pith. sign in

arxiv: 2606.04069 · v1 · pith:KRUYE2XCnew · submitted 2026-06-02 · 💻 cs.CR · cs.LG

Bayesian Membership Privacy for Graph Neural Networks

Pith reviewed 2026-06-28 09:33 UTC · model grok-4.3

classification 💻 cs.CR cs.LG
keywords Bayesian Membership PrivacyGraph Neural NetworksMembership InferenceNode-level PrivacyGraph SamplingPrivacy AuditingPosterior Probability
0
0 comments X

The pith

Bayesian Membership Privacy measures node-level leakage in GNNs by posterior probability after accounting for node priors and sampling.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Existing privacy analyses for graph neural networks inherit assumptions from non-graph settings and overlook structural correlations plus the stochastic sampling used to form training graphs. Node-dependent priors make type-I and type-II errors alone insufficient to characterize the strongest membership inference attack. The paper introduces Bayesian Membership Privacy as a sampling-aware definition that treats graph sampling probabilities as known to the adversary and casts membership inference as a Bayesian hypothesis test. Privacy is then quantified directly by the posterior probability that a node was a member. A practical auditing procedure estimates the required parameters, and experiments on benchmark graphs show that this view reveals node-specific leakage invisible to global attack accuracy.

Core claim

The paper establishes Bayesian Membership Privacy (BMP) as a node-level membership privacy definition for GNNs. BMP incorporates node-dependent priors, treats stochastic graph sampling probabilities as adversary knowledge, and quantifies privacy via the posterior membership probability obtained from a Bayesian hypothesis test. It relates BMP theoretically to prior definitions and supplies a sampling-aware auditing mechanism whose estimates on benchmark datasets expose fine-grained privacy differences not captured by aggregate attack success rates.

What carries the argument

Bayesian Membership Privacy (BMP), the formulation that converts membership inference into a Bayesian hypothesis test whose output is the posterior probability of membership given node-dependent priors and known sampling probabilities.

If this is right

  • Privacy audits of GNNs can now report per-node posterior probabilities instead of a single global accuracy number.
  • Theoretical relations between BMP and earlier definitions allow direct comparison of privacy guarantees.
  • The sampling-aware auditing procedure can be run on any trained GNN to produce concrete leakage estimates.
  • Node-level variation in posterior probability implies that some nodes leak more than others even when aggregate accuracy looks moderate.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • BMP-style auditing could be applied to other graph models that use stochastic neighborhood sampling.
  • If regulators adopt posterior-based metrics, compliance checks for graph datasets would need to include prior estimation steps.
  • The gap between global accuracy and BMP values suggests that current differential-privacy mechanisms for graphs may need recalibration per node.

Load-bearing premise

The adversary knows or can accurately model the node-dependent priors and the probabilities governing stochastic graph sampling.

What would settle it

If the posterior membership probability computed under BMP fails to rank nodes by actual membership more accurately than a simple threshold on attack success rate across repeated trainings on the same graphs, the claim that BMP is required would be falsified.

Figures

Figures reproduced from arXiv: 2606.04069 by Megha Khosla, Sinan Y{\i}ld{\i}r{\i}m.

Figure 1
Figure 1. Figure 1: The region Rη(εL, εR) for different choices. Definition 6 (MIA – Hypothesis Testing Perspective). Let G = (V, E) be a graph with node feature matrix X and label matrix Y. Let A = (S, Φ) be a (possibly ran￾domized) algorithm operating on (G, X, Y), producing an output Yˆ ∈ W. For i ∈ {1, . . . , N}, a MIA, denoted as M(i, D, A), is a hypothesis test for the hypotheses H0 : Mi = 0, H1 : Mi = 1, whose decisio… view at source ↗
Figure 2
Figure 2. Figure 2: Marginal effects of the experiment parameters [PITH_FULL_IMAGE:figures/full_fig_p010_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Each dot corresponds to a target node in [PITH_FULL_IMAGE:figures/full_fig_p011_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Post. samples of (εR, εL) of BMP for random vs. snowball samp. on CORA (50% samp., GCN, clean outputs). work. By incorporating node-dependent priors and cast￾ing membership inference as Bayesian hypothesis test￾ing, BMP captures heterogeneous privacy risk that uni￾form metrics may miss. Our designed MIA and the ac￾companying MCMC posterior sampling method enable computation of uncertainty-aware estimates o… view at source ↗
read the original abstract

Existing privacy analyses for Graph Neural Networks (GNNs) largely inherit assumptions from non-graph settings, overlooking structural correlations and stochastic training-graph sampling. In particular, node-dependent priors make type-I and type-II errors alone insufficient to characterize the best membership inference test. To address this, we introduce Bayesian Membership Privacy (BMP), a sampling-aware formulation of node-level membership privacy that incorporates node-dependent priors and treats graph sampling probabilities as part of the adversary's knowledge. BMP casts membership inference as a Bayesian hypothesis test and accordingly quantifies membership privacy in terms of posterior membership probability. We explore theoretical properties of BMP in relation to the existing definitions in the literature. We further propose a practical, sampling-aware auditing mechanism to estimate the parameters of BMP as a measure of node-level privacy leakage in GNNs. We conduct experiments on benchmark graph datasets and show that BMP yields fine-grained privacy insights that are not visible through global attack accuracy alone.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 2 minor

Summary. The manuscript introduces Bayesian Membership Privacy (BMP), a sampling-aware formulation of node-level membership privacy for Graph Neural Networks. BMP incorporates node-dependent priors and treats graph sampling probabilities as part of the adversary's knowledge, casting membership inference as a Bayesian hypothesis test and quantifying privacy via posterior membership probability rather than type-I/II errors alone. The paper explores theoretical relations between BMP and existing privacy definitions, proposes a practical sampling-aware auditing mechanism to estimate BMP parameters, and reports benchmark experiments showing that BMP provides finer-grained privacy insights than global attack accuracy.

Significance. If the central claims hold, the work supplies a more complete privacy characterization for GNNs by explicitly modeling node-dependent priors and stochastic sampling, which standard membership-inference analyses can miss. The auditing procedure and its empirical demonstration on benchmark graphs constitute a practical contribution that could improve privacy evaluation tools. The absence of free parameters or circular reductions in the definition (as noted in the abstract-level description) is a positive feature.

minor comments (2)
  1. [Abstract] Abstract: the claim that 'node-dependent priors make type-I and type-II errors alone insufficient' is stated without a short illustrative example; adding one sentence would clarify the motivation for readers unfamiliar with Bayesian hypothesis testing.
  2. [Abstract] The abstract refers to 'theoretical properties of BMP in relation to the existing definitions' and to 'benchmark graph datasets' but does not name the datasets or the specific prior definitions compared; these details should appear in the abstract or be cross-referenced to the first section that contains them.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the supportive review and the recommendation of minor revision. The provided summary accurately captures the manuscript's contributions on Bayesian Membership Privacy (BMP) for GNNs, including the sampling-aware definition, Bayesian hypothesis testing formulation, theoretical relations to prior definitions, auditing procedure, and benchmark experiments demonstrating finer-grained insights beyond global attack accuracy.

Circularity Check

0 steps flagged

No significant circularity identified

full rationale

The paper defines BMP as a new sampling-aware Bayesian reformulation of membership privacy that incorporates node-dependent priors and treats sampling probabilities as adversary knowledge, then quantifies it via posterior probability rather than type-I/II errors. This is a direct definitional extension of standard Bayesian hypothesis testing applied to the GNN setting. The abstract and description state that theoretical relations to prior definitions are explored and a practical auditing procedure is supplied; neither step reduces the central claim to a fitted parameter, self-referential equation, or load-bearing self-citation chain. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Based solely on the abstract, the central claim rests on standard Bayesian hypothesis testing and the premise that structural correlations and sampling in GNNs require a new privacy definition; no explicit free parameters, ad-hoc axioms, or invented entities are identifiable from the provided text.

axioms (1)
  • domain assumption Bayesian hypothesis testing is an appropriate framework for quantifying membership privacy when priors are node-dependent.
    Invoked in the definition of BMP as casting membership inference as a Bayesian test (abstract).

pith-pipeline@v0.9.1-grok · 5691 in / 1307 out tokens · 22881 ms · 2026-06-28T09:33:45.047336+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

61 extracted references · 15 canonical work pages · 4 internal anchors

  1. [1]

    Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining , pages =

    Lee, Jaewoo and Clifton, Chris , title =. Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining , pages =. 2012 , isbn =. doi:10.1145/2339530.2339695 , abstract =

  2. [2]

    2021 IEEE Symposium on security and privacy (SP) , pages=

    Adversary instantiation: Lower bounds for differentially private machine learning , author=. 2021 IEEE Symposium on security and privacy (SP) , pages=. 2021 , organization=

  3. [3]

    Jagielski, Matthew and Ullman, Jonathan and Oprea, Alina , title =. Proc. of the 34th Int. Conf. on Neural Information Proc. Sys. , articleno =. 2020 , isbn =

  4. [4]

    IEEE Trans

    Kairouz, Peter and Oh, Sewoong and Viswanath, Pramod , title =. IEEE Trans. Inf. Theor. , month = jun, pages =. 2017 , issue_date =

  5. [5]

    Pufferfish: A framework for mathematical privacy definitions.ACM Trans

    Kifer, Daniel and Machanavajjhala, Ashwin , title =. ACM Trans. Database Syst. , month = jan, articleno =. 2014 , issue_date =. doi:10.1145/2514689 , abstract =

  6. [6]

    Pufferfish Privacy

    Kifer, Daniel and Machanavajjhala, Ashwin. Pufferfish Privacy. Encyclopedia of Cryptography, Security and Privacy. 2025. doi:10.1007/978-3-030-71522-9_1569

  7. [7]

    Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security , pages=

    Membership privacy: A unifying framework for privacy definitions , author=. Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security , pages=

  8. [8]

    Forty-second International Conference on Machine Learning , year=

    Going Deeper into Locally Differentially Private Graph Neural Networks , author=. Forty-second International Conference on Machine Learning , year=

  9. [9]

    2020 , eprint=

    Metropolis-Hastings with Averaged Acceptance Ratios , author=. 2020 , eprint=

  10. [10]

    Proceedings of the 40th International Conference on Machine Learning , pages =

    Zanella-Beguelin, Santiago and Wutschitz, Lukas and Tople, Shruti and Salem, Ahmed and R\". Proceedings of the 40th International Conference on Machine Learning , pages =. 2023 , editor =

  11. [11]

    and Nejdl, Wolfgang and Khosla, Megha , booktitle =

    Olatunji, Iyiola E. and Nejdl, Wolfgang and Khosla, Megha , booktitle =. 2021 , volume =. doi:10.1109/TPSISA52974.2021.00002 , url =

  12. [12]

    PAC Privacy: Automatic Privacy Measurement and Control of Data Processing

    Xiao, Hanshen and Devadas, Srinivas. PAC Privacy: Automatic Privacy Measurement and Control of Data Processing. Advances in Cryptology -- CRYPTO 2023. 2023

  13. [13]

    Proceedings of the 2015 ACM SIGMOD International Conference on Management of Data , pages =

    Yang, Bin and Sato, Issei and Nakagawa, Hiroshi , title =. Proceedings of the 2015 ACM SIGMOD International Conference on Management of Data , pages =. 2015 , isbn =. doi:10.1145/2723372.2747643 , abstract =

  14. [14]

    Proceedings of the 37th International Conference on Machine Learning , articleno =

    Triastcyn, Aleksei and Faltings, Boi , title =. Proceedings of the 37th International Conference on Machine Learning , articleno =. 2020 , publisher =

  15. [15]

    MCMC for Bayesian Estimation of Differential Privacy from Membership Inference Attacks

    Y ld r m, Ceren and Kaya, Kamer and Y ld r m, Sinan and Sava s , Erkay. MCMC for Bayesian Estimation of Differential Privacy from Membership Inference Attacks. Machine Learning and Knowledge Discovery in Databases. Research Track. 2026

  16. [16]

    2019 , eprint=

    Multi-scale Attributed Node Embedding , author=. 2019 , eprint=

  17. [17]

    AI magazine , volume=

    Collective classification in network data , author=. AI magazine , volume=

  18. [18]

    Goodfellow, H

    Abadi, Martin and Chu, Andy and Goodfellow, Ian and McMahan, H. Brendan and Mironov, Ilya and Talwar, Kunal and Zhang, Li , title =. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security , pages =. 2016 , isbn =. doi:10.1145/2976749.2978318 , abstract =

  19. [19]

    Scalable Private Learning with PATE

    Scalable private learning with pate , author=. arXiv preprint arXiv:1802.08908 , year=

  20. [20]

    arXiv preprint arXiv:2203.09205 , year=

    SoK: Differential privacy on graph-structured data , author=. arXiv preprint arXiv:2203.09205 , year=

  21. [21]

    28th USENIX security symposium (USENIX security 19) , pages=

    Evaluating differentially private machine learning in practice , author=. 28th USENIX security symposium (USENIX security 19) , pages=

  22. [22]

    Advances in Neural Information Processing Systems , volume=

    Auditing differentially private machine learning: How private is private sgd? , author=. Advances in Neural Information Processing Systems , volume=

  23. [23]

    ACM Computing Surveys (CSUR) , volume=

    Membership inference attacks on machine learning: A survey , author=. ACM Computing Surveys (CSUR) , volume=. 2022 , publisher=

  24. [24]

    Proceedings of the 38th International Conference on Machine Learning , pages =

    Label-Only Membership Inference Attacks , author =. Proceedings of the 38th International Conference on Machine Learning , pages =. 2021 , editor =

  25. [25]

    ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

    Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models , author=. arXiv preprint arXiv:1806.01246 , year=

  26. [26]

    Proceedings of the 2020 ACM SIGSAC conference on computer and communications security , pages=

    Information leakage in embedding models , author=. Proceedings of the 2020 ACM SIGSAC conference on computer and communications security , pages=

  27. [27]

    2024 IEEE Symposium on Security and Privacy (SP) , pages=

    Preserving node-level privacy in graph neural networks , author=. 2024 IEEE Symposium on Security and Privacy (SP) , pages=. 2024 , organization=

  28. [28]

    2023 IEEE 36th Computer Security Foundations Symposium (CSF) , pages=

    Investigating membership inference attacks under data dependencies , author=. 2023 IEEE 36th Computer Security Foundations Symposium (CSF) , pages=. 2023 , organization=

  29. [29]

    2018 IEEE 31st computer security foundations symposium (CSF) , pages=

    Privacy risk in machine learning: Analyzing the connection to overfitting , author=. 2018 IEEE 31st computer security foundations symposium (CSF) , pages=. 2018 , organization=

  30. [30]

    Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining , pages=

    Sampling from large graphs , author=. Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining , pages=

  31. [31]

    2017 IEEE symposium on security and privacy (SP) , pages=

    Membership inference attacks against machine learning models , author=. 2017 IEEE symposium on security and privacy (SP) , pages=. 2017 , organization=

  32. [32]

    MobiQuitous 2020-17th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services , pages=

    Quantifying privacy leakage in graph embedding , author=. MobiQuitous 2020-17th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services , pages=

  33. [33]

    arXiv preprint arXiv:2204.08570 , year=

    A comprehensive survey on trustworthy graph neural networks: Privacy, robustness, fairness, and explainability , author=. arXiv preprint arXiv:2204.08570 , year=

  34. [34]

    2021 Third IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA) , pages=

    Membership inference attack on graph neural networks , author=. 2021 Third IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA) , pages=. 2021 , organization=

  35. [35]

    2021 IEEE International Conference on Data Mining (ICDM) , pages=

    Adapting membership inference attacks to GNN for graph classification: Approaches and implications , author=. 2021 IEEE International Conference on Data Mining (ICDM) , pages=. 2021 , organization=

  36. [36]

    arXiv preprint arXiv:2104.08273 , year=

    Membership inference attacks on knowledge graphs , author=. arXiv preprint arXiv:2104.08273 , year=

  37. [37]

    Proceedings of the 15th ACM Workshop on Artificial Intelligence and Security , pages=

    Label-only membership inference attack against node-level graph neural networks , author=. Proceedings of the 15th ACM Workshop on Artificial Intelligence and Security , pages=

  38. [38]

    Proceedings on Privacy Enhancing Technologies , year=

    Subgraph Structure Membership Inference Attacks against Graph Neural Networks , author=. Proceedings on Privacy Enhancing Technologies , year=

  39. [39]

    Pacific-Asia Conference on Knowledge Discovery and Data Mining , pages=

    DPNE: Differentially private network embedding , author=. Pacific-Asia Conference on Knowledge Discovery and Data Mining , pages=. 2018 , organization=

  40. [40]

    International Conference on Machine Learning , pages=

    Learning to simulate complex physics with graph networks , author=. International Conference on Machine Learning , pages=. 2020 , organization=

  41. [41]

    Nature Machine Intelligence , volume=

    Integration of multiomics data with graph convolutional networks to identify new cancer genes and their associated molecular mechanisms , author=. Nature Machine Intelligence , volume=. 2021 , publisher=

  42. [42]

    Briefings in bioinformatics , volume=

    Utilizing graph machine learning within drug discovery and development , author=. Briefings in bioinformatics , volume=. 2021 , publisher=

  43. [43]

    Proceedings of the 34th International Conference on Scientific and Statistical Database Management , pages=

    How Powerful are Membership Inference Attacks on Graph Neural Networks? , author=. Proceedings of the 34th International Conference on Scientific and Statistical Database Management , pages=

  44. [44]

    Graph Attention Networks

    Graph attention networks , author=. arXiv preprint arXiv:1710.10903 , year=

  45. [45]

    Theory of cryptography conference , pages=

    Calibrating noise to sensitivity in private data analysis , author=. Theory of cryptography conference , pages=. 2006 , organization=

  46. [46]

    30th USENIX security symposium (USENIX security 21) , pages=

    Stealing links from graph neural networks , author=. 30th USENIX security symposium (USENIX security 21) , pages=

  47. [47]

    Kipf and Max Welling , title =

    Thomas N. Kipf and Max Welling , title =. 5th International Conference on Learning Representations,

  48. [48]

    Advances in neural information processing systems , volume=

    Inductive representation learning on large graphs , author=. Advances in neural information processing systems , volume=

  49. [49]

    Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security , pages=

    Locally private graph neural networks , author=. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security , pages=

  50. [50]

    arXiv preprint arXiv:2203.00949 , year=

    GAP: Differentially Private Graph Neural Networks with Aggregation Perturbation , author=. arXiv preprint arXiv:2203.00949 , year=

  51. [51]

    Transactions on Machine Learning Research , year=

    Releasing graph neural networks with differential privacy guarantees , author=. Transactions on Machine Learning Research , year=

  52. [52]

    Zhang and Y

    Y. Zhang and Y. Zhao and Z. Li and X. Cheng and Y. Wang and O. Kotevska and P. S. Yu and T. Derr , journal =. A Survey on Privacy in Graph Neural Networks: Attacks, Preservation, and Applications , year =

  53. [53]

    A Survey and Taxonomy of Graph Sampling

    A survey and taxonomy of graph sampling , author=. arXiv preprint arXiv:1308.5865 , year=

  54. [54]

    arXiv preprint arXiv:2102.05429 , year=

    Node-level membership inference attacks against graph neural networks , author=. arXiv preprint arXiv:2102.05429 , year=

  55. [55]

    2022 IEEE Symposium on Security and Privacy (SP) , pages=

    Membership inference attacks from first principles , author=. 2022 IEEE Symposium on Security and Privacy (SP) , pages=. 2022 , organization=

  56. [56]

    Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence,

    GraphMI: Extracting Private Graph Data from Graph Neural Networks , author =. Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence,

  57. [57]

    Proceedings of the 2021 AAAI/ACM Conference on AI, Ethics, and Society , pages=

    On the privacy risks of model explanations , author=. Proceedings of the 2021 AAAI/ACM Conference on AI, Ethics, and Society , pages=

  58. [58]

    Advances in Neural Information Processing Systems , volume=

    Privacy auditing with one (1) training run , author=. Advances in Neural Information Processing Systems , volume=

  59. [59]

    Proceedings of Privacy Enhancing Technologies Symposium (PETS 2023) , year=

    Private Graph Extraction via Feature Explanations , author=. Proceedings of Privacy Enhancing Technologies Symposium (PETS 2023) , year=

  60. [60]

    Advances in Interpretable Machine Learning and Artificial Intelligence (AIMLAI) at International Conference on Information and Knowledge Management (CIKM'22) , year=

    Privacy and Transparency in Graph Machine Learning: A Unified Perspective , author=. Advances in Interpretable Machine Learning and Artificial Intelligence (AIMLAI) at International Conference on Information and Knowledge Management (CIKM'22) , year=

  61. [61]

    Proceedings of Privacy Enhancing Technologies Symposium (PETS 2026) , year=

    Impact of Graph Structure on Membership-Inference Risk for Graph Neural Networks , author=. Proceedings of Privacy Enhancing Technologies Symposium (PETS 2026) , year=