Membership Inference Attacks Based on Graph Neural Network Model Calibration
doi: 10.11999/JEIT240477
1. School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
2. School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China
3. School of Information Engineering, Yangzhou University, Yangzhou 225127, China
-
Abstract: Graph Neural Network (GNN) models are often under-confident in their predictions, which makes Membership Inference Attacks (MIAs) against them difficult to mount and leads to high attack false negative rates. To address this problem, this paper proposes an MIA method based on GNN model calibration. First, a causal-inference-based GNN model calibration method is designed, which constructs the causal association graph used to train the GNN model through attention-based causal graph extraction, decoupling of the causal and non-causal graphs, a backdoor path adjustment strategy, and a causal association graph generation process. Second, a shadow GNN model is built from shadow causal association graphs drawn from the same data distribution as the target causal association graph, so that it mimics the prediction behavior of the target GNN model. Finally, the shadow GNN model's posterior probabilities are used to construct an attack dataset for training the attack model, which then infers from the target GNN model's posterior output for a target node whether that node belongs to the target model's training data. Experiments on four datasets show that, under two attack modes and against GNN models of different architectures, the proposed method reaches an attack accuracy of up to 92.6% and an attack false negative rate as low as 6.7%, outperforming baseline attack methods and mounting MIAs effectively.
-
Keywords:
- Graph neural networks
- Membership inference attacks
- Model calibration
- Causal inference
- Privacy risk
Objective: Membership Inference Attacks (MIAs) against machine learning models pose a significant threat to the privacy of training data. The primary goal of MIAs is to determine whether specific data samples are part of a target model's training set. MIAs reveal potential privacy vulnerabilities in artificial intelligence models, making them a critical area of research in AI security. Investigating MIAs not only helps security researchers assess model vulnerability to such attacks but also provides a theoretical foundation for establishing guidelines for the use of sensitive data and for developing strategies to improve model security. In recent years, Graph Neural Network (GNN) models have become a key focus of MIA research. However, GNN models are often under-confident in their predictions, marked by cautious probability distributions in their outputs. This prevents existing MIA methods from fully exploiting posterior probability information, resulting in reduced attack accuracy and higher false negative rates, and significantly limits the effectiveness and applicability of current attack methods. Addressing the under-confidence problem in GNN predictions and developing enhanced MIA approaches has therefore become both necessary and urgent.

Methods: Because GNN models are often under-confident in their predictions, which hampers the implementation of MIAs and results in high false negative rates, an MIAs method based on GNN Model Calibration (MIAs-MC) is proposed (Fig. 1). First, a GNN model calibration method based on causal inference is designed and applied: causal graphs are extracted with an attention mechanism, causal and non-causal graphs are decoupled, a backdoor adjustment strategy is applied, and causal association graphs are generated and used to train the GNN model (Fig. 2). Next, a shadow GNN model is constructed from shadow causal association graphs that share the same data distribution as the target causal association graph, enabling the shadow model to mimic the behavior of the target GNN model. Finally, posterior probabilities from the shadow GNN model are used to create an attack dataset, which is employed to train an attack model. This attack model then infers whether a target node is part of the target GNN model's training data, based on the posterior probabilities produced by the target GNN model.
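The shadow-and-attack pipeline just described can be summarized in a short, hedged sketch. Everything below is illustrative: the posterior arrays are synthetic stand-ins for the calibrated shadow and target GNN outputs, and sorting posterior vectors plus an MLP attack model are common MIA conventions rather than the paper's exact configuration.

```python
import numpy as np
from sklearn.neural_network import MLPClassifier

rng = np.random.default_rng(0)

# Stand-in posteriors: members tend to receive peaked (confident) posteriors,
# non-members flatter ones. Real inputs would come from the calibrated shadow GNN.
C = 7                                                          # e.g. Cora has 7 classes
shadow_member_post = rng.dirichlet(np.ones(C) * 0.3, 500)      # peaked
shadow_nonmember_post = rng.dirichlet(np.ones(C) * 3.0, 500)   # flat

def build_attack_dataset(member_post, nonmember_post):
    """Attack features are posterior vectors sorted in descending order
    (a common MIA convention, so class identity is not leaked); label 1 = member."""
    X = np.vstack([member_post, nonmember_post])
    X = -np.sort(-X, axis=1)
    y = np.r_[np.ones(len(member_post)), np.zeros(len(nonmember_post))]
    return X, y

# 1) Build the attack dataset from the shadow GNN's posteriors.
X_att, y_att = build_attack_dataset(shadow_member_post, shadow_nonmember_post)

# 2) Train the attack model.
attack = MLPClassifier(hidden_layer_sizes=(64,), max_iter=500, random_state=0)
attack.fit(X_att, y_att)

# 3) Infer membership of target nodes from the target GNN's posteriors
#    (placeholder query batch here).
target_post = rng.dirichlet(np.ones(C) * 0.3, 10)
is_member = attack.predict(-np.sort(-target_post, axis=1))     # 1 -> inferred member
```

The sketch makes the role of calibration visible: the sharper the separation between member and non-member posterior distributions, the easier the attack classifier's job.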
Results and Discussions: To assess the feasibility and effectiveness of the proposed attack method, two attack modes are implemented and MIAs are conducted under both. The experimental results show that the proposed method consistently outperforms the baseline attack method across metrics. In Attack Mode 1, the proposed method is evaluated on the Cora, CiteSeer, PubMed, and Flickr datasets and compared with the baseline method (Table 2 and Table 3). Relative to the baseline, it improves attack accuracy and attack precision for the GCN, GAT, GraphSAGE, and SGC models by 2.6% to 19.4% and 0.9% to 19.4%, respectively. The results further indicate that, after GNN model calibration, the shadow model mimics the prediction behavior of the target model more faithfully, which raises the success rate of MIAs against the target model (Table 4 and Table 5). Notably, the GAT model exhibits high robustness against MIAs under both the proposed and baseline methods. In Attack Mode 2, the attack performance of the proposed method is compared with the baseline across the same datasets (Fig. 4, Fig. 5, and Fig. 6). The proposed method improves attack accuracy by 0.3% to 21.4% and attack precision by 0.2% to 21.7%, and reduces the average attack false negative rate by 9.1%. Overall, the results from both attack modes indicate that calibrating the GNN model and training the attack model on the calibrated posterior probabilities significantly enhances MIA performance. Attack performance nevertheless varies across datasets and model architectures: analysis of the results shows that the effectiveness of the proposed method depends on the structural characteristics of the graph datasets and the specific configurations of the GNN architectures.

Conclusions: The proposed MIA method based on GNN model calibration constructs a causal association graph via a calibration technique rooted in causal inference. This causal association graph is then used to build shadow GNN models and attack models, enabling MIAs on target GNN models. The results verify that GNN model calibration enhances the effectiveness of MIAs.
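The under-confidence premise above, i.e., a GNN whose accuracy exceeds its mean predicted confidence, can be quantified with the standard Expected Calibration Error (ECE). A minimal sketch, with synthetic posteriors standing in for real GNN outputs:

```python
import torch

def expected_calibration_error(probs, labels, n_bins=10):
    """probs: [N, C] posterior matrix; labels: [N] ground-truth classes.
    ECE = sum over bins b of (|B_b|/N) * |accuracy(B_b) - confidence(B_b)|."""
    conf, pred = probs.max(dim=1)
    correct = pred.eq(labels).float()
    edges = torch.linspace(0.0, 1.0, n_bins + 1)
    ece = torch.zeros(())
    for lo, hi in zip(edges[:-1], edges[1:]):
        in_bin = (conf > lo) & (conf <= hi)
        if in_bin.any():
            gap = (correct[in_bin].mean() - conf[in_bin].mean()).abs()
            ece += in_bin.float().mean() * gap
    return ece.item()

# Toy demonstration of under-confidence: predictions are all correct
# (accuracy 1.0) but the posteriors are flat, so mean confidence is low.
probs = torch.softmax(torch.randn(1000, 7), dim=1)   # placeholder posteriors
labels = probs.argmax(dim=1)
print(expected_calibration_error(probs, labels))     # large value -> poorly calibrated
```

A well-calibrated model drives this value toward zero; for an under-confident GNN, calibration raises confidence toward accuracy, which is precisely what makes the posteriors more informative to an attacker.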
Algorithm 1  Causal association graph generation

Input: initial GNN training subgraphs G (G_t, G_s ∈ G); number of iterations T
Output: target causal association graph G_target; shadow causal association graph G_shadow
(1) for t = 1 to T
(2)   G_c, G_u ← Attention(G)               // extract the causal graph with an attention mechanism
(3)   L_c, L_u ← Decouple(G)                // decouple causal and non-causal graphs, yielding their loss terms
(4)   L_cau ← BackdoorAdjustment(G_c, G_u)  // backdoor path adjustment, yielding the backdoor adjustment loss
(5)   L ← L_c + L_u + L_cau                 // compute the total model loss
(6)   θ^(t+1) ← Update(θ^(t))               // update model parameters
(7)   G^(t+1) ← G^(t)                       // iteratively update the causal attention graph
(8) end for
(9) G_target, G_shadow ← G^(T)              // final target and shadow causal association graphs
(10) return G_target, G_shadow
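As one concrete reading of Algorithm 1, the sketch below implements the loop in plain PyTorch on a dense adjacency matrix. The attention-based edge split, the exact forms of L_c and L_u, and the backdoor adjustment via a randomly shuffled non-causal context are hedged assumptions in the spirit of causal attention learning methods, not the authors' implementation.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

class CausalGNN(nn.Module):
    def __init__(self, in_dim, hid, n_cls):
        super().__init__()
        self.enc = nn.Linear(in_dim, hid)    # one dense GCN-style layer
        self.cls = nn.Linear(hid, n_cls)
        self.att = nn.Linear(2 * hid, 1)     # edge attention, step (2)

    def embed(self, x, adj):
        return F.relu(adj @ self.enc(x))

    def edge_mask(self, x, adj):
        """Attention score in (0, 1) for every existing edge (dense adjacency)."""
        h = self.embed(x, adj)
        n = h.size(0)
        pair = torch.cat([h.unsqueeze(1).expand(n, n, -1),
                          h.unsqueeze(0).expand(n, n, -1)], dim=-1)
        return torch.sigmoid(self.att(pair)).squeeze(-1) * adj

    def forward(self, x, adj):
        return self.cls(self.embed(x, adj))

def generate_causal_graph(model, x, adj, y, T=50, lr=0.01):
    opt = torch.optim.Adam(model.parameters(), lr=lr)
    for _ in range(T):                                      # step (1)
        m = model.edge_mask(x, adj)                         # step (2): attention split
        adj_c, adj_u = m, adj - m                           # causal / non-causal graphs
        Lc = F.cross_entropy(model(x, adj_c), y)            # causal part should predict labels
        Lu = -F.log_softmax(model(x, adj_u), dim=1).mean()  # non-causal part pushed to uniform (assumption)
        perm = torch.randperm(x.size(0))                    # step (4): backdoor adjustment,
        adj_mix = adj_c + adj_u[perm][:, perm]              # pair G_c with a shuffled G_u context
        Lcau = F.cross_entropy(model(x, adj_mix), y)
        loss = Lc + Lu + Lcau                               # step (5)
        opt.zero_grad(); loss.backward(); opt.step()        # step (6)
    return (model.edge_mask(x, adj) > 0.5).float()          # steps (9)-(10)
```

Calling generate_causal_graph once on the target subgraph and once on the shadow subgraph would yield G_target and G_shadow as in steps (9) and (10).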
Table 1  Dataset statistics

| Dataset  | Classes | Nodes  | Edges   | Node feature dim. | Nodes used |
|----------|---------|--------|---------|-------------------|------------|
| Cora     | 7       | 2,708  | 5,429   | 1,433             | 2,520      |
| CiteSeer | 6       | 3,327  | 4,732   | 3,703             | 2,400      |
| PubMed   | 3       | 19,717 | 44,338  | 500               | 18,000     |
| Flickr   | 7       | 89,250 | 449,878 | 500               | 42,000     |
Table 2  Attack results of MIAs-MC under Attack Mode 1

| Dataset  | GNN architecture | Accuracy | Precision | AUC   | Recall | F1-score |
|----------|------------------|----------|-----------|-------|--------|----------|
| Cora     | GCN              | 0.926    | 0.920     | 0.912 | 0.913  | 0.912    |
| Cora     | GAT              | 0.911    | 0.914     | 0.910 | 0.911  | 0.911    |
| Cora     | GraphSAGE        | 0.905    | 0.908     | 0.904 | 0.905  | 0.905    |
| Cora     | SGC              | 0.914    | 0.923     | 0.915 | 0.914  | 0.914    |
| CiteSeer | GCN              | 0.918    | 0.912     | 0.917 | 0.918  | 0.918    |
| CiteSeer | GAT              | 0.857    | 0.879     | 0.857 | 0.857  | 0.855    |
| CiteSeer | GraphSAGE        | 0.933    | 0.936     | 0.931 | 0.933  | 0.933    |
| CiteSeer | SGC              | 0.930    | 0.938     | 0.929 | 0.930  | 0.930    |
| PubMed   | GCN              | 0.750    | 0.784     | 0.750 | 0.751  | 0.743    |
| PubMed   | GAT              | 0.642    | 0.686     | 0.643 | 0.642  | 0.621    |
| PubMed   | GraphSAGE        | 0.748    | 0.754     | 0.747 | 0.748  | 0.748    |
| PubMed   | SGC              | 0.690    | 0.702     | 0.691 | 0.690  | 0.690    |
| Flickr   | GCN              | 0.841    | 0.846     | 0.841 | 0.841  | 0.841    |
| Flickr   | GAT              | 0.786    | 0.801     | 0.787 | 0.786  | 0.785    |
| Flickr   | GraphSAGE        | 0.732    | 0.764     | 0.732 | 0.732  | 0.725    |
| Flickr   | SGC              | 0.907    | 0.916     | 0.908 | 0.907  | 0.907    |
Table 3  Attack results of the baseline attack method under Attack Mode 1

| Dataset  | GNN architecture | Accuracy | Precision | AUC   | Recall | F1-score |
|----------|------------------|----------|-----------|-------|--------|----------|
| Cora     | GCN              | 0.763    | 0.770     | 0.764 | 0.763  | 0.763    |
| Cora     | GAT              | 0.721    | 0.728     | 0.718 | 0.721  | 0.720    |
| Cora     | GraphSAGE        | 0.825    | 0.837     | 0.825 | 0.825  | 0.824    |
| Cora     | SGC              | 0.806    | 0.812     | 0.808 | 0.806  | 0.807    |
| CiteSeer | GCN              | 0.860    | 0.865     | 0.859 | 0.860  | 0.860    |
| CiteSeer | GAT              | 0.772    | 0.775     | 0.769 | 0.772  | 0.771    |
| CiteSeer | GraphSAGE        | 0.858    | 0.875     | 0.859 | 0.858  | 0.827    |
| CiteSeer | SGC              | 0.863    | 0.868     | 0.862 | 0.863  | 0.863    |
| PubMed   | GCN              | 0.647    | 0.655     | 0.647 | 0.647  | 0.647    |
| PubMed   | GAT              | 0.593    | 0.612     | 0.593 | 0.593  | 0.580    |
| PubMed   | GraphSAGE        | 0.554    | 0.560     | 0.553 | 0.554  | 0.553    |
| PubMed   | SGC              | 0.664    | 0.685     | 0.665 | 0.664  | 0.658    |
| Flickr   | GCN              | 0.774    | 0.805     | 0.775 | 0.774  | 0.769    |
| Flickr   | GAT              | 0.601    | 0.613     | 0.602 | 0.601  | 0.598    |
| Flickr   | GraphSAGE        | 0.689    | 0.755     | 0.688 | 0.689  | 0.668    |
| Flickr   | SGC              | 0.877    | 0.893     | 0.878 | 0.877  | 0.876    |
Table 4  Accuracy gaps between shadow and target models on Cora (%)

| GNN architecture | Train acc. gap, baseline attack | Test acc. gap, baseline attack | Train acc. gap, after calibration | Test acc. gap, after calibration |
|------------------|---------------------------------|--------------------------------|-----------------------------------|----------------------------------|
| GCN              | 0.32                            | 3.97                           | 0.79                              | 0.95                             |
| GAT              | 3.65                            | 1.99                           | 1.91                              | 2.22                             |
| GraphSAGE        | 0.32                            | 4.92                           | 0.16                              | 0.80                             |
| SGC              | 0.66                            | 0.47                           | 1.11                              | 1.70                             |
Table 5  Accuracy gaps between shadow and target models on PubMed (%)

| GNN architecture | Train acc. gap, baseline attack | Test acc. gap, baseline attack | Train acc. gap, after calibration | Test acc. gap, after calibration |
|------------------|---------------------------------|--------------------------------|-----------------------------------|----------------------------------|
| GCN              | 1.45                            | 0.75                           | 1.15                              | 0.14                             |
| GAT              | 0.36                            | 1.15                           | 0.82                              | 0.51                             |
| GraphSAGE        | 0.20                            | 5.12                           | 0.13                              | 3.15                             |
| SGC              | 1.58                            | 0.60                           | 0.73                              | 0.56                             |