TLDR: This research paper introduces and evaluates four novel membership inference attacks (MIAs) specifically designed for Large Language Model (LLM)-based recommender systems that utilize in-context learning. The study reveals that two of these attacks, the Direct Inquiry Attack and the Poisoning Attack, are surprisingly effective at determining if a user’s data was included in the system’s prompts. These findings highlight significant privacy risks in next-generation recommendation technologies and emphasize the urgent need for enhanced privacy protection in LLM-based RecSys.
Recommender systems have become an indispensable part of our daily online experience, from shopping to entertainment. These systems rely heavily on vast amounts of user-item interaction data to provide personalized suggestions. However, this reliance on sensitive personal information raises significant privacy concerns.
While privacy-enhancing technologies are a hot topic in research, real-world recommender systems often operate with minimal privacy safeguards. Users typically lack the means to understand which of their interactions are more sensitive or how their data contributes to the system’s recommendations. Quantifying these privacy risks is crucial for developing and deploying privacy-aware recommender models.
A recent research paper, titled “Membership Inference Attacks on LLM-based Recommender Systems,” by Jiajie He, Yuechun Gu, Min-Chun Chen, and Keke Chen from the University of Maryland, Baltimore County, delves into this critical issue. The paper explores a specific type of privacy threat known as Membership Inference Attacks (MIAs) in the context of next-generation recommender systems powered by Large Language Models (LLMs).
Understanding Membership Inference Attacks (MIAs)
A Membership Inference Attack aims to determine whether a specific piece of data (e.g., a user’s interaction history) was included in the dataset used to train a model. If an attacker can confirm that certain sensitive data was used, it represents a privacy breach.
Traditional recommender systems have faced MIAs before, but LLM-based systems introduce new complexities. LLMs that rely on In-Context Learning (ICL) are customized differently: instead of being fine-tuned on specific user data, they receive ‘prompts’ that include a few examples of user interactions. This setup means that existing MIA methods designed for traditional models cannot be applied directly.
The Challenge with LLM-based Recommender Systems
The authors highlight several reasons why LLM-based RecSys are different:
- Traditional MIAs often rely on item embeddings (vector representations of items) derived from large interaction matrices. This information is typically not accessible in LLM-based systems.
- Existing MIAs assume knowledge of the training data distribution to train ‘shadow models’ that mimic the target model. In LLM-based RecSys, training data appears in system prompts, requiring a re-evaluation of this assumption.
- LLMs possess distinct features like ‘hallucination’ (generating plausible but incorrect information) and ‘memorization’ (retaining specific training examples). These features could enable new types of attacks not seen in traditional RecSys models.
Novel Attack Methods
To address these challenges, the researchers designed and evaluated four novel membership inference attacks specifically for LLM-powered recommender systems that use in-context learning:
1. Direct Inquiry Attack: This method leverages the LLM’s ability to remember past information. An attacker directly asks the LLM if it has ‘seen’ a particular user. If the LLM responds affirmatively, the user is inferred to be a member.
2. Hallucination Attack: This attack hypothesizes that an LLM might hallucinate (recommend out-of-domain items) more frequently if it hasn’t seen a user’s data. By counting the number of hallucinated items in recommendations, an attacker attempts to infer membership.
3. Similarity Attack: Similar to traditional RecSys MIAs, this attack infers membership if items recommended by the LLM are highly similar to the user’s known historical interactions. However, it uses general text embeddings instead of RecSys-specific item embeddings.
4. Poisoning Attack: This method exploits the LLM’s memorization. An attacker provides additional prompts with *modified* historical interactions for a target user. If the LLM has already seen the user’s original interactions, its recommendations might be less influenced by the poisoned data, indicating membership.
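As an added illustration (not code from the paper or from this page), the following Python audit harness shows how a RecSys operator could measure the hallucination-attack signal on their own system: it counts out-of-catalogue items in a recommendation list and then sweeps a threshold over per-user counts to report the attack advantage. The catalogue, the per-user counts, and the TPR minus FPR definition of advantage are my assumptions; the page does not define the metric.

```python
import re
from typing import Iterable, Sequence

# Constructed item catalogue standing in for the RecSys item domain (assumption, not from the paper).
CATALOG = {
    "toy story (1995)", "jumanji (1995)", "heat (1995)", "casino (1995)",
    "seven (1995)", "braveheart (1995)", "apollo 13 (1995)", "goldeneye (1995)",
}

def normalize(title: str) -> str:
    """Lower-case and collapse whitespace so formatting noise in LLM output is not counted as a hallucination."""
    return re.sub(r"\s+", " ", title.strip().lower())

def count_hallucinations(recommendations: Iterable[str], catalog: set[str] = CATALOG) -> int:
    """Hallucination-attack signal: how many recommended items fall outside the item catalogue."""
    return sum(1 for item in recommendations if normalize(item) not in catalog)

def attack_advantage(member_scores: Sequence[float], nonmember_scores: Sequence[float]):
    """Sweep every observed score as a threshold and return (best_threshold, advantage).

    Assumed metric (the page does not define it): advantage = TPR - FPR at the best threshold.
    A user is predicted to be a member when score <= threshold, because the attack expects
    users already present in the system prompt to trigger fewer out-of-domain items.
    """
    best_t, best_adv = None, -1.0
    for t in sorted(set(member_scores) | set(nonmember_scores)):
        tpr = sum(s <= t for s in member_scores) / len(member_scores)
        fpr = sum(s <= t for s in nonmember_scores) / len(nonmember_scores)
        if tpr - fpr > best_adv:
            best_t, best_adv = t, tpr - fpr
    return best_t, best_adv

# Constructed per-user hallucination counts from an audit run (assumption, not the paper's numbers):
# members are users whose interactions were included as shots in the system prompt.
MEMBER_COUNTS = [0, 1, 1, 2, 0, 1]
NONMEMBER_COUNTS = [2, 3, 4, 2, 5, 3]

if __name__ == "__main__":
    recs = ["Toy Story (1995)", "Heat (1995)", "The Lost Reel (2099)"]  # last title is not in the catalogue
    print("hallucinated items:", count_hallucinations(recs))        # 1
    t, adv = attack_advantage(MEMBER_COUNTS, NONMEMBER_COUNTS)
    print(f"best threshold <= {t}, attack advantage {adv:.3f}")     # 1, 0.833
```

An advantage close to 0 means the signal does not separate members from non-members, which is the outcome the paper reports for the hallucination attack; a value near 1 would indicate the system prompt is leaking membership through its recommendations.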
Key Findings and Implications
The experiments, conducted on popular LLMs like Llama-2, Llama-3, and Vicuna, and benchmark datasets like MovieLens-1M and Amazon Digital Music, yielded significant results:
- The Direct Inquiry Attack proved surprisingly effective, especially against Llama-3, achieving over 99% attack advantage in some cases. This suggests newer LLMs might be more vulnerable due to improved prompt memorization.
- The Poisoning Attack also performed well, with over 70% attack advantage against Llama-2 on MovieLens-1M and over 80% on Amazon Digital Music. This attack seemed more effective on older LLMs, possibly due to their stronger memorization tendencies.
- The Hallucination Attack and Similarity Attack performed much worse, showing limited effectiveness. The general text embeddings used in the similarity attack did not capture the unique user-item interaction information as effectively as specialized RecSys embeddings.
The study also found that factors like the number of ‘shots’ (examples) used in system prompts and the position of the attacked shot can influence attack performance. For instance, increasing the number of shots in system prompts might make RecSys more resilient to direct inquiry attacks.
This research confirms that membership inference is a realistic and significant threat to LLM-based recommender systems. As LLMs become more integrated into these systems, practitioners and researchers must prioritize designing robust privacy protection measures. You can read the full paper here: Membership Inference Attacks on LLM-based Recommender Systems.