Model Inversion Attacks against Graph Neural Networks

TL;DR

This paper systematically studies model inversion attacks on Graph Neural Networks (GNNs), proposing new attack methods in white-box and black-box settings, revealing significant privacy risks in graph data analysis.

Contribution

It introduces GraphMI and RL-GraphMI, novel attack techniques tailored for GNNs, addressing the unique properties of graph data and black-box attack challenges.

Findings

White-box GraphMI effectively infers private graph data.

Black-box RL-GraphMI demonstrates successful edge inference with limited queries.

Existing defenses are insufficient against these GNN-specific attacks.

Abstract

Many data mining tasks rely on graphs to model relational structures among individuals (nodes). Since relational data are often sensitive, there is an urgent need to evaluate the privacy risks in graph data. One famous privacy attack against data analysis models is the model inversion attack, which aims to infer sensitive data in the training dataset and leads to great privacy concerns. Despite its success in grid-like domains, directly applying model inversion attacks on non-grid domains such as graph leads to poor attack performance. This is mainly due to the failure to consider the unique properties of graphs. To bridge this gap, we conduct a systematic study on model inversion attacks against Graph Neural Networks (GNNs), one of the state-of-the-art graph analysis tools in this paper. Firstly, in the white-box setting where the attacker has full access to the target GNN model, we present GraphMI to infer the private training graph data. Specifically, in GraphMI, a projected gradient module is proposed to tackle the discreteness of graph edges and preserve the sparsity and smoothness of graph features; a graph auto-encoder module is used to efficiently exploit graph topology, node attributes, and target model parameters for edge inference; a random sampling module can finally sample discrete edges. Furthermore, in the hard-label black-box setting where the attacker can only query the GNN API and receive the classification results, we propose two methods based on gradient estimation and reinforcement learning (RL-GraphMI). Our experimental results show that such defenses are not sufficiently effective and call for more advanced defenses against privacy attacks.