Graph neural networks (GNNs) play a key role in learning representations from graph-structured data and are demonstrated to be useful in many applications. However, the GNN training pipeline has been shown to be vulnerable to node feature leakage and edge extraction attacks. This paper investigates a scenario where an attacker aims to recover private edge information from a trained GNN model. Previous studies have employed differential privacy (DP) to add noise directly to the adjacency matrix or a compact graph representation. The added perturbations cause the graph structure to be substantially morphed, reducing the model utility. We propose a new privacy-preserving GNN training algorithm, Eclipse, that maintains good model utility while providing strong privacy protection on edges. Eclipse is based on two key observations. First, adjacency matrices in graph structures exhibit low-rank behavior. Thus, Eclipse trains GNNs with a low-rank format of the graph via singular values decomposition (SVD), rather than the original graph. Using the low-rank format, Eclipse preserves the primary graph topology and removes the remaining residual edges. Eclipse adds noise to the low-rank singular values instead of the entire graph, thereby preserving the graph privacy while still maintaining enough of the graph structure to maintain model utility. We theoretically show Eclipse provide formal DP guarantee on edges. Experiments on benchmark graph datasets show that Eclipse achieves significantly better privacy-utility tradeoff compared to existing privacy-preserving GNN training methods. In particular, under strong privacy constraints ($\epsilon$ < 4), Eclipse shows significant gains in the model utility by up to 46%. We further demonstrate that Eclipse also has better resilience against common edge attacks (e.g., LPA), lowering the attack AUC by up to 5% compared to other state-of-the-art baselines.

翻译：图神经网络（GNNs）在从图结构数据中学习表示方面发挥着关键作用，并已被证明在众多应用中具有实用性。然而，GNN训练流程已被证实易受节点特征泄露和边缘提取攻击的影响。本文研究一种场景，其中攻击者旨在从训练好的GNN模型中恢复私有边缘信息。以往研究采用差分隐私（DP）直接向邻接矩阵或紧凑图表示中添加噪声，但添加的扰动会导致图结构严重变形，从而降低模型效用。我们提出一种新的隐私保护GNN训练算法Eclipse，该算法在提供强边缘隐私保护的同时保持良好的模型效用。Eclipse基于两个关键观察：首先，图结构中的邻接矩阵呈现低秩特性。因此，Eclipse通过奇异值分解（SVD）使用图的低秩形式而非原始图来训练GNN。利用低秩形式，Eclipse保留了主要图拓扑结构并移除剩余的残差边缘。Eclipse向低秩奇异值而非整个图添加噪声，从而在保护图隐私的同时维持足够多的图结构以保持模型效用。我们从理论上证明了Eclipse能提供对边缘的形式化DP保证。在基准图数据集上的实验表明，与现有隐私保护GNN训练方法相比，Eclipse实现了显著更优的隐私-效用权衡。特别是在强隐私约束（$\epsilon$ < 4）下，Eclipse的模型效用提升高达46%。我们进一步证明，Eclipse相比其他最先进基线方法对常见边缘攻击（如LPA）具有更强的鲁棒性，攻击AUC最多降低5%。