With the increasing popularity of Graph Neural Networks (GNNs) in sensitive applications such as healthcare and medicine, concerns have been raised over the privacy of trained GNNs. Notably, GNNs are vulnerable to privacy attacks, such as membership inference attacks, even when only black-box access to the trained model is granted. To build defenses, differential privacy has emerged as a mechanism for disguising sensitive data in training datasets. Following the strategy of Private Aggregation of Teacher Ensembles (PATE), recent methods leverage a large ensemble of teacher models: the teachers are trained on disjoint subsets of private data and are employed to transfer knowledge to a student model, which is then released with privacy guarantees. However, splitting graph data into many disjoint training sets may destroy structural information and adversely affect accuracy. We propose a new graph-specific scheme for releasing a student GNN that avoids splitting the private training data altogether. The student GNN is trained on public data, part of which is labeled privately using teacher GNN models trained exclusively for each query node. We theoretically analyze our approach in the R\'{e}nyi differential privacy framework and provide privacy guarantees. Moreover, we demonstrate strong experimental performance of our method compared to several baselines, including the PATE baseline adapted for graph-structured data. Our anonymized code is available.