Journal: Proceedings on Privacy Enhancing Technologies
Electronic ISSN: 2299-0984
Publication year: 2020
Volume: 2020
Issue: 3
Pages: 264-283
DOI: 10.2478/popets-2020-0052
Language: English
Publisher: Sciendo
Abstract: Privacy risks of collaborative filtering (CF) have been widely studied. The current state-of-the-art inference attack on user behaviors (e.g., ratings/purchases on sensitive items) for CF is by Calandrino et al. (S&P, 2011). They showed that if an adversary obtained a moderate amount of user’s public behavior before some time T, she can infer user’s private behavior after time T. However, the existence of an attack that infers user’s private behavior before T remains open. In this paper, we propose the first inference attack that reveals past private user behaviors. Our attack departs from previous techniques and is based on model inversion (MI). In particular, we propose the first MI attack on factorization-based CF systems by leveraging data poisoning by Li et al. (NIPS, 2016) in a novel way. We inject malicious users into the CF system so that adversarially chosen “decoy” items are linked with user’s private behaviors. We also show how to weaken the assumption made by Li et al. on the information available to the adversary from the whole rating matrix to only the item profile and how to create malicious ratings effectively. We validate the effectiveness of our inference algorithm using two real-world datasets.