Since collaborative filtering generates personalized recommendations according to the preferences of a user's nearest neighbors, malicious users can inject fake profiles that become nearest neighbors of normal users, in order to push or suppress the recommendation rank of a target item and thus change the output of the recommender system. Such an attack is termed a "shilling attack". This paper reviews the state of the art and the main problems of existing work on shilling attack models and detection techniques, and attempts to sketch a comprehensive and explicit outline of this new and active research area. In particular, the motivations, concepts, intent, ingredients and classifications of shilling profiles are introduced, and two kinds of metrics for evaluating the harm caused by shilling attacks are presented. A set of metrics for characterizing normal users and shilling attackers is discussed. Moreover, current shilling attack detection algorithms fall into three categories from a machine learning perspective, and the data sets, evaluation measures and experimental methods used to evaluate these algorithms are addressed. Finally, a wealth of research directions worth further exploration are marked out.