Inferring Communities of Interest in Collaborative Learning-based Recommender Systems

TL;DR

This paper introduces a novel, efficient community inference attack on federated and gossip learning recommender systems, demonstrating its high accuracy and evaluating mitigation strategies for privacy protection.

Contribution

It proposes the Community Inference Attack (CIA), a low-cost, comparison-based method to identify community members, and evaluates mitigation strategies like DP-SGD and Share less.

Findings

CIA can be up to 10 times more accurate than random guessing.

Share less policy provides a better privacy-utility trade-off.

CIA is effective across multiple datasets and models.

Abstract

Collaborative-learning-based recommender systems, such as those employing Federated Learning (FL) and Gossip Learning (GL), allow users to train models while keeping their history of liked items on their devices. While these methods were seen as promising for enhancing privacy, recent research has shown that collaborative learning can be vulnerable to various privacy attacks. In this paper, we propose a novel attack called Community Inference Attack (CIA), which enables an adversary to identify community members based on a set of target items. What sets CIA apart is its efficiency: it operates at low computational cost by eliminating the need for training surrogate models. Instead, it uses a comparison-based approach, inferring sensitive information by comparing users' models rather than targeting any specific individual model. To evaluate the effectiveness of CIA, we conduct experiments on three real-world recommendation datasets using two recommendation models under both Federated and Gossip-like settings. The results demonstrate that CIA can be up to 10 times more accurate than random guessing. Additionally, we evaluate two mitigation strategies: Differentially Private Stochastic Gradient Descent (DP-SGD) and a Share less policy, which involves sharing fewer, less sensitive model parameters. Our findings suggest that the Share less strategy offers a better privacy-utility trade-off, especially in GL.