Jiarong Xu,Yizhou Sun,Xin Jiang,Yanhao Wang,Chunping Wang,Jiangang Lu,Yang Yang

DOI: https://doi.org/10.48550/arxiv.2012.06757

2022-01-01

Abstract:Adversarial attacks on graphs have attracted considerable research interests. Existing works assume the attacker is either (partly) aware of the victim model, or able to send queries to it. These assumptions are, however, unrealistic. To bridge the gap between theoretical graph attacks and real-world scenarios, in this work, we propose a novel and more realistic setting: strict black-box graph attack, in which the attacker has no knowledge about the victim model at all and is not allowed to send any queries. To design such an attack strategy, we first propose a generic graph filter to unify different families of graph-based models. The strength of attacks can then be quantified by the change in the graph filter before and after attack. By maximizing this change, we are able to find an effective attack strategy, regardless of the underlying model. To solve this optimization problem, we also propose a relaxation technique and approximation theories to reduce the difficulty as well as the computational expense. Experiments demonstrate that, even with no exposure to the model, the Macro-F1 drops 6.4% in node classification and 29.5% in graph classification, which is a significant result compared with existent works.

Lingshuo Meng,Yijie Bai,Yanjiao Chen,Yutong Hu,Wenyuan Xu,Haiqin Weng

DOI: https://doi.org/10.1145/3576915.3623173

2023-01-01

Abstract:Graph neural networks (GNNs) have been developed to mine useful information from graph data of various applications, e.g., health-care, fraud detection, and social recommendation. However, GNNs open up new attack surfaces for privacy attacks on graph data. In this paper, we propose Infiltrator, a privacy attack that is able to pry node-level private information based on black-box access to GNNs. Different from existing works that require prior information of the victim node, we explore the possibility of conducting the attack without any information of the victim node. Our idea is to infiltrate the graph with attacker-created nodes to befriend the victim node. More specifically, we design infiltration schemes that enable the adversary to infer the label, neighboring links, and sensitive attributes of a victim node. We evaluate Infiltrator with extensive experiments on three representative GNN models and six real-world datasets. The results demonstrate that Infiltrator can achieve an attack performance of more than 98% in all three attacks, outperforming baseline approaches. We further evaluate the defense resistance of Infiltrator against the graph homophily defender and the differentially private model.

Hang Liu,Anna Scaglione,Hoi-To Wai

DOI: https://doi.org/10.1109/TSP.2024.3382840

2024-03-30

Abstract:Classical graph matching aims to find a node correspondence between two unlabeled graphs of known topologies. This problem has a wide range of applications, from matching identities in social networks to identifying similar biological network functions across species. However, when the underlying graphs are unknown, the use of conventional graph matching methods requires inferring the graph topologies first, a process that is highly sensitive to observation errors. In this paper, we tackle the blind graph matching problem with unknown underlying graphs directly using observations of graph signals, which are generated from graph filters applied to graph signal excitations. We propose to construct sample covariance matrices from the observed signals and match the nodes based on the selected sample eigenvectors. Our analysis shows that the blind matching outcome converges to the result obtained with known graph topologies when the signal sampling size is large and the signal noise is small. Numerical results showcase the performance improvement of the proposed algorithm compared to matching two estimated underlying graphs learned from the graph signals.

Signal Processing

Xiaoyan Yin,Wanyu Lin,Kexin Sun,Chun Wei,Yanjiao Chen

DOI: https://doi.org/10.1109/tifs.2022.3219342

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Social status, the social influence of a user, plays an important role in many real-world applications, e.g., trust relations and information propagation in a social network. In this paper, we reveal the possibility of falsifying social status through adversarial attacks in graph neural networks (GNNs). Different from neural networks in the visual or speech domain, GNNs take the attributes of nodes and edges in a graph as features. To cater to the characteristics of GNNs, $\vphantom {_{\int }}$ we design a new paradigm of adversarial example attack, named $A^{2} S^{2}$ - GNN ( $\mathbf {GNN}$ -based $\mathbf {A}$ dversarial $\mathbf {A}$ ttacks on $\mathbf {S}$ ocial $\mathbf {S}$ tatus), aiming at manipulating the social status of a target node in social networks. The key idea is to establish relationships or break relationships between a set of compromised nodes and the target node. More specifically, we consider a signed directed graph representing complicated positive/negative asymmetric relationships between nodes. We design an efficient adversarial attack algorithm to determine the minimum set of signed links that should be created or deleted to reach the attack objective. We conduct extensive experiments on baseline datasets. Compared with the benchmark algorithms, $A^{2} S^{2}$ - GNN can effectively promote or vilify the social status of the target node up to 89.36% and 192.38%, respectively, while keeping the modification to the social network to the minimum. Furthermore, the experimental results on six status evaluating algorithms verify the transferability of our proposed attack algorithm.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs , ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. The source code and employed datasets are now publicly available at SecGraph [2015].

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise.

Jia-Lin LIU,Shu-Yang SHI,Yue-Mei ZHANG,Ying-Xia SHAO,Bin CUI

DOI: https://doi.org/10.13328/j.cnki.jos.005436

2018-01-01

Abstract:Ever since social networks became the focus of a great number of researches,the privacy risks of published network data have also raised considerable concerns.To evaluate users' privacy risks,researchers have developed methods to de-anonymize graphs and identify same person in different graphs,yet the existing algorithms either requires high-quality seed mappings,or have low accuracy and high expense.In this paper,an effective and efficient seedless de-anonymization algorithm,"RoleMatch" is proposed.This algorithm is based on the network topology and consists of (1) a new cross-graph node similarity measurement "RoleSim++" with fast computation method,and (2) an effective node matching algorithm considering both similarities and feedbacks.In experiments,the algorithm is tested with graphs anonymized in several popular anonymization ways,using the data from LiveJournal.In addition to the traditional symmetric experiments,an asymmetric experiment setting is proposed to mimic closer to real-world application.The results from those experiment show that with the proposed algorithm the de-anonymization work achieves superior performance compared with existing de-anonymization algorithms.

Kaiyang Li,Guoming Lu,Guangchun Luo,Zhipeng Cai

DOI: https://doi.org/10.1145/3340531.3411970

2020-01-01

Abstract:The huge amount of graph data are published and shared for research and business purposes, which brings great benefit for our society. However, user privacy is badly undermined even though user identity can be anonymized. Graph de-anonymization to identify nodes from an anonymized graph is widely adopted to evaluate users' privacy risks. Most existing de-anonymization methods which are heavily reliant on side information (e.g., seeds, user profiles, community labels) are unrealistic due to the difficulty of collecting this side information. A few graph de-anonymization methods only using structural information, called seed-free methods, have been proposed recently, which mainly take advantage of the local and manual features of nodes while overlooking the global structural information of the graph for de-anonymization. In this paper, a seed-free graph de-anonymization method is proposed, where a deep neural network is adopted to learn features and an adversarial framework is employed for node matching. To be specific, the latent representation of each node is obtained by graph autoencoder. Furthermore, an adversarial learning model is proposed to transform the embedding of the anonymized graph to the latent space of auxiliary graph embedding such that a linear mapping can be derived from a global perspective. Finally, the most similar node pairs in the latent space as the anchor nodes are utilized to launch propagation to de-anonymize all the remaining nodes. The extensive experiments on some real datasets demonstrate that our method is comparative with the seed-based approaches and outperforms the start-of-the-art seed-free method significantly.

Wei-Han Lee,Changchang Liu,Shouling Ji,Prateek Mittal,Ruby Lee

DOI: https://doi.org/10.48550/arXiv.1801.05534

2018-01-17

Abstract:It is important to study the risks of publishing privacy-sensitive data. Even if sensitive identities (e.g., name, social security number) were removed and advanced data perturbation techniques were applied, several de-anonymization attacks have been proposed to re-identify individuals. However, existing attacks have some limitations: 1) they are limited in de-anonymization accuracy; 2) they require prior seed knowledge and suffer from the imprecision of such seed information. We propose a novel structure-based de-anonymization attack, which does not require the attacker to have prior information (e.g., seeds). Our attack is based on two key insights: using multi-hop neighborhood information, and optimizing the process of de-anonymization by exploiting enhanced machine learning techniques. The experimental results demonstrate that our method is robust to data perturbations and significantly outperforms the state-of-the-art de-anonymization techniques by up to $10\times$ improvement.

Social and Information Networks

Farhad Shirani,Siddharth Garg,Elza Erkip

DOI: https://doi.org/10.48550/arXiv.1710.04163

2017-10-12

Abstract:In this paper, a new mathematical formulation for the problem of de-anonymizing social network users by actively querying their membership in social network groups is introduced. In this formulation, the attacker has access to a noisy observation of the group membership of each user in the social network. When an unidentified victim visits a malicious website, the attacker uses browser history sniffing to make queries regarding the victim's social media activity. Particularly, it can make polar queries regarding the victim's group memberships and the victim's identity. The attacker receives noisy responses to her queries. The goal is to de-anonymize the victim with the minimum number of queries. Starting with a rigorous mathematical model for this active de-anonymization problem, an upper bound on the attacker's expected query cost is derived, and new attack algorithms are proposed which achieve this bound. These algorithms vary in computational cost and performance. The results suggest that prior heuristic approaches to this problem provide sub-optimal solutions.

Information Theory,Cryptography and Security,Social and Information Networks

Zhongzhao Hu,Luoyi Fu,Xiaoying Gan

DOI: https://doi.org/10.1145/3321408.3321577

2019-01-01

Abstract:De-anonymizing social networks has become a direct threat to people's privacy . Actually, It can be boiled down to graph matching problems. The attackers steal users' real information in anonymized social networks by mapping them to secondary cross-domain networks. In particular, when partial node identity in the anonymized network is known, such attacks will become more powerful. Some scholars have studied seeded network de-anonymization. However, there is a lack of consideration for network overlap. We further expand the work of predecessors and consider partially overlapping networks de-anonymization with the aid of seeded nodes. We give a more general form of theoretical results under Erdös - Rényi model(ER model). We also validated our results on both synthetic and real data.

Santiago Segarra,Gonzalo Mateos,Antonio G. Marques,Alejandro Ribeiro

DOI: https://doi.org/10.1109/TSP.2016.2628343

2016-04-25

Abstract:Network processes are often represented as signals defined on the vertices of a graph. To untangle the latent structure of such signals, one can view them as outputs of linear graph filters modeling underlying network dynamics. This paper deals with the problem of joint identification of a graph filter and its input signal, thus broadening the scope of classical blind deconvolution of temporal and spatial signals to the less-structured graph domain. Given a graph signal $\mathbf{y}$ modeled as the output of a graph filter, the goal is to recover the vector of filter coefficients $\mathbf{h}$, and the input signal $\mathbf{x}$ which is assumed to be sparse. While $\mathbf{y}$ is a bilinear function of $\mathbf{x}$ and $\mathbf{h}$, the filtered graph signal is also a linear combination of the entries of the lifted rank-one, row-sparse matrix $\mathbf{x} \mathbf{h}^T$. The blind graph-filter identification problem can thus be tackled via rank and sparsity minimization subject to linear constraints, an inverse problem amenable to convex relaxations offering provable recovery guarantees under simplifying assumptions. Numerical tests using both synthetic and real-world networks illustrate the merits of the proposed algorithms, as well as the benefits of leveraging multiple signals to aid the blind identification task.

Information Theory

Ao Liu,Beibei Li,Tao Li,Pan Zhou,Rui Wang

DOI: https://doi.org/10.1109/tnnls.2022.3172296

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Recent studies have revealed the vulnerability of graph convolutional networks (GCNs) to edge-perturbing attacks, such as maliciously inserting or deleting graph edges. However, theoretical proof of such vulnerability remains a big challenge, and effective defense schemes are still open issues. In this article, we first generalize the formulation of edge-perturbing attacks and strictly prove the vulnerability of GCNs to such attacks in node classification tasks. Following this, an anonymous GCN, named AN-GCN, is proposed to defend against edge-perturbing attacks. In particular, we present a node localization theorem to demonstrate how GCNs locate nodes during their training phase. In addition, we design a staggered Gaussian noise-based node position generator and a spectral graph convolution-based discriminator (in detecting the generated node positions). Furthermore, we provide an optimization method for the designed generator and discriminator. It is demonstrated that the AN-GCN is secure against edge-perturbing attacks in node classification tasks, as AN-GCN is developed to classify nodes without the edge information (making it impossible for attackers to perturb edges anymore). Extensive evaluations verify the effectiveness of the general edge-perturbing attack (G-EPA) model in manipulating the classification results of the target nodes. More importantly, the proposed AN-GCN can achieve 82.7% in node classification accuracy without the edge-reading permission, which outperforms the state-of-the-art GCN.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Kaiyang Li,Ling Tian,Xu Zheng,Bei Hui

DOI: https://doi.org/10.26599/tst.2021.9010083

2022-01-01

Tsinghua Science & Technology

Abstract:The inefficient utilization of ubiquitous graph data with combinatorial structures necessitates graph embedding methods,aiming at learning a continuous vector space for the graph which is amenable to be adopted in traditional machine learning algorithms in favor of vector representations.Graph embedding methods build an important bridge between social network analysis and data analytics as social networks naturally generate an unprecedented volume of graph data continuously.Publishing social network data not only bring benefit for public health,disaster response,commercial promotion,and many other applications,but also give birth to threats that jeopardize each individual’s privacy and security.Unfortunately,most existing works in publishing social graph embedding data only focus on preserving social graph structure with less attention paid to the privacy issues inherited from social networks.To be specific,attackers can infer the presence of a sensitive relationship between two individuals by training a predictive model with the exposed social network embedding.In this paper,we propose a novel link-privacy preserved graph embedding framework using adversarial learning,which can reduce adversary’s prediction accuracy on sensitive links while persevering sufficient non-sensitive information such as graph topology and node attributes in graph embedding.Extensive experiments are conducted to evaluate the proposed framework using ground truth social network datasets.

Zhengyi Wang,Zhongkai Hao,Hang Su,Jun Zhu

2021-01-01

Abstract:While deep neural networks have achieved great success on the graph analysis, recent works have shown that they are also vulnerable to adversarial attacks where fraudulent users can fool the model with a limited number of queries. Compared with adversarial attacks on image classification, performing adversarial attack on graphs is challenging because of the discrete and non-differential nature of a graph. To address these issues, we proposed Cluster Attack, a novel adversarial attack by introducing a set of fake nodes to the original graph which can mislead the classification on certain victim nodes. Specifically, we query the victim model for each victim node to acquire their most adversarial feature, which is related to how the fake node’s feature will affect the victim nodes. We further cluster the victim nodes into several subgroups according to their most adversarial features such that we can reduce the searching space. Moreover, our attack is performed in a practical and unnoticeable manner: (1) We protect the predicted labels of nodes which we are not aimed for from being changed during attack. (2) We attack by introducing fake nodes into the original graph without changing existing links and features. (3) We attack with only partial information about the attacked graph, i.e., by leveraging the information of victim nodes along with their neighbors within k-hop instead of the whole graph. (4) We perform attack with a limited number of queries about the predicted scores of the model in a blackbox manner, i.e., without model architecture and parameters. Extensive experiments demonstrate the effectiveness of our method in terms of the success rate of attack. Department of Computer Science and Technology, Tsinghua University, China. Correspondence to: Zhengyi Wang <wangzy21@mails.tsinghua.edu.cn>. x x x

Jiapeng Zhang,Luoyi Fu,Huan Long,Guiae Meng,Feilong Tang,Xinbing Wang,Guihai Chen

DOI: https://doi.org/10.1109/infocom41043.2020.9155499

2020-01-01

Abstract:The interaction among users in different social networks raises deep concern on user privacy, as it may facilitate the assailants to identify user identities by matching the anonymized networks with a correlated sanitized one. Prior arts regarding such de-anonymization problem can be primarily divided into a seeded case or a seedless one, depending on whether or not there are a subset of pre-identified nodes. The seedless case is much more complicated since the adjacency matrix representation of one-hop user relations delivers limited structural information. To address this issue, we, for the first time, integrate the multi-hop neighborhood relationships, which exhibit more structural commonness between the anonymized and the sanitized networks, into seedless de-anonymization process. Our aim is to sufficiently leverage these multi-hop neighbors of all nodes and minimize the total disagreements of these multi-hop adjacency matrices, which we call collective adjacency disagreements (CADs), between two networks of different sizes. Theoretically, we demonstrate that CAD enlarges the difference between wrongly matched node pairs and correctly matched pairs, whereby two networks can be correctly matched with high probability even when the network density is below log n. Algorithmically, we adopt the conditional gradient descending method on a collective-form objective, which can efficiently find the minimal CADs for networks with broad degree distributions. Experiments on both synthetic and real-world networks return desirable de-anonymization accuracies thanks to the rich structural information manifested by such collectiveness, since most nodes can be correctly matched with their correspondences, especially in sparse networks where merely utilizing adjacency relations might fail to work.

Andrei Buciulea,Madeline Navarro,Samuel Rey,Santiago Segarra,Antonio G. Marques

2024-09-13

Abstract:Graph learning is the fundamental task of estimating unknown graph connectivity from available data. Typical approaches assume that not only is all information available simultaneously but also that all nodes can be observed. However, in many real-world scenarios, data can neither be known completely nor obtained all at once. We present a novel method for online graph estimation that accounts for the presence of hidden nodes. We consider signals that are stationary on the underlying graph, which provides a model for the unknown connections to hidden nodes. We then formulate a convex optimization problem for graph learning from streaming, incomplete graph signals. We solve the proposed problem through an efficient proximal gradient algorithm that can run in real-time as data arrives sequentially. Additionally, we provide theoretical conditions under which our online algorithm is similar to batch-wise solutions. Through experimental results on synthetic and real-world data, we demonstrate the viability of our approach for online graph learning in the presence of missing observations.

Machine Learning,Signal Processing

Gábor György Gulyás,Benedek Simon,Sándor Imre

DOI: https://doi.org/10.1145/2994620.2994632

2016-10-13

Abstract:Releasing connection data from social networking services can pose a significant threat to user privacy. In our work, we consider structural social network de-anonymization attacks, which are used when a malicious party uses connections in a public or other identified network to re-identify users in an anonymized social network release that he obtained previously. In this paper we design and evaluate a novel social de-anonymization attack. In particular, we argue that the similarity function used to re-identify nodes is a key component of such attacks, and we design a novel measure tailored for social networks. We incorporate this measure in an attack called Bumblebee. We evaluate Bumblebee in depth, and show that it significantly outperforms the state-of-the-art, for example it has higher re-identification rates with high precision, robustness against noise, and also has better error control.

Cryptography and Security,Social and Information Networks

Xiaoyun Wang,Minhao Cheng,Joe Eaton,Cho-Jui Hsieh,Felix Wu

DOI: https://doi.org/10.48550/arXiv.1810.10751

IF: 5.414

2018-10-25

Machine Learning

Abstract:In this paper, we study the robustness of graph convolutional networks (GCNs). Previous work have shown that GCNs are vulnerable to adversarial perturbation on adjacency or feature matrices of existing nodes; however, such attacks are usually unrealistic in real applications. For instance, in social network applications, the attacker will need to hack into either the client or server to change existing links or features. In this paper, we propose a new type of "fake node attacks" to attack GCNs by adding malicious fake nodes. This is much more realistic than previous attacks; in social network applications, the attacker only needs to register a set of fake accounts and link to existing ones. To conduct fake node attacks, a greedy algorithm is proposed to generate edges of malicious nodes and their corresponding features aiming to minimize the classification accuracy on the target nodes. In addition, we introduce a discriminator to classify malicious nodes from real nodes, and propose a Greedy-GAN attack to simultaneously update the discriminator and the attacker, to make malicious nodes indistinguishable from the real ones. Our non-targeted attack decreases the accuracy of GCN down to 0.03, and our targeted attack reaches a success rate of 78% on a group of 100 nodes, and 90% on average for attacking a single target node.

Zhikun Zhang,Min Chen,Michael Backes,Yun Shen,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2110.02631

2021-10-06

Abstract:Graph is an important data representation ubiquitously existing in the real world. However, analyzing the graph data is computationally difficult due to its non-Euclidean nature. Graph embedding is a powerful tool to solve the graph analytics problem by transforming the graph data into low-dimensional vectors. These vectors could also be shared with third parties to gain additional insights of what is behind the data. While sharing graph embedding is intriguing, the associated privacy risks are unexplored. In this paper, we systematically investigate the information leakage of the graph embedding by mounting three inference attacks. First, we can successfully infer basic graph properties, such as the number of nodes, the number of edges, and graph density, of the target graph with up to 0.89 accuracy. Second, given a subgraph of interest and the graph embedding, we can determine with high confidence that whether the subgraph is contained in the target graph. For instance, we achieve 0.98 attack AUC on the DD dataset. Third, we propose a novel graph reconstruction attack that can reconstruct a graph that has similar graph structural statistics to the target graph. We further propose an effective defense mechanism based on graph embedding perturbation to mitigate the inference attacks without noticeable performance degradation for graph classification tasks. Our code is available at <a class="link-external link-https" href="https://github.com/Zhangzhk0819/GNN-Embedding-Leaks" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Machine Learning