Stealing Links from Graph Neural Networks

05/05/2020 ∙ by Xinlei He, et al.

Graph data, such as social networks and chemical networks, contains a wealth of information that can help to build powerful applications. To fully unleash the power of graph data, a family of machine learning models, namely graph neural networks (GNNs), is introduced. Empirical results show that GNNs have achieved state-of-the-art performance in various tasks. Graph data is the key to the success of GNNs. High-quality graph is expensive to collect and often contains sensitive information, such as social relations. Various research has shown that machine learning models are vulnerable to attacks against their training data. Most of these models focus on data from the Euclidean space, such as images and texts. Meanwhile, little attention has been paid to the security and privacy risks of graph data used to train GNNs. In this paper, we aim at filling the gap by proposing the first link stealing attacks against graph neural networks. Given a black-box access to a GNN model, the goal of an adversary is to infer whether there exists a link between any pair of nodes in the graph used to train the model. We propose a threat model to systematically characterize the adversary's background knowledge along three dimensions. By combination, we obtain a comprehensive taxonomy of 8 different link stealing attacks. We propose multiple novel methods to realize these attacks. Extensive experiments over 8 real-world datasets show that our attacks are effective at inferring links, e.g., AUC (area under the ROC curve) is above 0.95 in multiple cases.


1 Introduction

The past decade has witnessed the tremendous progress of machine learning (ML). Nowadays, ML models have been deployed in various domains, including image classification [38, 30], machine translation [70, 4], and recommendation system [31, 79]. Many current machine learning applications concentrate on data in the Euclidean space, such as images and texts. Meanwhile, graph data, e.g., social networks and chemical networks, contains a wealth of information which can help to build powerful applications [14, 60, 44, 13, 50, 82, 26, 85, 87, 83, 63]. To fully unleash the power of graph data, a whole family of ML models, namely graph neural networks (GNNs), has been proposed [37, 28, 75, 80, 32].

As one of the most popular ML models during the past three years, GNNs have achieved state-of-the-art performance in various tasks, e.g., social network recommendation [57, 20, 80] and chemical property prediction [23, 71, 19]. The goal of a GNN is to predict labels for nodes in a graph. To train a GNN model, one needs a dataset containing both nodes’ attributes and a graph linking all these nodes. The former is the same as datasets used for training other ML models, e.g., multilayer perceptron (MLP), convolutional neural networks (CNNs), and recurrent neural networks (RNNs). The latter, i.e., the graph, is the key to GNNs’ success.

Recently, various research has shown that machine learning models are vulnerable to attacks against their training data [22, 21, 24, 72, 53, 66, 46, 64, 47, 62, 34, 39, 42, 58, 65, 40, 33, 12]. So far, most of these attacks have focused on ML models using data from the Euclidean space, e.g., MLP, CNNs, and RNNs. Meanwhile, very little attention has been paid to GNNs, in particular, the security and privacy risks of the graph data used to train GNNs.

1.1 Our Contributions

In this paper, we propose the first attacks aiming at stealing links from GNNs, which we refer to as link stealing attacks. Specifically, given black-box access to a target GNN model, the goal of an adversary is to predict whether there exists a link between any pair of nodes in the dataset used to train the target GNN model. We refer to the dataset as the target dataset. Successful link stealing attacks can lead to severe consequences. For instance, an adversary stealing the underlying links from the target dataset directly violates the intellectual property of the target model owner. Also, when a GNN is trained on sensitive data, such as social network data, leakage of a link between two users, i.e., a social relation, may jeopardize their privacy to a large extent.

We propose a threat model to characterize the adversary’s background knowledge along three dimensions, i.e., the target dataset’s nodes’ attributes, the target dataset’s partial graph, and an auxiliary dataset called the shadow dataset, which also contains its own nodes’ attributes and graph. By jointly considering whether the adversary has each of these three types of knowledge, we obtain a comprehensive taxonomy of 8 different types of link stealing attacks.

We implement our attacks with multiple novel methodologies. For instance, when the adversary only has the target dataset’s nodes’ attributes, we design an unsupervised attack by calculating the distance between two nodes’ attributes. When the target dataset’s partial graph is available, we use supervised learning to train a binary classifier as our attack model with features summarized from two nodes’ attributes and predictions obtained from the black-box access to the target GNN model. When the adversary has a shadow dataset, we propose a transferring attack which transfers the knowledge from the shadow dataset to the target dataset to mount the link stealing attack.

We evaluate all our 8 attacks over 8 real-world datasets. Extensive results show that our attacks in general achieve high AUC (area under the ROC curve) at inferring links between node pairs. Our results demonstrate that the predictions of a target GNN model encode rich information about the structure of a graph that is used to train the model, and our attacks can exploit them to steal the graph structure.

We also observe that more knowledge leads to better attack performance in general. For instance, on the Citeseer dataset [37], when an adversary has all three types of knowledge, the attack achieves 0.977 AUC. On the same dataset, when the adversary only has nodes’ attributes, the AUC is 0.878. Moreover, we discover that the three types of knowledge have different impacts on our attacks. The target dataset’s partial graph is the strongest predictor, followed by nodes’ attributes; the shadow dataset, on the other hand, is the weakest. Our proposed transferring attack can still achieve high AUC. Moreover, our transferring attack achieves better performance if the shadow dataset comes from the same domain as the target dataset, e.g., both of them are chemical networks. We believe this is due to the fact that similar types of graphs have analogous graph structures, which leads to less information loss during the transferring phase.

In summary, we make the following contributions in this paper.

  • We propose the first set of link stealing attacks against graph neural networks.

  • We propose a threat model to comprehensively characterize an adversary’s background knowledge along three dimensions. Moreover, we propose 8 different link stealing attacks for adversaries with different background knowledge.

  • We extensively evaluate our 8 attacks over 8 real-world datasets. Our results show that our attacks can steal links from a GNN model effectively.

1.2 Organization

The rest of the paper is organized as follows. In Section 2, we introduce graph neural networks. Section 3 presents our threat model and attack definition. Methodologies of our 8 attacks are introduced in Section 4. Section 5 presents our experimental evaluation results. Section 6 discusses some related work and we conclude the paper in Section 7.

2 Graph Neural Networks

Many important real-world datasets come in the form of graphs or networks, e.g., social networks, knowledge graphs, and chemical networks. Therefore, it is urgent to develop machine learning algorithms to fully utilize graph data. To this end, a new family of machine learning algorithms, i.e., graph neural networks (GNNs), has been proposed and shown superior performance in various tasks [2, 16, 37, 75].

Training a GNN Model. Given a graph, attributes for each node in the graph, and a small number of labeled nodes, GNN trains a neural network to predict labels of the remaining unlabeled nodes via analyzing the graph structure and node attributes. Formally, we define the target dataset as , where is the adjacency matrix of the graph and contains all nodes’ attributes. Specifically, is an element in : if there exists an edge between node and node , then , otherwise . Moreover, represents the attributes of . is a set containing all nodes in the graph. Note that we consider undirected graphs in this paper, i.e., .

A GNN method iteratively updates a node’s features via aggregating its neighbors’ features using a neural network, whose last layer predicts labels for nodes. Different GNN methods use slightly different aggregation rules. For instance, graph convolutional network (GCN), the most representative and well-established GNN method [37], uses a multi-layer neural network whose architecture is determined by the graph structure. Specifically, each layer obeys the following propagation rule to aggregate the neighboring features:

(1)

where is the adjacency matrix of the graph with self-connection added, i.e., is the identity matrix. is the symmetric normalized adjacency matrix and . Moreover, is the trainable weight matrix of the th layer, and is the activation function to introduce non-linearity, such as ReLU. As the input layer, we have . When the GCN uses a two-layer neural network, the GCN model can be described as follows:

(2)

Note that two-layer GCN is widely used [37]. In our experiments, we adopt two-layer GCN.
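The two-layer GCN just described, as an added worked example (this is not the authors' implementation, which builds on the public GCN code named in Section 5): a pure-Python forward pass that builds the self-looped, symmetrically normalized adjacency, applies the standard propagation rule Z = softmax(Â ReLU(Â X W0) W1), and returns one posterior per node. The graph, attributes, and weights are constructed and untrained, and the hidden width is 2 rather than the paper's 16. The point is to make visible why a prediction needs only a node ID: the whole graph is already inside the forward pass, so every node's posterior is shaped by its neighbours.

```python
import math
from typing import List

Matrix = List[List[float]]


def normalized_adjacency(adj: Matrix) -> Matrix:
    """Symmetric normalized adjacency with self-connections: D~^(-1/2) (A + I) D~^(-1/2)."""
    n = len(adj)
    a_tilde = [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in a_tilde]  # degrees of A + I
    return [[a_tilde[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def relu(m: Matrix) -> Matrix:
    return [[max(0.0, v) for v in row] for row in m]


def softmax_rows(m: Matrix) -> Matrix:
    out = []
    for row in m:
        shift = max(row)  # subtract the row maximum for numerical stability
        exps = [math.exp(v - shift) for v in row]
        total = sum(exps)
        out.append([e / total for e in exps])
    return out


def gcn_two_layer(adj: Matrix, x: Matrix, w0: Matrix, w1: Matrix) -> Matrix:
    """Z = softmax(A_hat * ReLU(A_hat * X * W0) * W1): one neighbourhood aggregation per layer."""
    a_hat = normalized_adjacency(adj)
    hidden = relu(matmul(matmul(a_hat, x), w0))
    return softmax_rows(matmul(matmul(a_hat, hidden), w1))


# Constructed toy graph: an undirected path 0 - 1 - 2 - 3 (the matrix is symmetric).
ADJ = [
    [0, 1, 0, 0],
    [1, 0, 1, 0],
    [0, 1, 0, 1],
    [0, 0, 1, 0],
]
# Constructed 2-dimensional node attributes.
X = [[1.0, 0.0], [1.0, 0.0], [0.0, 1.0], [0.0, 1.0]]
# Constructed, untrained weights: 2 hidden units, 3 output classes (hypothetical values).
W0 = [[1.0, 0.5], [0.5, 1.0]]
W1 = [[2.0, 0.0, -1.0], [0.0, 2.0, -1.0]]

A_HAT = normalized_adjacency(ADJ)
POSTERIORS = gcn_two_layer(ADJ, X, W0, W1)


def predict(node_id: int) -> List[float]:
    """Black-box style query: the graph and all attributes were consumed by the forward pass,
    so a caller supplies only a node ID and receives that node's posterior distribution."""
    return POSTERIORS[node_id]


if __name__ == "__main__":
    for node in range(len(ADJ)):
        print(node, [round(p, 3) for p in predict(node)])
```

For the path graph the self-looped degrees are 2, 3, 3, 2, so the off-diagonal entries of Â are 1/√6 between nodes 0 and 1 and 1/3 between nodes 1 and 2; unlinked nodes get a zero entry and exchange no information in a single layer.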

Prediction in a GNN Model. Since all nodes’ attributes and the whole graph have been fed into the GNN model in the training phase, to predict the label of a node, we only need to provide the node’s ID to the trained model and obtain the prediction result. We assume the prediction result is a posterior distribution (called posteriors) over the possible labels for the node. Our work shows that such posteriors reveal rich information about the graph structure and an adversary can leverage them to infer whether a pair of nodes are linked or not in the graph.

We use to denote the target GNN model and to represent the posteriors of node . For presentation purposes, we summarize the notations introduced here and in the following sections in Table 1.

Notation Description
Target dataset
Graph of represented as adjacency matrix
Partial graph of
Nodes’ attributes of
Set of nodes of
Target model
Reference model
’s posteriors from the target model
’s posteriors from the reference model
Shadow dataset
Shadow target model
Shadow reference model
Adversary’s knowledge
Distance metric

Pairwise vector operations

Entropy of
Table 1: List of notations.

3 Problem Formulation

In this section, we first propose a threat model to characterize an adversary’s background knowledge. Then, we formally define our link stealing attack.

3.1 Threat Model

Adversary’s Goal. An adversary’s goal is to infer whether a given pair of nodes and are connected in the target dataset. Inferring links between nodes is a privacy threat when the links represent sensitive relationships between users. Moreover, links may be confidential and viewed as a model owner’s intellectual property, because the model owner may spend lots of resources collecting the links, e.g., it requires expensive medical/chemical experiments to determine the interaction/link between two molecules in a chemical network. Therefore, inferring links may also compromise a model owner’s intellectual property.

Adversary’s Background Knowledge. First of all, we assume an adversary has black-box access to the target GNN model. In other words, the adversary can only obtain nodes’ posteriors by querying the target model . This is the most difficult setting for the adversary [66, 62, 61]. Then, we characterize an adversary’s background knowledge along three dimensions:

  • Target Dataset’s Nodes’ Attributes, denoted by . This background knowledge characterizes whether the adversary knows nodes’ attributes in . We also assume that the adversary knows labels of a small subset of nodes.

  • Target Dataset’s Partial Graph, denoted by . This dimension characterizes whether the adversary knows a subset of links in the target dataset . Since the goal of a link stealing attack is to infer whether there exists an edge/link between a pair of nodes, the partial graph can be used as ground truth edges to train the adversary’s attack model.

  • A Shadow Dataset, denoted by . This is a dataset which contains its own nodes’ attributes and graph. The adversary can use this to build a GNN model, referred to as the shadow target model (denoted by ), in order to perform a transferring attack. It is worth noting that the shadow dataset does not need to come from the same domain as the target dataset. For instance, the shadow dataset can be a chemical network, while the target dataset can be a citation network. However, results in Section 5 show that a same-domain shadow dataset indeed leads to better transferring attack performance.

We denote the adversary’s background knowledge as a triplet:

Whether the adversary has each of the three items is a binary choice, i.e., yes or no. Therefore, we have a comprehensive taxonomy with 8 different types of background knowledge, which leads to 8 different link stealing attacks. Table 2 summarizes our attack taxonomy.

Attack Attack
Attack-0 Attack-4
Attack-1 Attack-5
Attack-2 Attack-6
Attack-3 Attack-7
Table 2: Our comprehensive taxonomy of threat model. represents the target dataset’s nodes attributes, represents the target dataset’s partial graph, represents a shadow dataset, and () means the adversary has (does not have) the knowledge.

3.2 Link Stealing Attack

After describing our threat model, we can formally define our link stealing attack as follows:

Definition 1 (Link Stealing Attack).

Given black-box access to a GNN model that is trained on a target dataset, a pair of nodes and in the target dataset, and an adversary’s background knowledge , a link stealing attack aims to infer whether there is a link between and in the target dataset.

4 Attack Taxonomy

Attack
Attack-1
Attack-3
Attack-4
Attack-5
Attack-6
Attack-7
Table 3: Features adopted by our supervised attacks (Attack-3 and Attack-6) and transferring attacks (Attack-1, Attack-4, Attack-5, and Attack-7). Here, means the features are extracted from the shadow dataset in the training phase and means the features are extracted from both the shadow dataset and the target dataset (its partial graph) in the training phase. represents the distance metrics defined in Table 4, and represents the pairwise vector operations defined in Table 5. Note that the features used in these attack models include all the distance metrics and pairwise vector operations.

In this section, we present the detailed constructions of all the 8 attacks listed in Table 2. Given different knowledge , the adversary can conduct their attacks in different ways. However, there are two problems that exist across different attacks.

The first problem is node pair order. As we consider undirected graphs, when the adversary wants to predict whether there is a link between two given nodes and , the output should be the same regardless of the input node pair order.

The second problem is dimension mismatch. The shadow dataset and the target dataset normally have different dimensions with respect to attributes and posteriors (as they are collected for different classification tasks). For transferring attacks that require the adversary to transfer information from the shadow dataset to the target dataset, it is crucial to keep the attack model’s input features’ dimension consistent no matter which shadow dataset she has.

We will discuss how to solve these two problems during the description of the different attacks. For presentation purposes, the features used in our supervised attacks and transferring attacks are summarized in Table 3.

4.1 Attack Methodologies

Attack-0: . We start with the most difficult setting for the adversary, that is, she has no knowledge of the target dataset’s nodes’ attributes, its partial graph, or a shadow dataset. All she has is the posteriors of nodes obtained from the target model (see Section 2).

As introduced in Section 2, GNN essentially aggregates information for each node from its neighbors. This means if there is a link between two nodes, then their posteriors obtained from the target model should be closer. Following this intuition, we propose an unsupervised attack. More specifically, to predict whether there is a link between and , we calculate the distance between their posteriors, i.e., , as the predictor.

We have in total experimented with 8 common distance metrics: Cosine distance, Euclidean distance, Correlation distance, Chebyshev distance, Braycurtis distance, Canberra distance, Manhattan distance, and Square-euclidean distance. Their formal definitions are in Table 4. It is worth noting that all distance metrics we adopt are symmetric, i.e., , which naturally solves the problem of node pair order.

Since the attack is unsupervised, the adversary cannot algorithmically find a threshold to make a concrete prediction; instead, she needs to make a manual decision depending on the application scenario. To evaluate our attack, we use AUC (area under the ROC curve), which considers a set of thresholds, as in previous works [22, 3, 55, 27, 62, 34, 86] (see Section 5 for more details).
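As an added example (not the paper's code), the Attack-0 predictor turned into a leakage audit that a model owner can run on their own posteriors before exposing a prediction API: every node pair is scored by the negated posterior distance, and AUC is computed directly from its definition as the probability that a random linked pair outranks a random unlinked pair, with ties counting one half. The posteriors and edge list are constructed; the "flat" control, in which every node returns the same posterior, shows that posteriors carrying no structural signal sit at exactly 0.5.

```python
import math
from itertools import combinations
from typing import Callable, Dict, List, Sequence, Tuple

Vector = Sequence[float]


def cosine_distance(u: Vector, v: Vector) -> float:
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return 1.0 - dot / (norm_u * norm_v)


def euclidean_distance(u: Vector, v: Vector) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def auc_from_scores(positive: List[float], negative: List[float]) -> float:
    """AUC as the probability that a random positive pair scores above a random negative pair;
    ties count as one half, so a constant (uninformative) score gives exactly 0.5."""
    wins = 0.0
    for p in positive:
        for n in negative:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(positive) * len(negative))


def link_leakage_auc(posteriors: List[Vector], edges: List[Tuple[int, int]],
                     distance: Callable[[Vector, Vector], float] = cosine_distance) -> float:
    """Score every node pair by the negated posterior distance (closer = more likely linked)
    and measure how well that ranking separates the true links from the non-links."""
    linked = {frozenset(e) for e in edges}
    positive: List[float] = []
    negative: List[float] = []
    for i, j in combinations(range(len(posteriors)), 2):
        score = -distance(posteriors[i], posteriors[j])
        (positive if frozenset((i, j)) in linked else negative).append(score)
    return auc_from_scores(positive, negative)


# Constructed posteriors for a 6-node, 3-class graph whose links join nodes with similar
# posteriors, which is the pattern neighbourhood aggregation produces in a trained GNN.
POSTERIORS = [
    [0.90, 0.05, 0.05],
    [0.85, 0.10, 0.05],
    [0.80, 0.15, 0.05],
    [0.10, 0.80, 0.10],
    [0.05, 0.85, 0.10],
    [0.05, 0.90, 0.05],
]
EDGES = [(0, 1), (1, 2), (3, 4), (4, 5)]

# Constructed control: identical posteriors for every node carry no structural signal.
FLAT_POSTERIORS = [[1 / 3, 1 / 3, 1 / 3]] * 6


def audit() -> Dict[str, float]:
    """Leakage AUC per metric plus the no-signal baseline, for comparison against 0.5."""
    return {
        "cosine": link_leakage_auc(POSTERIORS, EDGES, cosine_distance),
        "euclidean": link_leakage_auc(POSTERIORS, EDGES, euclidean_distance),
        "flat_baseline": link_leakage_auc(FLAT_POSTERIORS, EDGES),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: AUC = {value:.3f}")
```

Cosine and Euclidean are two of the eight metrics in Table 4; swapping the `distance` argument reproduces the per-metric comparison of Figure 1. In the constructed data every linked pair lies closer than every unlinked pair, so both metrics reach AUC 1.0; on real posteriors the number to watch is how far the audit AUC sits above the 0.5 of the flat control, since the distance functions are symmetric, the pair order does not affect the result.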

Attack-1: . In this attack, we broaden the adversary’s knowledge with a shadow dataset, i.e., . This means the adversary can train a classifier for a supervised attack, more specifically, a transferring attack. She first constructs a shadow target model with . Then, she derives the training data from to train her attack model.

The adversary cannot directly use the posteriors obtained from the shadow target model as features to train her attack model, as the shadow dataset and the target dataset very likely have different numbers of labels, i.e., the corresponding posteriors are in different dimensions. This is the dimension mismatch problem mentioned before. To tackle this, we need to design features over posteriors.

As discussed in Attack-0, for any dataset, if two nodes are linked, then their posteriors obtained from the target model should be similar. This means if the attack model can capture the similarity of two nodes’ posteriors from the shadow target model, it should also be able to transfer the information to the target model.

We take two approaches together to design features. The first approach is measuring distances between two nodes’ posteriors. To this end, for each pair of nodes and from the shadow dataset , we adopt the same set of 8 metrics used in Attack-0 (formal definitions are listed in Table 4) to measure their posteriors and ’s distances, and concatenate these different distances together. This leads to an 8-dimension vector.

The second approach is to use entropy to describe each posterior inspired by previous works [46, 34]. Formally, for the posterior of node obtained from the shadow target model , its entropy is defined as the following.

(3)

where denotes the -th element of . Then, for each pair of nodes and from the shadow dataset, we obtain two entropies and . To eliminate the pair order problem for these entropies, we further take the approach of Grover and Leskovec [25] by applying a pairwise vector operation, denoted by . In total, we use all 4 operations defined in Table 5 for our attack. Note that in this attack the operations in Table 5 are applied to two single numbers, i.e., scalars. However, they can also be applied to vectors, and we adopt them again on posteriors and nodes’ attributes in other attacks.

In total, the features used for training the attack model are assembled from 8 different distances between two nodes’ posteriors from the shadow target model and 4 features obtained from pairwise vector operations between the two nodes’ posteriors’ entropies. Regarding labels for the training set, the adversary uses all the links in and samples the same number of node pairs that are not linked (see Section 5 for more details). We adopt an MLP as our attack model.

Metrics Definition
Cosine distance
Euclidean distance
Correlation distance
Chebyshev distance
Braycurtis distance
Manhattan distance
Canberra distance
Sqeuclidean distance
Table 4: Distance metrics adopted by our attacks, represents the -th component of . We use and to present these metrics, however, they can be applied to nodes’ attributes and posteriors from the reference model, shadow target model, and shadow reference model as well.
Operator Definition Operator Definition
Average Weighted-L1
Hadamard Weighted-L2
Table 5: Pairwise vector operations adopted by our attacks [25], represents the -th component of . We use and to present these metrics, however, they can be applied to nodes’ attributes and posteriors from the reference model, shadow target model, and shadow reference model as well. Moreover, these operations are also applied to entropies summarized from posteriors.
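Tables 4 and 5 together with the entropy feature of Attack-1, as an added example (not the paper's code) that shows how the dimension mismatch is sidestepped: the eight distances and the four pairwise operations on the two scalar entropies give a 12-value feature vector whether a posterior has 3 or 5 classes, and each value is identical under swapping the two nodes. The distance definitions follow the usual scipy.spatial.distance conventions (an assumption, since the table's formulas did not survive extraction), the natural logarithm in the entropy is likewise an assumption, and the posteriors are constructed.

```python
import math
from typing import List, Sequence

Vector = Sequence[float]


# --- Table 4: the eight distance metrics (scipy.spatial.distance conventions assumed) ---
def cosine(u: Vector, v: Vector) -> float:
    dot = sum(a * b for a, b in zip(u, v))
    denom = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return 1.0 - dot / denom if denom > 0 else 0.0  # zero vector: no direction to compare


def euclidean(u: Vector, v: Vector) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def correlation(u: Vector, v: Vector) -> float:
    mu, mv = sum(u) / len(u), sum(v) / len(v)
    return cosine([a - mu for a in u], [b - mv for b in v])  # cosine of the centred vectors


def chebyshev(u: Vector, v: Vector) -> float:
    return max(abs(a - b) for a, b in zip(u, v))


def braycurtis(u: Vector, v: Vector) -> float:
    return sum(abs(a - b) for a, b in zip(u, v)) / sum(abs(a + b) for a, b in zip(u, v))


def canberra(u: Vector, v: Vector) -> float:
    return sum(abs(a - b) / (abs(a) + abs(b)) for a, b in zip(u, v) if abs(a) + abs(b) > 0)


def manhattan(u: Vector, v: Vector) -> float:
    return sum(abs(a - b) for a, b in zip(u, v))


def sqeuclidean(u: Vector, v: Vector) -> float:
    return sum((a - b) ** 2 for a, b in zip(u, v))


DISTANCES = [cosine, euclidean, correlation, chebyshev, braycurtis, canberra, manhattan, sqeuclidean]


# --- Table 5: pairwise vector operations (Grover and Leskovec), applied element-wise ---
def average(u: Vector, v: Vector) -> List[float]:
    return [(a + b) / 2 for a, b in zip(u, v)]


def hadamard(u: Vector, v: Vector) -> List[float]:
    return [a * b for a, b in zip(u, v)]


def weighted_l1(u: Vector, v: Vector) -> List[float]:
    return [abs(a - b) for a, b in zip(u, v)]


def weighted_l2(u: Vector, v: Vector) -> List[float]:
    return [(a - b) ** 2 for a, b in zip(u, v)]


PAIRWISE_OPS = [average, hadamard, weighted_l1, weighted_l2]


def entropy(posterior: Vector) -> float:
    """Shannon entropy of a posterior; natural log assumed, zero-probability terms skipped."""
    return -sum(p * math.log(p) for p in posterior if p > 0)


def pair_features(post_u: Vector, post_v: Vector) -> List[float]:
    """8 posterior distances + 4 pairwise operations on the two scalar entropies = 12 values,
    whatever the number of classes, which is what lets the features transfer across datasets."""
    feats = [d(post_u, post_v) for d in DISTANCES]
    h_u, h_v = entropy(post_u), entropy(post_v)
    feats += [op([h_u], [h_v])[0] for op in PAIRWISE_OPS]
    return feats


# Constructed posteriors from two hypothetical models with different label counts.
P3_A, P3_B = [0.7, 0.2, 0.1], [0.6, 0.3, 0.1]                      # 3-class task
P5_A, P5_B = [0.5, 0.2, 0.1, 0.1, 0.1], [0.4, 0.3, 0.1, 0.1, 0.1]  # 5-class task

if __name__ == "__main__":
    print(len(pair_features(P3_A, P3_B)), [round(f, 4) for f in pair_features(P3_A, P3_B)])
    print(len(pair_features(P5_A, P5_B)), [round(f, 4) for f in pair_features(P5_A, P5_B)])
```

Because every distance in Table 4 and every operation in Table 5 is symmetric in its two arguments, the feature vector is the same for (u, v) and (v, u), which is how the supervised and transferring attacks handle the node pair order problem without any canonical ordering of nodes.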

Attack-2: . In this attack, we assume that the adversary has the knowledge of the target model’s nodes’ attributes . Since the adversary has no knowledge of the partial graph and a shadow dataset, her attack here is also unsupervised (similar to Attack-0). We again rely on the distance metrics to perform our attack. For each pair of nodes and from the target dataset, we consider four types of information to measure distance with all the metrics listed in Table 4. Similar to Attack-0, we experimentally decide which is the most suitable distance metric for Attack-2.

  • . The first type is the same as the method for Attack-0, i.e., distance between posteriors of and from the target model , i.e., and .

  • . The second type is calculating the pairwise distance over and ’s attributes and .

  • . For the third type, since we have the target model’s nodes’ attributes (as well as a subset of their corresponding labels), we train a separate MLP model, namely the reference model (denoted by ). Our intuition is that if two nodes are connected, the distance between their posteriors from the target model should be smaller than the corresponding distance from the reference model. Therefore, we calculate to make the prediction.

  • . For the fourth type, we measure the distance over and ’s posteriors from the reference model.

Attack-3: . In this scenario, the adversary has access to the partial graph of the target dataset. For the attack model, we rely on links from the known partial graph as the ground truth label to train an attack model (we again adopt an MLP).

Features used for Attack-3 are summarized in Table 3. For each pair of nodes and from the target dataset, we calculate the same set of features proposed for Attack-1 on their posteriors and posteriors’ entropies. Besides, since we can directly train the attack model on the partial target graph (i.e., we do not face the dimension mismatch problem), we further define new features by adopting the pairwise vector operations listed in Table 5 to and .

Attack-4: . In this attack, the adversary has the knowledge of the partial graph of the target dataset and a shadow dataset . To take both types of knowledge into consideration, for each pair of nodes either from the shadow dataset or the partial graph of the target dataset, we calculate the same set of features over posteriors as proposed in Attack-1. This means the only difference between Attack-4 and Attack-1 is that the training set for Attack-4 also includes information from the target dataset’s partial graph (see Table 3 for more details).

Different from Attack-3, Attack-4 cannot perform the pairwise vector operations to and . This is due to the dimension mismatch problem as the adversary needs to take both and into account for her attack.

Attack-5: . In this attack, the adversary has the knowledge of the target model’s nodes’ attributes and a shadow dataset . As we do not have the target dataset’s partial graph to train the attack model, we need to rely on the graph of the shadow dataset. To this end, we first calculate the same set of features used for Attack-1.

Moreover, as we have the target dataset’s nodes’ attributes, we further build a reference model (as in Attack-2), and also a shadow reference model in order to transfer more knowledge from the shadow dataset for the attack. For this, we build the same set of features as in Attack-1 over the posteriors obtained from the shadow reference model, i.e., the distance of posteriors (Table 4) and pairwise vector operations performed on posteriors’ entropies (Table 5). In addition, we also calculate the 8 different distances over the shadow dataset’s nodes’ attributes.

Attack-6: . In this scenario, the adversary has access to the target dataset’s nodes’ attributes and the partial target graph . As this is a supervised learning setting, we build an MLP considering links from the partial graph as the ground truth label.

The adversary first adopts the same set of features defined over posteriors obtained from the target model as proposed in Attack-3. Then, the adversary builds a reference model over the target dataset’s nodes’ attributes, and calculates the same set of features over posteriors obtained from the reference model. Finally, we calculate the distances of the target dataset’s nodes’ attributes as another set of features.

Attack-7: . This is the last attack, with the adversary having all three types of knowledge, i.e., the target dataset’s nodes’ attributes , the target dataset’s partial graph , and a shadow dataset . The set of features for this attack is the same as the ones used in Attack-5 (Table 3). The only difference lies in the training phase: we can use the partial graph from the target dataset together with the graph from the shadow dataset as the ground truth. We expect this to lead to better performance than Attack-5. However, this attack also relies on the information of the shadow dataset; thus, the features used here are a subset of the ones for Attack-6, similar to the difference between Attack-4 and Attack-3. Note that if the adversary does not take the shadow dataset into consideration, this scenario is equivalent to the one for Attack-6.

4.2 Summary

We propose 8 attack scenarios with the combination of the knowledge that the adversary could have. They could be divided into three categories.

The first category is the unsupervised attacks, including Attack-0 and Attack-2, where the adversary does not have the knowledge about the partial graph from the target dataset or a shadow dataset. In these scenarios, the adversary can use distance metrics for posteriors or nodes’ attributes to infer the link.

The second category is the supervised attacks, including Attack-3 and Attack-6, where the adversary has the knowledge of the partial graph from the target dataset but does not have a shadow dataset. In these scenarios, the adversary can use different distances and pairwise vector operations over nodes’ posteriors (and the corresponding entropies) from the target model and their attributes to build features as the input for the attack model.

The third category is the transferring attacks (supervised), including Attack-1, Attack-4, Attack-5, and Attack-7, where the adversary has the knowledge of a shadow dataset. In these scenarios, the adversary can use distance metrics over posteriors/nodes’ attributes and pairwise operations over posteriors’ entropies as the bridge to transfer the knowledge from the shadow dataset to perform link stealing attacks. It is worth noting that for Attack-4 and Attack-7, if the adversary leaves the shadow dataset out of consideration, they will not have the dimension mismatch problem and can take the same attack methods as Attack-3 and Attack-6, respectively.

5 Evaluation

This section presents the evaluation results of our 8 attacks. We first introduce our experimental setup. Then, we present detailed results for different attacks. Finally, we summarize our experimental findings.

5.1 Experimental Setup

Datasets. We utilize 8 public datasets, including Citeseer [37], Cora [37], Pubmed [37], AIDS [59], COX2 [69], DHFR [69], ENZYMES [17], and PROTEINS_full [7], to conduct our experiments. These datasets are widely used as benchmark datasets for evaluating GNNs [37, 75, 80, 18, 19]. Among them, Citeseer, Cora, and Pubmed are citation datasets with nodes representing publications and links indicating citations among these publications. The other five datasets are chemical datasets, in which each node is a molecule and each link represents the interaction between two molecules. All these datasets have nodes’ attributes and labels. Table 6 summarizes the general statistics.

Dataset Type #. Nodes #. Edges #. Classes #. Attributes
AIDS Chemical 31,385 32,390 38 4
COX2 Chemical 19,252 20,289 8 3
DHFR Chemical 32,075 33,676 9 3
ENZYMES Chemical 19,580 37,282 3 18
PROTEINS_full Chemical 43,471 81,044 3 29
Citeseer Citation 3,327 4,732 6 3,703
Cora Citation 2,708 5,429 7 1,433
Pubmed Citation 19,717 44,338 3 500
Table 6: Dataset statistics.

Datasets Configuration. For each dataset, we train a target model and a reference model. In particular, we randomly sample 10% of the nodes and use their ground truth labels to train the target model and the reference model. (Note that we do not train the reference model for attacks when is unavailable.) Recall that several attacks require the knowledge of the target dataset’s partial graph. To simulate and fairly evaluate different attacks, we construct an attack dataset which contains node pairs and labels representing whether they are linked or not. Specifically, we first select all node pairs that are linked. Then, we randomly sample the same number of node pairs that are not linked. Note that such a negative sampling method has been used in previous works [25, 3, 62]. We then split the attack dataset randomly in half into an attack training dataset and an attack testing dataset. We use the attack training dataset to train our attack models when the target dataset’s partial graph is part of the adversary’s knowledge. We use the attack testing dataset to evaluate all our attacks. For the attacks that have a shadow dataset, we also construct an attack dataset on the shadow dataset to train the attack model. Note that we do not split this attack dataset because we do not use it for evaluation.
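The attack dataset construction just described, as an added example (not the paper's code): all linked pairs become positives, an equal number of randomly sampled unlinked pairs become negatives, and the balanced set is split at random into equal training and testing halves. Pairs are stored in canonical (smaller id first) order so that (i, j) and (j, i) cannot end up on different sides of the split; the edge list is constructed and the seeds are arbitrary. For a shadow dataset the same `build_attack_dataset` call is used without `split_half`, matching the text.

```python
import random
from itertools import combinations
from typing import Dict, List, Set, Tuple

Pair = Tuple[int, int]
Sample = Tuple[Pair, int]  # (node pair, label): 1 = linked, 0 = not linked


def canonical(i: int, j: int) -> Pair:
    """Undirected pair key, so (i, j) and (j, i) are the same sample."""
    return (i, j) if i < j else (j, i)


def build_attack_dataset(num_nodes: int, edges: List[Pair], seed: int = 0) -> List[Sample]:
    """All linked pairs as positives plus an equal number of randomly sampled unlinked pairs."""
    rng = random.Random(seed)
    positives = sorted({canonical(i, j) for i, j in edges})
    linked: Set[Pair] = set(positives)
    candidates = [p for p in combinations(range(num_nodes), 2) if p not in linked]
    if len(candidates) < len(positives):
        raise ValueError("graph too dense to sample an equal number of negatives")
    negatives = rng.sample(candidates, len(positives))
    dataset: List[Sample] = [(p, 1) for p in positives] + [(p, 0) for p in negatives]
    rng.shuffle(dataset)
    return dataset


def split_half(dataset: List[Sample], seed: int = 0) -> Tuple[List[Sample], List[Sample]]:
    """Random split into an attack training half and an attack testing half."""
    rng = random.Random(seed)
    items = list(dataset)
    rng.shuffle(items)
    half = len(items) // 2
    return items[:half], items[half:]


def summary(dataset: List[Sample]) -> Dict[str, int]:
    return {
        "positives": sum(label for _, label in dataset),
        "negatives": sum(1 - label for _, label in dataset),
    }


# Constructed toy graph: 8 nodes, 7 undirected edges, given as an edge list the way a dataset
# loader would provide them.
NUM_NODES = 8
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (4, 5), (5, 6), (6, 7)]

ATTACK_DATASET = build_attack_dataset(NUM_NODES, EDGES, seed=42)
TRAIN, TEST = split_half(ATTACK_DATASET, seed=42)

if __name__ == "__main__":
    print("attack dataset:", summary(ATTACK_DATASET))
    print("train:", summary(TRAIN), "test:", summary(TEST))
```

Because the split is over the balanced set and not stratified, the two halves need not each be exactly balanced; AUC, being insensitive to the label distribution, is the reason that does not matter for the evaluation.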

Metric. We use AUC (area under the ROC curve) as our evaluation metric. AUC is frequently used in binary classification tasks [22, 3, 52, 51, 55, 27, 62, 87, 34, 86]; it is threshold-independent and insensitive to the label distribution, i.e., the AUC value is stable regardless of the percentage of positive labels in the dataset. For convenience, we refer to node pairs that are linked as positive node pairs and those that are not linked as negative node pairs. If we rank node pairs according to the probability that there is a link between them, then AUC is the probability that a randomly selected positive node pair ranks higher than a randomly selected negative node pair. Note that when performing random guessing, i.e., when we rank all node pairs uniformly at random, the AUC value is 0.5.

Models. We use a graph convolutional network with 1 hidden layer for both the target model and the shadow target model, and assume they share the same architecture (see Section 3). The number of neurons in the hidden layer is set to 16. We adopt the frequently used ReLU and softmax as activation functions for the hidden layer and the output layer, respectively. Note that we append Dropout (the rate is 0.5) to the output of the hidden layer to prevent overfitting. We train 100 epochs with a learning rate of 0.01. Cross-entropy is adopted as the loss function and we use the Adam optimizer to update the model parameters. Our GNNs are implemented based on publicly available code (https://github.com/tkipf/gcn).

We use an MLP with 1 hidden layer as the reference model and the shadow reference model. Hyperparameters, including number of neurons in the hidden layer, activation functions, loss function, optimizer, epochs, and learning rate are the same as those of the target model.

Table 7: Average AUC ± standard deviation for Attack-1 on all the 8 datasets (rows: target dataset; columns: shadow dataset). The best result in each row is marked with *.

Target \ Shadow | AIDS | COX2 | DHFR | ENZYMES | PROTEINS_full | Citeseer | Cora | Pubmed
---|---|---|---|---|---|---|---|---
AIDS | - | 0.720 ± 0.009 | 0.690 ± 0.005 | 0.730 ± 0.010 * | 0.720 ± 0.005 | 0.689 ± 0.019 | 0.650 ± 0.025 | 0.667 ± 0.014
COX2 | 0.755 ± 0.032 | - | 0.831 ± 0.005 | 0.739 ± 0.116 | 0.832 ± 0.009 * | 0.762 ± 0.009 | 0.773 ± 0.008 | 0.722 ± 0.024
DHFR | 0.689 ± 0.004 | 0.771 ± 0.004 * | - | 0.577 ± 0.044 | 0.701 ± 0.010 | 0.736 ± 0.005 | 0.740 ± 0.003 | 0.663 ± 0.010
ENZYMES | 0.747 ± 0.014 * | 0.695 ± 0.023 | 0.514 ± 0.041 | - | 0.691 ± 0.030 | 0.680 ± 0.012 | 0.663 ± 0.009 | 0.637 ± 0.018
PROTEINS_full | 0.775 ± 0.020 | 0.821 ± 0.016 | 0.528 ± 0.038 | 0.822 ± 0.020 | - | 0.823 ± 0.004 * | 0.809 ± 0.015 | 0.809 ± 0.013
Citeseer | 0.801 ± 0.040 | 0.920 ± 0.006 | 0.842 ± 0.036 | 0.846 ± 0.042 | 0.848 ± 0.015 | - | 0.965 ± 0.001 * | 0.942 ± 0.003
Cora | 0.791 ± 0.019 | 0.884 ± 0.005 | 0.811 ± 0.024 | 0.804 ± 0.048 | 0.869 ± 0.012 | 0.942 ± 0.001 * | - | 0.917 ± 0.002
Pubmed | 0.705 ± 0.039 | 0.796 ± 0.007 | 0.704 ± 0.042 | 0.708 ± 0.067 | 0.752 ± 0.014 | 0.883 ± 0.006 | 0.885 ± 0.005 * | -

We use an MLP with 2 hidden layers as our attack model. The number of neurons in both hidden layers is 32. ReLU is adopted as the activation function for the hidden layers and softmax as the output activation function. We again append Dropout (rate 0.5) to each hidden layer to prevent overfitting. We train for 50 epochs with a learning rate of 0.001. The loss function is cross-entropy and the optimizer is Adam.

We run all experiments with this setting 5 times and report the average and the standard deviation of the AUC scores. Note that for Attack-0 and Attack-2 the AUC scores do not vary across runs, since these two attacks are unsupervised.

5.2 Attack Performance in Different Scenarios

Figure 1: AUC for Attack-0 on all the 8 datasets with all the 8 distance metrics. The x-axis represents the dataset and the y-axis represents the AUC score.
Figure 2: The Correlation distance distribution between nodes’ posteriors for positive node pairs and negative node pairs on all the 8 datasets. The x-axis represents Correlation distance and the y-axis represents the number of node pairs.
Figure 3: The last hidden layer’s output from the attack model of Attack-1 for 200 randomly sampled positive node pairs and 200 randomly sampled negative node pairs projected into a 2-dimension space using t-SNE. (a) Cora as the shadow dataset and Citeseer as the target dataset, (b) Cora as the shadow dataset and ENZYMES as the target dataset.

Attack-0. In this attack, the adversary only relies on measuring the distance between two nodes' posteriors obtained from the target model. We compare 8 different distance metrics; Figure 1 shows the results. First, we observe that Correlation distance achieves the best performance, followed by Cosine distance, across all datasets. In contrast, Canberra distance performs the worst. For instance, on the Citeseer dataset, the AUC scores for Correlation distance and Cosine distance are 0.959 and 0.946, respectively, while the AUC score for Canberra distance is 0.801. Note that both Correlation distance and Cosine distance are based on the inner product between two vectors, i.e., the "angle" between them (Correlation distance is Cosine distance computed on mean-centered vectors), while the other distance metrics are not. Second, we find that the performance of the same metric differs across datasets. For instance, the AUC of Correlation distance on Citeseer is 0.959 compared to 0.635 on ENZYMES.

Figure 2 shows the frequency of the Correlation distance computed on posteriors obtained from the target model for both positive node pairs and negative node pairs in the attack testing datasets. The x-axis is the value of the Correlation distance and the y-axis is the number of pairs. A clear trend is that, for all datasets, the Correlation distance for positive node pairs is much smaller than for negative node pairs. In other words, on average, the posteriors of positive node pairs are "closer" than those of negative node pairs. This verifies our intuition presented in Section 4: a GNN can be considered as an aggregation function over neighborhoods, so if two nodes are linked, each aggregates the other's features and their posteriors become closer.
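The pipeline of Section 5.1 and Attack-0 end to end, as an added example that is not the paper's code: a one-hidden-layer GCN with ReLU and softmax (the target model's architecture) produces posteriors for a constructed six-node graph, the balanced attack dataset is built as described under Datasets Configuration (all linked pairs plus an equal number of sampled unlinked pairs), each pair is scored by the distance between its two posteriors, and AUC is computed from its rank definition. The graph, the one-hot-style attributes and the identity weights that stand in for a trained model are all assumptions chosen so that the run is deterministic; a trained model would learn W0 and W1 but aggregate neighbours the same way.

```python
"""Added example (not the paper's code): the Attack-0 pipeline on a constructed toy
graph. A one-hidden-layer GCN produces posteriors, a balanced attack dataset is built
as in Section 5.1, pairs are scored by the distance between their posteriors, and AUC
is computed from its rank definition. Identity weights stand in for a trained model
(assumption) so that the run is deterministic."""
import math
import random
from itertools import combinations


def matmul(a, b):
    """Dense product of two small matrices stored as lists of rows."""
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def normalized_adjacency(n, edges):
    """Kipf-Welling propagation matrix D^-1/2 (A + I) D^-1/2 of an undirected graph."""
    a = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]  # A + I
    for u, v in edges:
        a[u][v] = a[v][u] = 1.0
    deg = [sum(row) for row in a]
    return [[a[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]


def softmax(row):
    m = max(row)
    e = [math.exp(x - m) for x in row]
    s = sum(e)
    return [x / s for x in e]


def gcn_posteriors(a_hat, x, w0, w1):
    """Z = softmax(A_hat * ReLU(A_hat X W0) * W1): one hidden layer, ReLU, softmax output."""
    h = [[max(v, 0.0) for v in row] for row in matmul(matmul(a_hat, x), w0)]
    return [softmax(row) for row in matmul(matmul(a_hat, h), w1)]


def cosine_distance(p, q):
    num = sum(u * v for u, v in zip(p, q))
    den = math.sqrt(sum(v * v for v in p)) * math.sqrt(sum(v * v for v in q))
    return 1.0 - num / den


def correlation_distance(p, q):
    """1 - Pearson correlation, i.e. cosine distance of the mean-centered vectors."""
    mp, mq = sum(p) / len(p), sum(q) / len(q)
    return cosine_distance([v - mp for v in p], [v - mq for v in q])


def canberra_distance(p, q):
    return sum(abs(u - v) / (abs(u) + abs(v)) for u, v in zip(p, q) if abs(u) + abs(v) > 0)


def build_attack_dataset(n, edges, seed=0):
    """All linked pairs (label 1) plus an equal number of sampled unlinked pairs (label 0)."""
    linked = {tuple(sorted(e)) for e in edges}
    unlinked = [p for p in combinations(range(n), 2) if p not in linked]
    negatives = random.Random(seed).sample(unlinked, len(linked))
    return [(p, 1) for p in sorted(linked)] + [(p, 0) for p in negatives]


def auc(scores, labels):
    """Probability that a random positive outranks a random negative; ties count 1/2."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return wins / (len(pos) * len(neg))


def attack0_auc(posteriors, dataset, distance=correlation_distance):
    """Attack-0: rank pairs by -distance of their posteriors (smaller distance = likely linked)."""
    scores = [-distance(posteriors[u], posteriors[v]) for (u, v), _ in dataset]
    return auc(scores, [label for _, label in dataset])


# Constructed toy graph: triangles {0,1,2} and {3,4,5} joined by the edge (2,3).
N = 6
EDGES = [(0, 1), (0, 2), (1, 2), (3, 4), (3, 5), (4, 5), (2, 3)]
# Constructed one-hot-style attributes over 3 classes (class 2 unused by any node).
X = [[1.0, 0.0, 0.0] for _ in range(3)] + [[0.0, 1.0, 0.0] for _ in range(3)]
# Identity weights stand in for a trained model (assumption); only the aggregation matters here.
IDENTITY = [[1.0 if i == j else 0.0 for j in range(3)] for i in range(3)]

METRICS = {"correlation": correlation_distance, "cosine": cosine_distance, "canberra": canberra_distance}


def run_toy_attack0():
    """AUC of Attack-0 on the toy graph for each distance metric."""
    z = gcn_posteriors(normalized_adjacency(N, EDGES), X, IDENTITY, IDENTITY)
    dataset = build_attack_dataset(N, EDGES, seed=0)
    return {name: attack0_auc(z, dataset, fn) for name, fn in METRICS.items()}


if __name__ == "__main__":
    for name, value in run_toy_attack0().items():
        print(f"Attack-0 AUC with {name} distance: {value:.3f}")
```

On this toy graph every linked pair, including the bridge (2,3) whose endpoints sit in different clusters, ends up with a smaller posterior distance than every unlinked pair, so all three metrics reach an AUC of 1.0; the point of the example is the mechanism (propagation through Â pulls linked nodes' posteriors together), not the number, which real datasets with learned weights and many classes do not reach, as Figure 1 shows.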

Attack-1. In this attack, the adversary can leverage a shadow dataset. In particular, for each dataset, we use one of the remaining datasets as the shadow dataset to perform the attack. Table 7 summarizes the results. The diagonal is left blank because we do not use the target dataset itself as its shadow dataset. As we can see from Table 7, the AUC scores from the best performing shadow dataset show a consistent improvement over Attack-0 on almost all datasets. One exception is the COX2 dataset, where the AUC score decreases by 0.02. The results indicate that the adversary can indeed transfer knowledge from the shadow dataset to enhance her attack.

An interesting finding is that for a chemical dataset, the best shadow dataset is normally a chemical dataset as well. Similar results can be observed for citation datasets. This shows that it is more effective to transfer knowledge across datasets from the same domain. To better understand this, we extract the attack model's last hidden layer's output (32-dimensional) for positive node pairs and negative node pairs and project them into a 2-dimensional space using t-Distributed Stochastic Neighbor Embedding (t-SNE) [74]. Figure 3(a) shows the results for Citeseer when using Cora as the shadow dataset, both of which are citation datasets. We can see that the positive (negative) node pairs from both the target dataset and the shadow dataset cluster in similar positions, which indicates that the positive (negative) node pairs from both datasets have similar distributions. This means that if the attack model learns a decision boundary separating positive node pairs from negative node pairs on the shadow dataset, this decision boundary carries over to the target dataset as well.

In contrast, Figure 3(b) shows the results for ENZYMES (a chemical dataset) when using Cora (a citation dataset) as the shadow dataset. We see that the positive (negative) node pairs from the shadow dataset and the target dataset are distributed differently in the 2-dimensional space. For example, the positive node pairs for Cora cluster in the outer ring of the circular region whereas the positive node pairs for ENZYMES cluster in its interior. Therefore, it is hard for the adversary to perform an effective transferring attack. The underlying reason is that graphs from the same domain have analogous graph structures and similar features, which leads to less information loss for our transferring attack.

Figure 4: Average AUC for Attack-2 on all the 8 datasets with all the 4 types of information considered. The x-axis represents the dataset and the y-axis represents the AUC score.

Attack-2. In Attack-2, the adversary knows the target dataset's nodes' attributes. As discussed in Section 4, she trains a reference model herself on these attributes. We compare the four types of information mentioned in Section 4; the results are shown in Figure 4. It is worth noting that we only show the results calculated with Correlation distance out of the 8 distance metrics (Table 4), since Correlation distance achieves the best performance in almost all settings. We can see that on all chemical datasets and one citation dataset, using the distance between the target dataset's nodes' attributes leads to the best performance. For the other two citation datasets, using the distance between posteriors of the target model performs better. Node attributes have a higher dimension in citation datasets than in chemical datasets, as shown in Table 6, and they are also sparser: we observe that most attribute values are 0 in citation datasets. Therefore, we conclude that the attack performs better using the Correlation distance between posteriors of the target model when the target dataset's nodes' attributes are high-dimensional.

Attack-3. Table 8 shows the results for this attack. With knowledge of the target dataset's partial graph, the average AUC score is above 0.93 on seven of the eight datasets and 0.882 on ENZYMES. Compared to Attack-2, the AUC scores on chemical datasets improve by more than 10% and the AUC scores on citation datasets by more than 2% (Attack-2 already achieves relatively high AUC on citation datasets).

Compared to Attack-1 and Attack-2, Attack-3 achieves the best performance, which indicates that the target dataset's partial graph is the most important component for an adversary performing a link stealing attack. The reason is that the partial graph contains ground truth links of the target dataset, which can be directly exploited by the attack model.

Table 8: Average AUC ± standard deviation for Attack-3 on all the 8 datasets.

Dataset | AUC | Dataset | AUC
---|---|---|---
AIDS | 0.961 ± 0.001 | PROTEINS_full | 0.958 ± 0.000
COX2 | 0.939 ± 0.002 | Citeseer | 0.973 ± 0.000
DHFR | 0.934 ± 0.001 | Cora | 0.954 ± 0.001
ENZYMES | 0.882 ± 0.001 | Pubmed | 0.947 ± 0.001
Table 9: Average AUC ± standard deviation for Attack-4 on all the 8 datasets (rows: target dataset; columns: shadow dataset). The best result in each row is marked with *.

Target \ Shadow | AIDS | COX2 | DHFR | ENZYMES | PROTEINS_full | Citeseer | Cora | Pubmed
---|---|---|---|---|---|---|---|---
AIDS | - | 0.750 ± 0.009 | 0.763 ± 0.010 * | 0.733 ± 0.007 | 0.557 ± 0.009 | 0.729 ± 0.015 | 0.702 ± 0.010 | 0.673 ± 0.009
COX2 | 0.802 ± 0.031 | - | 0.866 ± 0.004 * | 0.782 ± 0.012 | 0.561 ± 0.030 | 0.860 ± 0.002 | 0.853 ± 0.004 | 0.767 ± 0.023
DHFR | 0.758 ± 0.022 | 0.812 ± 0.005 * | - | 0.662 ± 0.030 | 0.578 ± 0.067 | 0.799 ± 0.002 | 0.798 ± 0.009 | 0.736 ± 0.005
ENZYMES | 0.741 ± 0.010 * | 0.684 ± 0.024 | 0.670 ± 0.008 | - | 0.733 ± 0.019 | 0.624 ± 0.002 | 0.627 ± 0.014 | 0.691 ± 0.012
PROTEINS_full | 0.715 ± 0.009 | 0.802 ± 0.025 | 0.725 ± 0.041 | 0.863 ± 0.010 | - | 0.784 ± 0.031 | 0.815 ± 0.012 | 0.867 ± 0.003 *
Citeseer | 0.832 ± 0.078 | 0.940 ± 0.005 | 0.914 ± 0.007 | 0.879 ± 0.062 | 0.833 ± 0.088 | - | 0.967 ± 0.001 * | 0.955 ± 0.003
Cora | 0.572 ± 0.188 | 0.899 ± 0.003 | 0.887 ± 0.014 | 0.878 ± 0.045 | 0.738 ± 0.168 | 0.945 ± 0.001 * | - | 0.924 ± 0.005
Pubmed | 0.777 ± 0.056 | 0.893 ± 0.001 | 0.900 ± 0.006 | 0.866 ± 0.002 | 0.806 ± 0.042 | 0.907 ± 0.004 * | 0.902 ± 0.001 | -

Attack-4. Table 9 shows the results for Attack-4. First, compared to Attack-1, the overall performance of Attack-4 improves with the help of the target dataset's partial graph. This is reasonable since the partial graph contains some ground truth links from the target dataset. Second, we note that Attack-4 performs worse than Attack-3. Intuitively, the performance should be better, since Attack-4 has more background knowledge. The reason for the degradation is that, for Attack-4, we do not take the pairwise vector operations (Table 5) over posteriors as input: we want to learn information from both the target dataset and the shadow dataset, and need to eliminate the dimension mismatch issue between them (as discussed in Section 4). Moreover, the results also indicate that, compared to the shadow dataset, the target dataset's partial graph is more informative.

Attack-5. In Attack-5, the adversary knows the target dataset's nodes' attributes as well as a shadow dataset; the evaluation results are shown in Table 10. We observe that Attack-5 performs better than both Attack-1 (shadow dataset only) and Attack-2 (nodes' attributes only). This shows that the combination of the two can lead to better link stealing performance. Furthermore, we observe a similar trend as for Attack-1: the attack performs better if the shadow dataset comes from the same domain as the target dataset.

Table 10: Average AUC ± standard deviation for Attack-5 on all the 8 datasets (rows: target dataset; columns: shadow dataset). The best result in each row is marked with *.

Target \ Shadow | AIDS | COX2 | DHFR | ENZYMES | PROTEINS_full | Citeseer | Cora | Pubmed
---|---|---|---|---|---|---|---|---
AIDS | - | 0.841 ± 0.003 | 0.846 ± 0.009 | 0.795 ± 0.016 | 0.875 ± 0.002 * | 0.839 ± 0.006 | 0.793 ± 0.015 | 0.787 ± 0.008
COX2 | 0.832 ± 0.036 | - | 0.977 ± 0.002 * | 0.874 ± 0.020 | 0.946 ± 0.003 | 0.911 ± 0.004 | 0.908 ± 0.004 | 0.887 ± 0.004
DHFR | 0.840 ± 0.018 | 0.988 ± 0.001 * | - | 0.757 ± 0.032 | 0.970 ± 0.004 | 0.909 ± 0.010 | 0.911 ± 0.009 | 0.860 ± 0.004
ENZYMES | 0.639 ± 0.005 | 0.581 ± 0.010 | 0.587 ± 0.005 | - | 0.608 ± 0.001 | 0.685 ± 0.005 * | 0.674 ± 0.007 | 0.663 ± 0.002
PROTEINS_full | 0.948 ± 0.007 | 0.981 ± 0.004 * | 0.968 ± 0.014 | 0.818 ± 0.017 | - | 0.970 ± 0.002 | 0.876 ± 0.010 | 0.885 ± 0.003
Citeseer | 0.773 ± 0.048 | 0.666 ± 0.018 | 0.652 ± 0.020 | 0.860 ± 0.049 | 0.794 ± 0.009 | - | 0.969 ± 0.002 * | 0.967 ± 0.001
Cora | 0.743 ± 0.017 | 0.587 ± 0.012 | 0.568 ± 0.009 | 0.778 ± 0.052 | 0.686 ± 0.018 | 0.956 ± 0.001 * | - | 0.936 ± 0.002
Pubmed | 0.777 ± 0.030 | 0.661 ± 0.018 | 0.645 ± 0.008 | 0.786 ± 0.041 | 0.741 ± 0.008 | 0.938 ± 0.007 | 0.941 ± 0.007 * | -
Table 11: Average AUC ± standard deviation for Attack-7 on all the 8 datasets (rows: target dataset; columns: shadow dataset). The best result in each row is marked with *.

Target \ Shadow | AIDS | COX2 | DHFR | ENZYMES | PROTEINS_full | Citeseer | Cora | Pubmed
---|---|---|---|---|---|---|---|---
AIDS | - | 0.925 ± 0.001 * | 0.913 ± 0.005 | 0.784 ± 0.010 | 0.848 ± 0.010 | 0.538 ± 0.022 | 0.520 ± 0.011 | 0.849 ± 0.004
COX2 | 0.954 ± 0.007 | - | 0.982 ± 0.001 * | 0.874 ± 0.010 | 0.898 ± 0.030 | 0.947 ± 0.003 | 0.940 ± 0.007 | 0.875 ± 0.034
DHFR | 0.982 ± 0.002 | 0.992 ± 0.000 * | - | 0.871 ± 0.017 | 0.966 ± 0.008 | 0.933 ± 0.008 | 0.947 ± 0.012 | 0.937 ± 0.003
ENZYMES | 0.698 ± 0.007 * | 0.691 ± 0.008 | 0.671 ± 0.003 | - | 0.610 ± 0.001 | 0.657 ± 0.009 | 0.662 ± 0.006 | 0.677 ± 0.001
PROTEINS_full | 0.984 ± 0.002 | 0.962 ± 0.010 | 0.986 ± 0.002 | 0.993 ± 0.001 * | - | 0.840 ± 0.013 | 0.823 ± 0.006 | 0.987 ± 0.005
Citeseer | 0.816 ± 0.048 | 0.791 ± 0.033 | 0.702 ± 0.025 | 0.880 ± 0.057 | 0.902 ± 0.026 | - | 0.977 ± 0.000 * | 0.964 ± 0.000
Cora | 0.746 ± 0.068 | 0.680 ± 0.038 | 0.574 ± 0.038 | 0.888 ± 0.014 | 0.695 ± 0.100 | 0.960 ± 0.001 * | - | 0.935 ± 0.001
Pubmed | 0.807 ± 0.016 | 0.712 ± 0.025 | 0.710 ± 0.006 | 0.881 ± 0.009 | 0.739 ± 0.012 | 0.956 ± 0.001 * | 0.949 ± 0.001 | -
Table 12: Average AUC ± standard deviation for Attack-6 on all the 8 datasets.

Dataset | AUC | Dataset | AUC
---|---|---|---
AIDS | 0.979 ± 0.001 | PROTEINS_full | 0.999 ± 0.000
COX2 | 0.987 ± 0.001 | Citeseer | 0.981 ± 0.000
DHFR | 0.992 ± 0.001 | Cora | 0.964 ± 0.000
ENZYMES | 0.891 ± 0.001 | Pubmed | 0.970 ± 0.000

Attack-6. The results of Attack-6 on all datasets are shown in Table 12. We can see that for almost all datasets (except ENZYMES), the AUC scores are over 0.95, which means this attack achieves excellent performance (following the AUC interpretation scale at http://gim.unmc.edu/dxtests/roc3.htm). In particular, the AUC score is nearly 1 on PROTEINS_full. Moreover, Attack-6 consistently outperforms Attack-2. This further validates the effectiveness of the target dataset's partial graph in helping the adversary infer links. Another finding is that for chemical datasets, the target dataset's partial graph brings a larger improvement than for citation datasets. One possible explanation is that the nodes' attributes in chemical datasets contain less information (they are lower-dimensional), so the target dataset's partial graph contributes more to the final prediction performance.

Attack-7. The results of Attack-7 are summarized in Table 11. Compared to Attack-5, the overall performance improves with the help of the target dataset's partial graph. We would expect the adversary's performance to be better than that of Attack-6, since she has more background knowledge. However, we observe that the performance drops from Attack-6 to Attack-7. We suspect this is because Attack-7 must learn from both the target dataset and the shadow dataset and, to avoid the dimension mismatch problem, uses fewer features than Attack-6 (the same reason that Attack-4 performs worse than Attack-3).

Figure 5: The relationship between the ratio of attack training dataset in the attack dataset and the attacks’ AUC scores on all the 8 datasets. The x-axis represents the ratio and the y-axis represents the AUC score.
Figure 6: Average AUC with standard deviation for all the attacks on all the 8 datasets. For each attack, we list its best result. The x-axis represents the dataset and the y-axis represents the AUC score.

Comparison with Link Prediction. We further compare all our attacks with a traditional link prediction method [41]. More specifically, we build an MLP on features computed from the target dataset's partial graph, including Common neighbors, Jaccard index, and Preferential attachment (formal definitions can be found in Appendix A). As we can see from Figure 6, most of our attacks outperform the link prediction method. For instance, on the COX2 dataset, all 8 of our attacks outperform the link prediction model, and the best attack (Attack-6) achieves a performance gain of more than 20%. This demonstrates that GNNs lead to more severe privacy risks than traditional link prediction.
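The structure-only baseline described above, as an added example that is not the paper's code. It computes the three features from the adversary's partial graph, using the standard definitions of Common neighbors, Jaccard index and Preferential attachment (assumed here to match Appendix A), and enforces the split discipline of Section 5.1: features for attack testing pairs are computed only from attack training positives, because a held-out positive that is left in the graph leaks its own label through every one of these features. The graph and the train/test pairs are constructed; the MLP that the baseline trains on the features is not shown.

```python
"""Added example (not the paper's code): the structure-only link prediction baseline.
Common neighbors, Jaccard index and Preferential attachment use the standard
definitions, assumed to match the paper's Appendix A. Graph and pairs are constructed."""


def adjacency(known_links):
    """Adjacency sets of the partial graph, i.e. only the links the adversary knows."""
    adj = {}
    for u, v in known_links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def common_neighbors(adj, u, v):
    return len(adj.get(u, set()) & adj.get(v, set()))


def jaccard_index(adj, u, v):
    union = adj.get(u, set()) | adj.get(v, set())
    return len(adj.get(u, set()) & adj.get(v, set())) / len(union) if union else 0.0


def preferential_attachment(adj, u, v):
    return len(adj.get(u, set())) * len(adj.get(v, set()))


def link_features(adj, pair):
    """(CN, Jaccard, PA) for one node pair: the feature vector fed to the baseline MLP."""
    u, v = pair
    return (common_neighbors(adj, u, v), jaccard_index(adj, u, v), preferential_attachment(adj, u, v))


def featurize_test_pairs(train_pairs, test_pairs):
    """Features of attack-testing pairs, computed from attack-training positives only.
    A held-out positive pair must not be an edge of the graph the features come from,
    otherwise its label leaks into CN/Jaccard/PA; the check below enforces that."""
    known = {tuple(sorted(p)) for p, label in train_pairs if label == 1}
    for pair, _ in test_pairs:
        if tuple(sorted(pair)) in known:
            raise ValueError(f"test pair {pair} is an edge of the partial graph (label leakage)")
    adj = adjacency(known)
    return {pair: link_features(adj, pair) for pair, _ in test_pairs}


# Constructed toy graph with edges (0,1),(0,2),(1,2),(1,3),(2,3),(3,4); the adversary's
# partial graph is the positive half of TRAIN_PAIRS, the remaining pairs are held out.
TRAIN_PAIRS = [((0, 1), 1), ((0, 2), 1), ((1, 3), 1), ((2, 3), 1), ((1, 4), 0), ((2, 4), 0)]
TEST_PAIRS = [((1, 2), 1), ((3, 4), 1), ((0, 3), 0), ((0, 4), 0)]

if __name__ == "__main__":
    for pair, (cn, jac, pa) in featurize_test_pairs(TRAIN_PAIRS, TEST_PAIRS).items():
        print(f"{pair}: CN={cn} Jaccard={jac:.2f} PA={pa}")
```

On the toy graph the linked pair (1,2) and the unlinked pair (0,3) receive identical features (CN 2, Jaccard 1.0, PA 4), so a model that sees only the partial graph cannot separate them, whereas the attacks above additionally see the target model's posteriors for each node; this illustrates the kind of case behind the gap in Figure 6.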

Attack Robustness. The previous experiments are based on the setting where we evenly split the attack dataset into an attack training dataset and an attack testing dataset. However, we want to know whether our attacks still work with different amounts of training data. To this end, we vary the ratio of attack training data from 10% to 90% of the attack dataset and evaluate all attacks' AUC scores on the same held-out 10% of the dataset. The results are depicted in Figure 5. First, for Attack-0 and Attack-2, the AUC scores stay the same across ratios of attack training data, since they only compute the Correlation distance over the attack testing data. Second, for Attack-3 and Attack-6, where the adversary uses the target dataset's partial graph to train the attack model, the AUC scores are stable with a small increase. This demonstrates that only a small fraction of the target dataset's graph is enough to conduct high-performing attacks. For the transferring attacks, i.e., Attack-1, Attack-4, Attack-5, and Attack-7, although their AUC fluctuates more than that of the other attacks as the amount of attack training data varies, their overall performance is still relatively high.

5.3 Summary of Results

In summary, we have made the following observations from our experimental results.

  • Our attacks can effectively steal links from GNNs. For instance, Attack-6 achieves average AUC scores over 0.95 on 7 out of 8 datasets, which demonstrates that GNNs are vulnerable to our attacks.

  • Generally speaking, the attack performs better with more background knowledge, as shown in Figure 6. However, the impact of the different kinds of knowledge differs. In particular, the target dataset's partial graph is the most informative. For instance, Attack-3 significantly outperforms Attack-1 and Attack-2.

  • Our transferring attacks achieve good performance. Furthermore, we find that a transferring attack performs better when the shadow dataset and the target dataset are from the same domain, as validated by the experimental results for Attack-1 and Attack-5.

6 Related Work

Membership Inference. In membership inference attacks [66, 62, 43, 46, 81, 29, 47, 68, 8], the adversary aims to infer whether a data sample is in the target model's training dataset or not. Shokri et al. [66] propose the first membership inference attacks against ML models and demonstrate their relationship with model overfitting. Salem et al. [62] further show that membership inference attacks are broadly applicable at low cost by relaxing assumptions on the adversary. To mitigate the attacks, many empirical defenses [66, 62, 46, 34] have been proposed. For instance, Nasr et al. [46] propose to mitigate attacks by formulating the defense as a min-max optimization problem that tries to decrease the accuracy loss and increase membership privacy. Salem et al. [62] explore dropout and model stacking to mitigate membership inference attacks. More recently, Jia et al. [34] leverage adversarial examples to fool the adversary and show that their defense has a formal utility guarantee. Other work in this space studies membership inference in natural language processing models [67], generative models [29, 10], federated learning [45], and biomedical and location data [27, 55, 56].

Model Inversion. In model inversion attacks [22, 21, 54, 45], the adversary aims to learn sensitive attributes of the training data from target models. For example, Fredrikson et al. [22] propose a model inversion attack in which the adversary can infer a patient's genetic markers given the model and some demographic information about the patient. Fredrikson et al. [21] further explore model inversion attacks on decision trees and neural networks by exploiting the confidence scores revealed along with predictions. Melis et al. [45] reveal that in collaborative learning, when the target model is updated with new training data, the adversary can infer sensitive attributes of the new training data.

Model Extraction. In model extraction attacks [1, 72, 73, 9, 76, 84, 33], the adversary aims to steal the parameters of a target model or to mimic its behavior. Tramèr et al. [72] show that an adversary can exactly recover the target model's parameters by solving equations for certain models, e.g., linear models. Wang and Gong [76] propose attacks to steal hyperparameters and show that their attacks are broadly applicable to a variety of machine learning algorithms, e.g., ridge regression and SVM. Orekondy et al. [48] propose a functionality stealing attack aimed at mimicking the behavior of the target model. Concretely, they query the target model and use the query-prediction pairs to train a "knockoff" model. Jagielski et al. [33] improve the query efficiency of learning-based model extraction attacks and develop a practical functionally-equivalent extraction attack that recovers a model whose predictions are identical to the target model's on all inputs, by recovering its weights directly rather than training them. Some defenses [36, 49] have been proposed against model extraction attacks. For instance, Juuti et al. [36] propose to detect malicious queries by analyzing the distribution of consecutive API queries and raising an alarm when that distribution differs from the one of benign queries. Orekondy et al. [49] propose a utility-constrained defense against neural network model stealing attacks that adds perturbations to the output of the target model.

Adversarial Attacks on Graph Neural Networks. Several recent studies [89, 5, 15, 90, 78, 77] show that GNNs are vulnerable to adversarial attacks. In particular, the adversary can fool GNNs by manipulating the graph structure and/or node features. For instance, Zügner et al. [89] introduce adversarial attacks on attributed graphs that target both the training and the testing phase. Their attacks perturb both node features and graph structure and show that node classification accuracy drops after a few perturbations. Bojchevski and Günnemann [5] analyze the vulnerability of node embeddings to graph structure perturbation by solving a bi-level optimization problem based on eigenvalue perturbation theory. Zügner and Günnemann [90] investigate training-time attacks on GNNs for node classification by treating the graph as a hyperparameter to optimize. Wang and Gong [77] propose an attack that evades collective-classification-based classifiers by perturbing the graph structure, which also transfers to GNNs. Dai et al. [15] propose to fool GNNs by manipulating the combinatorial structure of the data and try to learn a generalizable attack policy via reinforcement learning. These studies differ from our work, since we aim to steal links from GNNs.

To mitigate these attacks, many defenses [6, 88, 78, 91] have been proposed. For instance, Zhu et al. [88] propose to enhance the robustness of GCNs by using Gaussian distributions in graph convolutional layers to mitigate the effects of adversarial attacks, and leverage an attention mechanism to impede the propagation of attacks. Zügner and Günnemann [91] propose a learning principle that improves the robustness of GNNs and show provable robustness guarantees against perturbation of nodes' attributes. Bojchevski and Günnemann [6] propose to certify robustness against graph structure perturbation for a general class of models, e.g., GNNs, by exploiting connections to PageRank and Markov decision processes. These defenses are designed to improve the robustness of GNNs rather than to prevent their privacy leakage.

We note that there are also attacks and defenses on graphs that focus on non-GNN models [11, 35]. For instance, Chen et al. [11] propose attacks that mislead graph-based clustering algorithms and show some practical defenses. Jia et al. [35] propose a certified defense based on randomized smoothing against adversarial structural attacks on community detection.

7 Conclusion

Much real-world data can be organized in the form of graphs. In recent years, graph neural networks have been proposed to leverage such rich graph data for building powerful applications. Classical ML models have been shown to be vulnerable to various security and privacy attacks. However, whether GNNs exhibit similar risks has been left largely unexplored.

In this paper, we propose the first link stealing attacks against GNNs. More specifically, the adversary aims at inferring whether there is a link between two nodes from a trained GNN. We characterize three types of knowledge an adversary can have, namely the target dataset's nodes' attributes, the target dataset's partial graph, and a shadow dataset. By jointly considering them, we define 8 types of link stealing attacks and propose novel methods to realize them. Extensive evaluation over 8 real-world datasets shows that our attacks achieve strong performance. Moreover, we make multiple interesting observations, such as that the target dataset's partial graph is the most informative component. For our transferring attacks, a shadow dataset from the same domain as the target dataset leads to better attack performance. We hope that our results can shed light on the security and privacy risks stemming from graph neural networks.

References

  • [1] I. M. Alabdulmohsin, X. Gao, and X. Zhang (2014) Adding Robustness to Support Vector Machines Against Adversarial Reverse Engineering. In ACM International Conference on Information and Knowledge Management (CIKM), pp. 231–240. Cited by: §6.
  • [2] J. Atwood and D. Towsley (2016) Diffusion-Convolutional Neural Networks. In Annual Conference on Neural Information Processing Systems (NIPS), pp. 1993–2001. Cited by: §2.
  • [3] M. Backes, M. Humbert, J. Pang, and Y. Zhang (2017) walk2friends: Inferring Social Links from Mobility Profiles. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1943–1957. Cited by: §4.1, §5.1, §5.1.
  • [4] D. Bahdanau, K. Cho, and Y. Bengio (2015) Neural Machine Translation by Jointly Learning to Align and Translate. In International Conference on Learning Representations (ICLR), Cited by: §1.
  • [5] A. Bojchevski and S. Günnemann (2019) Adversarial Attacks on Node Embeddings via Graph Poisoning. In International Conference on Machine Learning (ICML), pp. 695–704. Cited by: §6, §6.
  • [6] A. Bojchevski and S. Günnemann (2019) Certifiable Robustness to Graph Perturbations. In Annual Conference on Neural Information Processing Systems (NIPS), pp. 8317–8328. Cited by: §6.
  • [7] K. M. Borgwardt, C. S. Ong, S. Schönauer, S. V. N. Vishwanathan, A. J. Smola, and H. Kriegel (2005) Protein Function Prediction via Graph Kernels. Bioinformatics. Cited by: §5.1.
  • [8] N. Carlini, C. Liu, Ú. Erlingsson, J. Kos, and D. Song (2019) The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks. In USENIX Security Symposium (USENIX Security), pp. 267–284. Cited by: §6.
  • [9] V. Chandrasekaran, K. Chaudhuri, I. Giacomelli, S. Jha, and S. Yan (2018) Model Extraction and Active Learning. Note: CoRR abs/1811.02054 Cited by: §6.
  • [10] D. Chen, N. Yu, Y. Zhang, and M. Fritz (2019) GAN-Leaks: A Taxonomy of Membership Inference Attacks against GANs. Note: CoRR abs/1909.03935 Cited by: §6.
  • [11] Y. Chen, Y. Nadji, A. Kountouras, F. Monrose, R. Perdisci, M. Antonakakis, and N. Vasiloglou (2017) Practical Attacks Against Graph-based Clustering. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1125–1142. Cited by: §6.
  • [12] Y. Chen, S. Wang, D. She, and S. Jana (2020) On Training Robust PDF Malware Classifiers. In USENIX Security Symposium (USENIX Security), Cited by: §1.
  • [13] J. Cheng, L. Adamic, P. A. Dow, J. Kleinberg, and J. Leskovec (2014) Can Cascades be Predicted?. In International Conference on World Wide Web (WWW), pp. 925–936. Cited by: §1.
  • [14] D. J. Crandall, L. Backstrom, D. Cosley, S. Suri, D. Huttenlocher, and J. Kleinberg (2010) Inferring Social Ties from Geographic Coincidences. Proceedings of the National Academy of Sciences. Cited by: §1.
  • [15] H. Dai, H. Li, T. Tian, X. Huang, L. Wang, J. Zhu, and L. Song (2018) Adversarial Attack on Graph Structured Data. In International Conference on Machine Learning (ICML), pp. 1123–1132. Cited by: §6.
  • [16] M. Defferrard, X. Bresson, and P. Vandergheynst (2016) Convolutional Neural Networks on Graphs with Fast Localized Spectral Filtering. In Annual Conference on Neural Information Processing Systems (NIPS), pp. 3837–3845. Cited by: §2.
  • [17] P. D. Dobson and A. J. Doig (2003) Distinguishing Enzyme Structures from Non-Enzymes without Alignments. Journal of Molecular Biology. Cited by: §5.1.
  • [18] V. P. Dwivedi, C. K. Joshi, T. Laurent, Y. Bengio, and X. Bresson (2020) Benchmarking Graph Neural Networks. Note: CoRR abs/2003.00982 Cited by: §5.1.
  • [19] F. Errica, M. Podda, D. Bacciu, and A. Micheli (2020) A Fair Comparison of Graph Neural Networks for Graph Classification. In International Conference on Learning Representations (ICLR), Cited by: §1, §5.1.
  • [20] W. Fan, Y. Ma, Q. Li, Y. He, Y. E. Zhao, J. Tang, and D. Yin (2019) Graph Neural Networks for Social Recommendation. In The Web Conference (WWW), pp. 417–426. Cited by: §1.
  • [21] M. Fredrikson, S. Jha, and T. Ristenpart (2015) Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1322–1333. Cited by: §1, §6.
  • [22] M. Fredrikson, E. Lantz, S. Jha, S. Lin, D. Page, and T. Ristenpart (2014) Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing. In USENIX Security Symposium (USENIX Security), pp. 17–32. Cited by: §1, §4.1, §5.1, §6.
  • [23] J. Gilmer, S. S. Schoenholz, P. F. Riley, O. Vinyals, and G. E. Dahl (2017) Neural Message Passing for Quantum Chemistry. In International Conference on Machine Learning (ICML), pp. 1263–1272. Cited by: §1.
  • [24] I. Goodfellow, J. Shlens, and C. Szegedy (2015) Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations (ICLR), Cited by: §1.
  • [25] A. Grover and J. Leskovec (2016) node2vec: Scalable Feature Learning for Networks. In ACM Conference on Knowledge Discovery and Data Mining (KDD), pp. 855–864. Cited by: §4.1, Table 5, §5.1.
  • [26] W. Guo, D. Mu, J. Xu, P. Su, G. Wang, and X. Xing (2018) LEMNA: Explaining Deep Learning based Security Applications. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 364–379. Cited by: §1.
  • [27] I. Hagestedt, Y. Zhang, M. Humbert, P. Berrang, H. Tang, X. Wang, and M. Backes (2019) MBeacon: Privacy-Preserving Beacons for DNA Methylation Data. In Network and Distributed System Security Symposium (NDSS), Cited by: §4.1, §5.1, §6.
  • [28] W. L. Hamilton, Z. Ying, and J. Leskovec (2017) Inductive Representation Learning on Large Graphs. In Annual Conference on Neural Information Processing Systems (NIPS), pp. 1025–1035. Cited by: §1.
  • [29] J. Hayes, L. Melis, G. Danezis, and E. D. Cristofaro (2019) LOGAN: Evaluating Privacy Leakage of Generative Models Using Generative Adversarial Networks. Proceedings on Privacy Enhancing Technologies. Cited by: §6.
  • [30] K. He, X. Zhang, S. Ren, and J. Sun (2016) Deep Residual Learning for Image Recognition. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 770–778. Cited by: §1.
  • [31] X. He, H. Zhang, M. Kan, and T. Chua (2016) Fast Matrix Factorization for Online Recommendation with Implicit Feedback. In International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR), pp. 549–558. Cited by: §1.
  • [32] W. Hu, B. Liu, J. Gomes, M. Zitnik, P. Liang, V. Pande, and J. Leskovec (2020) Strategies for Pre-training Graph Neural Networks. In International Conference on Learning Representations (ICLR), Cited by: §1.
  • [33] M. Jagielski, N. Carlini, D. Berthelot, A. Kurakin, and N. Papernot (2020) High Accuracy and High Fidelity Extraction of Neural Networks. In USENIX Security Symposium (USENIX Security), Cited by: §1, §6.
  • [34] J. Jia, A. Salem, M. Backes, Y. Zhang, and N. Z. Gong (2019) MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 259–274. Cited by: §1, §4.1, §4.1, §5.1, §6.
  • [35] J. Jia, B. Wang, X. Cao, and N. Z. Gong (2020) Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing. In The Web Conference (WWW), Cited by: §6.
  • [36] M. Juuti, S. Szyller, S. Marchal, and N. Asokan (2019) PRADA: Protecting Against DNN Model Stealing Attacks. In IEEE European Symposium on Security and Privacy (Euro S&P), pp. 512–527. Cited by: §6.
  • [37] T. N. Kipf and M. Welling (2017) Semi-Supervised Classification with Graph Convolutional Networks. In International Conference on Learning Representations (ICLR), Cited by: §1.1, §1, §2, §2, §5.1.
  • [38] A. Krizhevsky, I. Sutskever, and G. E. Hinton (2012) ImageNet Classification with Deep Convolutional Neural Networks. In Annual Conference on Neural Information Processing Systems (NIPS), pp. 1106–1114. Cited by: §1.
  • [39] K. Leino and M. Fredrikson (2019) Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference. Note: CoRR abs/1906.11798 Cited by: §1.
  • [40] Z. Li, C. Hu, Y. Zhang, and S. Guo (2019) How to Prove Your Model Belongs to You: A Blind-Watermark based Framework to Protect Intellectual Property of DNN. In Annual Computer Security Applications Conference (ACSAC), Cited by: §1.
  • [41] D. Liben-Nowell and J. Kleinberg (2007) The Link-prediction Problem for Social Networks. Journal of the American Society for Information Science and Technology. Cited by: §5.2.
  • [42] X. Ling, S. Ji, J. Zou, J. Wang, C. Wu, B. Li, and T. Wang (2019) DEEPSEC: A Uniform Platform for Security Analysis of Deep Learning Model. In IEEE Symposium on Security and Privacy (S&P), pp. 673–690. Cited by: §1.
  • [43] Y. Long, V. Bindschaedler, L. Wang, D. Bu, X. Wang, H. Tang, C. A. Gunter, and K. Chen (2018) Understanding Membership Inferences on Well-Generalized Learning Models. Note: CoRR abs/1802.04889 Cited by: §6.
  • [44] J. McAuley and J. Leskovec (2012) Learning to Discover Social Circles in Ego Networks. In Annual Conference on Neural Information Processing Systems (NIPS), pp. 539–547. Cited by: §1.
  • [45] L. Melis, C. Song, E. D. Cristofaro, and V. Shmatikov (2019) Exploiting Unintended Feature Leakage in Collaborative Learning. In IEEE Symposium on Security and Privacy (S&P), Cited by: §6, §6.
  • [46] M. Nasr, R. Shokri, and A. Houmansadr (2018) Machine Learning with Membership Privacy using Adversarial Regularization. In ACM SIGSAC Conference on Computer and Communications Security (CCS), Cited by: §1, §4.1, §6.
  • [47] M. Nasr, R. Shokri, and A. Houmansadr (2019) Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning. In IEEE Symposium on Security and Privacy (S&P), Cited by: §1, §6.
  • [48] T. Orekondy, B. Schiele, and M. Fritz (2019) Knockoff Nets: Stealing Functionality of Black-Box Models. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Cited by: §6.
  • [49] T. Orekondy, B. Schiele, and M. Fritz (2020) Prediction Poisoning: Towards Defenses Against DNN Model Stealing Attacks. In International Conference on Learning Representations (ICLR), Cited by: §6.
  • [50] J. Pang and Y. Zhang (2015) Location Prediction: Communities Speak Louder than Friends. In ACM Conference on Online Social Networks (COSN), pp. 161–171. Cited by: §1.
  • [51] J. Pang and Y. Zhang (2017) DeepCity: A Feature Learning Framework for Mining Location Check-Ins. In International Conference on Weblogs and Social Media (ICWSM), pp. 652–655. Cited by: §5.1.
  • [52] J. Pang and Y. Zhang (2017) Quantifying Location Sociality. In ACM Conference on Hypertext and Social Media (HT), pp. 145–154. Cited by: §5.1.
  • [53] N. Papernot, P. D. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and A. Swami (2017) Practical Black-Box Attacks Against Machine Learning. In ACM Asia Conference on Computer and Communications Security (ASIACCS), pp. 506–519. Cited by: §1.
  • [54] N. Papernot, P. McDaniel, A. Sinha, and M. Wellman (2018) SoK: Towards the Science of Security and Privacy in Machine Learning. In IEEE European Symposium on Security and Privacy (Euro S&P), Cited by: §6.
  • [55] A. Pyrgelis, C. Troncoso, and E. D. Cristofaro (2018) Knock Knock, Who’s There? Membership Inference on Aggregate Location Data. In Network and Distributed System Security Symposium (NDSS), Cited by: §4.1, §5.1, §6.
  • [56] A. Pyrgelis, C. Troncoso, and E. D. Cristofaro (2019) Under the Hood of Membership Inference Attacks on Aggregate Location Time-Series. Note: CoRR abs/1902.07456 Cited by: §6.
  • [57] J. Qiu, J. Tang, H. Ma, Y. Dong, K. Wang, and J. Tang (2018) DeepInf: Social Influence Prediction with Deep Learning. In ACM Conference on Knowledge Discovery and Data Mining (KDD), pp. 2110–2119. Cited by: §1.
  • [58] E. Quiring, A. Maier, and K. Rieck (2019) Misleading Authorship Attribution of Source Code using Adversarial Learning. In USENIX Security Symposium (USENIX Security), pp. 479–496. Cited by: §1.
  • [59] K. Riesen and H. Bunke (2008) Structural, Syntactic, and Statistical Pattern Recognition. Springer. Cited by: §5.1.
  • [60] D. M. Romero, B. Meeder, and J. Kleinberg (2011) Differences in the Mechanics of Information Diffusion Across Topics: Idioms, Political Hashtags, and Complex Contagion on Twitter. In International Conference on World Wide Web (WWW), pp. 695–704. Cited by: §1.
  • [61] A. Salem, A. Bhattacharya, M. Backes, M. Fritz, and Y. Zhang (2020) Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning. In USENIX Security Symposium (USENIX Security), Cited by: §3.1.
  • [62] A. Salem, Y. Zhang, M. Humbert, P. Berrang, M. Fritz, and M. Backes (2019) ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models. In Network and Distributed System Security Symposium (NDSS), Cited by: §1, §3.1, §4.1, §5.1, §5.1, §6.
  • [63] L. Schild, C. Ling, J. Blackburn, G. Stringhini, Y. Zhang, and S. Zannettou (2020) “Go eat a bat, Chang!”: An Early Look on the Emergence of Sinophobic Behavior on Web Communities in the Face of COVID-19. Note: CoRR abs/2004.04046 Cited by: §1.
  • [64] A. Shafahi, W. R. Huang, M. Najibi, O. Suciu, C. Studer, T. Dumitras, and T. Goldstein (2018) Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. In Annual Conference on Neural Information Processing Systems (NIPS), pp. 6103–6113. Cited by: §1.
  • [65] D. She, Y. Chen, A. Shah, B. Ray, and S. Jana (2019) Neutaint: Efficient Dynamic Taint Analysis with Neural Networks. In IEEE Symposium on Security and Privacy (S&P), Cited by: §1.
  • [66] R. Shokri, M. Stronati, C. Song, and V. Shmatikov (2017) Membership Inference Attacks Against Machine Learning Models. In IEEE Symposium on Security and Privacy (S&P), pp. 3–18. Cited by: §1, §3.1, §6.
  • [67] C. Song and V. Shmatikov (2019) Auditing Data Provenance in Text-Generation Models. In ACM Conference on Knowledge Discovery and Data Mining (KDD), pp. 196–206. Cited by: §6.
  • [68] C. Song and R. Shokri (2020) Robust Membership Encoding: Inference Attacks and Copyright Protection for Deep Learning. Note: CoRR abs/1909.12982 Cited by: §6.
  • [69] J. Sutherland, L. O’Brien, and D. Weaver (2003) Spline-Fitting with a Genetic Algorithm: A Method for Developing Classification Structure-Activity Relationships. Journal of Chemical Information and Computer Sciences. Cited by: §5.1.
  • [70] I. Sutskever, O. Vinyals, and Q. V. Le (2014) Sequence to Sequence Learning with Neural Networks. In Annual Conference on Neural Information Processing Systems (NIPS), pp. 3104–3112. Cited by: §1.
  • [71] W. Torng and R. B. Altman (2019) Graph Convolutional Neural Networks for Predicting Drug-Target Interactions. Journal of Chemical Information and Modeling. Cited by: §1.
  • [72] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart (2016) Stealing Machine Learning Models via Prediction APIs. In USENIX Security Symposium (USENIX Security), pp. 601–618. Cited by: §1, §6.
  • [73] Y. Uchida, Y. Nagai, S. Sakazawa, and S. Satoh (2017) Embedding Watermarks into Deep Neural Networks. In International Conference on Multimedia Retrieval (ICMR), pp. 269–277. Cited by: §6.
  • [74] L. van der Maaten and G. Hinton (2008) Visualizing Data using t-SNE. Journal of Machine Learning Research. Cited by: §5.2.
  • [75] P. Velickovic, G. Cucurull, A. Casanova, A. Romero, P. Liò, and Y. Bengio (2018) Graph Attention Networks. In International Conference on Learning Representations (ICLR), Cited by: §1, §2, §5.1.
  • [76] B. Wang and N. Z. Gong (2018) Stealing Hyperparameters in Machine Learning. In IEEE Symposium on Security and Privacy (S&P), Cited by: §6.
  • [77] B. Wang and N. Z. Gong (2019) Attacking Graph-based Classification via Manipulating the Graph Structure. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 2023–2040. Cited by: §6.
  • [78] H. Wu, C. Wang, Y. Tyshetskiy, A. Docherty, K. Lu, and L. Zhu (2019) Adversarial Examples for Graph Data: Deep Insights into Attack and Defense. In International Joint Conference on Artificial Intelligence (IJCAI), pp. 4816–4823. Cited by: §6, §6.
  • [79] L. Wu, P. Sun, Y. Fu, R. Hong, X. Wang, and M. Wang (2019) A Neural Influence Diffusion Model for Social Recommendation. In International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR), pp. 235–244. Cited by: §1.
  • [80] K. Xu, W. Hu, J. Leskovec, and S. Jegelka (2019) How Powerful are Graph Neural Networks? In International Conference on Learning Representations (ICLR), Cited by: §1, §1, §5.1.
  • [81] S. Yeom, I. Giacomelli, M. Fredrikson, and S. Jha (2018) Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting. In IEEE Computer Security Foundations Symposium (CSF), Cited by: §6.
  • [82] S. Zannettou, T. Caulfield, J. Blackburn, E. D. Cristofaro, M. Sirivianos, G. Stringhini, and G. Suarez-Tangil (2018) On the Origins of Memes by Means of Fringe Web Communities. In ACM Internet Measurement Conference (IMC), pp. 188–202. Cited by: §1.
  • [83] S. Zannettou, J. Finkelstein, B. Bradlyn, and J. Blackburn (2020) A Quantitative Approach to Understanding Online Antisemitism. In International Conference on Weblogs and Social Media (ICWSM), Cited by: §1.
  • [84] J. Zhang, Z. Gu, J. Jang, H. Wu, M. Ph. Stoecklin, H. Huang, and I. Molloy (2018) Protecting Intellectual Property of Deep Neural Networks with Watermarking. In ACM Asia Conference on Computer and Communications Security (ASIACCS), pp. 159–172. Cited by: §6.
  • [85] Y. Zhang, M. Humbert, T. Rahman, C. Li, J. Pang, and M. Backes (2018) Tagvisor: A Privacy Advisor for Sharing Hashtags. In The Web Conference (WWW), pp. 287–296. Cited by: §1.
  • [86] Y. Zhang, M. Humbert, B. Surma, P. Manoharan, J. Vreeken, and M. Backes (2020) Towards Plausible Graph Anonymization. In Network and Distributed System Security Symposium (NDSS), Cited by: §4.1, §5.1.
  • [87] Y. Zhang (2019) Language in Our Time: An Empirical Analysis of Hashtags. In The Web Conference (WWW), pp. 2378–2389. Cited by: §1, §5.1.
  • [88] D. Zhu, Z. Zhang, P. Cui, and W. Zhu (2019) Robust Graph Convolutional Networks Against Adversarial Attacks. In ACM Conference on Knowledge Discovery and Data Mining (KDD), pp. 1399–1407. Cited by: §6.
  • [89] D. Zügner, A. Akbarnejad, and S. Günnemann (2018) Adversarial Attacks on Neural Networks for Graph Data. In ACM Conference on Knowledge Discovery and Data Mining (KDD), pp. 2847–2856. Cited by: §6.
  • [90] D. Zügner and S. Günnemann (2019) Adversarial Attacks on Graph Neural Networks via Meta Learning. In International Conference on Learning Representations (ICLR), Cited by: §6.
  • [91] D. Zügner and S. Günnemann (2019) Certifiable Robustness and Robust Training for Graph Convolutional Networks. In ACM Conference on Knowledge Discovery and Data Mining (KDD), pp. 246–256. Cited by: §6.

Appendix A Appendix

The formal definitions of Common neighbor, Jaccard index, and Preferential attachment for a pair of nodes are as follows. Each is computed from the set of neighbors of a node in the target dataset’s partial graph, i.e., only the edges the adversary already knows.

  • Common neighbor.

  • Jaccard index.

  • Preferential attachment.
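The three heuristics above are the classical link-prediction scores [41], and in the paper’s threat model the adversary computes them over the partial graph it already knows. The following is an added example, not code from the paper: it applies the standard textbook definitions (|N(u) ∩ N(v)| for common neighbors, |N(u) ∩ N(v)| / |N(u) ∪ N(v)| for the Jaccard index, |N(u)| · |N(v)| for preferential attachment), which are assumed to match the appendix’s formulas, to a small constructed partial graph and ranks the unobserved node pairs by them. The edge list, node names and the choice of Jaccard as the primary ranking key are illustrative assumptions.

```python
from itertools import combinations

# Constructed toy partial graph (undirected edge list). This is illustrative
# input, not one of the paper's datasets: it stands for the edges the
# adversary already knows about the target graph.
PARTIAL_EDGES = [
    ("a", "b"), ("a", "c"), ("b", "c"),
    ("c", "d"), ("d", "e"), ("e", "f"),
]


def neighbor_sets(edges):
    """Build N(v) for every node v from an undirected edge list."""
    nbrs = {}
    for u, v in edges:
        nbrs.setdefault(u, set()).add(v)
        nbrs.setdefault(v, set()).add(u)
    return nbrs


def common_neighbor(nbrs, u, v):
    """|N(u) ∩ N(v)|: number of shared neighbors in the partial graph."""
    return len(nbrs.get(u, set()) & nbrs.get(v, set()))


def jaccard_index(nbrs, u, v):
    """|N(u) ∩ N(v)| / |N(u) ∪ N(v)|; defined as 0 when both nodes are isolated."""
    nu, nv = nbrs.get(u, set()), nbrs.get(v, set())
    union = nu | nv
    if not union:
        return 0.0
    return len(nu & nv) / len(union)


def preferential_attachment(nbrs, u, v):
    """|N(u)| * |N(v)|: high-degree pairs are more likely to be linked."""
    return len(nbrs.get(u, set())) * len(nbrs.get(v, set()))


def link_features(nbrs, u, v):
    """The three heuristics for one node pair, as an attack feature vector."""
    return {
        "common_neighbor": common_neighbor(nbrs, u, v),
        "jaccard": jaccard_index(nbrs, u, v),
        "preferential_attachment": preferential_attachment(nbrs, u, v),
    }


def rank_candidate_links(edges):
    """Score every node pair NOT in the partial graph and rank it as a link
    candidate. Ordering by Jaccard first, then common neighbors, then
    preferential attachment is an illustrative choice; the paper combines
    such features with posterior-based ones in a learned attack model."""
    nbrs = neighbor_sets(edges)
    known = {frozenset(e) for e in edges}
    ranked = []
    for u, v in combinations(sorted(nbrs), 2):
        if frozenset((u, v)) in known:
            continue  # the adversary already knows this edge exists
        feats = link_features(nbrs, u, v)
        ranked.append((u, v, feats))
    ranked.sort(
        key=lambda t: (
            t[2]["jaccard"],
            t[2]["common_neighbor"],
            t[2]["preferential_attachment"],
        ),
        reverse=True,
    )
    return ranked


if __name__ == "__main__":
    for u, v, feats in rank_candidate_links(PARTIAL_EDGES):
        print(f"({u},{v}) CN={feats['common_neighbor']} "
              f"J={feats['jaccard']:.2f} PA={feats['preferential_attachment']}")
```

The example makes the appendix’s point concrete: pairs that share a neighbor in the partial graph (here d and f, both adjacent to e) score far above pairs with disjoint neighborhoods, which is exactly the structural signal the link stealing attacks exploit when partial graph knowledge is available.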