Unlearning Inversion Attacks for Graph Neural Networks
This exposes a critical privacy vulnerability in current graph unlearning methods, which is a problem for users relying on these methods for data deletion in sensitive applications.
The paper tackles the problem of privacy vulnerabilities in graph unlearning methods for Graph Neural Networks (GNNs) by introducing an inversion attack that reconstructs removed edges, and it shows that TrendAttack outperforms state-of-the-art baselines on four real-world datasets.
Graph unlearning methods aim to efficiently remove the impact of sensitive data from trained GNNs without full retraining, assuming that deleted information cannot be recovered. In this work, we challenge this assumption by introducing the graph unlearning inversion attack: given only black-box access to an unlearned GNN and partial graph knowledge, can an adversary reconstruct the removed edges? We identify two key challenges: varying probability-similarity thresholds for unlearned versus retained edges, and the difficulty of locating unlearned edge endpoints, and address them with TrendAttack. First, we derive and exploit the confidence pitfall, a theoretical and empirical pattern showing that nodes adjacent to unlearned edges exhibit a large drop in model confidence. Second, we design an adaptive prediction mechanism that applies different similarity thresholds to unlearned and other membership edges. Our framework flexibly integrates existing membership inference techniques and extends them with trend features. Experiments on four real-world datasets demonstrate that TrendAttack significantly outperforms state-of-the-art GNN membership inference baselines, exposing a critical privacy vulnerability in current graph unlearning methods.