DM4Steal: Diffusion Model For Link Stealing Attack On Graph Neural Networks

TL;DR

This paper introduces DM4Steal, a diffusion model-based attack that effectively extracts sensitive link data from GNNs in recommendation systems, even under defense mechanisms, by leveraging a novel training strategy and stability sampling.

Contribution

The paper presents a new diffusion model approach for link stealing attacks on GNNs, enhancing transferability, effectiveness, and adaptability against defenses in various scenarios.

Findings

DM4Steal achieves high attack success across six scenarios.

It maintains performance against defenses like DP and Dropout.

The diffusion model captures the target graph's topology effectively.

Abstract

Graph has become increasingly integral to the advancement of recommendation systems, particularly with the fast development of graph neural network(GNN). By exploring the virtue of rich node features and link information, GNN is designed to provide personalized and accurate suggestions. Meanwhile, the privacy leakage of GNN in such contexts has also captured special attention. Prior work has revealed that a malicious user can utilize auxiliary knowledge to extract sensitive link data of the target graph, integral to recommendation systems, via the decision made by the target GNN model. This poses a significant risk to the integrity and confidentiality of data used in recommendation system. Though important, previous works on GNN's privacy leakage are still challenged in three aspects, i.e., limited stealing attack scenarios, sub-optimal attack performance, and adaptation against defense. To address these issues, we propose a diffusion model based link stealing attack, named DM4Steal. It differs previous work from three critical aspects. (i) Generality: aiming at six attack scenarios with limited auxiliary knowledge, we propose a novel training strategy for diffusion models so that DM4Steal is transferable to diverse attack scenarios. (ii) Effectiveness: benefiting from the retention of semantic structure in the diffusion model during the training process, DM4Steal is capable to learn the precise topology of the target graph through the GNN decision process. (iii) Adaptation: when GNN is defensive (e.g., DP, Dropout), DM4Steal relies on the stability that comes from sampling the score model multiple times to keep performance degradation to a minimum, thus DM4Steal implements successful adaptive attack on defensive GNN.