TAN Zeyu, WANG Haoyuan, QI Mingyang, SUN Mengmeng, SHEN Limin, CHEN Zhen. One-step Reconstruction Diffusion Model for Poisoning Attack on QoS-aware cloud API Recommender System[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT260115

One-step Reconstruction Diffusion Model for Poisoning Attack on QoS-aware cloud API Recommender System

doi: 10.11999/JEIT260115 cstr: 32379.14.JEIT260115
  • Accepted Date: 2026-05-14
  • Rev Recd Date: 2026-05-14
  • Available Online: 2026-05-30

Objective: In the cloud era, the cloud Application Programming Interface (cloud API), as the best carrier for data output, capability replication and service delivery, has become an indispensable core element of service-oriented software development and operation. With the rapid increase in the number of cloud APIs, it is difficult for users to choose among the many cloud APIs that offer the same functions. For this purpose, researchers introduced Quality of Service (QoS) to differentiate cloud APIs based on their non-functional attributes. As a result, QoS-aware cloud API recommender systems (QARS) play an increasingly important role in guiding users to choose the most suitable cloud API. However, existing research mainly focuses on improving the accuracy of QARS and ignores the security risks brought about by the economic benefits of cloud APIs and the openness of the network environment. These risks are especially evident in the threats posed by poisoning attacks: attackers manipulate the recommendations by injecting fake users, causing serious damage to the fairness and credibility of the QoS-aware cloud API recommender system. To counter the threat of poisoning attacks, this paper reveals the attack mechanisms of diffusion model-based attack methods from the perspective of learning defense through attacking, to inspire the design of corresponding defense methods.

Methods: This paper systematically defines the attack process of poisoning attacks and fake user profiles, and proposes attack scales to flexibly simulate poisoning attacks. Then, to reveal the attack principle of the diffusion model-based attack method, this paper further proposes a Preference guided one-step reconstruction Diffusion model-based Poisoning Attack framework (PDPA) to simulate poisoning attacks. Following the collaborative principle that similar users may have similar preferences toward cloud APIs, the fake users generated by the attack method need to ensure that both their QoS values and the distribution of their cloud API invocations remain similar to those of real users, thereby exploiting the collaborative influence of fake users to interfere with the QARS's modeling of user preferences. Therefore, to carry out poisoning attacks effectively, PDPA aims to generate fake users that are similar to real users. First, PDPA uses the One-step reconstruction Diffusion Model (ODM) to model the QoS data and the invocation distribution of real users, respectively. ODM avoids the error accumulation that occurs during the iterative denoising process because of the noise dependence of standard diffusion models. This enables ODM to generate fake user cloud API invocation behaviors similar to those of real users, thereby ensuring that fake users can effectively exert a collaborative influence. Subsequently, to improve the attack performance, PDPA systematically selects fake users with a preference for invoking the target cloud API to fill with the maximum QoS value. This not only enhances the aggressiveness of fake users, but also alleviates the interference that adding the target cloud API causes to the invocation behavior of fake users, ensuring the concealment of fake users.

Results and Discussions: The experiments were conducted on the real-world QoS dataset WS-DREAM. First, this paper uses six recommendation methods as target recommender systems and six baseline attack methods to simulate poisoning attacks. The experimental results (Table 3) reveal the vulnerability of the recommender system to poisoning attacks: each attack method can damage the accuracy of the recommender system. PDPA achieves the best attack performance in most experimental settings, which is attributed to its sufficient modeling of user invocation preferences, thereby enabling fake users to effectively exert collaborative influence on the QARS. Second, the F1 and the latent-space distribution of fake users generated by ODM and by the standard diffusion model were compared. The experimental results (Figure 2) verify that ODM is superior to the standard diffusion model not only in terms of stealth but also as reflected in low-dimensional visualization. Subsequently, an ablation study on each module of PDPA was conducted. The experimental results (Tables 4 and 5) verify that each module of PDPA is a necessary guarantee for the attack performance and concealment of fake users. Finally, MAE and F1 were compared across various attack scales to verify the impact of attack scale on the attack effect and concealment of fake users. The experimental results (Figure 3 and Table 6) indicate that increasing the attack scale could effectively enhance the attack performance, but it would also lead to an increase in the number of detected fake users.

Conclusions: To counter the threat of poisoning attacks, this paper explores the attack process and key attack parameters of poisoning attacks, and reveals the vulnerability of the QoS-aware cloud API recommender system by simulating poisoning attacks. This paper simulates poisoning attacks on QARS by constructing PDPA, which demonstrates the significant potential of diffusion models in poisoning attacks and, through ablation studies, validates the necessity of separately modeling QoS data and cloud API invocations. Furthermore, PDPA reveals the underlying mechanism of generating fake users via diffusion models, providing insights for designing targeted countermeasures.
