TY - JOUR
T1 - Understanding the Manipulation on Recommender Systems through Web Injection
AU - Zhang, Yubao
AU - Xiao, Jidong
AU - Hao, Shuai
AU - Wang, Haining
AU - Zhu, Sencun
AU - Jajodia, Sushil
N1 - Funding Information:
Manuscript received April 24, 2019; revised September 14, 2019 and November 1, 2019; accepted November 2, 2019. Date of publication November 20, 2019; date of current version July 17, 2020. This work was supported in part by the Army Research Office under Grant W911NF-13-1-0421 and Grant W911NF-19-1-0049 and in part by the National Science Foundation under Grant CNS-1618117 and Grant CNS-1822094. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Wei Yu. (Corresponding author: Yubao Zhang.) Y. Zhang is with the Department of Electrical and Computer Engineering, University of Delaware, Newark, DE 19716 USA (e-mail: ybzhang@udel.edu).
Publisher Copyright:
© 2005-2012 IEEE.
PY - 2020
Y1 - 2020
N2 - Recommender systems have been increasingly used in a variety of web services, providing a list of recommended items in which a user may have an interest. While important, recommender systems are vulnerable to various malicious attacks. In this paper, we study a new security vulnerability in recommender systems caused by web injection, through which malicious actors stealthily tamper with any unprotected in-transit HTTP webpage content and force victims to visit specific items in some web services (even running HTTPS), e.g., YouTube. By doing so, malicious actors can promote their targeted items in those web services. To obtain a deeper understanding of the recommender systems of our interest (including YouTube, Yelp, Taobao, and 360 App market), we first conduct a measurement-based analysis on several real-world recommender systems by leveraging machine learning algorithms. Then, web injection is implemented in three different types of devices (i.e., computer, router, and proxy server) to investigate the scenarios where web injection could occur. Based on the implementation of web injection, we demonstrate that it is feasible and sometimes effective to manipulate the real-world recommender systems through web injection. We also present several countermeasures against such manipulations.
AB - Recommender systems have been increasingly used in a variety of web services, providing a list of recommended items in which a user may have an interest. While important, recommender systems are vulnerable to various malicious attacks. In this paper, we study a new security vulnerability in recommender systems caused by web injection, through which malicious actors stealthily tamper with any unprotected in-transit HTTP webpage content and force victims to visit specific items in some web services (even running HTTPS), e.g., YouTube. By doing so, malicious actors can promote their targeted items in those web services. To obtain a deeper understanding of the recommender systems of our interest (including YouTube, Yelp, Taobao, and 360 App market), we first conduct a measurement-based analysis on several real-world recommender systems by leveraging machine learning algorithms. Then, web injection is implemented in three different types of devices (i.e., computer, router, and proxy server) to investigate the scenarios where web injection could occur. Based on the implementation of web injection, we demonstrate that it is feasible and sometimes effective to manipulate the real-world recommender systems through web injection. We also present several countermeasures against such manipulations.
UR - http://www.scopus.com/inward/record.url?scp=85088867095&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85088867095&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2019.2954737
DO - 10.1109/TIFS.2019.2954737
M3 - Article
AN - SCOPUS:85088867095
SN - 1556-6013
VL - 15
SP - 3807
EP - 3818
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
M1 - 8907865
ER -