Membership Inference Attacks on LLM-based Recommender Systems

Files

2508.18665v5.pdf (2.46 MB)

Links to Files

https://arxiv.org/abs/2508.18665

Permanent Link

https://doi.org/10.48550/arXiv.2508.18665
 http://hdl.handle.net/11603/41898

Collections

UMBC Computer Science and Electrical Engineering Department
UMBC Faculty Collection
UMBC Student Collection

Author/Creator

Author/Creator ORCID

https://orcid.org/0009-0009-7956-8355
 https://orcid.org/0009-0006-4945-7310
 https://orcid.org/0000-0002-9996-156X
 https://orcid.org/0009-0002-8274-2827

Date

2026-01-22

Type of Work

conference papers and proceedings
preprints
Text

Department

Program

Citation of Original Publication

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author

Subjects

UMBC Cyber Defense Lab (CDL)

Abstract

Large language models (LLMs) based recommender systems (RecSys) can adapt flexibly across different domains. It uses in-context learning (ICL), i.e., prompts, including sensitive historical user-specific item interactions, to customize the recommendation functions. However, no study has examined whether such private information may be exposed by novel privacy attacks. We design several membership inference attacks (MIAs): Similarity, Memorization, Inquiry, and Poisoning attacks, aiming to reveal whether system prompts include victims’ historical interactions. We have carefully evaluated them on the latest open-source LLMs and three well-known RecSys datasets. The results confirm that the MIA threat to LLM RecSys is realistic, and that existing promptbased defense methods may be insufficient to protect against these attacks.