Recommender systems (RecSys) have been widely applied to various applications, including E-commerce, finance, healthcare, social media and have become increasingly influential in shaping user behavior and decision-making, highlighting their growing impact in various domains. However, recent studies have shown that RecSys are vulnerable to membership inference attacks (MIAs), which aim to infer whether user interaction record was used to train a target model or not. MIAs on RecSys models can directly lead to a privacy breach. For example, via identifying the fact that a purchase record that has been used to train a RecSys associated with a specific user, an attacker can infer that user's special quirks. In recent years, MIAs have been shown to be effective on other ML tasks, e.g., classification models and natural language processing. However, traditional MIAs are ill-suited for RecSys due to the unseen posterior probability. Although MIAs on RecSys form a newly emerging and rapidly growing research area, there has been no systematic survey on this topic yet. In this article, we conduct the first comprehensive survey on RecSys MIAs. This survey offers a comprehensive review of the latest advancements in RecSys MIAs, exploring the design principles, challenges, attack and defense associated with this emerging field. We provide a unified taxonomy that categorizes different RecSys MIAs based on their characterizations and discuss their pros and cons. Based on the limitations and gaps identified in this survey, we point out several promising future research directions to inspire the researchers who wish to follow this area. This survey not only serves as a reference for the research community but also provides a clear description for researchers outside this research domain.

翻译：推荐系统（RecSys）已广泛应用于电子商务、金融、医疗、社交媒体等多个领域，对用户行为与决策的影响日益显著，凸显了其在各领域不断增强的影响力。然而，近期研究表明，推荐系统易受成员推断攻击（MIAs）的影响，此类攻击旨在推断用户的交互记录是否被用于训练目标模型。针对推荐系统模型的成员推断攻击可直接导致隐私泄露。例如，通过识别某条购买记录被用于训练与特定用户关联的推荐系统，攻击者可推断该用户的特殊偏好。近年来，成员推断攻击在其他机器学习任务（如分类模型与自然语言处理）中已被证实有效。然而，由于未见后验概率的存在，传统成员推断攻击方法难以直接适用于推荐系统。尽管针对推荐系统的成员推断攻击是一个新兴且快速发展的研究领域，目前尚未有系统性的综述。本文首次对推荐系统成员推断攻击进行了全面综述。本综述系统梳理了该领域的最新进展，探讨了其设计原理、面临的挑战、攻击与防御策略。我们提出了统一的分类体系，依据不同攻击的特征对推荐系统成员推断攻击进行分类，并分析了各类方法的优缺点。基于本综述指出的现有局限与研究空白，我们提出了多个具有潜力的未来研究方向，以启发该领域的研究者。本综述不仅可为相关研究社区提供参考，也为领域外的研究者提供了清晰的领域描述。