=Paper= {{Paper |id=Vol-3012/OHARS2021-paper3 |storemode=property |title=Adversarial Attacks against Visual Recommendation: an Investigation on the Influence of Items' Popularity |pdfUrl=https://ceur-ws.org/Vol-3012/OHARS2021-paper3.pdf |volume=Vol-3012 |authors=Vito Walter Anelli,Tommaso Di Noia,Eugenio Di Sciascio,Daniele Malitesta,Felice Antonio Merra |dblpUrl=https://dblp.org/rec/conf/recsys/AnelliNSMM21 }} ==Adversarial Attacks against Visual Recommendation: an Investigation on the Influence of Items' Popularity== https://ceur-ws.org/Vol-3012/OHARS2021-paper3.pdf
Adversarial Attacks against Visual Recommendation:
an Investigation on the Influence of Items’ Popularity
Vito Walter Anelli¹, Tommaso Di Noia¹, Eugenio Di Sciascio¹, Daniele Malitesta¹ and Felice Antonio Merra¹,²
¹ Politecnico di Bari, via Orabona, 4, 70125 Bari, Italy
² The authors are in alphabetical order. Corresponding author: Felice Antonio Merra (felice.merra@poliba.it).


Abstract
Visually-aware recommender systems (VRSs) integrate products' image features with historical users' feedback to enhance recommendation performance. Such models have proven to be very effective in different domains, ranging from fashion and food to point-of-interest. However, test-time adversarial attack strategies have recently unveiled severe security issues in these recommender models. Indeed, adversaries can harm the integrity of recommenders by uploading item images with human-imperceptible adversarial perturbations capable of pushing a target item into higher recommendation positions. Given the importance of items' popularity for recommendation performance, in this work we evaluate whether items' popularity influences the attacks' effectiveness. To this end, we perform three state-of-the-art adversarial attacks against VBPR (a standard VRS), varying the adversary's knowledge (white- vs. black-box) and capability (the magnitude of the perturbation). The results obtained on two real-world datasets shed light on the remarkable efficacy of the attacks against the least popular items, a finding that should be taken into account when planning novel defenses.

                                         Keywords
                                         Adversarial Machine Learning, Visual Recommender Systems, Collaborative Filtering




1. Introduction
Recommender systems (RSs) try to unveil the hidden relationships among users and items on popular e-commerce platforms (e.g., Amazon, Zalando) by presenting personalized lists of recommendations, thus supporting customers in the decision-making process. When the user's visual taste matters, in scenarios such as fashion [1], food [2], or point-of-interest [3] recommendations, visually-aware recommender systems (VRSs) have recently proven to provide superior results by leveraging the representational power of (pretrained) convolutional neural networks (CNNs) to extract meaningful item visual representations and inject them into the preference learning process, so as to model the users' visual attitude towards products [4, 5, 6, 7]. For instance, He and McAuley [4] proposed VBPR, a popular matrix factorization (MF)-based VRS that integrates visual features extracted from a pre-trained CNN (i.e., AlexNet [8]).
OHARS'21: Second Workshop on Online Misinformation- and Harm-Aware Recommender Systems, October 2, 2021, Amsterdam, Netherlands
vitowalter.anelli@poliba.it (V. W. Anelli); tommaso.dinoia@poliba.it (T. Di Noia); eugenio.disciascio@poliba.it (E. Di Sciascio); daniele.malitesta@poliba.it (D. Malitesta); felice.merra@poliba.it (F. A. Merra)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), http://ceur-ws.org, ISSN 1613-0073

   While transferring the visual knowledge of pretrained CNNs to the recommendation task has represented a turning point in the RecSys community, few works have yet considered the collateral, negative impact of adversarial attacks against the deep/convolutional neural networks (DNNs/CNNs) used in visually-aware recommendation [9]. To date, there exists a plethora of adversarial attack strategies in the computer vision domain whose purpose is to imperceptibly perturb images and mislead the classifier. In this set, FGSM [10], PGD [11], and Carlini & Wagner [12] represent the milestones of adversarial machine learning (AML). In collaborative filtering recommendation, He et al. [13] have proposed and demonstrated the efficacy of adversarial perturbations of MF model embeddings in corrupting the model performance. Then, they designed an adversarial training method to robustify the model against the previously proposed perturbations. Their experimental flow has also been applied in [14], where the authors tested the first adversarial procedures (attacks/defenses) on a visually-aware recommendation model. Indeed, they attacked, and later defended, VBPR against adversarial perturbations applied to the visual embeddings extracted from a pretrained CNN (i.e., ResNet50 [15]). While Tang et al. [14] worked on feature-level perturbations, Di Noia et al. [16] and Anelli et al. [17] later studied and designed the first set of targeted adversarial attack methods performed directly against the input product images (and not the visual features), poisoning the training data with adversarial samples to increase the recommendation probability of low-recommended categories of products.
   More recently, Liu and Larson [18] and Cohen et al. [19] have proposed novel adversarial attack procedures that perturb product images to push/nuke an item during the inference/testing phase (i.e., evasion attacks). Both works released black-box and white-box adversarial methods where, in the first scenario, the adversary does not know the recommender model, while in the second, the attacker has complete access to the model, input, and output. However, both training-time and test-time attacks have been evaluated considering their efficacy in pushing the target/victim items into top-$K$ recommendation lists or increasing the preference scores, without taking into account the different levels of items' popularity (i.e., the number of interactions recorded on each item in the training set). Indeed, considering the influence of different levels of items' popularity on recommendation performance [20, 21, 22, 23], we found a lack of investigation on their potential effects on the efficacy of adversarial attacks.
   In this work, motivated by the previous observations, we explore the performance of VBPR [4], a pioneering VRS, under test-time attacks. In particular, we investigate both black-box and white-box settings, and we split the target items into four groups based on their popularity to understand whether there is a connection between attack efficacy and the number of feedbacks received by the target item. Our contributions may be summarized as follows:
    • we provide an extensive evaluation of three state-of-the-art adversarial attacks against visual-based recommendation in multiple settings, varying the adversary's knowledge (i.e., black- and white-box) and the adversarial capability (i.e., the maximum variation of each image pixel, that is $\epsilon \in \{4, 8, 16\}$), and evaluating their performance on four groups of target items (i.e., Low Popular, Mid-Low Popular, Mid-High Popular, and High Popular);
    • we measure and discuss the changes in the preference scores predicted by the trained VRS, in terms of both the average variation of the predicted preference scores and the fraction of times a target item has received a preference score higher than the one before the attack;
    • we investigate and compare the effectiveness in pushing the target items (again divided by popularity groups) into the top-$K$ positions of the recommendation lists generated by the model.
We conduct experiments on two datasets from the Amazon domain [24, 25] to assess the effectiveness of the tested attacks on the task of personalized visual recommendation.


2. Related Work
Recommender Systems (RSs) may rely on additional side information (e.g., images, audio, and text) to enhance the item representation and provide more tailored recommendations. Indeed, in domains such as fashion [1], food [2], and point-of-interest [3], the product images displayed on online platforms can positively drive the final users' decision. In this respect, to extend the expressive power of RSs, visually-aware recommender systems (VRSs) have recently been proposed to incorporate the visual appearance of items into recommendation [4, 5, 6, 7, 26]. Given the representational power of convolutional neural networks (CNNs) in capturing high-level image characteristics, state-of-the-art VRSs often integrate visual features extracted via a CNN, either pre-trained, e.g., [4, 6, 27, 28], or learned end-to-end, e.g., [29, 30]. When it comes to adversarially attacking VRSs, the literature recognizes two main approaches, perturbing the visual appearance of items either at the feature level (i.e., the visual embeddings extracted from the CNN) or at the image level (i.e., the item images). On the one side, among feature-level attacks, Tang et al. [14] designed and implemented a framework to robustify the model by He and McAuley [4] against visual feature perturbations by leveraging adversarial training, while Paul et al. [31] proposed an aesthetic-based VRS that is adversarially defended by adopting an iterative adversarial training procedure on the aesthetic features. On the other side, among image-level attacks, Di Noia et al. [16] and Anelli et al. [17] ran state-of-the-art adversarial attacks from computer vision to poison the dataset with adversarial product images, altering the training of the model in order to push the target items towards higher recommendation positions. In addition, Liu and Larson [18] and Cohen et al. [19] perturbed the item images at test time, in the realistic scenario where an adversary can upload an altered version of a product picture after the model has been trained. In this work, we only consider image-level attacks, since uploading an adversarial version of a product image to a platform (e.g., eBay, Amazon, or Instagram) is more realistic than having access to the model in order to modify the visual features used in the training/prediction phases. Furthermore, we focus our investigation on test-time/evasion attacks, assuming that, for an adversary, it is easier and more efficient to change the product image on a platform to directly increase its predicted preference score and push it into high top-$K$ recommendation positions. In particular, considering the effects of items' popularity on recommendation quality [32, 23, 33], this work explores whether test-time attacks might have different efficacy depending on the items' popularity.


3. Methodology
In this section, we first describe some useful notations, and then briefly review and present the
formalization of the three adversarial attack strategies tested in the current work.



3.1. Preliminaries and Notations
Recommendation Task. Let $\mathcal{U}$, $\mathcal{I}$, and $\mathcal{S}$ be the sets of users, items, and score-based preference feedback, where $|\mathcal{U}|$, $|\mathcal{I}|$, and $|\mathcal{S}|$ are the set sizes, respectively. Then, let $s_{ui} \in \mathcal{S}$ be the preference of a user $u \in \mathcal{U}$ on the item $i \in \mathcal{I}$, assuming that $s_{ui} = 1$ when user $u$ has previously interacted with item $i$ (e.g., reviewed, purchased, or clicked on the product). We define the recommendation task as the problem of producing a list of items that maximizes, for each user, a utility function. Moreover, $\hat{s}_{ui}$ refers to the preference score predicted by the RS trained on the set of user-item preference feedback. A popular class of methods to learn unseen users' preferences is based on matrix factorization (MF) [34] techniques. The training of an MF-based recommender aims to learn an approximation of the high-dimensional $|\mathcal{U}| \times |\mathcal{I}|$ matrix of user-item preferences as the product of two low-rank matrices of latent factors, $\mathbf{P} \in \mathbb{R}^{|\mathcal{U}| \times h}$ and $\mathbf{Q} \in \mathbb{R}^{|\mathcal{I}| \times h}$, with $h \ll |\mathcal{U}|, |\mathcal{I}|$. Each row $p_u$ of $\mathbf{P}$ is the latent vector of user $u$, while each row $q_i$ of $\mathbf{Q}$ is the latent vector of item $i$.
Visual Feature Extraction in VRSs. When it comes to visual recommendation, a common approach is to extract high-level visual features from (pretrained) CNNs (e.g., [4, 6, 28, 29]). We indicate with $x_i$ the image/photo associated with the item $i \in \mathcal{I}$. While popular VRSs leverage either visual features extracted from pretrained CNNs or end-to-end trained approaches, we focus on the former class of visual recommenders, leaving the exploration of the latter as a future research direction. In this setting, given a set of data samples $(x_i, y_i)$, where $x_i$ is the image associated with the item $i \in \mathcal{I}$ and $y_i$ is the one-hot encoded representation of the image category of $x_i$, we indicate with $F$ the DNN/CNN classifier pre-trained on all $(x_i, y_i)$. The network is trained such that the predicted probability vector over classes for an image, $F(x_i) = \hat{y}_i$, is as close as possible to the one-hot encoded vector of the ground-truth class $y_i$. Since the DNN is composed of $L$ layers, we indicate with $F^{(l)}(x_i)$, $0 \le l \le L-1$, the output of the $l$-th layer of $F$ given the input $x_i$. The actual extraction takes place at one of the last layers of the network, i.e., $F^{(e)}(x_i)$, where $e$ refers to the extraction layer. In general, we define this layer output $F^{(e)}(x_i) = \varphi_i$ as a mono-dimensional vector that will be the input to the VRS.
A Popular Visual Recommender: VBPR. To investigate the effects of items' popularity when affected by adversarial attacks, we consider the most popular baseline in the visually-aware recommendation task: Visual Bayesian Personalized Ranking from Implicit Feedback (VBPR) [4]. The model improves the MF preference predictor by adding a visual contribution to the traditional collaborative one. Given a user $u$ and a non-interacted item $i$, the predicted preference score is
$$\hat{s}_{ui} = p_u^T q_i + \theta_u^T \theta_i + \beta_{ui},$$
where $\theta_u$ and $\theta_i$ are rows of $\Theta_{\mathcal{U}} \in \mathbb{R}^{|\mathcal{U}| \times v}$ and $\Theta_{\mathcal{I}} \in \mathbb{R}^{|\mathcal{I}| \times v}$, i.e., the visual latent vectors of user $u$ and item $i$, respectively ($v \ll |\mathcal{U}|, |\mathcal{I}|$). The visual latent vector of item $i$ is obtained as $\theta_i = \mathbf{E}\varphi_i$, where $\varphi_i$ is the visual feature of the image of item $i$ extracted from a pretrained convolutional neural network (i.e., AlexNet [8] as in the original work), while $\mathbf{E}$ is a matrix projecting the visual feature into the same space as $\theta_u$. Furthermore, $\beta_{ui}$ stands for the sum of the overall offset and the user, item, and global visual biases.
The Failure Point of a Visual Recommender: the Visual Features. All the state-of-the-art adversarial strategies [35, 19, 18, 17] alter the recommendation output ($\hat{s}^*_{ui}$) by perturbing the products' images so that the newly extracted visual feature $\varphi^*_i$ leads to $\hat{s}^*_{ui} \neq \hat{s}_{ui}$. Then, $\hat{s}^*_{ui} > \hat{s}_{ui}$ when the adversary wants to push/increase the score predicted on the target item $i$ for the user $u$, while $\hat{s}^*_{ui} < \hat{s}_{ui}$ holds in nuking scenarios. To craft the adversarially perturbed version of $\varphi_i$, the adversary can either have complete knowledge of the recommender model (i.e., parameters, output, and training data) or be completely unaware of this information. In the former case, the adversary is generally recognized to work in white-box settings, while in the latter case she works in black-box ones.
Adversarial Perturbation on Images. We define an adversarial attack as the problem of finding the best value for a perturbation $\delta_i$ such that the attacked image $x_i^* = x_i + \delta_i$ is visually similar to $x_i$ according to a certain distance metric, e.g., $L_p$ norms, and $x_i^*$ stays within its original value range, i.e., $[0, 1]$ for 8-bit RGB images re-scaled by a factor of 255. Here, the intuition is that the visual feature extracted from the network will change ($\varphi_i^* = F^{(e)}(x_i^*) \neq \varphi_i = F^{(e)}(x_i)$), steering the original behavior of the recommender towards the malicious goal. Independently of the adversary's knowledge of the VRS, all the adversarial attack strategies defined in the literature and explored in this work learn the adversarial perturbation $\delta_i$ of a product image $x_i$ by backpropagating error information through $F(\cdot)$. Below, we define the three strategies used to compute $\delta_i$: TAaMR, WB-SIGN, and INSA. Note that the pixel values of $x_i^*$ are clipped to the valid range (i.e., $[0, 255]$ on the 8-bit scale, or $[0, 1]$ after re-scaling) at the end of the attack, so that the final perturbation never leaves the image domain.

3.2. Black-Box: Targeted Adversarial Attack against Multimedia Recommenders (TAaMR)
The first adversarial attack strategy tested in this work is a test-time extension of the Targeted Adversarial Attack against Multimedia Recommenders (TAaMR) proposed in [16]. The strategy, originally proposed for poisoning the training set with altered item images, adversarially perturbs the image such that the pretrained CNN used to extract the visual feature misclassifies the original image towards a different (target) class. In particular, we use the Fast Gradient Sign Method (FGSM) [10], a baseline strategy in computer vision that generates an adversarial version of the attacked image in only one step. Given a clean input image $x_i$, a target class $p$, a CNN $F(\cdot)$ with parameters $\theta$, and a perturbation coefficient $\epsilon$, the targeted adversarial image $x_i^*$ is:
$$x_i^* \leftarrow x_i - \epsilon \cdot \mathrm{sign}\big(\nabla_{x_i} \mathcal{L}_F(\theta, x_i, p)\big) \qquad (1)$$
where $\nabla_{x_i} \mathcal{L}_F(\theta, x_i, p)$ is the gradient, with respect to the input image, of the loss of $F(\cdot)$ computed against the target class $p$, and $\mathrm{sign}(\cdot)$ is the sign function. Note that the attack is black-box with respect to the recommender: it requires access to the pretrained feature extractor $F$, but not to the parameters of the VRS.
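As an added worked example (not code from the paper or from the Elliot framework), the following pure-Python snippet implements the one-step targeted FGSM update of Eq. (1) against a toy differentiable classifier standing in for the pretrained CNN $F$: a 3-class softmax-linear model over 4 pixels with hand-chosen weights, an assumption made so that each step can be followed by hand. It computes the input gradient of the cross-entropy loss towards the target class $p$, applies the sign step with the paper's budgets $\epsilon \in \{4, 8, 16\}$ on the 0-255 scale, clips to the valid range, and reports how the target-class probability moves; it also shows the (far from imperceptible) budget at which the toy model actually flips its prediction.

```python
"""Targeted FGSM (the one-step perturbation of Eq. 1) on a toy differentiable
classifier; pure Python. Images are flat pixel vectors with values in [0, 1]."""
import math


def logits(W, b, x):
    """z = W x + b for a linear classifier (C classes x D pixels)."""
    return [sum(w * v for w, v in zip(row, x)) + bi for row, bi in zip(W, b)]


def softmax(z):
    m = max(z)                              # shift for numerical stability
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict(W, b, x):
    p = softmax(logits(W, b, x))
    return max(range(len(p)), key=p.__getitem__)


def target_probability(W, b, x, target):
    return softmax(logits(W, b, x))[target]


def grad_ce_wrt_input(W, b, x, target):
    """Gradient of the cross-entropy loss L(theta, x, target) w.r.t. the input x.
    For z = W x + b,  dL/dx = W^T (softmax(z) - onehot(target))."""
    p = softmax(logits(W, b, x))
    err = [pc - (1.0 if c == target else 0.0) for c, pc in enumerate(p)]
    return [sum(W[c][j] * err[c] for c in range(len(W))) for j in range(len(x))]


def targeted_fgsm(W, b, x, target, eps):
    """x* = clip(x - eps * sign(grad_x L(theta, x, target))): one step towards
    the target class; every pixel moves by at most eps (L_inf budget) and the
    result is clipped back to the valid [0, 1] image range."""
    g = grad_ce_wrt_input(W, b, x, target)
    sign = lambda v: (v > 0) - (v < 0)     # sign(0) = 0: untouched pixel
    return [min(1.0, max(0.0, xi - eps * sign(gi))) for xi, gi in zip(x, g)]


def demo_classifier():
    """Constructed toy (assumption): 3 classes over 4 pixels, where class c
    reacts to pixel c only and pixel 3 is ignored by every class."""
    W = [[2.0, 0.0, 0.0, 0.0],
         [0.0, 2.0, 0.0, 0.0],
         [0.0, 0.0, 2.0, 0.0]]
    b = [0.0, 0.0, 0.0]
    x = [0.9, 0.1, 0.1, 0.5]                # clean image, confidently class 0
    return W, b, x


if __name__ == "__main__":
    W, b, x = demo_classifier()
    target = 2
    print("clean  : class %d, P(target) = %.4f"
          % (predict(W, b, x), target_probability(W, b, x, target)))
    for eps_px in (4, 8, 16):               # the paper's budgets, 0-255 scale
        x_adv = targeted_fgsm(W, b, x, target, eps_px / 255)
        print("eps=%2d : class %d, P(target) = %.4f"
              % (eps_px, predict(W, b, x_adv), target_probability(W, b, x_adv, target)))
    x_big = targeted_fgsm(W, b, x, target, 0.45)   # budget needed to flip the toy
    print("eps=0.45: class %d (visible perturbation)" % predict(W, b, x_big))
```

Under the paper's budgets the target-class probability rises monotonically with $\epsilon$ while the predicted class is unchanged and the ignored pixel stays exactly as it was; the toy only flips at $\epsilon \approx 0.45$ (over 100 on the 8-bit scale), which illustrates why a one-step, small-budget misclassification attack need not move a downstream recommender much.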

3.3. White-Box: Sign Method (WB-SIGN)
The second adversarial strategy is the Sign-based White-Box Attack (WB-SIGN), which manipulates the product image by computing the partial derivatives of the preference score function with respect to the item image $x_i$ used to predict the user-item preference scores, and updates the pixels in the direction that increases them. Formally, we define the function summing the preference scores predicted for item $i$ over all users as
$$\hat{s}_i(x_i) = \sum_{u \in \mathcal{U}} \hat{s}_{ui}(x_i) = \sum_{u \in \mathcal{U}} \big(p_u^T q_i + \theta_u^T \mathbf{E} F^{(e)}(x_i) + \beta_{ui}\big), \quad \text{then} \quad x_i^* \leftarrow x_i + \epsilon \cdot \mathrm{sign}\Big(\frac{\partial \hat{s}_i(x_i)}{\partial x_i}\Big) \qquad (2)$$
Since only the visual term depends on $x_i$, the gradient is backpropagated through $\mathbf{E}$ and the CNN $F$, and each pixel moves by at most $\epsilon$ (an $L_\infty$-bounded perturbation).
3.4. White-Box: Insider Attack (INSA)
The last experimented attack is the Insider Attack (INSA) method proposed by Liu and Larson [18]. Similarly to WB-SIGN, this method assumes that the adversary has full knowledge of, and access to, the parameters of the trained model, and uses them to modify the pixels of the product image so as to increase the preference scores inferred by the recommender for each target item. To this end, INSA is defined as follows:
$$x_i^* \leftarrow x_i + \delta_i \quad \text{such that} \quad \|\delta_i\| \le \epsilon, \quad \text{where} \quad \delta_i = \frac{\partial \hat{s}_i(x_i)}{\partial x_i} \qquad (3)$$
Note that, similarly to WB-SIGN, INSA builds a perturbation that seeks to maximize the sum of the users' scores predicted for each attacked item. However, differently from WB-SIGN, INSA's perturbation is the raw gradient back-propagated through the recommender and the CNN, bounded in norm by $\epsilon$, and not an $\epsilon$-bounded sign-dependent perturbation.


4. Experiments
This section is devoted to presenting the setting we followed to run the experiments, and then
discuss the obtained results.

4.1. Experimental Setup
Datasets. We perform the experiments on two recommendation datasets from Amazon.com containing customers' feedback and items' images, namely Amazon Boys & Girls and Amazon Men, both including images from the fashion domain. Since the released repository [24, 25] does not include the images themselves, the item set depends on the images still available on the e-commerce platform at the time of download. We remove items/users with fewer than 5 interactions [5, 4]. After filtering, Amazon Boys & Girls has 1425 users, 5019 items, and 9213 feedback records, while Amazon Men has 16278 users, 31750 items, and 113106 feedback records.
Evaluation Metrics. We evaluate the tested attacks according to the ability of the adversary to compromise the integrity of the recommendations, i.e., their efficacy in increasing the preference score predicted by the visual recommender and in pushing the target items into the top-$K$ of each user's recommendation list. To measure the variation of the preference score, we define the Prediction Shift (PS) as follows:
$$\mathrm{PS} = \frac{1}{|\mathcal{T}|} \sum_{t \in \mathcal{T}} \big(\hat{s}^*_{ut} - \hat{s}_{ut}\big) \qquad (4)$$
where $\mathcal{T}$ is the set of target items whose images have been adversarially perturbed, and $\hat{s}^*_{ut}$ and $\hat{s}_{ut}$ are the scores predicted for user $u$ on target item $t$ after and before the attack. Additionally, to track the occurrences of an increase in the preference score, we measure the fraction of items for which a preference score improvement has been observed. We name this metric Improvement Fraction (IF) and formally define it as
$$\mathrm{IF} = \frac{1}{|\mathcal{T}|} \sum_{t \in \mathcal{T}} \mathbb{1}\big[\hat{s}^*_{ut} > \hat{s}_{ut}\big] \qquad (5)$$
where $\mathbb{1}[\cdot]$ is the indicator function; IF < 0.5 means that the target items have worsened their preference score more often than they have improved it. While the previous metrics concern preference score predictions, similarly to [18, 17] we also evaluate a ranking-wise metric that measures the average number of times a target item hits the top-$K$ recommendation lists. This metric, named Hit Ratio (HR@K), is defined as
$$\mathrm{HR@}K = \frac{1}{|\mathcal{T}|} \sum_{t \in \mathcal{T}} \frac{1}{|\mathcal{U}|} \sum_{u \in \mathcal{U}} \mathrm{hit@}K(t, u) \qquad (6)$$
where $\mathrm{hit@}K(t, u)$ is 1 when the target item $t$ is in the top-$K$ list of user $u$, and 0 otherwise.
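As an added example serving both the white-box attack definitions (Eqs. 2 and 3) and the metrics just defined (Eqs. 4-6), not code from the paper or from Elliot, the following pure-Python script builds a toy VBPR-style scorer, applies WB-SIGN and INSA to the images of a sample of target items, and evaluates PS, IF and HR@K before and after the attack. Three simplifications are assumptions made for the toy: the CNN extraction layer $F^{(e)}$ is replaced by a fixed random linear map so that $\partial \hat{s}_i / \partial x_i$ has a closed form (a real attack backpropagates through the CNN); users share a dominant visual taste, mimicking the correlated visual factors a trained VBPR learns; and INSA's norm constraint $\|\delta_i\| \le \epsilon$ is enforced by rescaling the gradient.

```python
"""Toy white-box test-time attacks (WB-SIGN, INSA) against a VBPR-style scorer,
evaluated with Prediction Shift, Improvement Fraction and HR@K. Pure Python."""
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def matvec(M, v):
    return [dot(row, v) for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def clip01(x):
    """Keep the attacked image inside the valid (re-scaled) pixel range."""
    return [min(1.0, max(0.0, v)) for v in x]


class ToyVBPR:
    """s_ui(x_i) = p_u.q_i + theta_u.(E phi_i) + beta_i with phi_i = W x_i.
    ASSUMPTION: W is a fixed random linear stand-in for the CNN layer F^(e)."""

    def __init__(self, n_users, n_items, pixels, h=4, v=3, feat=5, seed=7):
        rng = random.Random(seed)
        rnd = lambda: rng.uniform(-0.5, 0.5)
        self.P = [[rnd() for _ in range(h)] for _ in range(n_users)]
        self.Q = [[rnd() for _ in range(h)] for _ in range(n_items)]
        taste = [rnd() for _ in range(v)]        # shared visual taste (assumption)
        self.Theta = [[t * rng.uniform(0.8, 1.2) + 0.1 * rnd() for t in taste]
                      for _ in range(n_users)]
        self.E = [[rnd() for _ in range(feat)] for _ in range(v)]        # v x feat
        self.W = [[rnd() for _ in range(pixels)] for _ in range(feat)]   # feat x pixels
        self.beta = [rnd() for _ in range(n_items)]

    def score(self, u, i, x):
        theta_i = matvec(self.E, matvec(self.W, x))   # theta_i = E F^(e)(x_i)
        return dot(self.P[u], self.Q[i]) + dot(self.Theta[u], theta_i) + self.beta[i]

    def grad_sum_scores(self, x):
        """d/dx sum_u s_ui(x) = W^T E^T sum_u theta_u (only the visual term depends on x)."""
        theta_sum = [sum(col) for col in zip(*self.Theta)]
        return matvec(transpose(self.W), matvec(transpose(self.E), theta_sum))


def wb_sign(model, x, eps):
    """WB-SIGN (Eq. 2): one L_inf step of size eps along the sign of the gradient."""
    g = model.grad_sum_scores(x)
    sgn = lambda v: (v > 0) - (v < 0)
    return clip01([xi + eps * sgn(gi) for xi, gi in zip(x, g)])


def insa(model, x, eps):
    """INSA (Eq. 3): add the raw gradient, rescaled if its L2 norm exceeds eps (assumption)."""
    g = model.grad_sum_scores(x)
    norm = dot(g, g) ** 0.5
    scale = min(1.0, eps / norm) if norm > 0 else 0.0
    return clip01([xi + scale * gi for xi, gi in zip(x, g)])


def prediction_shift(model, images, adv, targets):        # Eq. 4, averaged over users too
    n_u = len(model.P)
    return sum(model.score(u, t, adv[t]) - model.score(u, t, images[t])
               for t in targets for u in range(n_u)) / (len(targets) * n_u)


def improvement_fraction(model, images, adv, targets):    # Eq. 5, averaged over users too
    n_u = len(model.P)
    return sum(model.score(u, t, adv[t]) > model.score(u, t, images[t])
               for t in targets for u in range(n_u)) / (len(targets) * n_u)


def hit_ratio(model, images, targets, k):                  # Eq. 6
    n_u, n_i = len(model.P), len(model.Q)
    hits = 0
    for u in range(n_u):
        ranked = sorted(range(n_i), key=lambda i: -model.score(u, i, images[i]))
        topk = set(ranked[:k])
        hits += sum(t in topk for t in targets)
    return hits / (len(targets) * n_u)


def run_demo(eps_pixels=8, k=5, seed=7):
    """Attack a random sample of target items; eps is given on the 0-255 scale."""
    rng = random.Random(seed)
    n_users, n_items, pixels = 25, 40, 16
    model = ToyVBPR(n_users, n_items, pixels, seed=seed)
    images = [[rng.uniform(0.1, 0.9) for _ in range(pixels)] for _ in range(n_items)]
    targets = rng.sample(range(n_items), 8)                # constructed catalog and targets
    eps = eps_pixels / 255.0
    results = {"No attack": {"HR@K": hit_ratio(model, images, targets, k)}}
    for name, attack in (("WB-SIGN", wb_sign), ("INSA", insa)):
        adv = list(images)
        for t in targets:
            adv[t] = attack(model, images[t], eps)
        results[name] = {"PS": prediction_shift(model, images, adv, targets),
                         "IF": improvement_fraction(model, images, adv, targets),
                         "HR@K": hit_ratio(model, adv, targets, k)}
    return results


if __name__ == "__main__":
    for eps_px in (4, 8, 16):
        print("eps =", eps_px, run_demo(eps_px))
```

Because the toy score is linear in the image, WB-SIGN always raises the user-averaged score (PS > 0) by exactly $\epsilon \|\partial \hat{s}_i/\partial x_i\|_1 / |\mathcal{U}|$, while IF depends on how many individual users' visual vectors agree with the summed gradient direction, which is where the shared-taste assumption matters; HR@K additionally depends on the untouched scores of the other catalog items, so it can move less than PS suggests.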
Reproducibility. We randomly initialize the model parameters with a Gaussian distribution with mean 0 and standard deviation 0.01, and set the latent factor dimension to 128 as in [27]. We explore via grid search the learning rate in {0.0001, 0.001, 0.01} and the regularizers in {0.00001, 0.001}, whereas we fix the batch size to 256. We adopt early stopping to avoid overfitting and choose the best model configuration for each algorithm according to Recall@100, as in [27]. After having identified the best VBPR configuration on each dataset, we randomly sample 200 items from the catalog ($|\mathcal{T}| = 200$). We attack the image of each target item and measure the corresponding adversarial score ($\hat{s}^*_{ui}$) for each user. To study the effects of popularity on the attack efficacy, we split the target items into four groups based on the feedback recorded in the training set (i.e., Low Popular (LP), Mid-Low Popular (MLP), Mid-High Popular (MHP), and High Popular (HP)). For each attack, we vary the perturbation budget $\epsilon \in \{4, 8, 16\}$. For the black-box strategy (TAaMR), we select as target class the most popular one ("running shoes") for both datasets. All code, datasets, and configuration files needed to run and evaluate the experiments are publicly available in the Elliot¹ reproducibility framework [17, 36].

4.2. Results and Discussion
In this section, we investigate the following research questions:

RQ1: What is the effect of items' popularity on the efficacy of test-time adversarial attacks with respect to increasing the inferred preference scores? Is the behavior observed with a smaller perturbation budget ($\epsilon = 4$) consistent with higher perturbation budgets ($\epsilon \in \{8, 16\}$)?

RQ2: While studying the adversary’s ability in pushing the target item into the top-𝐾 rec-
     ommendation list, what is the effect of items’ popularity? How much has 𝜖 influenced
     ranking-wise performance?

4.3. Analysis of Attack Performance on Increasing Preference Scores (RQ1)
This paragraph analyses the Improvement Fraction (IF) and the Prediction Shift (PS) of the
tested adversarial attacks against the Amazon Boys & Girls and Amazon Men datasets. Ta-
ble 1 reports the measured performance on the four target items groups as defined in Section 4.1.

¹ https://github.com/sisinflab/elliot
Table 1
Average Improvement Fraction (IF) and Prediction Shift (PS) for all popularity groups (LP, MLP, MHP, HP) and perturbation budgets ε. The Elliot configuration file used for each dataset is reported.

Amazon Boys & Girls [Elliot configuration file: ws_attack_best_amazon_boys_girls.yml]
Attack    ε   IF (LP)   IF (MLP)  IF (MHP)  IF (HP)   PS (LP)   PS (MLP)  PS (MHP)  PS (HP)
TAaMR     4   0.44463   0.43154   0.41907   0.42219   -0.22579  -0.27033  -0.33856  -0.39528
TAaMR     8   0.46338   0.44035   0.43328   0.42793   -0.14574  -0.24304  -0.30813  -0.36147
TAaMR    16   0.49444   0.45799   0.47867   0.45004   -0.01750  -0.21294  -0.16771  -0.31063
WB-SIGN   4   0.90726   0.91332   0.90087   0.88025    2.02115   1.95690   1.93221   1.80204
WB-SIGN   8   0.82153   0.82710   0.82013   0.78950    1.67599   1.61977   1.58222   1.44028
WB-SIGN  16   0.70281   0.70766   0.71564   0.67601    1.15195   1.12273   1.11164   0.95283
INSA      4   0.98828   0.99128   0.98848   0.98801    0.89236   0.89898   0.80334   0.81315
INSA      8   0.98831   0.99130   0.98841   0.98801    0.89228   0.89857   0.80303   0.81310
INSA     16   0.98831   0.99130   0.98841   0.98801    0.89228   0.89844   0.80303   0.81310

Amazon Men [Elliot configuration file: ws_attack_best_amazon_men.yml]
Attack    ε   IF (LP)   IF (MLP)  IF (MHP)  IF (HP)   PS (LP)   PS (MLP)  PS (MHP)  PS (HP)
TAaMR     4   0.49325   0.49828   0.49779   0.42723   -0.03048  -0.04103  -0.00803  -0.40287
TAaMR     8   0.45327   0.45121   0.46360   0.38513   -0.34333  -0.28482  -0.21996  -0.72266
TAaMR    16   0.37303   0.38719   0.37847   0.33111   -1.03492  -0.85267  -0.88104  -1.32383
WB-SIGN   4   0.88149   0.85164   0.85136   0.82823    2.19162   2.02704   1.96209   1.91346
WB-SIGN   8   0.74791   0.72156   0.72428   0.68396    1.45054   1.37203   1.35763   1.17692
WB-SIGN  16   0.54332   0.55128   0.53101   0.50308    0.18964   0.31076   0.19959   0.06569
INSA      4   0.94537   0.91230   0.90757   0.90606    2.29845   2.09213   1.96360   2.05216
INSA      8   0.93399   0.89413   0.89756   0.88974    2.21695   2.00421   1.91811   1.99631
INSA     16   0.91968   0.87861   0.88227   0.87088    2.11271   1.91207   1.83971   1.91991



   Before moving to the investigation of the effects of items' popularity on attack efficacy, it is interesting to observe that the black-box strategy (TAaMR) is mostly ineffective in increasing the scores of the target items on both datasets. For instance, even its best PS values are still negative on both datasets (i.e., -0.01750 on Amazon Boys & Girls with $\epsilon = 16$, and -0.00803 on Amazon Men with $\epsilon = 4$), and IF is lower than 0.5 in all settings. We may explain the low efficacy of this attack strategy by noting that, differently from the TAaMR proposal paper [37], we do not use the targeted adversarial strategy to poison the training procedure, but apply it at test time, when the model has already learned the users' preferences. However, we may derive two additional insights. The first is that the effect of $\epsilon$ is dataset-dependent: on Amazon Boys & Girls, increasing $\epsilon$ makes the attack slightly more effective, with IF getting closer to 0.5, whereas on Amazon Men larger budgets make it worse (Table 1). The second is that the TAaMR results are more favorable on low popular target items than on the most popular ones. For instance, IF on LP items is higher than on HP ones in all attack settings (e.g., 0.49444 > 0.45004 on Amazon Boys & Girls and 0.37303 > 0.33111 on Amazon Men with $\epsilon = 16$).
   After having discussed the black-box attack, we move the analysis to the white-box ones. Starting from WB-SIGN, it can be noticed that the adversarial strategy is more effective against low popular items than against high popular ones. For instance, PS with $\epsilon = 4$ is 2.02115 on LP and 1.80204 on HP in Amazon Boys & Girls, while it is 2.19162 and 1.91346, respectively, on Amazon Men. The same trends are confirmed for INSA, the second white-box attack, on both datasets, where, for example, 0.94537 > 0.91230 > 0.90757 > 0.90606 for the IF measured on Amazon Men



Table 2
HR@50 measured before the attack (No Attacks) and after each attack on all popularity groups. For each attacked value, the percentage variation with respect to the non-attacked version is reported in parentheses; as the reported values show, the variation is computed relative to the attacked HR@50 (i.e., (attacked − non-attacked) / attacked), which is why decreases can exceed -100%.

Amazon Boys & Girls
Attack      ε   LP                   MLP                  MHP                  HP
No Attacks      0.00669              0.01260              0.00762              0.01423
TAaMR       4   0.00392 (-70.97%)    0.00632 (-99.56%)    0.00519 (-46.76%)    0.00668 (-113.03%)
TAaMR       8   0.00401 (-66.78%)    0.00627 (-100.89%)   0.00459 (-66.06%)    0.00622 (-128.89%)
TAaMR      16   0.00536 (-24.87%)    0.00658 (-91.47%)    0.00504 (-51.25%)    0.00589 (-141.43%)
WB-SIGN     4   0.02429 (+72.44%)    0.04340 (+70.96%)    0.03168 (+75.94%)    0.04173 (+65.89%)
WB-SIGN     8   0.01644 (+59.27%)    0.03148 (+59.96%)    0.02392 (+68.13%)    0.02960 (+51.92%)
WB-SIGN    16   0.01241 (+46.04%)    0.02046 (+38.41%)    0.01697 (+55.09%)    0.02008 (+29.14%)
INSA        4   0.01321 (+49.31%)    0.02118 (+40.49%)    0.01533 (+50.27%)    0.02580 (+44.83%)
INSA        8   0.01321 (+49.31%)    0.02118 (+40.49%)    0.01533 (+50.27%)    0.02580 (+44.83%)
INSA       16   0.01321 (+49.31%)    0.02118 (+40.49%)    0.01533 (+50.27%)    0.02580 (+44.83%)

Amazon Men
Attack      ε   LP                   MLP                  MHP                  HP
No Attacks      0.00044              0.00109              0.00091              0.00297
TAaMR       4   0.00089 (+50.28%)    0.00075 (-45.42%)    0.00105 (+13.64%)    0.00210 (-41.68%)
TAaMR       8   0.00092 (+51.99%)    0.00103 (-5.83%)     0.00152 (+40.29%)    0.00224 (-32.51%)
TAaMR      16   0.00082 (+46.04%)    0.00097 (-13.23%)    0.00162 (+43.82%)    0.00228 (-30.09%)
WB-SIGN     4   0.00299 (+85.19%)    0.00326 (+66.50%)    0.00527 (+82.74%)    0.01146 (+74.10%)
WB-SIGN     8   0.00215 (+79.36%)    0.00279 (+60.76%)    0.00441 (+79.35%)    0.00741 (+59.92%)
WB-SIGN    16   0.00143 (+69.04%)    0.00179 (+39.04%)    0.00290 (+68.63%)    0.00440 (+32.47%)
INSA        4   0.00285 (+84.45%)    0.00333 (+67.19%)    0.00478 (+80.97%)    0.01209 (+75.44%)
INSA        8   0.00287 (+84.57%)    0.00347 (+68.46%)    0.00507 (+82.05%)    0.01206 (+75.38%)
INSA       16   0.00281 (+84.22%)    0.00335 (+67.32%)    0.00470 (+80.63%)    0.01195 (+75.15%)

with 𝜖 = 4. The same trends on both WB-attacks and datasets are observed when varying 𝜖.
    These empirical observations confirm that items’ popularity has influenced the efficacy of
adversarial attack strategies, where the least popular target items are subject to an increment of
the preference scores much bigger than those calculated on the most popular ones. In addition, the
tendency mentioned above is consistent when varying the perturbation budget from small values
(i.e., 4) to larger ones (i.e., a maximum value of 16).

4.4. Analysis of Attack Performance on Top-K Recommendation Lists (RQ2)
Table 2 reports the HR@50 values measured on top-50 recommendation lists before and after
the execution of adversarial attacks. This paragraph verifies whether the higher attack efficacy
on low-popularity items, measured in terms of preference scores, also holds when analyzing
the top-𝐾 recommendation lists. Differently from the previous analysis, we should point out
that the most popular items may have HR@50 values (before the attack) higher than those of
low-popularity items because of the well-known popularity bias issue [20, 21, 22, 23]. Indeed,
the HR@50 of HP items is more than twice that of LP items (i.e., 0.01423 > 0.0069) in Amazon
Boys & Girls, and more than six times higher in Amazon Men (i.e., 0.00297 > 0.00044). For this
reason, we report the HR@50 variation after the attack in Table 2.
   Analyzing the variations measured under black-box attack settings, it can be noted that,
consistently with the findings of Section 4.3, low-popularity target items have been more
affected by attacks than the most popular ones. Indeed, although the variation of HR@50
measured on LP items in Amazon Boys & Girls is negative (i.e., -70.97%), the one measured on
HP is even more negative (i.e., -113.03%). The same trend is also confirmed on the Amazon
Men dataset independently of the perturbation budget. Extending the analysis to the white-
box adversarial strategies, and considering that PS is always greater than 1 and IF is greater
than 0.5, we expect the percentage variations measured on LP and MLP items to be higher
than those on MHP and HP. Results in Table 2 confirm that both WB-SIGN and INSA are
more effective on LP items. For instance, HR@50 increases by +85.19% on LP and +74.10%
on HP when WB-SIGN with 𝜖 = 4 is performed on Amazon Men.
   Results on the top-𝐾 recommendation performance additionally confirm that items’ popu-
larity affects the efficacy of attacks: the least popular target items are easier to push into
higher positions than the ones already in high positions.
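As an added illustration of the evaluation protocol behind Table 2 (and of the grouping procedure summarized in the conclusion), the following Python example, which is not part of the paper or its code, computes HR@K per popularity group before and after an attack and the percentage variation with respect to the not attacked value. It assumes an equal-size split of the target items into the four groups and uses constructed ranks rather than the paper's data.

```python
from statistics import mean

K = 3  # top-K cut-off; the paper uses K = 50, a small K keeps the constructed data readable
GROUPS = ("LP", "MLP", "MHP", "HP")  # least to most popular, as in Table 2

# Constructed sample (not the paper's data): training-set rating count of each target item.
POPULARITY = {"i1": 2, "i2": 3, "i3": 5, "i4": 9, "i5": 14, "i6": 20, "i7": 41, "i8": 97}

# Constructed sample: rank (1 = top) of each target item in the lists of four users,
# before the attack and after perturbing that item's image (one attack per target).
RANK_BEFORE = {"i1": (9, 7, 12, 8), "i2": (3, 6, 5, 9), "i3": (11, 8, 9, 14), "i4": (3, 7, 8, 6),
               "i5": (5, 4, 3, 6), "i6": (4, 2, 5, 1), "i7": (2, 4, 1, 3), "i8": (1, 1, 2, 2)}
RANK_AFTER = {"i1": (1, 2, 2, 5), "i2": (1, 3, 2, 4), "i3": (3, 3, 4, 5), "i4": (1, 2, 4, 4),
              "i5": (3, 2, 2, 4), "i6": (2, 1, 3, 1), "i7": (1, 2, 1, 3), "i8": (1, 1, 1, 2)}


def popularity_groups(popularity, n_groups=4):
    """Split targets into equal-size groups by ascending rating count (assumed split rule;
    any remainder beyond a multiple of n_groups is left out)."""
    ordered = sorted(popularity, key=popularity.get)
    size = len(ordered) // n_groups
    return {GROUPS[g]: ordered[g * size:(g + 1) * size] for g in range(n_groups)}


def hit_ratio(ranks, k):
    """HR@k of one target item: share of users whose top-k list contains it."""
    return sum(1 for r in ranks if r <= k) / len(ranks)


def variation(before, after):
    """Percentage variation w.r.t. the not-attacked value; None when undefined (before == 0)."""
    return None if before == 0 else (after - before) / before * 100


def evaluate(rank_before, rank_after, popularity, k=K):
    """Per group: mean HR@k before the attack, after it, and the percentage variation."""
    report = {}
    for name, items in popularity_groups(popularity).items():
        hr_before = mean(hit_ratio(rank_before[i], k) for i in items)
        hr_after = mean(hit_ratio(rank_after[i], k) for i in items)
        report[name] = (hr_before, hr_after, variation(hr_before, hr_after))
    return report


if __name__ == "__main__":
    for name, (b, a, v) in evaluate(RANK_BEFORE, RANK_AFTER, POPULARITY).items():
        change = "n/a" if v is None else f"{v:+.2f}%"
        print(f"{name:>3}: HR@{K} {b:.3f} -> {a:.3f} ({change})")
```

On the constructed ranks the variation decreases monotonically from LP to HP, the same ordering the paper reports for its white-box attacks.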


5. Conclusion
We examined whether test-time adversarial attacks against VRSs have a distinct impact on items
depending on their popularity. To this end, we tested one black-box (i.e., TAaMR) and two
state-of-the-art white-box (i.e., WB-SIGN and INSA) single-step adversarial attacks, varying the
perturbation budget over three levels (i.e., 𝜖 ∈ {4, 8, 16}), to alter the recommendations generated
by VBPR, a baseline model for visual recommendation. After training VBPR on two datasets (i.e.,
Amazon Boys & Girls and Amazon Men), we randomly extracted 200 target items from each catalog.
Then, we divided them into four groups based on the number of ratings registered in the train-
ing set and performed two analyses: one on the preference score and the other on the effects on
top-𝐾 lists. From the former, we found that items’ popularity influences the attacks’ efficacy:
attacks are much more effective at incrementing the preference scores of the least popular items
than those of highly popular ones, consistently across values of 𝜖. From the latter, we verified
that this trend is also confirmed on top-𝐾 recommendation lists, with the least popular target
items receiving the largest push in ranking position. These results open exciting challenges
for developing adversarial defense strategies, as the least popular items can be highly sub-
ject to adversarial attacks. As future work, we propose extending the study to iterative
adversarial attacks to understand whether the identified trends are consistent with more robust
strategies. Finally, we plan to extend this line of investigation to examine the potential
effects of users’ activeness (e.g., number of released ratings) on the attack efficacy, providing
more insights for planning more powerful defense strategies, and to study the verified
effects with human evaluation.


Acknowledgments
We acknowledge support of PON ARS01_00876 BIO-D, Casa delle Tecnologie Emergenti della Città di
Matera, PON ARS01_00821 FLET4.0, PIA Servizi Locali 2.0, H2020 Passapartout - Grant n. 101016956,
and PIA ERP4.0.




References
 [1] Y. Hu, X. Yi, L. S. Davis, Collaborative fashion recommendation: A functional tensor
     factorization approach, in: ACM Multimedia, ACM, 2015, pp. 129–138.
 [2] D. Elsweiler, C. Trattner, M. Harvey, Exploiting food choice biases for healthier recipe
     recommendation, in: SIGIR, ACM, 2017, pp. 575–584.
 [3] S. Wang, Y. Wang, J. Tang, K. Shu, S. Ranganath, H. Liu, What your images reveal: Ex-
     ploiting visual contents for point-of-interest recommendation, in: WWW, ACM, 2017,
     pp. 391–400.
 [4] R. He, J. J. McAuley, VBPR: visual bayesian personalized ranking from implicit feedback,
     in: AAAI, AAAI Press, 2016, pp. 144–150.
 [5] R. He, J. J. McAuley, Ups and downs: Modeling the visual evolution of fashion trends with
     one-class collaborative filtering, in: WWW 2016, 2016.
 [6] Q. Liu, S. Wu, L. Wang, Deepstyle: Learning user preferences for visual recommendation,
     in: SIGIR, ACM, 2017, pp. 841–844.
 [7] L. Meng, F. Feng, X. He, X. Gao, T. Chua, Heterogeneous fusion of semantic and collabo-
     rative information for visually-aware food recommendation, in: ACM Multimedia, ACM,
     2020, pp. 3460–3468.
 [8] A. Krizhevsky, I. Sutskever, G. E. Hinton, Imagenet classification with deep convolutional
     neural networks, in: NeurIPS 2012, 2012.
 [9] Y. Deldjoo, T. D. Noia, F. A. Merra, A survey on adversarial recommender systems: from
     attack/defense strategies to generative adversarial networks, ACM Computing Surveys
     (CSUR) (2021).
[10] I. J. Goodfellow, J. Shlens, C. Szegedy, Explaining and harnessing adversarial examples,
     in: ICLR (Poster), 2015.
[11] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, A. Vladu, Towards deep learning models
     resistant to adversarial attacks, in: ICLR 2018, 2018.
[12] N. Carlini, D. A. Wagner, Towards evaluating the robustness of neural networks, in: SP
     2017, 2017.
[13] X. He, Z. He, X. Du, T. Chua, Adversarial personalized ranking for recommendation, in:
     SIGIR, ACM, 2018, pp. 355–364.
[14] J. Tang, X. Du, X. He, F. Yuan, Q. Tian, T. Chua, Adversarial training towards robust
     multimedia recommender system, IEEE Trans. Knowl. Data Eng. 32 (2020) 855–867.
[15] K. He, X. Zhang, S. Ren, J. Sun, Deep residual learning for image recognition, in: CVPR,
     IEEE Computer Society, 2016, pp. 770–778.
[16] T. Di Noia, D. Malitesta, F. A. Merra, Taamr: Targeted adversarial attack against multi-
     media recommender systems, in: DSN–DSML 2020, 2020.
[17] V. W. Anelli, Y. Deldjoo, T. Di Noia, D. Malitesta, F. A. Merra, A study of defensive methods
     to protect visual recommendation against adversarial manipulation of images, in: SIGIR,
     ACM, 2021, pp. 1094–1103.
[18] Z. Liu, M. A. Larson, Adversarial item promotion: Vulnerabilities at the core of top-n
     recommenders that use images to address cold start, in: WWW, ACM / IW3C2, 2021, pp.
     3590–3602.
[19] R. Cohen, O. S. Shalom, D. Jannach, A. Amir, A black-box attack model for visually-aware
     recommender systems, in: WSDM, ACM, 2021, pp. 94–102.
[20] D. Jannach, L. Lerche, I. Kamehkhosh, M. Jugovac, What recommenders recommend:
     an analysis of recommendation biases and possible countermeasures, User Model. User
     Adapt. Interact. 25 (2015) 427–491.
[21] H. Abdollahpouri, R. Burke, B. Mobasher, Controlling popularity bias in learning-to-rank
     recommendation, in: RecSys, ACM, 2017, pp. 42–46.
[22] Z. Zhu, J. Wang, J. Caverlee, Measuring and mitigating item under-recommendation bias
     in personalized ranking systems, in: SIGIR, ACM, 2020, pp. 449–458.
[23] L. Boratto, G. Fenu, M. Marras, Connecting user and item perspectives in popularity
     debiasing for collaborative recommendation, Inf. Process. Manag. 58 (2021) 102387.
[24] R. He, C. Packer, J. J. McAuley, Learning compatibility across categories for heterogeneous
     item recommendation, in: ICDM, IEEE Computer Society, 2016, pp. 937–942.
[25] J. J. McAuley, C. Targett, Q. Shi, A. van den Hengel, Image-based recommendations on
     styles and substitutes, in: SIGIR 2015, 2015.
[26] V. W. Anelli, A. Bellogín, A. Ferrara, D. Malitesta, F. A. Merra, C. Pomo, F. M. Donini, T. Di
     Noia, Elliot: A comprehensive and rigorous framework for reproducible recommender
     systems evaluation, in: SIGIR, ACM, 2021, pp. 2405–2414.
[27] J. Chen, H. Zhang, X. He, L. Nie, W. Liu, T. Chua, Attentive collaborative filtering: Multi-
     media recommendation with item- and component-level attention, in: SIGIR, ACM, 2017.
[28] W. Niu, J. Caverlee, H. Lu, Neural personalized ranking for image recommendation, in:
     WSDM 2018, 2018.
[29] W. Kang, C. Fang, Z. Wang, J. J. McAuley, Visually-aware fashion recommendation and
     design with generative image models, in: ICDM, IEEE Computer Society, 2017, pp. 207–
     216.
[30] R. Yin, K. Li, J. Lu, G. Zhang, Enhancing fashion recommendation with visual compatibil-
     ity relationship, in: WWW 2019, 2019.
[31] A. Paul, Z. Wu, K. Liu, S. Gong, Robust multi-objective visual bayesian personalized
     ranking for multimedia recommendation, Applied Intelligence (2021) 1–12.
[32] R. Cañamares, P. Castells, Should I follow the crowd?: A probabilistic analysis of the
     effectiveness of popularity in recommender systems, in: SIGIR, ACM, 2018, pp. 415–424.
[33] E. Mena-Maldonado, R. Cañamares, P. Castells, Y. Ren, M. Sanderson, Popularity bias
     in false-positive metrics for recommender systems evaluation, ACM Trans. Inf. Syst. 39
     (2021) 36:1–36:43.
[34] Y. Koren, R. M. Bell, C. Volinsky, Matrix factorization techniques for recommender sys-
     tems, Computer 42 (2009) 30–37.
[35] J. Tang, X. Du, X. He, F. Yuan, Q. Tian, T. Chua, Adversarial training towards robust
     multimedia recommender system, IEEE Trans. Knowl. Data Eng. 32 (2020) 855–867.
[36] V. W. Anelli, A. Bellogín, A. Ferrara, D. Malitesta, F. A. Merra, C. Pomo, F. M. Donini, T. Di
     Noia, V-elliot: Design, evaluate and tune visual recommender systems, in: RecSys, ACM,
     2021.
[37] T. Di Noia, D. Malitesta, F. A. Merra, Taamr: Targeted adversarial attack against multi-
     media recommender systems, in: DSN Workshops, IEEE, 2020, pp. 1–8.



