Graph neural networks (GNNs) have shown promising results on real-life datasets and applications, including healthcare, finance, and education. However, recent studies have shown that GNNs are highly vulnerable to attacks such as membership inference attack and link reconstruction attack. Surprisingly, attribute inference attacks has received little attention. In this paper, we initiate the first investigation into attribute inference attack where an attacker aims to infer the sensitive user attributes based on her public or non-sensitive attributes. We ask the question whether black-box attribute inference attack constitutes a significant privacy risk for graph-structured data and their corresponding GNN model. We take a systematic approach to launch the attacks by varying the adversarial knowledge and assumptions. Our findings reveal that when an attacker has black-box access to the target model, GNNs generally do not reveal significantly more information compared to missing value estimation techniques. Code is available.

翻译：图神经网络（GNN）在医疗、金融和教育等现实数据集与应用中展现出显著成果。然而，近期研究表明GNN极易遭受诸如成员推断攻击和链接重构攻击等威胁。值得注意的是，属性推断攻击却鲜少受到关注。本文首次系统探究属性推断攻击——即攻击者试图基于用户公开或非敏感属性推断其敏感属性的攻击行为。我们提出核心问题：针对图结构化数据及其对应GNN模型的黑盒属性推断攻击，是否构成重大隐私风险？本文通过改变对抗性知识与假设条件，采用系统化方法实施攻击。研究结果表明：当攻击者拥有目标模型的黑盒访问权限时，相较于缺失值估计技术，GNN通常不会泄露显著更多的信息。相关代码已公开。