One-step Reconstruction Diffusion Model for Poisoning Attack on QoS-aware cloud API Recommender System
Abstract (translated from the Chinese): Quality of Service (QoS)-aware cloud Application Programming Interface (API) recommender systems guide users in discovering high-quality cloud APIs and thereby effectively relieve the information overload caused by the ever-growing number of cloud APIs. However, existing research on QoS-aware cloud API recommender systems focuses mainly on improving recommendation accuracy and ignores the security risks posed by poisoning attacks. To address this, from the perspective of learning defense through attacking, this study proposes a Preference-guided Diffusion-model-based Poisoning Attack framework (PDPA) built on a one-step reconstruction diffusion model to simulate poisoning attacks and reveal the vulnerability of cloud API recommender systems. First, PDPA uses a one-step reconstruction diffusion model to separately model the QoS and invocation distributions of real users over cloud APIs, generating fake users whose QoS values and invocation behaviour resemble those of real users. Next, PDPA selects fake users that have an invocation preference for the target cloud API to simulate the poisoning attack, which effectively reduces the interference of the target cloud API with the concealment of the fake users while ensuring their attack effect. Finally, extensive experiments on a real-world dataset show that QoS-aware cloud API recommender systems are vulnerable to poisoning attacks and that the fake users generated by PDPA outperform baseline methods in both attack effect and concealment.

Abstract:
Objective: In the cloud era, the cloud Application Programming Interface (cloud API), as the best carrier for data output, capability replication and service delivery, has become an indispensable core element of service-oriented software development and operation. With the rapid increase in the number of cloud APIs, it is difficult for users to choose among the many cloud APIs with the same functions. For this purpose, researchers introduced Quality of Service (QoS) to differentiate cloud APIs effectively by their non-functional attributes, and QoS-aware cloud API recommender systems (QARS) are playing an increasingly important role in guiding users to the most suitable cloud API. However, existing research focuses mainly on improving the accuracy of QARS and ignores the security risks that arise from the economic value of cloud APIs and the openness of the network environment. These risks are especially evident in poisoning attacks: attackers manipulate the recommendations by injecting fake users, seriously damaging the fairness and credibility of the QoS-aware cloud API recommender system. To counter this threat, this paper reveals the attack mechanism of diffusion model-based attack methods from the perspective of learning defense through attacking, so as to inspire the design of corresponding defense methods.

Methods: This paper systematically defines the attack process of poisoning attacks and the structure of fake user profiles, and proposes the attack scale as a parameter for flexibly simulating poisoning attacks. Then, to reveal the attack principle of diffusion model-based attack methods, this paper proposes a Preference-guided one-step reconstruction Diffusion model-based Poisoning Attack framework (PDPA) to simulate poisoning attacks. Following the collaborative principle that similar users tend to have similar preferences toward cloud APIs, the fake users generated by an attack method must keep both their QoS values and their distribution of cloud API invocations similar to those of real users, so that the collaborative influence of the fake users can interfere with the QARS's modeling of user preferences. PDPA therefore aims to generate fake users that resemble real users. First, PDPA uses the One-step reconstruction Diffusion Model (ODM) to model the QoS data and the invocation distribution of real users, respectively. ODM avoids the error accumulation of the iterative denoising process in standard diffusion models, which stems from their dependence on the noise at each step, so that the cloud API invocation behaviour of the generated fake users resembles that of real users and the fake users can effectively exert collaborative influence. Then, to improve attack performance, PDPA systematically selects the fake users that have a preference for invoking the target cloud API and fills in the maximum QoS value for it. This not only strengthens the attack effect of the fake users but also reduces the interference that adding the target cloud API causes to their invocation behaviour, preserving their concealment.

Results and Discussions: The experiments were conducted on the real-world QoS dataset WS-DREAM. First, six recommendation methods were used as target recommender systems and six baseline attack methods were used to simulate poisoning attacks. The experimental results (Table 3) reveal the vulnerability of the recommender systems to poisoning attacks: every attack method degrades the accuracy of the recommender system. PDPA achieves the best attack performance in most experimental settings, which is attributed to its sufficient modeling of user invocation preferences, enabling the fake users to exert collaborative influence on the QARS effectively. Second, the F1 scores and the latent-space distributions of the fake users generated by ODM and by the standard diffusion model were compared. The experimental results (Figure 2) verify that ODM is superior to the standard diffusion model both in stealth and in the low-dimensional visualization. Next, an ablation study on each module of PDPA was conducted. The experimental results (Tables 4 and 5) verify that each module of PDPA is necessary for the attack performance and concealment of the fake users. Finally, MAE and F1 were compared across attack scales to examine the impact of the attack scale on the attack effect and concealment of the fake users. The experimental results (Figure 3 and Table 6) indicate that increasing the attack scale effectively enhances the attack performance but also increases the number of detected fake users.

Conclusions: To counter the threat of poisoning attacks, this paper explores the attack process and the key attack parameters of poisoning attacks, and reveals the vulnerability of the QoS-aware cloud API recommender system by simulating poisoning attacks. By constructing PDPA to simulate poisoning attacks on QARS, this paper demonstrates the significant potential of diffusion models in poisoning attacks and validates, through ablation studies, the necessity of modeling QoS data and cloud API invocations separately. Furthermore, PDPA reveals the underlying mechanism by which fake users are generated with diffusion models, providing insights for the design of targeted countermeasures.
Key words:
- Recommender System /
- Poisoning Attack /
- Quality of Service /
- Diffusion Model /
- Preference Guidance
Table 1 Statistical characteristics of the response-time dataset

| Statistic | Value |
|---|---|
| Number of users | 339 |
| Number of cloud APIs | 5,825 |
| Data range | (0, 20] |
| Mean response time | 0.9085 |

Table 2 Cloud API configuration strategies of the different poisoning attack methods

| Method | Average | Bandwagon | Random | AUSH | DDPM | LDM | PDPA |
|---|---|---|---|---|---|---|---|
| $ {A}^{S} $ | − | r_Bandwagon | − | r_Bandwagon | − | − | − |
| $ {A}^{R} $ | r_Average | r_Bandwagon | r_Random | r_AUSH | r_DDPM | r_LDM | r_PDPA |
| $ {A}^{\phi } $ | − | − | − | − | − | − | − |
| $ {A}^{T} $ | r_max | r_max | r_max | r_max | r_max | r_max | r_max |

Table 3 Comparison of attack performance

| Attack method | LR | MLP | DeepFM | AFM | DCN | XSimGCL |
|---|---|---|---|---|---|---|
| None | 0.6631 | 0.5217 | 0.5079 | 0.7707 | 0.5403 | 0.9081 |
| Average | 0.6798 | 0.5218 | 0.5196 | 0.7727 | 0.5464 | 0.9091 |
| Bandwagon | 0.6759 | 0.5250 | 0.5270 | 0.7878 | 0.5498 | 0.9088 |
| Random | 0.6702 | 0.5240 | 0.5247 | 0.7565 | 0.5434 | 0.9083 |
| AUSH | 0.6788 | 0.5328 | 0.5279 | 0.8287 | 0.5526 | 0.9108 |
| DDPM | 0.6675 | 0.5240 | 0.5234 | 0.8230 | 0.5534 | 0.9110 |
| LDM | 0.6921 | 0.5383 | 0.5273 | 0.8528 | 0.5502 | 0.9227 |
| PDPA | 0.6987 | 0.5420 | 0.5386 | 0.8378 | 0.5602 | 0.9122 |
| Improvement (%) | 0.95 | 0.69 | 2.02 | −1.79 | 1.22 | −0.15 |

Note: in the original, bold marks the best attack performance and underline the second best.

Table 4 Comparison of attack performance (ablation)

| Attack method | LR | MLP | DeepFM | AFM | DCN | XSimGCL |
|---|---|---|---|---|---|---|
| W/O-G | 0.6748 | 0.5339 | 0.5363 | 0.8130 | 0.5521 | 0.9050 |
| W/O-P | 0.6730 | 0.5379 | 0.5366 | 0.8037 | 0.5530 | 0.9070 |
| W/O-ALL | 0.6631 | 0.5240 | 0.5234 | 0.8078 | 0.5502 | 0.9010 |
| PDPA | 0.6987 | 0.5420 | 0.5386 | 0.8378 | 0.5602 | 0.9122 |

Table 5 Comparison of concealment

| Attack method | DegreeSAD | FAP | SemiSAD | PCA |
|---|---|---|---|---|
| W/O-G | 0.8415 | 0.7858 | 0.8599 | 0.8816 |
| W/O-P | 0.8662 | 0.7912 | 0.8635 | 0.8681 |
| W/O-ALL | 0.8541 | 0.7771 | 0.8651 | 0.8513 |
| PDPA | 0.8167 | 0.7592 | 0.8522 | 0.8502 |

Table 6 Comparison of concealment under different attack scales

| Attack method | Attack scale | DegreeSAD | FAP | SemiSAD | PCA |
|---|---|---|---|---|---|
| Average | 0.1 | 0.9378 | 0.9207 | 0.8993 | 0.9012 |
| Average | 0.2 | 0.9426 | 0.9175 | 0.8978 | 0.9181 |
| Bandwagon | 0.1 | 0.9154 | 0.9113 | 0.9426 | 0.8911 |
| Bandwagon | 0.2 | 0.8654 | 0.9039 | 0.9603 | 0.9102 |
| Random | 0.1 | 0.9414 | 0.9211 | 0.8983 | 0.9213 |
| Random | 0.2 | 0.9133 | 0.8745 | 0.8843 | 0.8954 |
| AUSH | 0.1 | 0.8534 | 0.7653 | 0.8652 | 0.8427 |
| AUSH | 0.2 | 0.8562 | 0.7665 | 0.8768 | 0.8827 |
| DDPM | 0.1 | 0.8654 | 0.7575 | 0.8874 | 0.8868 |
| DDPM | 0.2 | 0.8547 | 0.7825 | 0.8737 | 0.8823 |
| LDM | 0.1 | 0.8741 | 0.7586 | 0.8564 | 0.8789 |
| LDM | 0.2 | 0.8597 | 0.7653 | 0.8696 | 0.8724 |
| PDPA | 0.1 | 0.8267 | 0.7552 | 0.8532 | 0.8416 |
| PDPA | 0.2 | 0.8289 | 0.7606 | 0.8592 | 0.8723 |