As machine learning becomes more widely used for critical applications, the need to study its implications in privacy turns to be urgent. Given access to the target model and auxiliary information, the model inversion attack aims to infer sensitive features of the training dataset, which leads to great privacy concerns. Despite its success in grid-like domains, directly applying model inversion techniques on non-grid domains such as graph achieves poor attack performance due to the difficulty to fully exploit the intrinsic properties of graphs and attributes of nodes used in Graph Neural Networks (GNN). To bridge this gap, we present \textbf{Graph} \textbf{M}odel \textbf{I}nversion attack (GraphMI), which aims to extract private graph data of the training graph by inverting GNN, one of the state-of-the-art graph analysis tools. Specifically, we firstly propose a projected gradient module to tackle the discreteness of graph edges while preserving the sparsity and smoothness of graph features. Then we design a graph auto-encoder module to efficiently exploit graph topology, node attributes, and target model parameters for edge inference. With the proposed methods, we study the connection between model inversion risk and edge influence and show that edges with greater influence are more likely to be recovered. Extensive experiments over several public datasets demonstrate the effectiveness of our method. We also show that differential privacy in its canonical form can hardly defend our attack while preserving decent utility.

翻译：随着机器学习被广泛用于关键应用,研究其在隐私中的影响的必要性变得十分迫切。鉴于访问目标模型和辅助信息的机会,模型反向攻击的目的是推断培训数据集的敏感特征,这会导致极大的隐私问题。尽管在网状域中取得了成功,但在非网状域中直接应用模型反向技术,如图形,由于难以充分利用图形神经网络(GNN)中使用的图表和节点的内在特性,攻击性能较差。为了缩小这一差距,我们提出“textbf{Graph}\ textbf{M}odel\textbf{M}odel\textbf{I}nversion 攻击(GraphMI)”,目的是通过在像样域域域域域域域域域域域名这样的工具中将模型反向技术直接应用于非网域。具体地说,由于难以充分利用图形边缘边缘的离散特性,因此我们首先提出一个预测的梯度模块,以便解决图形边缘的离散性,同时保持微度和平滑度特性。然后我们设计一个图形自动分解模块模块模块模块模块模块,以便有效地利用图表的表、不易变形模型,同时显示我们更深的连接的连接法和更深层的研究方法,从而展示了我们更深层的磁度研究。