Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Shadow-Free Membership Inference Attacks: Recommender Systems Are More Vulnerable Than You Thought (2405.07018v1)

Published 11 May 2024 in cs.CR

Abstract: Recommender systems have been successfully applied in many applications. Nonetheless, recent studies demonstrate that recommender systems are vulnerable to membership inference attacks (MIAs), leading to the leakage of users' membership privacy. However, existing MIAs relying on shadow training suffer a large performance drop when the attacker lacks knowledge of the training data distribution and the model architecture of the target recommender system. To better understand the privacy risks of recommender systems, we propose shadow-free MIAs that directly leverage a user's recommendations for membership inference. Without shadow training, the proposed attack can conduct MIAs efficiently and effectively under a practice scenario where the attacker is given only black-box access to the target recommender system. The proposed attack leverages an intuition that the recommender system personalizes a user's recommendations if his historical interactions are used by it. Thus, an attacker can infer membership privacy by determining whether the recommendations are more similar to the interactions or the general popular items. We conduct extensive experiments on benchmark datasets across various recommender systems. Remarkably, our attack achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (44)
  1. Deep learning with differential privacy. In CCS, pages 308–318, 2016.
  2. Robin Burke. Hybrid recommender systems: Survey and experiments. User Modeling and User-adapted Interaction, 12:331–370, 2002.
  3. The secret sharer: Evaluating and testing unintended memorization in neural networks. In USENIX Security, pages 267–284, 2019.
  4. Extracting training data from large language models. In USENIX Security, pages 2633–2650, 2021.
  5. Membership inference attacks from first principles. In S&P, pages 1897–1914. IEEE, 2022.
  6. Attentive collaborative filtering: Multimedia recommendation with item-and component-level attention. In SIGIR, pages 335–344, 2017.
  7. Improving implicit recommender systems with view data. In IJCAI, pages 3343–3349, 2018.
  8. Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography: Theory of Cryptography Conference (TCC), pages 265–284. Springer, 2006.
  9. Graph neural networks for social recommendation. In WWW, pages 417–426, 2019.
  10. The movielens datasets: History and context. Acm Transactions on Interactive Intelligent Systems (TIIS), 5(4):1–19, 2015.
  11. Logan: Membership inference attacks against generative models. arXiv preprint arXiv:1705.07663, 2017.
  12. Fast matrix factorization for online recommendation with implicit feedback. In SIGIR, pages 549–558, 2016.
  13. Neural collaborative filtering. In WWW, pages 173–182, 2017.
  14. Segmentations-leak: Membership inference attacks and defenses in semantic image segmentation. In Computer Vision–ECCV, pages 519–535. Springer, 2020.
  15. Node-level membership inference attacks against graph neural networks. arXiv preprint arXiv:2102.05429, 2021.
  16. Session-based recommendations with recurrent neural networks. arXiv preprint arXiv:1511.06939, 2015.
  17. Membership inference attacks on machine learning: A survey. ACM Computing Surveys (CSUR), 54(11s):1–37, 2022.
  18. Matrix factorization techniques for recommender systems. Computer, 42(8):30–37, 2009.
  19. Stamp: short-term attention/memory priority model for session-based recommendation. In KDD, pages 1831–1839, 2018.
  20. Image-based recommendations on styles and substitutes. In SIGIR, pages 43–52, 2015.
  21. A recommender system for connecting patients to the right doctors in the healthnet social network. In WWW, pages 81–82, 2015.
  22. Stuart L Pardau. The california consumer privacy act: Towards a european-style privacy regime in the united states. J. Tech. L. & Pol’y, 23:68, 2018.
  23. Mlaas: Machine learning as a service. In ICMLA, pages 896–902, 2015.
  24. Jeffrey Rosen. The right to be forgotten. Stanford Law Review, 64:88, 2011.
  25. Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. In NDSS Symposium. Internet Society, 2019.
  26. Item-based collaborative filtering recommendation algorithms. In WWW, pages 285–295, 2001.
  27. Social collaborative filtering for cold-start recommendations. In RecSys, pages 345–348, 2014.
  28. Autorec: Autoencoders meet collaborative filtering. In WWW, pages 111–112, 2015.
  29. Low-rank linear cold-start recommendation from social data. In AAAI, volume 31, 2017.
  30. Membership inference attacks against machine learning models. In S&P, pages 3–18. IEEE, 2017.
  31. Systematic evaluation of privacy risks of machine learning models. In USENIX Security, pages 2615–2632, 2021.
  32. Auditing data provenance in text-generation models. In KDD, pages 196–206, 2019.
  33. Bert4rec: Sequential recommendation with bidirectional encoder representations from transformer. In CIKM, pages 1441–1450, 2019.
  34. Jiaxi Tang and Ke Wang. Personalized top-n sequential recommendation via convolutional sequence embedding. In WSDM, pages 565–573, 2018.
  35. Recommendations in signed social networks. In WWW, pages 31–40, 2016.
  36. Debiasing learning for membership inference attacks against recommender systems. In KDD, pages 1959–1968, 2022.
  37. A neural influence diffusion model for social recommendation. In SIGIR, pages 235–244, 2019.
  38. Enhanced membership inference attacks against machine learning models. In CCS, pages 3093–3106, 2022.
  39. Privacy risk in machine learning: Analyzing the connection to overfitting. In CSF, pages 268–282. IEEE, 2018.
  40. Deep learning based recommender system: A survey and new perspectives. ACM Computing Surveys (CSUR), 52(1):1–38, 2019.
  41. Membership inference attacks against recommender systems. In CCS, pages 864–879, 2021.
  42. Micro behaviors: A new perspective in e-commerce recommender systems. In WSDM, pages 727–735, 2018.
  43. Deep interest evolution network for click-through rate prediction. In AAAI, volume 33, pages 5941–5948, 2019.
  44. Membership inference attacks against sequential recommender systems. In WWW, pages 1208–1219, 2023.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (9)
  1. Xiaoxiao Chi (2 papers)
  2. Xuyun Zhang (21 papers)
  3. Yan Wang (733 papers)
  4. Lianyong Qi (10 papers)
  5. Amin Beheshti (31 papers)
  6. Xiaolong Xu (38 papers)
  7. Kim-Kwang Raymond Choo (59 papers)
  8. Shuo Wang (382 papers)
  9. Hongsheng Hu (27 papers)

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets