Shadow-Free Membership Inference Attacks: Recommender Systems Are More Vulnerable Than You Thought

TL;DR

This paper introduces shadow-free membership inference attacks that exploit user recommendation similarity to reveal membership privacy in recommender systems, outperforming existing methods in accuracy and efficiency.

Contribution

It presents a novel shadow-free attack method that does not require shadow training, improving privacy attack effectiveness on recommender systems.

Findings

Achieves higher attack accuracy than baselines

Requires lower computational cost

Effective under black-box access scenarios

Abstract

Recommender systems have been successfully applied in many applications. Nonetheless, recent studies demonstrate that recommender systems are vulnerable to membership inference attacks (MIAs), leading to the leakage of users' membership privacy. However, existing MIAs relying on shadow training suffer a large performance drop when the attacker lacks knowledge of the training data distribution and the model architecture of the target recommender system. To better understand the privacy risks of recommender systems, we propose shadow-free MIAs that directly leverage a user's recommendations for membership inference. Without shadow training, the proposed attack can conduct MIAs efficiently and effectively under a practice scenario where the attacker is given only black-box access to the target recommender system. The proposed attack leverages an intuition that the recommender system personalizes a user's recommendations if his historical interactions are used by it. Thus, an attacker can infer membership privacy by determining whether the recommendations are more similar to the interactions or the general popular items. We conduct extensive experiments on benchmark datasets across various recommender systems. Remarkably, our attack achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.