Adversarial Text Rewriting for Text-aware Recommender Systems

TL;DR

Adversarial Text Rewriting exposes a vulnerability in text-aware recommender systems by showing that sellers can rewrite item descriptions to boost target items’ ranks without altering model parameters. The authors introduce ATR, with two modes: ATR-2FT (two-phase fine-tuning) and ATR-ICL (in-context learning), to generate ranking-optimized yet fluent rewritten text, optimizing a text-generation loss and a rank-promotion objective. Across three real-world datasets and multiple text-aware recommenders, ATR-2FT consistently improves target-item rankings, with ATR-ICL delivering superior text quality; black-box surrogates enable effective attacks without model access. These findings raise important robustness concerns and motivate defenses such as adversarial training and defense-aware evaluation for text-rich recommender systems.

Abstract

Text-aware recommender systems incorporate rich textual features, such as titles and descriptions, to generate item recommendations for users. The use of textual features helps mitigate cold-start problems, and thus, such recommender systems have attracted increased attention. However, we argue that the dependency on item descriptions makes the recommender system vulnerable to manipulation by adversarial sellers on e-commerce platforms. In this paper, we explore the possibility of such manipulation by proposing a new text rewriting framework to attack text-aware recommender systems. We show that the rewriting attack can be exploited by sellers to unfairly uprank their products, even though the adversarially rewritten descriptions are perceived as realistic by human evaluators. Methodologically, we investigate two different variations to carry out text rewriting attacks: (1) two-phase fine-tuning for greater attack performance, and (2) in-context learning for higher text rewriting quality. Experiments spanning 3 different datasets and 4 existing approaches demonstrate that recommender systems exhibit vulnerability against the proposed text rewriting attack. Our work adds to the existing literature around the robustness of recommender systems, while highlighting a new dimension of vulnerability in the age of large-scale automated text generation.

Figures (6)

• Figure 1: Our work investigates the vulnerabilities of text-aware recommender systems against adversarial product description rewriting that cause increase in ranks of the targeted items across all users.
• Figure 2: An overview of the two-phase fine-tuning process of ATR-2FT for promoting target items in text-aware recommender systems. ATR-2FT first fine-tunes a pre-trained text generation model with product descriptions to learn domain-specific knowledge (Phase 1). Next, ATR-2FT performs a special fine-tuning of the language model with a rank promotion objective (Phase 2). The fully fine-tuned text generation model after Phase 2 can be used to generate ranking-optimized descriptions of target item(s).
• Figure 3: A prompt example for our proposed in-context learning for the Llama-2-Chat-7B language model.
• Figure 4: Various text quality metrics of rewritten item descriptions created by ATR and the GPT-2 baseline.
• Figure 5: Distinctive examples of rewritten item descriptions generated by ATR-2FT and ATR-ICL on three real-world datasets. The rewritten descriptions are fluent, relevant, and lead to higher ranks of target items than the ranks computed with the original text.