Graph unlearning has emerged as a promising solution to comply with "the right to be forgotten" regulations by enabling the removal of sensitive information upon request. However, this solution is not foolproof. The involvement of multiple parties creates new attack surfaces, and residual traces of deleted data can still remain in the unlearned graph neural networks (GNNs). These vulnerabilities can be exploited by attackers to recover the supposedly erased samples, thereby undermining the intended functionality of graph unlearning. In this work, we propose GraphToxin, the first full graph reconstruction attack against graph unlearning. Specifically, we introduce a novel curvature matching module to provide fine-grained guidance for unlearned graph recovery. We demonstrate that GraphToxin can successfully subvert the regulatory guarantees expected from graph unlearning, it can recover not only a deleted individual's information and personal links but also sensitive content from their connections, thereby posing substantially more detrimental threats. Furthermore, we extend GraphToxin to multiple-node removal under both white-box and black-box settings, showcasing its practical feasibility and potential to cause considerable harm. We highlight the necessity of worst-case analysis and propose a systematic evaluation framework to assess attack performance under both random and worst-case node removal scenarios. Our extensive experiments demonstrate the effectiveness and flexibility of GraphToxin. Notably, existing defense mechanisms are largely ineffective against this attack or even amplify its performance in some cases. Given the severe privacy risks posed by GraphToxin, our work underscores the urgent need for more effective and robust defenses.
翻译:图遗忘已成为一种有前景的解决方案,通过按需移除敏感信息以符合"被遗忘权"法规要求。然而,该方案并非万无一失。多方参与引入了新的攻击面,且已删除数据的残留痕迹仍可能留存于未学习的图神经网络中。攻击者可利用这些漏洞恢复本应被擦除的样本,从而破坏图遗忘的预期功能。本文提出GraphToxin——首个针对图遗忘的完整图重构攻击。具体而言,我们引入新颖的曲率匹配模块,为未学习图的恢复提供细粒度指导。实验证明GraphToxin能成功颠覆图遗忘预期的法规保障,不仅能恢复被删除个体的信息与个人关联,还能从其连接关系中提取敏感内容,从而构成显著更具危害性的威胁。此外,我们将GraphToxin扩展至白盒与黑盒设置下的多节点移除场景,验证了其实用可行性及可能造成的重大危害。我们强调最坏情况分析的必要性,并提出系统化评估框架以衡量随机与最坏情况节点移除场景下的攻击性能。大量实验证明了GraphToxin的有效性与灵活性。值得注意的是,现有防御机制对该攻击基本无效,甚至在部分情况下会放大其攻击效果。鉴于GraphToxin带来的严重隐私风险,本研究强调亟需开发更有效且鲁棒的防御方案。