Graphs have become increasingly integral to the advancement of recommendation systems, particularly with the fast development of graph neural networks (GNNs). By exploiting rich node features and link information, GNNs are designed to provide personalized and accurate suggestions. Meanwhile, the privacy leakage of GNNs in such contexts has also attracted special attention. Prior work has revealed that a malicious user can use auxiliary knowledge to extract sensitive link data of the target graph, integral to recommendation systems, via the decisions made by the target GNN model. This poses a significant risk to the integrity and confidentiality of the data used in recommendation systems. Though important, previous works on GNN privacy leakage are still challenged in three aspects, i.e., limited stealing attack scenarios, sub-optimal attack performance, and adaptation against defense. To address these issues, we propose a diffusion model based link stealing attack, named DM4Steal. It differs from previous work in three critical aspects. (i) Generality: aiming at six attack scenarios with limited auxiliary knowledge, we propose a novel training strategy for diffusion models so that DM4Steal is transferable to diverse attack scenarios. (ii) Effectiveness: benefiting from the retention of semantic structure in the diffusion model during the training process, DM4Steal is capable of learning the precise topology of the target graph through the GNN decision process. (iii) Adaptation: when the GNN is defensive (e.g., DP, Dropout), DM4Steal relies on the stability that comes from sampling the score model multiple times to keep performance degradation to a minimum; thus DM4Steal implements a successful adaptive attack on defensive GNNs.