Towards Differential Privacy in Sequential Recommendation: A Noisy Graph Neural Network Approach

Wentao Hu, Hui Fang

TL;DR

This work tackles privacy risks in sequential recommendations where user behaviors are interdependent. It introduces DIPSGNN, a differential-privacy framework that protects sensitive user features via a piecewise local-DP mechanism and safeguards sequential interactions by perturbing GNN aggregation to achieve edge-level DP. The method initializes embeddings with perturbed features, uses a gated graph neural network with clipped, noisy aggregations, and employs a readout strategy to predict next items, all trained end-to-end with BPTT. Empirical results on ML-1M, Yelp, and Tmall show DIPSGNN achieves stronger privacy-utility trade-offs than state-of-the-art private baselines while preserving competitive accuracy.

Abstract

With the increasing frequency of high-profile privacy breaches on various online platforms, users are becoming more concerned about their privacy. The recommender system is the core component of online platforms for providing personalized service; consequently, its privacy preservation has attracted great attention. As the gold standard of privacy protection, differential privacy has been widely adopted to preserve privacy in recommender systems. However, existing differentially private recommender systems only consider static and independent interactions, so they cannot be applied to sequential recommendation, where behaviors are dynamic and dependent. Meanwhile, little attention has been paid to the privacy risk of sensitive user features; most of them only protect user feedback. In this work, we propose a novel DIfferentially Private Sequential recommendation framework with a noisy Graph Neural Network approach (denoted as DIPSGNN) to address these limitations. To the best of our knowledge, we are the first to achieve differential privacy in sequential recommendation with dependent interactions. Specifically, in DIPSGNN, we first leverage the piecewise mechanism to protect sensitive user features. Then, we innovatively add calibrated noise to the aggregation step of the graph neural network, based on the aggregation perturbation mechanism. This noisy graph neural network can protect sequentially dependent interactions and capture user preferences simultaneously. Extensive experiments demonstrate the superiority of our method over state-of-the-art differentially private recommender systems in terms of a better balance between privacy and accuracy.

Paper Structure

This paper contains 25 sections, 2 theorems, 13 equations, 7 figures, 2 tables, 4 algorithms.

Key Result

theorem 1

Algorithm pm3 satisfies $\epsilon_1$-local differential privacy.
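
An added illustration of the kind of guarantee Theorem 1 states, not code from the paper: it assumes the feature perturbation is the standard one-dimensional Piecewise Mechanism on inputs normalised to [-1, 1] (this page does not reproduce the paper's algorithm), and all function names and the budget value are this example's own. It checks numerically that the output density ratio between any two inputs never exceeds $e^{\epsilon}$ and that the perturbed value is an unbiased estimate of the true one.

```python
import math
import random

def pm_bounds(t, eps):
    """Return (C, l, r): outputs lie in [-C, C]; [l, r] is the likely band for input t."""
    s = math.exp(eps / 2)
    C = (s + 1) / (s - 1)
    l = (C + 1) / 2 * t - (C - 1) / 2
    return C, l, l + C - 1

def pm_perturb(t, eps, rng=random):
    """Perturb one feature value t in [-1, 1] under eps-LDP (unbiased output)."""
    if not -1.0 <= t <= 1.0:
        raise ValueError("normalise the feature to [-1, 1] before perturbing")
    C, l, r = pm_bounds(t, eps)
    s = math.exp(eps / 2)
    if rng.random() < s / (s + 1):           # likely band around the true value
        return rng.uniform(l, r)
    left, right = l + C, C - r               # lengths of the two tails
    u = rng.uniform(0.0, left + right)       # uniform over [-C, l) U (r, C]
    return -C + u if u < left else r + (u - left)

def pm_density(y, t, eps):
    """Probability density of output y given true input t."""
    C, l, r = pm_bounds(t, eps)
    if not -C <= y <= C:
        return 0.0
    p = (math.exp(eps) - math.exp(eps / 2)) / (2 * math.exp(eps / 2) + 2)
    return p if l <= y <= r else p / math.exp(eps)

def worst_case_ratio(eps, grid=201):
    """Max over outputs y and input pairs (t, t') of density(y|t) / density(y|t')."""
    C = pm_bounds(0.0, eps)[0]
    inputs = [-1 + 2 * i / (grid - 1) for i in range(grid)]
    worst = 0.0
    for j in range(grid):
        y = -C + 2 * C * (j + 0.5) / grid    # cell midpoints, strictly inside [-C, C]
        dens = [pm_density(y, t, eps) for t in inputs]
        worst = max(worst, max(dens) / min(dens))
    return worst

if __name__ == "__main__":
    eps1 = 1.0  # constructed budget, not a value from the paper
    print("worst ratio:", worst_case_ratio(eps1), "bound e^eps:", math.exp(eps1))
    rng = random.Random(0)
    mean = sum(pm_perturb(0.4, eps1, rng) for _ in range(100_000)) / 100_000
    print("mean of perturbed 0.4:", mean)
```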

Figures (7)

  • Figure 1: A toy example of sequential RS. Each user's interactions are indexed chronologically to form an interaction sequence, and sequential RSs need to predict the next items that users will interact with based on historical interaction sequences.
  • Figure 2: The framework of DIPSGNN. First, user features are perturbed and protected at the input stage. Next, we construct the user behavior graph based on the user interaction sequence. Then, the user behavior graph is protected with our newly designed DIPSGNN at the embedding update stage. Finally, we utilize the updated user embedding and item embedding to make next-item recommendations without leakage of user features and interactions.
  • Figure 3: Recall@20 of DIPSGNN and EdgeRand with different $\epsilon_2$ (privacy budget for protecting user interactions).
  • Figure 4: Recall@20 of DIPSGNN and EdgeRand with different $\epsilon_1$ (privacy budget for protecting user features).
  • Figure 5: Recall@20 of DIPSGNN and EdgeRand with different GNN aggregation steps $T$.
  • ...and 2 more figures

Theorems & Definitions (4)

  • definition 1: Differential Privacy
  • definition 2: Local Differential Privacy
  • theorem 1
  • theorem 2