arxiv: 2605.06238 · v1 · submitted 2026-05-07 · 💻 cs.LG · cs.AI

Recognition: unknown

Band Together: Untargeted Adversarial Training with Multimodal Coordination against Evasion-based Promotion Attacks

Guanmeng Xian , Ning Yang , Philip S. Yu

Authors on Pith no claims yet

Pith reviewed 2026-05-08 13:27 UTC · model grok-4.3

classification 💻 cs.LG cs.AI

keywords multimodal recommender systemsadversarial trainingevasion attackspromotion attacksgradient alignmentrobustnesscross-modal coordination

0 comments

The pith

By identifying cross-modal gradient mismatch and using multimodal coordination in untargeted adversarial training, the method improves robustness of multimodal recommender systems against evasion-based promotion attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper identifies a cross-modal gradient mismatch that arises in multi-user evasion-based promotion attacks on multimodal recommender systems, where visual and textual perturbations optimize in inconsistent directions because distinct user groups dominate each modality. This mismatch dilutes overall attack strength and causes standard robust training to underestimate the worst-case risks. To address it, the authors introduce Untargeted Adversarial Training with Multimodal Coordination (UAT-MC), which treats all items as potential targets and aligns gradients across modalities to synchronize perturbations and maximize adversarial strength during training. If the approach holds, it yields models that resist promotion attacks more effectively while preserving acceptable recommendation accuracy under the defense-accuracy trade-off.

Core claim

The central claim is that cross-modal gradient mismatch dilutes the effectiveness of evasion-based promotion attacks in the multi-user setting, and that UAT-MC corrects this mismatch by gradient alignment plus untargeted treatment of all items as targets, thereby generating stronger adversarial examples that enable more effective robust training.

What carries the argument

UAT-MC, the untargeted adversarial training procedure that applies a gradient alignment mechanism to synchronize perturbation directions between visual and textual modalities.

If this is right

Synchronized perturbations allow robust training to capture and defend against higher worst-case risks.
The method works against evasion attacks with unknown targets by treating every item as a potential target.
Recommendation performance remains acceptable despite the added robustness.
The coordination directly counters the extra vulnerability created by combining visual and textual signals.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Gradient alignment techniques may extend to defend other multimodal tasks such as vision-language models against coordinated attacks.
Future attackers could design methods that break or bypass the alignment step, creating a need for adaptive defenses.
Hybrid systems that combine this evasion defense with existing poisoning defenses could cover a wider range of threats to recommender platforms.
Deployment on large-scale real-world datasets would test whether the defense-accuracy trade-off holds outside controlled experiments.

Load-bearing premise

The cross-modal gradient mismatch is the primary reason attack effectiveness is diluted, and that explicit alignment of gradients will maximize adversarial strength for robust training without new vulnerabilities or performance losses.

What would settle it

An experiment that measures attack success rate on the defended model when gradient alignment is added versus omitted, specifically checking whether synchronization produces a measurable increase in measured robustness against multi-user promotion attacks.

Figures

Figures reproduced from arXiv: 2605.06238 by Guanmeng Xian, Ning Yang, Philip S. Yu.

**Figure 1.** Figure 1: VBPR’s vulnerability to vanilla FGSM-based promotion view at source ↗

**Figure 2.** Figure 2: Illustration of objective inconsistency across modalities. view at source ↗

**Figure 3.** Figure 3: Distribution of Jaccard Similarity between view at source ↗

**Figure 4.** Figure 4: The framework of UAT-MC. Algorithm 1 UAT-MC Input: Training data D; Learning rate η; Perturbation budgets ϵt, ϵv; Hyperparameters λ, α, β Output: Robust MRS model parameters Θ 1: Initialize Θ from normal-trained MRS 2: while not converged do 3: Randomly draw an example (u, i+, i−) from D 4: // Max phase 5: L ′ BPR = − ln σ(h ′ u · h ′ + − h ′ u · h ′ −) 6: Γv = ∇∆v L ′ BPR, Γt = ∇∆tL ′ BPR 7: LAlign = cos… view at source ↗

**Figure 5.** Figure 5: Visualization of attack effectiveness under varying budgets. The heatmaps display the view at source ↗

**Figure 6.** Figure 6: Trade-off between recommendation performance view at source ↗

**Figure 7.** Figure 7: Distribution of Jaccard Similarity between view at source ↗

**Figure 8.** Figure 8: Case study of PGD-based promotion attacks on item view at source ↗

**Figure 10.** Figure 10: Impact of λ and α on the trade-off between accuracy and attack effectiveness for MMGCN under PGD-based attack view at source ↗

read the original abstract

Multimodal recommender systems exploit visual and textual signals to alleviate data sparsity, but this also makes them more vulnerable to evasion-based promotion attacks. Existing defenses are largely limited to single-modal settings and mainly focus on poisoning-based threats, leaving evasion-based threats underexplored. In this work, we first identify a cross-modal gradient mismatch under the multi-user promotion setting, where visual and textual perturbations are optimized in inconsistent directions due to the dominance of distinct user groups. This phenomenon dilutes the attack effectiveness and leads robust training to underestimate worst-case risks. To address this issue, we propose Untargeted Adversarial Training with Multimodal Coordination (UAT-MC). UAT-MC tackles the challenge of unknown targeted items in evasion-based attacks (as opposed to poisoning-based attacks) by treating all items as potential targets, and introduces a gradient alignment mechanism to explicitly correct this mismatch. This design ensures synchronized perturbations across modalities, thereby maximizing adversarial strength for robust training. Extensive experiments demonstrate that UAT-MC significantly improves robustness against promotion attacks while maintaining acceptable recommendation performance under the defense-accuracy trade-off. Code is available at https://github.com/gmXian/UAT-MC.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

UAT-MC adds gradient alignment across modalities to untargeted adversarial training for evasion promotion attacks in multimodal recommenders, but the experiments leave open whether alignment is the main driver of any gains.

read the letter

The paper's core move is to treat evasion promotion attacks in multimodal recommenders as an untargeted problem where the attacker can push any item, then add a gradient alignment step so that visual and textual perturbations reinforce rather than cancel each other under multi-user optimization. This is positioned as fixing a dilution effect that single-modal defenses miss. The idea is straightforward and directly motivated by the observed mismatch between modalities when different user groups dominate the gradient signal. That part is clear and worth noting as a concrete extension of existing adversarial training to the multimodal case. The claim that this produces stronger worst-case perturbations for robust training follows logically from the setup. Experiments are said to show better robustness with acceptable accuracy trade-offs, and code is released, which helps reproducibility. The main soft spot is that the evaluation does not isolate the alignment component. Gains could come from the all-items-as-targets choice, from other training details, or from multi-user effects unrelated to cross-modal mismatch. Without ablations that measure how much mismatch actually occurs and how much alignment reduces it, it is hard to attribute improvements specifically to the coordination fix. The abstract also gives no statistical details or baseline breakdowns, so the strength of the robustness numbers remains hard to judge from the given material. This work is aimed at researchers focused on adversarial robustness in recommender systems, particularly those already looking at multimodal models. A reader in that niche can extract the gradient-alignment idea and the untargeted framing even if the validation needs tightening. It is coherent enough on its own terms to deserve a serious referee, though the review would likely press for component ablations and clearer quantification of the mismatch effect. I would send it to peer review rather than desk reject.

Referee Report

2 major / 1 minor

Summary. The paper identifies a cross-modal gradient mismatch in multi-user evasion-based promotion attacks on multimodal recommender systems, where visual and textual perturbations optimize in inconsistent directions due to distinct user groups. This mismatch is argued to dilute attack strength and cause robust training to underestimate risks. The authors propose Untargeted Adversarial Training with Multimodal Coordination (UAT-MC), which treats all items as potential targets (to handle unknown targets in evasion attacks) and introduces a gradient alignment mechanism to synchronize perturbations across modalities. Extensive experiments are reported to show that UAT-MC improves robustness against promotion attacks while preserving acceptable recommendation performance under the defense-accuracy trade-off.

Significance. If the results and attribution hold, the work fills a gap in defenses for evasion attacks in multimodal recommenders (as opposed to the more studied poisoning attacks), and the gradient alignment idea may generalize to other multimodal settings with inconsistent optimization directions. The public code release supports reproducibility and allows verification of the claims.

major comments (2)

Experimental evaluation: No ablation is presented that isolates the gradient alignment mechanism from the 'treat all items as targets' component. The reported robustness gains could therefore stem from the untargeted formulation rather than the coordination fix for cross-modal mismatch, undermining the central claim that alignment maximizes adversarial strength for robust training.
Method and motivation sections: The existence of cross-modal gradient mismatch is asserted but not quantified (e.g., via pre/post-alignment gradient cosine similarities or attack success rate deltas attributable to mismatch alone) across datasets or user groups, leaving the dilution effect as an unisolated assumption rather than a measured phenomenon.

minor comments (1)

Abstract: The claim of 'extensive experiments' would be strengthened by briefly naming the datasets, primary metrics (e.g., HR, NDCG, attack success rate), and baselines used.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback and for recognizing the significance of our work on defenses against evasion-based promotion attacks in multimodal recommender systems. We address each major comment below, agreeing that additional analyses will strengthen the paper, and we outline the planned revisions.

read point-by-point responses

Referee: Experimental evaluation: No ablation is presented that isolates the gradient alignment mechanism from the 'treat all items as targets' component. The reported robustness gains could therefore stem from the untargeted formulation rather than the coordination fix for cross-modal mismatch, undermining the central claim that alignment maximizes adversarial strength for robust training.

Authors: We agree that an explicit ablation isolating the gradient alignment from the untargeted formulation would more clearly attribute the robustness gains to the coordination mechanism. The current experiments compare UAT-MC against standard adversarial training baselines, but do not include a dedicated variant that applies the untargeted approach without alignment. In the revision, we will add this ablation study, reporting attack success rates and recommendation metrics for the untargeted-only variant versus the full UAT-MC across all datasets. This will directly demonstrate the incremental benefit of the gradient alignment in addressing cross-modal mismatch. revision: yes
Referee: Method and motivation sections: The existence of cross-modal gradient mismatch is asserted but not quantified (e.g., via pre/post-alignment gradient cosine similarities or attack success rate deltas attributable to mismatch alone) across datasets or user groups, leaving the dilution effect as an unisolated assumption rather than a measured phenomenon.

Authors: We acknowledge that providing quantitative evidence for the cross-modal gradient mismatch would strengthen the motivation and central claim. The manuscript describes the mismatch arising from distinct user groups in multi-user evasion attacks, but does not report explicit metrics such as gradient cosine similarities before and after alignment or isolated attack success rate improvements due to mismatch correction. In the revised version, we will include these measurements (e.g., average cosine similarities between visual and textual gradients across user groups and datasets, plus attack performance deltas with and without alignment) to empirically validate the dilution effect and the effectiveness of the coordination fix. revision: yes

Circularity Check

0 steps flagged

No significant circularity in UAT-MC derivation or claims

full rationale

The paper's central contribution rests on an empirical observation of cross-modal gradient mismatch (identified via direct inspection of optimization directions across user groups) followed by a proposed gradient alignment fix inside an untargeted adversarial training loop that treats all items as targets. This is validated through standard experimental comparisons rather than any self-referential equations, fitted parameters renamed as predictions, or load-bearing self-citations. No derivation step reduces by construction to its own inputs; the method is self-contained against external benchmarks and the reader's provided circularity assessment of 2.0 is consistent with at most minor non-load-bearing self-citation.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Based solely on the abstract, no explicit free parameters, axioms, or invented entities are detailed. The approach likely relies on standard adversarial optimization assumptions and training hyperparameters that are not specified here.

pith-pipeline@v0.9.0 · 5516 in / 1070 out tokens · 78843 ms · 2026-05-08T13:27:42.821113+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

30 extracted references · 2 canonical work pages · 2 internal anchors

[1]

Adversarial item promotion on visually-aware rec- ommender systems by guided diffusion.ACM Trans

[Chenet al., 2024 ] Lijian Chen, Wei Yuan, Tong Chen, Guanhua Ye, Nguyen Quoc Viet Hung, and Hongzhi Yin. Adversarial item promotion on visually-aware rec- ommender systems by guided diffusion.ACM Trans. Inf. Syst., 42(6), August

2024
[2]

Taamr: Targeted adversar- ial attack against multimedia recommender systems

[Di Noiaet al., 2020 ] Tommaso Di Noia, Daniele Malitesta, and Felice Antonio Merra. Taamr: Targeted adversar- ial attack against multimedia recommender systems. In 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), pages 1–8,

2020
[3]

Explaining and Harnessing Adversarial Examples

[Goodfellowet al., 2014 ] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples.arXiv preprint arXiv:1412.6572,

work page internal anchor Pith review arXiv 2014
[4]

Lgmrec: local and global graph learning for multimodal recommendation

[Guoet al., 2024 ] Zhiqiang Guo, Jianjun Li, Guohui Li, Chaoyang Wang, Si Shi, and Bin Ruan. Lgmrec: local and global graph learning for multimodal recommendation. In Proceedings of the AAAI Conference on Artificial Intelli- gence, volume 38, pages 8454–8462,

2024
[5]

Unsupervised post-time fake social mes- sage detection with recommendation-aware representation learning

[Hsiaoet al., 2022 ] Shao-Ping Hsiao, Yu-Che Tsai, and Cheng-Te Li. Unsupervised post-time fake social mes- sage detection with recommendation-aware representation learning. InCompanion Proceedings of the Web Confer- ence 2022, pages 232–235,

2022
[6]

Teach me how to denoise: A universal framework for denoising multi-modal recommender systems via guided calibration

[Liet al., 2025 ] Hongji Li, Hanwen Du, Youhua Li, Junchen Fu, Chunxiao Li, Ziyi Zhuang, Jiakang Li, and Yongxin Ni. Teach me how to denoise: A universal framework for denoising multi-modal recommender systems via guided calibration. InProceedings of the Eighteenth ACM In- ternational Conference on Web Search and Data Mining, WSDM ’25, page 782–791, New Y...

2025
[7]

[Linet al., 2023 ] Weilin Lin, Xiangyu Zhao, Yejing Wang, Yuanshao Zhu, and Wanyu Wang

Association for Computing Machinery. [Linet al., 2023 ] Weilin Lin, Xiangyu Zhao, Yejing Wang, Yuanshao Zhu, and Wanyu Wang. Autodenoise: Auto- matic data instance denoising for recommendations. In Proceedings of the ACM Web Conference 2023, pages 1003–1011,

2023
[8]

Adversarial item promotion: Vulnerabilities at the core of top-n recommenders that use images to address cold start

[Liu and Larson, 2021] Zhuoran Liu and Martha Larson. Adversarial item promotion: Vulnerabilities at the core of top-n recommenders that use images to address cold start. InProceedings of the Web Conference 2021, WWW ’21, page 3590–3602, New York, NY , USA,

2021
[9]

[Liuet al., 2024 ] Yifan Liu, Kangning Zhang, Xiangyuan Ren, Yanhua Huang, Jiarui Jin, Yingjie Qin, Ruilong Su, Ruiwen Xu, Yong Yu, and Weinan Zhang

Association for Computing Machinery. [Liuet al., 2024 ] Yifan Liu, Kangning Zhang, Xiangyuan Ren, Yanhua Huang, Jiarui Jin, Yingjie Qin, Ruilong Su, Ruiwen Xu, Yong Yu, and Weinan Zhang. Alignrec: Aligning and training in multimodal recommendations. In Proceedings of the 33rd ACM International Conference on Information and Knowledge Management, CIKM ’24, ...

2024
[10]

Towards Deep Learning Models Resistant to Adversarial Attacks

Association for Computing Machinery. [Madryet al., 2017 ] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks.arXiv preprint arXiv:1706.06083,

work page internal anchor Pith review arXiv 2017
[11]

Trust-grs: A trustworthy training frame- work for graph neural network based recommender sys- tems against shilling attacks

[Muet al., 2025 ] Lingyu Mu, Zhengxiao Liu, Zhitong Zhu, and Zheng Lin. Trust-grs: A trustworthy training frame- work for graph neural network based recommender sys- tems against shilling attacks. InProceedings of the AAAI Conference on Artificial Intelligence, volume 39, pages 12408–12416,

2025
[12]

Poisoning gnn-based recommender systems with generative surrogate-based attacks.ACM Trans

[Nguyen Thanhet al., 2023 ] Toan Nguyen Thanh, Nguyen Duc Khang Quach, Thanh Tam Nguyen, Thanh Trung Huynh, Viet Hung Vu, Phi Le Nguyen, Jun Jo, and Quoc Viet Hung Nguyen. Poisoning gnn-based recommender systems with generative surrogate-based attacks.ACM Trans. Inf. Syst., 41(3), February

2023
[13]

[Ong and Khong, 2025] Rongqing Kenneth Ong and Andy W. H. Khong. Spectrum-based modality representation fusion graph convolutional network for multimodal rec- ommendation. InProceedings of the Eighteenth ACM In- ternational Conference on Web Search and Data Mining, WSDM ’25, page 773–781, New York, NY , USA,

2025
[14]

[Rendleet al., 2009 ] Steffen Rendle, Christoph Freuden- thaler, Zeno Gantner, and Lars Schmidt-Thieme

Association for Computing Machinery. [Rendleet al., 2009 ] Steffen Rendle, Christoph Freuden- thaler, Zeno Gantner, and Lars Schmidt-Thieme. Bpr: Bayesian personalized ranking from implicit feedback. In Proceedings of the Twenty-Fifth Conference on Uncer- tainty in Artificial Intelligence, UAI ’09, page 452–461, Arlington, Virginia, USA,

2009
[15]

[Sunet al., 2020 ] Rui Sun, Xuezhi Cao, Yan Zhao, Junchen Wan, Kun Zhou, Fuzheng Zhang, Zhongyuan Wang, and Kai Zheng

AUAI Press. [Sunet al., 2020 ] Rui Sun, Xuezhi Cao, Yan Zhao, Junchen Wan, Kun Zhou, Fuzheng Zhang, Zhongyuan Wang, and Kai Zheng. Multi-modal knowledge graphs for recom- mender systems. InProceedings of the 29th ACM inter- national conference on information & knowledge manage- ment, pages 1405–1414,

2020
[16]

Adversarial training towards robust multimedia recommender system

[Tanget al., 2020 ] Jinhui Tang, Xiaoyu Du, Xiangnan He, Fajie Yuan, Qi Tian, and Tat-Seng Chua. Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering, 32(5):855–867,

2020
[17]

Detecting shilling groups in online recommender systems based on graph convolu- tional network.Information Processing & Management, 59(5):103031,

[Wanget al., 2022 ] Shilei Wang, Peng Zhang, Hui Wang, Hongtao Yu, and Fuzhi Zhang. Detecting shilling groups in online recommender systems based on graph convolu- tional network.Information Processing & Management, 59(5):103031,

2022
[18]

Dualgnn: Dual graph neural network for multimedia recommenda- tion.Multimedia, IEEE Trans

[Wanget al., 2023 ] Qifan Wang, Yinwei Wei, Jianhua Yin, Jianlong Wu, Xuemeng Song, and Liqiang Nie. Dualgnn: Dual graph neural network for multimedia recommenda- tion.Multimedia, IEEE Trans. on (T-MM), 25(000):11,

2023
[19]

Mmgcn: Multi-modal graph convolution network for per- sonalized recommendation of micro-video

[Weiet al., 2019 ] Yinwei Wei, Xiang Wang, Liqiang Nie, Xiangnan He, Richang Hong, and Tat-Seng Chua. Mmgcn: Multi-modal graph convolution network for per- sonalized recommendation of micro-video. InProceed- ings of the 27th ACM international conference on multi- media, pages 1437–1445,

2019
[20]

Graph-refined con- volutional network for multimedia recommendation with implicit feedback

[Weiet al., 2020 ] Yinwei Wei, Xiang Wang, Liqiang Nie, Xiangnan He, and Tat-Seng Chua. Graph-refined con- volutional network for multimedia recommendation with implicit feedback. InProceedings of the 28th ACM In- ternational Conference on Multimedia, MM ’20, page 3541–3549, New York, NY , USA,

2020
[21]

[Wuet al., 2021 ] Chenwang Wu, Defu Lian, Yong Ge, Zhi- hao Zhu, Enhong Chen, and Senchao Yuan

Association for Computing Machinery. [Wuet al., 2021 ] Chenwang Wu, Defu Lian, Yong Ge, Zhi- hao Zhu, Enhong Chen, and Senchao Yuan. Fight fire with fire: Towards robust recommender systems via ad- versarial poisoning training. InProceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval, SIGIR ’21, pag...

2021
[22]

[Wuet al., 2023 ] Chenwang Wu, Defu Lian, Yong Ge, Zhi- hao Zhu, and Enhong Chen

Association for Computing Machinery. [Wuet al., 2023 ] Chenwang Wu, Defu Lian, Yong Ge, Zhi- hao Zhu, and Enhong Chen. Influence-driven data poison- ing for robust recommender systems.IEEE Trans. Pattern Anal. Mach. Intell., 45(10):11915–11931, October

2023
[23]

Attacking visually-aware recom- mender systems with transferable and imperceptible ad- versarial styles

[Yanget al., 2024 ] Shiyi Yang, Chen Wang, Xiwei Xu, Lim- ing Zhu, and Lina Yao. Attacking visually-aware recom- mender systems with transferable and imperceptible ad- versarial styles. InProceedings of the 33rd ACM Interna- tional Conference on Information and Knowledge Man- agement, CIKM ’24, page 2900–2909, New York, NY , USA,

2024
[24]

[Yuet al., 2023 ] Penghang Yu, Zhiyi Tan, Guanming Lu, and Bing-Kun Bao

Association for Computing Machinery. [Yuet al., 2023 ] Penghang Yu, Zhiyi Tan, Guanming Lu, and Bing-Kun Bao. Multi-view graph convolutional net- work for multimedia recommendation. InProceedings of the 31st ACM international conference on multimedia, pages 6576–6585,

2023
[25]

Mining latent structures for multimedia recommendation

[Zhanget al., 2021 ] Jinghao Zhang, Yanqiao Zhu, Qiang Liu, Shu Wu, Shuhui Wang, and Liang Wang. Mining latent structures for multimedia recommendation. InPro- ceedings of the 29th ACM international conference on multimedia, pages 3872–3880,

2021
[26]

Stealthy attack on large language model based recommendation

[Zhanget al., 2024 ] Jinghao Zhang, Yuting Liu, Qiang Liu, Shu Wu, Guibing Guo, and Liang Wang. Stealthy attack on large language model based recommendation. In Lun- Wei Ku, Andre Martins, and Vivek Srikumar, editors,Pro- ceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pages 5839–5857, Bangkok,...

2024
[27]

Enhancing dyadic relations with homoge- neous graphs for multimodal recommendation

[Zhouet al., 2023b ] Hongyu Zhou, Xin Zhou, Lingzi Zhang, and Zhiqi Shen. Enhancing dyadic relations with homoge- neous graphs for multimodal recommendation. InECAI 2023, pages 3123–3130. IOS Press,

2023
[28]

Bootstrap latent representations for multi-modal recommendation

[Zhouet al., 2023c ] Xin Zhou, Hongyu Zhou, Yong Liu, Zhiwei Zeng, Chunyan Miao, Pengwei Wang, Yuan You, and Feijun Jiang. Bootstrap latent representations for multi-modal recommendation. InProceedings of the ACM web conference 2023, pages 845–854,

2023
[29]

For example, VBPR [He and McAuley, 2016b] extends traditional Matrix Factorization by integrating mul- timodal representations with item ID embeddings

A Related Work A.1 Multimodal Recommender Systems Multimodal recommender systems (MRSs) aim to enhance recommendation performance by integrating multiple modal- ities of items. For example, VBPR [He and McAuley, 2016b] extends traditional Matrix Factorization by integrating mul- timodal representations with item ID embeddings. GNN- based methods such as M...

2019
[30]

Across both settings, we observe that increasing the defense budgetϵ d consistently suppresses the attack gain, demonstrat- ing the robustness of our method against different variations of promotion attacks. B.4 Case Study To illustrate how cross-modal gradient mismatch manifests during optimization and how gradient-level alignment re- shapes the optimiza...

1946