Table of Contents
Fetching ...

Inference Attacks Against Graph Generative Diffusion Models

Xiuling Wang, Xin Huang, Guibo Luo, Jianliang Xu

TL;DR

This work investigates privacy risks in graph generative diffusion models (GGDMs) by introducing three black-box inference attacks: graph reconstruction, property inference, and membership inference. It develops attack pipelines in black-box settings using shadow graphs, graph alignment (REGAL), and Anonymous Walk Embeddings to extract training-data information from generated graphs, and evaluates them on six real-world graph datasets across three GGDMs, achieving high effectiveness (e.g., F1 up to 0.99 and AUC up to 0.999). The authors also propose two defense mechanisms that perturb training or generated graphs by flipping the least important edges, yielding strong privacy protection with minimal degradation in graph utility. The study highlights tangible privacy vulnerabilities in GGDMs and offers practical, evaluation-supported defenses with open-science release of code and datasets.

Abstract

Graph generative diffusion models have recently emerged as a powerful paradigm for generating complex graph structures, effectively capturing intricate dependencies and relationships within graph data. However, the privacy risks associated with these models remain largely unexplored. In this paper, we investigate information leakage in such models through three types of black-box inference attacks. First, we design a graph reconstruction attack, which can reconstruct graphs structurally similar to those training graphs from the generated graphs. Second, we propose a property inference attack to infer the properties of the training graphs, such as the average graph density and the distribution of densities, from the generated graphs. Third, we develop two membership inference attacks to determine whether a given graph is present in the training set. Extensive experiments on three different types of graph generative diffusion models and six real-world graphs demonstrate the effectiveness of these attacks, significantly outperforming the baseline approaches. Finally, we propose two defense mechanisms that mitigate these inference attacks and achieve a better trade-off between defense strength and target model utility than existing methods. Our code is available at https://zenodo.org/records/17946102.

Inference Attacks Against Graph Generative Diffusion Models

TL;DR

This work investigates privacy risks in graph generative diffusion models (GGDMs) by introducing three black-box inference attacks: graph reconstruction, property inference, and membership inference. It develops attack pipelines in black-box settings using shadow graphs, graph alignment (REGAL), and Anonymous Walk Embeddings to extract training-data information from generated graphs, and evaluates them on six real-world graph datasets across three GGDMs, achieving high effectiveness (e.g., F1 up to 0.99 and AUC up to 0.999). The authors also propose two defense mechanisms that perturb training or generated graphs by flipping the least important edges, yielding strong privacy protection with minimal degradation in graph utility. The study highlights tangible privacy vulnerabilities in GGDMs and offers practical, evaluation-supported defenses with open-science release of code and datasets.

Abstract

Graph generative diffusion models have recently emerged as a powerful paradigm for generating complex graph structures, effectively capturing intricate dependencies and relationships within graph data. However, the privacy risks associated with these models remain largely unexplored. In this paper, we investigate information leakage in such models through three types of black-box inference attacks. First, we design a graph reconstruction attack, which can reconstruct graphs structurally similar to those training graphs from the generated graphs. Second, we propose a property inference attack to infer the properties of the training graphs, such as the average graph density and the distribution of densities, from the generated graphs. Third, we develop two membership inference attacks to determine whether a given graph is present in the training set. Extensive experiments on three different types of graph generative diffusion models and six real-world graphs demonstrate the effectiveness of these attacks, significantly outperforming the baseline approaches. Finally, we propose two defense mechanisms that mitigate these inference attacks and achieve a better trade-off between defense strength and target model utility than existing methods. Our code is available at https://zenodo.org/records/17946102.
Paper Structure (33 sections, 15 equations, 9 figures, 7 tables, 4 algorithms)

This paper contains 33 sections, 15 equations, 9 figures, 7 tables, 4 algorithms.

Figures (9)

  • Figure 1: Inference attacks against graph generative diffusion models. The attacker inputs a set of shadow graphs into the target graph generative diffusion model $\Phi$ or directly executes $\Phi$ through an API or online marketplaces to obtain a large number of synthetic graphs $\hat{G}$, aiming to infer the sensitive information about the training data of $\Phi$. In this paper, we investigate three types of inference attacks: (1) reconstructing the graph structures in $\Phi^{\text{train}}$; (2) inferring the properties of $\Phi^{\text{train}}$, such as the graph density of $\Phi^{\text{train}}$; and (3) determining the membership of a given target graph.
  • Figure 2: Overview of graph reconstruction.
  • Figure 3: Overview of property inference attack.
  • Figure 4: Overview of membership inference attack.
  • Figure 5: Performance of PIA - the distribution of training graphs in different degree and density ranges. Figure (a) - (c) shows results for graph density, and Figure (d) - (f) for graph degree ($k=5$, IMDB-B dataset).
  • ...and 4 more figures