Abstract:Recent studies have demonstrated the vulnerability of recommender systems to membership inference attacks, which determine whether a user’s historical data was utilized for model training, posing serious privacy leakage issues. Existing works assumed that member and non-member users follow different recommendation modes, and then infer membership based on the difference vector between the user’s historical behaviors and the recommendation list. The previous frameworks are invalid against inductive recommendations, such as sequential recommendations, since the disparities of difference vectors constructed by the recommendations between members and non-members become imperceptible. This motivates us to dig deeper into the target model. In addition, most MIA frameworks assume that they can obtain some in-distribution data from the same distribution of the target data, which is hard to gain in recommender system. To address these difficulties, we propose a Membership Inference Attack framework against sequential recommenders based on Model Extraction(ME-MIA). Specifically, we train a surrogate model to simulate the target model based on two universal loss functions. For a given behavior sequence, the loss functions ensure the recommended items and corresponding rank of the surrogate model are consistent with the target model’s recommendation. Due to the special training mode of the surrogate model, it is hard to judge which user is its member(non-member). Therefore, we establish a shadow model and use shadow model’s members(non-members) to train the attack model later. Next, we build a user feature generator to construct representative feature vectors from the shadow(surrogate) model. The crafting feature vectors are finally input into the attack model to identify users’ membership. Furthermore, to tackle the high cost of obtaining in-distribution data, we develop two variants of ME-MIA, realizing data-efficient and even data-free MIA by fabricating authentic in-distribution data. Notably, the latter is impossible in the previous works. Finally, we evaluate ME-MIA against multiple sequential recommendation models on three real-world datasets. Experimental results show that ME-MIA and its variants can achieve efficient extraction and outperform state-of-the-art algorithms in terms of attack performance.

Membership Inference Attacks Against Sequential Recommender Systems

Debiasing Learning for Membership Inference Attacks Against Recommender Systems

SeqMIA: Sequential-Metric Based Membership Inference Attack

Shadow-Free Membership Inference Attacks: Recommender Systems Are More Vulnerable Than You Thought

Membership Inference Attacks Against Recommender Systems

Membership Inference Attacks Against Latent Factor Model

HP-MIA: A Novel Membership Inference Attack Scheme for High Membership Prediction Precision

Defending Against Membership Inference Attack by Shielding Membership Signals

On the Vulnerability of Data Points under Multiple Membership Inference Attacks and Target Models

Evaluating Membership Inference Attacks and Defenses in Federated Learning

Membership Inference Attacks by Exploiting Loss Trajectory

Membership reconstruction attack in deep neural networks

Asurvey on membership inference attacks and defenses in Machine Learning

A Statistical and Multi-Perspective Revisiting of the Membership Inference Attack in Large Language Models

Advancing Membership Inference Attacks: the Present and the Future

MIST: Defending Against Membership Inference Attacks Through Membership-Invariant Subspace Training

CS-MIA: Membership Inference Attack Based on Prediction Confidence Series in Federated Learning

Membership Inference Attacks on Machine Learning: A Survey

MIA-BAD: An Approach for Enhancing Membership Inference Attack and its Mitigation with Federated Learning

Is Difficulty Calibration All We Need? Towards More Practical Membership Inference Attacks