Graph Neural Networks (GNNs) are vulnerable to membership inference attacks (MIAs) due to their explicit exposure of topological structure; however, in realistic settings, attackers often lack access to auxiliary data drawn from the same distribution as the target model’s training data—rendering conventional MIA assumptions invalid. This work is the first to formulate cross-domain GNN-MIA as an out-of-distribution (OOD) problem. We propose GOOD-MIA, the first OOD-aware MIA framework for graph data: it constructs shadow subgraphs to characterize distributional discrepancies across domains, designs stable node representations coupled with environment-decoupling mechanisms to enhance cross-domain generalization, and employs risk extrapolation optimization to enable effective attack without requiring same-distribution auxiliary data. Evaluated on multiple domain-shifted graph datasets, GOOD-MIA achieves an average attack accuracy improvement of 12.7% over state-of-the-art methods.

Graph Neural Network-based methods face privacy leakage risks due to the introduction of topological structures about the targets, which allows attackers to bypass the target's prior knowledge of the sensitive attributes and realize membership inference attacks (MIA) by observing and analyzing the topology distribution. As privacy concerns grow, the assumption of MIA, which presumes that attackers can obtain an auxiliary dataset with the same distribution, is increasingly deviating from reality. In this paper, we categorize the distribution diversity issue in real-world MIA scenarios as an Out-Of-Distribution (OOD) problem, and propose a novel Graph OOD Membership Inference Attack (GOOD-MIA) to achieve cross-domain graph attacks. Specifically, we construct shadow subgraphs with distributions from different domains to model the diversity of real-world data. We then explore the stable node representations that remain unchanged under external influences and consider eliminating redundant information from confounding environments and extracting task-relevant key information to more clearly distinguish between the characteristics of training data and unseen data. This OOD-based design makes cross-domain graph attacks possible. Finally, we perform risk extrapolation to optimize the attack's domain adaptability during attack inference to generalize the attack to other domains. Experimental results demonstrate that GOOD-MIA achieves superior attack performance in datasets designed for multiple domains.