Taipan: A Query-free Transfer-based Multiple Sensitive Attribute Inference Attack Solely from Publicly Released Graphs
Ying Song, Balaji Palanisamy
TL;DR
This work identifies an intrinsic privacy risk in publicly released graphs: multiple sensitive attributes can be inferred without querying victim models. It introduces Taipan, a query-free transfer-based attack framework for G-MSAIAs that uses Hierarchical Attack Knowledge Routing and Prompt-guided Attack Prototype Refinement to transfer knowledge from an auxiliary graph to a target graph. The authors propose a systematic evaluation framework with confidence, correctness, and semantics metrics, and demonstrate Taipan’s effectiveness across same-distribution and heterogeneous OOD settings, including under strong privacy protections. The findings highlight urgent needs for robust multi-attribute privacy-preserving graph publishing and guide policy discussions on data sharing and protection practices.
Abstract
Graph-structured data underpin a wide spectrum of modern applications. However, complex graph topologies and homophilic patterns can facilitate attribute inference attacks (AIAs) by enabling sensitive information leakage to propagate across local neighborhoods. Existing AIAs predominantly assume that adversaries can probe sensitive attributes through repeated model queries. Such assumptions are often impractical in real-world settings due to stringent data protection regulations, prohibitive query budgets, and heightened detection risks, especially when inferring multiple sensitive attributes. More critically, this model-centric perspective obscures a pervasive blind spot: \textbf{intrinsic multiple sensitive information leakage arising solely from publicly released graphs.} To exploit this unexplored vulnerability, we introduce a new attack paradigm and propose \textbf{Taipan, the first query-free transfer-based attack framework for multiple sensitive attribute inference attacks on graphs (G-MSAIAs).} Taipan integrates \emph{Hierarchical Attack Knowledge Routing} to capture intricate inter-attribute correlations, and \emph{Prompt-guided Attack Prototype Refinement} to mitigate negative transfer and performance degradation. We further present a systematic evaluation framework tailored to G-MSAIAs. Extensive experiments on diverse real-world graph datasets demonstrate that Taipan consistently achieves strong attack performance across same-distribution settings and heterogeneous similar- and out-of-distribution settings with mismatched feature dimensionalities, and remains effective even under rigorous differential privacy guarantees. Our findings underscore the urgent need for more robust multi-attribute privacy-preserving graph publishing methods and data-sharing practices.