Dynamic Node Privacy Feature Decoupling Graph Autoencoder Based on Attention Mechanism

Abstract

Graph autoencoders’ inherent capability to capture node feature correlations poses significant privacy risks through attackers inference. Previous feature decoupling approaches predominantly apply uniform privacy protection across nodes, disregarding the varying sensitivity levels inherent in graph structures. To solve the above problems, we propose a novel dual-path graph autoencoder incorporating attention-aware privacy adaptation. Firstly, we design an attention-driven metric learning framework to quantify node-specific privacy importance through attention weights and select important nodes to construct the privacy distribution, so that realizing the dynamically privacy decoupling and reducing utility loss. Then, we introduce Hilbert-Schmidt Independence Criterion (HSIC) to measure the dependence between privacy and non-privacy information, which avoids the deviations that occur when using approximate methods such as variational inference. Finally, we use the method of alternating training to comprehensively evaluate the privacy importance of nodes. Experimental results on three real-world datasets—Yale, Rochester, and Credit Defaulter—demonstrate that our proposed method significantly outperforms existing approaches like PVGAE, GAE-MI, and APGE, where the inference accuracy regarding privacy decreased by 25.5%, but the accuracy rate of link prediction achieved the highest 84.7% compared to other methods.

1. Introduction

Graph Neural Network (GNN)-based graph embedding techniques have demonstrated powerful capabilities in processing and analyzing large-scale graph data, with applications in social network analysis [1], recommendation systems [2], and traffic flow prediction [3]. Graph autoencoders [4] further enhance the representational capacity of graph embeddings by integrating node representation learning and graph data reconstruction through an encoder-decoder framework. However, since graph autoencoders can highly fit both the topological structure and node attributes of graph data, they may inadvertently capture fine-grained details of the learned data, posing privacy leakage risks in the released graph embeddings. For instance, attackers could exploit the model’s capabilities in multiple ways: they might reconstruct adjacency matrices through the decoder to expose sensitive social relationships, leverage the encoder’s latent space to execute membership inference attacks [5], or perform attribute inference attacks by analyzing and quantifying specific data patterns present in the graph embeddings [6]. Therefore, privacy decoupling within the graph embedding process is a critical technique for preserving privacy.

Moreover, prior work has not accounted for the varying global importance of nodes, which necessitates different degrees of privacy decoupling intensity. Quantifying node importance inherently involves weight information correlated with privacy features, and these weights directly impact the representational performance of nodes, influencing the analytical capability of graph embeddings in downstream tasks. Therefore, developing a privacy decoupling mechanism capable of dynamically calibrating protection intensity according to nodal importance levels emerges as a crucial yet understudied challenge in achieving trade-off between data privacy and utility.

To solve the above problems, we designed a dual-channel privacy decoupling graph autoencoder based on the attention mechanism. Firstly, we proposed a node importance ranking algorithm. In the privacy graph autoencoder, the self-attention mechanism is used to quantify the importance of different nodes for privacy protection, and the nodes are ranked according to their importance. Secondly, sort by the importance of nodes and select the top-ranked nodes as the data distribution of privacy information. Then, in the utility graph autoencoder, Hilbert-Schmidt Independence Criterion (HSIC) [7] is used to measure the dependence between the corresponding nodes as a penalty term to optimize the network parameters of the utility graph autoencoder. Finally, the privacy rights of each node are dynamically evaluated and adjusted through alternating training, enabling the model to achieve privacy utility trade-ups even when dealing with complex data. The key contributions could be summarized as follows:

• A novel node privacy ranking algorithm that employs attention mechanisms to dynamically score the privacy features of each node, quantifying their privacy importance. This method mitigates the influence of high-privacy nodes in the embedding while retaining low-privacy nodes to ensure data utility.
• We introduce the use of the Hilbert-Schmidt Independence Criterion (HSIC) to assess the dependency relationship between privacy and non-privacy distribution, which avoids the deviations that occur when using approximate methods by means of hypothesis testing
• A dual-channel privacy graph autoencoder that decouples embedded privacy and utility features of graph data. Freezing parameters during alternating training, prevents gradient interference during backpropagation, enhancing the stability of node privacy importance measurement.
• Comprehensive evaluation on real-world graph datasets using node classification and link prediction. Experimental results show that the proposed method effectively resists inference attacks on private information in node classification. It maintains high utility in link prediction while achieving an optimal privacy-utility trade-off.

2. Related Work

Currently, the methods for privacy-preserving graph embedding can be primarily categorized into two types: data perturbation methods and feature decoupling methods. Data perturbation-based methods, exemplified by k-anonymity [8] and its variants [9], employ data obfuscation strategies through graph modification and generalization to obscure sensitive individual information by reducing data granularity. However, k-anonymity strategies exhibit significant utility degradation as graph scale increases. Differential privacy (DP) [10], as a classical privacy preservation framework, guarantees mathematically rigorous privacy protection through randomized noise injection. For example, Sajadmanesh et al. [11] proposed adding Gaussian noise to graph neural network aggregation outputs, with privacy budget analysis demonstrating compliance with DP requirements. Nevertheless, these approaches fail to account for the heterogeneous importance of individual nodes within global graph structures, resulting in suboptimal personalized protection where critical nodes receive inadequate safeguards while trivial nodes suffer from over-protection. Furthermore, optimal privacy budget allocation for high-dimensional graph data remains computationally intractable [12], with numerical configurations predominantly relying on manual trial-and-error and iterative validation, substantially increasing computational overhead. Large-scale noise injection may also distort critical graph structural information, including node degree distributions, community structures, and subgraph patterns, thereby compromising data utility.

To circumvent the dual challenges of utility degradation in data perturbation and computational complexity in noise scaling, feature decoupling-based methods have been proposed. These techniques aim to disentangle privacy-sensitive features from utility-preserving features during graph embedding, thereby preventing adversarial inference of sensitive node attributes through embedded representations. Motivated by this paradigm, several privacy-preserving graph embedding frameworks leveraging adversarial learning and fairness learning have been proposed. To begin with, Bose et al. [13] eliminated the implicit association between node representations and sensitive attributes by constructing a composable fair constraint framework based on adversarial training. However, some researchers point out that it is very difficult to obtain all the private information during the training process in a real environment [14]. Liu et al. [15] and Oh et al. [16] propose a dual-objective framework using adversarial minimax gaming to jointly optimize task performance and privacy protection. A Key innovation lies in decoupling graph embedding into primary task learning and privacy preservation sub-objectives, achieved through iterative parameter optimization that directly obfuscates sensitive features. The method constructs adversarial mappings between feature spaces and privacy labels, systematically erasing sensitive information traces while maximizing embedding utility. Liu et al. [17] proposed a graph privacy funnel framework based on the variational method, achieving the decoupling of sensitive attributes through the information bottleneck objective function and the GNN encoder. The work [18] studies the privacy leakage problem caused by network structure, proposes a new general homogeneity ratio to quantify privacy risk, develops a graph private attribute inference attack as an evaluation tool, and at the same time proposes a graph data publishing method combined with learnable graph sampling technology to effectively protect user privacy and achieve the best balance between privacy and utility. Furthermore, many researchers achieve privacy decoupling by exploring the relationship between privacy and non-privacy features. Especially, Duddu et al. [19] adopted fairness-aware learning by eliminating statistical biases in graph embeddings toward privacy attributes through orthogonal subspace projection constraints, demonstrating particular efficacy in healthcare data scenarios requiring structured isolation of sensitive information. Hu et al. [20] introduced variational independence criteria as regularization terms to enforce mutual independence between distributions of privacy-sensitive and non-sensitive features in low-dimensional embeddings. Nevertheless, the above-mentioned approaches do not take into account the different importance of each node on the global graph data and fail to achieve dynamic privacy decoupling, which will lead to problems such as improper protection of important nodes and excessive protection of secondary nodes.

3. Preliminaries

Variational Graph Autoencoder

Variational graph autoencoder (VGAE) [21] is a generative model based on variational autoencoder and graph convolution networks to embed a graph to a low-demension space. Firstly, the encoder part applies a node-wise transformation by a spectral convolution function:

$$Z^{(l+1)}=f\left(Z^{\left(l\right)},A|W^{\left(l\right)}\right),$$

(1)

where $Z^{(l+1)}$ is the output of prezent layer, and $t{Z}^{\left(l\right)}$ is the output of piror layer. In this paper, $Z^{\left(0\right)}=X$ is the input features matrix of the graph. $W^{\left(l\right)}$ is parameter matrix which will be learned. The spectral convolution function could be specifically formulated as follows:

$$f(Z^{\left(l\right)},A|W^{\left(l\right)})=\varphi \left({\tilde{D}}^{-{\displaystyle \frac{1}{2}}}\tilde{A}{\tilde{D}}^{-{\displaystyle \frac{1}{2}}}{\mathrm{Z}}^{\left(l\right)}{W}^{\left(l\right)}\right),$$

(2)

where $\tilde{A}=A+{\mathrm{I}}_n$ and $\tilde{D}={\sum }_j{\tilde{A}}_{ij}$. $\varphi$ is a non-linearity activation function such as ReLU. Then the encoder part could be constructed as follows:

$$Z^{\left(1\right)}=f_{ReLu}\left(X,A|W^{\left(0\right)}\right),$$

(3)

$$Z^{\left(2\right)}=f_{linear}\left(Z^{\left(1\right)},A|W^{\left(1\right)}\right).$$

(4)

By employing a variational inference model, the following forms can be derived as:

$$q\left(Z\right|X,A)=\prod _{i=1}^{n}q\left(z_i\right|X,A)=\prod _{i=1}^n\mathcal{N}\left(z_i\right|{\mu }_i,\mathrm{diag}\left({\sigma }^2\right)),$$

(5)

where $\mu =Z^{\left(2\right)}$ is the mean vector matrix representing the embedding of node i; similarly, the log-variance $log\sigma =f_{linear}(Z^{\left(1\right)},A|W^{\left(1\right)})$ shares the parameters of the first-layer graph convolutional neural network with the mean $\mu$.

The goal of the VGAE is to embed the graph’s topological structure into a low-dimensional space. Therefore, during the decoding phase, the adjacency matrix is reconstructed through the inner product of the embedding matrix Z. The reconstructed adjacency matrix $\widehat{A}$ can be derived as follows:

$$\widehat{A}=\mathrm{sigmoid}\left(Z{Z}^T\right),$$

(6)

where $Z^T$ is the transpose matrix of the embedding matrix Z. To preserve the graph’s structural information, the VGAE measures the difference between the reconstructed adjacency matrix and the original adjacency matrix by minimizing the cross-entropy loss:

$$L_{rec}={\mathbb{E}}_{q_{\theta }\left(Z\right|X,A)}[log{p}_{\varphi }\left(A\right|Z)]={\displaystyle \frac{1}{N^2}}\sum _{i=1}^N\sum _{j=1}^N{A}_{ij}log\left({\widehat{A}}_{ij}\right).$$

(7)

Finally, the loss function of the variational autoencoder is formulated as:

$$L=L_{rec}-L_{reg}={\mathbb{E}}_{q_{\theta }\left(Z\right|X,A)}[log{p}_{\varphi }\left(A\right|Z)]-\mathrm{KL}[q_{\theta }\left(Z\right|X,A)\parallel p\left(Z\right)],$$

(8)

where $q_{\theta }\left(Z\right|X,A)$ denotes the posterior distribution of the embedding representation Z encoded by the graph neural network; $\mathrm{KL}\left[q\right(·)\parallel p(·\left)\right]$ denotes the KL divergence between distributions $q\left(·\right)$ and $p\left(·\right)$; $p\left(Z\right)$ represents the prior distribution of the embedding representation Z. The second term serves as a regularization term, ensuring that the latent distribution of the graph data explicitly fits a predefined prior distribution.

4. System Model

We primarily focuses on modeling graph data as undirected graphs for research purposes. An undirected graph can be denoted as $G=(A,X)$, where $A\in {\{0,1\}}^{N\times N}$ represents the adjacency matrix, with N being the number of nodes. The node set of graph G can be expressed as $\{v_1,v_2,\dots ,v_N\}$. Additionally, $X\in {\mathbb{R}}^{N\times D}$ signifies the node feature matrix, and D denotes the feature dimension of the nodes. Following the setup similar to that in literature, the feature vector of a node $v_i$ can be characterized as a triplet $(x_i,p_i,y_i)$, where $x_i\in {\mathbb{R}}^{D-k}$ signifies the non-private portion of the node vector, $p_i\in {\mathbb{R}}^k$ represents the private part of the node vector, and $y_i\in \mathbb{R}$ indicates the label of the node. It is assumed that during training, the partial privacy of the users can be accessed, and the process of learning node embeddings involves decoupling to protect user privacy.

As illustrated in Figure 1, the model architecture is based on a dual-channel privacy-disentangled graph autoencoder with an attention mechanism. The model comprises two graph autoencoders: the privacy graph autoencoder and the utility graph autoencoder. Firstly, a privacy graph autoencoder is trained to estimate the privacy distribution of the graph data. An attention layer is inserted between the privacy latent representation and the privacy decoder. This attention layer measures the global importance of nodes for privacy protection through an attention mechanism and ranks them. The nodes with higher importance and their latent representations are selected to constitute the main privacy information distribution. Secondly, during the training of the utility autoencoder, the selected node corresponds to the utility latent representations to form the distribution of utility information. The HSIC is used to measure the dependence between privacy and non-privacy features. HSIC is also incorporated as a penalty term in the optimization process of the utility graph autoencoder. Finally, by alternately training the privacy and utility graph autoencoders, the privacy importance of each node is dynamically calculated, enhancing the robustness of the model across different complex datasets.

5. Method Details

5.1. Node Privacy Ranking by Attention

The proposed method combines two variational graph autoencoders. The former is used to extract the feature representation of the graph, while the latter focuses on estimating privacy-related data. Specifically, the first autoencoder generates low-dimensional embeddings through the graph structure and node features to capture the overall features of the graph, while the second autoencoder estimates the distribution of privacy information through privacy loss. The objective function of privacy autoencoder can be formulated as:

$$L_p={\mathbb{E}}_{q_{{\theta }_p}(Z_p\mid A,X)}\left[log{p}_{{\phi }_p}(P\mid Z_p)\right]-\mathrm{KL}\left[q_{{\theta }_p}(Z_p\mid A,X)\mid p\left(Z_p\right)\right],$$

(9)

where ${\theta }_p$ and ${\phi }_p$ represent the parameters of the privacy encoder and privacy decoder respectively. P is the observed partial private information. $Z_p$ represents the privacy latent representation; $q_{{\phi }_p}(Z_p\mid A,X)$ represents the posterior distribution of the privacy information distribution; $P\left(Z_p\right)$ is the prior distribution of $Z_p$. The objective function shown in (9) contains two parts. The first term is used to estimate the sensitive attribute distribution given the graph structure and non-sensitive attributes. By optimizing this objective, the privacy information can be mapped to a low-dimensional graph embedding representation, thereby enabling inference and prediction of privacy information. The second term is a regularization term, using KL divergence to force the privacy distribution to fit a prior distribution.

To quantify the global importance of nodes for privacy protection, we propose an attention-driven node privacy importance measurement scheme. To begin with, an attention layer [22] is added between the privacy latent embedding representation and the privacy decoder. The attention fraction matrix is updated through the privacy-solving loss. Specifically, this fraction matrix reflects the relative importance of each node in the privacy protection process. We adjust these attention scores by minimizing the reconstruction loss of privacy information so that important nodes contribute more to privacy inference. By summing each column of the attention score matrix and then sorting it from large to small, the global importance score of each node for privacy protection can be obtained.

In practice, for the obtained privacy latent representation, generate the corresponding query Q, key K, and value V through three linear transformations, which can be represented in matrix form as:

$$Q=W_q{Z}_p,$$

(10)

$$K=W_k{Z}_p,$$

(11)

$$V=W_v{Z}_p,$$

(12)

where $W_q$, $W_k$ and $W_v$ represent the corresponding learnable weight parameters. Q reflects the node’s demand to obtain or focus on other nodes in privacy protection; K is used to determine the overall weight of each node in privacy protection; V is a comprehensive measure of the importance of different nodes in privacy protection. Then, by aggregating the information of neighboring nodes through weighted aggregation, the weighted privacy latent representation $\widetilde{Z_p}$ can be obtained as:

$$\widetilde{Z_p}=att{n}_p·V=softmax\left({\displaystyle \frac{Q{K}^T}{\sqrt{d_k}}}\right)·V,$$

(13)

where $att{n}_p\in R^{n\times n}$ is attention score matrix, and ${\mathrm{attn}}_{p_{ij}}$ represents the importance of node j to node i in terms of privacy protection. Summing the columns of ${\mathrm{attn}}_p$ yields the global importance of nodes for privacy protection, which can be mathematically written as:

$${\alpha }_p=\sum _{i=1}^n{\mathrm{attn}}_p[:,j],\forall j\in \{1,2,\dots ,n\},$$

(14)

where ${\alpha }_p$ is the node privacy importance score.

Compared with other node importance assessment methods, such as node centrality measures [23] based on static topological structure, the use of the attention mechanism can adapt to the topological structure and task requirements of different graphs. Meanwhile, by extending the attention mechanism, comprehensive nonlinear relationships and high-order dependencies can be captured.

Finally, the loss function of the privacy-preserving graph autoencoder (9) can be further expressed as:

$$L_p={\mathbb{E}}_{q_{{\theta }_p}\left(\widetilde{Z_p}\right|H)}\left[log{p}_{{\theta }_p}\left(P\right|\widetilde{Z_p})\right]-\mathrm{KL}\left[q_{{\theta }_p}\left(\widetilde{Z_p}\right|A,X)\Vert P\left(\widetilde{Z_p}\right)\right],$$

(15)

The detailed steps of the node privacy importance ranking algorithm are shown in Algorithm 1.

Algorithm 1 Node Privacy Importance Ranking Algorithm

Input:  Adjacency matrix A, node features X, training epochs ${\mathrm{epoch}}_p$, learning rate ${\eta }_p$, partial observed privacy information P Output:  Node privacy importance matrix $\alpha \in {\mathbb{R}}^{n\times 1}$  1:  Initialize network parameters ${\theta }_p$, ${\theta }_f$, ${\phi }_p$  2:  for $i=1$ to ${\mathrm{epoch}}_p$ do  3:       //Generate privacy-preserving latent representation            $Z_p\leftarrow {\theta }_p(A,X)$  4:       //Generate queries, keys and values through attention layer            $Q\leftarrow W_q{Z}_p$, $K\leftarrow W_k{Z}_p$, $V\leftarrow W_v{Z}_p$  5:       //Normalized attention matrix            ${\mathrm{attn}}_p\leftarrow \mathrm{softmax}\left({\displaystyle \frac{Q{K}^T}{\sqrt{d_k}}}\right)$  6:       //Weighted aggregation of neighbor information            ${\tilde{Z}}_p\leftarrow {\mathrm{attn}}_p·V$  7:       //Predicted privacy information            $\widehat{P}={\phi }_p\left(P\right)$  8:       //Compute loss            $L_p\leftarrow {\mathbb{E}}_{q_{{\theta }_p}\left({\tilde{Z}}_p\right|H)}\left[log{p}_{{\phi }_p}\left(P\right|{\tilde{Z}}_p)\right]-\mathrm{KL}\left[q_{{\theta }_p}\left({\tilde{Z}}_p\right|A,X)\Vert P\left({\tilde{Z}}_p\right)\right]$  9:       //Update parameters via gradient descent            ${\theta }_p\leftarrow {\theta }_p-{\eta }_p{\displaystyle \frac{\partial L_p}{\partial {\theta }_p}}$            ${\phi }_p\leftarrow {\phi }_p-{\eta }_p{\displaystyle \frac{\partial L_p}{\partial {\phi }_p}}$  10:       end for  11:  //Compute node privacy importance score         ${\alpha }_p\leftarrow {\sum }_{i=1}^n{\mathrm{attn}}_p[:,j],\hspace{1em}\forall j\in \{1,2,\dots ,n\}$  12:  return ${\alpha }_p$

5.2. Privacy Decoupling Based on Node Privacy Ranking

In order to achieve more accurate privacy information decoupling, based on the node privacy importance scores obtained from Algorithm 1, we sort them in descending order and select the top-k nodes’ indices and their privacy latent representations to construct the privacy distribution of the graph data, which can be formulated as:

$$Z_p^k=\{z_{p1}^{\left(1\right)},z_{p2}^{\left(2\right)},\dots ,z_{pk}^{\left(k\right)}\},$$

(16)

where $Z_p^k$ represents the privacy distribution and $pi$ represents the index of selected nodes. Correspondingly, the latent representations of the selected $top-k$ index nodes in the graph embedding generated by the utility encoder constitute the distribution of non-privacy information:

$$Z_u^k=\{z_{u1}^{\left(1\right)},z_{u2}^{\left(2\right)},\dots ,z_{uk}^{\left(k\right)}\},$$

(17)

where $Z_u^k$ represents the non-privacy distribution and $ui$ is the index of the corresponding nodes.

To eliminate the dependence between the two potential distributions learned and protect sensitive information, we adopt the Hilbert-Schmidt Independence Criterion (HSIC) as the independence measurement method. HSIC maps two random variables or distributions to the regenerating kernel Hilbert space (RKHS) through kernel functions, thereby quantifying the dependence between them. Specifically, HSIC is capable of evaluating the independence between two embedded distributions in a non-parametric manner, thereby avoiding the assumption of specific distribution patterns. From a mathematical perspective, HSIC measures independence through the relationship between two kernel matrices, and the formula is as follows:

$$HSIC(Z_u,Z_s)={\displaystyle \frac{1}{{(n-1)}^2}}\mathrm{tr}\left(R{K}_{u}R{K}_s\right),$$

(18)

$$R=I-{\displaystyle \frac{e{e}^T}{k}},$$

(19)

where I is the identity matrix, and e is a column vector of ones. $K_u$ and $K_s$ represent the Gram matrices of $Z_x$ and $Z_s$, respectively, where the elements are defined as $k_{u,ij}=k_u(z_{ix},z_{jx})$ and $k_{s,ij}=k_s(z_{is},z_{js})$. The kernel functions are derived from inner products. R is the centering matrix used to remove the influence of the distribution means, and $\mathrm{tr}\left(\right)$ denotes the computation of the trace of a matrix. A smaller HSIC value indicates a lower dependency between the two distributions, thereby achieving the goal of decoupling the potential representations. Compared with mutual information, the HSIC independence criterion does not require probability density estimation. It directly calculates independence through the kernel matrix, avoiding errors and complexity in high-dimensional scenarios. Moreover, it can capture linear and nonlinear dependencies through multiple kernel functions and adapt to more complex data distributions.

Therefore, the overall loss function $L_{tot}$ of the utility autoencoder can be expressed as the multi-objective optimization function:

$$\begin{gathered} L_{tol}=L_{adj}-\beta L_{dec}-L_{reg}={\mathbb{E}}_{q_{{\varphi }_f}\left(Z\right|A,X)}\left[log{p}_{{\theta }_f}\left(A\right|Z)\right]-\beta HSIC(Z_u,Z_s) \\ -\mathrm{KL}\left[q_{{\varphi }_f}\left(Z\right|A,X)\Vert p\left(Z\right)\right], \end{gathered}$$

(20)

where the first term $L_{adj}$ is the utility loss, measuring the representational capability of the latent representations. The second term $L_{dec}$ is the privacy decoupling loss, quantifying the dependence between privacy and non-privacy distribution. The third term $L_{reg}$ is the regularization term, constraining the distribution of $q_{{\varphi }_f}\left(Z\right|A,X)$ to minimize its distance from the predefined prior distribution $p\left(Z_u\right)$. The KL divergence $\mathrm{KL}\left[·\right]$ measures the distance between these two distributions. Additionally, $\beta$ is a trade-off factor controlling the strength of privacy decoupling. Higher values of $\beta$ increase privacy decoupling strength but may lead to greater utility loss, while lower values reduce utility loss but weaken privacy protection effectiveness.

5.3. Model Training

This paper adopts an alternating training approach to optimize the objective functions of both the privacy graph autoencoder and utility graph autoencoder, iteratively updating model parameters. In each training epoch, we first train the privacy graph autoencoder to extract the privacy latent representations $Z_p$ and select top-k important nodes based on their importance scores to construct the privacy information data distribution. Next, we train the utility graph autoencoder by computing the cosine similarity between the utility latent representations $Z_u$ of the selected k nodes and their corresponding privacy latent representations $Z_p$. The HSIC penalty enforces orthogonality between the learned utility latent codes and the privacy latent codes, effectively achieving the decoupling of privacy information. During training, we implement a parameter freezing strategy: when the privacy encoder is being trained, we keep the utility encoder parameters ${\theta }_u$ fixed; conversely, when training the utility encoder, the parameters of the privacy encoder ${\theta }_p$ remain unchanged. This approach helps prevent model oscillation, allowing each encoder to focus on its specific objectives. The entire algorithm process is shown as Algorithm 2.

Algorithm 2 Dynamic Privacy Decoupling

Input:  Adjacency matrix A, node features X, utility autoencoder epochs ${epoch}_u$, utility learning rate ${\mathrm{lr}}_u$, privacy autoencoder epochs ${epoch}_p$, selected node count k Output:  Publishable privacy-preserving graph embedding $Z_{pub}$   1:  Initialize network parameters ${\theta }_p$, ${\theta }_f$, ${\phi }_p$   2:  for $i\leftarrow 1$ to ${\mathrm{epoch}}_u$ do   3:     for $j\leftarrow 1$ to ${\mathrm{epoch}}_p$ do   4:       Compute node privacy importance scores $\alpha \in {\mathbb{R}}^{n\times 1}$ via Algorithm 1   5:     end for   6:     //Generate utility latent representation           $Z_u\leftarrow {\theta }_f(A,X)$   7:     //Reconstruct adjacency matrix           $\widehat{A}\leftarrow \mathrm{Sigmoid}\left(Z_u{Z}_u^T\right)$   8:     //Compute reconstruction error           $L_{rec}\leftarrow {\displaystyle \frac{1}{N^2}}{\sum }_{i=1}^N{\sum }_{j=1}^N{A}_{ij}log\left({\widehat{A}}_{ij}\right)$   9:     //Construct the privacy distribution           $Z_p^k\leftarrow \{z_{p1}^{\left(1\right)},z_{p2}^{\left(2\right)},\dots ,z_{pk}^{\left(k\right)}\}$   10:   //Construct the non-privacy distribution           $Z_u^k\leftarrow \{z_{u1}^{\left(1\right)},z_{u2}^{\left(2\right)},\dots ,z_{uk}^{\left(k\right)}\}$   11:   //Compute privacy decoupling loss           $L_{dec}\leftarrow HSIC(Z_u^k,Z_p^k)$   12:   //Compute total utility autoencoder loss           $L_{tot}\leftarrow L_{adj}-\beta L_{dec}-L_{reg}$   13:   //Update parameters via gradient descent           ${\theta }_f\leftarrow {\theta }_f-{\eta }_f{\displaystyle \frac{\partial L_{tot}}{\partial {\theta }_f}}$   14:  end for   15:  return$Z_{pub}$

6. Simulation Results

6.1. Dataset and Evaluation Metrics

We conducted our experiments on three datasets: Yale, Rochester and Credit defaulter, which were constructed in [1]. Yale and Rochester are social network datasets, which are collected from Yale University and Rochester University. These two datasets describe user attributes and their relationships with each other. The Yale contains 8578 nodes, 405,450 edges, while the Rochester contains 4563 nodes, 167,653 edges. The Credit defaulter is an ethical dataset of defaulter, which contains 30,000 individuals with 14 spending and payment patterns. These three datasets offer a large scale and complexity, enabling the model to be evaluated in social networks of different scales and structures, and being able to test both universality and robustness. And all of them are collected from the real world, providing an opportunity for the effectiveness evaluation of the model in practical applications. Additionally, characteristics of these datasets are summarized in

Table 1. Description of datasets.

	Nodes	Edges	Features	Attributes	Average Degree
Yale	8578	405,450	188	6	94.3
Rochester	4563	167,653	236	6	73.5
Credit defaulter	30,000	1,459,992	14	14	97.3

and the dataset visualization is displayed in Figure 2.

The evaluation tasks in this study are divided into two main components: utility tasks and privacy tasks. The utility performance of the models is quantified through link prediction, with the Area Under the ROC Curve (AUC) and Average Precision (AP) serving as key metrics—higher values indicate stronger performance. For node classification, accuracy (ACC) and Macro-F1 are employed to assess the models’ resilience against inference attacks. Specifically, the goal is to maintain high inference accuracy for utility attributes while achieving low accuracy for privacy attributes.

6.2. Compared Models, Attack Model and Parameter Settings

This study conducts a comparative analysis of four representative graph embedding models, specifically including:

(1)

VGAE [21]: VGAE employs a variational autoencoder architecture that combines graph structure reconstruction loss with KL divergence by enforcing latent representations to fit a prior distribution, effectively achieving distributed learning of graph embeddings. Notably, this model does not incorporate any privacy protection mechanisms, thus providing a fundamental reference for evaluating the privacy protection efficacy of subsequent models.

(2)

PVGAE [20]: An enhanced version of the VGAE architecture that introduces a dual-encoder alternating training mechanism. By constructing variational independence constraints, it systematically eliminates privacy-sensitive information from embedded representations. This method achieves targeted privacy stripping while maintaining graph structure representation capabilities.

(3)

GAE-MI [24]: Adopts an adversarial training framework to simultaneously optimize utility performance and privacy protection objectives. Innovatively employs mutual information as the metric: by maximizing application utility mutual information while minimizing privacy leakage mutual information, it constructs a dual-objective optimization function. To improve computational efficiency, it uses variational lower bounds for approximation estimation, significantly reducing computational complexity while ensuring model performance.

(4)

APGE [25]: Based on the classical graph autoencoder architecture, proposes an extended layer fusion mechanism to encode privacy label information into latent space. Designs a dual-path adversarial training strategy: while minimizing public label prediction error, it maximizes privacy label prediction loss through adversarial optimization, thereby achieving active obfuscation of privacy information in latent space.

In summary, while VGAE serves as a baseline model with no privacy mechanisms, PVGAE, GAE-MI, and APGE each implement distinct strategies for privacy protection. PVGAE focuses on eliminating sensitivity through variational independence, GAE-MI emphasizes a balance between utility and privacy via mutual information, and APGE enhances privacy labeling through adversarial optimization. This comparative analysis highlights the varying methodologies employed to achieve privacy preservation in graph embedding frameworks.

This study employs attribute inference attacks as the attack model. Attribute inference attacks aim to analyze publicly available or accessible data, such as published graph embeddings and partial users’ privacy attributes, by training a classifier to infer undisclosed private attributes of target individuals or data, constituting privacy infringement methods for attributes like age, gender, location, etc. For the Yale dataset, class year is selected as the privacy attribute and student/faculty status as the utility attribute; for Rochester, gender is treated as the privacy attribute while class year serves as the utility attribute. In Credit defaulter dataset, we will infer whether a user will default on a credit card payment as a public attribute and consider an individual’s marital status as private attribute. Additionally, for link prediction, this study randomly samples $10\%$ of links as the test set and $10\%$ as negative edges. For node classification tasks, $20\%$ of nodes are randomly selected as the test set. All experiments are implemented on a PC with 64-bit Windows OS, AMD Ryzen 8-core Process CPU, and Nvidia Geforce RTX 4060Ti GPU.

6.3. Overall Utility and Privacy Performance

This study compares DU-GAE with VGAE, PVGAE, GAE-MI, and APGE, with experimental results presented in

Table 2. Utility and privacy evalution on Yale and Rochester.

Dataset	Model	Utility Attribute		Privacy Attribute
		ACC	Macro-F1	ACC	Macro-F1
	VGAE	$0.902\pm 0.001$	$0.895\pm 0.001$	$0.867\pm 0.002$	$0.865\pm 0.001$
	APGE	$0.813\pm 0.001$	$0.780\pm 0.009$	$0.614\pm 0.014$	$0.618\pm 0.015$
Yale	PVGAE	$0.840\pm 0.010$	$0.826\pm 0.002$	$0.740\pm 0.003$	$0.740\pm 0.002$
	GAEMI	$0.709\pm 0.005$	$0.704\pm 0.002$	$0.625\pm 0.010$	$0.636\pm 0.004$
	ours	$0.848\pm 0.001$	$0.839\pm 0.002$	$0.612\pm 0.001$	$0.609\pm 0.010$
	VGAE	$0.873\pm 0.002$	$0.866\pm 0.002$	$0.646\pm 0.001$	$0.645\pm 0.001$
	APGE	$0.852\pm 0.005$	$0.852\pm 0.004$	$0.611\pm 0.005$	$0.606\pm 0.005$
Rochester	PVGAE	$0.830\pm 0.002$	$0.821\pm 0.014$	$0.594\pm 0.013$	$0.593\pm 0.004$
	GAEMI	$0.834\pm 0.011$	$0.826\pm 0.003$	$0.612\pm 0.004$	$0.609\pm 0.006$
	ours	$0.865\pm 0.002$	$0.855\pm 0.002$	$0.569\pm 0.004$	$0.575\pm 0.004$
	VGAE	$0.796\pm 0.002$	$0.638\pm 0.002$	$0.647\pm 0.014$	$0.654\pm 0.017$
	APGE	$0.785\pm 0.003$	$0.640\pm 0.002$	$0.629\pm 0.001$	$0.654\pm 0.001$
Credit defaulter	PVGAE	$0.778\pm 0.003$	$0.621\pm 0.003$	$0.634\pm 0.04$	$0.632\pm 0.004$
	GAEMI	$0.789\pm 0.002$	$0.624\pm 0.018$	$0.619\pm 0.002$	$0.612\pm 0.002$
	ours	$0.775\pm 0.003$	$0.745\pm 0.003$	$0.610\pm 0.010$	$0.611\pm 0.012$

. The findings reveal that without any privacy protection techniques, VGAE suffers from severe privacy leakage issues, where attackers can easily predict node privacy attributes with extremely high accuracy based on the published graph embeddings.

The experimental results demonstrate that our proposed model effectively resists attribute inference attacks, outperforming other privacy-preserving methods in protecting privacy attributes while simultaneously achieving the highest accuracy in utility attribute inference and minimal data utility loss, thereby achieving an optimal privacy-utility trade-off. Specifically, in the Rochester dataset, our method achieves a utility attribute inference accuracy of 0.865 while reducing privacy attribute inference accuracy to the lowest level of 0.575. Notably, our model also achieves the lowest Macro-F1 score for privacy attribute inference compared to other privacy protection methods, indicating successful suppression of privacy information representation in the graph embeddings. Additionally, the variances of each indicator in our method are relatively small, which reflects that the method we proposed has stable performance and good generalization performance in different datasets. For example, in the Yale dataset, both the classification accuracy of utility labels and privacy labels and the variance of Macro-F1 achieved the lowest 0.001, demonstrating the stability of the model.

Unlike PVGAE which decouples privacy latent spaces for all nodes, our approach selectively identifies key nodes through an attention mechanism to construct privacy information distributions. This strategy effectively reduces the utility loss caused by privacy decoupling, demonstrating that uniformly decoupling privacy information across all nodes excessively suppresses non-private information representation. Furthermore, these results confirm that different nodes contribute variably to privacy protection, with some nodes being more critical for data utility—excessive decoupling of such nodes would significantly impair the representational performance of graph embeddings.

6.4. The Impect of Attack Model

To investigate the impact of different attack models on privacy protection, this study implemented two common classification models—MLP and SVM, with their inference results shown in Figure 3. The experimental results demonstrate that different attack models yield varying privacy attribute inference outcomes, yet overall, MLP and SVM maintain highly consistent accuracy rates with minimal divergence. Specifically, the discrepancy between the two attack models’ inference results was more pronounced in the Yale dataset compared to the Rochester dataset. Both MLP and SVM achieved a privacy attribute inference accuracy of 0.075 on graph embeddings generated by PVGAE.

This phenomenon may stem from the distinct classification strategies employed by each attack model: SVM’s performance depends on kernel function selection, while MLP utilizes different activation functions. However, their consistent overall inference performance suggests that the choice of attack model has limited influence on user privacy inference outcomes. Instead, the inherent privacy protection strength of the graph embedding technique and the complexity of different graph datasets play more dominant roles.

Notably, the graph embeddings generated by our proposed method exhibited the smallest performance gap between MLP and SVM across both datasets. This indicates that our alternating training approach comprehensively evaluates each node’s privacy significance while maintaining precise identification of critical privacy nodes, thereby enhancing the model’s robustness and generalizability across diverse graph data

6.5. Sensitive Study

This section primarily evaluates the impact of the number of key nodes and the number of attention heads on data utility and privacy protection performance. Specifically, this study examines different proportions of key nodes relative to the total node count ($10\%$,$30\%$, $50\%$, $70\%$, $90\%$) and selects varying numbers of attention heads (1, 2, 4, 8). The experimental results are presented in Figure 4 and Figure 5.

On one hand, With the increase of key nodes, the accuracy rate of utility attribute classification generally shows an upward trend on the three datasets, while the classification accuracy rate of privacy labels remains stable. Specifically, taking the Credit defaulter dataset as an example, when the number of key nodes is only 10%, the classification accuracy rate of the utility attribute is 0.787. However, when the number of key nodes gradually increases, the change in its accuracy rate first decreases and then increases. But when the proportion of key nodes is 50%, the maximum value of 0.801 is achieved. However, during the proportion change process of key nodes, the classification accuracy rate of privacy tags changed at the maximum of only 0.021, with almost no change. The above phenomenon indicates that the privacy information of graph data is often only contained in a few important nodes, which is also in line with the sparse characteristics of social networks. Excessive decoupling will instead lose utility.

On the other hand, With the increase in the number of attention heads, the accuracy rates of utility attribute classification and privacy attribute classification were relatively stable on the three datasets, among which the achievement on the Rochester dataset was the smallest. Specifically, when the number of attention heads increased from 1 to 8, the change rates of the accuracy rates of utility attribute classification and privacy attribute classification in Rochester were 0.05, from 0.811 to 0.861, and 0.02, from 0.572 to 0.592, respectively. It indicates that the self-attention mechanism has been able to capture relatively comprehensive relationships. Furthermore, in the Credit defaulter dataset, the influence trend of the number of attention heads on the classification accuracy of utility attributes and privacy attributes is the same. This suggests that in model optimization, we should pay attention to other potential factors (such as data processing, feature selection, etc.) to improve the privacy protection performance.

6.6. The Performance of Downstream Tasks

To verify the representation performance of graph embeddings generated by the dual-channel privacy decoupled graph autoencoder based on the attention mechanism, this study uses link prediction to measure its performance in downstream tasks. Since the edges in the Credit defaulter dataset are established based on node similarity, link prediction for them is of no significant meaning. Therefore, we only conduct experimental verification on the Yale and Rochester datasets. The experimental results are shown in Figure 6 and

Table 3. Performance on link prediction.

Methods	Yale		Rochester
	AP	AUC	AP	AUC
VGAE	$0.886\pm 0.003$	$0.891\pm 0.002$	$0.926\pm 0.001$	$0.924\pm 0.011$
APGE	$0.784\pm 0.002$	$0.806\pm 0.002$	$0.892\pm 0.013$	$0.896\pm 0.002$
PVGAE	$0.817\pm 0.003$	$0.827\pm 0.014$	$0.909\pm 0.003$	$0.907\pm 0.002$
GAE-MI	$0.789\pm 0.010$	$0.811\pm 0.013$	$0.874\pm 0.002$	$0.879\pm 0.002$
ours	$0.847\pm 0.001$	$0.859\pm 0.001$	$0.916\pm 0.002$	$0.912\pm 0.011$

. The experimental results show that the method we proposed achieves the best performance on both datasets and two metrics, where in Yale is 0.859 and in Rochester is 0.912. Moreover, the small variance indicates that our method can make stable predictions for the links in the graph, thereby maintaining the performance of graph embedding in downstream tasks. For example, in Yale dataset, when the AUC value is low, such as $FPR=0.2$, it can be observed that the method proposed in this study has a higher true positive rate compared to other privacy protection methods in the lower false positive rate region. This indicates that the method proposed in this study has higher accuracy in predicting low-probability links. In addition, link prediction is essentially a measure of node similarity. The superior performance that the method we proposed can achieve indicates that we maintain the relative distance between two nodes in the original space during the embedding process.

Among them, GAE-MI uses mutual information as the measurement index, but estimates the value of mutual information using the variational lower bound. Especially when dealing with high-dimensional graph data, it is prone to fall into local optimum. Meanwhile, the complex distribution of the graph data itself also exacerbates the difficulty of convergence. Furthermore, PVGAE decoupled privacy from all nodes, resulting in excessive protection of non-critical nodes and thereby affecting data utility. In this study, through the attention mechanism, the key nodes that are important for privacy protection can be precisely screened, thereby avoiding excessive utility loss. Meanwhile, the practice of merely decoupling the privacy information of some key nodes can significantly reduce the damage to the topological integrity of the graph.

7. Conclusions

In this paper, we propose a dynamic node privacy feature decoupling graph autoencoder that fundamentally addresses the static protection dilemma in graph privacy preservation. this study adopts the node-level self-attention weight matrix to dynamically identify highly privacy-sensitive nodes and further screen the key privacy nodes to construct the privacy information distribution of graph data. We propose to use HSIC to test the dependency relationship between privacy and non-privacy distributions. Through the method of alternating training, the importance score of each node can be comprehensively evaluated. Unlike conventional methods that apply uniform protection strategies, our method implements a selective shielding mechanism that automatically adjusts privacy preservation levels according to node privacy importance assessments. Experiments on two real-world datasets show that, compared with other privacy protection methods, our proposed method achieves node privacy protection while maintaining a high level of data utility, effectively balancing the inherent conflict between privacy and utility. In the future research, more potential privacy leakage factors can be considered, such as the high-order correlation between nodes, the interaction between communities or subgraphs, and global quantitative indicators, so as to establish a measurement model closer to the actual privacy threat.