Does Black-box Attribute Inference Attacks on Graph Neural Networks Constitute Privacy Risk?
This work addresses privacy concerns for users of graph-structured data in domains like healthcare and finance, but it is incremental as it builds on known vulnerabilities like membership inference attacks.
The paper investigates whether black-box attribute inference attacks pose a significant privacy risk for graph neural networks (GNNs), finding that GNNs generally do not reveal significantly more sensitive information compared to missing value estimation techniques.
Graph neural networks (GNNs) have shown promising results on real-life datasets and applications, including healthcare, finance, and education. However, recent studies have shown that GNNs are highly vulnerable to attacks such as membership inference attack and link reconstruction attack. Surprisingly, attribute inference attacks has received little attention. In this paper, we initiate the first investigation into attribute inference attack where an attacker aims to infer the sensitive user attributes based on her public or non-sensitive attributes. We ask the question whether black-box attribute inference attack constitutes a significant privacy risk for graph-structured data and their corresponding GNN model. We take a systematic approach to launch the attacks by varying the adversarial knowledge and assumptions. Our findings reveal that when an attacker has black-box access to the target model, GNNs generally do not reveal significantly more information compared to missing value estimation techniques. Code is available.