  • Open Access
  • Article
BadEmbNets: A Framework for Backdoor Attacks against Visually-Aware Recommender System
  • Duy Tung Khanh Nguyen *
  • Dung Hoang Duong *
  • Yang-Wai Chow

Received: 18 Mar 2025 | Revised: 15 May 2025 | Accepted: 15 Jun 2025 | Published: 19 Jun 2025

Abstract

Recommender systems play a pivotal role in e-commerce, social media, and content streaming platforms by personalizing user experiences and driving engagement. While enhancing the performance of these systems is crucial, ensuring their robustness is equally important to safeguard against security threats. Despite extensive research addressing adversarial and shilling attacks on recommender systems, backdoor attacks remain underexplored. This paper introduces BadEmbNets, an innovative framework for executing backdoor attacks on visually-aware recommender systems. Our experiments demonstrate that an attacker can effectively elevate the rank of compromised items by embedding triggers in their images without affecting the performance of benign items. This work motivates further research into backdoor attacks against recommender systems.

How to Cite
Nguyen, D. T. K.; Duong, D. H.; Chow, Y.-W. BadEmbNets: A Framework for Backdoor Attacks against Visually-Aware Recommender System. Pragmatic Cybersecurity 2025, 1 (1), 2.
Copyright & License
Copyright (c) 2025 by the authors.