An Out-Of-Distribution Membership Inference Attack Approach for Cross-Domain Graph Attacks

TL;DR

This paper introduces GOOD-MIA, a novel out-of-distribution approach for cross-domain graph membership inference attacks on Graph Neural Networks, addressing privacy risks in real-world diverse data scenarios.

Contribution

The paper proposes a new OOD-based method for cross-domain graph MIAs, modeling distribution diversity and enhancing attack generalization across domains.

Findings

GOOD-MIA outperforms existing methods in multiple domain datasets.

The approach effectively models distribution diversity with shadow subgraphs.

Risk extrapolation improves attack domain adaptability.

Abstract

Graph Neural Network-based methods face privacy leakage risks due to the introduction of topological structures about the targets, which allows attackers to bypass the target's prior knowledge of the sensitive attributes and realize membership inference attacks (MIA) by observing and analyzing the topology distribution. As privacy concerns grow, the assumption of MIA, which presumes that attackers can obtain an auxiliary dataset with the same distribution, is increasingly deviating from reality. In this paper, we categorize the distribution diversity issue in real-world MIA scenarios as an Out-Of-Distribution (OOD) problem, and propose a novel Graph OOD Membership Inference Attack (GOOD-MIA) to achieve cross-domain graph attacks. Specifically, we construct shadow subgraphs with distributions from different domains to model the diversity of real-world data. We then explore the stable node representations that remain unchanged under external influences and consider eliminating redundant information from confounding environments and extracting task-relevant key information to more clearly distinguish between the characteristics of training data and unseen data. This OOD-based design makes cross-domain graph attacks possible. Finally, we perform risk extrapolation to optimize the attack's domain adaptability during attack inference to generalize the attack to other domains. Experimental results demonstrate that GOOD-MIA achieves superior attack performance in datasets designed for multiple domains.