ML Security PapersReference Recommendation based Membership Inference Attack against Hybrid-based Recommender Systems
Xiaoxiao Chi 1, Xuyun Zhang 1,2, Yan Wang 1, Hongsheng Hu 1,2, Wanchun Dou 3
Published on arXiv
2512.09442
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
The proposed relative membership metric consistently outperforms baseline MIA methods in effectiveness and efficiency on hybrid-based recommender systems, and remains effective even when differential privacy is applied.
Reference Recommendation-based MIA (RRMIA)
Novel technique introduced
Recommender systems have been widely deployed across various domains such as e-commerce and social media, and intelligently suggest items like products and potential friends to users based on their preferences and interaction history, which are often privacy-sensitive. Recent studies have revealed that recommender systems are prone to membership inference attacks (MIAs), where an attacker aims to infer whether or not a user's data has been used for training a target recommender system. However, existing MIAs fail to exploit the unique characteristic of recommender systems, and therefore are only applicable to mixed recommender systems consisting of two recommendation algorithms. This leaves a gap in investigating MIAs against hybrid-based recommender systems where the same algorithm utilizing user-item historical interactions and attributes of users and items serves and produces personalised recommendations. To investigate how the personalisation in hybrid-based recommender systems influences MIA, we propose a novel metric-based MIA. Specifically, we leverage the characteristic of personalisation to obtain reference recommendation for any target users. Then, a relative membership metric is proposed to exploit a target user's historical interactions, target recommendation, and reference recommendation to infer the membership of the target user's data. Finally, we theoretically and empirically demonstrate the efficacy of the proposed metric-based MIA on hybrid-based recommender systems.
Key Contributions
- First MIA study targeting hybrid-based recommender systems, which use a unified algorithm for both interaction history and attribute-based recommendations.
- A reference recommendation query technique that exploits personalisation characteristics to obtain an attribute-only baseline recommendation for any target user.
- A relative membership metric combining historical interactions, actual recommendations, and reference recommendations, with mathematical analysis showing its nonlinear formulation outperforms SOTA baselines.
🛡️ Threat Analysis
The paper proposes a membership inference attack that determines whether a specific user's data was used to train a target hybrid recommender system — the textbook definition of ML04. The attack constructs a relative membership metric from target and reference recommendations to answer this binary membership question.