DOI: 10.1145/3460120.3484770
Research article, ACM CCS conference proceedings

Membership Inference Attacks Against Recommender Systems

Published: 13 November 2021

ABSTRACT

Recently, recommender systems have achieved promising performance and become one of the most widely used web applications. However, recommender systems are often trained on highly sensitive user data, so potential data leakage from recommender systems may lead to severe privacy problems.

In this paper, we make the first attempt at quantifying the privacy leakage of recommender systems through the lens of membership inference. In contrast with traditional membership inference against machine learning classifiers, our attack faces two main differences. First, our attack is at the user level rather than the data-sample level. Second, the adversary can only observe the ordered recommended items from a recommender system instead of prediction results in the form of posterior probabilities. To address the above challenges, we propose a novel method that represents users from relevant items. Moreover, a shadow recommender is established to derive the labeled training data for training the attack model. Extensive experimental results show that our attack framework achieves strong performance. In addition, we design a defense mechanism to effectively mitigate the membership inference threat to recommender systems.


Supplemental Material

CCS21-fp288.mp4

To investigate the privacy problem in recommender systems, we design various membership inference attack strategies. To the best of our knowledge, ours is the first work on membership inference attacks against recommender systems. Compared with membership inference attacks on data-sample-level classifiers, for recommender systems our work focuses on user-level membership status, which cannot be directly obtained from the system outputs. To address these challenges, we propose a novel membership inference attack scheme, the core of which is to obtain user-level feature vectors based on the interactions between users and the target recommender, and to input these feature vectors into attack models. Extensive experimental results show the effectiveness and generalization ability of our attack. To remedy the situation, we further propose a defense mechanism, namely Popularity Randomization. Our empirical evaluations demonstrate that Popularity Randomization can largely mitigate the privacy risks.
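The user-level feature construction and shadow-labelled attack model sketched above, as an added toy example in Python (not the paper's code): the item vectors, the item-based recommender and the nearest-centroid attack model are constructed stand-ins, and representing a user as centroid(interacted) minus centroid(recommended) is an assumed simplification of "representing users from relevant items".

```python
"""Toy user-level membership audit for a top-k recommender (added example).

Constructed: item vectors, item-based CF recommender, nearest-centroid
attack model. The user representation (centroid of interacted items minus
centroid of recommended items) is an assumed simplification of the
paper's 'represent users from relevant items' idea, not the paper's code.
"""
import math
from itertools import combinations

# Constructed 2-d item vectors standing in for learned item embeddings.
ITEM_VECS = {0: (1.0, 0.0), 1: (0.9, 0.1), 2: (0.8, 0.3), 3: (0.6, 0.5),
             4: (0.4, 0.7), 5: (0.2, 0.9), 6: (0.0, 1.0), 7: (0.5, 0.5)}

def train_item_cf(train_users):
    """Cosine item-item similarity from training users' interaction sets."""
    n, cooc = {}, {}
    for items in train_users:
        for i in items:
            n[i] = n.get(i, 0) + 1
        for a, b in combinations(items, 2):
            cooc[(a, b)] = cooc.get((a, b), 0) + 1
            cooc[(b, a)] = cooc.get((b, a), 0) + 1
    return {p: c / math.sqrt(n[p[0]] * n[p[1]]) for p, c in cooc.items()}

def recommend(sim, interacted, k=3):
    """Ordered top-k list: the only output the auditor (adversary) sees."""
    cands = [j for j in ITEM_VECS if j not in interacted]
    score = lambda j: sum(sim.get((i, j), 0.0) for i in interacted)
    return sorted(cands, key=lambda j: (-score(j), j))[:k]

def mean(vecs):
    return tuple(sum(v[d] for v in vecs) / len(vecs) for d in (0, 1))

def user_feature(interacted, recommended):
    """User-level feature: centroid(interacted) - centroid(recommended)."""
    ci = mean([ITEM_VECS[i] for i in interacted])
    cr = mean([ITEM_VECS[i] for i in recommended])
    return (ci[0] - cr[0], ci[1] - cr[1])

def fit_attack(member_feats, nonmember_feats):
    """Attack model trained on shadow-recommender labelled features."""
    return {"member": mean(member_feats), "nonmember": mean(nonmember_feats)}

def predict(model, feat):
    """Label a target user's feature by the nearer shadow centroid."""
    return min(model, key=lambda label: math.dist(model[label], feat))
```

To audit a recommender you operate, train a shadow recommender on held-out shadow users, label their features member/non-member, fit the attack model, and measure how often it separates the target recommender's real members from non-members; anything well above chance is leakage worth mitigating.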

