Model Stealing Attack against Recommender System
Zhihao Zhu, Rui Fan, Chenwang Wu, Yi Yang, Defu Lian, Enhong Chen

TL;DR
This paper presents a novel model stealing attack on recommender systems that leverages auxiliary data and attention mechanisms to effectively extract recommendation models, even with limited target data and queries.
Contribution
It introduces a new attack method using auxiliary data and attention fusion to improve model stealing effectiveness against recommender systems.
Findings
Effective attack performance on multiple datasets
Applicable to various recommender system scenarios
Utilizes auxiliary data to enhance attack success
Abstract
Recent studies have demonstrated the vulnerability of recommender systems to data privacy attacks. However, research on the threat to model privacy in recommender systems, such as model stealing attacks, is still in its infancy. Some adversarial attacks have achieved model stealing attacks against recommender systems, to some extent, by collecting abundant training data of the target model (target data) or making a mass of queries. In this paper, we constrain the volume of available target data and queries and utilize auxiliary data, which shares the item set with the target data, to promote model stealing attacks. Although the target model treats target and auxiliary data differently, their similar behavior patterns allow them to be fused using an attention mechanism to assist attacks. Besides, we design stealing functions to effectively extract the recommendation list obtained by…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Advanced Graph Neural Networks · Adversarial Robustness in Machine Learning
Methods: Sparse Evolutionary Training
