Developing a Model of the Dynamics of States of a Recommendation System under Conditions of Profile Injection Attacks

The recommendation systems used to form a news feed in social networks or to create recommendation lists on content websites or in online stores are often exposed to profile injection attacks. These attacks aim to change ratings, and thus the frequency with which certain objects of a system appear in recommendations. This can threaten users' information security and cause losses to the system owners. There are methods to detect attacks in recommendation systems, but they require permanent repetitive checks of all users' profiles, which is a rather resource-intensive operation. At the same time, these methods contain no proposals for determining the optimal frequency of attack checks. However, a properly chosen frequency of such checks will not overload a system too much and, at the same time, will provide an adequate level of its operational security.
A mathematical model of the dynamics of states of a recommendation system under conditions of an information attack was developed using the mathematical apparatus of Markovian and semi-Markovian processes. The developed model makes it possible to study the influence of profile injection attacks on recommendation systems, in particular, on their operation efficiency and the costs of ensuring their information security. The practical application of the developed model enables calculating, for recommendation systems, the optimum frequency of information attack checks, taking into consideration the damage from such attacks and the costs of permanent inspections.
Based on the developed mathematical model, a method was proposed for determining the total costs that a recommendation system incurs from monitoring its own information security, neutralizing bot-network activity, and information attacks.
A method for determining the optimal frequency of checking a recommendation system for information attacks to optimize the overall costs of a system was developed. The application of this method will enable the owners of websites with recommendation systems to minimize their financial costs to provide their information security.


Introduction
Recommendation systems are increasingly used on various web resources and are becoming an important part of them, alongside search subsystems, sometimes complementing them and sometimes offering an alternative to them [1,2]. They are most often used to form a news feed in social networks [2,3], and to create recommendation lists for users of content websites and online stores [1]. With the help of recommendation systems, a user finds the content he needs more quickly, and the owner increases visits to his web resource and, consequently, his own profit [1,4].
Various informational impacts are often implemented through social networks [5,6], and recommendation systems as their component have become one of the goals for information attacks to perform such influences [7,8]. By making a successful attack on the recommendation system of a social network, one can change the content and order of showing the objects in news feeds to the system's users. This can be used for marketing, political, or fraudulent purposes.
The main type of information attack on recommendation systems is the profile injection attack [7][8][9]. These attacks are aimed at changing ratings, and thus at changing the frequency with which certain objects of a system are shown in recommendations. To implement the described actions, bot-networks are used, because only a certain set of profiles in a system can affect the formation of recommendations by their cohesive actions [8,9]. If an attacker manages to make an object get into the recommendation list more often, the target object is highly likely to become more well-known, popular, and in demand among users. Thus, one can promote certain products, services, or information. The goal of an attacker can also be the opposite: to make an object get into the recommendation list less often. This makes it possible to fight competitors by reducing the popularity of their content. Therefore, attacks on recommendation systems can lead to threats to users' information security and damage to the owners of a system.
Of course, there are some methods to detect and neutralize attacks in recommendation systems [1,10-13], but they require permanent repeated checks of all profiles of users, which is a rather resource-intensive operation. At the same time, these methods have no proposals for determining the optimal frequency of attack checks. However, a properly chosen frequency of such checks will not overload a system and, at the same time, will provide an adequate level of its operational security.
On the one hand, the state of information security of a recommendation system should be constantly monitored to detect timely new bot profiles, which can appear and be activated in a system at any time. On the other hand, periodic checks should not be too frequent so as not to overload a system and not to slow down its work. In addition, too frequent attack checks of a system can significantly increase the financial costs of website owners for using computing resources.
Therefore, to solve the problem of determining the optimal frequency of attack checks of a recommendation system is a relevant scientific and practical task. Its solution will minimize the costs of providing information security for recommendation systems while maintaining its sufficient level.

Literature review and problem statement
Papers [7][8][9] studied the causes and general principles of information attacks on recommendation systems. The research results show that the main type of information attacks on recommendation systems is the profile injection attacks.
Profile injection attacks are information attacks that involve creating bot-networks that change the frequency with which target objects of a recommendation system get into recommendation lists [1,7-9]. At the stage of preparation for an attack, bots may collect statistics about system users, using the recommendation lists provided by a system in response to certain actions of theirs [1,10]. This method of obtaining information is called the Probe Attack; according to papers [1,7-9], it can be considered an optional initial stage of a profile injection attack.
Papers [1,10-13] address the methods for detection and neutralization of profile injection attacks in recommendation systems. These methods identify and neutralize bot profiles using clustering and machine learning algorithms. We can conclude from these works that the methods for protecting recommendation systems from information attacks are developed based on the known models of such attacks. The very first models of attacks on recommendation systems, the Random Attack and Average Attack models, were proposed in [8]. Papers [1,14-17] explore more complex and information-intensive attacks, such as the Popular Attack, Bandwagon Attack, Segment Attack, etc. The methods for detection of bots are developed from the known attack models, as they rely on the features of bot behavior characteristic of a certain model of an attack on a recommendation system.
The studies focusing on the detection of bot profiles in recommendation systems do not raise and resolve the problem of how often a system should be checked for bots. The reason for this may be the lack of developed models of recommendation systems during information attacks. This makes it impossible to determine the impact of the frequency of checking attacks on a recommendation system and its operational efficiency.
However, as the research shows [1,7-9], the recommendation systems applying the collaborative filtering methods [18-21] are often subjected to profile injection attacks and are very vulnerable to them. This is because such methods use feedback from users that can be forged by using a bot network. There are many methods for filtering data for recommendation systems, and they are all, to a different extent, vulnerable to information attacks [1,7]. At the same time, almost all modern recommendation systems are complex hybrids of different data filtering methods, among which collaborative filtering methods are the most common [1,22]. Thus, almost all modern recommendation systems are vulnerable to profile injection attacks and are often under their influence. Detection and neutralization of information attacks require the use of additional computing resources [1,11], and therefore additional financial costs for website owners.
Based on the conducted study of sources, we can conclude about the absence of mathematical models of recommendation systems during information attacks, which complicates the development of qualitative subsystems of information security of such systems. At the same time, the vast majority of existing recommendation systems require protection from information profile injection attacks.
The important data for the development of the information security subsystem of a recommendation system and optimization of costs of its owners are data on the dynamics of the system's states under conditions of an information attack. The model of dynamics of a recommendation system would make it possible to study better the impact of information attacks on its operation and the costs of the owners in various attack-caused states of a system. It would allow reasonable choosing the frequency of bot-checks of a recommendation system. Thus, the development of a mathematical model of dynamics of states of a recommendation system in the context of information attacks will enable solving the issue of determining the optimal frequency of system checking for an information attack to optimize the costs of the system owners.

The aim and objectives of the study
The aim of this research is to develop a mathematical model of dynamics of states of a recommendation system under conditions of information profile injection attacks. The practical application of the developed mathematical model will make it possible to calculate the optimum frequency of checks for the existence of information attacks for recommendation systems, taking into consideration their individual parameters, for subsequent neutralization of existing bots.
To achieve the set goal, the following tasks should be solved:
- to conduct research into general principles of information profile injection attacks on recommendation systems and the methods for their detection and neutralization;
- to develop a set of possible states of a recommendation system in the context of information profile injection attacks and analytical ratios to calculate the probabilities of a system being in these states at a random time;
- to develop the method to determine the costs of the recommendation system owner in the face of profile injection attacks and the method for determining the optimal frequency of information attack check of a system to optimize these costs.

Studying the general principles of information profile injection attacks on recommendation systems and methods for their detection and neutralization
Profile injection attacks on recommendation systems aim to change the ratings of one or more objects in a system. The goal of an attack may be to increase the ratings of their goods (content), reduce the ratings of competitors' goods (competitors' content), or both.
To exert this influence, an attacker must simulate the actions of ordinary users accurately enough not to be detected. An attack-robust recommendation system should work so that attackers' actions are ineffective enough to leave them no incentive to continue attacks, while authentic users continue to receive relevant undistorted recommendations.
An attack on a recommendation system will be considered the coordinated efforts of a large number of bot profiles to offset its operation results so that a group of users or all users could start receiving recommendations that promote attack objects.
The general principle of a profile injection attack on a recommendation system that uses feedback from users in the form of estimates of recommendation objects is shown in Fig. 1, using the example of increasing the rating of one object. Fig. 1 shows an example of a part of the rating database of an attacked recommendation system. The recommendation system is attacked by a bot network represented by users' profiles $u_7$ and $u_8$. The question mark denotes unknown values of estimates (users have not yet assessed the target object), which the system will try to predict when generating recommendations for users $u_5$ and $u_6$ and object $i_t$, the target of the bot network attack. If the system predicts a positive estimate for object $i_t$, the object is highly likely to get into the recommendation lists for these users, and they will pay attention to it. That is why bots give positive estimates to object $i_t$ to increase its rating, and give other objects of the system estimates similar to those given by users $u_5$ and $u_6$. This is done to get a positive correlation with the target users and a high coefficient of similarity to them, which the recommendation system will take into account when forming recommendations for the target users. Since ordinary users similar to users $u_5$ and $u_6$ assessed object $i_t$ negatively, without the bot attack the recommendation system would predict a low estimate for this object, and it would not get into the recommendations for these users.
In order to neutralize this attack, it is necessary to determine which profiles are bots and not take their estimates into consideration when forming the recommendation list.
The overall model of the profile of a bot that attacks a recommendation system can be represented as follows (Fig. 2). As Fig. 2 shows, the bot profile contains the following types of estimates:
- estimates of objects from set $I_f$. These estimates are given to simulate the actions of actual users. An attacker does not wish to change the ratings of objects from this set. On the contrary, he tries to choose for them the values that are most similar to the actual ones for the target group of users whom he is eager to influence;
- estimates of objects from set $I_{ti}$. These are the maximum (or close to maximum) estimates in the system for target objects whose rating an attacker seeks to increase;
- estimates of objects from set $I_{td}$. These are the minimum (or close to minimum) estimates in the system for target objects whose rating an attacker seeks to decrease.
The number of target objects in a bot profile can vary from 1 to K, and the number of objects used to fill the profile from 0 to N.
Bot actions can produce results only when the vast majority of bots give estimates on all target objects, and in this case, bots will not be detected and neutralized. The minimum required number of bots in a network, which will allow reaching the set goal depends on the algorithms of a recommendation system and can be determined by an attacker only experimentally.
There are several approaches to detecting bot profiles:
1. Profile clustering. Detection of bot profiles can be considered as a problem of binary classification of system profiles [1,8,10] with two possible results for each profile, specifically:
- authentic user profile;
- profile of a bot created to attack a system (Attack).
To create such a classifier, various methods of data clustering can be used, as well as various machine learning methods, which learn on a training sample of profiles, which contain both authentic profiles and bot profiles.
2. Analysis of individual profile statistics. The distribution of estimates in a bot profile is highly likely to be different from the distribution of estimates in authentic users' profiles. Although it is advantageous for an attacker to create bot profiles as similar to the profiles of regular system users as possible, he can never have enough information and resources to eliminate completely the differences between bots and normal users.
The features of a bot profile can be the following statistical characteristics [1,8]: for example, the deviation from the mean value of estimates is greater than usual, some group of profiles has higher similarity to the checked profile than usual.
To protect a recommendation system from information attacks, the data of the profiles defined as Attack must be removed from the computations of rating prediction and recommendations creation so that they do not influence these processes in a system.
The efficiency of attack neutralizing can be assessed by a shift in the forecast of target object ratings before and after detecting an attack and bot profiles removal from the process of recommendation system computation [1,8,10,12].
Existing studies predominantly propose treating the detection of an attack on a recommendation system as identical to the detection of bot profiles [1,8,10-13].
Since detection of bot profiles, based on the conducted study, is quite a resource-intensive task, it is proposed in this research to divide the problem of protecting a recommendation system from information profile injection attacks into two parts:
- attack detection;
- detection and neutralization of bot profiles.
Attack detection may be a less resource-intensive task and involve monitoring the dynamics of ratings of system objects, either all of them or only those crucial in terms of information security. If the ratings of objects begin to change rapidly and new estimates leading to a change in ratings do not correspond to the previous average estimates of objects, it is necessary to check for bots among users who started to give such estimates to objects. This approach will reduce the number of users' profile checks: firstly, because it will be necessary to check them only when an attack is suspected; secondly, because it will be necessary to check the profiles not of all users, but only of those engaged in suspicious activity.
After the detection of bot profiles, it is necessary to neutralize these profiles by removing their information from the database used for the formation of recommendation lists. Thus, the estimates they gave and the actions they performed (views, comments, etc.) will not affect the ratings of the objects of a system and forecasting recommendations.
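One way to implement the cheap first stage described above, as an added Python example that is not part of the original paper: it flags objects whose estimates arrive much faster than before and whose recent mean departs from the historical mean, and returns only the users behind that shift for the bot-profile check. The log, the function name `profiles_to_check` and all thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed rating log: (minute, user, item, estimate on a 1..5 scale).
# Minutes 0-99 are history; minutes 100-109 are the window being checked.
LOG = [
    (0, "n1", "i_a", 4), (25, "n2", "i_a", 5), (52, "n3", "i_a", 4),
    (80, "n4", "i_a", 4),
    (3, "n1", "i_t", 2), (17, "n2", "i_t", 1), (31, "n3", "i_t", 2),
    (48, "n4", "i_t", 2), (66, "n5", "i_t", 1), (90, "n6", "i_t", 2),
    # Recent window: a burst of maximum estimates for i_t plus ordinary activity.
    (101, "s1", "i_t", 5), (102, "s2", "i_t", 5), (103, "s3", "i_t", 5),
    (104, "s4", "i_t", 5), (106, "s5", "i_t", 5), (107, "n9", "i_t", 2),
    (103, "n7", "i_a", 4), (108, "n8", "i_a", 5),
]


def profiles_to_check(log, now, recent_len=10, rate_factor=3.0,
                      shift=1.5, min_history=3):
    """Stage 1 (cheap): find items whose estimates arrive much faster than
    before AND whose recent mean departs from the historical mean.

    Returns {item: users whose recent estimate pushed it that way}; only
    these profiles go on to the expensive bot-profile check (stage 2).
    All thresholds are illustrative assumptions.
    """
    cut = now - recent_len
    first = min(minute for minute, _, _, _ in log)
    history_len = max(cut - first, 1)

    history, recent = defaultdict(list), defaultdict(list)
    for minute, user, item, estimate in log:
        bucket = recent if minute >= cut else history
        bucket[item].append((user, estimate))

    flagged = {}
    for item, new in recent.items():
        old = history.get(item, [])
        if len(old) < min_history:
            continue  # too little history to call a change abnormal
        old_mean = mean(e for _, e in old)
        new_mean = mean(e for _, e in new)
        # Condition 1: ratings change rapidly (arrival rate jumps).
        faster = len(new) / recent_len >= rate_factor * len(old) / history_len
        # Condition 2: new estimates do not match the previous average.
        moved = abs(new_mean - old_mean) >= shift
        if faster and moved:
            sign = 1 if new_mean > old_mean else -1
            flagged[item] = sorted(
                {u for u, e in new if sign * (e - old_mean) >= shift})
    return flagged


if __name__ == "__main__":
    print(profiles_to_check(LOG, now=110))
```

In the constructed log, object `i_a` also receives estimates faster than usual but keeps its average, so it is not flagged, and user `n9`, who rated `i_t` in line with its history, is not sent for a profile check.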

Development of a mathematical model of the dynamics of a recommendation system states under conditions of information profile injection attack
A set of possible states of a recommendation system in the context of information profile injection attacks and analytical ratios to calculate the probability of a system being in these states at a random time were developed. Taking into account the conducted study of the threats to information security of recommendation systems and the ways to detect and neutralize the threats, we propose the following set of states of a recommendation system in terms of information security:
1) Normal operation. In this mode, there are additional costs for the organization of information attack detection; the costs are proportional to the time of the system operation in the current state and the intensity of control measures: $vtL_1$.
2) A system was attacked. There are active bot-networks in a system. Bots in a system were not detected, and recommendations are distorted under their influence. In this operation mode, the losses from the activity of bots, $tL_2$, accumulate in proportion to time. At the same time, checks for an information attack with losses $tL_1$ are conducted.
3) The system fights back an attack. The existence of an information attack was detected. Losses from incorrect recommendations, $tL_2$, continue. Resources are spent on the search for and elimination of bots. In this mode, resources $tL_3$ to organize the return of the system operation to the normal state (1) are additionally consumed in proportion to operation time.
The graph of the system is shown in Fig. 3.
The methodology of probabilistic analysis of the dynamics of states of multidimensional Markovian and semi-Markovian dynamical systems, developed in paper [24], was used to develop a mathematical model of dynamics of states of a recommendation system.
Consider the possible scenarios that may occur with a recommendation system that is vulnerable to information attacks.
A system is in working condition (1). A system can transfer to state (2); the probability of this transition is a random process with flow intensity $\lambda_1$. Then the distribution of density of system being in state (1) before the transition to state (2) will have the form:
Transition from state (1) to state (3) is hardly probable, given that the time of the beginning of an attack on a system cannot coincide with the time of detection of the fact of system damage. That is why there is no flow from state (1) to state (3):
State (2) can change in two ways:
1) an attack was unnoticed and in some time a system got stabilized by itself into state (1); probability $p_{2,1}$, which determines that the process will develop in exactly this way, was added to the distribution;
2) an attack was noticed, and active counteractions are conducted as for the fact of attack existence: a system transferred to state (3); this sequence of events is the supplement to scenario 1, which is determined by a multiplier-probability of event continuation with the specified probability. Due to the use of the sub-system of detection of an information attack, this probability is higher than 80 %, that is why we will accept the lower boundary as $p_{2,3} = 0.8$, and probability
If a system is in state (3), after a while, it returns to the normal operation mode, to state (1). Even in the case of an attack on a recommendation system in state (3), it can be ignored, because an attack is quite a long process, and a system is sure to return to state (1) before the transition to state (2). That is why the densities of probability to find a recommendation system in another state over time t are
We designate the probability of a system to be in state (j) over time t as $G_{i,j}(t)$, $i, j = 1, 2, 3$, if a system was in state (i) at the initial moment of time.
Then one can write down the system of integral equations as: Here, a probability of the f form means that an event of transition to another state over time t has not taken place. Due to this, the system is independent and allows for non-trivial solutions.
To solve this system of equations, one can use the Laplace transform, where the transformation result will be denoted with suffix ^. Considering the transformation properties makes it possible to get the equation system in the following form:  Since the initial state of a system is known and it is state (1), it is enough to determine the following functions:

f s f s f s f s f s f s f s f s f s f s f s G s f s f s f s f s f s f s f s f s f s f s s
for which the Laplace transform will have the form:

. k
Since the analytical solution to the equation is quite complicated and cumbersome, we propose to use numerical methods. Specific values make it possible to find the roots either accurately or approximately, so, for example, the following parameters will be used: $\lambda_1 = 0.01$; $\lambda_2 = 0.01$; $\lambda_3 = 0.1$; $\lambda_4 = 0.1$; $p_{2,1} = 0.2$; $p_{2,3} = 0.8$. Here, $\lambda$ is the event intensity and is responsible for the time of a system being in a certain state. For example, at $\lambda = 0.01$, we will observe on average one event per 100 conditional time units. In actual recommendation systems, these intensities and probabilities can take any values; they depend on the system parameters and on the existence and parameters of bot-networks. These values can be determined by the owners of a recommendation system based on the analysis of statistical data available to system administrators.
As a result of the substitution, we have the following Laplace images of sought-after functions:
As a result, each of the sought-after probabilities has a summand in the form of a number divided by s, which corresponds to a constant. That is, for a system that has stabilized in time, the probabilities of detecting a system in states (1) to (3), respectively, are equal to $G_{1,1} = 25/34$, $G_{1,2} = 7/34$, and $G_{1,3} = 1/17$. These probabilities sum to 1, which is one of the arguments for the correctness of the obtained dependences.
The next fraction, which was represented in the second summand of Laplace images of ( ) All real parts of the roots have negative values that correspond to exponentially decreasing dependences. That is, the probabilities over time converge to the specified constants.
Therefore, the sought-after probabilities in the general case can be determined from the following formulas:
The case when a recommendation system is modeled by semi-Markovian processes was considered as well. The Erlang distributions of second and higher order are often used as an event flow model, which makes it possible to simulate semi-Markovian processes. The distribution is that of the sum of two (for the second-order distribution) exponentially distributed quantities, which in the Laplace domain is represented as a product of images:
As a result of using the magnitudes of flows $\lambda_1 = 0.01$, $\lambda_2 = 0.01$, $\lambda_3 = 0.1$, $\lambda_4 = 0.1$, we will have the following expressions:
where $k = 10^8$.
It is important to note that the values of probabilities for a stabilized system are constant: 25/34, 7/34, 2/34. This is logical, because the probability of finding a system in one state or another after a time that exceeds the system stabilization time does not depend on the distribution, but only on the event flow. However, there are significant changes in transitional processes, the dynamics of which are determined by power fractions. Denominator's zeros are:
As a result, when solving the problems of determining the dynamics of processes of a change in probability, it is advisable to significantly complicate the computation, however, in order to study the patterns in the operation of a stationary system, it is enough to check the stability of resulting solutions. Thus, the model of dynamics of states of a recommendation system in the context of information attacks with the use of the mathematical apparatus of Markovian and semi-Markovian processes was developed.

Development of the method for determining the costs of a recommendation system in the context of profile injection attacks and the method for determining the optimal frequency of information attack check
The method to determine the costs that a recommendation system has as a result of monitoring its own information security and due to information attacks was developed.
Let us assume that when a recommendation system is in state (2), gains are lost owing to the incorrectly created recommendations in proportion to the time of its being in this state: $C_1 = tK_1$. Here, $K_1$ is the number of conditional monetary units (mon. units) per unit of time lost by the system owner as a result of a successful attack of a bot-network. If an information attack check is performed, it is necessary to use additional computing resources, which can be expressed by costs $C_2 = tK_2\lambda_3$.
Here, $K_2$ is the number of conditional monetary units per unit of time which the system owner loses as a result of using additional computing resources to make an information attack check of a system. Costs $C_2$ are proportional not only to the time of a system being in states (1) and (2), but also to the intensity of bots testing. The testing frequency corresponds to the frequency of bots' detection if a system was attacked (transition from state (2) to (3)). State (3) corresponds to the continuation of getting losses $L_1$.
Designate time $t_1$ as the share of time when we have losses $L_1$ due to active intervention of bots. Time $t_2$ will be designated as the share of time for bots intervention checks (existence of an information attack) with consumption of resources $L_2$. Time $t_3$ is the share of time for identification of particular bot profiles and elimination of consequences of their activities with the consumption of computing resources $tK_3$. Here, $K_1$ is the number of conditional monetary units per unit of time, lost by the system owner as a result of using additional computing resources to identify particular bot profiles and neutralize their activities. Then the shares of time can be determined as the sum of probabilities:
- $t_1 = G_{1,2} + G_{1,3}$, because in states (2) and (3) we have losses from the activity of bots;
- $t_2 = G_{1,1} + G_{1,2}$, because in states (1) and (2) we have losses from bots activity testing;
- $t_3 = G_{1,3}$, because only in state (3) is there an active search for bots and neutralization of their activity.
Accordingly, full costs in a recommendation system will be:
Coefficients $K_1$, $K_2$, $K_3$ are the parameters of the model, which depend on the structure and algorithms of a recommendation system, the volume of its database, and the computing capacities of the computer systems on which a system is deployed. These coefficients will be different for each particular system and can be determined and known only by the owners of a specific web resource. Owners of a web resource determine $K_2$ and $K_3$ from the tariff plans of their hosting providers. $K_1$ is determined based on average statistical losses from the previous attacks of bot-networks, the consequences of which could be a loss of customers, a loss of advertising revenues, and losses to overcome the results of an attack, etc.
Thus, using formula (7), it is possible to determine complete losses of a recommendation system from information security "monitoring", neutralization of bots, and the activity of bot-networks.
The method for determining the optimal frequency of an information attack check of a recommendation system was developed in this research.
In the subsystem of the recommendation system security, it is possible to control the frequency of checking an information attack and bots' activities, which is responsible for the value of parameter λ 3 . 6  5  4  3  2   1 2  7  6  5  4  3  2   7  1 2,187 5  962 5  166 5  14 0875  58,718,250  1,084,300  7,330 ,  34  17 625  275  47 875  4  In order to determine the optimal frequency of information attack check of a system v opt , it is necessary to find such value λ 3 , at which total losses of the L system will be minimal:

( )
This equation is nonlinear, because of the impact of value λ 3 on coefficients G. That is why its solution in the general case is possible only by means of numerical methods or optimization methods.
Consider an example of determining the optimal frequency of information attack check of a system, using numerical methods.
For example, let us take the following values of all the types of costs of a recommendation system: -K 1 =5 mon. units/min; -K 2 =1 mon. units/min; -K 3 =2 mon. units/min. Such values of costs are taken from the following consideration: the losses due to activity of bots K 1 are, as a rule, higher than costs of monitoring the state of system K 2 and for identification and neutralization of profiles of bots K 3 . In addition, costs of monitoring a system with a view to detecting the existence of attacks K 2 are lower than the costs to identify and neutralize particular profiles of bots K 3 .
The expression for the cost function at the specified values of parameters has the form of:  Table 1 Example of computations to determine the optimal frequency of checking a recommendation system for information bots' attacks v opt Graphic representation of the constructed points for the values of total losses of a recommendation system L at different values of frequency of information attack checks v, which are joined by a smooth curve, is shown in Fig. 4. From Fig. 4 and Table 1, it can be concluded that the minimal total costs of a system will make up L min =1.51 mon. unit/min at the frequency of information attack check v opt =0.16 1/min, which corresponds to periodicity of bots check T= =1/λ 3 =6.25 min. If a search for an existing intervention into a recommendation system is conducted with higher intensity, the costs will increase due to additional computations, if the bots with less intensity are identified, there will be a situation with an increase in costs due to the incorrect operation of a system.
If the checking intensity for the explored example were maximal, v=λ 3 =1, i.e. checking continued constantly, the total losses of a system would reach L=2.18 mon. unit/min. That is, applying the optimal frequency of attack checking of a recommendation system decreases the total losses of a system by (2.18-1.51)/2.18=30.7 %.
Thus, the method for determining the optimal frequency of an information attack check of a recommendation system was proposed. Using a specific example, the method for using the developed mathematical model describing the probabilistic dynamics of states of a recommendation system under conditions of information attacks was explored.

Discussion of results of the development of a model of dynamics of states of a recommendation system under conditions of information attacks
Thus, the research into general principles of information profile injection attacks on recommendation systems (Fig. 1, 2) and the methods for their detection and neutralization was conducted. It was proposed, in contrast to the existing approaches [1, 10-13], to divide the problem of protection of a recommendation system from information profile injection attacks into two parts: detection of an attack and detection and neutralization of bot profiles. This approach will reduce the number of checks of users' profiles. An information attack check can involve tracking the dynamics of objects' ratings and the detection of abnormal trends in it. Thus, it is possible to track the dynamics of ratings of all objects of a system or only those crucial for the protection against information attacks. In this case, it is necessary to check users' profiles to search for bots only when some suspicious changes in object ratings were detected and only of those users who affected the detected changes.

Fig. 4. Dependence of the amount of total costs of a recommendation system L on frequency of its information attack check v

Based on the conducted research, we developed the mathematical model of the dynamics of states of a recommendation system under conditions of information attacks (Fig. 3, formulas (1) to (5)), which is original in comparison with the well-known models of recommendation systems [1, 2, 4, 18-23]. The developed mathematical model proposes the following set of operation states of a recommendation system: normal operation of system H 1 , attacked system H 2 , the system fights back an attack H 3 . The graph of the dynamics of states of a recommendation system in terms of information security was developed (Fig. 3).
Transitions between system states, caused by the following processes, are possible: 1) implementation of attacks (transition H 1 →H 2 , flow intensity λ 1 ); 2) loss of relevance of bots' activity (H 2 →H 1 , λ 2 ); 3) attack detection (H 2 →H 3 , λ 3 ); 4) detection and neutralization of bots (H 3 →H 1 , λ 4 ). λ 3 is the parameter whose value is chosen by the system's administrator; it is directly the frequency of checking a system for the existence of attacks.
The intensity of flows λ 1 , λ 2 , λ 4 is determined by measurements and depends on the parameters of a system. For flows λ 2 and λ 4 , it is possible to carry out direct measurements. λ 2 is determined as the inverse magnitude of the average period of the relevance of the attacked object of a system. λ 4 can be determined experimentally during test runs of the software for bots' detection and removal of the results of their activity. Event flow λ 1 corresponds to the frequency of attack implementation. Because some attacks can be undetected, this flow is difficult to estimate and it is clarified during the system operation.
The developed model contains a set of integral equations with respect to unknown functions that describe the probable dynamics of a system (1). The development of this mathematical model was based on the method for probabilistic analysis of dynamics of the states of multidimensional semi-Markovian dynamic systems, proposed in [24]. The equations (1) were solved with the help of Laplace transform, with the use of which the integral equations were replaced with the system of linear algebraic equations (2) that has the solution (3). With the use of representations for densities of transition distributions, the expressions for the Laplace transformants of conditional probabilities of transitions from state H 1 (4) were obtained. Unlike the example for two possible states [24], in this case, the reverse transition is quite cumbersome (since it is necessary to use formulas for the roots of algebraic equations of third and fourth powers). That is why the transition to the originals for conditional probabilities is performed for specific numerical values of parameters. The emphasis is placed on the ratio for stabilized values of probabilities (5) that are represented by first summands in the expressions for probability images. This is explained by the fact that the roots of denominators in decomposition into elementary fractions in the Laplace transform have negative values, which is why the summands, besides the first ones, will tend to zero during the transition to the originals of the Laplace transform. For semi-Markovian processes (6), which are modeled by Erlang distribution of the second and higher order, the values for stabilized probabilities have the same form (5). 
As a result of the numerical solution of integral equations, ratios were obtained for the calculation of the conditional probabilities G 1,1 , G 1,2 and G 1,3 of finding a recommendation system in states H 1 , H 2 and H 3 at an arbitrary moment of time t, if at the initial moment of time a system is in state H 1 . The developed mathematical model contains the proposed principle of dividing the problem of protection of a recommendation system from profile injection attacks into two sub-problems: 1) attack detection; 2) detection and neutralization of bots' profiles. The first sub-problem is represented by the transition from state H 2 to state H 3 and is characterized by flow intensity λ 3 . The second one is represented by the transition from state H 3 to state H 1 and is characterized by flow intensity λ 4 . If a system used the standard approach, when detection of an information attack and identification of bots' profiles is the same process, it is necessary to establish λ 4 =1 for further use of the developed model. In this case, the transition from state H 2 to state H 3 will take place during finding bots' profiles. The transition from state H 3 to state H 1 will take place during bots' neutralization, which will always occur for all detected bots. Thus, both sub-problems are united into one sequential process. Ratios (1)-(5), obtained in the developed mathematical model, enable solving the problems of assessing the efficiency of a recommendation system and cost-effectiveness of using computational resources under conditions of information attacks.
Based on the developed mathematical model, the method for determining the total costs of a recommendation system in the process of its operation was proposed (formula (7)). It was possible to calculate the complete costs of a system under conditions of an information attack due to the detection of a set of possible states, in which it can be, and to find the expressions to identify the probability of its being in these states. After all, in each of its states a system suffers from various losses. Thus, a system suffers from losses from the bots' activities in states H 2 and H 3 . It suffers from losses from monitoring for an information attack in states H 1 and H 2 . In state H 3 , there are losses from identification and neutralization of particular bots' profiles. The segments of time, on which certain costs appear, can be determined as the sums of corresponding probabilities. Determining total costs for providing information security of a recommendation system at its different parameters is a necessary step for the selection of optimal parameters of a system in terms of minimization of costs of its owners.
The method for determining the optimal frequency of information attack check of a recommendation system (formula (8), Table 1, Fig. 4), taking into consideration the limitation of computing resources for this check, was developed. This method makes it possible to determine the optimal frequency of attack check of a system at the known parameters of a recommendation system using numerical methods. To use it, it is necessary to know the cost of computational resources for the website owner, the amount of the required computing resources by the algorithms for information security monitoring and searching for bots, as well as the average losses from previous attacks of bots. The application of the developed method will make it possible to reduce the costs of the owner of a recommendation system for providing its information security.
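The cost composition per state and the numerical search for the check frequency described above can be worked through as follows. This Python code is an added example, not taken from the paper: it uses the stationary probabilities of a purely Markovian three-state chain in place of formulas (5) and (7), assumes that the monitoring cost grows in proportion to λ 3, and uses constructed rates λ 1, λ 2, λ 4; only K 1, K 2, K 3 are the values from the example above.

```python
# Added illustration, not the paper's formulas (5) and (7).
# Assumptions: exponential (Markovian) transitions; lam1, lam2, lam4 are
# constructed sample rates in 1/min; monitoring cost grows with lam3.

def stationary(lam1, lam2, lam3, lam4):
    """Stationary probabilities (p1, p2, p3) of states H1, H2, H3 for
    H1 -lam1-> H2, H2 -lam2-> H1, H2 -lam3-> H3, H3 -lam4-> H1."""
    r2 = lam1 / (lam2 + lam3)   # balance of H2: p2*(lam2+lam3) = p1*lam1
    r3 = r2 * lam3 / lam4       # balance of H3: p3*lam4 = p2*lam3
    p1 = 1.0 / (1.0 + r2 + r3)  # normalisation: p1 + p2 + p3 = 1
    return p1, p1 * r2, p1 * r3

def total_cost(lam3, lam1, lam2, lam4, k1, k2, k3):
    """Long-run cost per minute at attack-check frequency lam3."""
    p1, p2, p3 = stationary(lam1, lam2, lam3, lam4)
    bot_losses = k1 * (p2 + p3)          # bots are active in H2 and H3
    monitoring = k2 * lam3 * (p1 + p2)   # assumed proportional to lam3
    neutralisation = k3 * p3             # bot profiles are removed in H3
    return bot_losses + monitoring + neutralisation

def optimal_frequency(lam1, lam2, lam4, k1, k2, k3, steps=1000):
    """Grid search over 0 < lam3 <= 1 (1 = checking constantly)."""
    grid = [i / steps for i in range(1, steps + 1)]
    best = min(grid, key=lambda v: total_cost(v, lam1, lam2, lam4, k1, k2, k3))
    return best, total_cost(best, lam1, lam2, lam4, k1, k2, k3)

# K1, K2, K3 are the page's example costs; the rates are constructed.
COSTS = dict(k1=5.0, k2=1.0, k3=2.0)
RATES = dict(lam1=0.05, lam2=0.02, lam4=0.5)

if __name__ == "__main__":
    v_opt, l_min = optimal_frequency(**RATES, **COSTS)
    l_max = total_cost(1.0, **RATES, **COSTS)
    print(f"v_opt = {v_opt:.3f} 1/min, L_min = {l_min:.3f}, "
          f"L(v=1) = {l_max:.3f}, saving = {(l_max - l_min) / l_max:.1%}")
```

Because the rates and the cost scaling are assumptions, the resulting optimum differs from the values in Table 1 and Fig. 4; replacing `stationary` with the model's stabilized probabilities leaves the search itself unchanged.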

Conclusions
1. It was proposed to divide the problem of protection of a recommendation system from information profile injection attacks into two parts: attack detection and detection and neutralization of bots' profiles. This division is advisable because detection of bots' profiles is quite a resource-intensive problem. This approach will reduce the number of checks of users' profiles. Firstly, this is because it will be necessary to check them only when the attack suspicions are detected. Secondly, it will be necessary to check the profiles of not all users, but only of those engaged in suspicious activity. An information attack check may be a less resource-intensive problem, which does not require the search for bots and involves tracking the dynamics of the ratings of objects and detection of abnormal trends in it. After revealing abnormal changes in objects' ratings, it is possible to check the profiles of the users who influenced the corresponding changes with a view to searching for bots among them.
2. The mathematical model of the dynamics of states of a recommendation system under conditions of information attacks was developed. The models of Markovian and semi-Markovian processes were chosen as the main tool of mathematical formalization. Within the mathematical model, a set of possible states, in which a recommendation system may be under conditions of information profile injection attack was developed. Three states of the recommendation system operation under conditions of an information attack were proposed, specifically, "normal state", "attacked system" and "a system fights back an attack". Possible transitions between these states were identified. Analytical ratios for calculation of probabilities of the recommendation system staying in its possible states at an arbitrary moment of time were developed. The developed mathematical model makes it possible to study the influence of information profile injection attacks on recommendation systems, on the accuracy and efficiency of their operation and the volume of costs of providing their information security.
3. Based on the developed mathematical model, we designed the method for determining total costs that a recommendation system has as a result of monitoring of its own information security, neutralization of the activity of bot-networks and as a result of information profile injection attacks. The formula for determining the total costs of a recommendation system under conditions of information profile injection attacks was offered. The developed method makes it possible at the known costs of computing resources and the known losses in attacks of bot-networks to determine the overall costs of servicing a security subsystem of a recommendation system. The method for determining the optimal frequency of checking a recommendation system for an information attack and bots' profiles to optimize the total costs of a system was developed. The proposed method is based on the use of numerical methods. The solution to a problem of determining the optimal frequency of checking a recommendation system for an information profile injection attack was considered using a specific example. If we know the average intensity of the flow of active bot-networks appearing in a recommendation system and the rate of operation of their detection algorithms, it is possible to reduce the total costs of a system by optimizing the attack search frequency. In this specific example, using the optimum frequency of attack check of a system lowers the total costs of system owners by 30.7 % compared to the constant check of a system. As the frequency of the appearance of active bot-networks in actual recommendation systems will not be continuous in time, the maximum frequency of attack checks will never be optimal. Thus, the application of the method for determining the optimal frequency of checking a recommendation system for an information attack will enable the owners of web-resources to minimize their financial costs of ensuring the information security of recommendation systems.