ReconXF: Graph Reconstruction Attack via Public Feature Explanations on Privatized Node Features and Labels

TL;DR

ReconXF is a novel graph reconstruction attack leveraging public feature explanations and denoising techniques to recover graph structure from privatized node features and labels, exposing privacy risks in explainable GNNs.

Contribution

The paper introduces ReconXF, a new attack method that effectively reconstructs graph structure under differential privacy protections by combining explanation-based insights with denoising strategies.

Findings

ReconXF outperforms existing methods in privatized settings.

The attack achieves higher AUC and precision in graph reconstruction.

Public explanations combined with denoising can breach privacy protections.

Abstract

Graph Neural Networks (GNNs) achieve high performance across many applications but function as black-box models, limiting their use in critical domains like healthcare and criminal justice. Explainability methods address this by providing feature-level explanations that identify important node attributes for predictions. These explanations create privacy risks. Combined with auxiliary information, feature explanations can enable adversaries to reconstruct graph structure, exposing sensitive relationships. Existing graph reconstruction attacks assume access to original auxiliary data, but practical systems use differential privacy to protect node features and labels while providing explanations for transparency. We study a threat model where adversaries access public feature explanations along with privatized node features and labels. We show that existing explanation-based attacks like GSEF perform poorly with privatized data due to noise from differential privacy mechanisms. We propose ReconXF, a graph reconstruction attack for scenarios with public explanations and privatized auxiliary data. Our method adapts explanation-based frameworks by incorporating denoising mechanisms that handle differential privacy noise while exploiting structural signals in explanations. Experiments across multiple datasets show ReconXF outperforms SoTA methods in privatized settings, with improvements in AUC and average precision. Results indicate that public explanations combined with denoising enable graph structure recovery even under the privacy protection of auxiliary data. Code is available at (link to be made public after acceptance).