Abstract
Recently, to promote private graph data sharing, a collaborative graph learning paradigm known as Graph Split Learning (GSL) has been proposed. However, current security research on GSL focuses more on one-shot learning and ignores the fact that, in practice, training a model is usually an ongoing process. Fresh data need to be added periodically to keep the trained model timely. In this paper, we propose the first attack against GSL, called Graph Update Leakage Attack (Gula), to show the vulnerability of GSL to privacy leakage attacks when it runs with updated training sets. Specifically, we systematically analyze the adversary’s knowledge of GSL along three dimensions, leading to 8 different implementations of Gula. All 8 attacks demonstrate that a malicious server in GSL can leverage the posteriors received during the forward computation stage to reconstruct the update graph data of clients. Extensive experiments on 6 real-world datasets and 8 different GNN models show that, for GSL, our attacks can effectively reveal the private links and node features in the update set.
Acknowledgement
This work was supported by the National Key Research and Development Program of China (Program No. 2023YFE0111100), the National Natural Science Foundation of China (Program No. U21A20464, Program No. 62261160651, Program No. U23A20307, Program No. U23A20306), the Fundamental Research Funds for the Central Universities (Program No. QTZX24081).
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Yang, H., Ma, Z., Liu, Y., Liu, X., Yang, B., Ma, J. (2025). Updates Leakage Attack Against Private Graph Split Learning. In: Zhu, T., Li, J., Castiglione, A. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2024. Lecture Notes in Computer Science, vol 15252. Springer, Singapore. https://doi.org/10.1007/978-981-96-1528-5_1
DOI: https://doi.org/10.1007/978-981-96-1528-5_1
Publisher Name: Springer, Singapore
Print ISBN: 978-981-96-1527-8
Online ISBN: 978-981-96-1528-5
eBook Packages: Computer Science, Computer Science (R0)