Table of Contents
Fetching ...

More is Better (Mostly): On the Backdoor Attacks in Federated Graph Neural Networks

Jing Xu, Rui Wang, Stefanos Koffas, Kaitai Liang, Stjepan Picek

TL;DR

This work investigates backdoor vulnerabilities in Federated Graph Neural Networks, introducing two attack paradigms: centralized backdoor attacks (CBA) and distributed backdoor attacks (DBA). Using non-i.i.d. graph data across multiple clients, the authors demonstrate that DBA generally achieves higher attack success rates and that CBA can still exhibit strong ASR for local triggers in some cases. Trigger generation relies on Erdős-Rényi graphs with parameters $s$, $\rho$, and $r$, and experiments across three datasets and three GNN models show attackers can preserve clean accuracy while hijacking outputs on triggered inputs. The study also reveals that the FoolsGold defense is largely ineffective against these backdoor attacks in Federated GNNs, underscoring the need for defenses tailored to non-Euclidean, graph-based FL scenarios and highlighting directions for future research in node classification tasks and cross-device FL.

Abstract

Graph Neural Networks (GNNs) are a class of deep learning-based methods for processing graph domain information. GNNs have recently become a widely used graph analysis method due to their superior ability to learn representations for complex graph data. However, due to privacy concerns and regulation restrictions, centralized GNNs can be difficult to apply to data-sensitive scenarios. Federated learning (FL) is an emerging technology developed for privacy-preserving settings when several parties need to train a shared global model collaboratively. Although several research works have applied FL to train GNNs (Federated GNNs), there is no research on their robustness to backdoor attacks. This paper bridges this gap by conducting two types of backdoor attacks in Federated GNNs: centralized backdoor attacks (CBA) and distributed backdoor attacks (DBA). Our experiments show that the DBA attack success rate is higher than CBA in almost all evaluated cases. For CBA, the attack success rate of all local triggers is similar to the global trigger even if the training set of the adversarial party is embedded with the global trigger. To further explore the properties of two backdoor attacks in Federated GNNs, we evaluate the attack performance for a different number of clients, trigger sizes, poisoning intensities, and trigger densities. Moreover, we explore the robustness of DBA and CBA against one defense. We find that both attacks are robust against the investigated defense, necessitating the need to consider backdoor attacks in Federated GNNs as a novel threat that requires custom defenses.

More is Better (Mostly): On the Backdoor Attacks in Federated Graph Neural Networks

TL;DR

This work investigates backdoor vulnerabilities in Federated Graph Neural Networks, introducing two attack paradigms: centralized backdoor attacks (CBA) and distributed backdoor attacks (DBA). Using non-i.i.d. graph data across multiple clients, the authors demonstrate that DBA generally achieves higher attack success rates and that CBA can still exhibit strong ASR for local triggers in some cases. Trigger generation relies on Erdős-Rényi graphs with parameters , , and , and experiments across three datasets and three GNN models show attackers can preserve clean accuracy while hijacking outputs on triggered inputs. The study also reveals that the FoolsGold defense is largely ineffective against these backdoor attacks in Federated GNNs, underscoring the need for defenses tailored to non-Euclidean, graph-based FL scenarios and highlighting directions for future research in node classification tasks and cross-device FL.

Abstract

Graph Neural Networks (GNNs) are a class of deep learning-based methods for processing graph domain information. GNNs have recently become a widely used graph analysis method due to their superior ability to learn representations for complex graph data. However, due to privacy concerns and regulation restrictions, centralized GNNs can be difficult to apply to data-sensitive scenarios. Federated learning (FL) is an emerging technology developed for privacy-preserving settings when several parties need to train a shared global model collaboratively. Although several research works have applied FL to train GNNs (Federated GNNs), there is no research on their robustness to backdoor attacks. This paper bridges this gap by conducting two types of backdoor attacks in Federated GNNs: centralized backdoor attacks (CBA) and distributed backdoor attacks (DBA). Our experiments show that the DBA attack success rate is higher than CBA in almost all evaluated cases. For CBA, the attack success rate of all local triggers is similar to the global trigger even if the training set of the adversarial party is embedded with the global trigger. To further explore the properties of two backdoor attacks in Federated GNNs, we evaluate the attack performance for a different number of clients, trigger sizes, poisoning intensities, and trigger densities. Moreover, we explore the robustness of DBA and CBA against one defense. We find that both attacks are robust against the investigated defense, necessitating the need to consider backdoor attacks in Federated GNNs as a novel threat that requires custom defenses.
Paper Structure (27 sections, 7 equations, 13 figures, 7 tables, 2 algorithms)

This paper contains 27 sections, 7 equations, 13 figures, 7 tables, 2 algorithms.

Figures (13)

  • Figure 1: Attack Framework.
  • Figure 2: Backdoor attack results in the honest majority attack scenario.
  • Figure 3: Backdoor attack results in the malicious majority attack scenario.
  • Figure 4: Backdoor attack results of TRIANGLES with more clients in the honest majority attack scenario.
  • Figure 5: Backdoor attack results of TRIANGLES with less percentage of malicious clients ($K=100$, GraphSage).
  • ...and 8 more figures

Theorems & Definitions (3)

  • Definition 1: Local Trigger & Global Trigger.
  • Definition 2: Distributed Backdoor Attack (DBA).
  • Definition 3: Centralized Backdoor Attack (CBA).