VENOMREC: Cross-Modal Interactive Poisoning for Targeted Promotion in Multimodal LLM Recommender Systems

Multimodal large language models (MLLMs) are pushing recommender systems (RecSys) toward content-grounded retrieval and ranking via cross-modal fusion. We find that while cross-modal consensus often mitigates conventional poisoning that manipulates interaction logs or perturbs a single modality, it also introduces a new attack surface where synchronised multimodal poisoning can reliably steer fused representations along stable semantic directions during fine-tuning. To characterise this threat, we formalise cross-modal interactive poisoning and propose VENOMREC, which performs Exposure Alignment to identify high-exposure regions in the joint embedding space and Cross-modal Interactive Perturbation to craft attention-guided coupled token-patch edits. Experiments on three real-world multimodal datasets demonstrate that VENOMREC consistently outperforms strong baselines, achieving 0.73 mean ER@20 and improving over the strongest baseline by +0.52 absolute ER points on average, while maintaining comparable recommendation utility.

Key Contributions

• First formalization of cross-modal interactive poisoning as a distinct threat against MLLM-based recommender systems, showing that cross-modal consensus — while suppressing single-modality noise — creates a new amplification surface for synchronized attacks.
• Exposure Alignment (EA) technique that identifies high-exposure 'hotspot' regions in the joint embedding space to set the attack's optimization target.
• Cross-modal Interactive Perturbation (CIP) algorithm that leverages cross-modal attention to identify salient token-patch pairs and crafts coupled, stealthy perturbations achieving 0.73 mean ER@20, outperforming the best baseline by +0.52 absolute ER points.

🛡️ Threat Analysis

Details

Similar Papers