Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Membership Inference Attacks on Recommender System: A Survey

Jiajie He, Xintong Chen, Xinyang Fang, Min-Chun Chen, Yuechun Gu, Keke Chen

TL;DR

This survey addresses privacy risks in recommender systems by analyzing membership inference attacks (MIAs) that aim to determine whether a user’s data was in the training set. It reviews RecSys-specific MIAs, offers a taxonomy across user-level, interaction-level, and social-level attacks, and examines defenses and evaluation resources. Key contributions include the first comprehensive synthesis of RecSys MIAs, novel taxonomies, and discussions of challenges such as unseen posterior probabilities, data heterogeneity, and privacy-utility trade-offs. The work guides researchers and practitioners by mapping datasets, models, and metrics and by proposing future directions, including extensions to LLM-based recommender systems.

Abstract

Recommender systems (RecSys) have been widely applied to various applications, including E-commerce, finance, healthcare, social media and have become increasingly influential in shaping user behavior and decision-making, highlighting their growing impact in various domains. However, recent studies have shown that RecSys are vulnerable to membership inference attacks (MIAs), which aim to infer whether user interaction record was used to train a target model or not. MIAs on RecSys models can directly lead to a privacy breach. For example, via identifying the fact that a purchase record that has been used to train a RecSys associated with a specific user, an attacker can infer that user's special quirks. In recent years, MIAs have been shown to be effective on other ML tasks, e.g., classification models and natural language processing. However, traditional MIAs are ill-suited for RecSys due to the unseen posterior probability. Although MIAs on RecSys form a newly emerging and rapidly growing research area, there has been no systematic survey on this topic yet. In this article, we conduct the first comprehensive survey on RecSys MIAs. This survey offers a comprehensive review of the latest advancements in RecSys MIAs, exploring the design principles, challenges, attack and defense associated with this emerging field. We provide a unified taxonomy that categorizes different RecSys MIAs based on their characterizations and discuss their pros and cons. Based on the limitations and gaps identified in this survey, we point out several promising future research directions to inspire the researchers who wish to follow this area. This survey not only serves as a reference for the research community but also provides a clear description for researchers outside this research domain.

Membership Inference Attacks on Recommender System: A Survey

TL;DR

This survey addresses privacy risks in recommender systems by analyzing membership inference attacks (MIAs) that aim to determine whether a user’s data was in the training set. It reviews RecSys-specific MIAs, offers a taxonomy across user-level, interaction-level, and social-level attacks, and examines defenses and evaluation resources. Key contributions include the first comprehensive synthesis of RecSys MIAs, novel taxonomies, and discussions of challenges such as unseen posterior probabilities, data heterogeneity, and privacy-utility trade-offs. The work guides researchers and practitioners by mapping datasets, models, and metrics and by proposing future directions, including extensions to LLM-based recommender systems.

Abstract

Recommender systems (RecSys) have been widely applied to various applications, including E-commerce, finance, healthcare, social media and have become increasingly influential in shaping user behavior and decision-making, highlighting their growing impact in various domains. However, recent studies have shown that RecSys are vulnerable to membership inference attacks (MIAs), which aim to infer whether user interaction record was used to train a target model or not. MIAs on RecSys models can directly lead to a privacy breach. For example, via identifying the fact that a purchase record that has been used to train a RecSys associated with a specific user, an attacker can infer that user's special quirks. In recent years, MIAs have been shown to be effective on other ML tasks, e.g., classification models and natural language processing. However, traditional MIAs are ill-suited for RecSys due to the unseen posterior probability. Although MIAs on RecSys form a newly emerging and rapidly growing research area, there has been no systematic survey on this topic yet. In this article, we conduct the first comprehensive survey on RecSys MIAs. This survey offers a comprehensive review of the latest advancements in RecSys MIAs, exploring the design principles, challenges, attack and defense associated with this emerging field. We provide a unified taxonomy that categorizes different RecSys MIAs based on their characterizations and discuss their pros and cons. Based on the limitations and gaps identified in this survey, we point out several promising future research directions to inspire the researchers who wish to follow this area. This survey not only serves as a reference for the research community but also provides a clear description for researchers outside this research domain.

Paper Structure

This paper contains 13 sections, 6 equations, 1 table.

Table of Contents

  1. Introduction
  2. Preliminary
  3. Memebership Inference Attacks on RecSys
  4. user-level MIAs
  5. Interaction-level MIAs
  6. Social-level MIAs
  7. Evaluation
  8. Datasets
  9. Models
  10. Metrics
  11. Defense
  12. Discussion and Future Direction
  13. Conclusion