Graph auto-encoder with a personalized PageRank for model inversion attack on graph neural networks

Model inversion attack is the well-known privacy attack, in which the attacker infers the sensitive information of the input data by analyzing the output results of the model. Recently, due to the strength of Graph Neural Networks (GNNs), many tasks based on GNNs extract features from graph-structured data that may contain sensitive information, leading to serious privacy concerns. Therefore, an increasing number of studies have paid attention to the research of model inversion attack on GNNs, achieving success to some extent. While existing methods have made progress by considering graph similarity and leveraging graph auto-encoders to capture neighborhood information, there remains potential for further enhancement in two key aspects. First, the strategy for minimizing the discrepancy between the generated adversarial sample and the original sample can be refined to achieve higher attack performance. Second, the effectiveness of aggregating feature information from deeper-level neighboring nodes requires improvement to enable more powerful modeling of graph-structured data. To bridge this gap, this article proposes a model inversion attack on graph neural networks, named GMIA, to deduce the training graph data. Specifically, GMIA mainly consists of two core components: a projected gradient descent module with graph structure loss and a graph auto-encoder module with Personalized PageRank. Specifically, the projected gradient descent module with graph structure loss is designed to address discreteness of the graph structure, and improve the similarity between the generated adversarial sample and the original sample by adding the graph structure loss. The graph auto-encoder module with Personalized PageRank is designed to capture more complex node features and graph structure for more elaborate graph optimization post-processing operations, by using Approximation Personalized Propagation of Neural Prediction (APPNP) encoder. Experimental results on three public datasets demonstrate that GMIA yields significant performance advantages over state-of-the-art attack methods.