arxiv: 2606.08067 · v1 · pith:WZVJWRHMnew · submitted 2026-06-06 · 💻 cs.LG

Beyond Homophily: Towards Generalized Graph Reconstruction Attack and Defense

Pith reviewed 2026-06-27 19:59 UTC · model grok-4.3

classification 💻 cs.LG
keywords: graph reconstruction attack, graph neural networks, homophily, heterophily, model inversion, privacy defense, adjacency leakage

The pith

Approximating GNN layers as a Markov chain of topology-dependent representations enables stronger attacks that reconstruct training adjacency and defenses that suppress it with little accuracy cost.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that graph neural networks leak adjacency information from their training graphs through features, labels, embeddings, and predictions, with the amount of leakage depending on homophily or heterophily and the model's bias. It develops a Markov chain approximation that treats the forward pass as a sequence of topology-dependent representations at each layer. This approximation supports an attack that optimizes a surrogate adjacency to match the target's representations layer by layer and a defense that removes adjacency-dependent signals throughout the chain while preserving task performance. A reader would care because GNNs process relational data such as social ties or transactions where unintended reconstruction of those relations poses privacy risks. If the approach holds, it provides concrete tools to both expose and mitigate such leakage on graphs that deviate from homophily assumptions.

Core claim

The paper claims that GNN inference admits a Markov chain approximation in which each layer produces representations whose dependence on the input topology can be tracked explicitly. Under this view the authors construct MC-GRA, an attack that searches for a surrogate adjacency whose induced representations align with those of the target model at every layer, and MC-GPB, a defense that suppresses adjacency-dependent information across the same chain subject to a classification-accuracy constraint. Systematic experiments on both homophilic and heterophilic benchmarks show that the attack recovers adjacency more faithfully than prior methods while the defense reduces reconstruction success wit

What carries the argument

The Markov chain approximation that models the layered GNN forward computation as a sequence of topology-dependent representations, used to align surrogate and target representations for attack and to suppress adjacency signals for defense.

If this is right

  • Reconstruction attacks achieve higher fidelity than prior methods on both homophilic and heterophilic graphs.
  • Defenses suppress adjacency leakage while incurring only minor drops in classification accuracy.
  • Leakage strength varies systematically with graph homophily, heterophily, and the GNN's inductive bias.
  • The same Markov-chain view supports complementary attack and defense methods rather than treating them separately.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same layer-wise alignment technique could be tested on deeper or attention-based GNN variants to check whether the Markov approximation remains useful.
  • Deployed GNNs on social or transaction data may require routine application of the defense to limit exposure of private edges.
  • The privacy-utility trade-off curve produced by the defense offers a concrete benchmark for comparing other privacy mechanisms on graphs.

Load-bearing premise

The layered forward computation of a GNN can be treated as a Markov chain of topology-dependent representations with enough accuracy to guide both attack optimization and defense suppression.

What would settle it

An experiment in which optimizing a surrogate adjacency under the Markov chain alignment objective fails to produce higher reconstruction fidelity than existing attack baselines, or in which the corresponding defense reduces reconstruction success only at the cost of large accuracy loss.

Figures

Figures reproduced from arXiv: 2606.08067 by Bo Han, Jiangchao Yao, Michael K. Ng, Sanmi Koyejo, Xuan Li, Zhanke Zhou.

Figure 1: Illustration of a graph reconstruction attack using characters from
Figure 2: Modeling graph reconstruction as Markov-chain approximation (here “Markov chain” in the sense of layered conditional independence; see Sec. 4). The upper chain is the target GNN’s forward computation induced by the private adjacency A and node feature X, while the lower chain is the attacker’s surrogate computation induced by the reconstructed adjacency Â and node feature X (if available). To recover the …
Figure 3: Recovered adjacency on Cora. Green dots denote correctly recovered edges; red dots
Figure 4: Graph information plane for a two-layer GCN on the homophilic graph Cora
Figure 5: Graph information plane for a two-layer GPR-GNN on the homophilic graph Cora
Figure 6: The MC-GRA attack framework. Forward (in red): an estimated adjacency Â is sampled from a parameterized distribution P_ϕ(Â) and perturbed via injected stochasticity to enable differentiable optimization and exploration. The perturbed Â is then propagated through the target model to generate the corresponding GRA-chain variables. Backward (in blue): the sampling parameters ϕ are updated by maximizing the …
Figure 7: An information-theoretic view of training, attack, and defense. Illustration of how information flows and is (progressively) compressed along the GNN-induced Markov chains during standard training, how MC-GRA exploits dependence between aligned ORI-chain/GRA-chain variables for reconstruction, and how MC-GPB reduces adjacency leakage by discouraging dependence between hidden representations and the adjace…
Figure 8: The MC-GPB defense framework. MC-GPB addresses the accuracy-privacy trade-off through the population objective in Eq. (48) and its practical surrogate in Sec. 6.2: it regularizes layerwise graph representations to reduce adjacency leakage while maintaining label-predictive information. During training, injected stochasticity (e.g., edge dropping) further promotes suppression of adjacency dependence by limi…
Figure 9: Examples of recovered adjacency. Green dots indicate correct predictions (true
Figure 10: Recovered adjacency with GPR-GNN on two representative datasets. The first row
Figure 11: Graph information plane of GPR-GNN on Brazil under unprotected and protected
Figure 12: Graph information plane: defensive training with MC-GPB (+). Compared with
Figure 13: Recovered adjacency on Cora. (a) Ground truth. (b) MC-GRA (+) on unprotected
Figure 14: Recovered adjacency on Citeseer. (a)–(e) as in Fig.
Figure 15: Recovered adjacency on Polblogs. (a)–(e) as in Fig.
Figure 16: Recovered adjacency on USA. (a)–(e) as in Fig.
Figure 17: Recovered adjacency on Brazil. (a)–(e) as in Fig.
Figure 18: Recovered adjacency on AIDS. (a)–(e) as in Fig.
Figure 19: Additional graph information planes for GCN on Cornell, Wisconsin, and Texas
Figure 20: Additional graph information planes for GPR-GNN on AIDS, Brazil, Citeseer,
Figure 21: Further graph information planes for GPR-GNN on Polblogs, USA, and Wisconsin,
Figure 22: Additional recovered adjacency examples on Cornell under GCN, comparing
Figure 23: Full GPR-GNN recovered adjacency comparisons on Cora and Citeseer. For
Figure 24: Full GPR-GNN recovered adjacency comparisons on Polblogs and USA.
Figure 25: Full GPR-GNN recovered adjacency comparisons on Brazil and AIDS.
Figure 26: Full GPR-GNN recovered adjacency comparisons on Texas and Cornell.
Figure 27: Full GPR-GNN recovered adjacency comparisons on Wisconsin.
Figure 28: Training curves of MC-GRA (+) on each dataset.
Figure 29: Training curves of MC-GPB (+) on each dataset.
Figure 30: Graph information plane on Cora dataset.
Figure 31: Graph information plane on Citeseer dataset.
Figure 32: Graph information plane on Polblogs dataset.
Figure 33: Graph information plane on USA dataset.
Figure 34: Graph information plane on Brazil dataset.
Figure 35: Graph information plane on AIDS dataset.
Original abstract

Graph neural networks (GNNs) are widely deployed on relational data, yet they can leak sensitive or proprietary information about the training graph adjacency, e.g., social ties, transactions, and interactions. This work studies graph reconstruction attacks (GRA), a form of model inversion that reconstructs the training adjacency from a trained GNN, given different levels of attacker-side information. We first provide a systematic characterization of when and why adjacency becomes recoverable through features, labels, embeddings, and predictions, with leakage modulated by graph homophily, heterophily, and the model's inductive bias. Motivated by these findings, we view GNN inference through a Markov chain approximation lens, treating the layered forward computation as a chain of topology-dependent representations. Building on this view, we develop complementary attack and defense methods. On the attack side, we propose MC-GRA (+), which reconstructs the adjacency by optimizing a surrogate adjacency whose GNN-induced representations align with those of the target model at each layer. On the defense side, we propose MC-GPB (+), which suppresses adjacency-dependent information throughout the representation chain while aiming to preserve classification accuracy under a privacy-utility trade-off. Experiments across homophilic/heterophilic graph benchmarks and GNNs show that our attacks improve reconstruction fidelity over prior methods, while our defenses reduce reconstruction success with only minor accuracy loss.
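The abstract's point that leakage is modulated by homophily and heterophily can be checked with a small leakage audit. This is an added example, not code from the paper or from Pith: it scores every node pair by similarity through three channels (labels, features, embeddings) and reports the AUC against the true adjacency. The graph is a constructed two-class stochastic block model, the "embedding" is a weight-free mean-aggregation layer standing in for a GCN layer, and the similarity scorer is a simple baseline, not MC-GRA.

```python
import math
import random

def sbm(n, p_in, p_out, rng):
    """Constructed two-class stochastic block model: labels and undirected edges."""
    y = [i % 2 for i in range(n)]
    edges = {(i, j) for i in range(n) for j in range(i + 1, n)
             if rng.random() < (p_in if y[i] == y[j] else p_out)}
    return y, edges

def propagate(x, edges):
    """One mean-aggregation step with self-loops (weight-free GCN-style layer)."""
    nbrs = [[i] for i in range(len(x))]
    for i, j in edges:
        nbrs[i].append(j)
        nbrs[j].append(i)
    dim = len(x[0])
    return [[sum(x[k][c] for k in nb) / len(nb) for c in range(dim)] for nb in nbrs]

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def edge_auc(score, n, edges):
    """Probability that a true edge outscores a non-edge (ties count one half)."""
    pos = [score(i, j) for i, j in edges]
    neg = [score(i, j) for i in range(n) for j in range(i + 1, n)
           if (i, j) not in edges]
    wins = sum((p > q) + 0.5 * (p == q) for p in pos for q in neg)
    return wins / (len(pos) * len(neg))

def leakage(auc):
    """Sign-agnostic leakage: an AUC far below 0.5 is as informative as one far above."""
    return max(auc, 1.0 - auc)

def audit(p_in, p_out, n=40, sigma=0.2, seed=0):
    """AUC of adjacency recovery per channel for one constructed graph."""
    rng = random.Random(seed)
    y, edges = sbm(n, p_in, p_out, rng)
    # Constructed features: one-hot class indicator plus Gaussian noise.
    x = [[(1.0 if c == y[i] else 0.0) + rng.gauss(0.0, sigma) for c in range(2)]
         for i in range(n)]
    h = propagate(x, edges)
    channels = {
        "labels": lambda i, j: 1.0 if y[i] == y[j] else 0.0,
        "features": lambda i, j: cosine(x[i], x[j]),
        "embeddings": lambda i, j: cosine(h[i], h[j]),
    }
    return {name: edge_auc(f, n, edges) for name, f in channels.items()}

if __name__ == "__main__":
    for name, (p_in, p_out) in {"homophilic": (0.30, 0.02),
                                "heterophilic": (0.02, 0.30)}.items():
        result = audit(p_in, p_out)
        print(name, {k: (round(v, 3), round(leakage(v), 3)) for k, v in result.items()})
```

On the heterophilic graph the similarity scorer falls well below 0.5, so an audit that only checks "AUC near or under chance" would report a leaking model as safe; report `leakage(auc)` or a learned scorer instead.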

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that modeling GNN forward passes via a Markov chain approximation of topology-dependent layer representations enables a generalized graph reconstruction attack (MC-GRA) that optimizes a surrogate adjacency to match target-model representations at each layer, together with a complementary defense (MC-GPB) that suppresses adjacency-dependent information under a privacy-utility trade-off. Systematic characterization of leakage under homophily/heterophily and inductive bias is provided, and experiments on homophilic/heterophilic benchmarks are said to show higher reconstruction fidelity for the attack and lower reconstruction success for the defense with only minor accuracy degradation.

Significance. If the Markov-chain view is accurate and the empirical gains are robust, the work supplies the first systematic treatment of GRA that explicitly targets both homophilic and heterophilic regimes and supplies concrete, complementary attack and defense primitives; this could inform privacy analysis of deployed GNNs on relational data.

major comments (2)
  1. [Method (Markov chain approximation)] The Markov chain approximation of layered GNN computation is load-bearing for both MC-GRA and MC-GPB; the manuscript must supply either error bounds on the approximation, an ablation that measures how closely the chain matches exact layer-wise representations, or a sensitivity study showing that attack/defense performance degrades when the approximation is replaced by exact forward passes.
  2. [Experiments] The central empirical claim (improved reconstruction fidelity and reduced attack success with minor accuracy loss) is asserted without reported ablation tables, statistical significance tests, or controls for post-hoc hyper-parameter selection; the experiments section must include these to establish that the reported gains are not artifacts of the evaluation protocol.
minor comments (2)
  1. Define the notation MC-GRA (+) and MC-GPB (+) explicitly; the parenthetical is used in the abstract but never explained.
  2. Add a short related-work paragraph that situates the Markov-chain lens against prior message-passing analyses or information-flow studies in GNNs.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments. We address each major comment below and will revise the manuscript to incorporate the requested validations and statistical controls.

Point-by-point responses
  1. Referee: [Method (Markov chain approximation)] The Markov chain approximation of layered GNN computation is load-bearing for both MC-GRA and MC-GPB; the manuscript must supply either error bounds on the approximation, an ablation that measures how closely the chain matches exact layer-wise representations, or a sensitivity study showing that attack/defense performance degrades when the approximation is replaced by exact forward passes.

    Authors: We agree that the Markov chain approximation is central to both methods. The manuscript motivates the view from the leakage characterization but does not provide quantitative validation against exact layer-wise passes. In the revision we will add a sensitivity study that substitutes exact forward passes (where computationally feasible) for the approximation and reports the resulting impact on reconstruction fidelity and defense performance. revision: yes

  2. Referee: [Experiments] The central empirical claim (improved reconstruction fidelity and reduced attack success with minor accuracy loss) is asserted without reported ablation tables, statistical significance tests, or controls for post-hoc hyper-parameter selection; the experiments section must include these to establish that the reported gains are not artifacts of the evaluation protocol.

    Authors: We acknowledge the need for stronger statistical support. The revised manuscript will add ablation tables for the core components of MC-GRA and MC-GPB, report results across multiple random seeds with standard deviations and significance tests, and document the hyper-parameter selection protocol to address post-hoc selection concerns. revision: yes

Circularity Check

0 steps flagged

No significant circularity in derivation chain

The paper motivates MC-GRA and MC-GPB via a Markov-chain view of layered GNN forward passes, then defines the attack as direct optimization of a surrogate adjacency to match per-layer representations and the defense as suppression of adjacency-dependent signals under a utility constraint. These are independent optimization objectives, not quantities fitted on one subset and then reported as predictions on the same data. No self-definitional equations, no fitted-input-called-prediction pattern, and no load-bearing self-citations that collapse the central result to its inputs appear in the abstract or claim description. Experiments on external homophilic/heterophilic benchmarks supply independent validation.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 2 invented entities

Only the abstract is available, so the ledger is necessarily incomplete; the central modeling choice is treated as a domain assumption rather than a derived result.

axioms (1)
  • domain assumption: GNN forward passes can be usefully approximated as a Markov chain whose transition structure depends on the unknown adjacency.
    Explicitly invoked in the abstract as the lens for both attack and defense construction.
invented entities (2)
  • MC-GRA (no independent evidence)
    purpose: Surrogate-adjacency optimization attack that aligns layer-wise representations
    New attack procedure introduced in the abstract.
  • MC-GPB (no independent evidence)
    purpose: Defense that suppresses adjacency-dependent information across the representation chain
    New defense procedure introduced in the abstract.

