Impact of Graph Structure on Membership-Inference Risk for Graph Neural Networks
Title: How Graph Topology Influences Membership Inference Vulnerabilities in Graph Neural Networks
Abstract:
While Graph Neural Networks (GNNs) are extensively employed for applications like link prediction and node classification, their deployment in sensitive environments has sparked concerns regarding the potential leakage of training data. Existing research on privacy breaches in GNNs often imports assumptions from non-graph domains, thereby neglecting the critical influence of graph structure. In this study, we advocate for a graph-specific examination of privacy risks, focusing specifically on how structural elements impact node-level membership inference. We define membership inference (MI) in the context of node-neighborhood tuples and explore two key factors: (i) the methodology for constructing training graphs and (ii) the availability of edges connecting training and test nodes during the inference phase.
Our comparative analysis contrasts snowball sampling—a structure-aware technique—with uniform random node sampling for building training graphs. Experimental results indicate that snowball sampling frequently degrades generalization performance compared to random sampling, primarily due to coverage bias. Conversely, granting access to inter-train-test edges during inference enhances test accuracy and narrows the performance gap between training and test data; however, this access also exerts a significant and context-dependent influence on membership advantage. These findings demonstrate that graph structure is a direct determinant of privacy risk.
Furthermore, we demonstrate that the generalization gap—defined as the performance disparity between training and test nodes—is an insufficient proxy for assessing membership inference risk. Membership advantage may increase or decrease independently of shifts in this gap, with inference-time edge access often serving as a pivotal factor. From a theoretical standpoint, we establish that standard privacy-auditing frameworks based on membership inference are not directly applicable to inductive graph settings for node-level tasks. This limitation arises because training and test nodes are structurally dependent rather than interchangeable. The code and data associated with this study are available at https://github.com/PriXAI/GraphStructurePrivacyAnalysis-public.
Source: arXiv Generated at: 2026-06-03 00:00:00 UTC
