Physical Trajectory Inference Attack and Defense in Decentralized POI Recommendation
Jing Long, Tong Chen, Guanhua Ye, Kai Zheng, Nguyen Quoc Viet Hung, Hongzhi Yin
TL;DR
This work reveals a concrete privacy risk in decentralized collaborative-learning POI recommenders by introducing PTIA, an attack that infers users' visited POIs from target POIs and their correlated neighbors. It unifies model-sharing and knowledge-distillation CL paradigms through shadow models and an MLP attacker, demonstrating strong inference on two real-world datasets. To counter PTIA, the authors propose AGD, an adversarial game that erases sensitive POIs and their implicit signals with minimal degradation to recommendation performance, outperforming Local Differential Privacy and Embedding Reset baselines. The study highlights the limitations of standard privacy protections in trajectory-aware recommendations and provides a practical defense mechanism for on-device deployment in decentralized POI systems.
Abstract
As an indispensable personalized service within Location-Based Social Networks (LBSNs), the Point-of-Interest (POI) recommendation aims to assist individuals in discovering attractive and engaging places. However, the accurate recommendation capability relies on the powerful server collecting a vast amount of users' historical check-in data, posing significant risks of privacy breaches. Although several collaborative learning (CL) frameworks for POI recommendation enhance recommendation resilience and allow users to keep personal data on-device, they still share personal knowledge to improve recommendation performance, thus leaving vulnerabilities for potential attackers. Given this, we design a new Physical Trajectory Inference Attack (PTIA) to expose users' historical trajectories. Specifically, for each user, we identify the set of interacted POIs by analyzing the aggregated information from the target POIs and their correlated POIs. We evaluate the effectiveness of PTIA on two real-world datasets across two types of decentralized CL frameworks for POI recommendation. Empirical results demonstrate that PTIA poses a significant threat to users' historical trajectories. Furthermore, Local Differential Privacy (LDP), the traditional privacy-preserving method for CL frameworks, has also been proven ineffective against PTIA. In light of this, we propose a novel defense mechanism (AGD) against PTIA based on an adversarial game to eliminate sensitive POIs and their information in correlated POIs. After conducting intensive experiments, AGD has been proven precise and practical, with minimal impact on recommendation performance.