All Your Knowledge Belongs to Us: Stealing Knowledge Graphs via Reasoning APIs

TL;DR

This paper addresses the privacy risks of knowledge graph reasoning (KGR) APIs by introducing KGX, a black-box attack that reconstructs the relational structure of a private sub-KG under limited query budgets, even when responses related to the private sub-KG are filtered. KGX operates via an iterative loop of adaptive path-query generation and knowledge consolidation, bootstrapping from a public surrogate and balancing exploration and exploitation to maximize information gain. Across CyberKG, UMLS, YAGO, and Google KG, KGX achieves high precision (≈0.80+) and substantial recall (≈0.64+) with modest graph edit distance, illustrating practical leakage of private sub-KG structure. The work also discusses countermeasures and their trade-offs, highlighting the need for privacy-aware KGR design and defense strategies beyond simple filtering to mitigate leakage in real-world deployments.

Abstract

Knowledge graph reasoning (KGR), which answers complex, logical queries over large knowledge graphs (KGs), represents an important artificial intelligence task with a range of applications. Many KGs require extensive domain expertise and engineering effort to build and are hence considered proprietary within organizations and enterprises. Yet, spurred by their commercial and research potential, there is a growing trend to make KGR systems, (partially) built upon private KGs, publicly available through reasoning APIs. The inherent tension between maintaining the confidentiality of KGs while ensuring the accessibility to KGR systems motivates our study of KG extraction attacks: the adversary aims to "steal" the private segments of the backend KG, leveraging solely black-box access to the KGR API. Specifically, we present KGX, an attack that extracts confidential sub-KGs with high fidelity under limited query budgets. At a high level, KGX progressively and adaptively queries the KGR API and integrates the query responses to reconstruct the private sub-KG. This extraction remains viable even if any query responses related to the private sub-KG are filtered. We validate the efficacy of KGX against both experimental and real-world KGR APIs. Interestingly, we find that typical countermeasures (e.g., injecting noise into query responses) are often ineffective against KGX. Our findings suggest the need for a more principled approach to developing and deploying KGR systems, as well as devising new defenses against KG extraction attacks.

Figures (19)

• Figure 1: Illustration of KGR in cyber-threat querying.
• Figure 2: An example of query results using Google KG's API.
• Figure 3: KGR performance on different KGs with and without ${\mathcal{G}}_\mathrm{prv}$, measured by metrics (a) HIT@$5$ and (b) MRR.
• Figure 4: Sample KG with private sub-KG: (a) target KG ${\mathcal{G}}$ (private sub-KG ${\mathcal{G}}_\mathrm{prv}$ in red); (b) extracted sub-KG ${\mathcal{G}}^*_\mathrm{prv}$ (in red).
• Figure 5: Overview of Kgx attack.