Debiasing Learning for Membership Inference Attacks Against Recommender Systems

  • 2022-06-24 18:57:34
  • Zihan Wang, Na Huang, Fei Sun, Pengjie Ren, Zhumin Chen, Hengliang Luo, Maarten de Rijke, Zhaochun Ren

Abstract

Learned recommender systems may inadvertently leak information about their training data, leading to privacy violations. We investigate privacy threats faced by recommender systems through the lens of membership inference. In such attacks, an adversary aims to infer whether a user's data is used to train the target recommender. To achieve this, previous work has used a shadow recommender to derive training data for the attack model, and then predicts the membership by calculating difference vectors between users' historical interactions and recommended items. State-of-the-art methods face two challenging problems: (1) training data for the attack model is biased due to the gap between shadow and target recommenders, and (2) hidden states in recommenders are not observational, resulting in inaccurate estimations of difference vectors. To address the above limitations, we propose a Debiasing Learning for Membership Inference Attacks against recommender systems (DL-MIA) framework that has four main components: (1) a difference vector generator, (2) a disentangled encoder, (3) a weight estimator, and (4) an attack model. To mitigate the gap between recommenders, a variational auto-encoder (VAE) based disentangled encoder is devised to identify recommender invariant and specific features. To reduce the estimation bias, we design a weight estimator, assigning a truth-level score for each difference vector to indicate estimation accuracy. We evaluate DL-MIA against both general recommenders and sequential recommenders on three real-world datasets. Experimental results show that DL-MIA effectively alleviates training and estimation biases simultaneously, and achieves state-of-the-art attack performance.

 
