ML Security PapersTaipan: A Query-free Transfer-based Multiple Sensitive Attribute Inference Attack Solely from Publicly Released Graphs
Published on arXiv
2602.06700
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Taipan consistently achieves strong multi-sensitive-attribute inference across heterogeneous graph distributions and remains effective even under rigorous differential privacy protections
Taipan
Novel technique introduced
Graph-structured data underpin a wide spectrum of modern applications. However, complex graph topologies and homophilic patterns can facilitate attribute inference attacks (AIAs) by enabling sensitive information leakage to propagate across local neighborhoods. Existing AIAs predominantly assume that adversaries can probe sensitive attributes through repeated model queries. Such assumptions are often impractical in real-world settings due to stringent data protection regulations, prohibitive query budgets, and heightened detection risks, especially when inferring multiple sensitive attributes. More critically, this model-centric perspective obscures a pervasive blind spot: \textbf{intrinsic multiple sensitive information leakage arising solely from publicly released graphs.} To exploit this unexplored vulnerability, we introduce a new attack paradigm and propose \textbf{Taipan, the first query-free transfer-based attack framework for multiple sensitive attribute inference attacks on graphs (G-MSAIAs).} Taipan integrates \emph{Hierarchical Attack Knowledge Routing} to capture intricate inter-attribute correlations, and \emph{Prompt-guided Attack Prototype Refinement} to mitigate negative transfer and performance degradation. We further present a systematic evaluation framework tailored to G-MSAIAs. Extensive experiments on diverse real-world graph datasets demonstrate that Taipan consistently achieves strong attack performance across same-distribution settings and heterogeneous similar- and out-of-distribution settings with mismatched feature dimensionalities, and remains effective even under rigorous differential privacy guarantees. Our findings underscore the urgent need for more robust multi-attribute privacy-preserving graph publishing methods and data-sharing practices.
Key Contributions
- First query-free, transfer-based attack framework (Taipan) for multiple sensitive attribute inference on graphs (G-MSAIAs), leaving no interaction footprint on victim models
- Hierarchical Attack Knowledge Routing to capture complex inter-attribute correlations, combined with Prompt-guided Attack Prototype Refinement to mitigate negative transfer across heterogeneous graph distributions
- Systematic G-MSAIA evaluation framework demonstrating attack effectiveness across same-, similar-, and out-of-distribution settings with mismatched feature dimensions, and resilience against differential privacy guarantees
🛡️ Threat Analysis
Attribute inference attacks recovering private sensitive attributes of individuals are the canonical ML03 threat. Although Taipan is query-free (no model oracle), it targets the same privacy goal — inferring private attributes about individuals whose data is embedded in GNN-amplified homophilic graph structures — and is explicitly evaluated against differential privacy defenses, confirming its placement within the model/data inversion privacy-attack literature.