Safeguarding Graph Neural Networks against Topology Inference Attacks
Jie Fu, Yuan Hong, Zhili Chen, Wendy Hui Wang
TL;DR
The paper identifies topology privacy as a critical risk for GNNs and shows that existing edge-level differential privacy defenses are insufficient against topology leakage. It introduces Topology Inference Attacks (M-TIA, C-TIA, I-TIA) that reconstruct a target graph’s structure using only black-box GNN outputs, and demonstrates substantial leakage, especially under I-TIA. To counter this, it proposes Private Graph Reconstruction (PGR), a bi-level optimization framework that synthesizes a disjoint graph $\hat{G}$ and trains a GNN $\hat{f}$ on it, with meta-gradient guidance ensuring comparable utility to training on the original graph. The approach is extended with DP-PGR to provide edge-DP guarantees, and extensive experiments across multiple datasets and models show that PGR significantly reduces topology leakage with minimal accuracy loss, while DP-PGR preserves utility and improves privacy when combined with existing edge-DP methods.
Abstract
Graph Neural Networks (GNNs) have emerged as powerful models for learning from graph-structured data. However, their widespread adoption has raised serious privacy concerns. While prior research has primarily focused on edge-level privacy, a critical yet underexplored threat lies in topology privacy - the confidentiality of the graph's overall structure. In this work, we present a comprehensive study on topology privacy risks in GNNs, revealing their vulnerability to graph-level inference attacks. To this end, we propose a suite of Topology Inference Attacks (TIAs) that can reconstruct the structure of a target training graph using only black-box access to a GNN model. Our findings show that GNNs are highly susceptible to these attacks, and that existing edge-level differential privacy mechanisms are insufficient as they either fail to mitigate the risk or severely compromise model accuracy. To address this challenge, we introduce Private Graph Reconstruction (PGR), a novel defense framework designed to protect topology privacy while maintaining model accuracy. PGR is formulated as a bi-level optimization problem, where a synthetic training graph is iteratively generated using meta-gradients, and the GNN model is concurrently updated based on the evolving graph. Extensive experiments demonstrate that PGR significantly reduces topology leakage with minimal impact on model accuracy. Our code is available at https://github.com/JeffffffFu/PGR.
