Quantifying Privacy Leakage in Graph Embedding

TL;DR

This paper quantifies privacy risks in graph embeddings by demonstrating inference attacks that can reveal membership, reconstruct graphs, and infer sensitive attributes, highlighting significant privacy leakage in current methods.

Contribution

It introduces the first comprehensive analysis of privacy leakage in graph embeddings through novel inference attacks and evaluates their effectiveness.

Findings

Membership inference accuracy up to 36%

Graph reconstruction with over 80% accuracy

Sensitive attribute inference demonstrates strong correlation

Abstract

Graph embeddings have been proposed to map graph data to low dimensional space for downstream processing (e.g., node classification or link prediction). With the increasing collection of personal data, graph embeddings can be trained on private and sensitive data. For the first time, we quantify the privacy leakage in graph embeddings through three inference attacks targeting Graph Neural Networks. We propose a membership inference attack to infer whether a graph node corresponding to individual user's data was member of the model's training or not. We consider a blackbox setting where the adversary exploits the output prediction scores, and a whitebox setting where the adversary has also access to the released node embeddings. This attack provides an accuracy up to 28% (blackbox) 36% (whitebox) beyond random guess by exploiting the distinguishable footprint between train and test data records left by the graph embedding. We propose a Graph Reconstruction attack where the adversary aims to reconstruct the target graph given the corresponding graph embeddings. Here, the adversary can reconstruct the graph with more than 80% of accuracy and link inference between two nodes around 30% more confidence than a random guess. We then propose an attribute inference attack where the adversary aims to infer a sensitive attribute. We show that graph embeddings are strongly correlated to node attributes letting the adversary inferring sensitive information (e.g., gender or location).