Graph neural networks can be reverse-engineered to expose the private data they were trained on — and two new attack methods make that easier than previously shown.
Researchers introduced a pair of model inversion attacks targeting GNNs: one that conditions graph reconstruction on target model predictions, and another that uses intermediate model representations. Both approaches use a generator-discriminator technique — the same adversarial framework behind image-generating AI — to reconstruct graphs from three real-world benchmark datasets. Tests across four structural similarity metrics showed the attacks recover high-quality graphs even when the attacker has no direct access to model internals, a setup called a black-box scenario. A stripped-down variant that cuts query volume in half still achieved comparable results.
GNNs handle data that doesn't fit neatly into rows and columns — molecular structures, social networks, fraud graphs — and are increasingly used in healthcare, finance, and drug discovery, where the training data is often sensitive. Prior inversion-attack research has focused heavily on image classifiers; this work extends the threat model to graph-structured data, where the stakes for exposure are arguably higher. The black-box framing matters because real deployed models rarely hand over their weights.
Differential privacy via Laplacian noise is the conventional defense, but the paper finds GNNs remain vulnerable across a range of noise scales — a reminder that adding noise is not the same as solving the problem.
