Sequential recommendation models excel at capturing the temporal dynamics of user behavior and are widely used in domains such as e-commerce and media streaming. However, their reliance on learned interaction patterns makes them especially vulnerable to data poisoning attacks, where adversaries craft and inject malicious profiles to distort recommendations. Despite this risk, the security aspects of sequential recommenders remain largely underexplored, particularly in realistic scenarios. To address this lack, we propose the first cross-domain black-box poisoning attack for sequential recommenders. Our method transfers real user sequences from a source domain so as to craft realistic adversarial profiles for the target system. A recency-aware autoencoder generates user embeddings that capture influential interactions, while an SD-SAC reinforcement learning agent selects which profiles to inject, using a surrogate recommendation model, i.e., without accessing the target system. Experiments on MovieLens-100K (source) and a sampled version of Netflix Prize dataset (target) show that our method outperforms four strong state-of-the-art baselines, achieving up to a 60% relative improvement in Hit Ratio while maintaining high stealth.

Agate, V., Barreca, V.P., Lo Re, G., Morana, M., Virga, A. (2026). Black-Box Poisoning Attacks on Sequential Recommender Systems via Cross-Domain Profiles. In Research Challenges in Information Science 20th International Conference, RCIS 2026, Toulouse, France, May 26–29, 2026, Proceedings (pp. 456-472) [10.1007/978-3-032-26836-5_28].

Black-Box Poisoning Attacks on Sequential Recommender Systems via Cross-Domain Profiles

Agate, Vincenzo
;
Barreca, Vincenzo Pio;Lo Re, Giuseppe;Morana, Marco;Virga, Antonio
2026-05-01

Abstract

Sequential recommendation models excel at capturing the temporal dynamics of user behavior and are widely used in domains such as e-commerce and media streaming. However, their reliance on learned interaction patterns makes them especially vulnerable to data poisoning attacks, where adversaries craft and inject malicious profiles to distort recommendations. Despite this risk, the security aspects of sequential recommenders remain largely underexplored, particularly in realistic scenarios. To address this lack, we propose the first cross-domain black-box poisoning attack for sequential recommenders. Our method transfers real user sequences from a source domain so as to craft realistic adversarial profiles for the target system. A recency-aware autoencoder generates user embeddings that capture influential interactions, while an SD-SAC reinforcement learning agent selects which profiles to inject, using a surrogate recommendation model, i.e., without accessing the target system. Experiments on MovieLens-100K (source) and a sampled version of Netflix Prize dataset (target) show that our method outperforms four strong state-of-the-art baselines, achieving up to a 60% relative improvement in Hit Ratio while maintaining high stealth.
mag-2026
Settore IINF-05/A - Sistemi di elaborazione delle informazioni
9783032268358
9783032268365
Agate, V., Barreca, V.P., Lo Re, G., Morana, M., Virga, A. (2026). Black-Box Poisoning Attacks on Sequential Recommender Systems via Cross-Domain Profiles. In Research Challenges in Information Science 20th International Conference, RCIS 2026, Toulouse, France, May 26–29, 2026, Proceedings (pp. 456-472) [10.1007/978-3-032-26836-5_28].
File in questo prodotto:
File Dimensione Formato  
RCIS 2026 - paper + TOC.pdf

Solo gestori archvio

Descrizione: Paper + TOC
Tipologia: Versione Editoriale
Dimensione 1.77 MB
Formato Adobe PDF
1.77 MB Adobe PDF   Visualizza/Apri   Richiedi una copia

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/10447/708084
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 0
  • ???jsp.display-item.citation.isi??? ND
social impact