# Background and Problem

# Background of recommender systems

A recommender system is essentially an information filtering system that relies on machine learning algorithms to predict user preferences for items. There are two main approaches in this realm:

Collaborative filtering: uses traditional methods, combining a user's own interaction history with the actions of similar users to make decisions.

Content-based recommendation: uses item and user metadata to distinguish user preferences.

The success of recommender systems lies in large-scale user data. However, in many cases this data contains sensitive information about individuals.

# Contribution of this paper

First quantification of privacy risks in recommender systems through user-level membership inference attacks.

Overcoming technical challenges by addressing limited access to ranked recommendations without posterior probabilities.

Introducing a shadow recommender system to generate labeled data for attack models.

Extensive experiments demonstrating strong attack performance across benchmark datasets.

Proposing a defense mechanism called “Popularity Randomization” to reduce attack success by adding randomness.

# Methods

# Labeled Data Generation

The adversary builds a shadow recommender system to mimic the target recommender system and generate training data. This involves factorizing a user-item rating matrix to project users and items into a shared latent space. The adversary then calculates the center vectors of user interactions and recommendations, and the difference between these vectors forms the user feature vector. Users are labeled as members (1) or non-members (0).

# Attack Model Establishment

A multi-layer perceptron (MLP) with two hidden layers is used as the attack model to infer membership status. The MLP is trained on the feature vectors generated in the previous step, and outputs probabilities indicating membership.

# Parameter Optimization

The MLP is trained using stochastic gradient descent, minimizing a cross-entropy loss function. After training, the attack model uses the test data to infer the membership status of users in the target recommender system.

# Framework

This method leverages both user interactions and recommendation patterns, and captures the order information from the ranked lists of recommended items, a critical aspect that distinguishes it from previous membership inference attacks.

The framework of the proposed method

# Experiments

# Experimental target

Target Models: The experiments use three personalized recommendation algorithms for members, including Latent Factor Model (LFM) and Neural Collaborative Filtering (NCF) (the third is referred to below as the Item algorithm). A popularity-based recommendation algorithm is used for non-members, since the system has no data on non-members.

Data Sets: The paper uses three real-world datasets that are widely used in recommender system experiments: Amazon Digital Music (ADM), Lastfm-2k (lf-2k), and Movielens-1m (ml-1m).

# Data Preprocessing

For each dataset, the paper divides it into three disjoint subsets: a shadow dataset, a target dataset, and a dataset for extracting item features. The paper then processes these so that the data is suitable for the attack:

  1. To generate feature vectors for users, the dataset for item features should contain all items of the target and shadow recommenders.
  2. The shadow and target datasets are each further divided into two disjoint parts, which are used to produce recommendations for members and non-members, respectively.
  3. Users with fewer than 20 interactions are filtered out.

# Evaluation Metrics

This paper uses AUC (area under the ROC curve) as the metric to evaluate attack performance. Treating members as positive data points and non-members as negative data points, the AUC measures how well the attack model ranks positive points above negative ones; 0.5 corresponds to random guessing.

# Implementation

The attack model is a multi-layer perceptron (MLP) with two hidden layers. The first layer has 32 units, and the second has 8 units. Stochastic Gradient Descent (SGD) is used as the optimizer, with a learning rate of 0.01 and a momentum of 0.7. The model is trained for 20 epochs.

# Recommendation Performance

This paper uses HR@100 (HR means hit rate) to evaluate recommendation performance. The results show that the recommender systems work best on the ml-1m dataset; with the Item method, the HR reaches about 0.95.

# Attack Performance

In this part, the paper considers three assumptions about the attacker's knowledge and evaluates the performance of the attack model under each assumption:

# Assumption I

The attacker knows both the algorithm and the data distribution of the target recommender system. Under this assumption, the experimental results show very strong attack performance. As the figure in the paper shows, when the shadow recommender system mirrors the target recommender system's algorithm and data, the AUC scores are very high.

The result for the attack performance under Assumption I

# Assumption II

The attacker only knows the data distribution used to train the target recommender system but does not know the specific recommendation algorithm. Under this assumption, the attack performance decreases but remains strong. For example, in the ADM dataset, when the target system uses the Item algorithm and the shadow system uses the LFM algorithm, the AUC drops from 0.926 to 0.843, showing the impact of data distribution similarity on the attack.

The result for the attack performance under Assumption II

# Assumption III

The attacker only knows the data distribution used to train the target recommender system but does not know the specific recommendation algorithm. Under this assumption, the attack performance decreases but remains strong. For example, in the ADM dataset, when the target system uses the Item algorithm and the shadow system uses the LFM algorithm, the AUC drops from 0.926 to 0.843, showing the impact of data distribution similarity on the attack.

The result for the attack performance under Assumption III

# HyperParameters

In this paper, the impact of hyperparameters on the success of the attack is reflected in the following aspects:

  1. Number of recommendations (k): With more recommended items, the attack model gains more information, but performance improvements cease when the number is large enough.
  2. Length of feature vectors (l): Longer feature vectors provide more dimensional information to the model, but after a certain point, further increasing the length no longer significantly boosts performance.
  3. Weights of recommended items: When considering the order of items in the recommendation list, attack performance significantly improves. Items at the front of the list are more likely to be accepted by users, and assigning higher weights to these items enhances the effectiveness of the attack.

# Defence

# Popularity Randomization

Non-members are provided with the most popular items. As a result, the feature vectors of non-members are extremely similar to one another and easily distinguished from those of members. To address this problem, the paper proposes popularity randomization: candidates are selected at random from among the most popular items, which makes the target feature vectors harder to distinguish.
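As an added example (not the paper's code), the following Python sketch reproduces the feature construction described earlier (center of interactions minus center of recommendations, with position weights) on a constructed toy catalogue, and shows why popularity randomization helps: with plain popularity recommendation every non-member receives an identical recommendation center, while sampling from a larger pool of popular items spreads those centers out. The pool size (k times pool_factor), the 1/rank position weights and all item values are assumptions.

```python
import random
from itertools import combinations

# Constructed toy catalogue (invented values, not the paper's data): id -> (popularity, latent vector, l = 2).
ITEMS = {
    "i0": (90, (1.0, 0.0)), "i1": (80, (0.9, 0.1)), "i2": (70, (0.0, 1.0)),
    "i3": (60, (0.1, 0.9)), "i4": (50, (-1.0, 0.0)), "i5": (40, (0.0, -1.0)),
    "i6": (30, (-0.7, 0.7)), "i7": (20, (0.7, -0.7)),
}
POPULARITY_ORDER = sorted(ITEMS, key=lambda i: -ITEMS[i][0])


def popularity_recommend(k, randomize=False, pool_factor=2, rng=random):
    """Non-member recommendations: the k most popular items, or, with popularity
    randomization, k items drawn from the top k*pool_factor (pool size assumed)."""
    if not randomize:
        return POPULARITY_ORDER[:k]
    return rng.sample(POPULARITY_ORDER[:k * pool_factor], k)


def center(item_ids, weighted=False):
    """Center vector of a ranked item list; with weighted=True the item at rank r
    gets weight 1/r (assumed scheme), so the front of the list dominates."""
    dim = len(ITEMS[item_ids[0]][1])
    total, wsum = [0.0] * dim, 0.0
    for rank, iid in enumerate(item_ids, start=1):
        w = 1.0 / rank if weighted else 1.0
        wsum += w
        for d in range(dim):
            total[d] += w * ITEMS[iid][1][d]
    return tuple(t / wsum for t in total)


def user_feature(interactions, recommendations, weighted=True):
    """Attack feature vector: center(interactions) - center(recommendations)."""
    rec_center = center(recommendations, weighted)
    return tuple(a - b for a, b in zip(center(interactions), rec_center))


def mean_pairwise_distance(vectors):
    """Average Euclidean distance over all pairs (0.0 when all are identical)."""
    pairs = list(combinations(vectors, 2))
    return sum(sum((a - b) ** 2 for a, b in zip(u, v)) ** 0.5 for u, v in pairs) / len(pairs)


def non_member_spread(randomize, n_users=20, k=3, seed=0):
    """Spread of the recommendation centers seen by n non-members: zero without
    randomization (everyone gets the same list), positive with it."""
    rng = random.Random(seed)
    recs = [popularity_recommend(k, randomize, rng=rng) for _ in range(n_users)]
    return mean_pairwise_distance([center(r, weighted=True) for r in recs])
```

A larger pool_factor widens the spread further, at the cost of recommending less popular items to non-members.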

# Evaluation results

The figure of the test results shows that with popularity randomization the AUC drops noticeably for most of the datasets, and for some of them it falls close to 0.5, which is nearly random guessing.

The result of popularity randomization

# Discussion and conclusion

# The Factors for effects of attacks

  1. The Choice of Datasets: A dataset with a denser user-item matrix leads to better attack performance. Attack models work better on datasets with richer information.
  2. The Selection of Recommendation Algorithms: A recommender system with a simple model structure is easier to attack. Compared with the simpler algorithms, LFM has higher model complexity, which makes it harder to attack.
  3. Distributions of Generated User Features: When the distribution of user feature vectors generated by the shadow recommender system closely matches that of the target system, attack performance improves. The similarity between the shadow data and the target data is crucial for boosting attack effectiveness.

# Conclusions

# Effectiveness of the Attack

The proposed membership inference attack model demonstrates strong performance across various recommender systems and datasets. Even with limited knowledge, the model can effectively infer user membership.

# Proposed Defense Mechanism

To mitigate the attack, the authors introduce the “Popularity Randomization” defense mechanism. Experiments show that this defense significantly reduces the success rate of the attack, especially in complex models like Neural Collaborative Filtering (NCF).

# Future Work

The paper suggests further exploration of more effective defense mechanisms against such attacks and expanding the application of similar attacks and defenses to other machine learning models.
