Many real-world data come in the form of graphs. Graph neural networks
(GNNs), a new family of machine learning (ML) models, have been proposed to
fully leverage graph data to build powerful applications. In particular, the
inductive GNNs, which can generalize to unseen data, become mainstream in this
direction. Machine learning models have shown great potential in various tasks
and have been deployed in many real-world scenarios. To train a good model, a
large amount of data as well as computational resources are needed, leading to
valuable intellectual property. Previous research has shown that ML models are
prone to model stealing attacks, which aim to steal the functionality of the
target models. However, most of them focus on the models trained with images
and texts. On the other hand, little attention has been paid to models trained
with graph data, i.e., GNNs. In this paper, we fill the gap by proposing the
first model stealing attacks against inductive GNNs. We systematically define
the threat model and propose six attacks based on the adversary's background
knowledge and the responses of the target models. Our evaluation on six
benchmark datasets shows that the proposed model stealing attacks against GNNs
achieve promising performance.

本文提出了针对归纳图神经网络的模型盗窃攻击，定义了威胁模型并根据对手的背景知识和目标模型的响应提出了六种攻击方式。在六个基准数据集上的评估结果显示，该攻击方式取得了良好的性能表现。

归纳图神经网络的模型窃取攻击

Model Stealing Attacks Against Inductive Graph Neural Networks

Graph data, such as chemical networks and social networks, may be deemed
confidential/private because the data owner often spends lots of resources
collecting the data or the data contains sensitive information, e.g., social
relationships. Recently, neural networks were extended to graph data, which are
known as graph neural networks (GNNs). Due to their superior performance, GNNs
have many applications, such as healthcare analytics, recommender systems, and
fraud detection. In this work, we propose the first attacks to steal a graph
from the outputs of a GNN model that is trained on the graph. Specifically,
given a black-box access to a GNN model, our attacks can infer whether there
exists a link between any pair of nodes in the graph used to train the model.
We call our attacks link stealing attacks. We propose a threat model to
systematically characterize an adversary's background knowledge along three
dimensions which in total leads to a comprehensive taxonomy of 8 different link
stealing attacks. We propose multiple novel methods to realize these 8 attacks.
Extensive experiments on 8 real-world datasets show that our attacks are
effective at stealing links, e.g., AUC (area under the ROC curve) is above 0.95
in multiple cases. Our results indicate that the outputs of a GNN model reveal
rich information about the structure of the graph used to train the model.

本研究提出了针对图神经网络的链路窃取攻击，并介绍了三个维度的威胁模型以及八种链路窃取攻击方法。在八个真实数据集上的实验表明，攻击是有效的，并揭示了 GNN 模型输出关于训练图结构的丰富信息，证明了在黑盒条件下，一些私密数据可以被窃取。