Data Leakage via Access Patterns of Sparse Features in Deep Learning-based Recommendation Systems

TL;DR

This paper investigates how access patterns to sparse feature embeddings in cloud-based recommendation systems can leak private user information, highlighting potential security risks despite existing privacy-preserving methods.

Contribution

It characterizes attack types on sparse feature access patterns in recommendation models and demonstrates how these can lead to user privacy breaches.

Findings

Access patterns can reveal user behavior and private data.

Attacks can track users over time through embedding table access.

Current privacy methods may not fully prevent access pattern leakage.

Abstract

Online personalized recommendation services are generally hosted in the cloud where users query the cloud-based model to receive recommended input such as merchandise of interest or news feed. State-of-the-art recommendation models rely on sparse and dense features to represent users' profile information and the items they interact with. Although sparse features account for 99% of the total model size, there was not enough attention paid to the potential information leakage through sparse features. These sparse features are employed to track users' behavior, e.g., their click history, object interactions, etc., potentially carrying each user's private information. Sparse features are represented as learned embedding vectors that are stored in large tables, and personalized recommendation is performed by using a specific user's sparse feature to index through the tables. Even with recently-proposed methods that hides the computation happening in the cloud, an attacker in the cloud may be able to still track the access patterns to the embedding tables. This paper explores the private information that may be learned by tracking a recommendation model's sparse feature access patterns. We first characterize the types of attacks that can be carried out on sparse features in recommendation models in an untrusted cloud, followed by a demonstration of how each of these attacks leads to extracting users' private information or tracking users by their behavior over time.