This repo contains the PyTorch implementation and LaTeX code for my master thesis, Adversarial Attacks and Defenses for Image-Based Recommendation Systems using Deep Neural Networks.
Today recommendation systems (RSs) are an established part of modern web-services and are deployed by numerous companies. Owing to the success of deep neural networks (DNNs) in other domains, the industry has started implementing RSs using DNNs. However, DNNs were shown to be vulnerable to targeted adversarial attacks in recent studies. While there have been several studies on the subject of adversarial attacks against collaborative filtering (CF) based RSs only few studies focusing on content-based RSs have been published. In this thesis, we showed that a visual content-based RSs using DNNs is vulnerable to targeted adversarial attacks using state-of-the-art white-box attacks. In the next step, we tested different defense mechanisms utilizing adversarial training (AT) and were able to show that AT had a significant positive impact on the robustness of our trained models against our performed attacks.
Proposed targeted item-to-item attack setup for an image based k-NN recommender
Adversarial example, created using PGD with ε=0.03 and 32 iterations
Recommendation results with injected PGD adversarial example
Attack success rates (%) for reaching a target rank <= 3 for an undefended model
Attack success rates (%) for reaching a target rank <= 3 for an adversarially trained model
Attack success rates (%) for reaching a target rank <= 3 and ε=0.05 for all evaluated attacks and defenses
Attacks | |||
---|---|---|---|
Defenses | FGSM | PGD-128 | CW-1000 |
Unsecured | 0.07 | 98.32 | 99.70 |
AT | 0.03 | 0.07 | 0.30 |
CAT | 0.00 | 14.89 | 32.80 |
To install all required dependencies a script for debian based distros is included
./setup.sh
for other distros or operating systems you need to install Python 3.7 and Pipenv manually
./data.sh
pipenv run python -m src.train --batch-size 32 normal --num-epochs 12
pipenv run python -m src.train --batch-size 32 adversarial --num-epochs 12
pipenv run python -m src.train --batch-size 32 curriculum-adversarial --num-epochs 12
./evaluate.sh
./attack.sh
pipenv run python -m src.attack --model-name normal-24-epochs --epsilon 0.03 fgsm
pipenv run python -m src.attack --model-name normal-24-epochs --epsilon 0.03 pgd
pipenv run python -m src.attack --model-name normal-24-epochs --epsilon 0.03 cw
@mastersthesis{normann2020advrecsys,
title={Adversarial Attacks and Defenses for Image-Based Recommendation Systems using Deep Neural Networks},
author={Philipp Normann},
year={2020}
}