Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Shadow-Free Membership Inference Attacks: Recommender Systems Are More Vulnerable Than You Thought

Xiaoxiao Chi, Xuyun Zhang, Yan Wang, Lianyong Qi, Amin Beheshti, Xiaolong Xu, Kim-Kwang Raymond Choo, Shuo Wang, Hongsheng Hu

TL;DR

This work proposes shadow-free MIAs that directly leverage a user’s recommendations for membership inference and achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.

Abstract

Recommender systems have been successfully applied in many applications. Nonetheless, recent studies demonstrate that recommender systems are vulnerable to membership inference attacks (MIAs), leading to the leakage of users' membership privacy. However, existing MIAs relying on shadow training suffer a large performance drop when the attacker lacks knowledge of the training data distribution and the model architecture of the target recommender system. To better understand the privacy risks of recommender systems, we propose shadow-free MIAs that directly leverage a user's recommendations for membership inference. Without shadow training, the proposed attack can conduct MIAs efficiently and effectively under a practice scenario where the attacker is given only black-box access to the target recommender system. The proposed attack leverages an intuition that the recommender system personalizes a user's recommendations if his historical interactions are used by it. Thus, an attacker can infer membership privacy by determining whether the recommendations are more similar to the interactions or the general popular items. We conduct extensive experiments on benchmark datasets across various recommender systems. Remarkably, our attack achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.

Shadow-Free Membership Inference Attacks: Recommender Systems Are More Vulnerable Than You Thought

TL;DR

This work proposes shadow-free MIAs that directly leverage a user’s recommendations for membership inference and achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.

Abstract

Recommender systems have been successfully applied in many applications. Nonetheless, recent studies demonstrate that recommender systems are vulnerable to membership inference attacks (MIAs), leading to the leakage of users' membership privacy. However, existing MIAs relying on shadow training suffer a large performance drop when the attacker lacks knowledge of the training data distribution and the model architecture of the target recommender system. To better understand the privacy risks of recommender systems, we propose shadow-free MIAs that directly leverage a user's recommendations for membership inference. Without shadow training, the proposed attack can conduct MIAs efficiently and effectively under a practice scenario where the attacker is given only black-box access to the target recommender system. The proposed attack leverages an intuition that the recommender system personalizes a user's recommendations if his historical interactions are used by it. Thus, an attacker can infer membership privacy by determining whether the recommendations are more similar to the interactions or the general popular items. We conduct extensive experiments on benchmark datasets across various recommender systems. Remarkably, our attack achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.
Paper Structure (42 sections, 12 equations, 3 figures, 6 tables)

This paper contains 42 sections, 12 equations, 3 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Recommender Systems.
  4. Membership Inference Attacks.
  5. Methodology
  6. Threat Model
  7. Shadow-based MIAs and Their Limitations
  8. Notations.
  9. Shadow-free Membership Inference
  10. Key Intuition.
  11. i) Creating an Empty User.
  12. ii) Query the Recommender System.
  13. iii) Infer the Membership Privacy.
  14. Experiments
  15. Experimental Setup
  16. ...and 27 more sections

Figures (3)

  • Figure 1: An overview of shadow-free MIAs. The attacker creates a user with an empty profile to obtain the general popular items of the recommender system. For a target user, the attacker examines whether the recommendations of the target user are more similar to his historical interactions or the general popular items to determine the membership status of the target user.
  • Figure 2: Visualization of $\alpha_1-\alpha_2$ data distribution. As we can see, the distributions of member and non-member users are very different.
  • Figure 3: Understanding the impact of the number of recommendations and the length of the feature vector in shadow-free MIAs. As we can see, shadow-free MIAs are stable when varying the two factors.