<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Privacy and transparency in graph machine learning: A unified perspective</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Megha Khosla</string-name>
          <email>m.khosla@tudelft.nl</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Delft University of Technology</institution>
          ,
          <addr-line>Delft</addr-line>
          ,
          <country country="NL">The Netherlands</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Workshop Proce dings</institution>
        </aff>
      </contrib-group>
      <abstract>
        <p>Graph Machine Learning (GraphML), whereby classical machine learning is generalized to irregular graph domains, has enjoyed a recent renaissance, leading to a dizzying array of models and their applications in several domains. With its growing applicability to sensitive domains and regulations by governmental agencies for trustworthy AI systems, researchers have started looking into the issues of transparency and privacy of graph learning. However, these topics have been mainly investigated independently. In this position paper, we provide a unified perspective on the interplay of privacy and transparency in GraphML. In particular, we describe the challenges and possible research directions for a formal investigation of privacy-transparency tradeofs in GraphML. Graph machine learning, Graph neural networks, Privacy-preserving machine learning, Interpretability/Explainability in machine learning, Post-hoc explainability, Privacy-transparency tradeofs CEUR</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        Graphs are a highly informative, flexible, and natural
way to represent data. Graph based machine learning
(GraphML), whereby classical machine learning is
generalized to irregular graph domains, has enjoyed a recent
renaissance, leading to a dizzying array of models and
their applications in several fields [
        <xref ref-type="bibr" rid="ref1 ref2 ref3 ref4 ref5">1, 2, 3, 4, 5</xref>
        ]. GraphML
models have achieved great success due to their ability to
lfexibly learn from the complex interplay of graph
structure and node attributes/features. Such ability comes
with a compromise in privacy and transparency, two
indispensable ingredients to achieve trustworthy ML [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
      </p>
      <p>Deep models trained on graph data are inherently
blackbox, and their decisions are dificult for humans
to understand and interpret. The growing application of
these models in sensitive applications like healthcare and
ifnance and the regulations by various AI governance
frameworks necessitate the need for transparency in their
decision-making process. Meanwhile, recent research
[7, 8, 9, 10] has highlighted the privacy risks of deploying
models trained on graph data. It has been suggested that
these models are even more vulnerable to privacy
leakage than models trained on non-graph data due to the
additional encoding of relational structure in the model
itself [7].</p>
      <sec id="sec-1-1">
        <title>Consequently, an increasing number of works are fo</title>
        <p>cussing on explaining [11, 12, 13, 14] the decisions of
black box GraphML models in a post-hoc manner,
designing interpretable models [15, 16, 17] as well as
privacy preserving techniques for real world deployments
of graph models [18, 19, 20].</p>
        <p>Despite the growing research interest, the current state
of the art considers privacy and transparency in GraphML
independently. While transparency provides insight into
the model’s working, privacy aims to preserve the
sensitive information about the training data1. The seemingly
conflicting goals of privacy and transparency call for the
need of a joint investigation. To date, any gain in
privacy or transparency is usually compared to any drop in
model performance. However, questions like “what
effects would be releasing post-hoc explanations have on the
privacy of training data?” or “how well can we interpret
the decisions of privacy-preserving graph models?” have
so far received little attention [21, 22].</p>
        <p>In this position paper, we provide a unified
perspective on the inextricable link between privacy and
transparency for GraphML. Besides, we sketch the possible
research directions towards formally exploring
privacytransparency tradeofs in GraphML.</p>
      </sec>
    </sec>
    <sec id="sec-2">
      <title>2. Background</title>
      <sec id="sec-2-1">
        <title>2.1. Graph Machine Learning</title>
        <sec id="sec-2-1-1">
          <title>The key idea in graph machine learning is to encode the discrete graph structure into low dimensional continuous</title>
          <p>AIMLAI’22: In Proceedings of Advances in Interpretable Machine Learn- vector representations using non-linear dimensionality
ing and Artificial Intelligence (AIMLAI) at CIKM’22
nEvelop-O
LGOBE
0000-0002-0319-3181 (M. Khosla)</p>
          <p>reduction techniques. Popular classes of GraphML
meth</p>
        </sec>
        <sec id="sec-2-1-2">
          <title>1Here we are only concerned with data privacy. Model Privacy or</title>
          <p>protecting the model itself against, for example, stealing model
parameters is out of the scope of this paper.</p>
          <p>Which model provides the best prediction
over the unseen test set? E!ectiveness
Privacy attacks</p>
          <p>Bob</p>
          <p>Graph Machine</p>
          <p>Learning</p>
          <p>Trade-o!s
Privacy</p>
          <p>Transparency</p>
          <p>Bob</p>
          <p>X
Membership Inference : Was Bob part of training data?</p>
          <p>Link Inference : Who are Bob’s friends ?
Attribute Inference : Does Bob smoke?
Decision: Bob to be denied of loan
Explanation: In terms important features and
connections (marked as red)
ods include random walk based strategies [23, 24] which Specifically, predictions on graphs are induced by a
encode structural similarity of the nodes exposed by their complex combination of nodes and paths of edges
beco-occurrence in random walks; matrix-factorization tween them in addition to the node features. A trivial
based [25] which rely on low rank factorization of some application of existing explainability methods to graph
node similarity matrix; and the most popular graph neural models cannot account for the role of graph structure
networks (GNNs) [26, 27] which learns node represen- in the model decision. Consequently several graph
spetations by recursive aggregation and transformation of cific explainability approaches have been recently
develneighborhood features. These methods are usually non- oped which focus primarily on explaining graph neural
transparent and are shown to be prone to privacy leakage networks’ decisions for node and graph classification
risks. [32, 33].</p>
          <p>
            Explanations usually include the importance scores for
Towards improving the adoption of these meth- nodes/edges in a subgraph (or node’s neighborhood in
ods in sensitivity applications like healthcare case of node-level task) and the node features [11, 12, 13].
and medicine the community has started pay- Figure 2 depicts an example of an explanation over graph
ing attention to the aspects of transparency and data. Depending on the explanation method, the
imprivacy. However these aspects have been so portance scores could be either continuous (soft masks)
far studied independently (see also Figure 1 for or binary (hard masks). A few works have also been
an illustration). A formal investigation into proposed to explain dense unsupervised node
representhe linked role of transparency and privacy in tations [34, 35]. In terms of methodologies, several
techachieving trustworthy GraphML is missing. niques based on input perturbations [11, 12, 13], input
gradients[
            <xref ref-type="bibr" rid="ref7 ref8">36, 37</xref>
            ], causal techniques [
            <xref ref-type="bibr" rid="ref9">34, 38, 33</xref>
            ] as well
as utilizing simpler surrogate models [14] have been
explored.
2.2. Transparency for GraphML Models Another methodology to provide transparency is to
Transparency for deep models, as in GraphML, is usu- develop interpretable by design models [
            <xref ref-type="bibr" rid="ref10">15, 16, 39</xref>
            ]. Such
ally achieved by providing explanations corresponding to models usually contain a self-explanatory module trained
decisions of an already trained model or by building inter- jointly with the learner module. Explanations are thus,
pretable by design or self-explaining models. Numerous by design, faithful to the model.
approaches have been proposed in the literature for ex- A few other works also focus on unifying diverse
noplaining general machine learning models [28, 29, 30, 31]; tions of evaluation strategies [
            <xref ref-type="bibr" rid="ref11 ref8">40, 37</xref>
            ] necessary for
efechowever, models learned over graph-structured data have tively assessing the quality and utility of explanations.
some unique challenges.
          </p>
          <p>Despite the progress in improving transparency
of GraphML techniques its efect on data
privacy has escaped attention. While transparency
could increase the utility of the model, for
sensitive applications any unaddressed concerns for
privacy can hinder the full adoption of the
models and further dissuade the participants to share
their data.</p>
        </sec>
      </sec>
      <sec id="sec-2-2">
        <title>2.3. Privacy in GraphML</title>
        <sec id="sec-2-2-1">
          <title>Deep learning models, in general, are known to leak</title>
          <p>
            private information about the employed training data.
Recent works showed that trained model on graph data
can leak sensitive information about the training data
(see Figure 3) like node membership [7, 8], certain dataset
properties [
            <xref ref-type="bibr" rid="ref12">41</xref>
            ] and connectivity structure of the nodes
[9]. In Figure 3 we illustrate the possibility of diferent
privacy attacks given access to trained GraphML model.
Compared to general deep learning models, GraphML is
more vulnerable to privacy risks as they incorporate not
only the node features/labels but also the graph structure
[7].
          </p>
          <p>
            Privacy-preserving techniques for graph models are
mainly based on diferential privacy [
            <xref ref-type="bibr" rid="ref13">42, 7, 19, 20</xref>
            ] and
adversarial training frameworks [
            <xref ref-type="bibr" rid="ref14 ref15 ref16">43, 44, 45</xref>
            ]. The key
idea in diferential privacy [
            <xref ref-type="bibr" rid="ref17">46</xref>
            ] is to conceal the presence
of a single individual in the dataset. In particular, if we
query a dataset containing  individuals, the query’s
result will be probabilistically indistinguishable from the
result of querying a neighboring dataset with one less
or one more individual. For machine learning models,
such probabilistic indistuinguishability is achieved by
adding appropriate levels of noise at diferent levels of
model development. For instance, [
            <xref ref-type="bibr" rid="ref13">42</xref>
            ] employs objective
perturbation mechanism to develop diferential private
network embeddings. Olatunji et al. [7] combines the
knowledge-distillation framework with the two noise
mechanisms, random subsampling, and noisy labeling to
release graph neural networks under diferential privacy
guarantees. In particular it uses only a random sample
of private data to train teacher models corresponding to
nodes in an unlabelled public dataset. The final model
which is later released is trained on public data using
the noisy labels generated by the teacher models. Other
works [20, 19] do not build a separate public model but
achieve DP via adding noise directly to the aggregation
module of GNNs. Adversarial defence to privacy attacks
on GNNs is proposed in [
            <xref ref-type="bibr" rid="ref14">43</xref>
            ], in which the predictability
of private labels is destroyed and the utility of perturbed
graphs is maintained. An adversarial learning approach
based on mini-max game between the desired graph
feature encoder and the worst-case attacker is proposed in
[
            <xref ref-type="bibr" rid="ref15">44</xref>
            ] to address the attribute inference attack on GNNs.
          </p>
        </sec>
        <sec id="sec-2-2-2">
          <title>Despite the growing number of works in im</title>
          <p>proving privacy in GraphML, its efect on
transparency of these models is not at all studied.
The complex mechanisms employed to ensure
privacy further hurts the model transparency.
Consequently it is not clear if existing
explainers can be used to explain the decision making
process of privacy-preserving models.</p>
        </sec>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. A Unified Perspective</title>
      <sec id="sec-3-1">
        <title>Graphs are powerful abstractions that facilitate leverag</title>
        <p>ing data interconnection to represent, predict, and
explain real-world phenomena. Exploiting such explicit
or latent data interconnections, on the one hand, makes
GraphML more powerful but also brings in additional
challenges, further exacerbating the need for a joint
investigation of privacy and transparency. In following
?
Tries to infer private information
Node Membership Inference : Is Bob a part of training data?
Relation reconstruction :
Who are friends of Bob?
Attribute Inference :
Does Bob smoke?
we discuss the key issues arising due to the independent
treatment of privacy and transparency for GraphML.
3.1. Diverse explanation types and
methods
complex privacy-preserving mechanisms, which results
in a further loss of transparency. To understand the issue,
consider a simple diferential privacy-based mechanism
in which randomized noise is added to the model’s
output. Such noise could alter the final decision but not the
decision process that an explanation (according to its
current definition) is usually expected to reveal. Model
agnostic approaches for explainability, which only
assume black-box access to the trained model, might be
misguided by such alteration in the final decision.</p>
      </sec>
      <sec id="sec-3-2">
        <title>Model explanations for graph data are usually in the form</title>
        <p>of feature and neighborhood (subgraph) attributions. In
particular, importance scores for node features and its
neighboring nodes/edges are released as explanations.</p>
        <p>Neighborhood attributions or structure explanations are
a more direct form of information leakage. They can be, 3.3. The curse of overfitting
for example, leveraged to identify nodes in the training
set or infer hidden attributes of sensitive nodes using the In traditional machine learning, we can randomly divide
attributes of their neighbors. the data into two parts to obtain training and test sets. It</p>
        <p>
          Besides, the data points (nodes) in graph data are cor- is more tricky in graphs where the data points are
conrelated, thus violating the usual i.i.d. assumption over nected, and random data sampling may result in non i.i.d.
data distributions. Consequently, the decisions and ex- train and test sets. Even for the task of graph
classificaplanations over correlated nodes might themselves be tion where the graphs constitute the datapoints instead
correlated. Such correlations among released explana- of the the nodes, distributional changes are common in
tions might be exploited to reconstruct sensitive infor- train and test splits [
          <xref ref-type="bibr" rid="ref18">47</xref>
          ] due to varying graph structure
mation of the training data. For example, the similarity and size. Specifically, the train set may contain specific
in feature explanations for recommendations to two con- spurious correlations which are not representative of the
nected users might reveal the sensitive link information entire dataset. This puts GraphML models at a higher risk
they want to hide. Towards this [22] show that the link of overfitting to sample specific correlations rather than
structure of the training graph can be reconstructed with learning the desired general patterns [
          <xref ref-type="bibr" rid="ref19">48</xref>
          ]. Existing
pria high success rate even if only the feature explanations vacy attacks have leveraged overfitting to reveal sensitive
are available. information about the training sample [
          <xref ref-type="bibr" rid="ref20">49</xref>
          ]. Exploiting
associated explanations, which in principle should reveal
3.2. Transparency of private models learned spurious correlations, can further aid in privacy
leakage.
        </p>
      </sec>
      <sec id="sec-3-3">
        <title>Moreover, due to the correlated nature of the graph data, privacy-preserving mechanisms on graph models need to focus on several aspects such as node privacy, edge privacy, and attribute privacy [20]. This leads to more</title>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Research Directions</title>
      <p>
        Based on the described issues and challenges in the
previous section, we recommend the following research
directions towards a formal investigation of
privacytransparency tradeofs.
using stochastic attention mechanisms [
        <xref ref-type="bibr" rid="ref10">39</xref>
        ], graph
sparsification strategies [ 16] etc. These methods are
claimed to remove spurious correlations in the
training phase leading to a reduction in overfitting. A
possible research direction is further exploiting such
transparency strategies to minimize privacy leakage.
1. New Threat Models. A first step is to quantify the
privacy risks of releasing post-hoc explanations. To- 5. Conclusion
wards that, we need to design new threat models
and structure-aware privacy attacks in the presence of There has been an unprecedented rise in the popularity
post-hoc model explanations. Care should be taken of graph machine learning in recent years. With its
growto formulate realistic assumptions on adversary’s back- ing applications in sensitive areas, several works focus
ground knowledge. For example, in highly homophilic independently on their transparency and privacy aspects.
graphs, an adversary might be able to approximate We provide a unified perspective on the need for a joint
well the link structure of the graph only if the node investigation of privacy and transparency in GraphML.
features/labels are available. What information expla- We hope to start a discussion and foster future research
nations could leak in addition when explanations are in quantifying and resolving the privacy-transparency
provided? tradeofs in GraphML. Resolution of such tradeofs would
make GraphML more accessible to stakeholders currently
tied down by regulatory concerns and lack of trust in the
solutions.
2. Risk-utilty assessment of diferent explanation
types and methods. Model explanations for
GraphML can be in the form of feature or node/edge
importance scores. Besides, existing explanation
methods are based on diferent methodologies and
might be discovering diferent aspects of the model
decision process. Depending on the dataset and
application, certain types of explanation methods and types
of explanation (feature or structural) might be
preferred over others. A dataset and application-specific
risk-utility assessment might reveal more favorable
explanations for minimizing privacy loss. For instance,
[22] finds that gradient-based feature explanations
have the least predictive (faithfulness to the model)
power for the task of node classification but leak the
most amount of information about the private
structure of the training graph. In such cases, one can
decide not to reveal such an explanation as it has little
utility for the user.
3. Transparency of privacy-preserving models.
Besides evaluating the privacy risks of releasing
explanations, it is essential to analyze the transparency of
privacy-preserving techniques. It is not clear if
existing explanation strategies can faithfully explain the
privacy-preserving models’ decisions. Questions like
what should be the properties of explanations of such
models? What constitutes a faithful explanation? need
to be investigated. Consequently new techniques to
explain privacy preserving models need to be
developed.
      </p>
      <sec id="sec-4-1">
        <title>4. Reducing overfitting. Overfitting is usually con</title>
        <p>sidered a common enemy for model efectiveness on
unseen data and privacy. Recently, a few works have
proposed interpretable by design models for example
worthy graph neural networks: Privacy, robust- Communications Security, 2021, pp. 2130–2145.
ness, fairness, and explainability, arXiv preprint [20] S. Sajadmanesh, A. S. Shamsabadi, A. Bellet,
arXiv:2204.08570 (2022). D. Gatica-Perez, Gap: Diferentially private graph
[7] I. E. Olatunji, W. Nejdl, M. Khosla, Membership in- neural networks with aggregation perturbation,
ference attack on graph neural networks, in: 2021 arXiv preprint arXiv:2203.00949 (2022).
IEEE International Conference on Trust, Privacy [21] R. Shokri, M. Strobel, Y. Zick, On the
priand Security in Intelligent Systems and Applica- vacy risks of model explanations, in:
Proceedtions (TPS-ISA), IEEE Computer Society, Los Alami- ings of the 2021 AAAI/ACM Conference on AI,
tos, CA, USA, 2021, pp. 11–20. Ethics, and Society, AIES ’21, Association for
[8] V. Duddu, A. Boutet, V. Shejwalkar, Quantifying pri- Computing Machinery, New York, NY, USA, 2021,
vacy leakage in graph embedding, in: MobiQuitous p. 231–241. URL: https://doi.org/10.1145/3461702.
2020-17th EAI International Conference on Mobile 3462533. doi:1 0 . 1 1 4 5 / 3 4 6 1 7 0 2 . 3 4 6 2 5 3 3 .
and Ubiquitous Systems: Computing, Networking [22] I. E. Olatunji, M. Rathee, T. Funke, M. Khosla,
Priand Services, 2020, pp. 76–85. vate graph extraction via feature explanations, in:
[9] Z. Zhang, Q. Liu, Z. Huang, H. Wang, C. Lu, C. Liu, Accepted for publication in 23rd Privacy Enhancing
E. Chen, Graphmi: Extracting private graph data Technologies Symposium (PETS 2023), 2023. URL:
from graph neural networks, in: Z.-H. Zhou https://arxiv.org/abs/2206.14724.
(Ed.), Proceedings of the Thirtieth International [23] B. Perozzi, R. Al-Rfou, S. Skiena, Deepwalk: Online
Joint Conference on Artificial Intelligence, IJCAI-21, learning of social representations, in: KDD, 2014.
2021, pp. 3749–3755. [24] M. Khosla, J. Leonhardt, W. Nejdl, A. Anand, Node
[10] X. He, J. Jia, M. Backes, N. Z. Gong, Y. Zhang, Steal- representation learning for directed graphs, in:
ing links from graph neural networks, in: 30th ECML, 2019.</p>
        <p>USENIX Security Symposium (USENIX Security 21), [25] C. Zhou, Y. Liu, X. Liu, Z. Liu, J. Gao, Scalable graph
2021, pp. 2669–2686. embedding for asymmetric proximity., in: AAAI,
[11] R. Ying, D. Bourgeois, J. You, et al., GNN explainer: 2017, pp. 2942–2948.</p>
        <p>A tool for post-hoc explanation of graph neural net- [26] T. N. Kipf, M. Welling, Semi-supervised
classificaworks, Advances in neural information processing tion with graph convolutional networks, in: ICLR,
systems 32 (2019) 9240–9251. 2017.
[12] T. Funke, M. Khosla, M. Rathee, A. Anand, Zorro: [27] W. L. Hamilton, R. Ying, J. Leskovec, Inductive
repValid, sparse, and stable explanations in graph neu- resentation learning on large graphs, in: NeurIPS,
ral networks, IEEE Transactions on Knowledge and 2017.</p>
        <p>Data Engineering (2022) 1–12. doi:1 0 . 1 1 0 9 / T K D E . [28] J. Chen, L. Song, M. J. Wainwright, M. I. Jordan,
2 0 2 2 . 3 2 0 1 1 7 0 . Learning to explain: An information-theoretic
per[13] D. Luo, W. Cheng, D. Xu, W. Yu, B. Zong, H. Chen, spective on model interpretation, arXiv:1802.07814
X. Zhang, Parameterized explainer for graph neural (2018).
network, Advances in Neural Information Process- [29] J. Yoon, J. Jordon, M. van der Schaar, Invase:
ing Systems 33 (2020). Instance-wise variable selection using neural
net[14] M. N. Vu, M. T. Thai, Pgm-explainer: Probabilis- works, ICLR (2018).</p>
        <p>tic graphical model explanations for graph neural [30] A. Binder, G. Montavon, S. Lapuschkin, K.-R. Müller,
networks, in: NeurIPS, 2020. W. Samek, Layer-wise relevance propagation for
[15] J. Yu, T. Xu, Y. Rong, Y. Bian, J. Huang, R. He, Graph neural networks with local renormalization layers,
information bottleneck for subgraph recognition, in: ICANN, 2016.</p>
        <p>arXiv preprint arXiv:2010.05563 (2020). [31] M. Sundararajan, A. Taly, Q. Yan, Axiomatic
attri[16] M. Rathee, Z. Zhang, T. Funke, M. Khosla, A. Anand, bution for deep networks, in: PMLR, 2017.</p>
        <p>Learnt sparsification for interpretable graph neural [32] H. Yuan, J. Tang, X. Hu, S. Ji, Xgnn: Towards
modelnetworks, arXiv preprint arXiv:2106.12920 (2021). level explanations of graph neural networks, in:
[17] Z. Zhang, Q. Liu, H. Wang, C. Lu, C. Lee, Protgnn: SIGKDD, 2020.</p>
        <p>Towards self-explaining graph neural networks, [33] Y. Gao, T. Sun, R. Bhatt, D. Yu, S. Hong, L. Zhao,
arXiv preprint arXiv:2112.00911 (2021). Gnes: Learning to explain graph neural networks,
[18] I. E. Olatunji, T. Funke, M. Khosla, Releasing graph in: ICDM, 2021.</p>
        <p>neural networks with diferential privacy guaran- [34] B. Kang, J. Lijfijt, T. De Bie, Explaine: An approach
tees, arXiv preprint arXiv:2109.08907 (2021). for explaining network embedding-based link
pre[19] S. Sajadmanesh, D. Gatica-Perez, Locally private dictions, arXiv:1904.12694 (2019).
graph neural networks, in: Proceedings of the [35] M. Idahl, M. Khosla, A. Anand, Finding
inter2021 ACM SIGSAC Conference on Computer and pretable concept spaces in node embeddings using</p>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>T.</given-names>
            <surname>Gaudelet</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Day</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. R.</given-names>
            <surname>Jamasb</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Soman</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Regep</surname>
          </string-name>
          , G. Liu,
          <string-name>
            <given-names>J. B. R.</given-names>
            <surname>Hayter</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Vickers</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Roberts</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Tang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Roblin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. L.</given-names>
            <surname>Blundell</surname>
          </string-name>
          ,
          <string-name>
            <surname>M. M. Bronstein</surname>
            ,
            <given-names>J. P.</given-names>
          </string-name>
          <string-name>
            <surname>Taylor-King</surname>
          </string-name>
          ,
          <article-title>Utilizing graph machine learning within drug discovery and development</article-title>
          ,
          <source>Briefings in Bioinformatics</source>
          <volume>22</volume>
          (
          <year>2021</year>
          ).
          <source>doi:1 0 . 1 0 9 3 / b i b / b b a b 1</source>
          <volume>5</volume>
          <fpage>9</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>T. N.</given-names>
            <surname>Dong</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Mucke</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Khosla</surname>
          </string-name>
          ,
          <article-title>Mucomid: A multitask graph convolutional learning framework for mirna-disease association prediction</article-title>
          ,
          <source>IEEE/ACM Transactions on Computational Biology and Bioinformatics</source>
          (
          <year>2022</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>R.</given-names>
            <surname>Ying</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>He</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Chen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Eksombatchai</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W. L.</given-names>
            <surname>Hamilton</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Leskovec</surname>
          </string-name>
          ,
          <article-title>Graph convolutional neural networks for web-scale recommender systems</article-title>
          ,
          <source>in: Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD '18</source>
          ,
          <string-name>
            <surname>ACM</surname>
          </string-name>
          ,
          <year>2018</year>
          , pp.
          <fpage>974</fpage>
          -
          <lpage>983</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>A.</given-names>
            <surname>Sanchez-Gonzalez</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Godwin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Pfaf</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Ying</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Leskovec</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Battaglia</surname>
          </string-name>
          ,
          <article-title>Learning to simulate complex physics with graph networks</article-title>
          ,
          <source>in: International Conference on Machine Learning, PMLR</source>
          ,
          <year>2020</year>
          , pp.
          <fpage>8459</fpage>
          -
          <lpage>8468</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>T. N.</given-names>
            <surname>Dong</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Johanna</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Mucke</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Khosla</surname>
          </string-name>
          ,
          <article-title>A message passing framework with multiple data integration for mirna-disease association prediction</article-title>
          , Scientific
          <string-name>
            <surname>Reports</surname>
          </string-name>
          (
          <year>2022</year>
          ).
          <source>doi: 1 0 . 1 0 3 8 / s 4 1</source>
          <volume>5 9 8 - 0 2 2 - 2 0 5 2 9 - 5</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>E.</given-names>
            <surname>Dai</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Zhao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Zhu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Xu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z.</given-names>
            <surname>Guo</surname>
          </string-name>
          , H. Liu,
          <string-name>
            <given-names>J.</given-names>
            <surname>Tang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Wang</surname>
          </string-name>
          ,
          <article-title>A comprehensive survey on trustknowledge bases</article-title>
          ,
          <source>in: Workshops of ECML PKDD</source>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [36]
          <string-name>
            <given-names>P. E.</given-names>
            <surname>Pope</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Kolouri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Rostami</surname>
          </string-name>
          , et al.,
          <article-title>Explainability methods for graph convolutional neural networks</article-title>
          ,
          <source>in: CVPR</source>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [37]
          <string-name>
            <given-names>B.</given-names>
            <surname>Sanchez-Lengeling</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Wei</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Lee</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Reif</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Wang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W. W.</given-names>
            <surname>Qian</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>McCloskey</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Colwell</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Wiltschko</surname>
          </string-name>
          ,
          <article-title>Evaluating attribution for graph neural networks</article-title>
          ,
          <source>NeurIPS</source>
          (
          <year>2020</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [38]
          <string-name>
            <given-names>M.</given-names>
            <surname>Bajaj</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Chu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z. Y.</given-names>
            <surname>Xue</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Pei</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Wang</surname>
          </string-name>
          , P. C.
          <string-name>
            <surname>-H. Lam</surname>
            ,
            <given-names>Y. Zhang,</given-names>
          </string-name>
          <article-title>Robust counterfactual explanations on graph neural networks</article-title>
          ,
          <source>Advances in Neural Information Processing Systems</source>
          <volume>34</volume>
          (
          <year>2021</year>
          )
          <fpage>5644</fpage>
          -
          <lpage>5655</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [39]
          <string-name>
            <given-names>S.</given-names>
            <surname>Miao</surname>
          </string-name>
          , M. Liu,
          <string-name>
            <given-names>P.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <article-title>Interpretable and generalizable graph learning via stochastic attention mechanism</article-title>
          ,
          <source>arXiv preprint arXiv:2201.12987</source>
          (
          <year>2022</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [40]
          <string-name>
            <given-names>M.</given-names>
            <surname>Rathee</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Funke</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Anand</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Khosla</surname>
          </string-name>
          ,
          <article-title>Bagel: A benchmark for assessing graph neural network explanations, 2022</article-title>
          . URL: https://arxiv.org/abs/2206. 13983.
          <source>doi:1 0 . 4 8</source>
          <volume>5 5</volume>
          <fpage>0</fpage>
          <string-name>
            <surname>/ A R X I</surname>
          </string-name>
          <article-title>V . 2 2 0 6 . 1 3 9 8 3</article-title>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [41]
          <string-name>
            <given-names>Z.</given-names>
            <surname>Zhang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Chen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Backes</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Shen</surname>
          </string-name>
          ,
          <string-name>
            <surname>Y. Zhang,</surname>
          </string-name>
          <article-title>Inference attacks against graph neural networks</article-title>
          ,
          <source>in: Proc. USENIX Security</source>
          ,
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [42]
          <string-name>
            <given-names>D.</given-names>
            <surname>Xu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Yuan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>X.</given-names>
            <surname>Wu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Phan</surname>
          </string-name>
          , Dpne:
          <article-title>Diferentially private network embedding</article-title>
          ,
          <source>in: Pacific-Asia Conference on Knowledge Discovery and Data Mining</source>
          , Springer,
          <year>2018</year>
          , pp.
          <fpage>235</fpage>
          -
          <lpage>246</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [43]
          <string-name>
            <surname>I.-C. Hsieh</surname>
          </string-name>
          , C.-T. Li,
          <article-title>Netfense: Adversarial defenses against privacy attacks on neural networks for graph data</article-title>
          ,
          <source>IEEE Transactions on Knowledge and Data Engineering</source>
          (
          <year>2021</year>
          )
          <fpage>1</fpage>
          -
          <lpage>1</lpage>
          .
          <source>doi:1 0 . 1 1</source>
          0 9 / T K D E .
          <volume>2 0 2 1 . 3 0 8 7 5 1 5 .</volume>
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [44]
          <string-name>
            <given-names>P.</given-names>
            <surname>Liao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Zhao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Xu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Jaakkola</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. J.</given-names>
            <surname>Gordon</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Jegelka</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Salakhutdinov</surname>
          </string-name>
          ,
          <article-title>Information obfuscation of graph neural networks</article-title>
          ,
          <source>in: International Conference on Machine Learning, PMLR</source>
          ,
          <year>2021</year>
          , pp.
          <fpage>6600</fpage>
          -
          <lpage>6610</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [45]
          <string-name>
            <given-names>K.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Luo</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Ye</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Ji</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z.</given-names>
            <surname>Cai</surname>
          </string-name>
          ,
          <article-title>Adversarial privacy-preserving graph embedding against inference attack</article-title>
          ,
          <source>IEEE Internet of Things Journal</source>
          <volume>8</volume>
          (
          <year>2020</year>
          )
          <fpage>6904</fpage>
          -
          <lpage>6915</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [46]
          <string-name>
            <given-names>C.</given-names>
            <surname>Dwork</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>McSherry</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Nissim</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Smith</surname>
          </string-name>
          ,
          <article-title>Calibrating noise to sensitivity in private data analysis</article-title>
          ,
          <source>in: Theory of cryptography conference</source>
          , Springer,
          <year>2006</year>
          , pp.
          <fpage>265</fpage>
          -
          <lpage>284</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [47]
          <string-name>
            <given-names>H.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>X.</given-names>
            <surname>Wang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z.</given-names>
            <surname>Zhang</surname>
          </string-name>
          , W. Zhu,
          <article-title>Out-ofdistribution generalization on graphs: A survey</article-title>
          ,
          <source>arXiv preprint arXiv:2202.07987</source>
          (
          <year>2022</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [48]
          <string-name>
            <given-names>Q.</given-names>
            <surname>Zhu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Ponomareva</surname>
          </string-name>
          , J. Han,
          <string-name>
            <given-names>B.</given-names>
            <surname>Perozzi</surname>
          </string-name>
          ,
          <article-title>Shiftrobust gnns: Overcoming the limitations of localized graph training data</article-title>
          ,
          <source>Advances in Neural Information Processing Systems</source>
          <volume>34</volume>
          (
          <year>2021</year>
          )
          <fpage>27965</fpage>
          -
          <lpage>27977</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [49]
          <string-name>
            <given-names>S.</given-names>
            <surname>Yeom</surname>
          </string-name>
          ,
          <string-name>
            <surname>I. Giacomelli</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Menaged</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Fredrikson</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Jha</surname>
          </string-name>
          , Overfitting, robustness, and
          <article-title>malicious algorithms: A study of potential causes of privacy risk in machine learning</article-title>
          ,
          <source>Journal of Computer Security</source>
          <volume>28</volume>
          (
          <year>2020</year>
          )
          <fpage>35</fpage>
          -
          <lpage>70</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>