
arxiv: 2604.22170 · v1 · submitted 2026-04-24 · 💻 cs.LG · cs.IR

Sharpness-Aware Poisoning: Enhancing Transferability of Injective Attacks on Recommender Systems

Pith reviewed 2026-05-08 12:29 UTC · model grok-4.3

classification 💻 cs.LG cs.IR
keywords poisoning attacks · recommender systems · transferability · sharpness-aware minimization · injective attacks · adversarial machine learning · surrogate models

The pith

Sharpness-aware minimization finds worst-case models to improve poisoning attack transferability across recommender systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Sharpness-Aware Poisoning (SharpAP) to generate fake user profiles that promote target items more effectively even when the actual victim recommender model differs from the surrogate used during attack creation. Existing methods overfit to the surrogate, so attacks lose power on structurally different models. SharpAP applies sharpness-aware minimization to approximate the worst-case victim model and then optimizes the poison specifically against it. This produces more robust poisoned data that transfers better. Experiments on three real-world datasets show the resulting attacks succeed more often on unseen models.

Core claim

By integrating the sharpness-aware minimization principle into the attack process, SharpAP seeks an approximately worst-case victim model and optimizes poisoned data specifically against it. The attack is cast as a min-max-min tri-level optimization problem. Integrating this step into iterative attack generation yields poisoned data less sensitive to model structure shifts and mitigates overfitting to the surrogate.

What carries the argument

Sharpness-Aware Poisoning (SharpAP), which applies sharpness-aware minimization to locate and optimize against an approximately worst-case victim model inside the poisoning loop.

If this is right

  • Poisoned data becomes less sensitive to structural differences between the surrogate and actual victim models.
  • Attack success improves on real victim models never seen during poison generation.
  • The tri-level optimization integrates directly into existing iterative attack procedures.
  • Experiments confirm stronger transfer on three real-world datasets compared with prior surrogate-only methods.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar sharpness-based optimization could be applied to adversarial attacks in other domains where the target model is unknown in advance.
  • Recommender system defenders might adopt sharpness-aware training to reduce vulnerability to poisons optimized this way.
  • The approach underscores that accounting for model variability during attack design can narrow the gap between black-box and white-box effectiveness.

Load-bearing premise

Sharpness-aware minimization can reliably locate an approximately worst-case victim model whose optimization produces poisoned data that transfers better to real victim models.

What would settle it

If SharpAP-generated poisoned data shows no higher attack success rate than standard surrogate-based poisons when evaluated on victim models with architectures clearly different from the surrogate, such as switching from matrix factorization to a deep neural recommender.

Figures

Figures reproduced from arXiv: 2604.22170 by Junsong Xie, Le Wu, Pengyang Shao, Yonghui Yang.

Figure 1: Illustration of injective attacks on full-users and group users.
Figure 2: Illustration of the origin of our work’s motivation. Since the victim model is inaccessible to attackers, existing methods use a fixed surrogate model to …
Figure 3: A flow chart of fake profiles instantiated.
Figure 4: The overall illustration of our method SharpAP. We propose a sharpness-aware tri-level optimization, which seeks the worst-case model (i.e., the victim model with the worst poisoning effect) under a bounded perturbation to generate robust poisoned data.
Figure 5: Visualization of user representations with t-SNE. The top and right …
Figure 6: Performance comparisons under different perturbation radius …
Figure 7: The attack performance under different fake user budget percentages.
Figure 8: The attack performance under different ratios of interactable items.
Figure 9: Visualization of loss landscape on Movielens-1M trained with or …
Original abstract

Recommender Systems (RS) have been shown to be vulnerable to injective attacks, where attackers inject limited fake user profiles to promote the exposure of target items to real users for unethical gains (e.g., economic or political advantages). Since attackers typically lack knowledge of the victim model deployed in the target RS, existing methods resort to using a fixed surrogate model to mimic the potential victim model. Despite considerable progress, we argue that the assumption that poisoned data generated for the surrogate model can be used to attack other victim models is wishful. When there are significant structural discrepancies between the surrogate and victim models, the attack transferability inevitably suffers. Intuitively, if we can identify the worst-case victim model and iteratively optimize the poisoning effect specifically against it, then the generated poisoned data would be better transferred to other victim models. However, exactly identifying the worst-case victim model during the attack process is challenging due to the large space of victim models. To this end, in this work, we propose a novel attack method called Sharpness-Aware Poisoning (SharpAP). Specifically, it employs the sharpness-aware minimization principle to seek the approximately worst-case victim model and optimizes the poisoned data specifically for this worst-case model. The poisoning attack with SharpAP is formulated as a min-max-min tri-level optimization problem. By integrating SharpAP into the iterative process for attacks, our method can generate more robust poisoned data which is less sensitive to the shift of model structure, mitigating the overfitting to the surrogate model. Comprehensive experimental comparisons on three real-world datasets demonstrate that SharpAP can significantly enhance the attack transferability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes Sharpness-Aware Poisoning (SharpAP) to improve the transferability of injective poisoning attacks on recommender systems. It formulates the attack generation as a min-max-min tri-level optimization that uses sharpness-aware minimization (SAM) to approximate a worst-case victim model around the surrogate, then optimizes the poisoned data specifically against that approximation. The central claim is that this produces poisoned profiles less sensitive to model-structure shifts (e.g., MF to NeuMF or GCN) than standard surrogate-based attacks, with experiments on three real-world datasets reported to show significant gains in attack success on unseen victims.

Significance. If the empirical gains hold and the mechanism is shown to operate as described, the work would offer a practical way to reduce surrogate overfitting in poisoning attacks, a known weakness when victim architectures differ from the attacker's surrogate. The tri-level formulation and application of SAM to discrete model-family shifts represent a novel technical direction that could influence both attack and defense research in RS security.

major comments (2)
  1. §3.2 (Method), Eq. (3)–(5): the inner maximization is performed via SAM-style perturbations in the surrogate parameter space, yet the paper provides no analysis showing that high-curvature directions around the surrogate parameters correspond to structural dissimilarity with unseen victim families. Because model architecture is discrete and non-differentiable, it is unclear why the local sharpness approximation yields a representative worst-case victim rather than simply regularizing the poison against the surrogate; this directly affects whether the claimed transferability improvement follows from the stated mechanism.
  2. §4 (Experiments): while the abstract states that SharpAP yields significant improvement on three datasets, the reported results must include (i) concrete metrics (HR@K, NDCG@K, attack success rate) with standard deviations across multiple runs, (ii) explicit comparison against both surrogate-only baselines and other transferability-enhancing attacks, and (iii) an ablation isolating the contribution of the SAM inner loop versus plain min-max. Without these, the magnitude and robustness of the transferability gain cannot be assessed.
minor comments (2)
  1. [§3] Notation: the tri-level objective is introduced without a clear statement of which variables are optimized in each level and which are held fixed; adding an explicit variable legend would improve readability.
  2. [§2] Related work: the discussion of prior injective attacks should cite the specific transferability limitations they exhibit (e.g., performance drop when victim is GCN vs. MF) rather than generic statements.

Simulated Authors' Rebuttal

2 responses · 0 unresolved

Thank you for your detailed review and constructive feedback on our manuscript. We have carefully considered each comment and provide point-by-point responses below. We will revise the paper to address the concerns raised, particularly by enhancing the experimental section and adding further discussion on the methodological justification.

Point-by-point responses
  1. Referee: §3.2 (Method), Eq. (3)–(5): the inner maximization is performed via SAM-style perturbations in the surrogate parameter space, yet the paper provides no analysis showing that high-curvature directions around the surrogate parameters correspond to structural dissimilarity with unseen victim families. Because model architecture is discrete and non-differentiable, it is unclear why the local sharpness approximation yields a representative worst-case victim rather than simply regularizing the poison against the surrogate; this directly affects whether the claimed transferability improvement follows from the stated mechanism.

    Authors: We thank the referee for highlighting this important aspect. Our motivation for using SAM is to find a worst-case perturbation in the surrogate's parameter space that maximizes the attack loss, based on the idea that such directions may correspond to models that are more dissimilar in behavior. Although architectures are discrete, the continuous parameter perturbations can simulate variations in model capacity or fitting that mimic structural differences, as evidenced by our cross-architecture experiments. We agree that a deeper theoretical analysis would be beneficial. In the revised manuscript, we will include additional discussion in Section 3 explaining this intuition with references to related work on sharpness and generalization, and acknowledge the limitations of the approximation.
    (revision: partial)

  2. Referee: §4 (Experiments): while the abstract states that SharpAP yields significant improvement on three datasets, the reported results must include (i) concrete metrics (HR@K, NDCG@K, attack success rate) with standard deviations across multiple runs, (ii) explicit comparison against both surrogate-only baselines and other transferability-enhancing attacks, and (iii) an ablation isolating the contribution of the SAM inner loop versus plain min-max. Without these, the magnitude and robustness of the transferability gain cannot be assessed.

    Authors: We appreciate this suggestion for improving the clarity and rigor of our experimental evaluation. The current manuscript reports HR@K and NDCG@K as attack success metrics on three datasets, but we will add standard deviations computed over multiple independent runs. We will also ensure explicit comparisons to surrogate-only attacks and include relevant transferability methods from the literature. Furthermore, we will add an ablation study comparing SharpAP to a variant without the SAM inner maximization (i.e., plain min-max optimization). These enhancements will be incorporated into the revised version of the paper.
    (revision: yes)

Circularity Check

0 steps flagged

No circularity: derivation relies on external SAM principle and independent experiments

full rationale

The paper formulates SharpAP as a min-max-min optimization that applies the established sharpness-aware minimization principle (from prior literature) to approximate a worst-case victim model during poisoning. No equation reduces by construction to a fitted parameter from the same data, no self-citation bears the central claim, and the transferability improvement is supported by experiments on three real-world datasets rather than by redefinition. The derivation chain is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claim rests on the domain assumption that sharpness-aware minimization approximates worst-case victim models effectively and that the resulting poisoned data transfers better; no free parameters or invented entities are explicitly introduced in the abstract.

axioms (1)
  • domain assumption: Sharpness-aware minimization can be used to seek the approximately worst-case victim model during the attack process.
    Invoked to justify the min-max-min formulation and improved transferability.

pith-pipeline@v0.9.0 · 5605 in / 1184 out tokens · 60863 ms · 2026-05-08T12:29:28.737797+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

54 extracted references · 54 canonical work pages

  1. [1]

    Burke, B

    R. Burke, B. Mobasher, and R. Bhaumik. Limited knowledge shilling attacks in collaborative filtering systems. InIJCAI, pages 17–24, 2005

  2. [2]

    Z. Chen, J. Zhang, Y . Kou, X. Chen, C.-J. Hsieh, and Q. Gu. Why does sharpness-aware minimization generalize better than sgd? InNeurIPS, pages 72325–72376, 2023

  3. [3]

    Cheng, X

    L. Cheng, X. Huang, J. Sang, and J. Yu. Towards robust recommenda- tion: A review and an adversarial robustness evaluation library.arXiv preprint arXiv:2404.17844, 2024

  4. [4]

    E. Cho, S. A. Myers, and J. Leskovec. Friendship and mobility: user movement in location-based social networks. InKDD, pages 1082–1090, 2011

  5. [5]

    W. Fan, T. Derr, X. Zhao, Y . Ma, H. Liu, J. Wang, J. Tang, and Q. Li. Attacking black-box recommendations via copying cross-domain user profiles. InICDE, pages 1583–1594. IEEE, 2021

  6. [6]

    M. Fang, N. Z. Gong, and J. Liu. Influence function based data poisoning attacks to top-n recommender systems. InWWW, pages 3019–3025, 2020

  7. [7]

    Foret, A

    P. Foret, A. Kleiner, H. Mobahi, and B. Neyshabur. Sharpness-aware minimization for efficiently improving generalization. InICLR, 2021

  8. [8]

    S. Guo, T. Bai, and W. Deng. Targeted shilling attacks on gnn-based recommender systems. InCIKM, pages 649–658, 2023

  9. [9]

    F. M. Harper and J. A. Konstan. The movielens datasets: History and context.TIIS, 5(4):1–19, 2015

  10. [10]

    P. He, H. Xu, J. Ren, Y . Cui, S. Zeng, H. Liu, C. Aggarwal, and J. Tang. Sharpness-aware data poisoning attack. InICLR, 2024

  11. [11]

    X. He, K. Deng, X. Wang, Y . Li, Y . Zhang, and M. Wang. Lightgcn: Simplifying and powering graph convolution network for recommenda- tion. InSIGIR, pages 639–648, 2020

  12. [12]

    R. Jin, J. Y . Chai, and L. Si. An automatic weighting scheme for collaborative filtering. InSIGIR, pages 337–344, 2004. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 14

  13. [13]

    N. S. Keskar, D. Mudigere, J. Nocedal, M. Smelyanskiy, and P. T. P. Tang. On large-batch training for deep learning: Generalization gap and sharp minima. InICLR, 2017

  14. [14]

    Koren, R

    Y . Koren, R. Bell, and C. V olinsky. Matrix factorization techniques for recommender systems.Computer, 42(8):30–37, 2009

  15. [15]

    J. Kwon, J. Kim, H. Park, and I. K. Choi. Asam: Adaptive sharpness- aware minimization for scale-invariant learning of deep neural networks. InICML, pages 5905–5914. PMLR, 2021

  16. [16]

    S. K. Lam and J. Riedl. Shilling recommender systems for fun and profit. InProceedings of the 13th international conference on World Wide Web, pages 393–402, 2004

  17. [17]

    B. Li, Y . Wang, A. Singh, and Y . V orobeychik. Data poisoning attacks on factorization-based collaborative filtering.NeurIPS, 29, 2016

  18. [18]

    H. Li, S. Di, and L. Chen. Revisiting injective attacks on recommender systems.NeurIPS, 35:29989–30002, 2022

  19. [19]

    H. Li, Z. Xu, G. Taylor, C. Studer, and T. Goldstein. Visualizing the loss landscape of neural nets.Advances in neural information processing systems, 31, 2018

  20. [20]

    T. Li, P. Zhou, Z. He, X. Cheng, and X. Huang. Friendly sharpness- aware minimization. InCVPR, pages 5631–5640, 2024

  21. [21]

    C. Lin, S. Chen, H. Li, Y . Xiao, L. Li, and Q. Yang. Attacking recommender systems with augmented user profiles. InCIKM, pages 855–864, 2020

  22. [22]

    C. Lin, S. Chen, M. Zeng, S. Zhang, M. Gao, and H. Li. Shilling black- box recommender systems by learning to generate fake user profiles. IEEE TNNLS, 35(1):1305–1319, 2022

  23. [23]

    McAuley, C

    J. McAuley, C. Targett, Q. Shi, and A. Van Den Hengel. Image-based recommendations on styles and substitutes. InSIGIR, pages 43–52, 2015

  24. [24]

    Mehta and W

    B. Mehta and W. Nejdl. Unsupervised strategies for shilling detection and robust collaborative filtering.User Modeling and User-Adapted Interaction, 19:65–97, 2009

  25. [25]

    Mobasher, R

    B. Mobasher, R. Burke, R. Bhaumik, and C. Williams. Toward trustworthy recommender systems: An analysis of attack models and algorithm robustness.ACM Transactions on Internet Technology (TOIT), 7(4):23–es, 2007

  26. [26]

    Rendle, C

    S. Rendle, C. Freudenthaler, Z. Gantner, and L. Schmidt-Thieme. Bpr: Bayesian personalized ranking from implicit feedback. InUAI, pages 452–461, 2009

  27. [27]

    Sarwar, G

    B. Sarwar, G. Karypis, J. Konstan, and J. Riedl. Item-based collaborative filtering recommendation algorithms. InProceedings of the 10th international conference on World Wide Web, pages 285–295, 2001

  28. [28]

    Tang and K

    J. Tang and K. Wang. Personalized top-n sequential recommendation via convolutional sequence embedding. InWSDM, pages 565–573, 2018

  29. [29]

    J. Tang, H. Wen, and K. Wang. Revisiting adversarially learned injection attacks against recommender systems. InRecSys, pages 318–327, 2020

  30. [30]

    C. Wang, H. Zhu, C. Zhu, C. Qin, and H. Xiong. Setrank: A setwise bayesian approach for collaborative ranking from implicit feedback. In AAAI, volume 34, pages 6127–6136, 2020

  31. [31]

    W. Wang, C. Wang, F. Feng, W. Shi, D. Ding, and T.-S. Chua. Uplift modeling for target user attacks on recommender systems. InWWW, pages 3343–3354, 2024

  32. [32]

    Z. Wang, M. Gao, J. Li, J. Zhang, and J. Zhong. Gray-box shilling attack: An adversarial learning approach.TIST, 13(5):1–21, 2022

  33. [33]

    Z. Wang, M. Gao, J. Yu, X. Gao, Q. V . H. Nguyen, S. Sadiq, and H. Yin. Id-free not risk-free: Llm-powered agents unveil risks in id- free recommender systems. InProceedings of the 48th International ACM SIGIR Conference on Research and Development in Information Retrieval, pages 1902–1911, 2025

  34. [34]

    Z. Wang, M. Gao, J. Yu, S. Sadiq, H. Yin, and L. Liu. When graph contrastive learning backfires: Spectral vulnerability and defense in recommendation.ACM Transactions on Information Systems, 2025

  35. [35]

    Z. Wang, J. Yu, M. Gao, H. Yin, B. Cui, and S. Sadiq. Unveiling vulnerabilities of contrastive recommender systems to poisoning attacks. InKDD, pages 3311–3322, 2024

  36. [36]

    Z. Wang, J. Yu, M. Gao, W. Yuan, G. Ye, S. Sadiq, and H. Yin. Poisoning attacks and defenses in recommender systems: A survey.arXiv preprint arXiv:2406.01022, 2024

  37. [37]

    K. Wen, T. Ma, and Z. Li. How sharpness-aware minimization minimizes sharpness? InICLR, 2023

  38. [38]

    C. Wu, D. Lian, Y . Ge, Z. Zhu, and E. Chen. Triple adversarial learning for influence based poisoning attack in recommender systems. InKDD, pages 1830–1840, 2021

  39. [39]

    C. Wu, D. Lian, Y . Ge, Z. Zhu, E. Chen, and S. Yuan. Fight fire with fire: towards robust recommender systems via adversarial poisoning training. InSIGIR, pages 1074–1083, 2021

  40. [40]

    Wu, S.-T

    D. Wu, S.-T. Xia, and Y . Wang. Adversarial weight perturbation helps robust generalization. InNeurIPS, pages 2958–2969, 2020

  41. [41]

    J. Wu, X. Wang, F. Feng, X. He, L. Chen, J. Lian, and X. Xie. Self- supervised graph learning for recommendation. InSIGIR, pages 726– 735, 2021

  42. [42]

    L. Wu, X. He, X. Wang, K. Zhang, and M. Wang. A survey on accuracy-oriented neural recommendation: From collaborative filtering to information-rich recommendation.IEEE TKDE, 35(5):4425–4445, 2022

  43. [43]

    L. Wu, P. Sun, R. Hong, Y . Ge, and M. Wang. Collaborative neural social recommendation.IEEE transactions on systems, man, and cybernetics: systems, 51(1):464–476, 2018

  44. [44]

    G. Yang, N. Z. Gong, and Y . Cai. Fake co-visitation injection attacks to recommender systems. InNDSS, 2017

  45. [45]

    Y . Yang, Z. Wu, L. Wu, K. Zhang, R. Hong, Z. Zhang, J. Zhou, and M. Wang. Generative-contrastive graph learning for recommendation. InSIGIR, pages 1117–1126, 2023

  46. [46]

    J. Yu, H. Yin, X. Xia, T. Chen, L. Cui, and Q. V . H. Nguyen. Are graph augmentations necessary? simple graph contrastive learning for recommendation. InSIGIR, pages 1294–1303, 2022

  47. [47]

    Zhang, C

    H. Zhang, C. Tian, Y . Li, L. Su, N. Yang, W. X. Zhao, and J. Gao. Data poisoning attack against recommender system using incomplete and perturbed data. InKDD, pages 2154–2164, 2021

  48. [48]

    Zhang, Q

    K. Zhang, Q. Cao, Y . Wu, F. Sun, H. Shen, and X. Cheng. Improving the shortest plank: Vulnerability-aware adversarial training for robust recommender system. InRecSys, pages 680–689, 2024

  49. [49]

    Zhang, Q

    K. Zhang, Q. Cao, Y . Wu, F. Sun, H. Shen, and X. Cheng. Understanding and improving adversarial collaborative filtering for robust recommen- dation. InNeurIPS, volume 37, pages 120381–120417, 2024

  50. [50]

    Zhang, L

    S. Zhang, L. Yao, A. Sun, and Y . Tay. Deep learning based recommender system: A survey and new perspectives.ACM computing surveys (CSUR), 52(1):1–38, 2019

  51. [51]

    Y . Zhao, T. Chen, J. Yu, K. Zheng, L. Cui, and H. Yin. Diversity- aware dual-promotion poisoning attack on sequential recommendation. InSIGIR, pages 1634–1644, 2025

  52. [52]

    Zheng, R

    Y . Zheng, R. Zhang, and Y . Mao. Regularizing neural networks via adversarial model perturbation. InCVPR, pages 8156–8165, 2021

  53. [53]

    G. Zhou, X. Zhu, C. Song, Y . Fan, H. Zhu, X. Ma, Y . Yan, J. Jin, H. Li, and K. Gai. Deep interest network for click-through rate prediction. In KDD, pages 1059–1068, 2018

  54. [54]

    Y . Zhou, Y . Qu, X. Xu, and H. Shen. Imbsam: A closer look at sharpness-aware minimization in class-imbalanced recognition. In CVPR, pages 11345–11355, 2023. Junsong Xieis currently pursuing a Ph.D. degree at Hefei University of Technology (HFUT), China. He received the master’s degree from the University of Science and Technology of China (USTC). He has...