TY - GEN
T1 - Shadow-free membership inference attacks
T2 - International Joint Conference on Artificial Intelligence (33rd : 2024)
AU - Chi, Xiaoxiao
AU - Zhang, Xuyun
AU - Wang, Yan
AU - Qi, Lianyong
AU - Beheshti, Amin
AU - Xu, Xiaolong
AU - Choo, Kim-Kwang Raymond
AU - Wang, Shuo
AU - Hu, Hongsheng
PY - 2024
Y1 - 2024
N2 - Recommender systems have been successfully applied in many applications. Nonetheless, recent studies demonstrate that recommender systems are vulnerable to membership inference attacks (MIAs), leading to the leakage of users' membership privacy. However, existing MIAs relying on shadow training suffer a large performance drop when the attacker lacks knowledge of the training data distribution and the model architecture of the target recommender system. To better understand the privacy risks of recommender systems, we propose shadow-free MIAs that directly leverage a user's recommendations for membership inference. Without shadow training, the proposed attack can conduct MIAs efficiently and effectively under a practice scenario where the attacker is given only black-box access to the target recommender system. The proposed attack leverages an intuition that the recommender system personalizes a user's recommendations if his historical interactions are used by it. Thus, an attacker can infer membership privacy by determining whether the recommendations are more similar to the interactions or the general popular items. We conduct extensive experiments on benchmark datasets across various recommender systems. Remarkably, our attack achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.
AB - Recommender systems have been successfully applied in many applications. Nonetheless, recent studies demonstrate that recommender systems are vulnerable to membership inference attacks (MIAs), leading to the leakage of users' membership privacy. However, existing MIAs relying on shadow training suffer a large performance drop when the attacker lacks knowledge of the training data distribution and the model architecture of the target recommender system. To better understand the privacy risks of recommender systems, we propose shadow-free MIAs that directly leverage a user's recommendations for membership inference. Without shadow training, the proposed attack can conduct MIAs efficiently and effectively under a practice scenario where the attacker is given only black-box access to the target recommender system. The proposed attack leverages an intuition that the recommender system personalizes a user's recommendations if his historical interactions are used by it. Thus, an attacker can infer membership privacy by determining whether the recommendations are more similar to the interactions or the general popular items. We conduct extensive experiments on benchmark datasets across various recommender systems. Remarkably, our attack achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.
KW - Multidisciplinary Topics and Applications: MTA: Security and privacy
KW - AI Ethics, Trust, Fairness: ETF: Safety and robustness
KW - AI Ethics, Trust, Fairness: ETF: Trustworthy AI
UR - http://www.scopus.com/inward/record.url?scp=85204286599&partnerID=8YFLogxK
U2 - 10.24963/ijcai.2024/639
DO - 10.24963/ijcai.2024/639
M3 - Conference proceeding contribution
AN - SCOPUS:85204286599
T3 - IJCAI International Joint Conference on Artificial Intelligence
SP - 5781
EP - 5789
BT - IJCAI 2024
A2 - Larson, Kate
PB - Association for Computing Machinery (ACM)
CY - New York, NY
Y2 - 3 August 2024 through 9 August 2024
ER -