Rethinking Generative Reconstruction Attacks against Graph Neural Network Models
Pith reviewed 2026-06-30 06:44 UTC · model grok-4.3
The pith
Adversaries can reconstruct high-quality private graphs from black-box GNNs using a generator-discriminator approach.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
By conditioning a generative model on either the target GNN's class predictions or its intermediate embeddings and using a discriminator to refine the output, an attacker can produce graphs whose distribution closely matches the private training graphs, as measured by multiple structural and distributional statistics, in realistic black-box query scenarios.
What carries the argument
The generator-discriminator framework conditioned on GNN predictions (GLC) or embeddings (ELC) that inverts the model's behavior to recover input graphs.
If this is right
- GNN models expose private graph data through accessible predictions and embeddings.
- Black-box access to outputs suffices for high-quality reconstruction without internal model details.
- A 50 percent reduction in queries still yields comparable reconstruction quality.
- GNNs remain vulnerable to privacy attacks across varying scales of Laplacian noise.
Where Pith is reading between the lines
- Graph-specific privacy methods beyond noise addition may be needed for deployed GNNs.
- The same generative inversion approach could apply to other structured-data models.
- Task-specific metrics on label accuracy would give a clearer picture of leakage beyond distributional scores.
Load-bearing premise
The four chosen distributional and structural metrics accurately reflect successful recovery of the actual private graph structures and labels.
What would settle it
A direct comparison showing that the reconstructed graphs differ substantially from the originals in edge connectivity or node labels on a held-out evaluation set.
Original abstract
The application of graph data in numerous disciplines raises the need for gathering and analyzing huge volumes of data, some of which is private and sensitive. The non-Euclidean nature of the graph data makes the analysis computationally challenging, leading to the use of Graph Neural Networks (GNNs) in the age of AI. GNNs may inadvertently leak sensitive data they are trained on, which raises serious data security issues, including the model inversion attack. In this study, we analyze GNNs' vulnerabilities by introducing two novel graph inversion (i.e., reconstruction) attacks: graph-label conditioned (GLC) attack and embedding-label conditioned (ELC) attack, utilizing target model predictions and their intermediate representations, respectively. We perform a comprehensive analysis of our introduced privacy attacks and compare them with existing baselines across three benchmark graph datasets (i.e., NCI1, PROTEINS, and AIDS) and four graph distributional/structural metrics (i.e., FGD, EGD, MMD, and GKS). Our work demonstrates that an adversary can use the generator-discriminator technique to reconstruct high-quality graphs in real-world black-box attack scenarios against GNNs. Additionally, we present a variant of our attacks (Ours--) with 50% reduced queries, achieving good or comparable reconstruction attack performance. In addition, we show that GNNs are highly vulnerable to privacy attacks, varying Laplacian noise-scales.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces two black-box graph reconstruction attacks on GNNs—graph-label conditioned (GLC) and embedding-label conditioned (ELC)—that employ a generator-discriminator framework conditioned on target model predictions or intermediate embeddings plus labels. It evaluates these attacks against baselines on the NCI1, PROTEINS, and AIDS datasets using four distributional/structural metrics (FGD, EGD, MMD, GKS), reports that the attacks achieve high-quality reconstruction, presents a query-reduced variant (Ours--), and examines robustness under varying Laplacian noise scales.
Significance. If the results hold, the work would be significant for highlighting practical privacy risks in GNNs deployed on sensitive graph data and for providing concrete, query-efficient attack methods that could inform defense design. The reduced-query variant and noise analysis add practical value.
major comments (2)
- [Section 4] Section 4 (Experimental Evaluation): The central claim that the attacks 'reconstruct high-quality graphs' and enable 'reconstruction of private graph structure and labels' rests on improvements in set-level distributional metrics (FGD, EGD, MMD, GKS). These metrics can be satisfied by unconditional distribution matching without recovering the structure or labels of any specific training instance, leaving the mapping from metric scores to instance-level privacy leakage unverified. No instance-level fidelity measures (e.g., edge overlap, graph edit distance to originals, or per-graph label recovery) are reported.
- [Section 4.3] Section 4.3 (Comparison with baselines) and abstract: The superiority claims over existing baselines are quantified only via the same four distributional metrics; without instance-level verification, it is unclear whether the reported gains correspond to better inversion of private data or simply better unconditional graph generation.
minor comments (2)
- [Abstract] Abstract: The clause 'we show that GNNs are highly vulnerable to privacy attacks, varying Laplacian noise-scales' is grammatically unclear; rephrase to 'under varying Laplacian noise scales'.
- [Section 3] Notation: The distinction between GLC and ELC conditioning is introduced in the abstract but would benefit from an explicit side-by-side comparison table early in Section 3.
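The gap that the load-bearing premise and the referee's first major comment point at, as an added example (not code from the paper or from Pith): a toy audit on constructed random graphs that puts a set-level score (MMD over degree histograms) beside an instance-level one (best-match edge Jaccard). The graph size, edge probabilities, kernel, and the assumption that node identities are aligned are choices made for this illustration.

```python
import math
import random
from itertools import combinations

N = 12  # nodes per graph (constructed toy size, not taken from the paper)

def random_graph(p, rng):
    """Erdos-Renyi G(N, p) as a frozenset of undirected edges (u, v), u < v."""
    return frozenset(e for e in combinations(range(N), 2) if rng.random() < p)

def degree_hist(edges):
    """Normalised degree histogram: the kind of feature a set-level metric compares."""
    deg = [0] * N
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    hist = [0.0] * N
    for d in deg:
        hist[d] += 1.0 / N
    return hist

def mmd2(graphs_a, graphs_b, sigma=1.0):
    """Biased squared MMD between two graph sets, Gaussian kernel on degree histograms."""
    fa = [degree_hist(g) for g in graphs_a]
    fb = [degree_hist(g) for g in graphs_b]
    def k(xs, ys):
        total = sum(math.exp(-sum((a - b) ** 2 for a, b in zip(x, y)) / (2 * sigma ** 2))
                    for x in xs for y in ys)
        return total / (len(xs) * len(ys))
    return k(fa, fa) + k(fb, fb) - 2 * k(fa, fb)

def edge_jaccard(a, b):
    """Instance-level edge overlap; assumes node identities are aligned (a simplification)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def best_match_overlap(private, candidates):
    """Mean, over private graphs, of the best edge overlap with any candidate graph."""
    return sum(max(edge_jaccard(g, c) for c in candidates) for g in private) / len(private)

def toggle_one_edge(edges, rng):
    """Near-copy of a graph: flip the presence of one random node pair."""
    return edges ^ {rng.choice(list(combinations(range(N), 2)))}

def demo():
    rng = random.Random(7)
    private = [random_graph(0.3, rng) for _ in range(40)]  # constructed "private" set
    candidates = {
        # same distribution, generated without ever seeing the private set
        "fresh": [random_graph(0.3, rng) for _ in range(40)],
        # near-copies of the private graphs (what instance-level leakage looks like)
        "leaked": [toggle_one_edge(g, rng) for g in private],
        # a different distribution altogether
        "off": [random_graph(0.7, rng) for _ in range(40)],
    }
    return {name: (mmd2(private, c), best_match_overlap(private, c))
            for name, c in candidates.items()}

if __name__ == "__main__":
    for name, (m, o) in demo().items():
        print(f"{name:7s} MMD^2={m:.4f}  best-match edge overlap={o:.3f}")
```

Both the fresh and the leaked sets score a low MMD against the private set; only the overlap column separates a generator that matches the distribution from one that returns near-copies of private graphs.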
Simulated Author's Rebuttal
We thank the referee for the constructive comments on our manuscript. We address the major comments point by point below and indicate where revisions will be made.
- Referee: [Section 4] Section 4 (Experimental Evaluation): The central claim that the attacks 'reconstruct high-quality graphs' and enable 'reconstruction of private graph structure and labels' rests on improvements in set-level distributional metrics (FGD, EGD, MMD, GKS). These metrics can be satisfied by unconditional distribution matching without recovering the structure or labels of any specific training instance, leaving the mapping from metric scores to instance-level privacy leakage unverified. No instance-level fidelity measures (e.g., edge overlap, graph edit distance to originals, or per-graph label recovery) are reported.
  Authors: We acknowledge the distinction between distributional and instance-level evaluation. Our attacks are explicitly generative and conditioned on target model predictions (GLC) or embeddings plus labels (ELC), with the goal of producing graphs whose distribution aligns with the private training data. The four metrics are standard for assessing generative graph models and were chosen to quantify structural and distributional fidelity under black-box access. However, we agree that the current presentation could more clearly separate claims about distributional reconstruction from instance-specific recovery. We will revise Section 4 to include an explicit discussion of this limitation and its implications for interpreting privacy leakage.
  revision: partial
- Referee: [Section 4.3] Section 4.3 (Comparison with baselines) and abstract: The superiority claims over existing baselines are quantified only via the same four distributional metrics; without instance-level verification, it is unclear whether the reported gains correspond to better inversion of private data or simply better unconditional graph generation.
  Authors: All methods, including baselines, are evaluated under identical conditions and metrics to ensure comparability. The conditioning mechanisms in GLC and ELC differentiate them from purely unconditional generators. That said, we accept that the superiority claims should be framed more precisely around improved distributional matching rather than guaranteed per-instance inversion. We will update the abstract and Section 4.3 to reflect this nuance and avoid overstatement.
  revision: partial
Circularity Check
No significant circularity; empirical attack evaluation is self-contained.
full rationale
This is an empirical paper introducing GLC and ELC reconstruction attacks on GNNs via generator-discriminator methods and evaluating them on three benchmark datasets using four external distributional/structural metrics (FGD, EGD, MMD, GKS). No derivations, equations, fitted parameters, or self-citation chains are present that reduce any claimed result to its own inputs by construction. The central claims rest on experimental outcomes against independent benchmarks rather than any definitional or fitted-input loop, satisfying the criteria for a non-circular finding.