
The Hidden Threat: How Membership Inference Attacks Target Recommender Systems

TLDR: This survey provides the first comprehensive review of Membership Inference Attacks (MIAs) on recommender systems (RecSys). It categorizes MIAs into user-level and interaction-level attacks, discussing their design principles, challenges, and effectiveness. The paper also covers evaluation metrics, current defense strategies, and identifies future research directions to inspire further work in protecting user privacy in RecSys.

Recommender systems have become an indispensable part of our daily digital lives, influencing everything from what we buy online to the movies we watch and the news we consume. These systems, which learn from vast amounts of user data, are incredibly powerful in personalizing our experiences. However, their reliance on our personal information also raises significant privacy concerns. A recent comprehensive survey delves into a specific type of privacy threat known as Membership Inference Attacks (MIAs) on these very systems.

What are Membership Inference Attacks?

At its core, a Membership Inference Attack aims to determine whether a particular user’s data was included in the training dataset of a machine learning model. Imagine an online store’s recommendation system. If an attacker can figure out that your specific purchase history was used to train that system, they might infer sensitive details about your preferences or habits. This isn’t just a theoretical risk; it’s a direct privacy breach that can have real-world implications, potentially violating privacy regulations like GDPR and CCPA.

While MIAs have been studied in other areas of machine learning, such as image classification and natural language processing, applying them to recommender systems presents unique challenges. Traditional MIA methods rely on the confidence scores (posterior probabilities) that a classifier outputs for each class, and a recommender does not expose these. An attacker usually sees only a ranked list of recommended items, so the attack signal has to be rebuilt from that list, which calls for specialized attack strategies.

Two Main Types of Attacks: User-Level and Interaction-Level

The survey categorizes MIAs on recommender systems into two primary types:

User-Level MIAs: These attacks focus on inferring whether an entire user profile (all their interactions) was part of the training data. Early methods, like those based on item embedding differences, tried to distinguish members by comparing the items a user is recommended with the items that user interacted with in the past. More advanced techniques, such as Debiased Learning MIA (DL-MIA), correct for the mismatch between the shadow models an attacker trains and the target model, which makes the attack more stable. Another innovative approach, Model Extraction based MIA (ME-MIA), involves creating a “surrogate” model that mimics the target recommender’s behavior and then using it to infer membership, even in scenarios where little data is available. Recent research has also extended user-level attacks to recommender systems powered by large language models (LLMs), exploiting how these models memorize and generate text.

Interaction-Level MIAs: These attacks are even more granular, aiming to determine if a *specific interaction* (e.g., a user buying a particular product, or rating a movie) was used in the model’s training. This is particularly relevant in settings like federated recommender systems, where user data is kept local. Attacks like IFed-MIA analyze how item embeddings change to infer specific interactions. Other methods, such as MINER, use knowledge graphs to identify risks related to personalized interactions, especially for less popular “long-tail” items. LiRA-based attacks (RecLiRA), which adapt the Likelihood Ratio Attack to recommenders, offer high accuracy in identifying specific interaction memberships. Similar to user-level attacks, interaction-level MIAs are also being developed for LLM-based recommender systems, leveraging the LLM’s ability to recall prompt content.
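To make the likelihood-ratio idea behind LiRA-style interaction-level attacks concrete, here is an added illustration in Python. It is not code from the survey or from RecLiRA. It assumes the attacker can reduce each recommender’s output for a (user, item) pair to one scalar: here the negative log of the rank the item receives in that user’s recommendation list, which is available even when only a ranked list is exposed. Shadow recommenders are split into those trained with the candidate interaction (IN) and without it (OUT), a Gaussian is fitted to each side’s scores, and the target model’s score is assigned to whichever fit explains it better. The shadow scores and ranks below are constructed, not measured.

```python
"""LiRA-style membership test for one candidate interaction (added illustration).

Not code from the survey or from RecLiRA. Assumption: each recommender's output
for a (user, item) pair can be turned into one scalar score, here the negative
log of the item's 1-based rank in the user's recommendation list. All shadow
scores are constructed.
"""
import math
import random
from dataclasses import dataclass


def rank_score(rank: int) -> float:
    """Scalar score from a 1-based rank; higher score means the item is ranked higher."""
    if rank < 1:
        raise ValueError("rank is 1-based")
    return -math.log(rank)


@dataclass
class ShadowScores:
    in_scores: list   # scores from shadow models trained WITH the interaction
    out_scores: list  # scores from shadow models trained WITHOUT it


def _fit_gaussian(samples):
    """Mean and (unbiased) standard deviation, floored so a tight cluster of
    shadow scores cannot produce a degenerate density."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two shadow models per side")
    mu = sum(samples) / n
    var = sum((s - mu) ** 2 for s in samples) / (n - 1)
    return mu, max(math.sqrt(var), 1e-6)


def _log_pdf(x, mu, sigma):
    """Log density of a univariate Gaussian."""
    return -0.5 * ((x - mu) / sigma) ** 2 - math.log(sigma) - 0.5 * math.log(2 * math.pi)


def membership_llr(observed: float, shadows: ShadowScores) -> float:
    """log p(observed | IN) - log p(observed | OUT); positive favours membership."""
    mu_in, sd_in = _fit_gaussian(shadows.in_scores)
    mu_out, sd_out = _fit_gaussian(shadows.out_scores)
    return _log_pdf(observed, mu_in, sd_in) - _log_pdf(observed, mu_out, sd_out)


def infer_member(observed: float, shadows: ShadowScores, threshold: float = 0.0) -> bool:
    """Decide membership by thresholding the log-likelihood ratio. The threshold
    is where an attacker trades TPR against FPR (0.0 is the equal-prior choice)."""
    return membership_llr(observed, shadows) > threshold


def constructed_shadows(seed: int = 7, n_shadow: int = 16) -> ShadowScores:
    """Constructed stand-in for real shadow training: IN models rank the
    memorised interaction near the top (ranks 1..5), OUT models rank it far
    lower (ranks 20..200). A real attack would train the shadow recommenders."""
    rng = random.Random(seed)
    in_ranks = [rng.randint(1, 5) for _ in range(n_shadow)]
    out_ranks = [rng.randint(20, 200) for _ in range(n_shadow)]
    return ShadowScores([rank_score(r) for r in in_ranks],
                        [rank_score(r) for r in out_ranks])


if __name__ == "__main__":
    shadows = constructed_shadows()
    for rank in (2, 80):  # rank the target model gives the candidate item
        llr = membership_llr(rank_score(rank), shadows)
        print(f"target rank {rank:3d}: LLR={llr:+.2f} -> member={infer_member(rank_score(rank), shadows)}")
```

The per-example IN/OUT fit is what distinguishes this from a global threshold on the score: an item that is always ranked high (a popular item) gets a high OUT mean as well, so a high observed rank for it is not evidence of membership, which is the long-tail effect the interaction-level attacks above exploit.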

Measuring Attack Success

To evaluate how effective these attacks are, researchers use several metrics. These include AUC (Area Under the ROC Curve), which measures overall performance across different decision thresholds; F1-score, which balances precision and recall; and True Positive Rate (TPR) and False Positive Rate (FPR), which indicate how many actual members are correctly identified versus how many non-members are mistakenly identified.
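The following Python is an added illustration of how those metrics are computed from an attack’s output; it is not code from the survey. Its input is one attack score per example (higher means “more likely a member”) plus the ground-truth membership label, both constructed here. Besides AUC, F1, TPR and FPR at a chosen threshold, it also reports TPR at a fixed FPR budget, which is the standard way to show whether an attack is confidently right on a few examples rather than slightly better than chance on many.

```python
"""Membership-inference evaluation metrics (added illustration, not the survey's code).

Input: attack scores (higher = more likely member) and boolean labels.
A prediction of 'member' is made when score >= threshold. The scores and
labels at the bottom are constructed.
"""


def confusion_at(scores, labels, threshold):
    """Return (tp, fp, tn, fn) for the decision rule score >= threshold."""
    tp = fp = tn = fn = 0
    for s, is_member in zip(scores, labels):
        predicted = s >= threshold
        if predicted and is_member:
            tp += 1
        elif predicted and not is_member:
            fp += 1
        elif not predicted and is_member:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def tpr_fpr(scores, labels, threshold):
    """True positive rate (members caught) and false positive rate (non-members wrongly flagged)."""
    tp, fp, tn, fn = confusion_at(scores, labels, threshold)
    return tp / (tp + fn), fp / (fp + tn)


def f1_at(scores, labels, threshold):
    """Harmonic mean of precision and recall at the given threshold."""
    tp, fp, tn, fn = confusion_at(scores, labels, threshold)
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def auc(scores, labels):
    """Threshold-free AUC: probability that a random member outscores a random
    non-member (ties count one half). Equals the area under the ROC curve."""
    members = [s for s, m in zip(scores, labels) if m]
    non_members = [s for s, m in zip(scores, labels) if not m]
    wins = 0.0
    for a in members:
        for b in non_members:
            wins += 1.0 if a > b else (0.5 if a == b else 0.0)
    return wins / (len(members) * len(non_members))


def roc_points(scores, labels):
    """(fpr, tpr) pairs obtained by sweeping the threshold over every distinct score."""
    points = [(0.0, 0.0)]
    for t in sorted(set(scores), reverse=True):
        tpr, fpr = tpr_fpr(scores, labels, t)
        points.append((fpr, tpr))
    return points


def tpr_at_fpr(scores, labels, max_fpr):
    """Best TPR the attack reaches without exceeding the FPR budget."""
    return max(tpr for fpr, tpr in roc_points(scores, labels) if fpr <= max_fpr)


# Constructed example: five members, five non-members, and an attack that
# separates them imperfectly (two non-members score above two members).
CONSTRUCTED_SCORES = [0.9, 0.8, 0.7, 0.55, 0.3, 0.6, 0.5, 0.2, 0.1, 0.05]
CONSTRUCTED_LABELS = [True] * 5 + [False] * 5

if __name__ == "__main__":
    s, y = CONSTRUCTED_SCORES, CONSTRUCTED_LABELS
    print("AUC        :", auc(s, y))
    print("TPR, FPR@.5:", tpr_fpr(s, y, 0.5))
    print("F1@.5      :", f1_at(s, y, 0.5))
    print("TPR@FPR<=0 :", tpr_at_fpr(s, y, 0.0))
    print("TPR@FPR<=.2:", tpr_at_fpr(s, y, 0.2))
```

On the constructed data the AUC is 0.88, but at a zero-FPR budget the attack still identifies 60% of members, which is the number a defender should care about: it says how many users can be exposed without a single false accusation.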

Defending Against the Attacks

While the research on MIAs is rapidly advancing, effective defenses are still catching up. Common defense strategies include “Popularity Randomization,” where non-members might receive recommendations from a broader pool of popular items to obscure their non-membership. In federated systems, techniques like Local Differential Privacy (LDP) can help, though they sometimes come at the cost of recommendation quality. Other defenses involve adding “noisy embeddings” or using “embedding-based regularizers.” The most robust protection often comes from “Differentially Private Training (DP-SGD),” but this can significantly impact the model’s overall usefulness. The ongoing challenge is to find a balance between strong privacy guarantees and maintaining high-quality recommendations.


The Road Ahead

Despite significant progress, several challenges remain. Researchers are looking for ways to design more efficient attacks that are less affected by factors like the size of item embeddings or the length of recommendation lists, and that can work across different recommender system architectures. There’s also a need for attacker-centric interaction-level MIAs that don’t require access to sensitive internal model scores. Furthermore, expanding MIA research beyond current “in-context learning” setups for LLM-based recommenders is a crucial future direction. This survey, available at arXiv:2509.11080, provides a foundational understanding for anyone interested in the privacy of recommender systems.

Dev Sundaram (https://blogs.edgentiq.com)
Dev Sundaram is an investigative tech journalist with a nose for exclusives and leaks. With stints in cybersecurity and enterprise AI reporting, Dev thrives on breaking big stories—product launches, funding rounds, regulatory shifts—and giving them context. He believes journalism should push the AI industry toward transparency and accountability, especially as Generative AI becomes mainstream. You can reach him at: [email protected]
