Private Graph Extraction via Feature Explanations

Iyiola E  Olatunji; Mandeep Rathee; Thorben  Funke; M. Khosla

doi:10.56553/popets-2023-0041

Private Graph Extraction via Feature Explanations

Iyiola E Olatunji, Mandeep Rathee, Thorben Funke, M. Khosla

Multimedia Computing

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

41 Downloads (Pure)

Abstract

Privacy and interpretability are two important ingredients for achieving trustworthy machine learning. We study the interplay of these two aspects in graph machine learning through graph reconstruction attacks. The goal of the adversary here is to reconstruct the graph structure of the training data given access to model explanations. Based on the different kinds of auxiliary information available to the adversary, we propose several graph reconstruction attacks. We show that additional knowledge of post-hoc feature explanations substantially increases the success rate of these attacks. Further, we investigate in detail the differences between attack performance with respect to three different classes of explanation methods for graph neural networks: gradient-based, perturbationbased, and surrogate model-based methods. While gradient-based explanations reveal the most in terms of the graph structure, we find that these explanations do not always score high in utility. For the other two classes of explanations, privacy leakage increases with an increase in explanation utility. Finally, we propose a defense based on a randomized response mechanism for releasing the explanations, which substantially reduces the attack success rate. Our code is available at https://github.com/iyempissy/graphstealing- attacks-with-explanation.

Original language	English
Title of host publication	Proceedings on Privacy Enhancing Technologies 2023(2)
Pages	59-78
Number of pages	20
DOIs	https://doi.org/10.56553/popets-2023-0041
Publication status	Published - 2023
Event	23rd Privacy Enhancing Technologies Symposium - Lausanne, Switzerland Duration: 10 Jul 2023 → 15 Jul 2023 Conference number: 23

Conference

Conference	23rd Privacy Enhancing Technologies Symposium
Abbreviated title	PETS 2023
Country/Territory	Switzerland
City	Lausanne
Period	10/07/23 → 15/07/23

Keywords

privacy risk
model explanations
graph reconstruction attacks
private graph extraction
graph neural networks
attacks

Access to Document

10.56553/popets-2023-0041

popets-2023-0041Final published version, 2.58 MBLicence: CC BY

Cite this

@inproceedings{e98bde528de945d587613f6c34aa1b21,

title = "Private Graph Extraction via Feature Explanations",

abstract = "Privacy and interpretability are two important ingredients for achieving trustworthy machine learning. We study the interplay of these two aspects in graph machine learning through graph reconstruction attacks. The goal of the adversary here is to reconstruct the graph structure of the training data given access to model explanations. Based on the different kinds of auxiliary information available to the adversary, we propose several graph reconstruction attacks. We show that additional knowledge of post-hoc feature explanations substantially increases the success rate of these attacks. Further, we investigate in detail the differences between attack performance with respect to three different classes of explanation methods for graph neural networks: gradient-based, perturbationbased, and surrogate model-based methods. While gradient-based explanations reveal the most in terms of the graph structure, we find that these explanations do not always score high in utility. For the other two classes of explanations, privacy leakage increases with an increase in explanation utility. Finally, we propose a defense based on a randomized response mechanism for releasing the explanations, which substantially reduces the attack success rate. Our code is available at https://github.com/iyempissy/graphstealing- attacks-with-explanation. ",

keywords = "privacy risk, model explanations, graph reconstruction attacks, private graph extraction, graph neural networks, attacks",

author = "Olatunji, {Iyiola E} and Mandeep Rathee and Thorben Funke and M. Khosla",

year = "2023",

doi = "10.56553/popets-2023-0041",

language = "English",

pages = "59--78",

booktitle = "Proceedings on Privacy Enhancing Technologies 2023(2)",

note = "23rd Privacy Enhancing Technologies Symposium, PETS 2023 ; Conference date: 10-07-2023 Through 15-07-2023",

}

TY - GEN

T1 - Private Graph Extraction via Feature Explanations

AU - Olatunji, Iyiola E

AU - Rathee, Mandeep

AU - Funke, Thorben

AU - Khosla, M.

N1 - Conference code: 23

PY - 2023

Y1 - 2023

N2 - Privacy and interpretability are two important ingredients for achieving trustworthy machine learning. We study the interplay of these two aspects in graph machine learning through graph reconstruction attacks. The goal of the adversary here is to reconstruct the graph structure of the training data given access to model explanations. Based on the different kinds of auxiliary information available to the adversary, we propose several graph reconstruction attacks. We show that additional knowledge of post-hoc feature explanations substantially increases the success rate of these attacks. Further, we investigate in detail the differences between attack performance with respect to three different classes of explanation methods for graph neural networks: gradient-based, perturbationbased, and surrogate model-based methods. While gradient-based explanations reveal the most in terms of the graph structure, we find that these explanations do not always score high in utility. For the other two classes of explanations, privacy leakage increases with an increase in explanation utility. Finally, we propose a defense based on a randomized response mechanism for releasing the explanations, which substantially reduces the attack success rate. Our code is available at https://github.com/iyempissy/graphstealing- attacks-with-explanation.

AB - Privacy and interpretability are two important ingredients for achieving trustworthy machine learning. We study the interplay of these two aspects in graph machine learning through graph reconstruction attacks. The goal of the adversary here is to reconstruct the graph structure of the training data given access to model explanations. Based on the different kinds of auxiliary information available to the adversary, we propose several graph reconstruction attacks. We show that additional knowledge of post-hoc feature explanations substantially increases the success rate of these attacks. Further, we investigate in detail the differences between attack performance with respect to three different classes of explanation methods for graph neural networks: gradient-based, perturbationbased, and surrogate model-based methods. While gradient-based explanations reveal the most in terms of the graph structure, we find that these explanations do not always score high in utility. For the other two classes of explanations, privacy leakage increases with an increase in explanation utility. Finally, we propose a defense based on a randomized response mechanism for releasing the explanations, which substantially reduces the attack success rate. Our code is available at https://github.com/iyempissy/graphstealing- attacks-with-explanation.

KW - privacy risk

KW - model explanations

KW - graph reconstruction attacks

KW - private graph extraction

KW - graph neural networks

KW - attacks

U2 - 10.56553/popets-2023-0041

DO - 10.56553/popets-2023-0041

M3 - Conference contribution

SP - 59

EP - 78

BT - Proceedings on Privacy Enhancing Technologies 2023(2)

T2 - 23rd Privacy Enhancing Technologies Symposium

Y2 - 10 July 2023 through 15 July 2023

ER -

Private Graph Extraction via Feature Explanations

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this