Advanced Search
Turn off MathJax
Article Contents
TAN Zeyu, WANG Haoyuan, QI Mingyang, SUN Mengmeng, SHEN Limin, CHEN Zhen. One-step Reconstruction Diffusion Model-based Poisoning Attack on QoS-aware Cloud API Recommender Systems[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT260115
Citation: TAN Zeyu, WANG Haoyuan, QI Mingyang, SUN Mengmeng, SHEN Limin, CHEN Zhen. One-step Reconstruction Diffusion Model-based Poisoning Attack on QoS-aware Cloud API Recommender Systems[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT260115

One-step Reconstruction Diffusion Model-based Poisoning Attack on QoS-aware Cloud API Recommender Systems

doi: 10.11999/JEIT260115 cstr: 32379.14.JEIT260115
Funds:  The National Natural Science Foundation of China (62102348), Hebei Natural Science Foundation (F2022203012), The Science and Technology Program of Hebei (236Z0103G), The Innovation Capability Improvement Plan Project of Hebei Province (22567626H), Hebei Postgraduate Innovation Fund Project (CXZZSS2025039)
  • Received Date: 2026-01-29
  • Accepted Date: 2026-05-14
  • Rev Recd Date: 2026-05-14
  • Available Online: 2026-05-30
  •   Objective  In cloud computing, Cloud Application Programming Interfaces (cloud APIs) serve as key carriers for data output, capability reuse, and service delivery. They have become core elements in service-oriented software development and operation. With the rapid growth of cloud APIs, users often find it difficult to select suitable services from many functionally similar candidates. Quality of Service (QoS) is therefore used to differentiate cloud APIs by non-functional attributes. QoS-Aware cloud API Recommender System (QARS) plays an increasingly important role in guiding users toward suitable cloud APIs. However, existing studies mainly focus on improving recommendation accuracy and often ignore security risks caused by the economic value of cloud APIs and the openness of network environments. These risks are particularly evident in poisoning attacks. By injecting fake users, attackers can manipulate recommendation results and reduce the fairness and credibility of QARS. To address this threat from an attack-informed defense perspective, this paper analyzes the attack mechanisms of diffusion model-based poisoning methods and supports the design of targeted defense strategies.  Methods  The poisoning attack process and fake user profiles are first formally defined. Attack scale is then defined to flexibly simulate poisoning attacks under different settings. To analyze the attack principle of diffusion model-based methods, a One-step reconstruction Diffusion Model (ODM) is adopted, and a Preference guided one-step reconstruction Diffusion model-based Poisoning Attack framework (PDPA) is proposed. According to the collaborative principle that similar users tend to have similar preferences for cloud APIs, fake users generated by an attack method should have QoS values and cloud API invocation distributions similar to those of real users. This similarity allows fake users to exert collaborative influence and interfere with user preference modeling in QARS. PDPA is therefore designed to generate fake users that closely match real users. First, ODM separately models the QoS data and invocation distributions of real users. Unlike standard diffusion models, ODM avoids error accumulation caused by noise-dependent iterative denoising. It can generate fake-user invocation behavior similar to real-user behavior, which helps fake users exert effective collaborative influence. Then, to improve attack effectiveness, PDPA systematically selects fake users with invocation preferences for the target cloud API and assigns the maximum QoS value to the target item. This strategy strengthens the attack while reducing the disturbance caused by adding the target cloud API to fake-user invocation behavior, thereby improving stealthiness.  Results and Discussions  Experiments are conducted on the real-world WS-DREAM response-time QoS dataset. First, six recommendation methods, namely LR, MLP, DeepFM, AFM, DCN, and XSimGCL, are used as target recommender systems. Six baseline attack methods are used to simulate poisoning attacks. The results in Table 3 reveal the vulnerability of QARS to poisoning attacks. All attack methods reduce recommendation accuracy. PDPA achieves the best attack effectiveness in most experimental settings because it sufficiently models user invocation preferences, enabling fake users to exert stronger collaborative influence on QARS. Second, fake users generated by ODM and those generated by the standard diffusion model are compared in terms of F1 score and latent-space distribution. The results in Figure 2 show that ODM outperforms the standard diffusion model in stealthiness and produces a latent-space distribution closer to that of real users. Third, ablation studies are conducted for each module of PDPA. The results in Tables 4 and 5 verify that each module is necessary for attack effectiveness and fake-user stealthiness. Finally, Mean Absolute Error (MAE) and F1 score are compared under different attack scales to evaluate the effect of attack scale on attack effectiveness and stealthiness. The results in Figure 3 and Table 6 show that increasing the attack scale improves attack effectiveness but also increases the number of detected fake users.  Conclusions  This paper investigates the threat of poisoning attacks against QARS by analyzing the attack process and key attack parameters. The proposed PDPA simulates poisoning attacks on QARS and reveals their vulnerability. The results show the potential of diffusion models for poisoning attacks and verify the necessity of separately modeling QoS data and cloud API invocations. PDPA also clarifies how diffusion models generate fake users, providing a basis for future targeted countermeasures.
  • loading
  • [1]
    SUN Mengmeng, XU Yueshen, TAN Zeyu, et al. Multi-level graph contrastive learning for cold-start recommendation in mashup development[J]. Information Sciences, 2025, 717: 122319. doi: 10.1016/J.INS.2025.122319.
    [2]
    CHEN Zhen, LIAO Haonan, YANG Jingkun, et al. Correction is all you need: Towards high-order complementary cloud API recommendation correction with abductive reasoning[J]. Future Generation Computer Systems, 2026, 175: 108072. doi: 10.1016/J.FUTURE.2025.108072.
    [3]
    CHEN Zhen, YU Jianqiang, FAN Shuang, et al. Latent diffusion model-based data poisoning attack against QoS-aware cloud API recommender system[J]. Computer Networks, 2025, 260: 111120. doi: 10.1016/j.comnet.2025.111120.
    [4]
    孙梦梦, 刘啸威, 陈文辉, 等. 基于个性化张量分解的高阶互补云API推荐方法[J]. 电子与信息学报, 2025, 47(8): 2859–2871. doi: 10.11999/JEIT250003.

    SUN Mengmeng, LIU Xiaowei, CHEN Wenhui, et al. Personalized tensor decomposition based high-order complementary cloud API recommendation[J]. Journal of Electronics & Information Technology, 2025, 47(8): 2859–2871. doi: 10.11999/JEIT250003.
    [5]
    NAZARY F, DELDJOO Y, and DI NOIA T. Poison-RAG: Adversarial data poisoning attacks on retrieval-augmented generation in recommender systems[C]. The 47th European Conference on Information Retrieval, Lucca, Italy, 2025: 239–251. doi: 10.1007/978-3-031-88717-8_18.
    [6]
    陈真, 刘伟, 吕瑞民, 等. 基于代理生成对抗网络的服务质量感知云API推荐系统投毒攻击[J]. 通信学报, 2025, 46(3): 174–186. doi: 10.11959/j.issn.1000-436x.2025056.

    CHEN Zhen, LIU Wei, LV Ruimin, et al. Poisoning attack on quality of service aware cloud API recommender system via surrogate generative adversarial network[J]. Journal on Communications, 2025, 46(3): 174–186. doi: 10.11959/j.issn.1000-436x.2025056.
    [7]
    GUNES I, KALELI C, BILGE A, et al. Shilling attacks against recommender systems: A comprehensive survey[J]. Artificial Intelligence Review, 2014, 42(4): 767–799. doi: 10.1007/s10462-012-9364-9.
    [8]
    ZHANG Fuguo. Analysis of bandwagon and average hybrid attack model against trust-based recommender systems[C]. 2011 Fifth International Conference on Management of e-Commerce and e-Government, Wuhan, China, 2011: 269–273. doi: 10.1109/ICMeCG.2011.10.
    [9]
    LIN Chen, CHEN Si, ZENG Meifang, et al. Shilling black-box recommender systems by learning to generate fake user profiles[J]. IEEE Transactions on Neural Networks and Learning Systems, 2024, 35(1): 1305–1319. doi: 10.1109/TNNLS.2022.3183210.
    [10]
    CHEN Zhen, BAO Taiyu, QI Wenchao, et al. Poisoning QoS-aware cloud API recommender system with generative adversarial network attack[J]. Expert Systems with Applications, 2024, 238: 121630. doi: 10.1016/j.eswa.2023.121630.
    [11]
    HO J, JAIN A, and ABBEEL P. Denoising diffusion probabilistic models[C]. The 34th International Conference on Neural Information Processing Systems, Vancouver, Canada, 2020: 574.
    [12]
    CROITORU F A, HONDRU V, IONESCU R T, et al. Diffusion models in vision: A survey[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023, 45(9): 10850–10869. doi: 10.1109/TPAMI.2023.3261988.
    [13]
    TAN Zeyu, SUN Mengmeng, QI Mingyang, et al. Compensation as defense: Trusted user guided representation correction learning for poisoned GNN-based recommender systems[J]. Information Processing & Management, 2026, 63(2): 104464. doi: 10.1016/j.ipm.2025.104464.
    [14]
    NGUYEN T T, QUOC VIET HUNG N, NGUYEN T T, et al. Manipulating recommender systems: A survey of poisoning attacks and countermeasures[J]. ACM Computing Surveys, 2025, 57(1): 3. doi: 10.1145/3677328.
    [15]
    WANG Zongwei, YU Junliang, GAO Min, et al. Unveiling vulnerabilities of contrastive recommender systems to poisoning attacks[C]. The 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Barcelona, Spain, 2024: 3311–3322. doi: 10.1145/3637528.3671795.
    [16]
    WANG Wenjie, XU Yiyan, FENG Fuli, et al. Diffusion recommender model[C]. The 46th International ACM SIGIR Conference on Research and Development in Information Retrieval, Taipei, China, 2023: 832–841. doi: 10.1145/3539618.3591663.
    [17]
    CHEN Jianqi, CHEN Hao, CHEN Keyan, et al. Diffusion models for imperceptible and transferable adversarial attack[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2025, 47(2): 961–977. doi: 10.1109/TPAMI.2024.3480519.
    [18]
    WANG Yihao, SU Jiajie, CHEN Chaochao, et al. Sim4Rec: Data-free model extraction attack on sequential recommendation[C]. The 39th AAAI Conference on Artificial Intelligence, Philadelphia, USA, 2025: 12766–12774. doi: 10.1609/aaai.v39i12.33392.
    [19]
    SU Jiajie, CHEN Chaochao, WANG Yihao, et al. DuAda: Adaptive targeted model poisoning attack framework via dummy user simulation on federated recommendation[J]. ACM Transactions on Information Systems, 2025, 43(6): 161. doi: 10.1145/3757059.
    [20]
    LI Jiahui, WU Hao, CHEN Jiapei, et al. Topology-aware neural model for highly accurate QoS prediction[J]. IEEE Transactions on Parallel and Distributed Systems, 2022, 33(7): 1538–1552. doi: 10.1109/TPDS.2021.3116865.
    [21]
    SHEN Limin, PAN Maosheng, LIU Linlin, et al. Contexts enhance accuracy: On modeling context aware deep factorization machine for web API QoS prediction[J]. IEEE Access, 2020, 8: 165551–165569. doi: 10.1109/ACCESS.2020.3022891.
    [22]
    ZHANG Yiwen, YIN Chunhui, WU Qilin, et al. Location-aware deep collaborative filtering for service recommendation[J]. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2021, 51(6): 3796–3807. doi: 10.1109/TSMC.2019.2931723.
    [23]
    SHAN Ying, HOENS T R, JIAO Jian, et al. Deep crossing: Web-scale modeling without manually crafted combinatorial features[C]. The 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, USA, 2016: 255–262. doi: 10.1145/2939672.2939704.
    [24]
    YU Junliang, XIA Xin, CHEN Tong, et al. XSimGCL: Towards extremely simple graph contrastive learning for recommendation[J]. IEEE Transactions on Knowledge and Data Engineering, 2024, 36(2): 913–926. doi: 10.1109/TKDE.2023.3288135.
    [25]
    ZHANG Fei, DENG Zijun, HE Zhimin, et al. Detection of shilling attack in collaborative filtering recommender system by PCA and data complexity[C]. 2018 International Conference on Machine Learning and Cybernetics (ICMLC), Chengdu, China, 2018: 673–678. doi: 10.1109/ICMLC.2018.8526965.
    [26]
    ZHANG Yongfeng, TAN Yunzhi, ZHANG Min, et al. Catch the black sheep: Unified framework for shilling attack detection based on fraudulent action propagation[C]. The 24th International Conference on Artificial Intelligence, Buenos Aires, Argentina, 2015: 2408–2414.
    [27]
    LI Wentao, GAO Min, LI Hua, et al. Shilling attack detection in recommender systems via selecting patterns analysis[J]. IEICE TRANSACTIONS on Information and Systems, 2016, E99. D(10): 2600–2611. doi: 10.1587/TRANSINF.2015EDP7500.
    [28]
    CAO Jie, WU Zhiang, MAO Bo, et al. Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system[J]. World Wide Web, 2013, 16(5/6): 729–748. doi: 10.1007/s11280-012-0164-6.
  • 加载中

Catalog

    通讯作者: 陈斌, bchen63@163.com
    • 1. 

      沈阳化工大学材料科学与工程学院 沈阳 110142

    1. 本站搜索
    2. 百度学术搜索
    3. 万方数据库搜索
    4. CNKI搜索

    Figures(3)  / Tables(6)

    Article Metrics

    Article views (159) PDF downloads(13) Cited by()
    Proportional views
    Related

    /

    DownLoad:  Full-Size Img  PowerPoint
    Return
    Return