LLM4MEA: Data-free Model Extraction Attacks on Sequential Recommenders via Large Language Models

TL;DR

This paper introduces LLM4MEA, a novel data-free model extraction attack on sequential recommenders that uses large language models as human-like rankers to generate high-quality data, significantly improving attack effectiveness.

Contribution

The paper proposes LLM4MEA, a new method leveraging LLMs for data generation in model extraction attacks, overcoming prior limitations of random sampling and improving attack success.

Findings

LLM4MEA reduces data divergence by up to 64.98%.

It improves attack performance by 44.82% on average.

The method outperforms existing approaches in data quality and effectiveness.

Abstract

Recent studies have demonstrated the vulnerability of sequential recommender systems to Model Extraction Attacks (MEAs). MEAs collect responses from recommender systems to replicate their functionality, enabling unauthorized deployments and posing critical privacy and security risks. Black-box attacks in prior MEAs are ineffective at exposing recommender system vulnerabilities due to random sampling in data selection, which leads to misaligned synthetic and real-world distributions. To overcome this limitation, we propose LLM4MEA, a novel model extraction method that leverages Large Language Models (LLMs) as human-like rankers to generate data. It generates data through interactions between the LLM ranker and target recommender system. In each interaction, the LLM ranker analyzes historical interactions to understand user behavior, and selects items from recommendations with consistent preferences to extend the interaction history, which serves as training data for MEA. Extensive experiments demonstrate that LLM4MEA significantly outperforms existing approaches in data quality and attack performance, reducing the divergence between synthetic and real-world data by up to 64.98% and improving MEA performance by 44.82% on average. From a defensive perspective, we propose a simple yet effective defense strategy and identify key hyperparameters of recommender systems that can mitigate the risk of MEAs.