Inference Attacks Against Graph Generative Diffusion Models
Xiuling Wang, Xin Huang, Guibo Luo, Jianliang Xu
TL;DR
This work investigates privacy risks in graph generative diffusion models (GGDMs) by introducing three black-box inference attacks: graph reconstruction, property inference, and membership inference. It develops attack pipelines in black-box settings using shadow graphs, graph alignment (REGAL), and Anonymous Walk Embeddings to extract training-data information from generated graphs, and evaluates them on six real-world graph datasets across three GGDMs, achieving high effectiveness (e.g., F1 up to 0.99 and AUC up to 0.999). The authors also propose two defense mechanisms that perturb training or generated graphs by flipping the least important edges, yielding strong privacy protection with minimal degradation in graph utility. The study highlights tangible privacy vulnerabilities in GGDMs and offers practical, evaluation-supported defenses with open-science release of code and datasets.
Abstract
Graph generative diffusion models have recently emerged as a powerful paradigm for generating complex graph structures, effectively capturing intricate dependencies and relationships within graph data. However, the privacy risks associated with these models remain largely unexplored. In this paper, we investigate information leakage in such models through three types of black-box inference attacks. First, we design a graph reconstruction attack, which can reconstruct graphs structurally similar to those training graphs from the generated graphs. Second, we propose a property inference attack to infer the properties of the training graphs, such as the average graph density and the distribution of densities, from the generated graphs. Third, we develop two membership inference attacks to determine whether a given graph is present in the training set. Extensive experiments on three different types of graph generative diffusion models and six real-world graphs demonstrate the effectiveness of these attacks, significantly outperforming the baseline approaches. Finally, we propose two defense mechanisms that mitigate these inference attacks and achieve a better trade-off between defense strength and target model utility than existing methods. Our code is available at https://zenodo.org/records/17946102.
