Black-box recommender systems are vulnerable to model extraction and adversarial attacks; however, existing approaches often overlook the importance of ranking positions and generate adversarial sequences that lack semantic consistency with user behavior, making them easily detectable. To address these limitations, this work proposes a dual-enhancement attack framework. First, a cognitive distribution alignment mechanism is introduced to map discrete rankings into continuous distributions with position-based decay, thereby improving model extraction fidelity. Second, collaborative filtering signals are integrated with gradient information to craft noise perturbations that are both behaviorally coherent and statistically stealthy, effectively boosting the target item’s rank while preserving semantic plausibility. Extensive experiments across multiple datasets demonstrate that the proposed method significantly outperforms state-of-the-art techniques, achieving markedly higher attack success rates and evasion capabilities.

With the growing deployment of sequential recommender systems in e-commerce and other fields, their black-box interfaces raise security concerns: models are vulnerable to extraction and subsequent adversarial manipulation. Existing black-box extraction attacks primarily rely on hard labels or pairwise learning, often ignoring the importance of ranking positions, which results in incomplete knowledge transfer. Moreover, adversarial sequences generated via pure gradient methods lack semantic consistency with real user behavior, making them easily detectable. To overcome these limitations, this paper proposes a dual-enhanced attack framework. First, drawing on primacy effects and position bias, we introduce a cognitive distribution-driven extraction mechanism that maps discrete rankings into continuous value distributions with position-aware decay, thereby advancing from order alignment to cognitive distribution alignment. Second, we design a behavior-aware noisy item generation strategy that jointly optimizes collaborative signals and gradient signals. This ensures both semantic coherence and statistical stealth while effectively promoting target item rankings. Extensive experiments on multiple datasets demonstrate that our approach significantly outperforms existing methods in both attack success rate and evasion rate, validating the value of integrating cognitive modeling and behavioral consistency for secure recommender systems.