A Large Language Model-Based Detection Method for Poisoning Attacks in Recommender Systems

Abstract

Recommender systems are vulnerable to poisoning attacks due to their open nature: attackers can inject malicious user profiles to deliberately manipulate the recommendation results. Existing detection methods mainly focus on rating behaviors while neglecting key semantic information such as item labels, making them ineffective in handling complex or highly camouflaged attacks. To overcome these limitations, namely over-reliance on ratings and insufficient use of the semantic association information in item labels, we use a pretrained large language model to encode label semantic information and fuse rating information with label semantic information to jointly identify malicious users, proposing PAD-LLM, a poisoning attack detection method based on large language model–based label semantic encoding. First, we adopt a Text-to-Text Transfer Transformer model to semantically encode the label text sequences and fuse them with rating behaviors to construct a user-item-label three-dimensional tensor representation, enabling unified modeling of multi-source heterogeneous data. On this basis, we design a local-global joint feature extraction framework that uses three-dimensional depthwise separable convolution and a multi-head Performer to jointly model local interaction patterns and global dependency structures, and a gated residual mechanism to realize dynamic fusion; furthermore, we incorporate contrastive learning to enhance the inter-class separability of latent representations, thereby improving the identification capability for malicious user profiles. We conduct comparative experiments on the MovieLens-1M and Amazon datasets. The results demonstrate that PAD-LLM achieves better detection performance than the baseline methods under multiple poisoning attack settings.
