A Black-Box Attack Model for Visually-Aware Recommender Systems
This work addresses security risks for recommendation service providers and users by exposing vulnerabilities in systems relying on external images, though it is incremental as it builds on existing attack methods in other domains.
The authors tackled the vulnerability of visually-aware recommender systems to attacks by external image sources, demonstrating that a black-box attack model with small, imperceptible image perturbations can effectively manipulate item scores and rankings, even with modest visual feature contributions.
Due to the advances in deep learning, visually-aware recommender systems (RS) have recently attracted increased research interest. Such systems combine collaborative signals with images, usually represented as feature vectors outputted by pre-trained image models. Since item catalogs can be huge, recommendation service providers often rely on images that are supplied by the item providers. In this work, we show that relying on such external sources can make an RS vulnerable to attacks, where the goal of the attacker is to unfairly promote certain pushed items. Specifically, we demonstrate how a new visual attack model can effectively influence the item scores and rankings in a black-box approach, i.e., without knowing the parameters of the model. The main underlying idea is to systematically create small human-imperceptible perturbations of the pushed item image and to devise appropriate gradient approximation methods to incrementally raise the pushed item's score. Experimental evaluations on two datasets show that the novel attack model is effective even when the contribution of the visual features to the overall performance of the recommender system is modest.