Model Inversion Attacks Against Graph Neural Networks

Many data mining tasks rely on graphs to model relational structures among individuals (nodes). Since are often sensitive, there is an urgent need evaluate the privacy risks in graph data. One famous attack against analysis models inversion attack, which aims infer sensitive training dataset and leads great concerns. Despite its success grid-like domains, directly applying attacks non-grid domains such as poor performance. This mainly due failure consider unique properties of graphs. To bridge this gap, we conduct a systematic study Graph Neural Networks (GNNs), one state-of-the-art tools paper. Firstly, white-box setting where attacker has full access target GNN model, present GraphMI private Specifically GraphMI, projected gradient module proposed tackle discreteness edges preserve sparsity smoothness features; auto-encoder used efficiently exploit topology, node attributes, parameters for edge inference; random sampling can finally sample discrete edges. Furthermore, hard-label black-box only query API receive classification results, propose two methods based estimation reinforcement learning (RL-GraphMI). With methods, connection between risk influence show that with greater more likely be recovered. Extensive experiments over several public datasets demonstrate effectiveness our methods. We also under defenses: well-designed differential training, other preprocessing. Our experimental results defenses not sufficiently effective call advanced attacks.