Shilling attacks against recommender systems: a comprehensive survey

Gunes I., KALELİ C., BİLGE A., Polat H.

ARTIFICIAL INTELLIGENCE REVIEW, vol.42, no.4, pp.767-799, 2014 (SCI-Expanded)

  • Publication Type: Article
  • Volume: 42 Issue: 4
  • Publication Date: 2014
  • Doi Number: 10.1007/s10462-012-9364-9
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus
  • Page Numbers: pp.767-799
  • Keywords: Shilling, Profile injection, Push/nuke attacks, Collaborative filtering, Robustness, Attack detection, ROBUSTNESS, MANIPULATION, STRATEGIES, TRUST
  • Anadolu University Affiliated: Yes


Online vendors employ collaborative filtering algorithms to provide recommendations to their customers so that they can increase their sales and profits. Although recommendation schemes are successful in e-commerce sites, they are vulnerable to shilling or profile injection attacks. On one hand, online shopping sites utilize collaborative filtering schemes to enhance their competitive edge over other companies. On the other hand, malicious users and/or competing vendors might decide to insert fake profiles into the user-item matrices in such a way that they can affect the predicted ratings to their advantage. In the past decade, various studies have been conducted to scrutinize different shilling attack strategies, profile injection attack types, shilling attack detection schemes, and robust algorithms proposed to overcome such attacks, and to evaluate them with respect to accuracy, cost/benefit, and overall performance. Due to their popularity and importance, we survey shilling attacks in collaborative filtering algorithms. Giving an overall picture of various shilling attack types by introducing new classification attributes is imperative for further research. Explaining shilling attack detection schemes in detail and robust algorithms proposed so far might open the way to developing new detection schemes, enhancing such robust algorithms further, and even proposing new ones. Thus, we describe various attack types and introduce new dimensions for attack classification. Detailed descriptions of the proposed detection and robust recommendation algorithms are given. Moreover, we briefly explain the evaluation of the proposed schemes. We conclude the paper by discussing various open questions.