Adversarial Text Rewriting for Text-aware Recommender Systems

Sejoon Oh, Gaurav Verma, Srijan Kumar
DOI: https://doi.org/10.1145/3627673.3679592
2024-08-01
Abstract: Text-aware recommender systems incorporate rich textual features, such as titles and descriptions, to generate item recommendations for users. The use of textual features helps mitigate cold-start problems, and thus, such recommender systems have attracted increased attention. However, we argue that the dependency on item descriptions makes the recommender system vulnerable to manipulation by adversarial sellers on e-commerce platforms. In this paper, we explore the possibility of such manipulation by proposing a new text rewriting framework to attack text-aware recommender systems. We show that the rewriting attack can be exploited by sellers to unfairly uprank their products, even though the adversarially rewritten descriptions are perceived as realistic by human evaluators. Methodologically, we investigate two different variations to carry out text rewriting attacks: (1) two-phase fine-tuning for greater attack performance, and (2) in-context learning for higher text rewriting quality. Experiments spanning 3 different datasets and 4 existing approaches demonstrate that recommender systems exhibit vulnerability against the proposed text rewriting attack. Our work adds to the existing literature around the robustness of recommender systems, while highlighting a new dimension of vulnerability in the age of large-scale automated text generation.
Information Retrieval, Cryptography and Security, Machine Learning, Social and Information Networks
### What problem does this paper attempt to solve?

This paper explores the vulnerability of text-aware recommender systems when faced with adversarial sellers. Specifically, the authors propose a new text rewriting framework to attack these recommender systems. Through this framework, sellers can rewrite product descriptions to unfairly boost their product rankings, even though these adversarially rewritten descriptions still appear authentic to human evaluators.

### Main Issues and Background

1. **Advantages of Text-Aware Recommender Systems**:
   - Utilize rich textual features (such as titles and descriptions) to generate user recommendations.
   - Help mitigate the cold start problem and improve the performance of recommender systems.
2. **New Vulnerability**:
   - Reliance on product descriptions makes recommender systems susceptible to manipulation.
   - Adversarial sellers can unfairly boost their product rankings by rewriting product descriptions.

### Research Objectives

- **Propose Text Rewriting Attacks**: Explore how to attack text-aware recommender systems through text rewriting.
- **Evaluate System Vulnerability**: Experimentally verify the vulnerability of recommender systems when faced with these attacks.
- **Method Innovation**: Propose two different text rewriting strategies to accommodate different resources and language model choices.

### Specific Research Content

1. **Two-Phase Fine-Tuning (ATR-2FT)**:
   - Phase 1: Domain-adaptive fine-tuning of a pre-trained text generation model to generate text that conforms to specific domain characteristics.
   - Phase 2: Introduce a ranking enhancement loss function to optimize the generated text to boost the target product's ranking.
2. **In-Context Learning (ATR-ICL)**:
   - Suitable for large language models (LLMs) such as Llama-2 and GPT-4.
   - Use carefully designed prompts and a few examples to guide the model in generating fluent text with ranking enhancement effects.

### Experimental Results

- **Datasets**: Three datasets were used, including Amazon Books, Amazon Electronics, and MovieLens.
- **Evaluation Metrics**: The primary metric is the average predicted ranking of the target product among all users, and the secondary metric is the number of times the target product appears in the top 20 recommendations (Appear@20).
- **Experimental Results**: The proposed ATR methods significantly improved the target product's ranking, and the generated text was superior in fluency and authenticity compared to baseline methods.

### Conclusion

- This paper reveals the vulnerability of text-aware recommender systems to text rewriting attacks.
- The proposed ATR methods excel in boosting target product rankings while generating high-quality text.
- This research provides new perspectives and methods for improving the robustness of recommender systems.
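The two evaluation metrics named under Experimental Results can be used by a platform to audit how much a description-only edit moves an item's exposure. The following is an added example, not code from the paper or its authors; it assumes the recommender exposes a per-user score for every item, and the score data and the `max_rank_gain` review threshold are constructed and hypothetical.

```python
# Added example: exposure metrics for auditing a listing-text edit.
# Assumption: scores[u][i] is the recommender's predicted score of item i
# for user u (higher = better). All numbers below are constructed.

def item_rank(user_scores, target):
    """1-based rank of `target` for one user; ties resolve in the item's favour."""
    t = user_scores[target]
    return 1 + sum(1 for s in user_scores if s > t)

def avg_predicted_rank(scores, target):
    """Primary metric: mean rank of the target item over all users."""
    return sum(item_rank(row, target) for row in scores) / len(scores)

def appear_at_k(scores, target, k=20):
    """Secondary metric (Appear@k): users whose top-k list contains the target."""
    return sum(1 for row in scores if item_rank(row, target) <= k)

def exposure_shift(before, after, target, k=20, max_rank_gain=10.0):
    """Compare both metrics across a text-only edit of one item.

    max_rank_gain is a hypothetical review threshold, not a value from the paper.
    """
    rank_b = avg_predicted_rank(before, target)
    rank_a = avg_predicted_rank(after, target)
    return {
        "avg_rank_before": rank_b,
        "avg_rank_after": rank_a,
        "appear_before": appear_at_k(before, target, k),
        "appear_after": appear_at_k(after, target, k),
        "needs_review": (rank_b - rank_a) > max_rank_gain,
    }

def constructed_scores(n_users=4, n_items=30):
    """Constructed sample: every user row holds each of n_items scores once."""
    return [[((i * 7 + u * 3) % n_items) / n_items for i in range(n_items)]
            for u in range(n_users)]

TARGET = 5
BEFORE = constructed_scores()
# Constructed "after" snapshot: only the target's score changes, as it would
# when only its description is edited and interaction data stays the same.
AFTER = [row[:TARGET] + [27.5 / 30] + row[TARGET + 1:] for row in BEFORE]

if __name__ == "__main__":
    print(exposure_shift(BEFORE, AFTER, TARGET))
```

A large rank gain with no change in interaction data is the signal worth routing to manual review of the edited description.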