Personalizing the Web: Building effective recommender systems

1
Personalizing the WebBuilding effective
recommender systems

• Bamshad Mobasher
• Center for Web Intelligence
• School of Computer Science, Telecommunication,
  and Information Systems
• DePaul University, Chicago, Illinois, USA

2
Outline

• Web Personalization Recommender systems
• Basic Approaches Algorithms
• Special focus on collaborative filtering
• Extending Traditional Approaches
• Hybrid models
• Personalization Based on Data Mining
• Vulnerability of Collaborative Filtering to
  Attacks

3
Web Personalization

• The Problem
• Dynamically serve customized content (pages,
  products, recommendations, etc.) to users based
  on their profiles, preferences, or expected
  interests
• Common Approaches
• Collaborative Filtering
• Give recommendations to a user based on
  preferences of similar users
• Preferences on items may be explicit or implicit
• Content-Based Filtering
• Give recommendations to a user based on items
  with similar content in the users profile
• Rule-Based (Knowledge-Based) Filtering
• Provide recommendations to users based on
  predefined (or learned) rules
• age(x, 25-35) and income(x, 70-100K) and
  childred(x, gt3) ? recommend(x, Minivan)

4
Content-Based Recommender Systems
5
Content-Based Recommenders Personalized Search
Agents

• How can the search engine determine the users
  context?

?
Query Madonna and Child
?

• Need to learn the user profile
• User is an art historian?
• User is a pop music fan?

6
Collaborative Recommender Systems
7
Collaborative Recommender Systems
8
Collaborative Recommender Systems
9
Collaborative Recommender Systems
http//movielens.umn.edu
10
Hybrid Recommender Systems
11
Other Combined to Hybrid Recommenders
12
Other Forms of Collaborative Filtering

• Social Tagging (Folksonomy)
• people add free-text tags to their content
• where people happen to use the same terms then
  their content is linked
• frequently used terms floating to the top to
  create a kind of positive feedback loop for
  popular tags.
• Examples
• Del.icio.us
• Flickr
• QLoud iTunes

13
Social / Collaborative Tags
14
Social / Collaborative Tags
15
Social / Collaborative Tags
16
The Recommendation Task

• Basic formulation as a prediction problem
• Typically, the profile Pu contains preference
  scores by u on some other items, i1, , ik
  different from it
• preference scores on i1, , ik may have been
  obtained explicitly (e.g., movie ratings) or
  implicitly (e.g., time spent on a product page or
  a news article)

Given a profile Pu for a user u, and a target
item it, predict the preference score of user u
on item it
17
Content-Based Recommenders

• Predictions for unseen (target) items are
  computed based on their similarity (in terms of
  content) to items in the user profile.
• E.g., user profile Pu contains
• recommend highly and recommend
  mildly

18
Content-Based Recommenders more examples

• Music recommendations
• Play list generation

Example Pandora
19
Basic Collaborative Filtering Process
Current User Record
ltuser, item1, item2, gt
Nearest Neighbors
Neighborhood Formation
Recommendation Engine
Combination Function
Historical User Records
Recommendations
user
item
rating
Recommendation Phase
Neighborhood Formation Phase
20
Collaborative Recommender Systems

• Collaborative filtering recommenders
• Predictions for unseen (target) items are
  computed based the other users with similar
  interest scores on items in user us profile
• i.e. users with similar tastes (aka nearest
  neighbors)
• requires computing correlations between user u
  and other users according to interest scores or
  ratings
• k-nearest-neighbor (knn) strategy

Can we predict Karens rating on the unseen item
Independence Day?
21
Collaborative Filtering Measuring Similarities

• Pearson Correlation
• weight by degree of correlation between user U
  and user J
• 1 means very similar, 0 means no correlation, -1
  means dissimilar
• Works well in case of user ratings (where there
  is at least a range of 1-5)
• Not always possible (in some situations we may
  only have implicit binary values, e.g., whether a
  user did or did not select a document)
• Alternatively, a variety of distance or
  similarity measures can be used

Average rating of user J on all items.
22
Collaborative Recommender Systems

• Collaborative filtering recommenders
• Predictions for unseen (target) items are
  computed based the other users with similar
  interest scores on items in user us profile
• i.e. users with similar tastes (aka nearest
  neighbors)
• requires computing correlations between user u
  and other users according to interest scores or
  ratings

prediction
Correlation to Karen
Predictions for Karen on Indep. Day based on the
K nearest neighbors
23
Collaborative Filtering Making Predictions

• When generating predictions from the nearest
  neighbors, neighbors can be weighted based on
  their distance to the target user
• To generate predictions for a target user a on an
  item i
• ra mean rating for user a
• u1, , uk are the k-nearest-neighbors to a
• ru,i rating of user u on item I
• sim(a,u) Pearson correlation between a and u
• This is a weighted average of deviations from the
  neighbors mean ratings (and closer neighbors
  count more)

24
Example Collaborative System
Item1 Item 2 Item 3 Item 4 Item 5 Item 6 Correlation with Alice
Alice 5 2 3 3 ?
User 1 2 4 4 1 -1.00
User 2 2 1 3 1 2 0.33
User 3 4 2 3 2 1 .90
User 4 3 3 2 3 1 0.19
User 5 3 2 2 2 -1.00
User 6 5 3 1 3 2 0.65
User 7 5 1 5 1 -1.00
Bestmatch
Prediction ?
Using k-nearest neighbor with k 1
25
Collaborative Recommenders problems of scale
26
Item-based Collaborative Filtering

• Find similarities among the items based on
  ratings across users
• Often measured based on a variation of Cosine
  measure
• Prediction of item I for user a is based on the
  past ratings of user a on items similar to i.
• Suppose
• Predicted rating for Karen on Indep. Day will be
  7, because she rated Star Wars 7
• That is if we only use the most similar item
• Otherwise, we can use the k-most similar items
  and again use a weighted average

sim(Star Wars, Indep. Day) gt sim(Jur. Park,
Indep. Day) gt sim(Termin., Indep. Day)
27
Item-based collaborative filtering
28
Item-Based Collaborative Filtering
Prediction ?
Item1 Item 2 Item 3 Item 4 Item 5 Item 6
Alice 5 2 3 3 ?
User 1 2 4 4 1
User 2 2 1 3 1 2
User 3 4 2 3 2 1
User 4 3 3 2 3 1
User 5 3 2 2 2
User 6 5 3 1 3 2
User 7 5 1 5 1
Item similarity 0.76 0.79 0.60 0.71 0.75
Bestmatch
29
Collaborative Filtering Evaluation

• split users into train/test sets
• for each user a in the test set
• split as votes into observed (I) and to-predict
  (P)
• measure average absolute deviation between
  predicted and actual votes in P
• MAE mean absolute error
• average over all test users

30
Semantically Enhanced Collaborative Filtering

• Basic Idea
• Extend item-based collaborative filtering to
  incorporate both similarity based on ratings (or
  usage) as well as semantic similarity based on
  domain knowledge
• Semantic knowledge about items
• Can be extracted automatically from the Web based
  on domain-specific reference ontologies
• Used in conjunction with user-item mappings to
  create a combined similarity measure for item
  comparisons
• Singular value decomposition used to reduce noise
  in the semantic data
• Semantic combination threshold
• Used to determine the proportion of semantic and
  rating (or usage) similarities in the combined
  measure

31
Semantically Enhanced Hybrid Recommendation

• An extension of the item-based algorithm
• Use a combined similarity measure to compute item
  similarities
• where,
• SemSim is the similarity of items ip and iq based
  on semantic features (e.g., keywords, attributes,
  etc.) and
• RateSim is the similarity of items ip and iq
  based on user ratings (as in the standard
  item-based CF)
• ? is the semantic combination parameter
• ? 1 ? only user ratings no semantic similarity
• ? 0 ? only semantic features no collaborative
  similarity

32
Semantically Enhanced CF

• Movie data set
• Movie ratings from the movielens data set
• Semantic info. extracted from IMDB based on the
  following ontology

33
Semantically Enhanced CF

• Used 10-fold x-validation on randomly selected
  test and training data sets
• Each user in training set has at least 20 ratings
  (scale 1-5)

34
Semantically Enhanced CF

• Dealing with new items and sparse data sets
• For new items, select all movies with only one
  rating as the test data
• Degrees of sparsity simulated using different
  ratios for training data

35
Web Mining Approach to Personalization

• Basic Idea
• generate aggregate user models (usage profiles)
  by discovering user access patterns through Web
  usage mining (offline process)
• Clustering user transactions
• Clustering items
• Association rule mining
• Sequential pattern discovery
• match a users active session against the
  discovered models to provide dynamic content
  (online process)
• Advantages
• no explicit user ratings or interaction with
  users
• helps preserve user privacy, by making effective
  use of anonymous data
• enhance the effectiveness and scalability of
  collaborative filtering

36
Web Usage Mining

• Web Usage Mining
• discovery of meaningful patterns from data
  generated by user access to resources on one or
  more Web/application servers
• Typical Sources of Data
• automatically generated Web/application server
  access logs
• e-commerce and product-oriented user events
  (e.g., shopping cart changes, product
  clickthroughs, etc.)
• user profiles and/or user ratings
• meta-data, page content, site structure
• User Transactions
• sets or sequences of pageviews possibly with
  associated weights
• a pageview is a set of page files and associated
  objects that contribute to a single display in a
  Web Browser

37
Personalization Based on Web Usage Mining
Offline Process
38
Personalization Based on Web Usage Mining
Online Process
39
Conceptual Representation of User Transactions or
Sessions
Pageview/objects
Session/user data
Raw weights are usually based on time spent on a
page, but in practice, need to normalize and
transform.
40
Web Usage Mining clustering example

• Transaction Clusters
• Clustering similar user transactions and using
  centroid of each cluster as a usage profile
  (representative for a user segment)

Sample cluster centroid from CTI Web site
(cluster size 330)
Support URL Pageview Description
1.00 /courses/syllabus.asp?course450-96-303q3y2002id290 SE 450 Object-Oriented Development class syllabus
0.97 /people/facultyinfo.asp?id290 Web page of a lecturer who thought the above course
0.88 /programs/ Current Degree Descriptions 2002
0.85 /programs/courses.asp?depcode96deptmnesecourseid450 SE 450 course description in SE program
0.82 /programs/2002/gradds2002.asp M.S. in Distributed Systems program description
41
Using Clusters for Personalization
Original Session/user data
Given an active session A ? B, the best matching
profile is Profile 1. This may result in a
recommendation for page F.html, since it appears
with high weight in that profile.
Result of Clustering
PROFILE 0 (Cluster Size 3) ---------------------
----------------- 1.00 C.html 1.00 D.html PROFILE
1 (Cluster Size 4) ----------------------------
---------- 1.00 B.html 1.00 F.html 0.75 A.html 0.2
5 C.html PROFILE 2 (Cluster Size
3) -------------------------------------- 1.00 A.h
tml 1.00 D.html 1.00 E.html 0.33 C.html
42
Clustering and Collaborative Filtering
clustering based on ratings movielens
43
Clustering and Collaborative Filtering tag
clustering example
44
Profile Injection Attacks

• Consist of a number of "attack profiles"
• added to the system by providing ratings for
  various items
• engineered to bias the system's recommendations
• Two basic types
• Push attack (Shilling) designed to promote
  an item
• Nuke attack designed to demote a item
• Prior work has shown that CF recommender systems
  are highly vulnerable to such attacks
• Attack Models
• strategies for assigning ratings to items based
  on knowledge of the system, products, or users
• examples of attack models random, average,
  bandwagon, segment, love-hate

45
A Successful Push Attack
Item1 Item 2 Item 3 Item 4 Item 5 Item 6 Correlation with Alice
Alice 5 2 3 3 ?
User 1 2 4 4 1 -1.00
User 2 2 1 3 1 2 0.33
User 3 4 2 3 2 1 .90
User 4 3 3 2 3 1 0.19
User 5 3 2 2 2 -1.00
User 6 5 3 1 3 2 0.65
User 7 5 1 5 1 -1.00
Attack 1 2 3 2 5 -1.00
Attack 2 3 2 3 2 5 0.76
Attack 3 3 2 2 2 5 0.93
BestMatch
Prediction ?
user-based algorithm using k-nearest neighbor
with k 1
46
Amazon blushes over sex link gaffeBy Stefanie
Olsen
http//news.com.com/Amazonblushesoversexlinkg
affe/2100-1023_3-976435.html Story last modified
Mon Dec 09 134631 PST 2002 In a incident that
highlights the pitfalls of online recommendation
systems, Amazon.com on Friday removed a link to a
sex manual that appeared next to a listing for a
spiritual guide by well-known Christian
televangelist Pat Robertson. The two titles
were temporarily linked as a result of technology
that tracks and displays lists of merchandise
perused and purchased by Amazon visitors. Such
promotions appear below the main description for
products under the title, "Customers who shopped
for this item also shopped for these items.
Amazon's automated results for Robertson's "Six
Steps to Spiritual Revival included a second
title by Robertson as well as a book about anal
sex for men. Amazon conducted an investigation
and determined hundreds of customers going to
the same items while they were shopping on the
site.
47
Profile Injection Attacks
48
A Generic Attack Profile
IS
IF
IÆ
it
null null null
Ratings for l filler items
Ratings for k selected items
Rating for the target item
Unrated items in the attack profile

• Attack models differ based on ratings assigned to
  filler and selected items

49
Average and Random Attack Models
IF
IÆ
it
null null null rmax
Rating for the target item
Random ratings for l filler items
Unrated items in the attack profile

• Random Attack filler items are assigned random
  ratings drawn from the overall distribution of
  ratings on all items across the whole DB
• Average Attack ratings each filler item drawn
  from distribution defined by average rating for
  that item in the DB
• The percentage of filler items determines the
  amount knowledge (and effort) required by the
  attacker

50
Bandwagon Attack Model
IS
IF
IÆ
it
rmax rmax null null null rmax
Ratings for k frequently rated items
Random ratings for l filler items
Unrated items in the attack profile
Rating for the target item

• What if the system's rating distribution is
  unknown?
• Identify products that are frequently rated
  (e.g., blockbuster movies)
• Associate the pushed product with them
• Ratings for the filler items centered on overall
  system average rating (Similar to Random attack)
• frequently rated items can be guessed or obtained
  externally

51
Segment Attack Model
IF
IS
IÆ
it
rmax rmax rmin rmin null null null rmax
Ratings for k favorite items in user segment
Rating for the target item
Ratings for l filler items
Unrated items in the attack profile

• Assume attacker wants to push product to a target
  segment of users
• those with preference for similar products
• fans of Harrison Ford
• fans of horror movies
• like bandwagon but for semantically-similar items
• originally designed for attacking item-based CF
  algorithms
• maximize sim(target item, segment items)
• minimize sim(target item, non-segment items)

52
Nuke Attacks Love/Hate Attack Model
IF
IÆ
it
rmax rmax null null null rmin
Min rating for the target item
Unrated items in the attack profile
Max rating for l filler items

• A limited-knowledge attack in its simplest form
• Target item given the minimum rating value
• All other ratings in the filler item set are
  given the maximum rating value
• Note
• Variations of this (an the other models) can also
  be used as a push or nuke attacks, essentially by
  switching the roles of rmin and rmax.

53
How Effective Can Attacks Be?

• First A Methodological Note
• Using MovieLens 100K data set
• 50 different "pushed" movies
• selected randomly but mirroring overall
  distribution
• 50 users randomly pre-selected
• Results were averages over all runs for each
  movie-user pair
• K 20 in all experiments
• Evaluating results
• prediction shift
• how much the rating of the pushed movie differs
  before and after the attack
• hit ratio
• how often the pushed movie appears in a
  recommendation list before and after the attack

54
Example Results Average Attack

• Average attack is very effective against user
  based algorithm (Random not as effective)
• Item-based CF more robust (but vulnerable to
  other attack types such as segment attack
  Burke Mobasher, 2005

55
Example Results Bandwagon Attack

• Only a small profile needed (3-7)
• Only a few (lt 10) popular movies needed
• As effective as the more data-intensive average
  attack (but still not effective against
  item-based algorithms)

56
Results Impact of Profile Size
Only a small number of filler items need to be
assigned ratings. An attacker, therefore, only
needs to use part of the product space to make
the attack effective.
In the item-based algorithm we dont see the same
drop-off, but prediction shift shows a
logarithmic behavior near maximum at about 7
filler size.
57
Example Results Segmented Attack Against
Item-Based CF

• Very effective against targeted group
• Best against item-based
• Also effective against user-based
• Low knowledge

58
Possible Solutions

• Explicit trust calculation?
• select peers through network of trust
  relationships
• law of large numbers
• hard to achieve numbers needed for CF to work
  well
• Hybrid recommendation
• Some indications that some hybrids may be more
  robust
• Model-based recommenders
• Certain recommenders using clustering are more
  robust, but generally at the cost of less
  accuracy
• But a probabilistic approach has been shown to be
  relatively accurate See Model-Based
  Collaborative Filtering as a Defense Against
  Profile Injection Attacks, B. Mobasher, R. Burke,
  JJ Sandvig. AAAI 2006, Boston.
• Detection and Response

59
Approaches to Detection Response

• Profile Classification
• Classification model to identify attack profiles
  and exclude these profiles in computing
  predictions
• Uses the characteristic features of most
  successful attack models
• Designed to increase cost of attacks by detecting
  most effective attacks
• Anomaly Detection
• Classify Items (as being possibly under attack)
• Not dependent on known attack models
• Can shed some light on which type of items are
  most vulnerable to which types of attacks

But, what if the attack does not closely
correspond to known attack signature
In Practice need a comprehensive framework
combining both approaches
60
Conclusions

• Why recommender systems?
• Many algorithmic advances ? more accurate and
  reliable systems ? more confidence by users
• Assist users in
• Finding more relevant information, items,
  products
• Give users alternatives ? broaden user knowledge
• Building communities
• Help companies to
• Better engage users and customers ? building
  loyalty
• Increase sales (on average 5-10)
• Problems and challenges
• More complex Web-based applications ? more
  complex user interactions ? need more
  sophisticated models
• Need to further explore the impact of
  recommendations on (a) user behavior and (b) on
  the evolution of Web communities
• Privacy, security, trust

61

• ?

62
Results Semantically Enhanced Hybrid
Semantic features extracted for movies top
actors, director, genre, synopsis (top
keywords), etc.
Alpha 0.0 100 semantic item-based
similarity Alpha 1.0 100 collaborative
item-based similarity
63
Anomaly Detection Using Control Charts
A new items average rating
Observations avg. ratings on training items in a
particular category, assuming no biased ratings
Upper and lower boundaries on average ratings of
items used as signal thresholds for push and nuke
attacks, respectively.
64
Anomaly Detection Using Time Series
A sudden change in an items mean rating may
indicate a suspicious pattern
65
Anomaly Detection Results

• SPC can be effective in identifying items under
  attack
• Time series effective in long-term monitoring of
  items
• Detection performance highly affected by the
  rating density and popularity of items

For more on the anomaly detection approach
see Securing Collaborative Filtering Against
Malicious Attacks Through Anomaly Detection. R.
Bhaumik, C. Williams, B. Mobasher, R. Burke In
Proceedings of the 4th Workshop on Intelligent
Techniques for Web Personalization (ITWP'06),
held at AAAI 2006, Boston, July 2006.
66
Classification-Based Approach to Detection

• Profile Classification
• Automatically identify attack profiles and
  exclude them from predictions
• Reverse-engineered profiles likely to be most
  damaging
• Increase cost of attacks by detecting most
  effective attacks
• Characteristics of known attack models are likely
  to appear in other effective attacks as well
• Basic Approach
• Create attributes that capture characteristics of
  suspicious profiles
• Use attributes to build classification models
• Apply model to user profiles to identify and
  discount potential attacks
• Two Types of Detection Attributes
• Generic Focus on overall profile
  characteristics
• Model-specific based on characteristics of
  specific attack models
• Partition profile to maximize similarity to known
  models
• Generate attributes related to partition
  characteristics

67
Methodological Note for Detection Results

• Data set
• Using MovieLens 100K data set
• Data split 50 training, 50 test
• Profile classifier - Supervised training approach
• kNN classifier, k9
• Training data
• Half of actual data labeled as Authentic
• Insert a mix of attack profiles built from
  several attack models labeled as Attack
• Test data
• Start with second half of actual data
• Insert test attack profiles targeting different
  movies than targeted in training data
• Recommendation Algorithm
• User based kNN, k 20
• Evaluating results
• 50 different target movies
• selected randomly but mirroring overall
  distribution
• 50 users randomly pre-selected
• Results were averaged over all runs for each
  movie-user pair

68
Evaluation Metrics

• Detection attribute value
• Information Gain attack profile vs. authentic
  profile
• Classification performance
• True positive of attack profiles correctly
  identified
• False positive of authentic profiles
  misclassified as attacks
• False negatives of attack profiles
  misclassified as authentic
• Precision true positives / (true pos. false
  pos.)
• Percent of profiles identified as attacks that
  are attacks
• Recall true positives / (true pos. false
  negatives)
• Percent of attack profiles that were identified
  correctly
• Recommender robustness
• Prediction shift change in recommenders
  prediction resulting from the attack

69
Classification Effectiveness Average and Random
Push Attacks
Note As a baseline we compared our classifier
with the ad hoc approach for attack detection by
Chirita et al., WIDM 2005, which does not use all
of the proposed attributes and does not build a
classification model.
70
RobustnessImpact of Detection on Prediction
Shift Due to Attacks
71
Attacks in Collaborative Recommenders Summary

• Collaborative spam (clam?)
• Worse than we thought common algorithms
  vulnerable targeting quite easy to achieve
• Attacks, if designed correctly, can require very
  limited system- or user-specific knowledge
• Need to understanding properties of attack models
• Can help in designing more robust algorithms
• E.g., hybrid and model-based algorithms
• Needed fro effective detection and response
• Most effective attacks are those that mimic known
  attack models

72
A Push Attack Against Item-Based Algorithm
Prediction ?
Item1 Item 2 Item 3 Item 4 Item 5 Item 6
Alice 5 2 3 3 ?
User 1 2 4 4 1
User 2 2 1 3 1 2
User 3 4 2 3 2 1
User 4 3 3 2 3 1
User 5 3 2 2 2
User 6 5 3 1 3 2
User 7 5 1 5 1
Attack 1 5 1 1 1 1 5
Attack 2 5 1 1 1 1 5
Attack 3 5 1 1 1 1 5
Item similarity 0.89 0.53 0.49 0.70 0.50
BestMatch
73
Examples of Generic Attributes

• Weighted Deviation from Mean Agreement (WDMA)
• Average difference in profiles rating from mean
  rating on each item weighted by the items
  inverse rating frequency squared
• Weighted Degree of Agreement (WDA)
• Sum of profiles rating agreement with mean
  rating on each item weighted by inverse rating
  frequency
• Average correlation of the profile's k nearest
  neighbors
• Captures rogue profiles that are part of large
  attacks with similar characteristics
• Variance in the number of ratings in a profile
  compared to the average number of ratings per
  user
• Few real users rate a large of items

74
Model Specific Attributes

• Partition profile to maximize similarity to known
  models
• Generate attributes related to partition
  characteristics that would stand out if the
  profile was that type of attack

75
Examples of Model Specific Attributes

• Average attack detection model
• Partition profile to minimize variance in ratings
  in Pu,F from mean rating for each item
• For average attack, the mean variance of the
  filler partition is likely less than an authentic
  user
• Segment attack detection model
• Partition profile into items with high ratings
  and low ratings
• For segment attack, the difference between the
  average rating of these two groups is likely
  greater than that of an authentic user
• Target focus detection model (TMF)
• Use the identified Pu,T partitions to identify
  concentrations of items under attack across all
  profiles