Lingshuo Meng,Yijie Bai,Yanjiao Chen,Yutong Hu,Wenyuan Xu,Haiqin Weng

DOI: https://doi.org/10.1145/3576915.3623173

2023-01-01

Abstract:Graph neural networks (GNNs) have been developed to mine useful information from graph data of various applications, e.g., health-care, fraud detection, and social recommendation. However, GNNs open up new attack surfaces for privacy attacks on graph data. In this paper, we propose Infiltrator, a privacy attack that is able to pry node-level private information based on black-box access to GNNs. Different from existing works that require prior information of the victim node, we explore the possibility of conducting the attack without any information of the victim node. Our idea is to infiltrate the graph with attacker-created nodes to befriend the victim node. More specifically, we design infiltration schemes that enable the adversary to infer the label, neighboring links, and sensitive attributes of a victim node. We evaluate Infiltrator with extensive experiments on three representative GNN models and six real-world datasets. The results demonstrate that Infiltrator can achieve an attack performance of more than 98% in all three attacks, outperforming baseline approaches. We further evaluate the defense resistance of Infiltrator against the graph homophily defender and the differentially private model.

Longfei Zheng,Chaochao Chen,Yingting Liu,Bingzhe Wu,Xibin Wu,Li Wang,Lei Wang,Jun Zhou,Shuang Yang

2020-01-01

Abstract:Deep Neural Network (DNN) has been showing great potential in kinds of real-world applications such as fraud detection and distress prediction. Meanwhile, data isolation has become a serious problem currently, i.e., different parties cannot share data with each other. To solve this issue, most research leverages cryptographic techniques to train secure DNN models for multi-parties without compromising their private data. Although such methods have strong security guarantee, they are difficult to scale to deep networks and large datasets due to its high communication and computation complexities. To solve the scalability of the existing secure Deep Neural Network (DNN) in data isolation scenarios, in this paper, we propose an industrial scale privacy preserving neural network learning paradigm, which is secure against semi-honest adversaries. Our main idea is to split the computation graph of DNN into two parts, i.e., the computations related to private data are performed by each party using cryptographic techniques, and the rest computations are done by a neutral server with high computation ability. We also present a defender mechanism for further privacy protection. We conduct experiments on real-world fraud detection dataset and financial distress prediction dataset, the encouraging results demonstrate the practicalness of our proposal.

Mengyuan Lee,Guanding Yu,Huaiyu Dai

DOI: https://doi.org/10.1109/twc.2023.3279442

IF: 10.4

2024-01-01

IEEE Transactions on Wireless Communications

Abstract:As an efficient neural network model for graph data, graph neural networks (GNNs) recently find successful applications for various wireless optimization problems. Given that the inference stage of GNNs can be naturally implemented in a decentralized manner, GNN is a potential enabler for decentralized control/management in the next-generation wireless communications. Privacy leakage, however, may occur due to the information exchanges among neighbors during decentralized inference with GNNs. To deal with this issue, in this paper, we analyze and enhance the privacy of decentralized inference with GNNs in wireless networks. Specifically, we adopt local differential privacy as the metric, and design novel privacy-preserving signals as well as privacy-guaranteed training algorithms to achieve privacy-preserving inference. We also define the SNR-privacy trade-off function to analyze the performance upper bound of decentralized inference with GNNs in wireless networks. To further enhance the communication and computation efficiency, we adopt the over-the-air computation technique and theoretically demonstrate its advantage in privacy preservation. Through extensive simulations on the synthetic graph data, we validate our theoretical analysis, verify the effectiveness of proposed privacy-preserving wireless signaling and privacy-guaranteed training algorithm, and offer some guidance on practical implementation.

Xinjun Pei,Xiaoheng Deng,Shengwei Tian,Kaiping Xue

DOI: https://doi.org/10.1109/icassp49357.2023.10096911

2023-01-01

Abstract:Graph Neural Networks (GNNs) as an emerging technique have shown excellent performance in a variety of fields, such as social networks and recommendation systems. However, GNNs may have to overcome privacy concerns as large amounts of information about their training datasets may be compromised. In this paper, we develop a privacy-preserving GNN to enforce privacy preservation, which utilizes a private Functional Mechanism (FM) to train the learning model. This mechanism perturbs the polynomial approximation of the objective function to enforce Differential Privacy (DP) in the GNN model. We show that our method can maximize the accuracy of the results with comparable prediction power to the unperturbed results while satisfying the privacy guarantees.

Xinjun Pei,Xiaoheng Deng,Shengwei Tian,Jianqing Liu,Kaiping Xue

DOI: https://doi.org/10.1109/tifs.2023.3329971

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the ever-growing interest in modeling complex graph structures, graph neural networks (GNN) provide a generalized form of exploiting non-Euclidean space data. However, the global graph may be distributed across multiple data centers, which makes conventional graph-based models incapable of modeling a complete graph structure. This also brings an unprecedented challenge to user privacy protection in distributed graph learning. Due to privacy requirements of legal policies, existing graph-based solutions are difficult to deploy in practice. In this paper, we propose a privacy-preserving graph neural network based on local graph augmentation, named LGA-PGNN, which preserves user privacy by enforcing local differential privacy (LDP) noise into the decentralized local graphs held by different data holders. Moreover, we perform local neighborhood augmentation on low-degree vertices to enhance the expressiveness of the learned model. Specifically, we propose two graph privacy attacks, namely attribute inference attack and link stealing attack, which aim at compromising user privacy. The experimental results demonstrate that LGA-PGNN can effectively mitigate these two attacks and provably avoid potential privacy leakage while ensuring the utility of the learning model.

David Pujol-Perich,José Suárez-Varela,Albert Cabellos-Aparicio,Pere Barlet-Ros

DOI: https://doi.org/10.48550/arXiv.2107.14756

2021-07-31

Abstract:The last few years have seen an increasing wave of attacks with serious economic and privacy damages, which evinces the need for accurate Network Intrusion Detection Systems (NIDS). Recent works propose the use of Machine Learning (ML) techniques for building such systems (e.g., decision trees, neural networks). However, existing ML-based NIDS are barely robust to common adversarial attacks, which limits their applicability to real networks. A fundamental problem of these solutions is that they treat and classify flows independently. In contrast, in this paper we argue the importance of focusing on the structural patterns of attacks, by capturing not only the individual flow features, but also the relations between different flows (e.g., the source/destination hosts they share). To this end, we use a graph representation that keeps flow records and their relationships, and propose a novel Graph Neural Network (GNN) model tailored to process and learn from such graph-structured information. In our evaluation, we first show that the proposed GNN model achieves state-of-the-art results in the well-known CIC-IDS2017 dataset. Moreover, we assess the robustness of our solution under two common adversarial attacks, that intentionally modify the packet size and inter-arrival times to avoid detection. The results show that our model is able to maintain the same level of accuracy as in previous experiments, while state-of-the-art ML techniques degrade up to 50% their accuracy (F1-score) under these attacks. This unprecedented level of robustness is mainly induced by the capability of our GNN model to learn flow patterns of attacks structured as graphs.

Cryptography and Security,Artificial Intelligence,Machine Learning,Networking and Internet Architecture

Li Zhou,Jing Wang,Dongmei Fan,Haifeng Zhang,Kai Zhong

DOI: https://doi.org/10.1016/j.physa.2023.129187

IF: 3.778

2023-01-01

Physica A Statistical Mechanics and its Applications

Abstract:Graph neural networks (GNNs) can learn the node representations to capture both node features and graph topology information through the message passing mechanism. However, since the information collected by GNNs is often used without authorization or maliciously attacked by hackers, which may result in leakage of users’ private information. To this end, we propose a privacy preserving GNNs framework, which not only protects the attribute privacy but also performs well in various downstream tasks. Specifically, when the users communicate with the third party, Paillier homomorphic encryption (HE) is used to encrypt users’ sensitive attribute information to prevent privacy leakage. Considering that the third party may be untrustworthy, differential privacy (DP) with Laplace mechanism is carried out to add noise to sensitive attribute information before transmission, so that the real attribute information is not accessible to the third party. Subsequently, the third party trains the GNNs model by using both the privacy preserving attribute information and public network topology information. Extensive experimental results show that, compared with the state-of-the-art methods, the privacy preserving GNNs still achieves satisfactory performance regarding different downstream tasks, such as node classification and link prediction while protecting the sensitive attributes of individuals.

Junpeng He,Hanyue Kong,Shihe Zhang,Xiong Li,Weina Niu,Xiaosong Zhang,Fagen Li

DOI: https://doi.org/10.1109/icc51166.2024.10622440

2024-01-01

Abstract:Recently, deep learning (DL)-driven intrusion detection technology has been rising gradually to reduce the economic and privacy losses caused by the dramatic increase in cyber attacks. Besides exploiting the statistical network traffic features, the inherent attack topologies are also important as they are highly associated with attack behaviors. Thus, many works use graph neural networks (GNN) to make use of them to improve the detection performance. Nevertheless, these topologies contain many isolated IPs that interact with far fewer targets than other non-isolated IPs. Due to the message-passing scheme, information from isolated IPs is less likely to be transmitted in GNN training, resulting in poor model understanding of the traffic connecting these isolated IPs. Therefore, the performance of GNN-based intrusion detection models is not satisfactory for this traffic. To address this problem, we implement a generation algorithm with traffic functionality preservation to improve the performance of GNN-based intrusion detectors by locally augmenting this type of traffic. The proposed method first converts the IP-based graph of the traffic dataset into a line graph, and then utilizes a conditional denoising diffusion probabilistic model to generate new graph snapshots to enhance the expressiveness of isolated IP in GNN message aggregation. We evaluate the performance of our method and compare it with state-of-the-art works on three datasets, i.e., NF-BoT-IoT-V2, NF-ToN-IoT-V2, and NF-CSECIC-IDS2018-V2, and the results show it achieves accuracy of 99.11%(↑0.11%), 93.84%(↑2.47%), and 97.15%(↑3.94%), respectively. Case study shows that the proposed local augmentation can improve detection performance under different isolated thresholds. Moreover, our method can alleviate the over-smoothing problem to a certain extent, and the augmented traffic also possesses better quality.

Tianyi Zhao,Hui Hu,Lu Cheng

2023-08-26

Abstract:Graph Neural Networks (GNNs) are powerful tools for learning representations on graphs, such as social networks. However, their vulnerability to privacy inference attacks restricts their practicality, especially in high-stake domains. To address this issue, privacy-preserving GNNs have been proposed, focusing on preserving node and/or link privacy. This work takes a step back and investigates how GNNs contribute to privacy leakage. Through theoretical analysis and simulations, we identify message passing under structural bias as the core component that allows GNNs to \textit{propagate} and \textit{amplify} privacy leakage. Building upon these findings, we propose a principled privacy-preserving GNN framework that effectively safeguards both node and link privacy, referred to as dual-privacy preservation. The framework comprises three major modules: a Sensitive Information Obfuscation Module that removes sensitive information from node embeddings, a Dynamic Structure Debiasing Module that dynamically corrects the structural bias, and an Adversarial Learning Module that optimizes the privacy-utility trade-off. Experimental results on four benchmark datasets validate the effectiveness of the proposed model in protecting both node and link privacy while preserving high utility for downstream tasks, such as node classification.

Machine Learning,Cryptography and Security,Social and Information Networks

Xuemin Wang,Tianlong Gu,Xuguang Bao,Liang Chang

DOI: https://doi.org/10.1007/978-3-031-30678-5_64

2023-01-01

Abstract:Graph neural networks (GNNs) have demonstrated superior performance in modeling graph-structured. They are vastly applied in various high-stakes scenarios such as financial analysis and social analysis. Among the fields, privacy issues and fairness issues have become the focus of attention. Currently, most studies focus on protecting data privacy or promoting the fairness of the model. However, how to both guarantee privacy and fairness is under-explored on GNN. To ensure GNNs behave in a socially responsible manner, it is necessary to protect the privacy and mitigate bias simultaneously. Therefore, our Ph.D. project aims at creating GNNs which can promote fairness and protect data privacy, preserving high utility performance.

Xuemin Wang,Tianlong Gu,Xuguang Bao,Liang Chang,Long Li

DOI: https://doi.org/10.1016/j.knosys.2023.110490

IF: 8.139

2023-01-01

Knowledge-Based Systems

Abstract:Graph neural networks (GNNs) have shown superior performance in learning node representation for various graph inference tasks and play a pivotal role in high-stakes decision scenarios. However, GNNs may magnify the bias in the original data and make discriminatory decisions toward individuals, reducing user trust. Some research advances have been made to improve the individual fairness of GNNs and increase trust. However, they raise privacy issues when the acquired data involves sensitive information. To address this challenge, we propose a GNN privacy protection method called local private feature-individual​ fairness graph neural network, LPF-IFGNN for node features based on local differential privacy (LDP) that can strike a balance between fairness and privacy. Specially, we propose an LDP mechanism that considers privacy issues in normalization and can compress and perturb features. In addition, we employ a convolution layer that aggregates multi-hop node features using the mean function to denoise and avoid promoting individual fairness about the perturbed features. We consider the situation where node labels are also required to be protected, and we further propose LPL-LPF-IFGNN based on LDP. Experimental results on five real-world datasets show that LPL-LPF-IFGNN outperforms the state-of-the-art fairness baseline by 41.75% on ACC and 5.02% on NDCG@10 on private data with a feature privacy budget of 1 and a label privacy budget of 0.5. Experiments further indicate that our methods can achieve a good balance between model utility and individual fairness for private node data with LDP guarantees.

Yanli Yuan,Dian Lei,Qing Fan,Keli Zhao,Liehuang Zhu,Chuan Zhang

DOI: https://doi.org/10.1109/icicn62625.2024.10761771

2024-01-01

Abstract:With the widespread adoption of Graph Neural Network (GNN) technology in industry, concerns regarding graph data privacy have become increasingly prominent. Differential privacy has been demonstrated as an effective method to ensure privacy in graph learning. However, existing differential privacy-based GNN methods often overlook the individual privacy protection needs of users, offering uniform privacy guarantees to all. This approach can result in either over-protection or insufficient protection for certain users. To address this issue, we propose an adaptive privacy-preserving GNN training method that accommodates the varying privacy requirements of nodes while achieving high model training accuracy. Specifically, APPGNN allocates adaptive privacy budgets based on individual user privacy needs. Additionally, to mitigate the impact of noise on data utility, APPGNN incorporates a weighted neighborhood aggregation mechanism to enhance GNN model accuracy. Theoretical analysis indicates that APPGNN provides adaptive privacy protection while ensuring ε-differential privacy on node data. Experimental evaluations on four real-world graph datasets validate the effectiveness of APPGNN.

Guanghui He,Yanli Ren,Jingyuan Jiang,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1109/tetci.2024.3502434

2024-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Graph neural networks (GNNs) have become a powerful tool for processing and learning graph data. However, due to the existence of data silos, the privacy of data and the processing result is an important concern. Meanwhile, the malicious example will result in the incorrect output of the model. For the above concerns, this paper proposes privacy-enhanced federated graph network inference against adversarial example attack. Specifically, we adopt secret sharing and homomorphic encryption to ensure the privacy of graph data, where the user can get the final inference, and the server holds nothing except the model parameters. Moreover, in order to prevent malicious users from interfering with the accuracy of the model, an adversarial example detection mechanism on the ciphertext is designed to identify local embedding submitted by malicious users. During the whole process, both local and global embedding are both protected. The experimental results show that the model accuracy is about 69% and 66% with malicious samples on Cora and Citeseer in the domain of ciphertext respectively and they are nearly same as 70% and 69% in the domain of plaintext, which shows the effectiveness of our protocol.

Enyan Dai,Limeng Cui,Zhengyang Wang,Xianfeng Tang,Yinghan Wang,Monica Cheng,Bing Yin,Suhang Wang

DOI: https://doi.org/10.48550/arXiv.2306.08604

2023-06-15

Abstract:Graph Neural Networks (GNNs) have achieved great success in modeling graph-structured data. However, recent works show that GNNs are vulnerable to adversarial attacks which can fool the GNN model to make desired predictions of the attacker. In addition, training data of GNNs can be leaked under membership inference attacks. This largely hinders the adoption of GNNs in high-stake domains such as e-commerce, finance and bioinformatics. Though investigations have been made in conducting robust predictions and protecting membership privacy, they generally fail to simultaneously consider the robustness and membership privacy. Therefore, in this work, we study a novel problem of developing robust and membership privacy-preserving GNNs. Our analysis shows that Information Bottleneck (IB) can help filter out noisy information and regularize the predictions on labeled samples, which can benefit robustness and membership privacy. However, structural noises and lack of labels in node classification challenge the deployment of IB on graph-structured data. To mitigate these issues, we propose a novel graph information bottleneck framework that can alleviate structural noises with neighbor bottleneck. Pseudo labels are also incorporated in the optimization to minimize the gap between the predictions on the labeled set and unlabeled set for membership privacy. Extensive experiments on real-world datasets demonstrate that our method can give robust predictions and simultaneously preserve membership privacy.

Machine Learning,Artificial Intelligence,Cryptography and Security

Yining Yang,Jialiang Lu

DOI: https://doi.org/10.1109/vtc2023-fall60731.2023.10333722

2023-01-01

Abstract:Graph neural networks (GNNs) have emerged as a promising approach for real-world applications such as the Internet of Vehicles (IoV) or social networks, yet the spectral properties of the GNN model are under-explored, especially from a privacy detection and protection perspective. This article proposes a general framework to distinguish black-box GNN based on spectral filtering performance. The framework offers a new perspective for spectral privacy detection with a generated graph sample set. Specifically, by introducing a set of graphs of different connectivity, we could access the spectral characteristics of black-box GNN. Furthermore, we could infer information about its underlying structure, such as message passing or positional embedding. Overall, our work sheds light on the spectral properties of GNNs and opens up new avenues for analyzing their behavior in real-world applications.

Lina Zhang,Yang Wang,Minyue Wu,Yanwei Wang,Ying Zheng

DOI: https://doi.org/10.1109/safeprocess58597.2023.10295926

2023-01-01

Abstract:Network technology has become an inseparable part of daily life, which is easily attacked by some criminals. Therefore, ensuring the security of network becomes an urgent problem. In the past few years, various deep learning techniques have been put forward for identifying network intrusions. However, the majority of these approaches overlook the non-Euclidean nature of relationships within network intrusion data. In this paper, graph neural network (GNN) is used to learn the relationship between data. The sample balancing module is to address the significant disparity between the number of intrusive samples and normal samples. The results obtained from the experiments indicate that the suggested approach can enhance the effectiveness of the intrusion detection system.

Zhikun Zhang,Min Chen,Michael Backes,Yun Shen,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2110.02631

2021-10-06

Abstract:Graph is an important data representation ubiquitously existing in the real world. However, analyzing the graph data is computationally difficult due to its non-Euclidean nature. Graph embedding is a powerful tool to solve the graph analytics problem by transforming the graph data into low-dimensional vectors. These vectors could also be shared with third parties to gain additional insights of what is behind the data. While sharing graph embedding is intriguing, the associated privacy risks are unexplored. In this paper, we systematically investigate the information leakage of the graph embedding by mounting three inference attacks. First, we can successfully infer basic graph properties, such as the number of nodes, the number of edges, and graph density, of the target graph with up to 0.89 accuracy. Second, given a subgraph of interest and the graph embedding, we can determine with high confidence that whether the subgraph is contained in the target graph. For instance, we achieve 0.98 attack AUC on the DD dataset. Third, we propose a novel graph reconstruction attack that can reconstruct a graph that has similar graph structural statistics to the target graph. We further propose an effective defense mechanism based on graph embedding perturbation to mitigate the inference attacks without noticeable performance degradation for graph classification tasks. Our code is available at <a class="link-external link-https" href="https://github.com/Zhangzhk0819/GNN-Embedding-Leaks" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Machine Learning

Hedyeh Nazari,Abbas Yazdinejad,Ali Dehghantanha,Fattane Zarrinkalam,Gautam Srivastava

2024-07-09

Abstract:Software Defined Networking (SDN) has brought significant advancements in network management and programmability. However, this evolution has also heightened vulnerability to Advanced Persistent Threats (APTs), sophisticated and stealthy cyberattacks that traditional detection methods often fail to counter, especially in the face of zero-day exploits. A prevalent issue is the inadequacy of existing strategies to detect novel threats while addressing data privacy concerns in collaborative learning scenarios. This paper presents P3GNN (privacy-preserving provenance graph-based graph neural network model), a novel model that synergizes Federated Learning (FL) with Graph Convolutional Networks (GCN) for effective APT detection in SDN environments. P3GNN utilizes unsupervised learning to analyze operational patterns within provenance graphs, identifying deviations indicative of security breaches. Its core feature is the integration of FL with homomorphic encryption, which fortifies data confidentiality and gradient integrity during collaborative learning. This approach addresses the critical challenge of data privacy in shared learning contexts. Key innovations of P3GNN include its ability to detect anomalies at the node level within provenance graphs, offering a detailed view of attack trajectories and enhancing security analysis. Furthermore, the models unsupervised learning capability enables it to identify zero-day attacks by learning standard operational patterns. Empirical evaluation using the DARPA TCE3 dataset demonstrates P3GNNs exceptional performance, achieving an accuracy of 0.93 and a low false positive rate of 0.06.

Cryptography and Security

Yi Zhang,Yuying Zhao,Zhaoqing Li,Xueqi Cheng,Yu Wang,Olivera Kotevska,Philip S. Yu,Tyler Derr

DOI: https://doi.org/10.48550/arXiv.2308.16375

2023-09-19

Abstract:Graph Neural Networks (GNNs) have gained significant attention owing to their ability to handle graph-structured data and the improvement in practical applications. However, many of these models prioritize high utility performance, such as accuracy, with a lack of privacy consideration, which is a major concern in modern society where privacy attacks are rampant. To address this issue, researchers have started to develop privacy-preserving GNNs. Despite this progress, there is a lack of a comprehensive overview of the attacks and the techniques for preserving privacy in the graph domain. In this survey, we aim to address this gap by summarizing the attacks on graph data according to the targeted information, categorizing the privacy preservation techniques in GNNs, and reviewing the datasets and applications that could be used for analyzing/solving privacy issues in GNNs. We also outline potential directions for future research in order to build better privacy-preserving GNNs.

Machine Learning,Artificial Intelligence,Cryptography and Security

Iyiola E. Olatunji,Thorben Funke,Megha Khosla

DOI: https://doi.org/10.48550/arXiv.2109.08907

2023-11-02

Abstract:With the increasing popularity of graph neural networks (GNNs) in several sensitive applications like healthcare and medicine, concerns have been raised over the privacy aspects of trained GNNs. More notably, GNNs are vulnerable to privacy attacks, such as membership inference attacks, even if only black-box access to the trained model is granted. We propose PrivGNN, a privacy-preserving framework for releasing GNN models in a centralized setting. Assuming an access to a public unlabeled graph, PrivGNN provides a framework to release GNN models trained explicitly on public data along with knowledge obtained from the private data in a privacy preserving manner. PrivGNN combines the knowledge-distillation framework with the two noise mechanisms, random subsampling, and noisy labeling, to ensure rigorous privacy guarantees. We theoretically analyze our approach in the Renyi differential privacy framework. Besides, we show the solid experimental performance of our method compared to several baselines adapted for graph-structured data. Our code is available at <a class="link-external link-https" href="https://github.com/iyempissy/privGnn" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security