TY - JOUR
T1 - NetFense
T2 - Adversarial Defenses Against Privacy Attacks on Neural Networks for Graph Data
AU - Hsieh, I. Chung
AU - Li, Cheng Te
N1 - Funding Information:
This work was supported in part by the Ministry of Science and Technology (MOST) of Taiwan under Grants 109-2636-E-006-017 (MOST Young Scholar Fellowship) and 109-2221-E-006-173, and in part by Academia Sinica under Grant AS-TP-107-M05.
Publisher Copyright:
© 1989-2012 IEEE.
PY - 2023/1/1
Y1 - 2023/1/1
N2 - Recent advances in protecting node privacy on graph data and attacking graph neural networks (GNNs) gain much attention. The eye does not bring these two essential tasks together yet. Imagine an adversary can utilize the powerful GNNs to infer users' private labels in a social network. How can we adversarially defend against such privacy attacks while maintaining the utility of perturbed graphs? In this work, we propose a novel research task, adversarial defenses against GNN-based privacy attacks, and present a graph perturbation-based approach, NetFense, to achieve the goal. NetFense can simultaneously keep graph data unnoticeability (i.e., having limited changes on the graph structure), maintain the prediction confidence of targeted label classification (i.e., preserving data utility), and reduce the prediction confidence of private label classification (i.e., protecting the privacy of nodes). Experiments conducted on single- and multiple-target perturbations using three real graph data exhibit that the perturbed graphs by NetFense can effectively maintain data utility (i.e., model unnoticeability) on targeted label classification and significantly decrease the prediction confidence of private label classification (i.e., privacy protection). Extensive studies also bring several insights, such as the flexibility of NetFense, preserving local neighborhoods in data unnoticeability, and better privacy protection for high-degree nodes.
AB - Recent advances in protecting node privacy on graph data and attacking graph neural networks (GNNs) gain much attention. The eye does not bring these two essential tasks together yet. Imagine an adversary can utilize the powerful GNNs to infer users' private labels in a social network. How can we adversarially defend against such privacy attacks while maintaining the utility of perturbed graphs? In this work, we propose a novel research task, adversarial defenses against GNN-based privacy attacks, and present a graph perturbation-based approach, NetFense, to achieve the goal. NetFense can simultaneously keep graph data unnoticeability (i.e., having limited changes on the graph structure), maintain the prediction confidence of targeted label classification (i.e., preserving data utility), and reduce the prediction confidence of private label classification (i.e., protecting the privacy of nodes). Experiments conducted on single- and multiple-target perturbations using three real graph data exhibit that the perturbed graphs by NetFense can effectively maintain data utility (i.e., model unnoticeability) on targeted label classification and significantly decrease the prediction confidence of private label classification (i.e., privacy protection). Extensive studies also bring several insights, such as the flexibility of NetFense, preserving local neighborhoods in data unnoticeability, and better privacy protection for high-degree nodes.
UR - http://www.scopus.com/inward/record.url?scp=85111033833&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85111033833&partnerID=8YFLogxK
U2 - 10.1109/TKDE.2021.3087515
DO - 10.1109/TKDE.2021.3087515
M3 - Article
AN - SCOPUS:85111033833
SN - 1041-4347
VL - 35
SP - 796
EP - 809
JO - IEEE Transactions on Knowledge and Data Engineering
JF - IEEE Transactions on Knowledge and Data Engineering
IS - 1
ER -