An Out-Of-Distribution Membership Inference Attack Approach for Cross-Domain Graph Attacks

TL;DR

This work tackles privacy leakage in Graph Neural Networks under cross-domain data shifts, where attackers lack identically distributed auxiliary data. It proposes GOOD-MIA, a two-phase framework that trains a shadow GNN on multi-domain augmentations using invariant learning and graph information bottleneck to distill task-relevant, domain-invariant signals, followed by risk extrapolation to generalize the attack across unseen domains. The approach combines invariant risk minimization, graph bottlenecking, and variance-based extrapolation to enable robust membership inference across domains, and demonstrates superior cross-domain attack performance on multiple real-world datasets. The findings underscore practical privacy risks for graph models when data come from diverse distributions and highlight the need for robust defenses against domain-adaptive MIAs.

Abstract

Graph Neural Network-based methods face privacy leakage risks due to the introduction of topological structures about the targets, which allows attackers to bypass the target's prior knowledge of the sensitive attributes and realize membership inference attacks (MIA) by observing and analyzing the topology distribution. As privacy concerns grow, the assumption of MIA, which presumes that attackers can obtain an auxiliary dataset with the same distribution, is increasingly deviating from reality. In this paper, we categorize the distribution diversity issue in real-world MIA scenarios as an Out-Of-Distribution (OOD) problem, and propose a novel Graph OOD Membership Inference Attack (GOOD-MIA) to achieve cross-domain graph attacks. Specifically, we construct shadow subgraphs with distributions from different domains to model the diversity of real-world data. We then explore the stable node representations that remain unchanged under external influences and consider eliminating redundant information from confounding environments and extracting task-relevant key information to more clearly distinguish between the characteristics of training data and unseen data. This OOD-based design makes cross-domain graph attacks possible. Finally, we perform risk extrapolation to optimize the attack's domain adaptability during attack inference to generalize the attack to other domains. Experimental results demonstrate that GOOD-MIA achieves superior attack performance in datasets designed for multiple domains.

Figures (4)

• Figure 1: Traditional MIA (Trad-MIA) vs GOOD-MIA.
• Figure 2: Framework of GOOD-MIA. (1) The input graph is augmented to construct $M$ training environments. Then, a GNN is employed to learn node representations across different environments via Invariant Risk Minimization and Graph Information Bottleneck, aiming to capture the features and structural information in graph data that can be utilized for cross-domain attacks. Next, (2) the output posteriors of the shadow model are used to construct the attack training set, and variance risk extrapolation is employed to enable the attack model to conduct cross-domain attacks.
• Figure 3: Trade-off parameter $\alpha$ analysis.
• Figure 4: Different numbers of neurons are used in the hidden layer of the shadow model for the MIA.