Graph-Level Label-Only Membership Inference Attack Against Graph Neural Networks

Graph-Level Label-Only Membership Inference Attack Against Graph Neural Networks

Graph neural networks (GNNs) are widely used for graph-structured data. However, GNNs are vulnerable to membership inference attacks (MIAs) in graph classification tasks, which determine whether a graph was in the training set, risking the leakage of sensitive data. Existing MIAs rely on prediction...

Full description

Saved in:
Bibliographic Details
Main Authors: Jiazhu Dai, Yubing Lu
Format: Article
Language:English
Published: MDPI AG 2025-05-01
Series:Applied Sciences
Subjects:
graph neural networks
membership inference attack
graph classification
Online Access:https://www.mdpi.com/2076-3417/15/9/5086
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Graph neural networks (GNNs) are widely used for graph-structured data. However, GNNs are vulnerable to membership inference attacks (MIAs) in graph classification tasks, which determine whether a graph was in the training set, risking the leakage of sensitive data. Existing MIAs rely on prediction probability vectors, but they become ineffective when only prediction labels are available. We propose a <b>G</b>raph-level <b>L</b>abel-<b>O</b>nly <b>M</b>embership <b>I</b>nference <b>A</b>ttack (GLO-MIA), which is based on the intuition that the target model’s predictions on training data are more stable than those on testing data. GLO-MIA generates a set of perturbed graphs for the target graph by adding perturbations to its effective features and queries the target model with the perturbed graphs to obtain their prediction labels, which are then used to calculate the robustness score of the target graph. Finally, by comparing the robustness score with a predefined threshold, the membership of the target graph can be inferred correctly with high probability. Experimental evaluations on three datasets and four GNN models demonstrate that GLO-MIA achieves an attack accuracy of up to 0.825, outperforming baseline work by 8.5% and closely matching the performance of probability-based MIAs, even with only prediction labels.
ISSN:2076-3417

Similar Items