchases (or rating assignments) on two adjacent intervals ∆τ 1 and ∆τ 2 . Dependency ( ) 1,3 j r is an example of a rule with a temporal operator F linking facts Ф 1 Ф 3 .
In addition to redefining the facts, the adaptation of temporal rules consists of setting their weights, taking into account the dynamics of the user's interests. The weight ( ) The sequence of selection of goods or setting their ratings is represented by an ordered set of normalized weights of the П W rules: Based on the sequence of weights (3)  This example presents a sequence of facts ordered in áФ 1 , Ф 2 , Ф 3 , Ф 4 , Ф 5 ñ. Such facts describe the process of choosing a given item (or setting its ratings) by various users on a continuous sequence of intervals In the example, the index j of the item is not specified for the sake of simplicity. The evaluation is formed for the current fact Ф 4 . This fact is connected with the previous facts by F-rules Ф 1 FФ 4 and Ф 2 FФ 4 , as well as the X-rule Ф 3 XФ 4 . The weights of these rules ( ) 1,4 , Thus, estimate (4) on each current interval ∆τ s shows how users' preferences have changed to the product i j compared with all previous time intervals.
Then the model M ( j) of the process of changing the user's preferences for the subject i j is a sequence of evaluations ( ) j s W ordered by intervals ∆τ s This model describes the change in sales or ratings for each interval ∆τ s , which makes it possible to reveal the falsification of ratings by step-by-step comparison of the corresponding evaluations ( ) .

Method for detecting shilling attacks based on comparing the results of explicit and implicit feedback from the user
The presented method, when detecting shilling attacks, compares the models of the processes of changing user preferences (5), obtained as a result of implicit (sales) and explicit (ratings) feedback. The method forms a quantitative assessment of the discrepancies between these processes. The initial data of the method are: sales list L; list of Q ratings; analysis period T; object of possible attack i j ; a subset of users -potential attackers U={u k }; the level of time detail (hour, day, week, month), represented by the length of the interval ∆τ s . The original sales and rating lists include the following elements: u k user id; the moment of choosing/setting the rating τ s ; the number n k of goods i j sold to the user n k ; rating ρ k of product i j , set by user n k .

Computer Sciences
The method includes the following stages. are taken into account.
Step 5. 1. Formation of a set of quantitative discrepancies D ( j) between the purchasing and rating processes: are summed up modulo in the case of oppositely directed changes in demand and rating, since such a multidirectionalness may indicate a possible attack.
Step 5. 2. Formation of the set of features A ( j) of a possible attack of fake users based on the discrepancies D ( j) : The condition of equality of the ratings The algorithm implementing this method is shown in Fig. 2. The algorithm includes the following steps. Computer Sciences Step 1. The input of initial data. At this step, it is necessary to enter data on sales L, rating Q, period T, subject i j ; users U, and the granularity levels of the time. The granularity of time depends on the format of timestamps in sales and rating logs.
Step 2. Dividing the period T into time intervals ∆τ s . At this step, a time granularity level is selected that provides the highest value of the weights of the sales process rules , , for all intervals from period T. The result of this step is a set of intervals ∆τ s for period T.
Step 3. Implementation of the developed method for detecting shilling attacks.
Step 4. Clarification of the list of users. From the set U at n iterations, users ( ) , n k u are removed who did not set ratings at intervals ∆τ s with a sign ( ) 0, ≠ j s a since these users did not take part in distorting ratings. The result of the step is a subset of users U (n) , containing potential attackers.
Step 5. Checking the algorithm's termination condition ( ) according to which the number of users at the current n iteration has not changed compared to iteration n-1. When this condition is met, the operation of the algorithm ends. Otherwise, step 6 is performed.
Step 6. Refinement of the set of Q ratings. User ratings are removed from this set since these users ( ) , n k u are not attackers. Next, the transition to the execution of the method at step 3 of the algorithm is performed.

Results of experimental evaluation of the method for detecting shilling attacks
The experiment's goal was to test the effectiveness of the method for detecting shilling attacks on a time-ordered dataset of ratings and sales without information about absolute values of points in time. The basic assumption was that using a relative time scale and taking into account the use of F-rules, it is possible to distinguish intervals by the number of purchases of goods or services. In [17], it was shown that it is possible to form a description of the process by ordering events on the "earlier-later" time scale, taking into account their attributes, which makes it possible to justify this assumption.
The experiment included two phases. In the first phase, attacks were detected on the initial data set and an analysis of ways to conceal an attack. In the second phase, the proposed method's effectiveness is compared with the methods [11,12], which, similarly to the proposed method, implement the partitioning of the initial data set into time intervals.
During the experiment, a dataset was used with information about the reading and ratings of several million books [18]. Read, and rating entries are ordered by time, but there are no absolute 1. The іnput of initial data 2. Dividing the time period T into intervals ∆τs. were formed on subsets of the input data from a fixed number of records.
The first phase looked at detecting attacks over long periods, represented by a large number of purchases. When constructing facts, subsets of 100,000 consecutive items (reading, ratings) were used. Such subsets correspond to the original intervals of the method and are denoted by ∆ s . The results of the method's key steps for the target i 10000 (book with id=10000) are presented in Table 1. Table 1 Method implementation results Step number The results of steps 4. 1 and 4. 2 in the Table 1 contains a description of the process of selecting an i 10000 object by users, as well as the process of forming ratings for this object. For example, according to the results of step 4.1, for the second subset ∆ 2 , only one temporal rule ( ) , a in turn, indicates a possible attack aimed at increasing the rating. The indicators of the rating dynamics for ∆ 5 and ∆ 6 were formed using the rules for ∆ 4 , since the rating for the i 10000 object was not presented in the indicated subsets.
The experiment results with the selected object make it possible to analyze approaches to masking an attack. Revealing a method of concealing a possible attack is carried out based on a comparison of the signs of a shilling attack: ( )  greater than 50 % of the maximum indicates possible concealment of an attack using popular items. A check was carried out on popular properties (with a large number of purchases) to confirm this. For example, the popular i 10 has been selected over 91,000 times. The rating of this object increases on sets ∆ 9 and ∆ 10 , which confirms the hypothesis about masking the attack using the rating of popular items.
Thus, this method allows to identify ways to mask an attack in conditions of incomplete rating data using data ordered on an "earlier-later" timeline.
The second phase of the experiment is devoted to comparing the proposed method's effectiveness with those of [11,12]. These methods perform splitting into intervals under the condition of a sharp change in rating values over a limited period. The accuracy evaluation was used for comparing the methods. The accuracy evaluation is defined as the number of detected attacks to the number of all attacks. Attacks have been generated to downgrade (nuke attacks) and increase (push attacks) ratings of three targeted items. In the first case, the rating was set equal to zero, and in the secondequal to 5. These attacks were included in the set of Q ratings. Previously, in accordance with the algorithm in Fig. 2, the division into intervals was performed using evaluation of changes in user preferences for three books. The interval with the maximum weight value (4), taking into account rounding, was 9000 purchases. The results of the second phase of the experiment are shown in Fig. 4, 5.   Fig. 4. Comparison of the detection accuracy of nuke attacks for different methods The method [12] for detecting anomalies based on dynamic division for time series is represented by the abbreviation DP. The method [11] for detecting anomalous elements based on time intervals is represented by abbreviating TI. The developed method is represented by the abbreviation EF (Explicit Feedback).
At the initial stage of rating falsification, when forming up to 10 attacks to increase the rating (push attacks), the developed EF method allows increasing the accuracy from 8 % to 23 % compared to the DP method, and by more than 30 % compared to the TI method. In nuke (downgrade) attacks, the increase in accuracy at the initial stage ranged from 5 to 23 % compared to the DP method and over 30 % for the TI method. However, in the future, as the number of attacks increases, DP, TI methods show similar or higher accuracy compared to EF. Such characteristics determine that the scope of the developed method is the initial stage of actions of an attacking user.

Discussion of the results of developing a method for detecting shilling attacks
The result of the work is a method for identifying shilling attacks of users based on a quantitative assessment of inconsistencies in the temporal characteristics of the purchasing processes and rating, reflecting the results of objective and subjective feedback from the user. The method uses temporal rules (1), which describe the change in sales or ratings of the same object for arbitrary pairs of time intervals. A set (2) of such rules describes the general temporal characteristics of the processes of selecting a target product and setting its ratings.
The method builds models (5) of the processes of changing user preferences, using weighted temporal rules. The difference from interval methods [11,12] is that the signs of shilling attacks are revealed by comparing the elements (4) of the models of processes of purchasing and forming ratings. The result of the method is a list of possible attack intervals for a given list of users.
The difference between the proposed method and [13] in detecting a shilling attack consists in the use of a set of temporal rules that associate all previous intervals with the current one (Fig. 1), which makes it possible to obtain a generalized estimate of the discrepancies between sales and rating.
The advantage of the method is the ability to identify discrepancies between the dynamics of purchases and ratings at the initial stages of the attack (Fig. 4). Also, in the case of the incompleteness of the latter ( Table 1). When implemented iteratively, the method allows a detailed list of potential attackers. Comparative analysis of the attack indicators obtained as a result of the method execution allows to classify the used approaches to attack masking (Fig. 2).
The method allows increasing the accuracy by at least 8 % for attacks to increase the rating (Fig. 5) and 5 % in attacks to downgrade (Fig. 4) at the very beginning of the actions of attacking users, with a small number of attacks. Therefore, it is advisable to use the method online in order to identify changes in the behavior of attacking users quickly.
The disadvantage of this method is that the detection of an attack does not take into account the possible partial time shift between purchases and ratings. The bias is due to the fact that some users give a rating after a purchase with a delay. The effect of this bias depends on the granularity of time. The longer the length of the time intervals, the less the impact of the rating lag.
The method imposes a time ordering constraint on the input. The additional requirement for timestamps in the input allows to identify the intervals of the attack more accurately.
The developed method is intended for iterative refinement of both the time intervals for carrying out shilling attacks and the list of possible attackers under conditions of periodic changes in real users' interests, including online. The method forms a process description of user actions and, therefore, can be applied to identify abnormal situations in process-oriented systems after adaptation.
Further development of the method is associated with the use of rules with the temporal operator "Until," which will allow formalizing the change of interests of user groups as a result of external events, for example, large presentations of new goods and services. Combining the considered temporal rules will make it possible to take into account both periodic and seasonal changes in user requirements when detecting shilling attacks.

Conclusions
1. A temporal model of changing the preferences of the users of the recommender system has been developed. The model is characterized by using a time-ordered sequence of numerical evaluations of changes in user preferences for the target item. Each evaluation specifies the change for the current interval concerning the previous time intervals. The model allows to estimate the increase or decrease in the user's interest in the target subject in the current range compared to all previous time intervals. A comparison of models obtained based on explicit and implicit feedback makes it possible to identify attacks aimed at artificially changing items' ratings.
2. A method for detecting shilling attacks based on a comparison of the processes of changing user preferences in sales and rating assignments for a given period is proposed. This method differs from the existing ones by using a temporally ordered set of generalized evaluations of the discrepancies between these processes to detect shilling attacks.
The proposed method allows for detecting shilling attacks at the initial stage of rating falsification in the absence of ratings at certain intervals within a given period. The method allows Original Research Article: full paper (2020), «EUREKA: Physics and Engineering» Number 5 Computer Sciences identifying approaches to masking an attack taking into account the current combination of rating values and attack indicators, as well as iteratively refining the list of fake user profiles. 3. Experimental evaluation of the method was carried out on data sets obtained as a result of implicit and explicit communication from users. The experimental results showed an increase in the detection accuracy at the initial stages of a push attack by at least 5 %, and a nuke attack by at least 8 %, which makes it possible to apply the method in the online mode of the recommender system.