This work is licensed under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.

1. Introduction

To build a highly automated, informative, and intelligent system, the Internet of Things (IoT) integrates numerous communication, computing, and sensing devices, ranging from smartphones to vehicles [1], which is an organic collection of intelligent terminal devices and users. In IoT, widely distributed terminal devices establish reliable wireless links through advanced wireless communication and network technology, forming distributed multidomain networks [2]. Networks are ubiquitous in the real world, such as communication networks, social networks, biological networks, and transportation networks, represented by graphs containing nodes and edges. Similarly, the networks in IoT can also be regarded as graphs with terminal devices as nodes and communication links as edges. Although attractive and convenient, IoT also brings a significant challenge, i.e., the concerns on privacy disclosure [3]. As a new paradigm of big data platform, IoT deploys smart city applications to timely monitor, analyze, and respond to volumes of physical data. The data in IoT collected in a distributed manner are strongly correlated with users’ sensitive status. However, some information platforms disclose private information inadvertently while trading the data, most likely the graphs in IoT. Furthermore, it does not rule out the possibility that malicious attackers may spy on entity privacy, analyze network traffic, and track users’ behavior by stealing the complete network graphs, which invade the entity privacy and threaten the security of the IoT system. At present, the study on privacy for IoT mainly focuses on the privacy of data, identity, and location [4], while rarely mentioning graph privacy, especially the privacy of the communication links between terminal nodes in graphs, i.e., sensitive links. Actually, the disclosure of sensitive links will bring many security threats to the IoT system. For example, some sensitive links usually involve personal privacy, such as the doctor-patient relationship in smart healthcare, one of the typical application scenarios of IoT, and the user trajectories that data requesters may expose when accessing IoT. In addition, in the man-in-the-middle (MITM) attack, hackers will try to intercept private data; control devices in smart homes, smart industries, and smart healthcare; or destroy the communication links in the IoT system, resulting in privacy disclosure, device failure, and even system collapse, which seriously threaten personal privacy, business activities, and industrial operations. Hence, it is imperative to detach private information from the graphs in advance. The most straightforward operation to hide the sensitive links is to delete the sensitive links in the graphs directly. Unfortunately, sensitive links may be predicted out of released data through data mining techniques, even if they have been deleted [5]. As an essential task in data mining, link prediction has been heating up in recent years. More and more link prediction methods and their application technologies have been proposed. Link prediction can predict the relationship between nodes by mapping the graph information to a continuous vector space. While being widely applied in network analysis, link prediction can also be used as an inference attack to speculate the sensitive links in graphs. Therefore, the data publisher shall carry out privacy processing for the published data to defend link prediction attacks while retaining necessary data utility. In recent years, the privacy disclosure caused by link prediction attacks has attracted researchers’ attention, and many researches on antilink prediction have emerged. To defend link prediction based on similarity and deep learning methods, most antilink prediction methods adopt various link disturbances, e.g., random link disturbance, heuristic link disturbance, and evolutionary link disturbance, at the expense of part of data utility [6–13]. Besides, these methods only focus on the graph structure information and fail to consider the unstructured information in graphs, such as node attributes. The node attributes may include the performance, identity, and type of devices, deepening the association strength between nodes and making the attacker’s prediction more accurate. As mentioned above, protecting sensitive links against link prediction attacks is an urgent problem to be solved. Significantly, Li et al. [14] proposed an adversarial privacy graph embedding (APGE) method to conceal users’ sensitive attributes from inference attacks, which opens up a novel idea for our work. In this paper, we intend to fill this blank by developing a graph embedding-based sensitive link protection method named SLPGE. Our basic idea is to use the graph embedding model combined with Variational Graph Autoencoder (VGAE) and Adversarially Regularized Variational Graph Autoencoder (ARVGA) to encode graph data into an embedding matrix before publishing the data. To be concrete, we utilize adversarial training assisted by two schemes to eliminate private information in the embedding matrix. Then, to balance the tradeoff between privacy and utility, we design the loss functions in SLPGE to retain the utility of graph structure and node labels. The main contributions of this paper are summarized below:

(i) This article focuses on the privacy protection of sensitive links in IoT and proposes a sensitive link protection method (SLPGE) to conceal sensitive links from link prediction attacks

The rest of the paper is organized as follows. The related work and preliminaries are reviewed in Sections 2 and 3, respectively. The system models and problem formulation are presented in Section 4. The details of our SLPGE are described in Section 5. The simulation and results are shown in Section 6. Moreover, we give the conclusions and future work in Section 7.

2. Related Work

The emergence of various IoT platforms not only facilitates people’s lives but also generates a huge volume of data-carrying personal information. These data can be modeled into graph structure data, and attackers can then easily expose the privacy information hidden in graphs via link prediction. In this section, we briefly introduce the relevant work of graph privacy protection, link prediction, and antilink prediction.

2.1. Graph Privacy Protection

The main methods of graph privacy protection include anonymization, random disturbance, and clustering. Since Sweeney [15] introduced anonymization into graph structure data, different anonymization variants for graphs have also been derived. Ying and Wu [16] disrupted the graph structure by deleting and adding $k$ edges randomly. Li et al. [17] performed spectral clustering according to the distance between nodes firstly and then anonymized subgraphs. For the graphs with node labels, Yuan et al. [18] proposed the protection method of node attribute label $K$-anonymity to ensure that the labels of at least $k$ nodes are the same. Chester and Srivastava [19] proposed an attribute probability distribution anonymity method to make the probability distribution of the label carried by each node in the attribute sets of its neighbors as close as possible to the global label probability distribution. The random graph modification technology proposed by Hay et al. [20] is the simplest technology to prevent node reidentification and edge exposure. Mittal et al. [9] proposed a link perturbation based on the random walk (LPRW), which improved the privacy and utility of data compared with Hay’s method. In edge clustering methods, Liu et al. [21] proposed privacy protection methods for sensitive edge weights in weighted graphs, adopting Gaussian noise disturbance and greedy disturbance. Zheleva and Getoor [22] mainly considered the privacy of graphs with multiple types of edges and one type of node. Its main idea is to divide the original graph into subgraphs via spectral clustering and then modify the links in the subgraphs and add new links between the subgraphs randomly.

Low data availability and high computational complexity are the common problems of these methods, and their privacy will continue to decrease as inference attacks intensify.

2.2. Link Prediction

Link prediction is aimed at predicting missing facts according to existing entities and has found wide application in social, biological, and communication networks. Known for its powerful inference attack, link prediction has been maliciously used to spy on the privacy of entities in the networks. Among plenty of link prediction methods, classification models such as support vector machine (SVM) [23], multilayer perceptron (MLP) [24], and $k$ nearest neighbor (KNN) [25] regard link prediction as a binary classification problem, in which the connected node pairs and unconnected node pairs are regarded as positive samples and negative samples, respectively.

2.3. Antilink Prediction

At present, most antilink prediction methods for graph structure data disturb the graph structure by adding some new links and deleting part of nonsensitive links strategically to reduce the prediction ability of various link prediction methods and achieve the privacy protection of sensitive links. Liu and Terzi [6] proposed to achieve $k$-degree anonymization through edge addition or deletion strategies. Rousseau et al. [7] proposed two approaches that preserve the coreness of a graph while anonymizing it through various edge modification operations. Fard and Wang [8] and Mittal et al. [9] proposed two structure-aware randomization perturbation methods based on local perturbation and random walk considering the structural proximity of nodes. Zhou et al. [10] regarded the links between the end nodes of a sensitive link and their common nodes as the candidate links to be deleted and expressed the attack on local similarity as an optimization problem to determine which links to delete. Chen et al. [11] proposed an iterative gradient attack (IGA) method based on integral gradient information in Graph Autoencoder (GAE). The gradients obtained by maximizing the loss of sensitive links represent the influence of other links on sensitive links. During $k$ iterations, $n$ links with the largest gradients are modified. Yu et al. [12] combated resource allocation (RA) indicator link prediction via random, heuristic, and evolutionary link disturbance. Among these three methods, random link disturbance increases and changes links without any strategy, heuristic link disturbance reduces the link prediction ranking of node pairs in the test set, and evolutionary link disturbance selects the links to be added and deleted according to the fitness function. Waniek et al. [13] selected to delete or add the most influential links to hide sensitive links by reducing or creating the closed triangles containing sensitive links.

The methods mentioned above can be used in IoT systems to avoid the leakage of sensitive links in data transactions. However, two shortcomings are present in the above methods: the first is that the utility of the graph will be lost due to link disturbance, and the second is that they lack the consideration of the impact of node attributes on link prediction.

3. Preliminaries

As a kind of non-Euclidean data, a graph is difficult to be directly processed by traditional data analysis methods or deep learning models such as Convolutional Neural Network (CNN) [26] and Recurrent Neural Network (RNN) [27] due to the high computational and space overhead. Graph embedding, also called network representation learning, is aimed at mapping graph data, usually a high-dimensional dense matrix to low-dimensional dense vectors. Graph embedding has more flexible and rich calculation methods to apply deep learning models directly for graph analysis tasks. Graph Neural Network (GNN) represents the deep learning method of graph embedding. By modeling the nodes and communication links in the networks, GNN can be applied to solve the privacy disclosure problem in IoT. For the advantages of feature extraction from non-Euclidean data, our SLPGE is based on some GNN models. In this section, the GNN models involved in SLPGE, e.g., Graph Convolutional Network (GCN), VGAE, and ARVGA, are briefly introduced. For the sake of clarity, the frequently used notations and their meanings are listed in Table 1.

Table 1

Summary of notations.

3.1. Graph Convolutional Network

In 2013, Bruna et al. [28] first proposed the neural network on the graph and gave two structures based upon a hierarchical clustering of the domain and the spectrum of the graph Laplacian. As a typical GNN model, GCN [29] is a scalable approach for semisupervised learning on graph data, which uses the spectrum of the graph Laplacian to achieve convolution on graphs. After each convolution of GCN, the node features are the weighted sum of the previous features of the nodes and their neighbor nodes, for which the nodes can aggregate further features with the deepening of layers. Hence, the superiority of GCN is to incorporate local graph structure and node features naturally. Suppose the adjacency matrix $A\in {ℝ}^{N\times N}$ represents the connection relationship between $n$ nodes, then the layer-wise propagation rule of GCN is as follows: $$\begin{array}{}\text{(1)}& H_{l+1}=\sigma {\tilde{D}}^{-1/2}\tilde{A}{\tilde{D}}^{-1/2}{H}_l{W}_l,\end{array}$$where ${\mathbf{H}}_l$ is the feature matrix of the $l^{\text{th}}$ layer, ${\mathbf{W}}_l$ is the trainable weight matrix, and $\sigma ·$ is an activation function. ${\tilde{D}}^{-1/2}\tilde{A}{\tilde{D}}^{-1/2}$ is the normalization of $\tilde{A}$ where $\tilde{A}=\mathbf{A}+{\mathbf{I}}_N$, ${\mathbf{I}}_N\in {ℝ}^{N\times N}$ is the identity matrix, $\tilde{D}$ is the degree matrix of $\tilde{A}$, and ${\tilde{D}}_{ii}={\sum }_j{\tilde{A}}_{ij}$. The degree of a node is the number of first-order neighbors connected to the node. Equation (1) can be abbreviated as ${\mathbf{H}}_{l+1}=f{\mathbf{H}}_l,\mathbf{A}$, for $\mathbf{A}$ is the input of each layer.

3.2. Variational Graph Autoencoders

Soon after the proposal of GCN, to expand the capability of GCN, VGAE proposed by Kipf and Welling [30] adopts GCN as an encoder to generate specific graph embedding for different tasks of the graph, not limited to node classification. VGAE is an unsupervised learning framework derived from Variational Autoencoders (VAE) [31], which obtains graph embedding through the encoder-decoder structure. VGAE consists of a two-layer GCN encoder and a simple inner-product decoder. The two-layer GCN can be defined as follows: $$\begin{array}{}\text{(2)}& \text{GCN}\mathbf{X},\mathbf{A}=f{\mathbf{H}}_1,\mathbf{A}=\sigma \overline{\mathbf{A}}f{\mathbf{H}}_0,\mathbf{A}{\mathbf{W}}_1=\overline{\mathbf{A}}\text{ReLU}\overline{\mathbf{A}}{\mathbf{H}}_0{\mathbf{W}}_0{\mathbf{W}}_1,\end{array}$$where $\overline{\mathbf{A}}={\tilde{D}}^{-1/2}\tilde{A}{\tilde{D}}^{-1/2}$ is the symmetrically normalized adjacency matrix and $\text{ReLU}·=\max 0,·$ is the activation function of the first layer. $\sigma ·$ of the second layer is determined according to the specific task. The encoder of VGAE is aimed at learning the mean $\mu$ and the standard deviation $\sigma$ of a multidimensional Gaussian distribution from which the graph embedding $\mathbf{Z}$ is sampled. The process is briefly described below: $$\begin{array}{c}\text{(3)}& \mu =\text{GC}{\text{N}}_{\mu }\mathbf{X},\mathbf{A},\log \sigma =\text{GC}{\text{N}}_{\sigma }\mathbf{X},\mathbf{A},\\ \mathbf{Z}=\mu +\epsilon \times \sigma ,\end{array}$$where $\mathbf{X}\in {ℝ}^{N\times F}$ replaces ${\mathbf{H}}_0$ in Equation (2) as the node feature matrix of the first layer and $\text{GC}{\text{N}}_{\mu }\mathbf{X},\mathbf{A}$ and $\text{GC}{\text{N}}_{\sigma }\mathbf{X},\mathbf{A}$ share first-layer parameters ${\mathbf{W}}_0$. $\mathbf{Z}~\mathcal{N}\mu ,{\sigma }^2$ is the graph embedding matrix and $\epsilon ~\mathcal{N}0,1$ is the noise sampled from the standard Gaussian distribution. The inner product is used as a decoder in VGAE, and the formula is as follows: $$\begin{array}{}\text{(4)}& \widehat{\mathbf{A}}=\sigma \mathbf{Z}·{\mathbf{Z}}^T,\end{array}$$where $\sigma ·=1/1+\exp -·$ is the sigmoid function. $\widehat{\mathbf{A}}$ is the reconstructed adjacency matrix, and ${\widehat{A}}_{ij}$ can be regarded as the product of independent event probabilities of the $i^{\text{th}}$ node and the $j^{\text{th}}$ node. When ${\widehat{A}}_{ij}$ is greater than the threshold 0.5, it means that there is a link between the $i^{\text{th}}$ node and the $j^{\text{th}}$ node.

VGAE has two optimization objectives: one is to make $\widehat{A}$ and $A$ as similar as possible; the other is to make the distribution of $Z$ as close to the standard Gaussian distribution as possible. Since binary cross-entropy (BCE) can determine the proximity between the actual output and the expected output and Kullback-Leibler (KL) divergence can measure the difference between two distributions, the loss function of VGAE composed of BCE and KL divergence can be expressed as $$\begin{array}{}\text{(5)}& \text{loss}={\mathbb{E}}_{q\mathbf{Z}\mid \mathbf{X},\mathbf{A}}\log p\mathbf{A}\mid \mathbf{Z}-\text{KL}q\mathbf{Z}\mid \mathbf{X},\mathbf{A}p\mathbf{Z}.\end{array}$$

Here, the former minimizes the reconstruction loss through the cross-entropy function, and the latter minimizes the KL divergence. $p\mathbf{A}\mid \mathbf{Z}=\sigma \mathbf{Z}·{\mathbf{Z}}^T$, $q\mathbf{Z}\mid \mathbf{X},\mathbf{A}={\prod }_{i=1}^{N}q{\mathbf{z}}_{\mathbf{i}}\mid \mathbf{X},\mathbf{A}={\prod }_{i=1}^N\mathcal{N}{\mathbf{z}}_{\mathbf{i}}\mid {\mu }_{\mathbf{i}},\mathrm{diag}{\sigma }_{\mathbf{i}}^{\mathbf{2}}$ is the real distribution function we get, and $p\mathbf{Z}={\prod }_{i}p{\mathbf{z}}_{\mathbf{i}}={\prod }_i\mathcal{N}{\mathbf{z}}_{\mathbf{i}}\mid 0,\mathbf{I}$ is a Gaussian prior. $\text{KL}q·p·$ is the KL divergence between $q·$ and $p·$. We expect $q\mathbf{Z}\mid \mathbf{X},\mathbf{A}$ to be as close to $p\mathbf{Z}$ as possible.

More specifically, ${\mathbb{E}}_{q\mathbf{Z}\mid \mathbf{X},\mathbf{A}}\log p\mathbf{A}\mid \mathbf{Z}$ in Equation (5) can be abbreviated as $\text{los}{\text{s}}_{\text{link}}$ below: $$\begin{array}{}\text{(6)}& \text{los}{\text{s}}_{\text{link}}=-\frac{1}{{\mathbf{V}}^2}\sum _{i\in \mathbf{V}}\sum _{j\in \mathbf{V}}{p}_1{A}_{ij}\log {\widehat{A}}_{ij}+1-A_{ij}\log 1-{\widehat{A}}_{ij},\end{array}$$where $A_{ij}$ represents the value which is 0 or 1 of an element in $A$, ${\widehat{A}}_{ij}$ represents the probability value of the corresponding element in $\widehat{A}$, and $p_1$ is the ratio of the number of 0 to 1 in $A$, which can be used to solve the problem of imbalance between positive and negative samples. $\text{KL}q\mathbf{Z}\mid \mathbf{X},\mathbf{A}p\mathbf{Z}$ in Equation (5) can be abbreviated as $\text{los}{\text{s}}_{\text{dist}}$ below: $$\begin{array}{}\text{(7)}& \text{los}{\text{s}}_{\text{dist}}=-\frac{1}{2}1+\log {\sigma }^2-{\mu }^2-{\sigma }^2.\end{array}$$

3.3. Adversarially Regularized Variational Graph Autoencoder

To force the graph embedding learned by VGAE to fit the prior distribution better, Pan et al. [32] proposed ARVGA by combining VGAE and Generative Adversarial Network (GAN). GAN was first proposed by Goodfellow et al. [33] to serve as a generative model bridging supervised learning and unsupervised learning in 2014. Most recently, exploiting GAN to work out elegant solutions to severe privacy and security problems has become increasingly popular in both academia and industry due to its game theoretic optimization strategy [34]. Typically, GAN consists of a generator $G$ and a discriminator $D$, the purpose of which is to mix the spurious with the genuine in a nutshell. During the iterative training, $G$ is trained to generate the fake samples to convince $D$ that the fake samples come from a prior data distribution, while $D$ discriminates whether an input sample comes from the prior data distribution or $G$ we built. In ARVGA, we take VGAE as $G$, a two-layer fully connected network as $D$ where the output layer only has one dimension with a sigmoid function. The equation for training the encoder model with the discriminator can be written as follows: $$\begin{array}{}\text{(8)}& \underset{G}{\min }\underset{D}{\max }{\mathbb{E}}_{x~p_{\text{data}}x}\log Dx+{\mathbb{E}}_{z~p_{z}z}\log 1-DGz.\end{array}$$

Here, $x~P_{\text{data}}x$ is the real sample, $z~P_{z}z$ is the original data, $Gz$ is the fake sample, and $D·$ is the probability that the sample is true. $G$ is aimed at minimizing the equation while $D$ is aimed at the opposite of $G$. Through the game between $G$ and $D$, ARVGA can enforce the graph embedding to match the prior distribution and produce a robust representation.

4. Model and Problem Formulation

In this article, our work is based on the following assumptions in the graph of IoT: The connections between devices are bidirectional. There are $L$ types of devices in the graph, and each device has its own attribute information such as internal storage, bandwidth, and hard disk. Sensitive links are the links that need to be hidden, while nonsensitive links are those which can be made public. The links whose end nodes have a larger total degree are defined as sensitive links. The nodes with larger degrees usually have more influence in the graph, so the links between these nodes are also more meaningful. Moreover, we take SVM and MLP as attack models to test the performance of our method, and part of nonsensitive links and nonexistent links in the graph are known to the attack models.

4.1. Network Model

We express one of the graphs of IoT as an undirected graph $\mathbf{G}=\mathbf{V},\mathbf{E},\mathbf{X}$. $\mathbf{V}=v_1,v_2,\cdots ,v_N$ is the set of $n$ terminal nodes and $N=\mathbf{V}$. $\mathbf{E}$ contains the edges $e_{ij}$ with the communication link between $v_i$ and $v_j$$1\le i,j\le N$, including sensitive links and nonsensitive links. $\overline{\mathbf{E}}$ is the set of nonexistent links and $\mathbf{E}\cup \overline{\mathbf{E}}={\mathbf{E}}_{N^2}$, where ${\mathbf{E}}_{N^2}$ contains $n\times n$ edges that can be connected by $n$ nodes. Node attributes are summarized in a feature matrix $\mathbf{X}\in {ℝ}^{N\times F}$ with the $i^{\text{th}}$ row representing the attributes of $v_i$ and $F$ is the number of attributes. $\mathbf{A}\in {ℝ}^{N\times N}$ is the adjacency matrix, where $A_{ij}=1$ if $e_{ij}\in \mathbf{E}$; otherwise, $A_{ij}=0$. ${\mathbf{E}}_{\text{sl}}\subset \mathbf{E}$ is the set of sensitive links, ${\mathbf{E}}_{\text{nsl}}\subset \mathbf{E}$ is the set of nonsensitive links, and $E_{\text{sl}}\cap E_{\text{nsl}}=\varnothing$.

4.2. Attack Model

Both SVM and MLP have strong classification abilities for nonlinear problems with different structures.

SVM is a classification model based on the structural risk minimization criterion in machine learning. For the nonlinear classification problems, SVM adopts a nonlinear function $\varphi x$ to map the samples from the input space to a high-dimensional feature space where the samples are linearly separable and construct an optimal classification hyperplane to categorize new samples utilizing labeled training data. Given the training set $T=x_1,y_1,x_2,y_2,\cdots ,x_k,y_k{x}_i\in {ℝ}^N$, SVM can transform the classification problem into a convex quadratic optimization problem as follows: $$\begin{array}{}\text{(9)}& \begin{array}{c}\underset{\alpha }{\min }\frac{1}{2}\sum _{i=1}^k\sum _{j=1}^k{\alpha }_i{\alpha }_j{y}_i{y}_j\varphi x_i\varphi x_j-\sum _{i=1}^k{\alpha }_i\hfill \\ \text{s}.\text{t}.\sum _{i=1}^k{\alpha }_i{y}_i=0\hfill \\ 0\le {\alpha }_i\le C,i=1,2,\cdots ,k,\hfill \end{array}\end{array}$$where ${\alpha }_i$ is a Lagrange multiplier and $C$ is the penalty factor. Since the computation of $\varphi x_i\times \varphi x_j$ increases sharply in the high-dimensional space, SVM introduces kernel function $K{x}_i,x=\varphi x_i·\varphi x$ to avoid the problem. The kernel function we choose is Gaussian kernel: $$\begin{array}{}\text{(10)}& \begin{array}{c}K{x}_i,x=\exp -\frac{{x_i-x}^2}{2{\sigma }^2},\end{array}\end{array}$$where ${\sigma }^2$ is the variance. In this case, the classification decision function is as follows: $$\begin{array}{}\text{(11)}& \begin{array}{c}fx=\mathrm{sign}\sum _{i=1}^k{\alpha }_i{y}_i\exp -\frac{{x_i-x}^2}{2{\sigma }^2}+b,\end{array}\end{array}$$where $b$ is the bias constant.

MLP is a fully connected artificial neural network, consisting of an input layer, hidden layer, and output layer. MLP adjusts the parameters in the hidden layer units through the supervised back propagation (BP) algorithm and gradient descent algorithm to reduce the error between the actual output and the expected output. The forward propagation mechanism of MLP is expressed as below: $$\begin{array}{}\text{(12)}& \begin{array}{c}{\mathbf{H}}^{l+1}=\sigma {\mathbf{W}}^l{\mathbf{H}}^l+{\mathbf{b}}^l,\end{array}\end{array}$$where ${\mathbf{H}}^l$ is the input matrix, ${\mathbf{W}}^l$ is the weight matrix, ${\mathbf{b}}^l$ is the bias, and ${\mathbf{H}}^{l+1}$ is the output of the hidden layer. Thus, the decision function of MLP with only one hidden layer can be expressed as follows: $$\begin{array}{}\text{(13)}& \begin{array}{c}fx=\sigma {\mathbf{W}}^1\sigma {\mathbf{W}}^0\mathbf{x}+{\mathbf{b}}^0+{\mathbf{b}}^1,\end{array}\end{array}$$where $\mathbf{x}$ is the input and $\sigma ·$ is an activation function.

4.3. Problem Formulation

Given a graph $\mathbf{G}$, our model will compress it into a graph embedding $\mathbf{E}\mathbf{m}\mathbf{b}$ where the $i^{\text{th}}$ row represents the vector $\text{em}{\text{b}}_i$ of $v_i$. The vector of $e_{ij}$ can be expressed as $\text{em}{\text{b}}_{ij}=\text{em}{\text{b}}_i,\text{em}{\text{b}}_j$. Suppose a link set ${\mathbf{E}}_{\text{know}}$ containing $k$ nonsensitive links (class 1) and $k$ nonexistent links (class 0) in $\mathbf{G}$ have been exposed to attackers. Then, the embedding matrix of ${\mathbf{E}}_{\text{sl}}$ and ${\mathbf{E}}_{\text{know}}$ are $\mathbf{E}\mathbf{m}{\mathbf{b}}_{{\mathbf{E}}_{\text{sl}}}$ and $\mathbf{E}\mathbf{m}{\mathbf{b}}_{{\mathbf{E}}_{\text{know}}}$ where each row represents an edge embedding vector.

During data transactions, attackers will collect or steal $\mathbf{E}\mathbf{m}\mathbf{b}$ by any means to infer sensitive links through link prediction. Our goal is to achieve the balance between privacy protection and data utility. To this end, we use “minmax” strategy to maximize the distance between the predicted label $\text{labe}{\text{l}}_{\text{pred}}$ of sensitive links and its real label $\text{labe}{\text{l}}_{\text{real}}$ and then minimize the distance between $\text{labe}{\text{l}}_{\text{pred}}$ of nonsensitive links and its $\text{labe}{\text{l}}_{\text{real}}$. The mathematical description is as follows: $$\begin{array}{c}\text{(14)}& \text{Training}:\text{Clf}\_\text{fit}\mathbf{E}\mathbf{m}{\mathbf{b}}_{{\mathbf{E}}_{\text{know}}},\text{labe}{\text{l}}_{{\mathbf{E}}_{\text{know}}},\text{Prediction}:\text{labe}{\text{l}}_{\text{pred}}={\text{Clf}}_{\text{predict}\mathbf{E}\mathbf{m}{\mathbf{b}}_{{\mathbf{E}}_{\text{sl}}}},\\ \text{Objective}:\underset{E_{\text{nsl}}}{\min }\underset{E_{\text{sl}}}{\max }{\text{labe}{\text{l}}_{\text{pred}}-\text{labe}{\text{l}}_{\text{real}}}^2,\end{array}$$where $\text{Clf}\_\text{fit}{x}_{\text{train}},y_{\text{train}}$ means to fit the classifier model with the training data and $\text{Clf}\_\text{predict}{x}_{\text{test}}$ means to predict the labels of $x_{\text{test}}$. $\text{labe}{\text{l}}_{{\mathbf{E}}_{\text{know}}}$ is the label set of ${\mathbf{E}}_{\text{know}}$ where $k$ ones represent nonsensitive links and $k$ zeros represent nonexistent links. We expect to get a graph embedding which can work for our purpose.

5. Algorithm

The SLPGE framework consists of two parts. In this section, we will introduce the framework of SLPGE in Subsections 5.1 and 5.2, and the evaluation indicators are described in Subsection 5.3.

5.1. Generate the Privacy Embedding ${\mathbf{Z}}_p$

Part 1 is to generate a privacy embedding ${\mathbf{Z}}_p$. In order to put more privacy information into ${\mathbf{Z}}_p$, we first change the structure of the original graph $\mathbf{G}$ to enhance the connection strength of end nodes of sensitive links. Before inputting the graph data into the model, we preprocess $\mathbf{G}$ through Algorithms 1 and 2 corresponding to Figures 1 and 2. For Algorithm 1, we believe that two nodes with more common neighbors have a closer relationship. As shown in Figure 1, $e_{01}$ is a sensitive link, $v_2,v_4$ and $v_3,v_5$ are the neighbor sets of $v_0$ and $v_1$, respectively, and $e_{23}$ exists; in this case, we link $e_{03}$ and $e_{12}$ to make the relationship between $v_0$ and $v_1$ closer. For Algorithm 2, we believe that the main information in the graph will focus on sensitive links when other irrelevant nodes and links are removed. As shown in Figure 2, we only keep the sensitive links and their adjacent links to retain the information about the sensitive links to the greatest extent. The two privacy graph adjacency matrices ${\mathbf{A}}_p$’s obtained by Algorithms 1 and 2 are, respectively, used as the input of the encoder to output two ${\mathbf{Z}}_p$’s.

[figure(s) omitted; refer to PDF]

For VGAE is more robust and suitable for small graphs, we adopt VGAE to obtain ${\mathbf{Z}}_p$ in this part as shown in Figure 3. As discussed in Section 3, the mechanism for the encoder to generate ${\mathbf{Z}}_p$ can refer to Equations (2) and (3). Then, we get the reconstructed adjacency matrix ${\widehat{\mathbf{A}}}_p=\text{sigmoid}{\mathbf{Z}}_p·{{\mathbf{Z}}_p}^T$. The reconstruction loss $L_{\text{link}}$ is the same as Equation (5), except that $\mathbf{A}$ and $\widehat{\mathbf{A}}$ are replaced by ${\mathbf{A}}_p$ and ${\widehat{\mathbf{A}}}_p$.

Algorithm 1: Generate privacy graph by adding edges.

Algorithm 2: Generate privacy graph by deleting edges.

[figure(s) omitted; refer to PDF]

For node classification, a softmax classifier is followed by the encoder to predict the labels of the nodes. The node classification loss function $L_{\text{label}}$ is as follows: $$\begin{array}{}\text{(15)}& L_{\text{label}}=-\sum _{i=1}^{\mathbf{V}}\sum _{l=1}^L{y}_{il}\ln {\widehat{y}}_{il},\end{array}$$where $y_{il}$ represents the real label of $v_i$ in category $l$ with a value of 0 or 1, while ${\widehat{y}}_{il}$ is the value we predict in $\widehat{\mathbf{y}}$ and ${\widehat{y}}_{il}=\text{softmax}{{\mathbf{Z}}_p}_{il}=1/\mathcal{Z}\exp {{\mathbf{Z}}_p}_{il}$ with $\mathcal{Z}={\sum }_{l=1}^L{e}^{{{\mathbf{Z}}_p}_{il}}$. Therefore, the total loss of Part 1 is as follows: $$\begin{array}{}\text{(16)}& L_1=L_{\text{link}}+L_{\text{label}}.\end{array}$$

Through the BP mechanism of $L_1$, we train the encoder to generate ${\mathbf{Z}}_p$ that contains privacy information and conforms to a prior distribution.

5.2. Generate the Link Protection Graph Embedding ${\mathbf{Z}}_f$

Part 2 generates a graph embedding ${\mathbf{Z}}_f$ that can protect sensitive links. In order to reduce the most intuitive privacy information, we remove the sensitive links in $\mathbf{A}$ to obtain ${\mathbf{A}}_t$, the adjacency matrix of the training graph, as shown in Figure 4. The model in this part is designed based on ARVGA, as shown in Figure 5. The inputs of the encoder are ${\mathbf{A}}_t$ and $\mathbf{X}$. ${\mathbf{Z}}_f$ output from the encoder is the input of the discriminator and the softmax classifier. Unlike Part 1, ${\mathbf{Z}}_f$ and ${\mathbf{Z}}_p$ are combined by adding or concatenating to form a higher dimensional matrix $\mathbf{Z}$ as the input of the inner-product decoder. The node classification loss function $L_{\text{label}}$ is the same as Equation (15). In order to distinguish the two ${\mathbf{Z}}_p$’s obtained in Part 1, in Section 6.2, we will use $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$ to explain that Algorithm 1 is used for the generation of ${\mathbf{Z}}_p$ and $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{-}$ to explain that Algorithm 2 is used.

[figure(s) omitted; refer to PDF]

Since the adversarial training between the encoder and the discriminator can force ${\mathbf{Z}}_f$ to match a prior distribution, the KL divergence in Equation (5) is omitted. Here, we try to use Mean Squared Error (MSE) as the reconstruction loss $L_{\text{link}}$, and the reconstruction target is changed to $\mathbf{A}$: $$\begin{array}{}\text{(17)}& L_{\text{link}}=-\frac{1}{\mathbf{V}}\sum _{i\in \mathbf{V}}\sum _{j\in \mathbf{V}}{A_{ij}-{\stackrel{\wedge }{A}}_{ij}}^2.\end{array}$$

In the discriminator, we take ${\mathbf{Z}}_f$ as the fake samples and Gaussian distribution samples as the real samples, then input them into the discriminator, i.e., a two-layer full connection layer network to get two estimated value $d_{\text{fake}}$ and $d_{\text{real}}$, respectively. $L_{\text{g}}$ and $L_{\text{D}}$ are the distribution loss of the generator and the discriminator, which are both calculated by BCE: $$\begin{array}{}\text{(18)}& L_{\text{g}}=-\log d_{\text{fake}},\text{(19)}& L_{\text{D}}=-\log d_{\text{real}}-\log 1-d_{\text{fake}}.\end{array}$$

Therefore, the total loss of the generator can be written as follows: $$\begin{array}{}\text{(20)}& L_{\text{G}}=L_{\text{link}}+L_{\text{label}}+L_{\text{g}}.\end{array}$$

Through the adversarial training, the discriminator learns how to distinguish between the real samples and the fake samples, while the generator learns to generate a better ${\mathbf{Z}}_f$ to confuse the discriminator. In general, the training process of obtaining ${\mathbf{Z}}_f$ can be summarized as Algorithm 3.

Algorithm 3: Generate link protection graph embedding.

5.3. Evaluation Indicators

This subsection will introduce the quantitative indicators of privacy and utility.

5.3.1. Privacy

Our chief target is to reduce the prediction accuracy of the attack models for sensitive links. Input an embedding vector of a sensitive or nonsensitive link to the attack models; if the predicted value is 1, it means the link exists and vice versa. Privacy is measured by the prediction accuracy $\text{Ac}{\text{c}}_{\text{sl}}$ of the attack models for sensitive links: $$\begin{array}{}\text{(21)}& \text{Ac}{\text{c}}_{\text{sl}}=\frac{N_{\text{sl}}}{{\mathbf{E}}_{\text{sl}}}\times 100\%,\end{array}$$where $N_{\text{sl}}$ is the number of sensitive links predicted to exist and ${\mathbf{E}}_{\text{sl}}$ is the total number of sensitive links. When the security of ${\mathbf{Z}}_f$ is stronger, $\text{Ac}{\text{c}}_{\text{sl}}$ is lower.

5.3.2. Utility

Utility includes three parts: the prediction accuracy of the attack models for nonsensitive links, the accuracy and recall of the reconstructed graph, and the accuracy of node classification. Taking the existing links as positive samples and the nonexistent links as negative samples, the quantitative expression of utility is as follows: $$\begin{array}{}\text{(22)}& \text{Ac}{\text{c}}_{\text{nsl}}=\frac{N_{\text{nsl}}}{{\mathbf{E}}_{\text{nsl}}}\times 100\%,\end{array}$$where $\text{Ac}{\text{c}}_{\text{nsl}}$ is the prediction accuracy of nonsensitive links, $N_{\text{nsl}}$ is the number of nonsensitive links predicted to exist, and ${\mathbf{E}}_{\text{nsl}}$ is the total number of nonsensitive links: $$\begin{array}{}\text{(23)}& \text{Ac}{\text{c}}_{\text{recon}}=\frac{\text{TP}+\text{TN}}{\text{TP}+\text{TN}+\text{FP}+\text{FN}}\times 100\%,\text{(24)}& \mathrm{Re}{\text{c}}_{\text{recon}}=\frac{\text{TP}}{\text{TP}+\text{FN}}\times 100\%,\end{array}$$where $\text{Ac}{\text{c}}_{\text{recon}}$ is the ratio of existing links and nonexistent links that are reconstructed correctly and $\mathrm{Re}{\text{c}}_{\text{recon}}$ represents how many existing links have been reconstructed. $\text{TP}$ and $\text{FP}$ are the numbers of reconstructed positive and negative samples, and $\text{FN}$ and $\text{TN}$ are the numbers of nonreconstructed positive and negative samples: $$\begin{array}{}\text{(25)}& \text{Ac}{\text{c}}_{\text{node}}=\frac{N_{\text{node}}}{\mathbf{V}}\times 100\%,\end{array}$$where $\text{Ac}{\text{c}}_{\text{node}}$ is the ratio of the nodes classified correctly to the total number of nodes. $N_{\text{node}}$ is the number of nodes classified correctly, and $\mathbf{V}$ is the number of nodes. Our tradeoff is protecting privacy while preserving utility, that is, reducing $\text{Ac}{\text{c}}_{\text{sl}}$ and keeping $\text{Ac}{\text{c}}_{\text{nsl}}$, $\text{Ac}{\text{c}}_{\text{recon}}$, $\mathrm{Re}{\text{c}}_{\text{recon}}$, and $\text{Ac}{\text{c}}_{\text{node}}$ high.

6. Simulation

In this section, we will evaluate the performance of SLPGE on two public datasets, $\text{Cora}$ [35] and $\text{Yale}$ [14].

6.1. Experiment Setting

(1) Datasets. $\text{Cora}$ is a citation network composed of 7 categories of machine learning papers. $\text{Cora}$ includes 2708 papers as $\mathbf{V}$ and 5278 citation relationships between papers as $\mathbf{E}$. 1433 unique words appear in all papers as the attributes of $\mathbf{V}$. $\text{Yale}$ is a social network including 8578 people and 188 attributes. The class year attribute divides the nodes into 7 categories. Part of links and labels of the datasets are used as training sets.

Table 2

Details of experiment.

Besides, we take the original graph $\mathbf{G}$ and the training graph ${\mathbf{G}}_t$ with sensitive links deleted as the input of VGAE to compare with SLPGE. At the same time, we use TSNE to visualize ${\mathbf{Z}}_f$ in 2-dim to observe the node classification result, and the nodes belonging to the same label are represented by the same color. In essence, TSNE uses PCA to reduce the dimension of the feature and then maps it to a 2-dimensional or 3-dimensional space for visualization to observe each layer’s feature distribution.

(3) Attack. 100 and 200 edges with larger node degrees in the training sets are selected as the sensitive links of $\text{Cora}$ and $\text{Yale}$, respectively, and $m$ is 10 and 15 in Algorithm 1. We randomly select 200 nonsensitive links and 200 nonexistent links to form ${\mathbf{E}}_{\text{know}}$ which has been exposed to the attackers. Moreover, the edge embeddings of ${\mathbf{E}}_{\text{know}}$ will be used as the training set to train the attack models. The edge embeddings of the same number of sensitive and nonsensitive links are the input of the attack models. We train each model four times, and the attack models make 10 predictions after each training. Finally, the averages of the 40 prediction results are taken as the prediction accuracy of sensitive and nonsensitive links.

6.2. Result Analysis

We carried out our experiments under four models: $\mathbf{V}\mathbf{G}\mathbf{A}\mathbf{E}$, $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$, $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$, and $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{-}$. $\mathbf{V}\mathbf{G}\mathbf{A}\mathbf{E}$ means the input is the original graph without any modification. $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$ means the input is the training graph in which the sensitive links are deleted. Our SLPGE is divided into two types: $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$ and $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{-}$ where ${\mathbf{Z}}_p$ comes from Algorithms 1 and 2, respectively.

Figures 6 and 7 show node classification of SVM under different models for $\text{Cora}$ and $\text{Yale}$ in a visualization method, respectively. In each subgraph, the points in the same color constitute a cluster, representing different classes. A larger distance between different clusters means higher accuracy. Corresponding numerical results are listed in Tables 3 and 4. The decline degree of five indicators of $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$, $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$, and $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{-}$ compared with $\mathbf{V}\mathbf{G}\mathbf{A}\mathbf{E}$ is shown in Tables 5 and 6, and the decline degree are calculated by $A-B/B\%$, where $B$ represents $\mathbf{V}\mathbf{G}\mathbf{A}\mathbf{E}$ and $A$ represents the others.

[figure(s) omitted; refer to PDF]

Table 3

The results on $\text{Cora}$.

Table 4

The results on $\text{Yale}$.

Table 5

The decline degree of five indicators compared with VGAE on $\text{Cora}$.

Table 6

The decline degree of five indicators compared with VGAE on $\text{Yale}$.

6.2.1. Privacy

There is a comparison of $\text{Ac}{\text{c}}_{\text{sl}}$ of the four models in Tables 3 and 4 that $\text{Ac}{\text{c}}_{\text{sl}}$ of $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$, $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$, and $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{-}$ decrease in varying degrees, but $\text{Ac}{\text{c}}_{\text{sl}}$ of $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$ and $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{-}$ decrease more. Especially for $\text{Cora}$, $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$ reduces $\text{Ac}{\text{c}}_{\text{sl}}$ by 30.05% at most and 22.28% at least on the basis of $\mathbf{V}\mathbf{G}\mathbf{A}\mathbf{E}$ while $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$ reduces $\text{Ac}{\text{c}}_{\text{sl}}$ by 14.05% at most. For $\text{Yale}$, $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$ reduces $\text{Ac}{\text{c}}_{\text{sl}}$ by 15.03% at most and 9.46% at least on the basis of $\mathbf{V}\mathbf{G}\mathbf{A}\mathbf{E}$ while $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$ reduces $\text{Ac}{\text{c}}_{\text{sl}}$ by 4.14% at most. The privacy of SLPGE has significant improvement compared with $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$.

Although the privacy of SLPGE is 1.3$~$3.6 times higher than that of $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$ on $\text{Yale}$, the protection effect of sensitive links on $\text{Yale}$ is not as good as that on $\text{Cora}$, which results from the fact that the node attributes of $\text{Yale}$ are more closely related to the links. This also signifies that similar attributes will make the privacy information between nodes more difficult to remove. In general, these comparisons can confirm that our SLPGE has better performance on sensitive link protection.

6.2.2. Utility

The loss of partial utility is the necessary cost of privacy protection. Taking $\mathbf{V}\mathbf{G}\mathbf{A}\mathbf{E}$ as a comparison, we can see that the classification accuracy of four variant models has decreased, reflecting a partial sacrifice of data utility. $\text{Ac}{\text{c}}_{\text{nsl}}$, $\text{Ac}{\text{c}}_{\text{link}}$, $\mathrm{Re}{\text{c}}_{\text{recon}}$, and $\text{Ac}{\text{c}}_{\text{node}}$ of SLPGE and $\mathbf{V}\mathbf{G}\mathbf{A}{\mathbf{E}}_{\mathbf{t}}$ all decrease simultaneously, but the decline ranges are generally lower than that of $\text{Ac}{\text{c}}_{\text{sl}}$. From Tables 5 and 6, it can be seen that $\text{Ac}{\text{c}}_{\text{nsl}}$ of SLPGE decrease by 6.94% and 11.56% at most on the basis of $\mathbf{V}\mathbf{G}\mathbf{A}\mathbf{E}$ for $\text{Cora}$ and $\text{Yale}$, but the two $\text{Ac}{\text{c}}_{\text{sl}}$ decrease more, reaching 21.76% and 13.99%. $\text{Ac}{\text{c}}_{\text{link}}$ of SLPGE decrease by 5.75% and 9.07% at most for $\text{Cora}$ and $\text{Yale}$. The maximum decline ranges of $\text{Ac}{\text{c}}_{\text{link}}$, $\mathrm{Re}{\text{c}}_{\text{recon}}$, and $\text{Ac}{\text{c}}_{\text{node}}$ of SLPGE on two datasets are 5.76% and 9.02%, 5.84% and 15.50%, and 11.26% and 6.79%, which are basically lower than the decline ranges of $\text{Ac}{\text{c}}_{\text{sl}}$. Tables 5 and 6 reflect the tradeoff between privacy and utility.

6.2.3. Models

The data in four tables show that $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{+}$ and $\mathbf{S}\mathbf{L}\mathbf{P}\mathbf{G}{\mathbf{E}}^{-}$ are very close in performance on privacy and utility, which also proves that both Algorithms 1 and 2 are feasible. For the two splicing modes, the privacy and utility of mode “add” are better than those of mode “cat.” The analysis of this result is as follows.

The distributions of ${\mathbf{Z}}_f$ and ${\mathbf{Z}}_p$ both approach $\mathcal{N}0,1$ (standard normal distribution), and the weight of privacy information in ${\mathbf{Z}}_p$ is large and fixed. When $\mathbf{Z}$ obtained by adding ${\mathbf{Z}}_f$ and ${\mathbf{Z}}_p$ is to fit the link labels of the original graph after decoding, the MSE loss function will force ${\mathbf{Z}}_f$ to reduce the weight of privacy information, so that we can squeeze more privacy information. Therefore, the combination of MSE and mode “add” is better.

Overall, our SLPGE reduces the prediction accuracy of sensitive links to varying degrees, from which we can conclude that our model is effective. While protecting the privacy of sensitive links, some utility will be sacrificed, which may be structure information or attribute information. From the result analysis, it can be confirmed that SLPGE can retain most of the utility. In practical application, part of the structure of the model can be adjusted to meet different task requirements.

7. Conclusion

The problems of individual privacy under the interconnection of all things are ubiquitous. The research on link protection against link prediction in IoT is of great significance for entity privacy. Through the simulation of the datasets, the feasibility of our SLPGE is preliminarily verified. However, multifaceted challenges remain in the research on link protection. Our datasets are just static graphs, in which the nodes belong to different categories at the same level, and the edges only represent reference and social relationships. In heterogeneous scenarios, nodes can be of different levels, edges between the nodes may have diverse meanings, and the weight of the edges are no longer all equal to one. The weight of edges reflects the difference in the degree of communication between nodes.

Furthermore, in dynamic graphs, the entry and exit of nodes will affect the graph structure and the privacy information of sensitive links in real time. The attackers can collect more information for inference attacks. The greatest challenge is that the researches on resisting graph disturbance and enhancing the robustness of link prediction continue to emerge, which increases the difficulty of sensitive link protection. Therefore, we will emphasize the sensitive link protection in weighted graphs and dynamic graphs in our follow-up research.

Acknowledgments

This work was supported in part by the Fundamental Research Funds for the Central Universities under Grant 2019JBZ001, in part by the Beijing Natural Science Foundation under Grant 4202054, and in part by the National Natural Science Foundation of China under Grant 61871023 and Grant 61931001.