research-article

Membership Inference Attacks Against Recommender Systems

Authors:

Yang ZhangAuthors Info & Claims

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

Pages 864 - 879

https://doi.org/10.1145/3460120.3484770

Published: 13 November 2021 Publication History

Get Access

Abstract

Recently, recommender systems have achieved promising performances and become one of the most widely used web applications. However, recommender systems are often trained on highly sensitive user data, thus potential data leakage from recommender systems may lead to severe privacy problems.

In this paper, we make the first attempt on quantifying the privacy leakage of recommender systems through the lens of membership inference. In contrast with traditional membership inference against machine learning classifiers, our attack faces two main differences. First, our attack is on the user-level but not on the data sample-level. Second, the adversary can only observe the ordered recommended items from a recommender system instead of prediction results in the form of posterior probabilities. To address the above challenges, we propose a novel method by representing users from relevant items. Moreover, a shadow recommender is established to derive the labeled training data for training the attack model. Extensive experimental results show that our attack framework achieves a strong performance. In addition, we design a defense mechanism to effectively mitigate the membership inference threat of recommender systems.

Supplementary Material

MP4 File (CCS21-fp288.mp4)

To investigate the privacy problem in recommender systems, we design various attack strategies of membership inference. To the best of our knowledge, ours is the first work on the membership inference attacks against recommender systems. Comparing to membership inference attacks on data sample-level classifiers, for recommender systems, our work focuses on the user-level membership status, which cannot be directly obtained from the system outputs. To address these challenges, we propose a novel membership inference attack scheme, the core of which is to obtain user-level feature vectors based on the interactions between users and the target recommender, and input these feature vectors into attack models. Extensive experiment results show the effectiveness and generalization ability of our attack. To remedy the situation, we further propose a defense mechanism, namely Popularity Randomization. Our empirical evaluations demonstrate that Popularity Randomization can largely mitigate the privacy risks.

Download
28.48 MB

References

[1]

Michael Backes, Mathias Humbert, Jun Pang, and Yang Zhang. walk2friends: Inferring Social Links from Mobility Profiles. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1943--1957. ACM, 2017.

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

Debiasing Learning for Membership Inference Attacks Against Recommender Systems

Interaction-level Membership Inference Attack Against Federated Recommender Systems

Membership Inference Attacks Against Sequential Recommender Systems

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations