Recommender systems (RecSys) have been widely applied to various applications, including E-commerce, finance, healthcare, social media and have become increasingly influential in shaping user behavior and decision-making, highlighting their growing impact in various domains. However, recent studies have shown that RecSys are vulnerable to membership inference attacks (MIAs), which aim to infer whether user interaction record was used to train a target model or not. MIAs on RecSys models can directly lead to a privacy breach. For example, via identifying the fact that a purchase record that has been used to train a RecSys associated with a specific user, an attacker can infer that user's special quirks. In recent years, MIAs have been shown to be effective on other ML tasks, e.g., classification models and natural language processing. However, traditional MIAs are ill-suited for RecSys due to the unseen posterior probability. Although MIAs on RecSys form a newly emerging and rapidly growing research area, there has been no systematic survey on this topic yet. In this article, we conduct the first comprehensive survey on RecSys MIAs. This survey offers a comprehensive review of the latest advancements in RecSys MIAs, exploring the design principles, challenges, attack and defense associated with this emerging field. We provide a unified taxonomy that categorizes different RecSys MIAs based on their characterizations and discuss their pros and cons. Based on the limitations and gaps identified in this survey, we point out several promising future research directions to inspire the researchers who wish to follow this area. This survey not only serves as a reference for the research community but also provides a clear description for researchers outside this research domain.

翻译：推荐系统已广泛应用于电子商务、金融、医疗保健、社交媒体等多个领域，在塑造用户行为和决策方面影响力日益增强，凸显了其在各领域不断增长的重要性。然而，近期研究表明推荐系统易受成员推断攻击的威胁，此类攻击旨在推断特定用户交互记录是否被用于训练目标模型。针对推荐系统模型的成员推断攻击可直接导致隐私泄露。例如，攻击者通过识别某购物记录曾被用于训练与特定用户相关联的推荐系统，即可推断该用户的特殊偏好。近年来，成员推断攻击已被证明在分类模型、自然语言处理等其他机器学习任务中具有显著效果。然而，由于不可见的后验概率问题，传统成员推断攻击方法并不适用于推荐系统场景。尽管针对推荐系统的成员推断攻击已形成一个新兴且快速发展的研究领域，目前尚未出现该主题的系统性综述。本文首次对推荐系统成员推断攻击研究进行全面综述，系统梳理了该新兴领域的最新进展，深入探讨了相关设计原理、核心挑战、攻击与防御机制。我们提出了统一的分类框架，依据攻击特征对不同类型的推荐系统成员推断攻击进行归类，并分析其优劣特性。基于本综述揭示的现有局限与研究空白，我们指出了多个具有潜力的未来研究方向，以启发该领域的研究人员。本综述不仅为相关研究社群提供系统参考，也为领域外的研究者提供了清晰的研究脉络解析。