Prompt-based Unifying Inference Attack on Graph Neural Networks
Yuecen Wei, Xingcheng Fu, Lingyun Liu, Qingyun Sun, Hao Peng, Chunming Hu
TL;DR
The paper addresses privacy risks in graph neural networks by introducing ProIA, a prompt-based unifying inference attack framework. ProIA preserves graph topology during pre-training, generates attack-prompts from the pre-trained model, and employs a disentanglement mechanism to adapt to both attribute and membership inference tasks. Through local/global subgraph information, information bottleneck constraints, and contrastive learning, ProIA yields stronger IA performance and robustness against defenses across several real-world datasets. This framework advances privacy-attacking capabilities on graphs and provides guidance on potential vulnerabilities in graph pre-training pipelines with practical implications for security and privacy in GNN deployments.
Abstract
Graph neural networks (GNNs) provide important prospective insights in applications such as social behavior analysis and financial risk analysis based on their powerful learning capabilities on graph data. Nevertheless, GNNs' predictive performance relies on the quality of task-specific node labels, so it is common practice to improve the model's generalization ability in the downstream execution of decision-making tasks through pre-training. Graph prompting is a prudent choice but risky without taking measures to prevent data leakage. In other words, in high-risk decision scenarios, prompt learning can infer private information by accessing model parameters trained on private data (publishing model parameters in pre-training, i.e., without directly leaking the raw data, is a tacitly accepted trend). However, myriad graph inference attacks necessitate tailored module design and processing to enhance inference capabilities due to variations in supervision signals. In this paper, we propose a novel Prompt-based unifying Inference Attack framework on GNNs, named ProIA. Specifically, ProIA retains the crucial topological information of the graph during pre-training, enhancing the background knowledge of the inference attack model. It then utilizes a unified prompt and introduces additional disentanglement factors in downstream attacks to adapt to task-relevant knowledge. Finally, extensive experiments show that ProIA enhances attack capabilities and demonstrates remarkable adaptability to various inference attacks.