Papers
Topics
Authors
Recent
Search
2000 character limit reached

Agentic Graph Extraction Attacks

Updated 17 March 2026
  • AGEA is a class of adaptive, query-efficient adversarial attacks on graph-based systems that use sequential queries to reconstruct hidden structures.
  • Methodologies incorporate agentic query generation, exploration–exploitation balance, and memory-augmented mechanics to recover graph information with high fidelity.
  • Experimental results show AGEA achieves high precision and recall in graph recovery, underscoring privacy and intellectual property risks in real-world deployments.

Agentic Graph Extraction Attacks (AGEA) refer to a class of adaptive, query-efficient adversarial strategies targeting graph-based models and graph-augmented systems by leveraging sequential, strategic interaction. These attacks embody the paradigm where the adversary (“agent”) actively plans, adapts, and optimizes queries in response to observed outputs, enabling high-fidelity reconstruction of underlying graph structures (e.g., entity-relation graphs, node features, or surrogate models) despite access restrictions or limited prior knowledge. AGEA frameworks have been systematically studied in the context of Graph Neural Network (GNN) model extraction (Wu et al., 2020, Cheng et al., 20 Mar 2025) and retrieval-augmented generation (RAG) systems with knowledge graph backends (Yang et al., 21 Jan 2026), exposing privacy and intellectual property risks in real-world deployments.

1. Formal Definition and Threat Models

AGEA encompasses adaptive model extraction and graph reconstruction attacks in both GNN-based machine learning as a service (MLaaS) and graph-based retrieval-augmented generation settings.

GNN Setting: The victim system exposes a transductive GNN M:VCM:V \to C (with node set VV and label set CC) as a query API, returning soft predictions or labels for queried nodes. The adversary iteratively issues a sequence Qi={qi,1,,qi,Ti}Q_i = \{q_{i,1},\dots,q_{i,T_i}\}, where each qi,tq_{i,t} selects a node vi,tv_{i,t}, possibly receiving additional context such as one-hop neighbors and attributes. The objective is to fit a surrogate MM' by minimizing

minMEvV[L(M(v),M(v))],\min_{M'} \mathbb{E}_{v \in V}[L(M(v), M'(v))],

subject to query budget TiBT_i \leq B. Agentic adaptation arises from the ability to select each qi,tq_{i,t} based on all previous queries and responses (Cheng et al., 20 Mar 2025, Wu et al., 2020).

GraphRAG Setting: The target is a black-box RAG system with an internal latent entity-relation graph G=(V,E)G=(V,E). The adversary issues budget-constrained natural language queries, adaptively chosen based on prior extracted subgraphs and responses, to maximize recovery of nodes and edges under strict query limitations (Yang et al., 21 Jan 2026). The attacker does not have access to internal representations, embeddings, or retriever structure.

The central feature is agentic, sequential decision making: queries are planned to maximize extraction reward, dynamically balancing discovery (novel region exploration) and targeted exploitation of informative subgraphs (Cheng et al., 20 Mar 2025, Yang et al., 21 Jan 2026).

2. Algorithmic Frameworks and Components

AGEA manifests as a pipeline integrating agentic query generation, adaptive exploration-exploitation, memory structures for accumulating observations, and post-processing to filter noise or hallucinations.

AGEA for GNNs:

  • The adversary leverages partial background knowledge: e.g., subsets of node features, topology, or a shadow (domain-matched) graph (Wu et al., 2020).
  • Multiple knowledge regimes are defined (Attack-0 through Attack-6), corresponding to combinations of observed subgraph, features, and shadow data.
  • Key procedures involve:
    • Selecting “attack nodes” for queries,
    • Aggregating accessible features and topology,
    • Synthesizing missing data (e.g., feature vectors or adjacency),
    • Training a surrogate GNN by minimizing cross-entropy on the query set.

AGEA for GraphRAG (Yang et al., 21 Jan 2026):

  • The attack proceeds in rounds, each comprising:
    • Stage A: Regex-based light parsing from LLM outputs, updating a raw graph memory GrG_r.
    • Stage B: LLM-based filtering, using context from filtered memory GfG_f to remove spurious entities/edges and control degree spikes (“hallucinated hubs”).
    • 3. Graph Memory Maintenance: GrG_r (raw, high-recall but noisy) and GfG_f (high-precision, drives query planning).
  • Mode selection alternates between exploration (broadening graph coverage) and exploitation (deepening high-yield regions) based on adaptive thresholds derived from novelty calculations.

3. Theoretical Analysis of Query Behavior and Detection

Characterization of agentic query dynamics is critical for both attack optimization and defense mechanisms.

Query Dynamics in GNN Extraction (Cheng et al., 20 Mar 2025):

  • Attackers’ choice of queried nodes is modeled as a dominating-set optimization, seeking to maximize graph coverage while minimizing queries.
  • Theoretical bounds are presented:
    • Theorem 1 constrains the minimum fraction of covered nodes (β\beta) given node-weighted degrees,
    • First-order (Δ\Delta) and second-order (Δ2\Delta^2) difference statistics in coverage and uncovered weight are formalized, with second-order differences proven to be more discriminative for adaptive detection (Theorem 4),
    • These temporal patterns differentiate agentic attackers from benign users who lack systematic coverage strategies.

Adaptive Query Selection in GraphRAG Attacks (Yang et al., 21 Jan 2026):

  • Novelty scores at each turn,

N(t)=Nnodes(t)V^r(t)+Nedges(t)E^r(t)V^r(t)+E^r(t),N^{(t)} = \frac{N_\text{nodes}^{(t)} \cdot |\hat V_r^{(t)}| + N_\text{edges}^{(t)} \cdot |\hat E_r^{(t)}|}{|\hat V_r^{(t)}|+|\hat E_r^{(t)}|},

drive the policy between exploration and exploitation,

  • ϵ\epsilon-greedy adaptation ensures unfolding discovery across the budget, quantified by ablation studies demonstrating the collapse of recovery rate or precision if either component is ablated.

4. Experimental Results and Knowledge-Effectiveness Trade-offs

Results from large-scale evaluations demonstrate the practical potency of AGEA across diverse platforms and settings.

GNN Model Extraction (Wu et al., 2020):

  • On citation datasets (Cora/Citeseer/Pubmed), Attack-0 (partial features and adjacency) yields fidelity of 0.896/0.848/0.890, with accuracy near that of the victim model, despite limited knowledge.
  • Attack-1 (features only, graph inferred) and Attack-3 (shadow graph only) remain effective but with lower fidelity (0.8\approx 0.8), highlighting the robustness of agentic methods under information constraints.
  • Fidelity is notably sensitive to the amount and type of background knowledge; adding further knowledge beyond Attack-0 offers diminishing returns.

GraphRAG Extraction (Yang et al., 21 Jan 2026):

  • On medical knowledge graphs (|V| ≈ 1.4K, |E| ≈ 2.3K), AGEA achieves up to 96.4% node recovery and 95.9% edge recovery (LightRAG, T=1000), with precision at 98.3%/97.9%, outperforming baselines such as PIDE and CopyBreakRAG by wide margins.
  • The two-stage pipeline and novelty-guided query strategy are necessary for achieving both high recall (“leakage”) and precision; removing filtering reduces edge precision by 9%, whereas explore-only or exploit-only policies substantially degrade performance.
  • Backbones (e.g., DeepSeek-V3.1) impact edge faithfulness, though the agentic strategy remains broadly effective.
Attack Method Node Recall (%) Edge Recall (%) Node Precision (%) Edge Precision (%)
TGTB (baseline) 76.99 56.04 61.68 24.53
PIDE (baseline) 58.84 33.55 72.96 29.03
AGEA (M-GraphRAG) 87.09 80.16 87.09 61.18
AGEA (LightRAG) 96.42 95.90 98.34 97.97

5. Defense Strategies and Detection Countermeasures

The unique sequential, agentic nature of AGEA necessitates equally adaptive defense mechanisms.

Defense Principles:

  • Traditional static defenses (e.g., watermarking, fingerprinting) lack efficacy against evolving agentic strategies due to latency, ease of evasion, or unsuitable requirements for real-time application (Cheng et al., 20 Mar 2025).
  • ATOM (Cheng et al., 20 Mar 2025) introduces a reinforcement-learning–driven sequential detector (via PPO), employing k-core–augmented embeddings and a gated GRU to fuse first- and second-order difference vectors of query statistics. The method dynamically optimizes detection strategy by reinforcing patterns characteristic of agentic attacks.
  • Empirically, ATOM achieves robust F1 (86.9% on Cora) and recall (93.7%), outperforming baselines including PRADA and VarDetect by leveraging the discriminative power of sequential behavioral features.
  • In the RAG context (Yang et al., 21 Jan 2026), output schema restriction, runtime query monitoring for agentic traversal patterns (e.g., rapid expansion around high-degree nodes), and response sanitization are recommended. Differentially private graph retrieval and rate-limiting exploitative queries are plausible mitigation directions.

6. Practical Implications and Limitations

AGEA exposes severe extraction risk for any system exposing graph-structured computation or knowledge, given modern agentic attack design. Even with output obfuscation, limited query budgets, and constrained prior knowledge, adaptive coordination of exploration and exploitation, memory, and filtering allows reconstruction of near-complete graphs and high-fidelity model surrogates.

Practically, computing k-core statistics and embedding them as node features enables real-time detection with negligible overhead (Cheng et al., 20 Mar 2025). Filtering at extraction time (e.g., LLM-based noise pruning in RAG attacks) is critical for maintaining high precision in the reconstructed graph (Yang et al., 21 Jan 2026). Notably, in ablation studies, removing the sequential or filtration component significantly reduces defense effectiveness and extraction fidelity, respectively.

A plausible implication is that static, instance-based detection or rate limiting is inadequate: sequential, structure-aware, and RL-driven defenses must be adopted for robust protection against future AGEA-class attacks.

7. Research Directions and Open Questions

The rapid progress in agentic extraction methods prompts several open problems:

  • Generalization to Dynamic or Evolving Graphs: Most empirical analyses focus on static graphs; the implications of temporal dynamics on both extraction and detection remain to be systematically characterized (Cheng et al., 20 Mar 2025).
  • LLM-Generated Hallucinations: The impact of model hallucinations on extraction accuracy and defense, especially in high-noise or adversarial response settings, is not fully understood (Yang et al., 21 Jan 2026).
  • Adaptive Defense Optimization: Theoretical limits on detection performance for sequential RL-based policies, particularly under evolving attacker tactics, warrant further investigation (Cheng et al., 20 Mar 2025).
  • Integration with Differential Privacy and Federated Learning: Whether defensive techniques from adjacent domains transfer robustly to the graph extraction setting remains an active research topic (Wu et al., 2020).

Current findings indicate that agentic, query-efficient graph extraction presents a substantial challenge for privacy and IP protection in graph-based machine learning and retrieval systems, underscoring the necessity of moving defenses toward adaptivity, sequential modeling, and structural awareness (Wu et al., 2020, Cheng et al., 20 Mar 2025, Yang et al., 21 Jan 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Agentic Graph Extraction Attacks (AGEA).