Adversarial Attacks against Visual Recommendation: an Investigation on the Influence of Items' Popularity

Vito Walter Anelli (1), Tommaso Di Noia (1), Eugenio Di Sciascio (1), Daniele Malitesta (1) and Felice Antonio Merra (1,2)
(1) Politecnico di Bari, via Orabona, 4, 70125 Bari, Italy
(2) The authors are in alphabetical order. Corresponding author: Felice Antonio Merra (felice.merra@poliba.it).

Abstract
Visually-aware recommender systems (VRSs) integrate products' image features with historical users' feedback to enhance recommendation performance. Such models have proven very effective in different domains, ranging from fashion and food to point-of-interest recommendation. However, test-time adversarial attack strategies have recently unveiled severe security issues in these recommender models: an adversary can harm the integrity of a recommender by uploading item images carrying human-imperceptible adversarial perturbations that push a target item into higher recommendation positions. Given the importance of items' popularity for recommendation performance, in this work we evaluate whether items' popularity influences the attacks' effectiveness. To this end, we perform three state-of-the-art adversarial attacks against VBPR (a standard VRS), varying the adversary's knowledge (white- vs. black-box) and capability (the magnitude of the perturbation). The results obtained on two real-world datasets show that the attacks are remarkably more effective against the least popular items, a finding that should be taken into account when planning novel defenses.

Keywords
Adversarial Machine Learning, Visual Recommender Systems, Collaborative Filtering

1. Introduction
Recommender systems (RSs) try to unveil the hidden relationships among users and items on popular e-commerce platforms (e.g., Amazon, Zalando) by presenting personalized lists of recommendations, thus supporting customers in the decision-making process.
OHARS'21: Second Workshop on Online Misinformation- and Harm-Aware Recommender Systems, October 2, 2021, Amsterdam, Netherlands. vitowalter.anelli@poliba.it (V. W. Anelli); tommaso.dinoia@poliba.it (T. Di Noia); eugenio.disciascio@poliba.it (E. Di Sciascio); daniele.malitesta@poliba.it (D. Malitesta); felice.merra@poliba.it (F. A. Merra). © 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org), http://ceur-ws.org, ISSN 1613-0073.

When the user's visual taste matters, in scenarios such as fashion [1], food [2], or point-of-interest [3] recommendation, visually-aware recommender systems (VRSs) have recently proven to provide superior results by leveraging the representational power of (pretrained) convolutional neural networks (CNNs) to extract meaningful item visual representations and inject them into the preference learning process, thus modeling the users' visual attitude towards products [4, 5, 6, 7]. For instance, He and McAuley [4] proposed VBPR, a popular matrix factorization (MF)-based VRS that integrates visual features extracted from a pre-trained CNN (i.e., AlexNet [8]). While transferring the visual knowledge of pretrained CNNs to the recommendation task has represented a turning point in the RecSys community, few works have considered the collateral, negative impact of adversarial attacks against the deep/convolutional neural networks (DNNs/CNNs) used in visually-aware recommendation [9]. To date, there exists a plethora of adversarial attack strategies in the computer vision domain whose purpose is to imperceptibly perturb images and mislead classification. Among these, FGSM [10], PGD [11], and Carlini & Wagner [12] represent milestones in adversarial machine learning (AML). In collaborative filtering recommendation, He et al.
[13] have proposed and demonstrated the efficacy of adversarial perturbations of MF model embeddings in corrupting model performance. They then designed an adversarial training method to robustify the model against the proposed perturbations. Their experimental flow has also been applied in [14], where the authors tested the first adversarial procedures (attacks/defenses) on a visually-aware recommendation model: they attacked, and later defended, VBPR against adversarial perturbations applied to the visual embeddings extracted from a pretrained CNN (i.e., ResNet50 [15]). While Tang et al. [14] worked on feature-level perturbations, Di Noia et al. [16] and Anelli et al. [17] later studied and designed the first set of targeted adversarial attack methods performed directly against input product images (and not the visual features) to increase the recommendation probability of low-recommended categories of products by poisoning the training data with adversarial samples. More recently, Liu and Larson [18] and Cohen et al. [19] have proposed novel adversarial attack procedures that perturb product images to push/nuke an item during the inference/testing phase (i.e., evasion attacks). Both works released black-box and white-box adversarial methods: in the first scenario, the adversary does not know the recommender model, while in the second, the attacker has complete access to the model, input, and output. However, both training- and testing-time attacks have been evaluated considering their efficacy in pushing the target/victim items into top-$K$ recommendation lists or increasing preference scores, without taking into account the different levels of items' popularity (i.e., the number of interactions recorded on each item in the training set).
Indeed, considering the influence of different levels of items' popularity on recommendation performance [20, 21, 22, 23], we found a lack of investigation of their potential effects on the efficacy of adversarial attacks.

In this work, motivated by the previous observations, we explore the performance of VBPR [4], a pioneering VRS, under test-time attacks. In particular, we investigate both black-box and white-box settings, and we split the target items into four groups based on their popularity to understand whether there is a connection between attack efficacy and the number of feedbacks received by the target item. Our contributions may be summarized as follows:
• we provide an extensive evaluation of three state-of-the-art adversarial attacks against visual-based recommendation in multiple settings, varying the adversary knowledge (i.e., black- and white-box) and the adversarial capability (i.e., the maximum variation of each image pixel, $\epsilon \in \{4, 8, 16\}$), and evaluating their performance on four groups of target items (i.e., Low Popular, Mid-Low Popular, Mid-High Popular, and High Popular);
• we measure and discuss the changes in the preference scores predicted by the trained VRS, in terms of both the variation of the predicted preference scores and the fraction of times a target item receives a preference score higher than the one before the attack;
• we investigate and compare the effectiveness of the attacks in pushing the target items (again divided by popularity group) into the top-$K$ positions of the recommendation lists generated by the model.
We conduct experiments on two datasets from the Amazon domain [24, 25] to validate our analysis on the task of personalized visual recommendation.

2. Related Work
Recommender Systems (RSs) may rely on additional side information (e.g., images, audio, and text) to enhance the item representation and provide more tailored recommendations.
Indeed, in domains such as fashion [1], food [2], and point-of-interest [3], the product images displayed on online platforms can positively drive the final users' decision. In this respect, to extend the expressive power of RSs, visually-aware recommender systems (VRSs) have recently been proposed to incorporate the visual appearance of items into recommendation [4, 5, 6, 7, 26]. Given the representational power of convolutional neural networks (CNNs) in capturing high-level image characteristics, state-of-the-art VRSs often integrate visual features extracted via a CNN, either pre-trained, e.g., [4, 6, 27, 28], or learned end-to-end, e.g., [29, 30]. When it comes to adversarially attacking VRSs, the literature recognizes two main approaches, perturbing the visual appearance of items either at the feature level (i.e., the visual embeddings extracted from the CNN) or at the image level (i.e., the item images). Among feature-level attacks, Tang et al. [14] designed and implemented a framework to robustify the model by He and McAuley [4] against visual feature perturbations by leveraging adversarial training, while Paul et al. [31] proposed an aesthetic-based VRS which is adversarially defended by adopting an iterative adversarial training procedure on the aesthetic features. Among image-level attacks, Di Noia et al. [16] and Anelli et al. [17] ran state-of-the-art computer vision adversarial attacks to poison the dataset with adversarial product images, altering the training of the model in order to push the target items towards higher recommendation positions. In addition, Liu and Larson [18] and Cohen et al. [19] perturbed the item images at test time, in the realistic scenario where an adversary uploads an altered version of a product picture after the model has been trained.
In this work, we only consider image-level attacks, since uploading an adversarial version of a product image to a platform (e.g., eBay, Amazon, and Instagram) is more realistic than having access to the model in order to modify the visual features used in the training/prediction phases. Furthermore, we focus our investigation on test-time/evasion attacks, assuming that, for an adversary, it is easier and more efficient to change the product image on a platform to directly increase its predicted preference score and push it into high top-$K$ recommendation positions. In particular, considering the effects of items' popularity on recommendation quality [32, 23, 33], this work explores whether test-time attacks have different efficacy depending on the items' popularity.

3. Methodology
In this section, we first describe some useful notation, and then briefly review and formalize the three adversarial attack strategies tested in the current work.

3.1. Preliminaries and Notation
Recommendation Task. Let $\mathcal{U}$, $\mathcal{I}$, and $\mathcal{S}$ be the sets of users, items, and score-based preference feedback, with $|\mathcal{U}|$, $|\mathcal{I}|$, and $|\mathcal{S}|$ their sizes. Then, let $s_{ui} \in \mathcal{S}$ be the preference of a user $u \in \mathcal{U}$ on the item $i \in \mathcal{I}$, assuming that $s_{ui} = 1$ when user $u$ has previously interacted with item $i$ (e.g., reviewed, purchased or clicked on the product). We define the recommendation task as the problem of producing, for each user, a list of items that maximizes a utility function. Moreover, $\hat{s}_{ui}$ refers to the preference score predicted by the RS trained on the set of user-item preference feedback. A popular class of methods to learn unseen users' preferences is based on matrix factorization (MF) [34]. Training an MF-based recommender aims to learn an approximation of the $|\mathcal{U}| \times |\mathcal{I}|$ high-dimensional user-item preference matrix as the product of two low-rank matrices of latent factors.
Each row of the first matrix $\mathbf{P} \in \mathbb{R}^{|\mathcal{U}| \times h}$ is a user latent vector $p_u$, while each row of the second matrix $\mathbf{Q} \in \mathbb{R}^{|\mathcal{I}| \times h}$ is an item latent vector $q_i$, where $h \ll |\mathcal{U}|, |\mathcal{I}|$.

Visual Feature Extraction in VRSs. When it comes to visual recommendation, a common approach is to extract high-level visual features from (pretrained) CNNs (e.g., [4, 6, 28, 29]). We indicate with $x_i$ the image/photo associated with the item $i \in \mathcal{I}$. While popular VRSs leverage either visual features extracted from pretrained CNNs or end-to-end trained approaches, we focus on the former class of visual recommenders, leaving the exploration of the latter as a future research direction. In this setting, given a set of data samples $(x_i, y_i)$, where $x_i$ is the image associated with item $i \in \mathcal{I}$ and $y_i$ is the one-hot encoded representation of $x_i$'s image category, we indicate with $F$ the DNN/CNN classifier pre-trained on all $(x_i, y_i)$. The network is trained such that the predicted probability vector of classes associated with an image, $F(x_i) = \hat{y}_i$, is as close as possible to the one-hot encoded vector of the ground-truth class $y_i$. Since the DNN is composed of $L$ layers, we indicate with $F^{(l)}(x_i)$, $0 \le l \le L - 1$, the output of the $l$-th layer of $F$ given the input $x_i$. The actual extraction takes place at one of the last layers of the network, i.e., $F^{(e)}(x_i)$, where $e$ is the extraction layer. We define this layer output $F^{(e)}(x_i) = \varphi_i$ as a one-dimensional vector that will be the input to the VRS.

A Popular Visual Recommender: VBPR. To investigate the effects of items' popularity under adversarial attacks, we considered the most popular baseline in the visually-aware recommendation task: Visual Bayesian Personalized Ranking from Implicit Feedback (VBPR) [4]. The model improves the MF preference predictor by adding a visual contribution to the traditional collaborative one.
Given a user $u$ and a non-interacted item $i$, the predicted preference score is
$$\hat{s}_{ui} = p_u^T q_i + \theta_u^T \theta_i + \beta_{ui},$$
where $\theta_u$ and $\theta_i$ are the rows of $\Theta_{\mathcal{U}} \in \mathbb{R}^{|\mathcal{U}| \times \upsilon}$ and $\Theta_{\mathcal{I}} \in \mathbb{R}^{|\mathcal{I}| \times \upsilon}$, i.e., the visual latent vectors of user $u$ and item $i$, respectively ($\upsilon \ll |\mathcal{U}|, |\mathcal{I}|$). The visual latent vector of item $i$ is obtained as $\theta_i = \mathbf{E}\varphi_i$, where $\varphi_i$ is the visual feature of item $i$'s image extracted from a pretrained convolutional neural network (i.e., AlexNet [8], as in the original work), while $\mathbf{E}$ is a matrix that projects the visual feature into the same space as $\theta_u$. Furthermore, $\beta_{ui}$ stands for the sum of the overall offset and the user, item, and global visual biases.

The Failure Point of a Visual Recommender: the Visual Features. All the state-of-the-art adversarial strategies [35, 19, 18, 17] alter the recommendation output by perturbing the products' images so that the newly-extracted visual feature $\varphi_i^*$ leads to a score $\hat{s}^*_{ui} \neq \hat{s}_{ui}$. Then, $\hat{s}^*_{ui} > \hat{s}_{ui}$ when the adversary wants to push/increase the score predicted on the target item $i$ for the user $u$, while $\hat{s}^*_{ui} < \hat{s}_{ui}$ holds in nuking scenarios. To craft the adversarially perturbed version of $\varphi_i$, the adversary can either have complete knowledge of the recommender model (i.e., parameters, output, and training data) or be completely unaware of this information. In the former case, the adversary is said to work in white-box settings, while in the latter case she works in black-box ones.

Adversarial Perturbation on Images. We define an adversarial attack as the problem of finding the best value for a perturbation $\delta_i$ such that the attacked image $x_i^* = x_i + \delta_i$ is visually similar to $x_i$ according to a certain distance metric, e.g., $L_p$ norms, and $x_i^*$ stays within its original value range, i.e., $[0, 1]$ for 8-bit RGB images re-scaled by a factor of 255 (equivalently, $[0, 255]$ on the raw pixel scale). Here, the intuition is that the visual feature extracted from the network changes, $\varphi_i^* = F^{(e)}(x_i^*) \neq \varphi_i = F^{(e)}(x_i)$, and drives the recommender's behavior towards the malicious goal.
Independently of the adversary's knowledge of the VRS, all the adversarial attack strategies defined in the literature and explored in this work learn the adversarial perturbation $\delta_i$ of a product image $x_i$ by backpropagating error information through $F(\cdot)$. Below, we define the three strategies used to compute $\delta_i$: TAaMR, WB-SIGN, and INSA. Note that the pixel values of $x_i^*$ are clipped to the $[0, 255]$ range at the end of the attack, and the perturbation budget $\epsilon$ is expressed on the same 8-bit scale.

3.2. Black-Box: Targeted Adversarial Attack against Multimedia Recommenders (TAaMR)
The first adversarial attack strategy tested in this work is a test-time extension of the Targeted Adversarial Attack against Multimedia Recommenders (TAaMR) proposed by [16]. The strategy, originally proposed for poisoning the training set with altered item images, adversarially perturbs the image such that the pretrained CNN used to extract the visual feature misclassifies the original image into a different, chosen class. In particular, we use the Fast Gradient Sign Method (FGSM) [10], a baseline strategy in computer vision that generates an adversarial version of the attacked image in a single step. Given a clean input image $x_i$, a target class $p$, a CNN $F(\cdot)$ with parameters $\theta$, and a perturbation coefficient $\epsilon$, the targeted adversarial image $x_i^*$ is
$$x_i^* \leftarrow x_i - \epsilon \cdot \mathrm{sign}\left(\nabla_{x_i} \mathcal{L}_F(\theta, x_i, p)\right) \quad (1)$$
where $\nabla_{x_i} \mathcal{L}_F(\theta, x_i, p)$ is the gradient of the loss of $F(\cdot)$ with respect to the input, computed against the target class $p$ (the minus sign lowers the loss for $p$, i.e., moves the image towards the target class), and $\mathrm{sign}(\cdot)$ is the sign function. Since the update never uses the recommender's parameters, the attack is black-box with respect to the VRS: it relies only on the pretrained classifier $F$.

3.3. White-Box: Sign Method (WB-SIGN)
The second adversarial strategy is the Sign-based White-Box Attack (WB-SIGN), which manipulates the product image by computing the partial derivatives of the preference score function $\hat{s}(\cdot)$ with respect to the item image $x_i$ used to predict the user-item preference score, and updates the pixels in that direction.
Formally, we define the sum of the preference scores predicted for item $i$ over all users as
$$\hat{s}_i(x_i) = \sum_{u \in \mathcal{U}} \hat{s}_{ui}(x_i) = \sum_{u \in \mathcal{U}} \left( p_u^T q_i + \theta_u^T \mathbf{E} F^{(e)}(x_i) + \beta_{ui} \right), \qquad \text{then} \qquad x_i^* \leftarrow x_i + \epsilon \cdot \mathrm{sign}\left( \frac{\partial \hat{s}_i(x_i)}{\partial x_i} \right) \quad (2)$$
where the pixels move along the sign of the gradient so that the summed score increases, which is the adversary's pushing goal. Note that only the visual term depends on $x_i$, so by the chain rule $\partial \hat{s}_i / \partial x_i = J_{F^{(e)}}(x_i)^T \mathbf{E}^T \sum_{u \in \mathcal{U}} \theta_u$, where $J_{F^{(e)}}(x_i)$ is the Jacobian of the feature extractor at $x_i$: from the recommender, the white-box attacker needs only the projection $\mathbf{E}$ and the aggregated user visual vector $\sum_u \theta_u$.

3.4. White-Box: Insider Attack (INSA)
The last attack we experiment with is the Insider Attack (INSA) proposed by Liu and Larson [18]. Similarly to WB-SIGN, this method assumes that the adversary has full knowledge of and access to the parameters of the trained model, and uses them to modify the pixels of the product image so as to increase the preference scores inferred by the recommender for each target item. To this end, INSA is defined as follows:
$$x_i^* \leftarrow x_i + \delta_i, \qquad \delta_i = \frac{\partial \hat{s}_i(x_i)}{\partial x_i} \qquad \text{such that} \qquad \|\delta_i\| \le \epsilon \quad (3)$$
Note that, similarly to WB-SIGN, INSA builds a perturbation that seeks to maximize the scores predicted for all users on each attacked item. However, differently from WB-SIGN, INSA's perturbation is the raw gradient back-propagated through the recommender and the CNN, bounded by the budget $\epsilon$, rather than the sign of the gradient scaled by $\epsilon$.

4. Experiments
This section presents the setting we followed to run the experiments, and then discusses the obtained results.

4.1. Experimental Setup
Datasets. We perform the experiments on two recommendation datasets from Amazon.com containing customers' feedback and items' images: Amazon Boys & Girls and Amazon Men, both in the fashion domain. Since the released repository [24, 25] does not ship the images, the item set is limited to the items whose images were still available on the e-commerce platform. We remove items/users with less than 5 interactions [5, 4]. After filtering, Amazon Boys & Girls has 1,425 users, 5,019 items, and 9,213 feedbacks, while Amazon Men has 16,278 users, 31,750 items, and 113,106 feedbacks.

Evaluation Metrics.
We evaluate the tested attacks according to the ability of the adversary to compromise the integrity of the recommendations, i.e., the efficacy in increasing the preference score predicted by the visual recommender and in pushing the target items into the top-$K$ of each user's recommendation list. To measure the variation of the preference score, we define the Prediction Shift (PS) as
$$\mathrm{PS} = \frac{1}{|\mathcal{T}|} \sum_{t \in \mathcal{T}} \left( \hat{s}^*_{ut} - \hat{s}_{ut} \right) \quad (4)$$
where $\mathcal{T}$ is the set of target items whose images have been adversarially perturbed. Additionally, to track how often the preference score increases, we measure the fraction of target items for which a preference score improvement is observed. We name this metric Improvement Fraction (IF) and define it as
$$\mathrm{IF} = \frac{1}{|\mathcal{T}|} \sum_{t \in \mathcal{T}} \mathbb{1}\left[ \hat{s}^*_{ut} - \hat{s}_{ut} > 0 \right] \quad (5)$$
where $\mathrm{IF} < 0.5$ means that the target items worsened their preference score more often than they improved it. While the previous metrics concern preference score predictions, similarly to [18, 17] we also evaluate a ranking-wise metric that measures the average number of times a target item hits the top-$K$ recommendation lists. This metric, named Hit Ratio (HR@K), is defined as
$$\mathrm{HR@}K = \frac{1}{|\mathcal{T}|} \sum_{t \in \mathcal{T}} \frac{1}{|\mathcal{U}|} \sum_{u \in \mathcal{U}} \mathrm{hit@}K(t, u) \quad (6)$$
where $\mathrm{hit@}K(t, u)$ is 1 when the target item $t$ is in the top-$K$ list of user $u$, and 0 otherwise.

Reproducibility. We randomly initialize the model parameters from a Gaussian distribution with mean 0 and standard deviation 0.01, and set the latent factor dimension to 128 as in [27]. We explore via grid search the learning rate in {0.0001, 0.001, 0.01} and the regularization coefficients in {0.00001, 0.001}, whereas we fix the batch size to 256. We adopt early stopping to avoid overfitting and choose the best model configuration for each algorithm according to Recall@100, as in [27].
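The following Python block is an added example, not code from the paper or from the Elliot framework. It ties together the two white-box update rules of Sections 3.3 and 3.4 and the three metrics defined above on a toy VBPR: a frozen random linear map $W$ stands in for the CNN feature extractor $F^{(e)}$ (so the chain rule $J_F^T \mathbf{E}^T \sum_u \theta_u$ is visible in code), the recommender parameters are random rather than trained, the "images" and interaction counts are constructed, and the INSA budget in eq. (3) is enforced by rescaling the gradient to an $L_\infty$ norm of $\epsilon$, which is our assumption since the paper does not name the norm. Pixels and $\epsilon$ are on the 8-bit [0, 255] scale.

```python
"""Toy VBPR under WB-SIGN and INSA-style test-time attacks, scored with PS, IF, HR@K.

Added example, not code from the paper or from Elliot. Everything is constructed:
a frozen linear map W plays the CNN feature extractor F^(e) so the gradient chain
x_i -> phi_i -> theta_i -> s_ui is explicit; recommender parameters are random.
"""
import numpy as np

rng = np.random.default_rng(0)
N_USERS, N_ITEMS, PIXELS, FEATS, H, V = 50, 30, 64, 16, 8, 8

P = rng.normal(0, 0.1, (N_USERS, H))           # user collaborative factors p_u
Q = rng.normal(0, 0.1, (N_ITEMS, H))           # item collaborative factors q_i
THETA_U = rng.normal(0, 0.1, (N_USERS, V))     # user visual factors theta_u
E = rng.normal(0, 0.1, (V, FEATS))             # projection E: phi_i -> theta_i
W = rng.normal(0, 0.01, (FEATS, PIXELS))       # stand-in for F^(e) (assumed linear)
BETA = rng.normal(0, 0.1, (N_USERS, N_ITEMS))  # all bias terms folded into beta_ui
IMAGES = rng.integers(0, 256, (N_ITEMS, PIXELS)).astype(float)  # constructed "photos"
COUNTS = rng.integers(5, 200, N_ITEMS)         # constructed training interaction counts


def extract(x):
    """phi_i = F^(e)(x_i); a linear stand-in for the CNN."""
    return W @ x


def scores(x, i):
    """Vector of hat{s}_ui over all users u for item i shown with image x."""
    return P @ Q[i] + THETA_U @ (E @ extract(x)) + BETA[:, i]


def score_gradient(x):
    """d(sum_u hat{s}_ui)/dx_i = J_F^T E^T sum_u theta_u; constant here since W is linear."""
    return W.T @ (E.T @ THETA_U.sum(axis=0))


def wb_sign(x, eps):
    """WB-SIGN, eq. (2): one step of size eps along the gradient sign, then clip."""
    return np.clip(x + eps * np.sign(score_gradient(x)), 0, 255)


def insa(x, eps):
    """INSA-style, eq. (3): raw gradient direction rescaled to ||delta||_inf = eps
    (norm and rescaling rule are our assumptions), then clip to the pixel range."""
    g = score_gradient(x)
    return np.clip(x + eps * g / max(np.abs(g).max(), 1e-12), 0, 255)


def linf_distance(x, x_adv):
    """L-infinity distance between clean and attacked image, to audit the budget."""
    return float(np.abs(x_adv - x).max())


def prediction_shift(before, after):
    """PS, eq. (4): mean of hat{s}*_ut - hat{s}_ut over target items (and users)."""
    return float(np.mean(after - before))


def improvement_fraction(before, after):
    """IF, eq. (5): fraction of (user, target) pairs whose score increased."""
    return float(np.mean(after - before > 0))


def hit_ratio(score_matrix, targets, k):
    """HR@K, eq. (6): mean over targets of the share of users whose top-K contains t."""
    topk = np.argsort(-score_matrix, axis=1)[:, :k]
    return float(np.mean([(topk == t).any(axis=1).mean() for t in targets]))


def split_by_popularity(counts, n_groups=4):
    """Item ids in n_groups of increasing training popularity (LP, MLP, MHP, HP)."""
    order = np.argsort(counts, kind="stable")
    return [g.tolist() for g in np.array_split(order, n_groups)]


def full_score_matrix(images):
    """Users x items matrix of predicted scores for a given set of item images."""
    return np.column_stack([scores(images[i], i) for i in range(N_ITEMS)])


def evaluate(attack, targets, eps, k=5):
    """Attack every target image, then report PS, IF and HR@K before/after."""
    clean = full_score_matrix(IMAGES)
    adv_images = IMAGES.copy()
    for t in targets:
        adv_images[t] = attack(IMAGES[t], eps)
    adv = full_score_matrix(adv_images)
    before, after = clean[:, targets], adv[:, targets]
    return {"PS": prediction_shift(before, after),
            "IF": improvement_fraction(before, after),
            "HR_before": hit_ratio(clean, targets, k),
            "HR_after": hit_ratio(adv, targets, k)}


if __name__ == "__main__":
    for name, group in zip(["LP", "MLP", "MHP", "HP"], split_by_popularity(COUNTS)):
        for attack in (wb_sign, insa):
            print(name, attack.__name__, evaluate(attack, group, eps=8))
```

Two things are worth noticing when running it. First, because both updates follow the gradient of the summed score, the aggregate PS is non-negative by construction, while IF can stay below 1: the per-user change $\theta_u^T \mathbf{E} W \delta_i$ has its own sign, so a perturbation that helps the average user can hurt individual users. Second, the budget audit via `linf_distance` is the check a defender would script on uploaded images, since an image that moves by more than the platform's accepted re-encoding noise is the only observable signal of this attack class.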
After having identified the best VBPR configuration on each dataset, we randomly sample 200 items from the catalog ($|\mathcal{T}| = 200$). We attack each target item image and measure the corresponding adversarial score ($\hat{s}^*_{ui}$) for each user. To study the effects of popularity on the attack efficacy, we split the target items into four groups based on the feedback recorded in the training set (i.e., Low Popular (LP), Mid-Low Popular (MLP), Mid-High Popular (MHP), and High Popular (HP)). For each attack, we vary the perturbation budget $\epsilon \in \{4, 8, 16\}$. For the black-box strategy (TAaMR), we select as target class the most popular one ("running shoes") for both datasets. All code, datasets, and configuration files to run and evaluate the experiments are publicly available in the Elliot reproducibility framework [17, 36] (https://github.com/sisinflab/elliot).

4.2. Results and Discussion
In this section, we investigate the following research questions:
RQ1: What is the effect of items' popularity on the efficacy of testing-time adversarial attacks with respect to increasing the inferred preference scores? Is the behavior observed with a smaller perturbation budget ($\epsilon = 4$) consistent with higher perturbation budgets ($\epsilon \in \{8, 16\}$)?
RQ2: When studying the adversary's ability to push the target item into the top-$K$ recommendation list, what is the effect of items' popularity? How much does $\epsilon$ influence ranking-wise performance?

4.3. Analysis of Attack Performance on Increasing Preference Scores (RQ1)
This section analyses the Improvement Fraction (IF) and the Prediction Shift (PS) of the tested adversarial attacks on the Amazon Boys & Girls and Amazon Men datasets. Table 1 reports the measured performance on the four target item groups defined in Section 4.1.

Table 1
Average Improvement Fraction and Prediction Shift across all popularity groups and perturbation budgets. We report the Elliot configuration files used to perform the experiments.
Amazon Boys & Girls [Elliot configuration file: ws_attack_best_amazon_boys_girls.yml]

Attack    ε   |  IF: LP    MLP      MHP      HP      |  PS: LP     MLP       MHP       HP
TAaMR     4   |  0.44463  0.43154  0.41907  0.42219  |  -0.22579  -0.27033  -0.33856  -0.39528
TAaMR     8   |  0.46338  0.44035  0.43328  0.42793  |  -0.14574  -0.24304  -0.30813  -0.36147
TAaMR    16   |  0.49444  0.45799  0.47867  0.45004  |  -0.01750  -0.21294  -0.16771  -0.31063
WB-SIGN   4   |  0.90726  0.91332  0.90087  0.88025  |   2.02115   1.95690   1.93221   1.80204
WB-SIGN   8   |  0.82153  0.82710  0.82013  0.78950  |   1.67599   1.61977   1.58222   1.44028
WB-SIGN  16   |  0.70281  0.70766  0.71564  0.67601  |   1.15195   1.12273   1.11164   0.95283
INSA      4   |  0.98828  0.99128  0.98848  0.98801  |   0.89236   0.89898   0.80334   0.81315
INSA      8   |  0.98831  0.99130  0.98841  0.98801  |   0.89228   0.89857   0.80303   0.81310
INSA     16   |  0.98831  0.99130  0.98841  0.98801  |   0.89228   0.89844   0.80303   0.81310

Amazon Men [Elliot configuration file: ws_attack_best_amazon_men.yml]

Attack    ε   |  IF: LP    MLP      MHP      HP      |  PS: LP     MLP       MHP       HP
TAaMR     4   |  0.49325  0.49828  0.49779  0.42723  |  -0.03048  -0.04103  -0.00803  -0.40287
TAaMR     8   |  0.45327  0.45121  0.46360  0.38513  |  -0.34333  -0.28482  -0.21996  -0.72266
TAaMR    16   |  0.37303  0.38719  0.37847  0.33111  |  -1.03492  -0.85267  -0.88104  -1.32383
WB-SIGN   4   |  0.88149  0.85164  0.85136  0.82823  |   2.19162   2.02704   1.96209   1.91346
WB-SIGN   8   |  0.74791  0.72156  0.72428  0.68396  |   1.45054   1.37203   1.35763   1.17692
WB-SIGN  16   |  0.54332  0.55128  0.53101  0.50308  |   0.18964   0.31076   0.19959   0.06569
INSA      4   |  0.94537  0.91230  0.90757  0.90606  |   2.29845   2.09213   1.96360   2.05216
INSA      8   |  0.93399  0.89413  0.89756  0.88974  |   2.21695   2.00421   1.91811   1.99631
INSA     16   |  0.91968  0.87861  0.88227  0.87088  |   2.11271   1.91207   1.83971   1.91991

Before moving to the investigation of the effects of items' popularity on the attack efficacy, it is interesting to observe that the black-box strategy (TAaMR) is mostly ineffective in increasing the scores of the target items on both datasets: PS is negative and IF is lower than 0.5 in every setting. Even the least negative PS values stay below zero (-0.01750 for LP items with $\epsilon = 16$ on Amazon Boys & Girls, and -0.00803 for MHP items with $\epsilon = 4$ on Amazon Men). We may explain the low efficacy of this strategy by noting that, differently from the TAaMR proposal [37], we do not use the targeted adversarial strategy to poison the training procedure, but apply it at testing time, when the model has already learned the users' preferences: the direction that makes the classifier prefer the target class need not be the direction that increases the visual term of the trained VBPR. However, we may derive two additional insights. The first is that the effect of $\epsilon$ is dataset-dependent: on Amazon Boys & Girls, increasing $\epsilon$ reduces the damage and brings IF closer to 0.5, whereas on Amazon Men, IF and PS both decrease as $\epsilon$ grows. The second is that TAaMR has been more effective on low popular target items than on the most popular ones: IF on LP items is higher than on HP items in all attack settings (e.g., 0.49444 > 0.45004 on Amazon Boys & Girls and 0.37303 > 0.33111 on Amazon Men with $\epsilon = 16$).

After having discussed the black-box attack, we move the analysis to the white-box ones. Starting with WB-SIGN, the adversarial strategy is more effective against low popular items than against high popular ones. For instance, PS with $\epsilon = 4$ is 2.02115 on LP and 1.80204 on HP in Amazon Boys & Girls, and 2.19162 versus 1.91346 on Amazon Men. The same trend holds for INSA, the second white-box attack: for example, IF on Amazon Men with $\epsilon = 4$ decreases monotonically with popularity, 0.94537 > 0.91230 > 0.90757 > 0.90606. On Amazon Boys & Girls the INSA gaps are much smaller: in PS, LP and MLP (about 0.89) still clearly exceed MHP and HP (about 0.80 to 0.81), while IF is nearly flat (0.988 to 0.991) across groups. When varying $\epsilon$, the LP group always exceeds the HP group in both PS and IF for both white-box attacks and both datasets, although the two intermediate groups are not always ordered (e.g., MLP has the highest PS for WB-SIGN with $\epsilon = 16$ on Amazon Men). These empirical observations confirm that items' popularity influences the efficacy of the adversarial attack strategies: the least popular target items receive increments of the preference scores larger than those measured on the most popular ones, and the tendency is consistent when moving the perturbation budget from the smallest value (4) to the largest one (16).

4.4. Analysis of Attack Performance on Top-K Recommendation Lists (RQ2)
Table 2 reports the HR@50 values measured on the top-50 recommendation lists before and after the execution of the adversarial attacks. This section verifies whether the higher attack efficacy on low popular items measured from the preference score point of view is consistent when analyzing the top-$K$ recommendation lists. Differently from the previous analysis, we should point out that the most popular items have HR@50 values (before the attack) higher than those of low popular items, due to the well-known popularity bias [20, 21, 22, 23]. Indeed, the HR@50 of HP items is more than two times higher than the one measured on LP items (0.01423 vs. 0.00669) in Amazon Boys & Girls, and more than six times higher in Amazon Men (0.00297 vs. 0.00044). For this reason, Table 2 also reports the relative variation of HR@50 after each attack.

Table 2
HR@50 measured before the attack (No Attacks) and after each attack on all popularity groups. The percentage in parentheses is the variation relative to the attacked value, i.e., (HR@50 after − HR@50 before) / HR@50 after, which is how the reported values are obtained and why a drop can exceed −100%.

Amazon Boys & Girls

Attack      ε   |  LP                  MLP                  MHP                  HP
No Attacks      |  0.00669             0.01260              0.00762              0.01423
TAaMR       4   |  0.00392 (-70.97%)   0.00632 (-99.56%)    0.00519 (-46.76%)    0.00668 (-113.03%)
TAaMR       8   |  0.00401 (-66.78%)   0.00627 (-100.89%)   0.00459 (-66.06%)    0.00622 (-128.89%)
TAaMR      16   |  0.00536 (-24.87%)   0.00658 (-91.47%)    0.00504 (-51.25%)    0.00589 (-141.43%)
WB-SIGN     4   |  0.02429 (+72.44%)   0.04340 (+70.96%)    0.03168 (+75.94%)    0.04173 (+65.89%)
WB-SIGN     8   |  0.01644 (+59.27%)   0.03148 (+59.96%)    0.02392 (+68.13%)    0.02960 (+51.92%)
WB-SIGN    16   |  0.01241 (+46.04%)   0.02046 (+38.41%)    0.01697 (+55.09%)    0.02008 (+29.14%)
INSA        4   |  0.01321 (+49.31%)   0.02118 (+40.49%)    0.01533 (+50.27%)    0.02580 (+44.83%)
INSA        8   |  0.01321 (+49.31%)   0.02118 (+40.49%)    0.01533 (+50.27%)    0.02580 (+44.83%)
INSA       16   |  0.01321 (+49.31%)   0.02118 (+40.49%)    0.01533 (+50.27%)    0.02580 (+44.83%)

Amazon Men

Attack      ε   |  LP                  MLP                  MHP                  HP
No Attacks      |  0.00044             0.00109              0.00091              0.00297
TAaMR       4   |  0.00089 (+50.28%)   0.00075 (-45.42%)    0.00105 (+13.64%)    0.00210 (-41.68%)
TAaMR       8   |  0.00092 (+51.99%)   0.00103 (-5.83%)     0.00152 (+40.29%)    0.00224 (-32.51%)
TAaMR      16   |  0.00082 (+46.04%)   0.00097 (-13.23%)    0.00162 (+43.82%)    0.00228 (-30.09%)
WB-SIGN     4   |  0.00299 (+85.19%)   0.00326 (+66.50%)    0.00527 (+82.74%)    0.01146 (+74.10%)
WB-SIGN     8   |  0.00215 (+79.36%)   0.00279 (+60.76%)    0.00441 (+79.35%)    0.00741 (+59.92%)
WB-SIGN    16   |  0.00143 (+69.04%)   0.00179 (+39.04%)    0.00290 (+68.63%)    0.00440 (+32.47%)
INSA        4   |  0.00285 (+84.45%)   0.00333 (+67.19%)    0.00478 (+80.97%)    0.01209 (+75.44%)
INSA        8   |  0.00287 (+84.57%)   0.00347 (+68.46%)    0.00507 (+82.05%)    0.01206 (+75.38%)
INSA       16   |  0.00281 (+84.22%)   0.00335 (+67.32%)    0.00470 (+80.63%)    0.01195 (+75.15%)

Analyzing the variations measured under the black-box attack, it can be noted that, consistently with the findings of Section 4.3, the attack comes closer to its pushing goal on low popular target items than on the most popular ones. Indeed, despite the negative variation of HR@50 measured on LP items in Amazon Boys & Girls (-70.97% with $\epsilon = 4$), the one measured on HP is even more negative (-113.03%). The same trend is confirmed on Amazon Men independently of the perturbation budget, where LP items even gain positions (+50.28% with $\epsilon = 4$) while HP items lose them (-41.68%). Extending the analysis to the white-box strategies, and considering that PS is always positive and IF is greater than 0.5, we should expect the relative HR@50 gains on LP items to exceed those on HP items. Results in Table 2 confirm this: for both WB-SIGN and INSA, for every $\epsilon$, and on both datasets, the LP gain is larger than the HP gain, although the intermediate groups are not always ordered (on Amazon Boys & Girls, the MHP group obtains the largest relative gain).
For instance, HR@50 increases by +85.19% on LP and by +74.10% on HP when WB-SIGN with $\epsilon = 4$ is performed on Amazon Men. Results on the top-$K$ recommendation performance further confirm that items' popularity affects the efficacy of the attacks, making the least popular target items easier to push into higher positions than items already in high positions.

5. Conclusion
We examined whether test-time adversarial attacks against VRSs have a distinct impact on items based on their popularity. To this end, we tested one black-box (TAaMR) and two state-of-the-art white-box (WB-SIGN and INSA) single-step adversarial attacks, varying the perturbation budget over three levels ($\epsilon \in \{4, 8, 16\}$), to alter the recommendations generated by VBPR, a baseline model for visual recommendation. After training VBPR on two datasets (Amazon Boys & Girls and Amazon Men), we randomly extracted 200 target items from each catalog, divided them into four groups based on the number of ratings registered in the training set, and performed two analyses: one on the preference scores and the other on the effects on top-$K$ lists. From the former, we found that items' popularity influences the attacks' efficacy: the attacks are much more effective in incrementing the preference scores of the least popular items than those of the most popular ones, consistently across values of $\epsilon$. From the latter, we verified that this trend also holds when looking at top-$K$ recommendation lists, with the least popular target items obtaining the largest relative gains in ranking position. These results open challenges for developing adversarial defense strategies, as the least popular items are the most exposed to adversarial attacks. As a future extension, we propose extending the study to iterative adversarial attacks, to understand whether the identified trends are consistent with stronger strategies.
Finally, we plan to extend this line of investigation to examine the potential effects of users' activeness (e.g., number of released ratings) on the attack efficacy, providing more insights for planning more powerful defense strategies, and to study the verified effects with human evaluation.

Acknowledgments

We acknowledge support of PON ARS01_00876 BIO-D, Casa delle Tecnologie Emergenti della Città di Matera, PON ARS01_00821 FLET4.0, PIA Servizi Locali 2.0, H2020 Passapartout - Grant n. 101016956, and PIA ERP4.0.

References

[1] Y. Hu, X. Yi, L. S. Davis, Collaborative fashion recommendation: A functional tensor factorization approach, in: ACM Multimedia, ACM, 2015, pp. 129–138.
[2] D. Elsweiler, C. Trattner, M. Harvey, Exploiting food choice biases for healthier recipe recommendation, in: SIGIR, ACM, 2017, pp. 575–584.
[3] S. Wang, Y. Wang, J. Tang, K. Shu, S. Ranganath, H. Liu, What your images reveal: Exploiting visual contents for point-of-interest recommendation, in: WWW, ACM, 2017, pp. 391–400.
[4] R. He, J. J. McAuley, VBPR: Visual Bayesian personalized ranking from implicit feedback, in: AAAI, AAAI Press, 2016, pp. 144–150.
[5] R. He, J. J. McAuley, Ups and downs: Modeling the visual evolution of fashion trends with one-class collaborative filtering, in: WWW, 2016.
[6] Q. Liu, S. Wu, L. Wang, DeepStyle: Learning user preferences for visual recommendation, in: SIGIR, ACM, 2017, pp. 841–844.
[7] L. Meng, F. Feng, X. He, X. Gao, T. Chua, Heterogeneous fusion of semantic and collaborative information for visually-aware food recommendation, in: ACM Multimedia, ACM, 2020, pp. 3460–3468.
[8] A. Krizhevsky, I. Sutskever, G. E. Hinton, ImageNet classification with deep convolutional neural networks, in: NeurIPS, 2012.
[9] Y. Deldjoo, T. Di Noia, F. A. Merra, A survey on adversarial recommender systems: From attack/defense strategies to generative adversarial networks, ACM Computing Surveys (CSUR) (2021).
[10] I. J. Goodfellow, J. Shlens, C. Szegedy, Explaining and harnessing adversarial examples, in: ICLR (Poster), 2015.
[11] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, A. Vladu, Towards deep learning models resistant to adversarial attacks, in: ICLR, 2018.
[12] N. Carlini, D. A. Wagner, Towards evaluating the robustness of neural networks, in: SP, 2017.
[13] X. He, Z. He, X. Du, T. Chua, Adversarial personalized ranking for recommendation, in: SIGIR, ACM, 2018, pp. 355–364.
[14] J. Tang, X. Du, X. He, F. Yuan, Q. Tian, T. Chua, Adversarial training towards robust multimedia recommender system, IEEE Trans. Knowl. Data Eng. 32 (2020) 855–867.
[15] K. He, X. Zhang, S. Ren, J. Sun, Deep residual learning for image recognition, in: CVPR, IEEE Computer Society, 2016, pp. 770–778.
[16] T. Di Noia, D. Malitesta, F. A. Merra, TAaMR: Targeted adversarial attack against multimedia recommender systems, in: DSN–DSML, 2020.
[17] V. W. Anelli, Y. Deldjoo, T. Di Noia, D. Malitesta, F. A. Merra, A study of defensive methods to protect visual recommendation against adversarial manipulation of images, in: SIGIR, ACM, 2021, pp. 1094–1103.
[18] Z. Liu, M. A. Larson, Adversarial item promotion: Vulnerabilities at the core of top-N recommenders that use images to address cold start, in: WWW, ACM / IW3C2, 2021, pp. 3590–3602.
[19] R. Cohen, O. S. Shalom, D. Jannach, A. Amir, A black-box attack model for visually-aware recommender systems, in: WSDM, ACM, 2021, pp. 94–102.
[20] D. Jannach, L. Lerche, I. Kamehkhosh, M. Jugovac, What recommenders recommend: An analysis of recommendation biases and possible countermeasures, User Model. User Adapt. Interact. 25 (2015) 427–491.
[21] H. Abdollahpouri, R. Burke, B. Mobasher, Controlling popularity bias in learning-to-rank recommendation, in: RecSys, ACM, 2017, pp. 42–46.
[22] Z. Zhu, J. Wang, J. Caverlee, Measuring and mitigating item under-recommendation bias in personalized ranking systems, in: SIGIR, ACM, 2020, pp. 449–458.
[23] L. Boratto, G. Fenu, M. Marras, Connecting user and item perspectives in popularity debiasing for collaborative recommendation, Inf. Process. Manag. 58 (2021) 102387.
[24] R. He, C. Packer, J. J. McAuley, Learning compatibility across categories for heterogeneous item recommendation, in: ICDM, IEEE Computer Society, 2016, pp. 937–942.
[25] J. J. McAuley, C. Targett, Q. Shi, A. van den Hengel, Image-based recommendations on styles and substitutes, in: SIGIR, 2015.
[26] V. W. Anelli, A. Bellogín, A. Ferrara, D. Malitesta, F. A. Merra, C. Pomo, F. M. Donini, T. Di Noia, Elliot: A comprehensive and rigorous framework for reproducible recommender systems evaluation, in: SIGIR, ACM, 2021, pp. 2405–2414.
[27] J. Chen, H. Zhang, X. He, L. Nie, W. Liu, T. Chua, Attentive collaborative filtering: Multimedia recommendation with item- and component-level attention, in: SIGIR, ACM, 2017.
[28] W. Niu, J. Caverlee, H. Lu, Neural personalized ranking for image recommendation, in: WSDM, 2018.
[29] W. Kang, C. Fang, Z. Wang, J. J. McAuley, Visually-aware fashion recommendation and design with generative image models, in: ICDM, IEEE Computer Society, 2017, pp. 207–216.
[30] R. Yin, K. Li, J. Lu, G. Zhang, Enhancing fashion recommendation with visual compatibility relationship, in: WWW, 2019.
[31] A. Paul, Z. Wu, K. Liu, S. Gong, Robust multi-objective visual Bayesian personalized ranking for multimedia recommendation, Applied Intelligence (2021) 1–12.
[32] R. Cañamares, P. Castells, Should I follow the crowd?: A probabilistic analysis of the effectiveness of popularity in recommender systems, in: SIGIR, ACM, 2018, pp. 415–424.
[33] E. Mena-Maldonado, R. Cañamares, P. Castells, Y. Ren, M. Sanderson, Popularity bias in false-positive metrics for recommender systems evaluation, ACM Trans. Inf. Syst. 39 (2021) 36:1–36:43.
[34] Y. Koren, R. M. Bell, C. Volinsky, Matrix factorization techniques for recommender systems, Computer 42 (2009) 30–37.
[35] J. Tang, X. Du, X. He, F. Yuan, Q. Tian, T. Chua, Adversarial training towards robust multimedia recommender system, IEEE Trans. Knowl. Data Eng. 32 (2020) 855–867.
[36] V. W. Anelli, A. Bellogín, A. Ferrara, D. Malitesta, F. A. Merra, C. Pomo, F. M. Donini, T. Di Noia, V-Elliot: Design, evaluate and tune visual recommender systems, in: RecSys, ACM, 2021.
[37] T. Di Noia, D. Malitesta, F. A. Merra, TAaMR: Targeted adversarial attack against multimedia recommender systems, in: DSN Workshops, IEEE, 2020, pp. 1–8.