Shilling Attacks on Recommender Systems

30 snips

Nov 5, 2025

In this discussion, Aditya Chichani, a senior machine learning engineer at Walmart with a master's in data science from UC Berkeley, dives into the intriguing world of shilling attacks on recommender systems. He explains how malicious actors manipulate these systems using fake profiles to either promote items or sabotage competitors. Aditya details various attack strategies, like segmented and bandwagon attacks, revealing the alarming prevalence of fake reviews and the vulnerabilities in collaborative filtering. The conversation also highlights detection methods and the ongoing cat-and-mouse dynamics between attackers and system defenders.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Shilling Attacks Manipulate Recommendations

A shilling attack uses many fake profiles to manipulate recommender outputs by promoting or downvoting items.
Attackers scale influence by puppeteering accounts to amplify signals across the system.

INSIGHT

Collaborative Filtering Basics

Collaborative filtering predicts preferences from a user-item ratings matrix using user-user or item-item similarity.
Item-item focuses on item co-occurrence while user-user finds similar users to recommend unseen items.

INSIGHT

User-User Filtering Is Fragile

User-user collaborative filtering is vulnerable because user signals are sparse relative to catalog size.
Fake profiles can cheaply join small user neighborhoods and distort recommendations.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this episode of Data Skeptic's Recommender Systems series, Kyle sits down with Aditya Chichani, a senior machine learning engineer at Walmart, to explore the darker side of recommendation algorithms. The conversation centers on shilling attacks—a form of manipulation where malicious actors create multiple fake profiles to game recommender systems, either to promote specific items or sabotage competitors. Aditya, who researched these attacks during his undergraduate studies at SPIT before completing his master's in computer science with a data science specialization at UC Berkeley, explains how these vulnerabilities emerge particularly in collaborative filtering systems. From promoting a friend's ska band on Spotify to inflating product ratings on e-commerce platforms, shilling attacks represent a significant threat in an industry where approximately 4% of reviews are fake, translating to $800 billion in annual sales in the US alone.

The discussion delves deep into collaborative filtering, explaining both user-user and item-item approaches that create similarity matrices to predict user preferences. However, these systems face various shilling attacks of increasing sophistication: random attacks use minimal information with average ratings, while segmented attacks strategically target popular items (like Taylor Swift albums) to build credibility before promoting target items. Bandwagon attacks focus on highly popular items to connect with genuine users, and average attacks leverage item rating knowledge to appear authentic. User-user collaborative filtering proves particularly vulnerable, requiring as few as 500 fake profiles to impact recommendations, while item-item filtering demands significantly more resources. Aditya addresses detection through machine learning techniques that analyze behavioral patterns using methods like PCA to identify profiles with unusually high correlation and suspicious rating consistency. However, this remains an evolving challenge as attackers adapt strategies, now using large language models to generate more authentic-seeming fake reviews. His research with the MovieLens dataset tested detection algorithms against synthetic attacks, highlighting how these concerns extend to modern e-commerce systems. While companies rarely share attack and detection data publicly to avoid giving attackers advantages, academic research continues advancing both offensive and defensive strategies in recommender systems security.