Inference Attacks Against Graph Generative Diffusion Models

• URL: http://arxiv.org/abs/2601.03701v1
• Date: Wed, 07 Jan 2026 08:38:13 GMT
• Title: Inference Attacks Against Graph Generative Diffusion Models
• Authors: Xiuling Wang, Xin Huang, Guibo Luo, Jianliang Xu,
• Abstract summary: Graph generative diffusion models have emerged as a powerful paradigm for generating complex graph structures.<n>However, the privacy risks associated with these models remain largely unexplored.<n>In this paper, we investigate information leakage in such models through three types of black-box inference attacks.
• Score: 20.384972857911976
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Graph generative diffusion models have recently emerged as a powerful paradigm for generating complex graph structures, effectively capturing intricate dependencies and relationships within graph data. However, the privacy risks associated with these models remain largely unexplored. In this paper, we investigate information leakage in such models through three types of black-box inference attacks. First, we design a graph reconstruction attack, which can reconstruct graphs structurally similar to those training graphs from the generated graphs. Second, we propose a property inference attack to infer the properties of the training graphs, such as the average graph density and the distribution of densities, from the generated graphs. Third, we develop two membership inference attacks to determine whether a given graph is present in the training set. Extensive experiments on three different types of graph generative diffusion models and six real-world graphs demonstrate the effectiveness of these attacks, significantly outperforming the baseline approaches. Finally, we propose two defense mechanisms that mitigate these inference attacks and achieve a better trade-off between defense strength and target model utility than existing methods. Our code is available at https://zenodo.org/records/17946102.

Related papers

• Cluster-Aware Attacks on Graph Watermarks [50.19105800063768]
  We introduce a cluster-aware threat model in which adversaries apply community-guided modifications to evade detection.<n>Our results show that cluster-aware attacks can reduce attribution accuracy by up to 80% more than random baselines.<n>We propose a lightweight embedding enhancement that distributes watermark nodes across graph communities.
  arXiv  Detail & Related papers  (2025-04-24T22:49:28Z)
• Backdoor Attacks on Discrete Graph Diffusion Models [23.649243273191605]
  We study graph diffusion models against backdoor attacks, a severe attack that manipulates both the training and inference/generation phases.<n>We first define the threat model, under which we design the attack such that the backdoored graph diffusion model can generate 1) high-quality graphs without backdoor activation, 2) effective, stealthy, and persistent backdoored graphs with backdoor activation, and 3) graphs that are permutation invariant and exchangeable--two core properties in graph generative models.
  arXiv  Detail & Related papers  (2025-03-08T21:01:15Z)
• Graph Defense Diffusion Model [26.41730982598055]
  Graph Neural Networks (GNNs) are highly vulnerable to adversarial attacks, which can greatly degrade their performance.<n>Existing graph purification methods attempt to address this issue by filtering attacked graphs.<n>We propose a more versatile approach for defending against adversarial attacks on graphs.
  arXiv  Detail & Related papers  (2025-01-20T16:18:40Z)
• Towards Robust Graph Structural Learning Beyond Homophily via Preserving Neighbor Similarity [26.990618075974485]
  We explore the vulnerability of graph-based learning systems regardless of the homophily degree.<n>We propose a novel graph structural learning strategy that serves as a useful graph mining module.
  arXiv  Detail & Related papers  (2024-01-18T06:57:29Z)
• Graph Generation with Diffusion Mixture [57.78958552860948]
  Generation of graphs is a major challenge for real-world tasks that require understanding the complex nature of their non-Euclidean structures. We propose a generative framework that models the topology of graphs by explicitly learning the final graph structures of the diffusion process.
  arXiv  Detail & Related papers  (2023-02-07T17:07:46Z)
• Model Inversion Attacks against Graph Neural Networks [65.35955643325038]
  We study model inversion attacks against Graph Neural Networks (GNNs) In this paper, we present GraphMI to infer the private training graph data. Our experimental results show that such defenses are not sufficiently effective and call for more advanced defenses against privacy attacks.
  arXiv  Detail & Related papers  (2022-09-16T09:13:43Z)
• Inference Attacks Against Graph Neural Networks [33.19531086886817]
  Graph embedding is a powerful tool to solve the graph analytics problem. While sharing graph embedding is intriguing, the associated privacy risks are unexplored. We systematically investigate the information leakage of the graph embedding by mounting three inference attacks.
  arXiv  Detail & Related papers  (2021-10-06T10:08:11Z)
• GraphMI: Extracting Private Graph Data from Graph Neural Networks [59.05178231559796]
  We present textbfGraph textbfModel textbfInversion attack (GraphMI), which aims to extract private graph data of the training graph by inverting GNN. Specifically, we propose a projected gradient module to tackle the discreteness of graph edges while preserving the sparsity and smoothness of graph features. We design a graph auto-encoder module to efficiently exploit graph topology, node attributes, and target model parameters for edge inference.
  arXiv  Detail & Related papers  (2021-06-05T07:07:52Z)
• Adversarial Attack Framework on Graph Embedding Models with Limited Knowledge [126.32842151537217]
  Existing works usually perform the attack in a white-box fashion. We demand to attack various kinds of graph embedding models with black-box driven. We prove that GF-Attack can perform an effective attack without knowing the number of layers of graph embedding models.
  arXiv  Detail & Related papers  (2021-05-26T09:18:58Z)
• A Robust and Generalized Framework for Adversarial Graph Embedding [73.37228022428663]
  We propose a robust framework for adversarial graph embedding, named AGE. AGE generates the fake neighbor nodes as the enhanced negative samples from the implicit distribution. Based on this framework, we propose three models to handle three types of graph data.
  arXiv  Detail & Related papers  (2021-05-22T07:05:48Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.