Attacking Click-through Rate Predictors via Generating Realistic Fake Samples
ACM Transactions on Knowledge Discovery from Data (IF 3.6), Pub Date: 2024-02-28, DOI: 10.1145/3643685
Mingxing Duan 1, Kenli Li 1, Weinan Zhang 2, Jiarui Qin 2, Bin Xiao 3

How to construct imperceptible (realistic) fake samples is critical in adversarial attacks. Due to the sample feature diversity of a recommender system (containing both discrete and continuous features), traditional gradient-based adversarial attack methods may fail to construct realistic fake samples. Meanwhile, most recommendation models adopt click-through rate (CTR) predictors, which usually utilize black-box deep models with discrete features as input. Thus, how to efficiently construct realistic fake samples for black-box recommender systems is still full of challenges. In this article, we propose a hierarchical adversarial attack method against black-box CTR models via generating realistic fake samples, named CTRAttack. To better train the generation network, the weights of its embedding layer are shared with those of the substitute model, with both the similarity loss and classification loss used to update the generation network. To ensure that the discrete features of the generated fake samples are all real, we first adopt the similarity loss to ensure that the distribution of the generated perturbed samples is sufficiently close to the distribution of the real features, and then the nearest neighbor algorithm is used to retrieve the most appropriate features for non-existent discrete features from the candidate instance set. Extensive experiments demonstrate that CTRAttack can not only effectively attack the black-box recommender systems but also improve the robustness of these models while maintaining prediction accuracy.




Updated: 2024-03-01