Interaction-level Membership Inference Attack against Recommender Systems with Long-tailed Distribution
Pages 3433 - 3442
Abstract
Recommender systems (RSs) are susceptible to Interaction-level Membership Inference Attacks (IMIAs), which aim to determine whether specific user-item interactions are present in the training data of the target RS. However, existing IMIAs struggle with inferring the membership of tail interactions, i.e., the interactions involving tail items, due to the limited information available about these items. This paper introduces MINER, a new IMIA designed to enhance attack performance against RSs with long-tailed item distribution. MINER addresses the information scarcity of tail items at both the feature and sample levels. At the feature level, MINER leverages the Knowledge Graphs (KGs) to obtain the auxiliary knowledge of tail items. At the sample level, MINER designs a Bilateral-Branch Network (BBN) as the attack model. The BBN trains two branches independently, with one branch trained on interaction samples with the original long-tailed item distribution and the other on interaction samples with a more balanced item distribution. The outputs of the two branches are aggregated using a cumulative learning component. Our experimental results demonstrate that MINER significantly enhances the attack accuracy of IMIA, especially for tail interactions. Beyond attack design, we design a defense mechanism named RGL to defend against MINER. Empirical evaluations demonstrate that RGL effectively mitigates the privacy risks posed by MINER while preserving recommendation accuracy. Our code is available at https://github.com/dzhong2/MINER.
References
[1]
Amazon product review dataset. https://jmcauley.ucsd.edu/data/amazon/.
[2]
Lastfm dataset. http://www.lastfm.com.
[3]
Yelp dataset. https://www.yelp.com/dataset.
[4]
Martin Abadi, Andy Chu, Ian Goodfellow, H. Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. Deep learning with differential privacy. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2016.
[5]
Qingyao Ai, Vahid Azizi, Xu Chen, and Yongfeng Zhang. Learning heterogeneous knowledge base embeddings for explainable recommendation. Algorithms, 2018.
[6]
Bing Bai, Yushun Fan,Wei Tan, and Jia Zhang. Dltsr: A deep learning framework for recommendations of long-tail web services. IEEE Transactions on Services Computing, 2017.
[7]
J Roger Bray and John T Curtis. An ordination of the upland forest communities of southern wisconsin. Ecological monographs, 1957.
[8]
Nicholas Carlini, Steve Chien, Milad Nasr, Shuang Song, Andreas Terzis, and Florian Tramer. Membership inference attacks from first principles. In Proceedings of the IEEE Conference on Symposium on Security and Privacy, 2022.
[9]
Abdelberi Chaabane, Gergely Acs, Mohamed Ali Kaafar, et al. You are what you like! information leakage through users? interests. In Proceedings of annual network & distributed system security symposium, 2012.
[10]
Jin Chen, Defu Lian, Binbin Jin, Kai Zheng, and Enhong Chen. Learning recommenders for implicit feedback with importance resampling. In Proceedings of ACM World Wide Web Conference, 2022.
[11]
Cynthia Dwork. Differential privacy: A survey of results. In International conference on Theory and Applications of Models of Computation, 2008.
[12]
Matt Fredrikson, Somesh Jha, and Thomas Ristenpart. Model inversion attacks that exploit confidence information and basic countermeasures. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2015.
[13]
Christian Ganhör, David Penz, Navid Rekabsaz, Oleg Lesota, and Markus Schedl. Unlearning protected user attributes in recommendations with adversarial training. In Proceedings of International ACM SIGIR Conference on Research and Development in Information Retrieval, 2022.
[14]
Elaheh Malekzadeh Hamedani and Marjan Kaedi. Recommending the long tail items through personalized diversification. Knowledge-Based Systems, 2019.
[15]
Jamie Hayes, Luca Melis, George Danezis, and Emiliano De Cristofaro. Logan: Membership inference attacks against generative models. Procedings of Privacy Enhancing Technologies Symposium, 2019.
[16]
Xiangnan He and Tat-Seng Chua. Neural factorization machines for sparse predictive analytics. In Proceedings of International ACM SIGIR Conference on Research and Development in Information Retrieval, 2017.
[17]
Xiangnan He, Kuan Deng, Xiang Wang, Yan Li, Yongdong Zhang, and Meng Wang. Lightgcn: Simplifying and powering graph convolution network for recommendation. In Proceedings of International ACM SIGIR Conference on Research and Development in Information Retrieval, 2020.
[18]
Xiangnan He, Lizi Liao, Hanwang Zhang, Liqiang Nie, Xia Hu, and Tat-Seng Chua. Neural collaborative filtering. In Proceedings of ACM World Wide Web Conference, 2017.
[19]
Xinlei He, Jinyuan Jia, Michael Backes, Neil Zhenqiang Gong, and Yang Zhang. Stealing links from graph neural networks. In Procedings of USENIX Security Symposium, 2021.
[20]
Zecheng He, Tianwei Zhang, and Ruby B Lee. Model inversion attacks against collaborative inference. In Proceedings of Annual Computer Security Applications Conference, 2019.
[21]
Nils Homer, Szabolcs Szelinger, Margot Redman, David Duggan,Waibhav Tembe, Jill Muehling, John V Pearson, Dietrich A Stephan, Stanley F Nelson, and DavidW Craig. Resolving individuals contributing trace amounts of dna to highly complex mixtures using high-density snp genotyping microarrays. PLoS genetics, 2008.
[22]
Hongsheng Hu, Zoran Salcic, Lichao Sun, Gillian Dobbie, Philip S Yu, and Xuyun Zhang. Membership inference attacks on machine learning: A survey. ACM Computing Surveys (CSUR), 2022.
[23]
Li Hu, Anli Yan, Hongyang Yan, Jin Li, Teng Huang, Yingying Zhang, Changyu Dong, and Chunsheng Yang. Defenses to membership inference attacks: A survey. ACM Computing Surveys, 2023.
[24]
Dietmar Jannach, Markus Zanker, Alexander Felfernig, and Gerhard Friedrich. Recommender systems: an introduction. 2010.
[25]
Iordanis Koutsopoulos and Maria Halkidi. Efficient and fair item coverage in recommender systems. In Proceedings of the Dependable, Autonomic and Secure Computing, Pervasive Intelligence and Computing, Big Data Intelligence and Computing and Cyber Science and Technology Congress, 2018.
[26]
Xuan Nhat Lam, Thuc Vu, Trong Duc Le, and Anh Duc Duong. Addressing cold-start problem in recommendation systems. In Proceedings of International Conference on Ubiquitous Information Management and Communication, 2008.
[27]
Zheng Li and Yang Zhang. Membership leakage in label-only exposures. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2021.
[28]
Siyi Liu and Yujia Zheng. Long-tail session-based recommendation. In Proceedings of the ACM Conference on Recommender Systems, 2020.
[29]
Sichun Luo, Chen Ma, Yuanzhang Xiao, and Linqi Song. Improving long-tail item recommendation with graph augmentation. In Proceedings of the ACM International Conference on Information and Knowledge Management, 2023.
[30]
Milad Nasr, Reza Shokri, and Amir Houmansadr. Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning. In Proceedings of the IEEE Conference on Symposium on Security and Privacy, 2019.
[31]
Gong Neil, Zhenqiang and Liu Bin. You are who you know and how you behave: Attribute inference attacks via users' social friends and behaviors. In Procedings of USENIX Security Symposium, 2016.
[32]
Iyiola E Olatunji, Wolfgang Nejdl, and Megha Khosla. Membership inference attack on graph neural networks. In Proceedings of the IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications, 2021.
[33]
Enrico Palumbo, Diego Monti, Giuseppe Rizzo, Raphaël Troncy, and Elena Baralis. entity2rec: Property-specific knowledge graph embeddings for item recommendation. Expert Systems with Applications, 2020.
[34]
Yoon-Joo Park and Alexander Tuzhilin. The long tail of recommender systems and how to leverage it. In Proceedings of the ACM Conference on Recommender Systems, 2008.
[35]
Gourab K Patro, Arpita Biswas, Niloy Ganguly, Krishna P Gummadi, and Abhijnan Chakraborty. Fairrec: Two-sided fairness for personalized recommendations in two-sided platforms. In Proceedings of ACM World Wide Web Conference, 2020.
[36]
Paul Resnick and Hal R Varian. Recommender systems. Communications of the ACM, 1997.
[37]
Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. Membership inference attacks against machine learning models. In Proceedings of the IEEE Conference on Symposium on Security and Privacy, 2017.
[38]
Congzheng Song and Ananth Raghunathan. Information leakage in embedding models. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2020.
[39]
Rama Syamala Sreepada and Bidyut Kr Patra. Mitigating long tail effect in recommendations using few shot learning technique. Expert Systems with Applications, 2020.
[40]
Xiang Wang, Xiangnan He, Yixin Cao, Meng Liu, and Tat-Seng Chua. Kgat: Knowledge graph attention network for recommendation. In Proceedings of ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2019.
[41]
Zihan Wang, Na Huang, Fei Sun, Pengjie Ren, Zhumin Chen, Hengliang Luo, Maarten de Rijke, and Zhaochun Ren. Debiasing learning for membership inference attacks against recommender systems. In Proceedings of ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2022.
[42]
Zhichao Xu, Hansi Zeng, Juntao Tan, Zuohui Fu, Yongfeng Zhang, and Qingyao Ai. A reusable model-agnostic framework for faithfully explainable recommendation and system scrutability. ACM Transactions on Information Systems, 2023.
[43]
Hongzhi Yin, Bin Cui, Jing Li, Junjie Yao, and Chen Chen. Challenging the long tail recommendation. Proceedings of the VLDB Endowment, 2012.
[44]
Wei Yuan, Chaoqun Yang, Quoc Viet Hung Nguyen, Lizhen Cui, Tieke He, and Hongzhi Yin. Interaction-level membership inference attack against federated recommender systems. In Proceedings of ACM World Wide Web Conference, 2023.
[45]
Fuzheng Zhang, Nicholas Jing Yuan, Defu Lian, Xing Xie, and Wei-Ying Ma. Collaborative knowledge base embedding for recommender systems. In Proceedings of ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2016.
[46]
Minxing Zhang, Zhaochun Ren, Zihan Wang, Pengjie Ren, Zhunmin Chen, Pengfei Hu, and Yang Zhang. Membership inference attacks against recommender systems. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2021.
[47]
Shijie Zhang, Hongzhi Yin, Tong Chen, Zi Huang, Lizhen Cui, and Xiangliang Zhang. Graph embedding for recommendation against attribute inference attacks. In Proceedings of the World Wide Web Conference, 2021.
[48]
Yin Zhang, Ruoxi Wang, Derek Zhiyuan Cheng, Tiansheng Yao, Xinyang Yi, Lichan Hong, James Caverlee, and Ed H Chi. Empowering long-tail item recommendation through cross decoupling network. In Proceedings of ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2023.
[49]
Zhikun Zhang, Min Chen, Michael Backes, Yun Shen, and Yang Zhang. Inference attacks against graph neural networks. In Proceedings of USENIX Security Symposium, 2022.
[50]
Boyan Zhou, Quan Cui, Xiu-Shen Wei, and Zhao-Min Chen. Bbn: Bilateralbranch network with cumulative learning for long-tailed visual recognition. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020.
Index Terms
- Interaction-level Membership Inference Attack against Recommender Systems with Long-tailed Distribution
Recommendations
Interaction-level Membership Inference Attack Against Federated Recommender Systems
WWW '23: Proceedings of the ACM Web Conference 2023The marriage of federated learning and recommender system (FedRec) has been widely used to address the growing data privacy concerns in personalized recommendation services. In FedRecs, users’ attribute information and behavior data (i.e., user-item ...
Membership Inference Attacks Against Recommender Systems
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications SecurityRecently, recommender systems have achieved promising performances and become one of the most widely used web applications. However, recommender systems are often trained on highly sensitive user data, thus potential data leakage from recommender ...
Debiasing Learning for Membership Inference Attacks Against Recommender Systems
KDD '22: Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data MiningLearned recommender systems may inadvertently leak information about their training data, leading to privacy violations. We investigate privacy threats faced by recommender systems through the lens of membership inference. In such attacks, an adversary ...
Comments
Information & Contributors
Information
Published In
October 2024
5705 pages
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 21 October 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
Conference
CIKM '24
Sponsor:
CIKM '24: The 33rd ACM International Conference on Information and Knowledge Management
October 21 - 25, 2024
ID, Boise, USA
Acceptance Rates
Overall Acceptance Rate 1,861 of 8,427 submissions, 22%
Upcoming Conference
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 98Total Downloads
- Downloads (Last 12 months)98
- Downloads (Last 6 weeks)17
Reflects downloads up to 12 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in