Graph in the Vault: Protecting Edge GNN Inference with Trusted Execution Environment

Ding, Ruyi, Xu, Tianhong, Ding, Aidong Adam, Fei, Yunsi

arXiv.org Artificial Intelligence 

Wide deployment of machine learning models on edge devices has rendered the model intellectual property (IP) and data privacy vulnerable. We propose GNNVault, the first secure Graph Neural Network (GNN) deployment strategy based on a Trusted Execution Environment (TEE). GNNVault follows a "partition-before-training" design and includes a private GNN rectifier that complements a public backbone model. This way, both the critical GNN model parameters and the private graph used during inference are protected within secure TEE compartments. Real-world implementations with Intel SGX demonstrate that GNNVault safeguards GNN inference against state-of-the-art link stealing attacks with negligible accuracy degradation (< 2%).

On-device machine learning has emerged as an important paradigm for tasks requiring low latency and high privacy [1]. This trend has also extended to Graph Neural Networks (GNNs) [4], [5], ensuring the privacy of user data during inference for tasks such as community detection [6], e-commerce personalization [7], and recommender systems [8]. However, local GNN inference grants users significant privileges over local models and data, introducing additional security vulnerabilities [9].