Benchmarking Fraud Detectors on Private Graph Data

TL;DR

This paper introduces a new benchmark for fraud detection on private graph data, reveals privacy vulnerabilities in current evaluation methods, and evaluates differential privacy solutions that currently struggle to maintain utility.

Contribution

It presents a novel privacy attack on private graph data benchmarks and empirically assesses differential privacy approaches, highlighting their limitations in preserving utility.

Findings

Privacy attack achieves 98% TPR with 0% FPR in identifying individuals.

Current DP methods fail to provide useful utility due to high noise requirements.

Trade-off exists between bias and variance in DP graph data methods.

Abstract

We introduce the novel problem of benchmarking fraud detectors on private graph-structured data. Currently, many types of fraud are managed in part by automated detection algorithms that operate over graphs. We consider the scenario where a data holder wishes to outsource development of fraud detectors to third parties (e.g., vendors or researchers). The third parties submit their fraud detectors to the data holder, who evaluates these algorithms on a private dataset and then publicly communicates the results. We propose a realistic privacy attack on this system that allows an adversary to de-anonymize individuals' data based only on the evaluation results. In simulations of a privacy-sensitive benchmark for facial recognition algorithms by the National Institute of Standards and Technology (NIST), our attack achieves near perfect accuracy in identifying whether individuals' data is present in a private dataset, with a True Positive Rate of 0.98 at a False Positive Rate of 0.00. We then study how to benchmark algorithms while satisfying a formal differential privacy (DP) guarantee. We empirically evaluate two classes of solutions: subsample-and-aggregate and DP synthetic graph data. We demonstrate through extensive experiments that current approaches do not provide utility when guaranteeing DP. Our results indicate that the error arising from DP trades off between bias from distorting graph structure and variance from adding random noise. Current methods lie on different points along this bias-variance trade-off, but more complex methods tend to require high-variance noise addition, undermining utility.