Graph Transductive Defense: a Two-Stage Defense for Graph Membership Inference Attacks

TL;DR

The paper tackles privacy risks of membership inference attacks on graph neural networks operating in graph transductive learning. It introduces Graph Transductive Defense (GTD), a two-stage training method with a flattening strategy and a train–test alternate schedule that reduces overfitting-induced leakage while preserving or improving task utility. Empirical results across synthetic and real-world graphs show GTD lowers attack AUROC by approximately 9.4 percentage points on average and outperforms LBP and DMP, with robust results across diverse GNN backbones. The work provides actionable defense design for transductive graph learning and sheds light on how graph topology influences MIA susceptibility.

Abstract

Graph neural networks (GNNs) have become instrumental in diverse real-world applications, offering powerful graph learning capabilities for tasks such as social networks and medical data analysis. Despite their successes, GNNs are vulnerable to adversarial attacks, including membership inference attacks (MIA), which threaten privacy by identifying whether a record was part of the model's training data. While existing research has explored MIA in GNNs under graph inductive learning settings, the more common and challenging graph transductive learning setting remains understudied in this context. This paper addresses this gap and proposes an effective two-stage defense, Graph Transductive Defense (GTD), tailored to graph transductive learning characteristics. The gist of our approach is a combination of a train-test alternate training schedule and flattening strategy, which successfully reduces the difference between the training and testing loss distributions. Extensive empirical results demonstrate the superior performance of our method (a decrease in attack AUROC by $9.42\%$ and an increase in utility performance by $18.08\%$ on average compared to LBP), highlighting its potential for seamless integration into various classification models with minimal overhead.

Figures (8)

• Figure 1: (a) The train and test loss of GCN on Cora dataset, with normal ($200$ epochs) and two-stage training ($400$ epochs) schedule. The difference between train and test loss after two-stage training is significantly smaller than normal training. (b) A diagram of the two-stage training schedule. The key idea is to use the predicted labels of test nodes from the first stage (blue) as psudolabels and switch the training and testing set in the second stage (yellow). More details are included in Section \ref{['sec:method']}. (c)(d) Sample-wise loss distribution for train (member) and test (non-member) nodes with normal and two-stage training schedule on Cora and Chameleon dataset, respectively. The divergence between train and test loss distribution for two-stage training schedule is smaller than normal training one.
• Figure 2: Comparison of average training loss and testing loss on Cora for (a) normal training, (b) two-stage training (GTD). In (b), the left half of the orange dashed line indicates the first training stage of our method, while the one on the right indicates the second stage.
• Figure 3: Loss distribution histograms for (a) normal training on Cora, (b) two-stage training (GTD) on Cora, (c) normal training on Chameleon, and (d) two-stage training (GTD) on Chameleon.
• Figure 4: The difference of Attack AUROC between hard and weak setting (i.e., hard - weak). Different legends correspond to different train/test split ratios.
• Figure 5: The Process of Membership Inference Attack in graph transductive setting. The shadow GNN model generates attack trainset for training the attack model. Attackers then query the trained attack model with posteriors obtained from the target model (target predictions) to infer membership.