ML Security PapersMembership Inference Attacks on Recommender System: A Survey
Jiajie He 1, Xintong Chen 2, Xinyang Fang 3, Min-Chun Chen 1, Yuechun Gu 1, Keke Chen 1
Published on arXiv
2509.11080
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
Identifies that RecSys MIAs have unique features — including diverse attack targets (user-level vs. interaction-level) and the absence of posterior probabilities — that make traditional MIA methods ill-suited and require domain-specific solutions.
Recommender systems (RecSys) have been widely applied to various applications, including E-commerce, finance, healthcare, social media and have become increasingly influential in shaping user behavior and decision-making, highlighting their growing impact in various domains. However, recent studies have shown that RecSys are vulnerable to membership inference attacks (MIAs), which aim to infer whether user interaction record was used to train a target model or not. MIAs on RecSys models can directly lead to a privacy breach. For example, via identifying the fact that a purchase record that has been used to train a RecSys associated with a specific user, an attacker can infer that user's special quirks. In recent years, MIAs have been shown to be effective on other ML tasks, e.g., classification models and natural language processing. However, traditional MIAs are ill-suited for RecSys due to the unseen posterior probability. Although MIAs on RecSys form a newly emerging and rapidly growing research area, there has been no systematic survey on this topic yet. In this article, we conduct the first comprehensive survey on RecSys MIAs. This survey offers a comprehensive review of the latest advancements in RecSys MIAs, exploring the design principles, challenges, attack and defense associated with this emerging field. We provide a unified taxonomy that categorizes different RecSys MIAs based on their characterizations and discuss their pros and cons. Based on the limitations and gaps identified in this survey, we point out several promising future research directions to inspire the researchers who wish to follow this area. This survey not only serves as a reference for the research community but also provides a clear description for researchers outside this research domain.
Key Contributions
- First comprehensive survey of membership inference attacks specifically targeting recommender systems, distinguishing their unique challenges from MIAs on classification or LLM models
- Unified taxonomy categorizing RecSys MIAs by target level (user-level, interaction-level), attack surface, and design principles
- Systematic review of defense mechanisms against RecSys MIAs and identification of open research directions
🛡️ Threat Analysis
The entire paper surveys membership inference attacks on recommender systems — attacks that determine whether a specific user or interaction record was in the model's training data. This is the textbook definition of ML04, covering both attack methods and defenses against them.