Link Stealing Attacks Against Inductive Graph Neural Networks

Yixin Wu; Xinlei He; Pascal Berrang; Mathias Humbert; Michael Backes; Neil Zhenqiang Gong; Yang Zhang

Link Stealing Attacks Against Inductive Graph Neural Networks

Authors: Yixin Wu (CISPA Helmholtz Center for Information Security), Xinlei He (Hong Kong University of Science and Technology), Pascal Berrang (University of Birmingham), Mathias Humbert (University of Lausanne), Michael Backes (CISPA Helmholtz Center for Information Security), Neil Zhenqiang Gong (Duke University), Yang Zhang (CISPA Helmholtz Center for Information Security)

Volume: 2024
Issue: 4
Pages: 818–839
DOI: https://doi.org/10.56553/popets-2024-0143

Download PDF

Abstract: A graph neural network (GNN) is a type of neural network that is specifically designed to process graph-structured data. Typically, GNNs can be implemented in two settings, including the transductive setting and the inductive setting. In the transductive setting, the trained model can only predict the labels of nodes that were observed at the training time. In the inductive setting, the trained model can be generalized to new nodes/graphs. Due to its flexibility, the inductive setting is the most popular GNN setting at the moment. Previous work has shown that transductive GNNs are vulnerable to a series of privacy attacks. However, a comprehensive privacy analysis of inductive GNN models is still missing. This paper fills the gap by conducting a systematic privacy analysis of inductive GNNs through the lens of link stealing attacks. We propose two types of link stealing attacks, i.e., posterior-only attacks and combined attacks. We define threat models of the posterior-only attacks with respect to node topology and the combined attacks by considering combinations of posteriors, node attributes, and graph features. Extensive evaluation on six real-world datasets demonstrates that inductive GNNs leak rich information that enables link stealing attacks with advantageous properties. Even attacks with no knowledge about graph structures can be effective. We also show that our attacks are robust to different node similarities and different graph features. As a counterpart, we investigate two possible defenses and discover they are ineffective against our attacks, which calls for more effective defenses.

Keywords: Graph Neural Networks (GNNs), Link Stealing Attacks

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.