Researchers Assess Membership Inference Vulnerabilities in Graph Neural Networks

Global: Researchers Assess Membership Inference Vulnerabilities in Graph Neural Networks

A team of researchers has published a study analyzing how graph neural networks (GNNs) may expose details about the data used to train them. The work, posted on arXiv on January 2026, focuses on node‑level membership inference attacks and evaluates how graph construction and edge access influence privacy risk. The authors argue that understanding these factors is essential for deploying GNNs in applications where data confidentiality is critical.

Background on Graph Neural Networks

GNNs have become a dominant approach for representing relational data, enabling improved performance on tasks such as node classification and link prediction. Their ability to capture complex graph structures has led to widespread adoption across domains ranging from social network analysis to molecular modeling.

Membership Inference Threat Model

The study formalizes membership inference (MI) attacks as attempts to determine whether a specific node‑neighbourhood tuple was part of the training set. Two dimensions are examined: (i) the method used to construct the training graph, and (ii) the extent of edge information available to an adversary during inference.

Impact of Graph Construction Methods

Empirical results indicate that snowball sampling, which expands from a seed node outward, often introduces a coverage bias that harms model generalisation compared with random node sampling. However, this bias can also affect the success rate of MI attacks, sometimes reducing the attacker’s advantage.

Role of Edge Access at Inference Time

When adversaries are permitted to observe edges connecting test nodes to the training graph, the study finds that test accuracy improves and the gap between training and test performance narrows. In most experiments, this scenario also yields the lowest membership advantage, suggesting that edge visibility can both aid model performance and mitigate privacy leakage.

Limitations of Generalisation Gap as Risk Indicator

The authors demonstrate that the conventional metric of generalisation gap—the performance difference between training and test nodes—does not reliably predict MI risk. Access to edge information can cause membership advantage to rise or fall independently of changes in the gap, indicating that additional factors must be considered when assessing privacy.

Auditability of Differentially Private GNNs

Finally, the paper evaluates the auditability of differentially private GNNs by adapting the concept of statistical exchangeability for graph‑based models. The analysis shows that inductive splits, whether random or snowball sampled, break exchangeability at the node level, limiting the applicability of standard differential privacy bounds for membership advantage.

This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.