Publishing Neural Networks in Drug Discovery Might Compromise Training Data Privacy
Fabian P. Krüger, Johan Östman, Lewis Mervin, Igor V. Tetko, Ola Engkvist

TL;DR
This paper reveals significant privacy risks in sharing neural networks trained on chemical data for drug discovery, especially for minority classes, and suggests graph-based representations may reduce these risks.
Contribution
It introduces a framework to assess privacy risks in neural networks for molecular property prediction and highlights the vulnerability of minority class molecules.
Findings
Membership inference attacks reveal privacy risks across datasets.
Graph-based neural networks may mitigate privacy vulnerabilities.
Minority class molecules are particularly vulnerable.
Abstract
This study investigates the risks of exposing confidential chemical structures when machine learning models trained on these structures are made publicly available. We use membership inference attacks, a common method to assess privacy that is largely unexplored in the context of drug discovery, to examine neural networks for molecular property prediction in a black-box setting. Our results reveal significant privacy risks across all evaluated datasets and neural network architectures. Combining multiple attacks increases these risks. Molecules from minority classes, often the most valuable in drug discovery, are particularly vulnerable. We also found that representing molecules as graphs and using message-passing neural networks may mitigate these risks. We provide a framework to assess privacy risks of classification models and molecular representations. Our findings highlight the…
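A pre-release check in the spirit of the assessment the abstract describes, as an added example (not the paper's code or its attack set): a loss-threshold membership test on black-box outputs, scored per class as true-positive rate at a fixed false-positive rate. The choice of test and metric, the function names and the sample outputs are assumptions made for illustration.

```python
import math

def nll(p_active, label):
    """Cross-entropy of one molecule from the model's black-box output."""
    p = p_active if label == 1 else 1.0 - p_active
    return -math.log(max(p, 1e-12))

def tpr_at_fpr(member_losses, nonmember_losses, max_fpr):
    """Flag 'member' when loss < threshold; the threshold is set so that at
    most max_fpr of the held-out non-members are flagged."""
    if not member_losses or not nonmember_losses:
        return None  # class too small to audit
    ranked = sorted(nonmember_losses)
    allowed = math.floor(max_fpr * len(ranked))
    threshold = ranked[allowed] if allowed < len(ranked) else math.inf
    return sum(l < threshold for l in member_losses) / len(member_losses)

def audit_by_class(records, max_fpr=0.0):
    """records: (p_active, label, is_member). Returns TPR per class and overall."""
    def losses(member, cls=None):
        return [nll(p, y) for p, y, m in records
                if m == member and (cls is None or y == cls)]
    report = {cls: tpr_at_fpr(losses(True, cls), losses(False, cls), max_fpr)
              for cls in sorted({y for _, y, _ in records})}
    report["all"] = tpr_at_fpr(losses(True), losses(False), max_fpr)
    return report

# Constructed sample outputs (not from the paper): label 1 = active (minority),
# label 0 = inactive (majority); members were in training, non-members held out.
def rows(ps, label, member):
    return [(p, label, member) for p in ps]

RECORDS = (
    rows([0.02, 0.05, 0.10, 0.12, 0.15, 0.20, 0.25, 0.30], 0, True)
    + rows([0.08, 0.11, 0.12, 0.18, 0.22, 0.28, 0.35, 0.40], 0, False)
    + rows([0.99, 0.98, 0.97, 0.60], 1, True)
    + rows([0.90, 0.55, 0.40, 0.30], 1, False)
)

if __name__ == "__main__":
    for cls, tpr in audit_by_class(RECORDS).items():
        print(f"class {cls}: TPR at 0% FPR = {tpr:.2f}")
```

Reporting the rate per class matters because an aggregate figure can mask leakage concentrated in a small class.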
Taxonomy
Topics: Artificial Intelligence in Healthcare and Education
