research-article

Interaction-level Membership Inference Attack Against Federated Recommender Systems

Authors:

Quoc Viet Hung Nguyen,

Hongzhi YinAuthors Info & Claims

WWW '23: Proceedings of the ACM Web Conference 2023

Pages 1053 - 1062

https://doi.org/10.1145/3543507.3583359

Published: 30 April 2023 Publication History

Abstract

The marriage of federated learning and recommender system (FedRec) has been widely used to address the growing data privacy concerns in personalized recommendation services. In FedRecs, users’ attribute information and behavior data (i.e., user-item interaction data) are kept locally on their personal devices, therefore, it is considered a fairly secure approach to protect user privacy. As a result, the privacy issue of FedRecs is rarely explored. Unfortunately, several recent studies reveal that FedRecs are vulnerable to user attribute inference attacks, highlighting the privacy concerns of FedRecs. In this paper, we further investigate the privacy problem of user behavior data (i.e., user-item interactions) in FedRecs. Specifically, we perform the first systematic study on interaction-level membership inference attacks on FedRecs. An interaction-level membership inference attacker is first designed, and then the classical privacy protection mechanism, Local Differential Privacy (LDP), is adopted to defend against the membership inference attack. Unfortunately, the empirical analysis shows that LDP is not effective against such new attacks unless the recommendation performance is largely compromised. To mitigate the interaction-level membership attack threats, we design a simple yet effective defense method to significantly reduce the attacker’s inference accuracy without losing recommendation performance. Extensive experiments are conducted with two widely used FedRecs (Fed-NCF and Fed-LightGCN) on three real-world recommendation datasets (MovieLens-100K, Steam-200K, and Amazon Cell Phone), and the experimental results show the effectiveness of our solutions.

References

[1]

Muhammad Ammad-Ud-Din, Elena Ivannikova, Suleiman A Khan, Were Oyomno, Qiang Fu, Kuan Eeik Tan, and Adrian Flanagan. 2019. Federated collaborative filtering for privacy-preserving personalized recommendation system. arXiv preprint arXiv:1901.09888(2019).

[2]

Germán Cheuque, José Guzmán, and Denis Parra. 2019. Recommender systems for Online video game platforms: The case of STEAM. In Companion Proceedings of The 2019 World Wide Web Conference. 763–771.

Digital Library

[3]

Karan Ganju, Qi Wang, Wei Yang, Carl A Gunter, and Nikita Borisov. 2018. Property inference attacks on fully connected neural networks using permutation invariant representations. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security. 619–633.

Digital Library

[4]

Jonas Geiping, Hartmut Bauermeister, Hannah Dröge, and Michael Moeller. 2020. Inverting gradients-how easy is it to break privacy in federated learning¿Advances in Neural Information Processing Systems 33 (2020), 16937–16947.

[5]

Carlos A Gomez-Uribe and Neil Hunt. 2015. The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6, 4(2015), 1–19.

Digital Library

[6]

Elizabeth Liz Harding, Jarno J Vanto, Reece Clark, L Hannah Ji, and Sara C Ainsworth. 2019. Understanding the scope and impact of the California Consumer Privacy Act of 2018. Journal of Data Protection & Privacy 2, 3 (2019), 234–253.

[7]

F Maxwell Harper and Joseph A Konstan. 2015. The movielens datasets: History and context. Acm transactions on interactive intelligent systems (tiis) 5, 4(2015), 1–19.

[8]

John A Hartigan and Manchek A Wong. 1979. Algorithm AS 136: A k-means clustering algorithm. Journal of the royal statistical society. series c (applied statistics) 28, 1(1979), 100–108.

[9]

Ruining He and Julian McAuley. 2016. Ups and downs: Modeling the visual evolution of fashion trends with one-class collaborative filtering. In proceedings of the 25th international conference on world wide web. 507–517.

Digital Library

[10]

Xiangnan He, Kuan Deng, Xiang Wang, Yan Li, Yongdong Zhang, and Meng Wang. 2020. Lightgcn: Simplifying and powering graph convolution network for recommendation. In Proceedings of the 43rd International ACM SIGIR conference on research and development in Information Retrieval. 639–648.

Digital Library

[11]

Xiangnan He, Lizi Liao, Hanwang Zhang, Liqiang Nie, Xia Hu, and Tat-Seng Chua. 2017. Neural collaborative filtering. In Proceedings of the 26th international conference on world wide web. 173–182.

Digital Library

[12]

Hongsheng Hu, Zoran Salcic, Lichao Sun, Gillian Dobbie, and Xuyun Zhang. 2021. Source inference attacks in federated learning. In 2021 IEEE International Conference on Data Mining (ICDM). IEEE, 1102–1107.

[13]

Mubashir Imran, Hongzhi Yin, Tong Chen, Nguyen Quoc Viet Hung, Alexander Zhou, and Kai Zheng. 2022. ReFRS: Resource-efficient Federated Recommender System for Dynamic and Diversified User Preferences. ACM Transactions on Information Systems (TOIS) (2022).

[14]

Diederik P Kingma and Jimmy Ba. 2014. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980(2014).

[15]

Shyong K Lam, Dan Frankowski, John Riedl, 2006. Do you trust your recommendations¿ An exploration of security and privacy issues in recommender systems. In International conference on emerging trends in information and communication security. Springer, 14–29.

Digital Library

[16]

Feng Liang, Weike Pan, and Zhong Ming. 2021. Fedrec++: Lossless federated recommendation with explicit feedback. In Proceedings of the AAAI conference on artificial intelligence, Vol. 35. 4224–4231.

[17]

Guanyu Lin, Feng Liang, Weike Pan, and Zhong Ming. 2020. Fedrec: Federated recommendation with explicit feedback. IEEE Intelligent Systems 36, 5 (2020), 21–30.

[18]

Zhaohao Lin, Weike Pan, and Zhong Ming. 2021. FR-FMSS: federated recommendation via fake marks and secret sharing. In Fifteenth ACM Conference on Recommender Systems. 668–673.

Digital Library

[19]

Zhaohao Lin, Weike Pan, Qiang Yang, and Zhong Ming. 2022. A Generic Federated Recommendation Framework via Fake Marks and Secret Sharing. ACM Transactions on Information Systems (TOIS) (2022).

[20]

Zhiwei Liu, Liangwei Yang, Ziwei Fan, Hao Peng, and Philip S Yu. 2022. Federated social recommendation with graph neural network. ACM Transactions on Intelligent Systems and Technology (TIST) 13, 4(2022), 1–24.

Digital Library

[21]

Lingjuan Lyu, Han Yu, and Qiang Yang. 2020. Threats to federated learning: A survey. arXiv preprint arXiv:2003.02133(2020).

[22]

Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In Artificial intelligence and statistics. PMLR, 1273–1282.

[23]

Andriy Mnih and Russ R Salakhutdinov. 2007. Probabilistic matrix factorization. Advances in neural information processing systems 20 (2007).

[24]

Khalil Muhammad, Qinqin Wang, Diarmuid O’Reilly-Morgan, Elias Tragos, Barry Smyth, Neil Hurley, James Geraci, and Aonghus Lawlor. 2020. Fedfast: Going beyond average for faster training of federated recommender systems. In Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 1234–1242.

Digital Library

[25]

Milad Nasr, Reza Shokri, and Amir Houmansadr. 2019. Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning. In 2019 IEEE symposium on security and privacy (SP). IEEE, 739–753.

[26]

Quoc Viet Hung Nguyen, Chi Thang Duong, Thanh Tam Nguyen, Matthias Weidlich, Karl Aberer, Hongzhi Yin, and Xiaofang Zhou. 2017. Argument discovery via crowdsourcing. The VLDB Journal 26(2017), 511–535.

[27]

Steffen Rendle, Christoph Freudenthaler, Zeno Gantner, and Lars Schmidt-Thieme. 2012. BPR: Bayesian personalized ranking from implicit feedback. arXiv preprint arXiv:1205.2618(2012).

[28]

Nuria Rodríguez-Barroso, Daniel Jiménez López, M Victoria Luzón, Francisco Herrera, and Eugenio Martínez-Cámara. 2022. Survey on federated learning threats: concepts, taxonomy on attacks and defences, experimental study and challenges. Information Fusion (2022).

[29]

Franco Scarselli, Marco Gori, Ah Chung Tsoi, Markus Hagenbuchner, and Gabriele Monfardini. 2008. The graph neural network model. IEEE transactions on neural networks 20, 1 (2008), 61–80.

[30]

Anshuman Suri, Pallika Kanani, Virendra J Marathe, and Daniel W Peterson. 2022. Subject Membership Inference Attacks in Federated Learning. arXiv preprint arXiv:2206.03317(2022).

[31]

Huynh Thanh Trung, Tong Van Vinh, Nguyen Thanh Tam, Hongzhi Yin, Matthias Weidlich, and Nguyen Quoc Viet Hung. 2020. Adaptive network alignment with unsupervised and multi-order convolutional networks. In 2020 IEEE 36th International Conference on Data Engineering (ICDE). IEEE, 85–96.

[32]

Paul Voigt and Axel Von dem Bussche. 2017. The eu general data protection regulation (gdpr). A Practical Guide, 1st Ed., Cham: Springer International Publishing 10, 3152676(2017), 10–5555.

[33]

Ning Wang, Xiaokui Xiao, Yin Yang, Jun Zhao, Siu Cheung Hui, Hyejin Shin, Junbum Shin, and Ge Yu. 2019. Collecting and analyzing multidimensional data with local differential privacy. In 2019 IEEE 35th International Conference on Data Engineering (ICDE). IEEE, 638–649.

[34]

Qinyong Wang, Hongzhi Yin, Tong Chen, Zi Huang, Hao Wang, Yanchang Zhao, and Nguyen Quoc Viet Hung. 2020. Next point-of-interest recommendation on resource-constrained mobile devices. In Proceedings of the Web conference 2020. 906–916.

Digital Library

[35]

Qinyong Wang, Hongzhi Yin, Tong Chen, Junliang Yu, Alexander Zhou, and Xiangliang Zhang. 2022. Fast-adapting and privacy-preserving federated recommender system. The VLDB Journal 31, 5 (2022), 877–896.

Digital Library

[36]

Zhibo Wang, Mengkai Song, Zhifei Zhang, Yang Song, Qian Wang, and Hairong Qi. 2019. Beyond inferring class representatives: User-level privacy leakage from federated learning. In IEEE INFOCOM 2019-IEEE Conference on Computer Communications. IEEE, 2512–2520.

Digital Library

[37]

Kang Wei, Jun Li, Ming Ding, Chuan Ma, Howard H Yang, Farhad Farokhi, Shi Jin, Tony QS Quek, and H Vincent Poor. 2020. Federated learning with differential privacy: Algorithms and performance analysis. IEEE Transactions on Information Forensics and Security 15 (2020), 3454–3469.

Digital Library

[38]

Chuhan Wu, Fangzhao Wu, Yongfeng Huang, and Xing Xie. 2021. Personalized news recommendation: A survey. arXiv preprint arXiv:2106.08934(2021).

[39]

Liu Yang, Ben Tan, Vincent W Zheng, Kai Chen, and Qiang Yang. 2020. Federated recommendation systems. In Federated Learning. Springer, 225–239.

[40]

Mengmeng Yang, Lingjuan Lyu, Jun Zhao, Tianqing Zhu, and Kwok-Yan Lam. 2020. Local differential privacy and its applications: A comprehensive survey. arXiv preprint arXiv:2008.03686(2020).

[41]

Hongzhi Yin, Weiqing Wang, Hao Wang, Ling Chen, and Xiaofang Zhou. 2017. Spatial-aware hierarchical collaborative deep learning for POI recommendation. IEEE Transactions on Knowledge and Data Engineering 29, 11(2017), 2537–2551.

Digital Library

[42]

Wei Yuan, Hongzhi Yin, Fangzhao Wu, Shijie Zhang, Tieke He, and Hao Wang. 2022. Federated Unlearning for On-Device Recommendation. arXiv preprint arXiv:2210.10958(2022).

[43]

Jingwen Zhang, Jiale Zhang, Junjun Chen, and Shui Yu. 2020. Gan enhanced membership inference: A passive local attack in federated learning. In ICC 2020-2020 IEEE International Conference on Communications (ICC). IEEE, 1–6.

[44]

Shuai Zhang, Lina Yao, Aixin Sun, and Yi Tay. 2019. Deep learning based recommender system: A survey and new perspectives. ACM Computing Surveys (CSUR) 52, 1 (2019), 1–38.

Digital Library

[45]

Shijie Zhang and Hongzhi Yin. 2022. Comprehensive Privacy Analysis on Federated Recommender System against Attribute Inference Attacks. arXiv preprint arXiv:2205.11857(2022).

[46]

Shijie Zhang, Hongzhi Yin, Tong Chen, Zi Huang, Lizhen Cui, and Xiangliang Zhang. 2021. Graph embedding for recommendation against attribute inference attacks. In Proceedings of the Web Conference 2021. 3002–3014.

Digital Library

[47]

Shijie Zhang, Hongzhi Yin, Tong Chen, Zi Huang, Quoc Viet Hung Nguyen, and Lizhen Cui. 2022. Pipattack: Poisoning federated recommender systems for manipulating item promotion. In Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining. 1415–1423.

Digital Library

[48]

Yuheng Zhang, Ruoxi Jia, Hengzhi Pei, Wenxiao Wang, Bo Li, and Dawn Song. 2020. The secret revealer: Generative model-inversion attacks against deep neural networks. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 253–261.

[49]

Yanchao Zhao, Jiale Chen, Jiale Zhang, Zilu Yang, Huawei Tu, Hao Han, Kun Zhu, and Bing Chen. 2021. User-Level Membership Inference for Federated Learning in Wireless Network Environment. Wireless Communications and Mobile Computing 2021 (2021).

Cited By

Ali WZhou XShao J(2025)Privacy-preserved and Responsible Recommenders: From Conventional Defense to Federated Learning and BlockchainACM Computing Surveys10.1145/370898257:5(1-35)Online publication date: 9-Jan-2025
https://dl.acm.org/doi/10.1145/3708982
Xia FLiu YJin BYu ZCai XLi HZha ZHou DPeng K(2024)Leveraging Multiple Adversarial Perturbation Distances for Enhanced Membership Inference Attack in Federated LearningSymmetry10.3390/sym1612167716:12(1677)Online publication date: 18-Dec-2024
https://doi.org/10.3390/sym16121677
Bai LHu HYe QLi HWang LXu J(2024)Membership Inference Attacks and Defenses in Federated Learning: A SurveyACM Computing Surveys10.1145/370463357:4(1-35)Online publication date: 10-Dec-2024
https://dl.acm.org/doi/10.1145/3704633
Show More Cited By

Index Terms

Interaction-level Membership Inference Attack Against Federated Recommender Systems
1. Information systems
  1. Information retrieval
    1. Retrieval tasks and goals
      1. Recommender systems

Recommendations

Single-User Injection for Invisible Shilling Attack against Recommender Systems
CIKM '23: Proceedings of the 32nd ACM International Conference on Information and Knowledge Management

Recommendation systems (RS) are crucial for alleviating the information overload problem. Due to its pivotal role in guiding users to make decisions, unscrupulous parties are lured to launch attacks against RS to affect the decisions of normal users and ...
Membership Inference Attacks Against Recommender Systems
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

Recently, recommender systems have achieved promising performances and become one of the most widely used web applications. However, recommender systems are often trained on highly sensitive user data, thus potential data leakage from recommender ...
Interaction-level Membership Inference Attack against Recommender Systems with Long-tailed Distribution
CIKM '24: Proceedings of the 33rd ACM International Conference on Information and Knowledge Management

Recommender systems (RSs) are susceptible to Interaction-level Membership Inference Attacks (IMIAs), which aim to determine whether specific user-item interactions are present in the training data of the target RS. However, existing IMIAs struggle with ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

WWW '23: Proceedings of the ACM Web Conference 2023

April 2023

4293 pages

ISBN:9781450394161

DOI:10.1145/3543507

Copyright © 2023 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGWEB: ACM Special Interest Group on Hypertext, Hypermedia, and Web

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 April 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Australian Research Council

Conference

WWW '23

Sponsor:

SIGWEB

WWW '23: The ACM Web Conference 2023

April 30 - May 4, 2023

TX, Austin, USA

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

28
Total Citations
View Citations
422
Total Downloads

Downloads (Last 12 months)230
Downloads (Last 6 weeks)24

Reflects downloads up to 12 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Ali WZhou XShao J(2025)Privacy-preserved and Responsible Recommenders: From Conventional Defense to Federated Learning and BlockchainACM Computing Surveys10.1145/370898257:5(1-35)Online publication date: 9-Jan-2025
https://dl.acm.org/doi/10.1145/3708982
Xia FLiu YJin BYu ZCai XLi HZha ZHou DPeng K(2024)Leveraging Multiple Adversarial Perturbation Distances for Enhanced Membership Inference Attack in Federated LearningSymmetry10.3390/sym1612167716:12(1677)Online publication date: 18-Dec-2024
https://doi.org/10.3390/sym16121677
Bai LHu HYe QLi HWang LXu J(2024)Membership Inference Attacks and Defenses in Federated Learning: A SurveyACM Computing Surveys10.1145/370463357:4(1-35)Online publication date: 10-Dec-2024
https://dl.acm.org/doi/10.1145/3704633
Wang LZhou HBao YYan XShen GKong X(2024)Horizontal Federated Recommender System: A SurveyACM Computing Surveys10.1145/365616556:9(1-42)Online publication date: 8-May-2024
https://dl.acm.org/doi/10.1145/3656165
Ge YLiu SFu ZTan JLi ZXu SLi YXian YZhang Y(2024)A Survey on Trustworthy Recommender SystemsACM Transactions on Recommender Systems10.1145/36528913:2(1-68)Online publication date: 13-Apr-2024
https://dl.acm.org/doi/10.1145/3652891
Li ZLin ZLiang FPan WYang QMing Z(2024)Decentralized Federated Recommendation with Privacy-aware Structured Client-level GraphACM Transactions on Intelligent Systems and Technology10.1145/364128715:4(1-23)Online publication date: 22-Jan-2024
https://dl.acm.org/doi/10.1145/3641287
Zhang CLong GZhou TZhang ZYan PYang BBaeza-Yates RBonchi F(2024)GPFedRec: Graph-Guided Personalization for Federated RecommendationProceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining10.1145/3637528.3671702(4131-4142)Online publication date: 25-Aug-2024
https://dl.acm.org/doi/10.1145/3637528.3671702
Zhong DWang XXu ZXu JWang WSerra ESpezzano F(2024)Interaction-level Membership Inference Attack against Recommender Systems with Long-tailed DistributionProceedings of the 33rd ACM International Conference on Information and Knowledge Management10.1145/3627673.3679804(3433-3442)Online publication date: 21-Oct-2024
https://dl.acm.org/doi/10.1145/3627673.3679804
Zhang SLong CYuan WChen HYin HSerra ESpezzano F(2024)Watermarking Recommender SystemsProceedings of the 33rd ACM International Conference on Information and Knowledge Management10.1145/3627673.3679617(3217-3226)Online publication date: 21-Oct-2024
https://dl.acm.org/doi/10.1145/3627673.3679617
Yin HChen TQu LCui BChua TNgo CKa-Wei Lee RKumar RLauw H(2024)On-Device Recommender Systems: A Tutorial on The New-Generation Recommendation ParadigmCompanion Proceedings of the ACM on Web Conference 202410.1145/3589335.3641250(1280-1283)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589335.3641250
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents