Sequential recommendation models excel at capturing the temporal dynamics of user behavior and are widely used in domains such as e-commerce and media streaming. However, their reliance on learned interaction patterns makes them especially vulnerable to data poisoning attacks, where adversaries craft and inject malicious profiles to distort recommendations. Despite this risk, the security aspects of sequential recommenders remain largely underexplored, particularly in realistic scenarios. To address this lack, we propose the first cross-domain black-box poisoning attack for sequential recommenders. Our method transfers real user sequences from a source domain so as to craft realistic adversarial profiles for the target system. A recency-aware autoencoder generates user embeddings that capture influential interactions, while an SD-SAC reinforcement learning agent selects which profiles to inject, using a surrogate recommendation model, i.e., without accessing the target system. Experiments on MovieLens-100K (source) and a sampled version of Netflix Prize dataset (target) show that our method outperforms four strong state-of-the-art baselines, achieving up to a 60% relative improvement in Hit Ratio while maintaining high stealth.
Agate, V., Barreca, V.P., Lo Re, G., Morana, M., Virga, A. (2026). Black-Box Poisoning Attacks on Sequential Recommender Systems via Cross-Domain Profiles. In Research Challenges in Information Science 20th International Conference, RCIS 2026, Toulouse, France, May 26–29, 2026, Proceedings (pp. 456-472) [10.1007/978-3-032-26836-5_28].
Black-Box Poisoning Attacks on Sequential Recommender Systems via Cross-Domain Profiles
Agate, Vincenzo
;Barreca, Vincenzo Pio;Lo Re, Giuseppe;Morana, Marco;Virga, Antonio
2026-05-01
Abstract
Sequential recommendation models excel at capturing the temporal dynamics of user behavior and are widely used in domains such as e-commerce and media streaming. However, their reliance on learned interaction patterns makes them especially vulnerable to data poisoning attacks, where adversaries craft and inject malicious profiles to distort recommendations. Despite this risk, the security aspects of sequential recommenders remain largely underexplored, particularly in realistic scenarios. To address this lack, we propose the first cross-domain black-box poisoning attack for sequential recommenders. Our method transfers real user sequences from a source domain so as to craft realistic adversarial profiles for the target system. A recency-aware autoencoder generates user embeddings that capture influential interactions, while an SD-SAC reinforcement learning agent selects which profiles to inject, using a surrogate recommendation model, i.e., without accessing the target system. Experiments on MovieLens-100K (source) and a sampled version of Netflix Prize dataset (target) show that our method outperforms four strong state-of-the-art baselines, achieving up to a 60% relative improvement in Hit Ratio while maintaining high stealth.| File | Dimensione | Formato | |
|---|---|---|---|
|
RCIS 2026 - paper + TOC.pdf
Solo gestori archvio
Descrizione: Paper + TOC
Tipologia:
Versione Editoriale
Dimensione
1.77 MB
Formato
Adobe PDF
|
1.77 MB | Adobe PDF | Visualizza/Apri Richiedi una copia |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.


