Security/ machine learning · privacy · graph neural networks · security

New Attacks Show GNNs Leak Sensitive Graph Data

Researchers demonstrate two reconstruction attacks that recover private training data from graph neural networks, even in black-box scenarios.

New Attacks Show GNNs Leak Sensitive Graph Data

Graph neural networks can be reverse-engineered to expose the private data they were trained on — and two new attack methods make that easier than previously shown.

Researchers introduced a pair of model inversion attacks targeting GNNs: one that conditions graph reconstruction on target model predictions, and another that uses intermediate model representations. Both approaches use a generator-discriminator technique — the same adversarial framework behind image-generating AI — to reconstruct graphs from three real-world benchmark datasets. Tests across four structural similarity metrics showed the attacks recover high-quality graphs even when the attacker has no direct access to model internals, a setup called a black-box scenario. A stripped-down variant that cuts query volume in half still achieved comparable results.

GNNs handle data that doesn't fit neatly into rows and columns — molecular structures, social networks, fraud graphs — and are increasingly used in healthcare, finance, and drug discovery, where the training data is often sensitive. Prior inversion-attack research has focused heavily on image classifiers; this work extends the threat model to graph-structured data, where the stakes for exposure are arguably higher. The black-box framing matters because real deployed models rarely hand over their weights.

Differential privacy via Laplacian noise is the conventional defense, but the paper finds GNNs remain vulnerable across a range of noise scales — a reminder that adding noise is not the same as solving the problem.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →