TAaMR: Targeted Adversarial Attack against Multimedia Recommender Systems

Deep learning classifiers are highly vulnerable to adversarial examples, whose existence has raised cybersecurity concerns in many tasks, with an emphasis on malware detection, computer vision, and speech recognition. While there is considerable effort to investigate attacks and defense strategies in these tasks, only limited work explores the influence of targeted attacks on the input data (e.g., images, textual descriptions, audio) used in multimedia recommender systems (MR). In this work, we examine the consequences of applying targeted adversarial attacks against the product images of a visual-based MR. We propose a novel adversarial attack approach, called Target Adversarial Attack against Multimedia Recommender Systems (TAaMR), to investigate how MR behavior changes when the images of a category of rarely recommended products (e.g., socks) are perturbed so that the deep neural classifier misclassifies them as a class of more frequently recommended products (e.g., running shoes), using image alterations that are slight at the level of human perception. We explore the TAaMR approach by studying the effect of two targeted adversarial attacks (i.e., FGSM and PGD) against the input pictures of two state-of-the-art MR (i.e., VBPR and AMR). Extensive experiments on two real-world fashion recommendation datasets confirmed the effectiveness of TAaMR in changing recommendation lists while preserving the original human judgment of the perturbed images.
