Membership Inference Attacks on LLM-based Recommender Systems
Jiajie He, Min-Chun Chen, Xintong Chen, Xinyang Fang, Yuechun Gu, Keke Chen

TL;DR
This paper investigates privacy risks in LLM-based recommender systems by designing and evaluating novel membership inference attacks that can reveal sensitive user interaction data, highlighting significant security concerns.
Contribution
It introduces new membership inference attack methods tailored for LLM-based RecSys and provides comprehensive evaluation and analysis of their effectiveness and influencing factors.
Findings
Inquiry and poisoning attacks have high success rates.
MIA threats are realistic and pose privacy risks.
Factors like prompt structure influence attack success.
Abstract
Large language model (LLM)-based recommender systems (RecSys) can adapt to different domains flexibly. They utilize in-context learning (ICL), i.e., prompts, to customize the recommendation functions, which include sensitive historical user-specific item interactions, encompassing implicit feedback such as clicked items and explicit product reviews. Such private information may be exposed by novel privacy attacks. However, no study has been conducted on this important issue. We design several membership inference attacks (MIAs) aimed at revealing whether system prompts include victims' historical interactions. The attacks are Similarity, Memorization, Inquiry, and Poisoning attacks, each utilizing unique features of LLMs or RecSys. We have carefully evaluated them on five of the latest open-source LLMs and three well-known RecSys benchmark datasets. The results confirm that the…
