Differentially Private Neighborhood-based Recommender Systems
Jun Wang, Qiang Tang

TL;DR
This paper introduces two differentially private neighborhood-based recommender system methods that effectively balance privacy and accuracy, outperforming private matrix factorization approaches at small privacy budgets.
Contribution
The paper proposes novel differential privacy techniques for neighborhood-based recommender systems, including Laplace noise calibration and Bayesian sampling, improving privacy-utility trade-offs.
Findings
Both methods maintain promising accuracy with modest privacy budgets.
The Bayesian sampling approach yields better accuracy with convergence.
Our solutions outperform private matrix factorization at small privacy budgets.
Abstract
Privacy issues of recommender systems have become a hot topic for the society as such systems are appearing in every corner of our life. In contrast to the fact that many secure multi-party computation protocols have been proposed to prevent information leakage in the process of recommendation computation, very little has been done to restrict the information leakage from the recommendation results. In this paper, we apply the differential privacy concept to neighborhood-based recommendation methods (NBMs) under a probabilistic framework. We first present a solution, by directly calibrating Laplace noise into the training process, to differential-privately find the maximum a posteriori parameters similarity. Then we connect differential privacy to NBMs by exploiting a recent observation that sampling from the scaled posterior distribution of a Bayesian model results in provably…
| the rating that user gave item | |
|---|---|
| the similarity between item and | |
| rating matrix | |
| all the observed ratings or training data | |
| item similarity matrix | |
| similarity vector of item | |
| ’s rating vector without the item being modeled | |
| hyperparameters of and respectively | |
| any NBM which takes as input the and | |
| prior distribution of | |
| likelihood function of conditioned on | |
| likelihood function of |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsPrivacy-Preserving Technologies in Data · Random Matrices and Applications · Stochastic Gradient Optimization Techniques
11institutetext: 1University of Luxembourg
2Luxembourg Institute of Science and Technology
11email: [email protected]; 11email: [email protected]
Differentially Private Neighborhood-based Recommender Systems
Jun Wang1
Qiang Tang2
Abstract
Privacy issues of recommender systems have become a hot topic for the society as such systems are appearing in every corner of our life. In contrast to the fact that many secure multi-party computation protocols have been proposed to prevent information leakage in the process of recommendation computation, very little has been done to restrict the information leakage from the recommendation results. In this paper, we apply the differential privacy concept to neighborhood-based recommendation methods (NBMs) under a probabilistic framework. We first present a solution, by directly calibrating Laplace noise into the training process, to differential-privately find the maximum a posteriori parameters similarity. Then we connect differential privacy to NBMs by exploiting a recent observation that sampling from the scaled posterior distribution of a Bayesian model results in provably differentially private systems. Our experiments show that both solutions allow promising accuracy with a modest privacy budget, and the second solution yields better accuracy if the sampling asymptotically converges. We also compare our solutions to the recent differentially private matrix factorization (MF) recommender systems, and show that our solutions achieve better accuracy when the privacy budget is reasonably small. This is an interesting result because MF systems often offer better accuracy when differential privacy is not applied.
Keywords:
Recommender System; Collaborative Filtering; Differential Privacy
1 Introduction
Recommender systems, particularly collaborative filtering (CF) systems, have been widely deployed due to the success of E-commerce [29]. There are two dominant approaches in CF. One is matrix factorization (MF) [15] which models the user preference matrix as a product of two low-rank user and item feature matrices, and the other is neighborhood-based method (NBM) which leverages the similarity between items or users to estimate user preferences [8]. Generally, MF is more accurate than NBM [29], while NBM has an irreplaceable advantage that it naturally explains the recommendation results. In addition, recent research shows that MF falls short in session-based recommendation while NBMs allow promising accuracy [13]. Therefore, NBM is still an interesting research topic for the community.
In reality, industrial CF recommender and ranking systems often adopt a client-server model, in which a single server (or, server cluster) holds databases and serves a large number of users. CF exploits the fact that similar users are likely to prefer similar products, unfortunately this property facilitates effective user de-anonymization and history information recovery through the recommendation results [5, 21]. To this end, NBM is more fragile (e.g. [5, 19]), since it is essentially a simple linear combination of user history information which is weighted by the normalized similarity between users or items. In this paper, we aim at preventing information leakage from the recommendation results, for the NBM systems. Note that a related research topic is to avoid the server from accessing the users’ plaintext inputs, and many solutions exist for this (e.g. [22, 30]). Combining them with our solution will result in a comprehensive solution, which prevent information leakage from both the computation process and final recommendation results. We skip the details here.
Differential privacy [10] provides rigorous privacy protection for user information in statistical databases. Intuitively, it offers a participant the possibility to deny his participation in a computation. Some works, such as [17, 37], have been proposed for some specific NBMs, which adopt correlations or artificially defined metrics as similarity [8] and are less appealing from the perspective of accuracy. It remains as an open issue to apply the differential privacy concept to more sophisticated NBM models, which automatically learn similarity from training data (e.g. [26, 31, 33]). Particularly, probabilistic NBM [33] models the dependencies among observations (ratings) which leads user preference estimation to a penalized risk minimization problem to search optimal unobserved factors (In our context, the unobserved factor is similarity). It has been shown that the instantiation in [33] outperforms most other NBM systems and even the MF or probabilistic MF systems in many settings.
1.1 Our Contribution
Due to its accuracy advantages, we focus on the probabilistic NBM systems in our study. Inspired by [4, 16], we propose two methods to instantiate differentially private solutions.
First, we calibrate noise into the training process (i.e. SGD) to differential-privately find the maximum a posteriori similarity. This instantiation achieves differential privacy for each rating value. Second, we link the differential privacy concept to probabilistic NBM, by sampling from scaled posterior distribution. For the sake of efficiency, we employ a recent MCMC method, namely Stochastic Gradient Langevin Dynamics (SGLD) [36], as the sampler. In order to use SGLD, we derive an unbiased estimator of similarity gradient from a mini-batch. This instantiation achieves differential privacy for every user profile (rating vector).
To evaluate our solutions, we carry out experiments to compare our solutions to the state-of-the-art differentially private MFs, and also to compare our solutions between themselves. Our results show that differentially private MFs are more accurate when privacy loss is large (extremely, in a non-private case), but differentially private NBMs are better when privacy loss is set in a more reasonable range. Even with the added noises, both our solutions consistently outperform non-private traditional NBMs in accuracy. Despite the complexity concern, our solution with posterior sampling (i.e. SGLD) outperforms the other from the accuracy perspective.
1.2 Organization
The rest of this paper is organized as follows. In Section 2, we recap the preliminary knowledge. In Section 3 and 4, we present our two differentially private NBM solutions respectively. In Section 5, we present our experiment results. In Section 6, we present the related work. In Section 7, we conclude the paper.
2 Preliminary
Generally, NBMs can be divided into user-user approach (relies on similarity between users) and item-item approach (relies on similarity between items) [8]. Probabilistic NBM can be regarded as a generic methodology, to be employed by any other specific NBM system. Commonly, the item-item approach is more accurate and robust than the user-user approach [8, 19]. In this paper, we take the item-item approach as an instance to introduce the probabilistic NBM concept from [33]. We also review the concept of differential privacy.
2.1 Review Probabilistic NBM
Suppose we have a dataset with users and items. Probabilistic NBM [33] assumes the observed ratings conditioned on historical ratings with Gaussian noise, see Fig. 1. Some notation is summarized in Table 1. The likelihood function of observations and prior of similarity are written as
[TABLE]
where denotes the Gaussian distribution with mean and precision . indicates that if item is being modeled then it is excluded from the training data . denotes any NBM which takes as inputs the and . In the following, we instantiate it to be a typical NBM [8]:
[TABLE]
denotes the estimation of user ’s preference on item , is item ’s mean rating value, is the rating indicator if user rated item , otherwise, . Similar with , denotes user ’s indicator vector but set if is the item being estimated. For the ease of notation, we will omit the term and present Equation (2) in a vectorization form in favor of a slightly more succinct notation.
The log of the posterior distribution over the similarity is
[TABLE]
Thanks to the simplicity of the log-posterior distribution (i.e. , where we omit the constant terms in Equation (3)). We can have two approaches to solve this risk minimization problem.
- •
Stochastic Gradient Descent (SGD). In this approach, is treated as an error function. SGD can be adopted to minimize the error function. In each SGD iteration we update the gradient of similarity () with a set of randomly chosen ratings by
[TABLE]
where is the learning rate, is the regular parameter, the set may contain users. In Section 3, we will introduce how to build the differentially private SGD to train probabilistic NBM.
- •
Monte Carlo Markov Chain (MCMC). We estimate the predictive distribution of an unknown rating by a Monte Carlo approximation. In Section 4, we will connect differential privacy to samples from the posterior , via Stochastic Gradient Langevin Dynamics (SGLD) [36].
2.2 Differential Privacy
Differential privacy [10], which is a dominate security definition against inference attacks, aims to rigorously protect sensitive data in statistical databases. It allows to efficiently perform machine learning tasks with quantified privacy guarantee while accurately approximating the non-private results.
Definition 1
(Differential Privacy [10]) A random algorithm is differentially private if for all and for any of all which only differs on one single record such that satisfies
[TABLE]
And guarantees differential privacy if .
The parameter states the difference of algorithm ’s output for any . It measures the privacy loss. Lower indicates stronger privacy protection.
Laplace Mechanism [9] is a common approach to approximate a real-valued function with a differential privacy preservation using additive noise sampled from Laplace distribution: , where the indicates the largest possible change between the outputs of the function which takes as input any neighbor databases . It is referred to as the -sensitivity which is defined as: .
Sampling from the posterior distribution of a Bayesian model with bounded log-likelihood, recently, has been proven to be differentially private [34]. It is essentially an exponential mechanism [18]. Formally, suppose we have a dataset of i.i.d examples which we model using a conditional probability distribution where is a parameter vector, with a prior distribution . If satisfies , then releasing one sample from the posterior distribution with any prior preserves differential privacy. Alternatively, differential privacy can be preserved by simply rescaling the log-posterior distribution by a factor of , under the regularity conditions where asymptotic normality (Bernstein-von Mises theorem) holds.
3 Differentially Private SGD
When applying the differential privacy concept, treating the training model (process) as a black box, by only working on the original input or finally output, may result in very poor utility [1, 4]. In contrast, by leveraging the tight characterization of training data, NBM and SGD, we directly calibrate noise into the SGD training process, via Laplace mechanism, to differential-privately learn similarity. Algorithm 1 outlines our differentially-private SGD method for training probabilistic NBM.
According to Equation (3) and (4), for each user (in a randomly chosen mini-batch ) the gradient of similarity is
[TABLE]
where . For the convenience of notation, we omit part in Equation (5) which does not compromise the correctness of bound estimation.
To achieve differential privacy, we update the gradient by adding Laplace noise (Algorithm 1, line 6). The amount of noise is determined by the bound of gradient (sensitivity ) which further depends on and . We reduce the sensitivity by exploiting the characteristics of training data, NBM and SGD respectively, by the following tricks.
Preprocessing is often adopted in machine learning for utility reasons. In our case, it can contribute to privacy protection. For example, we only put users who have more than 20 ratings in the training data. It results in a bigger thus will reduce sensitivity. Suppose the rating scale is , removing “paranoid” records makes hold, where .
Rescaling the value of similarity allows a lower sensitivity. NBM, see Equation (2), allows us to rescale the similarity to an arbitrarily large magnitude such that we can further reduce the sensitivity ( by increasing the value of ). However, the initialization of similarity strongly influences the convergence of the training. Thus, it is important to balance the convergence (accuracy) and the value of similarity (privacy). Another observation is that the gradient down-scales when enlarging the similarity, see Equation (5). We can up-scale the gradient monotonically during the training process (Algorithm 1, line 1 and 7). Fig. 2 shows , let , the lower bound of , denote as , is 10.
The prediction error decreases when the training goes to convergence such that we can clamp to a lower bound dynamically. In our experiments, we bound the prediction error as , where is the iteration index. This constraint trivially influences the convergence under non-private training process.
After applying all the tricks, we have the dynamic gradient bound at iteration as follows
[TABLE]
The sensitivity of each iteration is .
Theorem 3.1
Uniform-randomly sample examples from a dataset of the size , Algorithm 1 achieves differential privacy if in each SGD iteration we set where is the number of iterations and .
Proof
In Algorithm 1, suppose the number of iterations is known in advance, and each SGD iteration maintains differential privacy. The privacy enhancing technique [3, 14] indicates that given a method which is differentially private over a deterministic training set, then it maintains differential privacy with respect to a full database if we uniform-randomly sample training set from the database where is the sampling ratio. Finally, combining the privacy enhancing technique with composition theory [10], it ensures the iterations SGD process maintain the overall bound of differential privacy. ∎
4 Differentially Private Posterior Sampling
Sampling from the posterior distribution of a Bayesian model with bounded log-likelihood has free differential privacy to some extent [34]. Specifically, for probabilistic NBM, releasing a sample of the similarity ,
[TABLE]
achieves differential privacy at user level, if each user’s log-likelihood is bounded to B, i.e. . Wang et al. [34] showed that we can achieve differential privacy by simply rescaling the log-posterior distribution with , i.e. .
Posterior sampling is computationally costly. For the sake of efficiency, we adopt a recent introduced Monte Carlo method, Stochastic Gradient Langevin Dynamics (SGLD) [36], as our MCMC sampler. To successfully use SGLD, we need to derive an unbiased estimator of similarity gradient from a mini-batch which is a non-trivial task.
Next, we first overview the basic principles of SGLD (Section 4.1), then we derive an unbiased estimator of the true similarity gradient (Section 4.2), and finally present our privacy-preserving algorithm (Section 4.3).
4.1 Stochastic Gradient Langevin Dynamics
SGLD is an annealing of SGD and Langevin dynamics [27] which generates samples from a posterior distribution. Intuitively, it adds an amount of Gaussian noise calibrated by the step sizes (learning rate) used in the SGD process, and the step sizes are allowed to go to zero. When it is far away from the basin of convergence, the update is much larger than noise and it acts as a normal SGD process. The update decreases when the sampling approaches to the convergence basin such that the noise dominated, and it behaves like a Brownian motion. SGLD updates the candidate states according to the following rule.
[TABLE]
where is a sequence of step sizes. denotes conditional probability distribution, and is a parameter vector with a prior distribution . is the size of a mini-batch randomly sampled from dataset . To ensure convergence to a local optimum, the following requirements of step size have to be satisfied:
[TABLE]
Decreasing step size reduces the discretization error such that the rejection rate approaches zero, thus we do not need accept-reject test. Following the previous works, e.g. [16, 36], we set step size , commonly, . In order to speed up the burn-in phase of SGLD, we multiply the step size by a temperature parameter () where [7].
4.2 Unbiased Estimator of The Gradient
The log-posterior distribution of similarity has been defined in Equation (3). The true gradient of the similarity over can be computed as
[TABLE]
where . To use SGLD and make it converge to true posterior distribution, we need an unbiased estimator of the true gradient which can be computed from a mini-batch . Assume that the size of and are and respectively. The stochastic approximation of the gradient is
[TABLE]
where . is symmetric binary matrix, and if any item-pair exists in , otherwise 0. presents element-wise product (i.e. Hadamard product). The expectation of over all possible mini-batches is,
[TABLE]
is not an unbiased estimator of the true gradient due to the prior term . Let , we can remove this bias by multiplying the prior term with thus to obtain an unbiased estimator. Follow previous approach [2], we assume the mini-batches are sampled with replacement, then is,
[TABLE]
where (resp. ) denotes the number of ratings of item (resp. ) in the complete dataset . Then the SGLD update rule is the following:
[TABLE]
4.3 Differential Privacy via Posterior Sampling
To construct a differentially private NBM, we exploit a recent observation that sampling from scaled posterior distribution of a Bayesian model with bounded log-likelihood can achieve differential privacy [34]. We summarize the differentially private sampling process (via SGLD) in Algorithm 2.
Now, a natural question is how to determine the log-likelihood bound ? (, and see Equation (7)). Obviously, depends on the max rating number per user. To those users who rated more than items, we randomly remove some ratings thus to ensure that each user at most has ratings. In our context, the rating scale is [1,5], let , we have (In reality, most users have less than 200 ratings [16]).
Theorem 4.1
Algorithm 2 provides differential privacy guarantee to any user if the distribution where the approximate samples from is far away from the true posterior distribution , formally . And if the MCMC sampling asymptotically converges.
Proof
Essentially, differential privacy via posterior sampling [34] is an exponential mechanism [18] which protects differential privacy when releasing a sample with probability proportional to , where serves as the utility function. If is bounded to , we have the sensitivity . Thus, release a sample by Algorithm 2 preserves differential privacy. It compromises the privacy guarantee to if the distribution (where the sample from) is far away from the true posterior distribution, proved by [34]. ∎
Note that when , the differentially private sampling process is identical to the non-private sampling. This is also the meaning of some extent of free privacy. It starts to lose accuracy when . One concern of this sampling approach is the distance between the distribution where the samples from and the true posterior distribution, which compromises the differential privacy guarantee. Fortunately, an emerging line of works, such as [28, 32], proved that SGLD can converge in finite iterations. As such we can have arbitrarily small with a (large) number of iterations.
5 Experiments and Evaluation
We test the proposed solutions on two real world datasets, ML100K and ML1M [20], which are widely employed for evaluating recommender systems. ML100K dataset has 100K ratings that 943 users assigned to 1682 movies. ML1M dataset contains 1 million ratings that 6040 users gave to 3952 movies. In the experiments, we adopt 5-fold cross validation for training and evaluation. We use root mean square error (RMSE) to measure accuracy performance:
[TABLE]
where is the total number of ratings in the test set . The lower the RMSE value the higher the accuracy. As a result of cross validation, the RMSE value reported in the following figures is the mean value of multiple runs.
5.1 Experiments Setup
In the following, the differentially-private SGD based PNBM is referred to as DPSGD-PNBM, and the differentially-private posterior sampling PNBM is referred as DPPS-PNBM. The experiment source code is available at Github111https://github.com/lux-jwang/Experiments/tree/master/dpnbm.
We compare their performances with the following (state-of-the-art) baseline algorithms.
- •
*non-private PCC and COS: * There exist differentially-private NBMs based on Pearson correlation (PCC) or Cosine similarity (COS) NBMs (e.g. [17, 37, 12]). Since their accuracy is worse than the non-private algorithms, we directly focus on these non-private ones.
- •
*DPSGD-MF: * Differentially private matrix factorization from [4], which calibrates Laplacian noise into the SGD training process.
- •
*DPPS-MF: * Differentially private matrix factorization from [16], which exploits the posterior sampling technique.
We empirically choose the optimal parameters for each model using a heuristic grid search method. We summarize them as follows.
- •
*DPSGD-PNBM: * The learning rate is searched in , and the iteration number , the regular parameter , the rescale parameter . The neighbor size , the lower bound of . In the training process, we decrease and increase when requiring a stronger privacy guarantee (a smaller ).
- •
*DPPS-PNBM: * The initial learning rate , , the temperature parameter , the decay parameter . .
- •
*DPSGD-MF: * , (the smaller privacy loss the less iterations), , the latent feature dimension .
- •
*DPPS-MF: * , , , ,.
- •
*non-private PCC and COS: * For ML100K, we set . For ML1M, we set .
5.2 Comparison Results
We first compare the accuracy between DPSGD-PNBM, DPSGD-MF, non-private PCC and COS and show the results in Fig. 3 for the two datasets respectively. When , DPSGD-MF does not lose much accuracy, and it is better than non-private PCC and COS. However, the accuracy drops quickly (or, the RMSE increase quickly) when the privacy loss is reduced. This matches the observation in [4]. In the contrast, DPSGD-PNBM maintains a promising accuracy when , and is better than non-private PCC and COS.
DPPS-PNBM and DPPS-MF preserve differential privacy at user level. We denote the privacy loss in form of where is a float value which indicates the average privacy loss at a rating level, and is the max rate number per user. The comparison is shown in Fig. 4. In our context, for both datasets, . Both DPPS-PNBM and DPPS-MF allow accurate estimations when . It may seem that is a meaningless privacy guarantee. We remark that the average privacy of a rating level is 0.1. Besides the accuracy performance is better than the non-private PCC and COS, from the point of privacy loss ratio, our models match previous works [16, 17], where the authors showed that differentially private systems may not lose much accuracy when .
For bandwidth and efficiency reason, mobile service providers may prefer to store the trained model (e.g. item similarity) in mobile devices directly. Commercial recommender systems often have very large similarity matrix such that the shortage of memory space in mobile devices may become a bottleneck. In order to alleviate this issue, we choose the most similar neighbors only by similarity matrix, by removing the rest neighbors of each item, such that we can sparsely store the matrix in practice. We compare accuracy with different number of neighbors with , and summarize the results in Fig. 5. We stress two observations. Both DPSGD-PNBM and DPPS-PNBM reach their best accuracy with a smaller neighbor size. The accuracy of both DPSGD-PNBM and DPPS-PNBM is less sensitive than PCC and COS, when neighbor size is changed. This helps mitigate over-fitting problem and enhance system robustness.
DPSGD-PNBM and DPPS-PNBM achieve differential privacy at rating level (a single rating) and user level (a whole user profile) respectively. Below, we try to compare them at rating level, precisely at the average rating level for DPPS-PNBM. Fig. 6 shows that both solutions can obtain quite accurate predictions with a privacy guarantee (). With the same privacy guarantee, DPPS-PNBM seems to be more accurate. However, DPPS-PNBM has its potential drawback. Recall from Section 4, the difference between the distribution where samples from and the true posterior distribution compromises differential privacy guarantee. In order to have an arbitrarily small , DPPS-PNBM requires a large number of iterations [28, 32]. At this point, it is less efficient than DPSGD-PNBM. In our comparison, we assume .
5.3 Summary
In summary, DPSGD-MF and DPPS-MF are more accurate when privacy loss is large (e.g. in a non-private case). DPSGD-PNBM and DPPS-PNBM are better when we want to reduce the privacy loss to a meaningful range. Both our models consistently outperform non-private traditional NBMs, with a meaningful differential privacy guarantee. Note that similarity is independent of NBM itself, thus other neighborhood-based recommenders can use our models to differential-privately learn Similarity, and deploy it to their existing systems without requiring extra effort.
6 Related Work
A number of works have demonstrated that an attacker can infer the user sensitive information, such as gender and politic view, from public recommendation results without using much background knowledge [5, 11, 21, 35].
Randomized data perturbation is one of earliest approaches to prevent user data from inference attack in which people either add random noise to their profiles or substitute some randomly chosen ratings with real ones (e.g.[23, 24, 25]). While this approach is very simple, it does not offer rigorous privacy guarantee. Differential privacy [10] aims to precisely protect user privacy in statistical databases, and the concept has become very popular recently. [17] is the first work to apply differential privacy to recommender systems, and it has considered both neighborhood-based methods (using correlation as similarity) and latent factor model (e.g. SVD). [37] introduced a differentially private neighbor selection scheme by injecting Laplace noise to the similarity matrix. [12] presented a scheme to obfuscate user profiles that preserves differential privacy. [4, 16] applied differential privacy to matrix factorization, and we have compared our solutions to theirs in Section 5.
Secure multiparty computation (SMC) recommender systems allow users to compute recommendation results without revealing their inputs to other parties. Many protocols have been proposed in the literature, e.g. [6, 30, 22]. Unfortunately, these protocols do not prevent information leakage from the recommendation results.
7 Conclusion
In this paper, we have proposed two different differentially private NBMs, under a probabilistic framework. We firstly introduced a way to differential-privately find the maximum a posteriori similarity by calibrating noise to the SGD training process. Then we built differentially private NBM by exploiting the fact that sampling from scaled posterior distribution can result in differentially private systems. While the experiment results have demonstrated that our models allow promising accuracy with a modest privacy budget in some well-known datasets, we consider it as an interesting future work to test the performances in other real world datasets.
Acknowledgments
Both authors are supported by a CORE (junior track) grant from the National Research Fund, Luxembourg.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] M. Abadi, A. Chu, I. Goodfellow, H. B. Mc Mahan, I. Mironov, K. Talwar, and L. Zhang. Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security . ACM, 2016.
- 2[2] S. Ahn, A. Korattikara, N. Liu, S. Rajan, and M. Welling. Large-scale distributed bayesian matrix factorization using stochastic gradient mcmc. In Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining , pages 9–18. ACM, 2015.
- 3[3] A. Beimel, H. Brenner, S. P. Kasiviswanathan, and K. Nissim. Bounds on the sample complexity for private learning and private data release. Machine learning , 94(3):401–437, 2014.
- 4[4] A. Berlioz, A. Friedman, M. A. Kaafar, R. Boreli, and S. Berkovsky. Applying differential privacy to matrix factorization. In Proceedings of the 9th ACM Conference on Recommender Systems , pages 107–114. ACM, 2015.
- 5[5] J. A. Calandrino, A. Kilzer, A. Narayanan, E. W. Felten, and V. Shmatikov. ” you might also like:” privacy risks of collaborative filtering. In 2011 IEEE Symposium on Security and Privacy , pages 231–246. IEEE, 2011.
- 6[6] J. Canny. Collaborative filtering with privacy. In Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on , pages 45–57. IEEE, 2002.
- 7[7] T. Chen, E. B. Fox, and C. Guestrin. Stochastic gradient hamiltonian monte carlo. In ICML , pages 1683–1691, 2014.
- 8[8] C. Desrosiers and G. Karypis. A comprehensive survey of neighborhood-based recommendation methods. In Recommender systems handbook . Springer, 2011.
