
arxiv: 2606.29748 · v1 · pith:C7VHLSWEnew · submitted 2026-06-29 · 💻 cs.AI · cs.LG

Rethinking Generative Reconstruction Attacks against Graph Neural Network Models

Pith reviewed 2026-06-30 06:44 UTC · model grok-4.3

classification 💻 cs.AI cs.LG
keywords: graph neural networks · model inversion attack · graph reconstruction · privacy attack · black-box attack · generator-discriminator · GNN vulnerability

The pith

Adversaries can reconstruct high-quality private graphs from black-box GNNs using a generator-discriminator approach.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents two new attacks on Graph Neural Networks called graph-label conditioned (GLC) and embedding-label conditioned (ELC) attacks. These attacks train a generator to create graphs that match the target model's outputs or internal embeddings, paired with a discriminator to improve quality. Evaluations on NCI1, PROTEINS, and AIDS datasets using FGD, EGD, MMD, and GKS metrics show that these methods recover graphs effectively in black-box settings. A version with half the queries maintains performance. The results indicate GNNs leak sensitive information through their predictions and representations even under noise.

Core claim

By conditioning a generative model on either the target GNN's class predictions or its intermediate embeddings and using a discriminator to refine the output, an attacker can produce graphs whose distribution closely matches the private training graphs, as measured by multiple structural and distributional statistics, in realistic black-box query scenarios.

What carries the argument

The generator-discriminator framework conditioned on GNN predictions (GLC) or embeddings (ELC) that inverts the model's behavior to recover input graphs.

If this is right

  • GNN models expose private graph data through accessible predictions and embeddings.
  • Black-box access to outputs suffices for high-quality reconstruction without internal model details.
  • A 50 percent reduction in queries still yields comparable reconstruction quality.
  • GNNs remain vulnerable to privacy attacks across varying scales of Laplacian noise.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Graph-specific privacy methods beyond noise addition may be needed for deployed GNNs.
  • The same generative inversion approach could apply to other structured-data models.
  • Task-specific metrics on label accuracy would give a clearer picture of leakage beyond distributional scores.

Load-bearing premise

The four chosen distributional and structural metrics accurately reflect successful recovery of the actual private graph structures and labels.

What would settle it

A direct comparison showing that the reconstructed graphs differ substantially from the originals in edge connectivity or node labels on a held-out evaluation set.

Figures

Figures reproduced from arXiv: 2606.29748 by Adebayo Keji, Sayanton Dibbo.

Figure 1: An overview of the proposed two novel privacy attacks against graphs: (a) GLC attack and (b) ELC attack.

Figure 2: Comparison of graph reconstruction quality under GLC attack with varying Laplace scales for three datasets. Columns correspond to FGD, EGD, MMD, and GKS, respectively. Rows correspond to NCI1, PROTEINS, and AIDS datasets.
  […] of Ours−− reduced by 0.3% when compared to VAE−− while Ours has a remarkable reconstruction value of 12% when compared to the VAE. Ours consistently outperforms VAE for EGD and GKS score …

Figure 3: Comparison of graph reconstruction quality under ELC attack with varying Laplace scales for three datasets. Columns correspond to FGD, EGD, MMD, and GKS, respectively. Rows correspond to NCI1, PROTEINS, and AIDS datasets.
  […] two attack variants, Ours and Ours−−. Ours involves training the attack model with 100% of the dataset, Ours−− with 50% of the dataset. From the empirical analysis carried out using diffe…
Original abstract

The application of graph data in numerous disciplines raises the need for gathering and analyzing huge volumes of data, some of which is private and sensitive. The non-Euclidean nature of the graph data makes the analysis computationally challenging, leading to the use of Graph Neural Networks (GNNs) in the age of AI. GNNs may inadvertently leak sensitive data they are trained on, which raises serious data security issues, including the model inversion attack. In this study, we analyze GNNs' vulnerabilities by introducing two novel graph inversion (i.e., reconstruction) attacks: graph-label conditioned (GLC) attack and embedding-label conditioned (ELC) attack, utilizing target model predictions and their intermediate representations, respectively. We perform a comprehensive analysis of our introduced privacy attacks and compare them with existing baselines across three benchmark graph datasets (i.e., NCI1, PROTEINS, and AIDS) and four graph distributional/structural metrics (i.e., FGD, EGD, MMD, and GKS). Our work demonstrates that an adversary can use the generator-discriminator technique to reconstruct high-quality graphs in real-world black-box attack scenarios against GNNs. Additionally, we present a variant of our attacks (Ours--) with 50% reduced queries, achieving good or comparable reconstruction attack performance. In addition, we show that GNNs are highly vulnerable to privacy attacks, varying Laplacian noise-scales.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces two black-box graph reconstruction attacks on GNNs—graph-label conditioned (GLC) and embedding-label conditioned (ELC)—that employ a generator-discriminator framework conditioned on target model predictions or intermediate embeddings plus labels. It evaluates these attacks against baselines on the NCI1, PROTEINS, and AIDS datasets using four distributional/structural metrics (FGD, EGD, MMD, GKS), reports that the attacks achieve high-quality reconstruction, presents a query-reduced variant (Ours--), and examines robustness under varying Laplacian noise scales.

Significance. If the results hold, the work would be significant for highlighting practical privacy risks in GNNs deployed on sensitive graph data and for providing concrete, query-efficient attack methods that could inform defense design. The reduced-query variant and noise analysis add practical value.

major comments (2)
  1. [Section 4] Section 4 (Experimental Evaluation): The central claim that the attacks 'reconstruct high-quality graphs' and enable 'reconstruction of private graph structure and labels' rests on improvements in set-level distributional metrics (FGD, EGD, MMD, GKS). These metrics can be satisfied by unconditional distribution matching without recovering the structure or labels of any specific training instance, leaving the mapping from metric scores to instance-level privacy leakage unverified. No instance-level fidelity measures (e.g., edge overlap, graph edit distance to originals, or per-graph label recovery) are reported.
  2. [Section 4.3] Section 4.3 (Comparison with baselines) and abstract: The superiority claims over existing baselines are quantified only via the same four distributional metrics; without instance-level verification, it is unclear whether the reported gains correspond to better inversion of private data or simply better unconditional graph generation.
minor comments (2)
  1. [Abstract] Abstract: The clause 'we show that GNNs are highly vulnerable to privacy attacks, varying Laplacian noise-scales' is grammatically unclear; rephrase to 'under varying Laplacian noise scales'.
  2. [Section 3] Notation: The distinction between GLC and ELC conditioning is introduced in the abstract but would benefit from an explicit side-by-side comparison table early in Section 3.
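
The gap raised in major comment 1 and under "What would settle it", shown as an added example (not code from the paper or from Pith): on constructed 6-node toy graphs, a set-level score is computed next to a per-graph nearest-neighbour edit distance. The degree-histogram MMD is an assumed stand-in, since this page does not define FGD, EGD, MMD or GKS, and all function names are hypothetical.

```python
"""Set-level vs instance-level scoring of reconstructed graphs (constructed toy data)."""
from itertools import permutations
from math import exp

N = 6  # every toy graph has 6 nodes, so brute-force matching (720 permutations) is cheap

def graph(*edges):
    """Undirected graph as a frozenset of sorted node pairs."""
    return frozenset(tuple(sorted(e)) for e in edges)

def degree_hist(g):
    """Normalised degree histogram: share of nodes having degree 0..N-1."""
    deg = [0] * N
    for u, v in g:
        deg[u] += 1
        deg[v] += 1
    return [deg.count(d) / N for d in range(N)]

def mmd2(set_a, set_b, sigma=1.0):
    """Squared MMD between two graph sets, Gaussian kernel on degree histograms (assumed metric)."""
    def k(x, y):
        return exp(-sum((a - b) ** 2 for a, b in zip(x, y)) / (2 * sigma ** 2))
    def mean_k(xs, ys):
        return sum(k(x, y) for x in xs for y in ys) / (len(xs) * len(ys))
    ha = [degree_hist(g) for g in set_a]
    hb = [degree_hist(g) for g in set_b]
    return mean_k(ha, ha) + mean_k(hb, hb) - 2 * mean_k(ha, hb)

def edge_edit_distance(g, h):
    """Exact number of edge insertions/deletions, minimised over node relabellings of h."""
    best = len(g) + len(h)
    for p in permutations(range(N)):
        relabelled = frozenset(tuple(sorted((p[u], p[v]))) for u, v in h)
        best = min(best, len(g ^ relabelled))
    return best

def nearest_private_distance(generated, private):
    """For each generated graph, edit distance to its closest private graph."""
    return [min(edge_edit_distance(p, g) for p in private) for g in generated]

# Constructed "private" set: a 6-cycle and a spider tree with legs of length 1, 1, 3.
PRIVATE = [graph((0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0)),
           graph((0, 1), (0, 2), (0, 3), (3, 4), (4, 5))]
# Relabelled copies of the private graphs: what instance-level recovery looks like.
COPIES = [graph((3, 5), (5, 1), (1, 0), (0, 4), (4, 2), (2, 3)),
          graph((5, 4), (5, 3), (5, 2), (2, 1), (1, 0))]
# Different graphs with the same degree sequences: two triangles, spider with legs 1, 2, 2.
LOOKALIKES = [graph((0, 1), (1, 2), (2, 0), (3, 4), (4, 5), (5, 3)),
              graph((0, 1), (0, 2), (2, 3), (0, 4), (4, 5))]

def report():
    """Map each candidate set to (set-level MMD^2, per-graph nearest-private distances)."""
    return {name: (mmd2(PRIVATE, s), nearest_private_distance(s, PRIVATE))
            for name, s in (("copies", COPIES), ("lookalikes", LOOKALIKES))}

if __name__ == "__main__":
    for name, (score, dists) in report().items():
        print(f"{name:10s} MMD^2={score:.4f} nearest-private edit distance={dists}")
```

Both candidate sets score an MMD² of zero against the private set, yet only the relabelled copies sit at edit distance 0 from a private graph; the set-level number alone cannot tell the two cases apart.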

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on our manuscript. We address the major comments point by point below and indicate where revisions will be made.

  1. Referee: [Section 4] Section 4 (Experimental Evaluation): The central claim that the attacks 'reconstruct high-quality graphs' and enable 'reconstruction of private graph structure and labels' rests on improvements in set-level distributional metrics (FGD, EGD, MMD, GKS). These metrics can be satisfied by unconditional distribution matching without recovering the structure or labels of any specific training instance, leaving the mapping from metric scores to instance-level privacy leakage unverified. No instance-level fidelity measures (e.g., edge overlap, graph edit distance to originals, or per-graph label recovery) are reported.

    Authors: We acknowledge the distinction between distributional and instance-level evaluation. Our attacks are explicitly generative and conditioned on target model predictions (GLC) or embeddings plus labels (ELC), with the goal of producing graphs whose distribution aligns with the private training data. The four metrics are standard for assessing generative graph models and were chosen to quantify structural and distributional fidelity under black-box access. However, we agree that the current presentation could more clearly separate claims about distributional reconstruction from instance-specific recovery. We will revise Section 4 to include an explicit discussion of this limitation and its implications for interpreting privacy leakage.

    revision: partial

  2. Referee: [Section 4.3] Section 4.3 (Comparison with baselines) and abstract: The superiority claims over existing baselines are quantified only via the same four distributional metrics; without instance-level verification, it is unclear whether the reported gains correspond to better inversion of private data or simply better unconditional graph generation.

    Authors: All methods, including baselines, are evaluated under identical conditions and metrics to ensure comparability. The conditioning mechanisms in GLC and ELC differentiate them from purely unconditional generators. That said, we accept that the superiority claims should be framed more precisely around improved distributional matching rather than guaranteed per-instance inversion. We will update the abstract and Section 4.3 to reflect this nuance and avoid overstatement.

    revision: partial

Circularity Check

0 steps flagged

No significant circularity; empirical attack evaluation is self-contained.


This is an empirical paper introducing GLC and ELC reconstruction attacks on GNNs via generator-discriminator methods and evaluating them on three benchmark datasets using four external distributional/structural metrics (FGD, EGD, MMD, GKS). No derivations, equations, fitted parameters, or self-citation chains are present that reduce any claimed result to its own inputs by construction. The central claims rest on experimental outcomes against independent benchmarks rather than any definitional or fitted-input loop, satisfying the criteria for a non-circular finding.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract provides no equations or methods, so no free parameters, axioms, or invented entities can be identified.

pith-pipeline@v0.9.1-grok · 5782 in / 925 out tokens · 21899 ms · 2026-06-30T06:44:31.792461+00:00 · methodology

