We are very proud to have Debiasing Learning for Membership Inference Attacks Against Recommender Systems by Zihang Wang, Na Huang, Fei Sun, Pengjie Ren, Zhumin Chen, Hengliang Luo, Maarten de Rijke, and Zhaochun Ren accepted at KDD ’22. The paper will be presented in August 2022.
Abstract: Trained recommender systems may inadvertently leak information about their training data, leading to severe privacy violations. In this paper, we investigate the privacy threats faced by recommender systems through the lens of membership inference. In this attack, the adversary aims to infer whether a user’s data was used to train the target recommender. To achieve this, previous work establishes a shadow recommender to derive training data for the attack model, and then predicts membership by computing difference vectors between users’ historical interactions and recommended items. However, this approach still faces two challenging problems. First, the training data for the attack model is biased due to the gap between the shadow and target recommenders. Second, hidden states in recommenders are not observable, resulting in inaccurate estimations of the difference vectors.
To address the above limitations, we propose Debiasing Learning for Membership Inference Attacks against recommender systems (DL-MIA), a framework with four main components: (1) a difference vector generator, (2) a disentangled encoder, (3) a weight estimator, and (4) an attack model. To mitigate the gap between recommenders, a variational auto-encoder (VAE) based disentangled encoder is devised to identify recommender-invariant and recommender-specific features. To reduce the estimation bias, we design a weight estimator that assigns a truth-level score to each difference vector to indicate its estimation accuracy. We evaluate DL-MIA against both general recommenders and sequential recommenders on three real-world datasets. Experimental results show that DL-MIA effectively alleviates the training and estimation biases simultaneously, and achieves state-of-the-art attack performance.
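For readers unfamiliar with the setup, the core ingredients (a per-user difference vector and a truth-level weight on each training example for the attack model) can be sketched roughly as follows. This is a minimal illustrative sketch, not the paper’s implementation: the function names, embedding shapes, centroid-based difference, and weighted cross-entropy loss are all assumptions made for exposition.

```python
import numpy as np

# Hypothetical sketch of the difference-vector idea (names/shapes are
# assumptions for illustration, not the paper's actual method).

def difference_vector(interaction_embs, recommended_embs):
    """Difference between the centroid of a user's historical interaction
    embeddings and the centroid of the embeddings of items recommended
    to that user. Each argument: array of shape (num_items, dim)."""
    return interaction_embs.mean(axis=0) - recommended_embs.mean(axis=0)

def weighted_attack_loss(scores, labels, truth_weights):
    """Binary cross-entropy over membership predictions, where each
    difference vector's contribution is scaled by its truth-level
    score, so less reliable estimates influence training less."""
    eps = 1e-12  # numerical stability for log
    bce = -(labels * np.log(scores + eps)
            + (1 - labels) * np.log(1 - scores + eps))
    return float(np.sum(truth_weights * bce) / np.sum(truth_weights))

# Toy usage: one user, 4-dimensional item embeddings.
rng = np.random.default_rng(0)
hist = rng.normal(size=(5, 4))     # 5 historical interactions
recs = rng.normal(size=(3, 4))     # 3 recommended items
v = difference_vector(hist, recs)  # one difference vector for this user
```

In the full framework, such difference vectors would additionally pass through the disentangled encoder before reaching the attack model; the sketch above only shows where the truth-level weighting enters the attack model’s objective.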