One-step Reconstruction Diffusion Model-based Poisoning Attack on QoS-aware Cloud API Recommender Systems
Abstract (translated from the Chinese): Quality of Service (QoS)-aware cloud Application Programming Interface (API) recommender systems guide users to high-quality cloud APIs and thereby mitigate the information overload caused by the continuing growth in the number of cloud APIs. However, existing research on QoS-aware cloud API recommender systems focuses mainly on improving recommendation accuracy and ignores the security risk posed by poisoning attacks. From an attack-informed defense perspective, this study proposes a Preference-guided one-step reconstruction Diffusion model-based Poisoning Attack framework (PDPA) that simulates poisoning attacks and exposes the vulnerability of cloud API recommender systems. First, PDPA uses a one-step reconstruction diffusion model to model, separately, the QoS and invocation distributions of real users over cloud APIs, generating fake-user QoS values and invocation behavior that resemble those of real users. Next, PDPA selects the fake users that already show an invocation preference for the target cloud API to carry out the attack, which limits the damage that adding the target cloud API does to fake-user stealthiness while preserving attack effectiveness. Finally, extensive experiments on a real-world dataset demonstrate the vulnerability of QoS-aware cloud API recommender systems to poisoning attacks and show that the fake users generated by PDPA achieve better attack effectiveness and stealthiness than the baseline methods.

Abstract:

Objective: In cloud computing, cloud Application Programming Interfaces (cloud APIs) are key carriers for data output, capability reuse, and service delivery, and have become core elements of service-oriented software development and operation. With the rapid growth in the number of cloud APIs, users often find it difficult to select a suitable service from many functionally similar candidates, so Quality of Service (QoS) is used to differentiate cloud APIs by their non-functional attributes. QoS-aware cloud API recommender systems (QARS) therefore play an increasingly important role in guiding users toward suitable cloud APIs. However, existing studies focus mainly on improving recommendation accuracy and largely ignore the security risks that follow from the economic value of cloud APIs and the openness of the network environment. These risks are most evident in poisoning attacks: by injecting fake users, an attacker can manipulate recommendation results and undermine the fairness and credibility of a QARS. To address this threat from an attack-informed defense perspective, this paper analyzes the attack mechanism of diffusion model-based poisoning methods and thereby supports the design of targeted defenses.

Methods: The poisoning attack process and the fake-user profile are first formally defined, and an attack scale is defined so that poisoning attacks can be simulated flexibly under different settings. To analyze the attack principle of diffusion model-based methods, a One-step reconstruction Diffusion Model (ODM) is adopted and a Preference-guided one-step reconstruction Diffusion model-based Poisoning Attack framework (PDPA) is proposed. By the collaborative principle that similar users tend to have similar preferences for cloud APIs, the fake users produced by an attack should have QoS values and cloud API invocation distributions similar to those of real users; this similarity lets them exert collaborative influence and interfere with the QARS's modeling of user preferences. PDPA is therefore designed to generate fake users that closely match real users. First, ODM separately models the QoS data and the invocation distributions of real users. Unlike a standard diffusion model, ODM reconstructs in a single step and so avoids the error accumulation of noise-dependent iterative denoising; the fake-user invocation behavior it generates resembles real-user behavior, which helps the fake users exert effective collaborative influence. Then, to improve attack effectiveness, PDPA selects the generated fake users that already show an invocation preference for the target cloud API and assigns the maximum QoS value to the target item. This strengthens the attack while reducing the disturbance that adding the target cloud API would otherwise introduce into fake-user invocation behavior, and thereby improves stealthiness.

Results and Discussions: Experiments are conducted on the real-world WS-DREAM response-time QoS dataset. First, six recommendation methods (LR, MLP, DeepFM, AFM, DCN and XSimGCL) are used as target recommender systems, and six baseline attack methods are used to simulate poisoning attacks. The results in Table 3 show that QARS are vulnerable to poisoning: every attack method reduces recommendation accuracy, and PDPA achieves the best attack effectiveness in most settings because it models user invocation preferences well enough for its fake users to exert a stronger collaborative influence. Second, fake users generated by ODM and by a standard diffusion model are compared in terms of detector F1 score and latent-space distribution; the results in Figure 2 show that ODM is stealthier and produces a latent-space distribution closer to that of real users. Third, ablation studies on each module of PDPA (Tables 4 and 5) confirm that each module contributes to attack effectiveness and fake-user stealthiness. Finally, Mean Absolute Error (MAE) and F1 score are compared under different attack scales (Figure 3 and Table 6): increasing the attack scale improves attack effectiveness but also increases the number of fake users that are detected.

Conclusions: This paper investigates the threat of poisoning attacks against QARS by analyzing the attack process and its key parameters. The proposed PDPA simulates poisoning attacks on QARS and reveals their vulnerability. The results show the potential of diffusion models for poisoning attacks and confirm the necessity of modeling QoS data and cloud API invocations separately. PDPA also clarifies how diffusion models generate fake users, providing a basis for future targeted countermeasures.
Key words:
- Recommender system
- Poisoning attack
- Quality of Service (QoS)
- Diffusion model
- Preference guidance
Table 1 Statistics of the response-time dataset

| Statistic | Value |
|---|---|
| Number of users | 339 |
| Number of cloud APIs | 5,825 |
| Data range | (0, 20] |
| Mean response time | 0.9085 |

Table 2 Cloud API configuration strategies of the poisoning attack methods

| Item set | Average | Bandwagon | Random | AUSH | DDPM | LDM | PDPA |
|---|---|---|---|---|---|---|---|
| $A^{\mathrm{S}}$ | − | r_bandwagon | − | r_bandwagon | − | − | − |
| $A^{\mathrm{R}}$ | r_average | r_bandwagon | r_random | r_AUSH | r_DDPM | r_LDM | r_PDPA |
| $A^{\phi}$ | − | − | − | − | − | − | − |
| $A^{\mathrm{T}}$ | r_max | r_max | r_max | r_max | r_max | r_max | r_max |

Note: the row symbols are not defined on this page; they follow the usual shilling-attack profile partition (a selected item set, a filler item set whose values come from the attack's own generator, the unrated items, and the target items, which every method sets to r_max).

Table 3 Comparison of attack effectiveness

| Attack method | LR | MLP | DeepFM | AFM | DCN | XSimGCL |
|---|---|---|---|---|---|---|
| None (no attack) | 0.6631 | 0.5217 | 0.5079 | 0.7707 | 0.5403 | 0.9081 |
| Average | 0.6798 | 0.5218 | 0.5196 | 0.7727 | 0.5464 | 0.9091 |
| Bandwagon | 0.6759 | 0.5250 | 0.5270 | 0.7878 | 0.5498 | 0.9088 |
| Random | 0.6702 | 0.5240 | 0.5247 | 0.7565 | 0.5434 | 0.9083 |
| AUSH | 0.6788 | 0.5328 | 0.5279 | 0.8287 | 0.5526 | 0.9108 |
| DDPM | 0.6675 | 0.5240 | 0.5234 | 0.8230 | 0.5534 | 0.9110 |
| LDM | 0.6921 | 0.5383 | 0.5273 | **0.8528** | 0.5502 | **0.9227** |
| PDPA | **0.6987** | **0.5420** | **0.5386** | 0.8378 | **0.5602** | 0.9122 |
| Improvement rate (%) | 0.95 | 0.69 | 2.02 | 1.79 | 1.22 | –0.15 |

Note: values are the prediction error (MAE) of the target recommender after poisoning, so a larger value means a more effective attack. Bold marks the best attack effect in each column.

Table 4 Attack effectiveness in the ablation study

| Attack method | LR | MLP | DeepFM | AFM | DCN | XSimGCL |
|---|---|---|---|---|---|---|
| W/O-G | 0.6748 | 0.5339 | 0.5363 | 0.8130 | 0.5521 | 0.9050 |
| W/O-P | 0.6730 | 0.5379 | 0.5366 | 0.8037 | 0.5530 | 0.9070 |
| W/O-ALL | 0.6631 | 0.5240 | 0.5234 | 0.8078 | 0.5502 | 0.9010 |
| PDPA | 0.6987 | 0.5420 | 0.5386 | 0.8378 | 0.5602 | 0.9122 |

Table 5 Stealthiness in the ablation study

| Attack method | DegreeSAD | FAP | SemiSAD | PCA |
|---|---|---|---|---|
| W/O-G | 0.8415 | 0.7858 | 0.8599 | 0.8816 |
| W/O-P | 0.8662 | 0.7912 | 0.8635 | 0.8681 |
| W/O-ALL | 0.8541 | 0.7771 | 0.8651 | 0.8513 |
| PDPA | 0.8167 | 0.7592 | 0.8522 | 0.8502 |

Note: columns are fake-user detectors; values are the detector's F1 score on the injected fake users, so a lower value means a stealthier attack.

Table 6 Stealthiness under different attack scales

| Attack method | Attack scale | DegreeSAD | FAP | SemiSAD | PCA |
|---|---|---|---|---|---|
| Average | 0.1 | 0.9378 | 0.9207 | 0.8993 | 0.9012 |
| Average | 0.2 | 0.9426 | 0.9175 | 0.8978 | 0.9181 |
| Bandwagon | 0.1 | 0.9154 | 0.9113 | 0.9426 | 0.8911 |
| Bandwagon | 0.2 | 0.8654 | 0.9039 | 0.9603 | 0.9102 |
| Random | 0.1 | 0.9414 | 0.9211 | 0.8983 | 0.9213 |
| Random | 0.2 | 0.9133 | 0.8745 | 0.8843 | 0.8954 |
| AUSH | 0.1 | 0.8534 | 0.7653 | 0.8652 | 0.8427 |
| AUSH | 0.2 | 0.8562 | 0.7665 | 0.8768 | 0.8827 |
| DDPM | 0.1 | 0.8654 | 0.7575 | 0.8874 | 0.8868 |
| DDPM | 0.2 | 0.8547 | 0.7825 | 0.8737 | 0.8823 |
| LDM | 0.1 | 0.8741 | 0.7586 | 0.8564 | 0.8789 |
| LDM | 0.2 | 0.8597 | 0.7653 | 0.8696 | 0.8724 |
| PDPA | 0.1 | 0.8267 | 0.7552 | 0.8532 | 0.8416 |
| PDPA | 0.2 | 0.8289 | 0.7606 | 0.8592 | 0.8723 |

Note: as in Table 5, values are detector F1 scores on the injected fake users (lower is stealthier).
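The following Python is an added worked example, not the paper's code, showing how the profile partition of Table 2, the preference-guided selection and r_max target assignment described in the abstract, and the attack scale of Table 6 fit together into an injectable set of fake users. It makes several assumptions the page does not state: the row symbols of Table 2 are read as the selected, filler, unrated and target item sets of a standard shilling profile; attack scale is taken to be the number of fake users as a fraction of real users; and the one-step reconstruction diffusion model (ODM) is not reproduced, so `generate_candidates()` is a stand-in that jitters real profiles. `R_MAX` is the top of the (0, 20] response-time range in Table 1; whether a maximal response time promotes or demotes the target depends on how the QARS interprets the attribute, which the page does not say. All sample data is constructed.

```python
"""Fake-user profile assembly for poisoning a QoS-aware cloud API recommender
(QARS), following the A^S / A^R / A^phi / A^T partition of Table 2 and PDPA's
preference-guided selection step. Added example, not the paper's code: the
one-step reconstruction diffusion model (ODM) is not reproduced, and
generate_candidates() is a stand-in that jitters real profiles. Data is constructed."""
import random
from dataclasses import dataclass
from statistics import mean

R_MAX = 20.0  # top of the response-time range (0, 20] reported in Table 1


@dataclass
class FakeUser:
    # Assumed reading of Table 2's row symbols (standard shilling-profile partition).
    selected: dict  # A^S: items rated by a fixed rule (empty in the PDPA column)
    filler: dict    # A^R: items whose QoS comes from the attack's own generator
    target: dict    # A^T: target cloud API(s), set to r_max
    # A^phi (unrated items) is implicit: every API absent from the three dicts.

    def profile(self) -> dict:
        return {**self.selected, **self.filler, **self.target}


def num_fake_users(n_real: int, scale: float) -> int:
    """Attack scale, assumed here to mean fake users as a fraction of real users."""
    return max(1, round(n_real * scale))


def generate_candidates(real: list, n: int, rng: random.Random) -> list:
    """Stand-in for ODM: copy a real user's invocation set and jitter its QoS values."""
    out = []
    for _ in range(n):
        src = rng.choice(real)
        out.append({api: min(R_MAX, q * rng.uniform(0.8, 1.2)) for api, q in src.items()})
    return out


def preference_guided_select(candidates: list, target: int, n_fake: int) -> list:
    """PDPA's selection rule: prefer candidates that already invoke the target API.
    Forcing the target into a profile that never invoked it is the disturbance the
    paper says selection avoids, so such candidates are used only as a fallback."""
    preferring = [c for c in candidates if target in c]
    others = [c for c in candidates if target not in c]
    return (preferring + others)[:n_fake]


def assemble_pdpa(candidate: dict, target: int) -> FakeUser:
    """Table 2, PDPA column: A^S empty, A^R = generated QoS, A^T = {target: r_max}."""
    filler = {api: q for api, q in candidate.items() if api != target}
    return FakeUser(selected={}, filler=filler, target={target: R_MAX})


def assemble_average(real: list, candidate: dict, target: int) -> FakeUser:
    """Table 2, Average column: A^R takes the per-API mean QoS of the real users."""
    filler = {}
    for api in candidate:
        if api != target:
            seen = [u[api] for u in real if api in u]
            filler[api] = mean(seen) if seen else R_MAX / 2
    return FakeUser(selected={}, filler=filler, target={target: R_MAX})


def target_mean_qos(real: list, fakes: list, target: int) -> float:
    """Mean QoS of the target API as the QARS now sees it (the collaborative influence)."""
    vals = [u[target] for u in real if target in u] + [f.profile()[target] for f in fakes]
    return mean(vals)


def run_attack(real: list, target: int, scale: float, seed: int = 0) -> dict:
    rng = random.Random(seed)
    n_fake = num_fake_users(len(real), scale)
    candidates = generate_candidates(real, 5 * n_fake, rng)  # over-generate, then select
    chosen = preference_guided_select(candidates, target, n_fake)
    fakes = [assemble_pdpa(c, target) for c in chosen]
    return {
        "fakes": fakes,
        "disturbed": sum(1 for c in chosen if target not in c),
        "target_qos_before": target_mean_qos(real, [], target),
        "target_qos_after": target_mean_qos(real, fakes, target),
    }


# Constructed toy dataset: six real users over cloud APIs 0..9, QoS = response time.
REAL_USERS = [
    {0: 0.5, 1: 1.2, 3: 0.9, 7: 2.0},
    {0: 0.7, 2: 1.0, 3: 1.1, 7: 1.8, 9: 0.4},
    {1: 1.5, 2: 0.8, 4: 3.2, 7: 2.5},
    {0: 0.6, 3: 1.0, 5: 0.3, 6: 4.1},
    {2: 1.1, 7: 1.9, 8: 0.9},
    {1: 1.3, 4: 2.8, 5: 0.4, 9: 0.5},
]

if __name__ == "__main__":
    res = run_attack(REAL_USERS, target=7, scale=0.5)
    print(len(res["fakes"]), "fake users;", res["disturbed"], "needed the target forced in;",
          "target mean QoS", round(res["target_qos_before"], 3), "->", round(res["target_qos_after"], 3))
```

The `disturbed` count is the quantity PDPA's selection step is meant to keep at zero: a candidate that already invoked the target API keeps a realistic invocation set after the target's QoS is overwritten with `r_max`, whereas a candidate that never invoked it acquires an extra, out-of-distribution invocation that detectors such as those in Tables 5 and 6 can pick up. Over-generating candidates and then filtering is what makes that possible; with `scale = 0.5` on six constructed users the pipeline injects three fake users.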