Resilience of session-based recommender systems to training set poisoning attacks
Abstract
This article assesses the resilience of session-based recommender systems to training set poisoning attacks using synthetic sessions. Real event logs inevitably contain entries generated by automated agents, which reduces the quality of the trained models. To reproduce such poisoning in a controlled way, a Python software package has been developed. It includes four classes of synthetic session generators: a navigation graph (first-order Markov chain), a hidden Markov model (HMM), a recurrent generator based on the Elman network, and a transformer generator. All generators implement a unified interface and can work with arbitrary sets of event logs. The targeted attack module implements a beam search for synthetic sessions with a given final element in black-box mode, without requiring access to the parameters of the attacked model. After poisoning, the target model is retrained on D_train ∪ P with the same hyperparameters. The test set remains unchanged. The success criterion for the attack is quality degradation on the clean test set. An experimental evaluation was conducted on the YooChoose and Last.fm datasets. A mean pooled embeddings model is used as the recommender model: for each session prefix, the arithmetic mean of the element embeddings is calculated, followed by a linear layer that computes logits over the item vocabulary. With a 2% share of poisoning sessions, HR@10 degradation is 0.4–0.9 percentage points; with 5%, it is 1.2–3.1 percentage points; with 20%, degradation increases nonlinearly and reaches 5.9–7.9 percentage points. Neural network generators produce more diverse synthetic sessions than Markov models. A transformer generator can combine transitions not observed in the aggregate, which expands the coverage of the feature space. It is the diversity of the generated paths that increases the bias of the training distribution toward the target element. The transformer generator exhibits the greatest degradation among the four classes, while the navigation graph exhibits the least. These results allow recommender system developers to make a well-founded assessment of model robustness before deployment.
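The success criterion above (HR@k drop on the unchanged clean test set for a mean pooled embeddings model) can be measured as in the following added example, which is not code from the authors' package. The one-hot embeddings, linear-layer weights, target item and test sessions are constructed toy values, and the "retrained" weights are a hand-made stand-in for a model retrained on D_train ∪ P, with an exaggerated drift and k=1 because the toy vocabulary has only five items.

```python
# Added example (not the authors' package): HR@k on a clean test set for a
# mean-pooled embedding recommender, and the drop after retraining.
# All weights and sessions below are constructed toy values.

def mean_pool_logits(prefix, emb, W, b):
    """Average the prefix's item embeddings, then apply the linear layer."""
    dim = len(emb[0])
    pooled = [sum(emb[i][j] for i in prefix) / len(prefix) for j in range(dim)]
    return [sum(w * x for w, x in zip(row, pooled)) + bias
            for row, bias in zip(W, b)]

def hit_rate_at_k(sessions, model, k=10):
    """Share of (prefix, next item) pairs whose next item is in the top k."""
    emb, W, b = model
    hits = total = 0
    for s in sessions:
        for t in range(1, len(s)):
            logits = mean_pool_logits(s[:t], emb, W, b)
            # Stable ranking: higher logit first, lower item id breaks ties.
            top_k = sorted(range(len(logits)), key=lambda i: (-logits[i], i))[:k]
            hits += s[t] in top_k
            total += 1
    return hits / total if total else 0.0

def degradation_pp(clean_model, retrained_model, clean_test, k=10):
    """HR@k drop in percentage points; the test set is the same for both."""
    return 100.0 * (hit_rate_at_k(clean_test, clean_model, k)
                    - hit_rate_at_k(clean_test, retrained_model, k))

N = 5                                              # toy vocabulary size
EMB = [[float(i == j) for j in range(N)] for i in range(N)]  # one-hot embeddings
# Constructed linear layer: reward the successor item, penalise a repeat.
W_CLEAN = [[1.0 if nxt == (prev + 1) % N else -1.0 if nxt == prev else 0.0
            for prev in range(N)] for nxt in range(N)]
TARGET = 4                                         # hypothetical promoted item
CLEAN_MODEL = (EMB, W_CLEAN, [0.0] * N)
# Stand-in for the model retrained on D_train ∪ P: same layer, but the
# target item's bias has drifted upward (assumption, exaggerated).
RETRAINED_MODEL = (EMB, W_CLEAN, [2.0 if i == TARGET else 0.0 for i in range(N)])
CLEAN_TEST = [[0, 1, 2, 3], [1, 2, 3, 4], [2, 3, 4, 0]]

def demo():
    """Return (clean HR@1, retrained HR@1, degradation in pp)."""
    return (hit_rate_at_k(CLEAN_TEST, CLEAN_MODEL, k=1),
            hit_rate_at_k(CLEAN_TEST, RETRAINED_MODEL, k=1),
            degradation_pp(CLEAN_MODEL, RETRAINED_MODEL, CLEAN_TEST, k=1))
```

With real models, pass the trained embedding table and linear-layer weights for both runs and keep k=10 to match the HR@10 figures reported in the abstract.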
Full Text: PDF (Russian)
ISSN: 2307-8162