Agentic Graph Extraction Attacks
- AGEA is a class of adaptive, query-efficient adversarial attacks on graph-based systems that use sequential queries to reconstruct hidden structures.
- Methodologies incorporate agentic query generation, exploration–exploitation balance, and memory-augmented mechanics to recover graph information with high fidelity.
- Experimental results show AGEA achieves high precision and recall in graph recovery, underscoring privacy and intellectual property risks in real-world deployments.
Agentic Graph Extraction Attacks (AGEA) refer to a class of adaptive, query-efficient adversarial strategies targeting graph-based models and graph-augmented systems by leveraging sequential, strategic interaction. These attacks embody the paradigm where the adversary (“agent”) actively plans, adapts, and optimizes queries in response to observed outputs, enabling high-fidelity reconstruction of underlying graph structures (e.g., entity-relation graphs, node features, or surrogate models) despite access restrictions or limited prior knowledge. AGEA frameworks have been systematically studied in the context of Graph Neural Network (GNN) model extraction (Wu et al., 2020, Cheng et al., 20 Mar 2025) and retrieval-augmented generation (RAG) systems with knowledge graph backends (Yang et al., 21 Jan 2026), exposing privacy and intellectual property risks in real-world deployments.
1. Formal Definition and Threat Models
AGEA encompasses adaptive model extraction and graph reconstruction attacks in both GNN-based machine learning as a service (MLaaS) and graph-based retrieval-augmented generation settings.
GNN Setting: The victim system exposes a transductive GNN (with node set and label set ) as a query API, returning soft predictions or labels for queried nodes. The adversary iteratively issues a sequence , where each selects a node , possibly receiving additional context such as one-hop neighbors and attributes. The objective is to fit a surrogate by minimizing
subject to query budget . Agentic adaptation arises from the ability to select each based on all previous queries and responses (Cheng et al., 20 Mar 2025, Wu et al., 2020).
GraphRAG Setting: The target is a black-box RAG system with an internal latent entity-relation graph . The adversary issues budget-constrained natural language queries, adaptively chosen based on prior extracted subgraphs and responses, to maximize recovery of nodes and edges under strict query limitations (Yang et al., 21 Jan 2026). The attacker does not have access to internal representations, embeddings, or retriever structure.
The central feature is agentic, sequential decision making: queries are planned to maximize extraction reward, dynamically balancing discovery (novel region exploration) and targeted exploitation of informative subgraphs (Cheng et al., 20 Mar 2025, Yang et al., 21 Jan 2026).
2. Algorithmic Frameworks and Components
AGEA manifests as a pipeline integrating agentic query generation, adaptive exploration-exploitation, memory structures for accumulating observations, and post-processing to filter noise or hallucinations.
AGEA for GNNs:
- The adversary leverages partial background knowledge: e.g., subsets of node features, topology, or a shadow (domain-matched) graph (Wu et al., 2020).
- Multiple knowledge regimes are defined (Attack-0 through Attack-6), corresponding to combinations of observed subgraph, features, and shadow data.
- Key procedures involve:
- Selecting “attack nodes” for queries,
- Aggregating accessible features and topology,
- Synthesizing missing data (e.g., feature vectors or adjacency),
- Training a surrogate GNN by minimizing cross-entropy on the query set.
AGEA for GraphRAG (Yang et al., 21 Jan 2026):
- The attack proceeds in rounds, each comprising:
- Stage A: Regex-based light parsing from LLM outputs, updating a raw graph memory .
- Stage B: LLM-based filtering, using context from filtered memory to remove spurious entities/edges and control degree spikes (“hallucinated hubs”).
- 3. Graph Memory Maintenance: (raw, high-recall but noisy) and (high-precision, drives query planning).
- Mode selection alternates between exploration (broadening graph coverage) and exploitation (deepening high-yield regions) based on adaptive thresholds derived from novelty calculations.
3. Theoretical Analysis of Query Behavior and Detection
Characterization of agentic query dynamics is critical for both attack optimization and defense mechanisms.
Query Dynamics in GNN Extraction (Cheng et al., 20 Mar 2025):
- Attackers’ choice of queried nodes is modeled as a dominating-set optimization, seeking to maximize graph coverage while minimizing queries.
- Theoretical bounds are presented:
- Theorem 1 constrains the minimum fraction of covered nodes () given node-weighted degrees,
- First-order () and second-order () difference statistics in coverage and uncovered weight are formalized, with second-order differences proven to be more discriminative for adaptive detection (Theorem 4),
- These temporal patterns differentiate agentic attackers from benign users who lack systematic coverage strategies.
Adaptive Query Selection in GraphRAG Attacks (Yang et al., 21 Jan 2026):
- Novelty scores at each turn,
drive the policy between exploration and exploitation,
- -greedy adaptation ensures unfolding discovery across the budget, quantified by ablation studies demonstrating the collapse of recovery rate or precision if either component is ablated.
4. Experimental Results and Knowledge-Effectiveness Trade-offs
Results from large-scale evaluations demonstrate the practical potency of AGEA across diverse platforms and settings.
GNN Model Extraction (Wu et al., 2020):
- On citation datasets (Cora/Citeseer/Pubmed), Attack-0 (partial features and adjacency) yields fidelity of 0.896/0.848/0.890, with accuracy near that of the victim model, despite limited knowledge.
- Attack-1 (features only, graph inferred) and Attack-3 (shadow graph only) remain effective but with lower fidelity (), highlighting the robustness of agentic methods under information constraints.
- Fidelity is notably sensitive to the amount and type of background knowledge; adding further knowledge beyond Attack-0 offers diminishing returns.
GraphRAG Extraction (Yang et al., 21 Jan 2026):
- On medical knowledge graphs (|V| ≈ 1.4K, |E| ≈ 2.3K), AGEA achieves up to 96.4% node recovery and 95.9% edge recovery (LightRAG, T=1000), with precision at 98.3%/97.9%, outperforming baselines such as PIDE and CopyBreakRAG by wide margins.
- The two-stage pipeline and novelty-guided query strategy are necessary for achieving both high recall (“leakage”) and precision; removing filtering reduces edge precision by 9%, whereas explore-only or exploit-only policies substantially degrade performance.
- Backbones (e.g., DeepSeek-V3.1) impact edge faithfulness, though the agentic strategy remains broadly effective.
| Attack Method | Node Recall (%) | Edge Recall (%) | Node Precision (%) | Edge Precision (%) |
|---|---|---|---|---|
| TGTB (baseline) | 76.99 | 56.04 | 61.68 | 24.53 |
| PIDE (baseline) | 58.84 | 33.55 | 72.96 | 29.03 |
| AGEA (M-GraphRAG) | 87.09 | 80.16 | 87.09 | 61.18 |
| AGEA (LightRAG) | 96.42 | 95.90 | 98.34 | 97.97 |
5. Defense Strategies and Detection Countermeasures
The unique sequential, agentic nature of AGEA necessitates equally adaptive defense mechanisms.
Defense Principles:
- Traditional static defenses (e.g., watermarking, fingerprinting) lack efficacy against evolving agentic strategies due to latency, ease of evasion, or unsuitable requirements for real-time application (Cheng et al., 20 Mar 2025).
- ATOM (Cheng et al., 20 Mar 2025) introduces a reinforcement-learning–driven sequential detector (via PPO), employing k-core–augmented embeddings and a gated GRU to fuse first- and second-order difference vectors of query statistics. The method dynamically optimizes detection strategy by reinforcing patterns characteristic of agentic attacks.
- Empirically, ATOM achieves robust F1 (86.9% on Cora) and recall (93.7%), outperforming baselines including PRADA and VarDetect by leveraging the discriminative power of sequential behavioral features.
- In the RAG context (Yang et al., 21 Jan 2026), output schema restriction, runtime query monitoring for agentic traversal patterns (e.g., rapid expansion around high-degree nodes), and response sanitization are recommended. Differentially private graph retrieval and rate-limiting exploitative queries are plausible mitigation directions.
6. Practical Implications and Limitations
AGEA exposes severe extraction risk for any system exposing graph-structured computation or knowledge, given modern agentic attack design. Even with output obfuscation, limited query budgets, and constrained prior knowledge, adaptive coordination of exploration and exploitation, memory, and filtering allows reconstruction of near-complete graphs and high-fidelity model surrogates.
Practically, computing k-core statistics and embedding them as node features enables real-time detection with negligible overhead (Cheng et al., 20 Mar 2025). Filtering at extraction time (e.g., LLM-based noise pruning in RAG attacks) is critical for maintaining high precision in the reconstructed graph (Yang et al., 21 Jan 2026). Notably, in ablation studies, removing the sequential or filtration component significantly reduces defense effectiveness and extraction fidelity, respectively.
A plausible implication is that static, instance-based detection or rate limiting is inadequate: sequential, structure-aware, and RL-driven defenses must be adopted for robust protection against future AGEA-class attacks.
7. Research Directions and Open Questions
The rapid progress in agentic extraction methods prompts several open problems:
- Generalization to Dynamic or Evolving Graphs: Most empirical analyses focus on static graphs; the implications of temporal dynamics on both extraction and detection remain to be systematically characterized (Cheng et al., 20 Mar 2025).
- LLM-Generated Hallucinations: The impact of model hallucinations on extraction accuracy and defense, especially in high-noise or adversarial response settings, is not fully understood (Yang et al., 21 Jan 2026).
- Adaptive Defense Optimization: Theoretical limits on detection performance for sequential RL-based policies, particularly under evolving attacker tactics, warrant further investigation (Cheng et al., 20 Mar 2025).
- Integration with Differential Privacy and Federated Learning: Whether defensive techniques from adjacent domains transfer robustly to the graph extraction setting remains an active research topic (Wu et al., 2020).
Current findings indicate that agentic, query-efficient graph extraction presents a substantial challenge for privacy and IP protection in graph-based machine learning and retrieval systems, underscoring the necessity of moving defenses toward adaptivity, sequential modeling, and structural awareness (Wu et al., 2020, Cheng et al., 20 Mar 2025, Yang et al., 21 Jan 2026).