
Graph in the Vault: Protecting Edge GNN Inference with Trusted Execution Environment

Ruyi Ding, Tianhong Xu, Aidong Adam Ding, Yunsi Fei

TL;DR

GNNVault addresses model-IP and graph-edge privacy risks in edge GNN inference by partitioning the model into a public backbone, trained on a substitute graph, and a private rectifier, trained on the real adjacency, with the rectifier and the real edge data kept inside a TEE. The approach offers three rectifier designs (parallel, cascaded, series) and enforces one-way data flow from the untrusted backbone into the enclave to prevent leakage, achieving accuracy close to an unprotected GNN while significantly reducing edge leakage, as validated by Intel SGX-based experiments against link-stealing attacks. Key contributions include the first secure edge GNN deployment tailored to TEEs, multiple rectifier designs under memory-conscious enclave constraints, and extensive software and real-world evaluations. The work demonstrates practical privacy-preserving GNN inference on edge devices, protecting both private graph data and model IP with acceptable overhead and a security analysis of the deployment.

Abstract

Wide deployment of machine learning models on edge devices has rendered the model intellectual property (IP) and data privacy vulnerable. We propose GNNVault, the first secure Graph Neural Network (GNN) deployment strategy based on Trusted Execution Environment (TEE). GNNVault follows the design of 'partition-before-training' and includes a private GNN rectifier to complement a public backbone model. This way, both critical GNN model parameters and the private graph used during inference are protected within secure TEE compartments. Real-world implementations with Intel SGX demonstrate that GNNVault safeguards GNN inference against state-of-the-art link stealing attacks with negligible accuracy degradation (<2%).

Paper Structure

This paper contains 26 sections, 2 equations, 6 figures, 4 tables.

Figures (6)

  • Figure 1: Motivation Example: Alice (victim) builds a graph of products and trains a GNN RS. She deploys both edge data and RS on local devices. Bob (attacker) accesses this device and steals the edge data and model parameters.
  • Figure 2: Overview of GNNVault. GNNVault can be summarized into four steps: 1. generate a substitute graph based on the similarity between the node features; 2. train the GNN backbone with the substitute adjacency matrix; 3. freeze the backbone and train the secure recalibration rectifier using real adjacency information; 4. deploy the backbone and substitute graph in untrusted environments (in brown) and deploy the real graph and rectifiers on enclaves (in green).
  • Figure 3: Backbone and GNN Rectifier Designs: (a). Public GNN backbone; (b). Parallel rectifier; (c). Cascaded rectifier; (d) Series rectifier.
  • Figure 4: Visualization of the node embeddings. We visualize the embedding latent space for parallel GNNVault on Cora dataset using the same structure for the original GNN, backbone and rectifier as $\mathcal{M}_2$. The line chart shows the Silhouette Score of the clustering performance (the higher the better).
  • Figure 5: Impact of hyperparameters of different substitute graphs
  • ...and 1 more figure
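As an added example, not code from the paper or its authors: a toy, pure-Python model of the four deployment steps in the Figure 2 caption and of the one-way data flow described in the TL;DR. Every specific here is an assumption made for illustration. The substitute graph is a k-nearest-neighbour graph on cosine similarity of node features (the paper says only "based on the similarity between the node features"); the backbone and the rectifier are each one untrained GCN propagation step; the enclave is stood in for by a closure, so that only the rectified output crosses the trust boundary, where the paper relies on SGX enclave memory isolation. The constructed private edges deliberately do not follow feature similarity, so an attacker who holds only the public artifacts (features, substitute graph, backbone) and guesses the substitute edges recovers none of the real ones; on a real homophilous graph the overlap, and hence the residual leakage, is what the paper's link-stealing experiments measure.

```python
import math

# Constructed toy data (not from the paper): 6 nodes with 2-dim features.
# The private edges are chosen NOT to follow feature similarity, which is the
# worst case for an attacker who only ever sees the public side.
FEATURES = [[1.0, 0.1], [0.9, 0.2], [0.1, 1.0], [0.2, 0.9], [0.5, 0.5], [0.6, 0.4]]
REAL_EDGES = {(0, 2), (1, 3), (0, 4), (2, 5)}  # private: lives only inside the enclave


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def substitute_edges(features, k=1):
    """Step 1 (assumed variant): public substitute graph = k most feature-similar
    neighbours per node, stored as undirected (min, max) pairs."""
    edges = set()
    for i, fi in enumerate(features):
        sims = sorted(((cosine(fi, fj), j) for j, fj in enumerate(features) if j != i),
                      reverse=True)
        for _, j in sims[:k]:
            edges.add((min(i, j), max(i, j)))
    return edges


def normalized_adjacency(edges, n):
    """GCN-style D^-1/2 (A + I) D^-1/2 as a dense list of lists."""
    a = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for i, j in edges:
        a[i][j] = a[j][i] = 1.0
    d = [sum(row) for row in a]
    return [[a[i][j] / math.sqrt(d[i] * d[j]) for j in range(n)] for i in range(n)]


def propagate(a_hat, x):
    """One message-passing step: A_hat @ X (no learned weights in this toy)."""
    return [[sum(a_hat[i][k] * x[k][c] for k in range(len(x))) for c in range(len(x[0]))]
            for i in range(len(a_hat))]


def public_backbone(features, sub_edges):
    """Step 2 (untrusted world): the backbone sees only features + substitute graph."""
    return propagate(normalized_adjacency(sub_edges, len(features)), features)


def make_enclave(real_edges, n):
    """Steps 3/4 stand-in for the TEE: the real adjacency is captured in a closure and
    only the rectified output crosses the boundary (one-way data flow).
    The paper isolates this with SGX enclave memory; here it is only scoping."""
    a_real = normalized_adjacency(real_edges, n)

    def rectify(backbone_embedding):
        out = propagate(a_real, backbone_embedding)
        return [row[:] for row in out]  # return copies; no reference to a_real escapes

    return rectify


def link_stealing_precision(guessed_edges, real_edges):
    """Fraction of an attacker's guessed edges that are real private edges."""
    if not guessed_edges:
        return 0.0
    return len(guessed_edges & real_edges) / len(guessed_edges)


def deploy_and_infer(features=FEATURES, real_edges=REAL_EDGES, k=1):
    """Run the whole pipeline and report what a public-side attacker could recover
    by guessing that the substitute edges are the real ones."""
    n = len(features)
    sub = substitute_edges(features, k)      # public artifact
    h = public_backbone(features, sub)       # public artifact
    rectify = make_enclave(real_edges, n)    # private; real graph never leaves
    out = rectify(h)                         # only this crosses the trust boundary
    return {
        "substitute_edges": sub,
        "output": out,
        "attacker_precision": link_stealing_precision(sub, real_edges),
    }


if __name__ == "__main__":
    result = deploy_and_infer()
    print("public substitute edges:", sorted(result["substitute_edges"]))
    print("attacker precision from public view:", result["attacker_precision"])
```

The point of the closure is the boundary, not the arithmetic: everything the untrusted host can read (`FEATURES`, the substitute edges, the backbone embedding) is derivable without the real graph, and the only value returned from the enclave side is the rectified embedding. Any real deployment must additionally check that the rectifier output itself does not encode the adjacency, which is exactly what the paper's link-stealing evaluation probes.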