The marriage of federated learning and recommender systems (FedRec) has been widely used to address the growing data privacy concerns in personalized recommendation services. In FedRecs, users' attribute information and behavior data (i.e., user-item interaction data) are kept locally on their personal devices, so the approach is considered a fairly secure way to protect user privacy. As a result, the privacy issues of FedRecs are rarely explored. Unfortunately, several recent studies reveal that FedRecs are vulnerable to user attribute inference attacks, highlighting their privacy risks. In this paper, we further investigate the privacy problem of user behavior data (i.e., user-item interactions) in FedRecs. Specifically, we perform the first systematic study of interaction-level membership inference attacks on FedRecs. We first design an interaction-level membership inference attacker, and then adopt the classical privacy protection mechanism, Local Differential Privacy (LDP), to defend against the membership inference attack. Unfortunately, the empirical analysis shows that LDP is not effective against this new attack unless recommendation performance is largely compromised. To mitigate the threat of interaction-level membership inference attacks, we design a simple yet effective defense method that significantly reduces the attacker's inference accuracy without losing recommendation performance. Extensive experiments are conducted with two widely used FedRecs (Fed-NCF and Fed-LightGCN) on three real-world recommendation datasets (MovieLens-100K, Steam-200K, and Amazon Cell Phone), and the experimental results show the effectiveness of our solutions.
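The abstract states that LDP on users' local interaction data only blocks the membership inference attack when recommendation performance is largely compromised. The following added example (not code from the paper or from the Fed-NCF/Fed-LightGCN projects) illustrates the underlying privacy/utility trade-off with one concrete LDP mechanism, binary randomized response applied to a user's 0/1 interaction vector before it leaves the device. The paper does not specify which LDP mechanism it uses; randomized response, the item vector, the epsilon values and the seeded sample data here are all assumptions made for illustration.

```python
import math
import random


def flip_probability(epsilon: float) -> float:
    """Probability that binary randomized response flips a single bit.

    p = 1 / (1 + e^epsilon) satisfies epsilon-LDP for a one-bit input:
    epsilon = 0 gives p = 0.5 (pure noise), large epsilon gives p -> 0.
    """
    return 1.0 / (1.0 + math.exp(epsilon))


def randomized_response(interactions, epsilon, rng):
    """Perturb a user's 0/1 interaction vector locally (client side).

    Each bit is flipped independently with probability flip_probability(epsilon),
    so an observer of the perturbed vector cannot tell with certainty whether any
    single user-item interaction was truly present.
    """
    p = flip_probability(epsilon)
    return [1 - x if rng.random() < p else x for x in interactions]


def debias_counts(noisy_vectors, epsilon):
    """Server-side unbiased estimate of per-item interaction counts.

    E[noisy_count] = true*(1-p) + (n-true)*p, so true = (noisy - n*p) / (1-2p).
    Aggregates stay estimable even though individual bits are noisy.
    """
    p = flip_probability(epsilon)
    n = len(noisy_vectors)
    n_items = len(noisy_vectors[0])
    estimates = []
    for j in range(n_items):
        noisy_count = sum(v[j] for v in noisy_vectors)
        estimates.append((noisy_count - n * p) / (1.0 - 2.0 * p))
    return estimates


def utility_loss(original, noisy):
    """Fraction of the user's true interactions that the perturbed vector drops.

    This is the local signal a recommender loses; lost positives translate
    directly into degraded personalization.
    """
    true_items = [i for i, x in enumerate(original) if x == 1]
    if not true_items:
        return 0.0
    lost = sum(1 for i in true_items if noisy[i] == 0)
    return lost / len(true_items)


def sweep_epsilon(epsilons, n_users=200, n_items=50, seed=0):
    """Average utility loss per epsilon on a constructed, seeded population."""
    rng = random.Random(seed)  # constructed sample data, not a real dataset
    users = [[1 if rng.random() < 0.1 else 0 for _ in range(n_items)]
             for _ in range(n_users)]
    results = {}
    for eps in epsilons:
        losses = [utility_loss(u, randomized_response(u, eps, rng)) for u in users]
        results[eps] = sum(losses) / len(losses)
    return results


if __name__ == "__main__":
    for eps, loss in sweep_epsilon([0.5, 1.0, 2.0, 4.0, 8.0]).items():
        print(f"epsilon={eps:<4} flip_prob={flip_probability(eps):.3f} "
              f"mean utility loss={loss:.3f}")
```

Running the sweep shows the tension the abstract describes: a small epsilon (strong privacy) flips a large share of a user's true interactions, destroying the local signal a recommender needs, while an epsilon large enough to preserve utility makes each perturbed bit a near-certain copy of the true interaction and therefore offers little protection against an interaction-level membership inference attacker.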