Quantifying and Defending against Privacy Threats on Federated Knowledge Graph Embedding
Yuke Hu, Wei Liang, Ruofan Wu, Kai Xiao, Weiqiang Wang, Xiaochen Li, Jinfei Liu, Zhan Qin
TL;DR
The paper tackles privacy threats in Federated Knowledge Graph Embedding (FKGE) by proposing three membership inference attacks to quantify risks when clients' local KGs are not shared. It introduces DP-FLames, a differentially private FKGE framework that exploits the entity-binding sparse gradient property and incorporates private gradient selection with an adaptive privacy budget to achieve a favorable privacy-utility tradeoff. Empirical results on multiple datasets and KGE models show that the attacks can reveal significant privacy leakage (e.g., target triples with high F1-scores) while DP-FLames substantially mitigates these threats with only modest drops in link-prediction utility. The work advances rigorous privacy guarantees for FKGE and provides practical defenses for federated KG applications demanding sensitive data protection.
Abstract
Knowledge Graph Embedding (KGE) is a fundamental technique that extracts expressive representation from knowledge graph (KG) to facilitate diverse downstream tasks. The emerging federated KGE (FKGE) collaboratively trains from distributed KGs held among clients while avoiding exchanging clients' sensitive raw KGs, which can still suffer from privacy threats as evidenced in other federated model trainings (e.g., neural networks). However, quantifying and defending against such privacy threats remain unexplored for FKGE which possesses unique properties not shared by previously studied models. In this paper, we conduct the first holistic study of the privacy threat on FKGE from both attack and defense perspectives. For the attack, we quantify the privacy threat by proposing three new inference attacks, which reveal substantial privacy risk by successfully inferring the existence of the KG triple from victim clients. For the defense, we propose DP-Flames, a novel differentially private FKGE with private selection, which offers a better privacy-utility tradeoff by exploiting the entity-binding sparse gradient property of FKGE and comes with a tight privacy accountant by incorporating the state-of-the-art private selection technique. We further propose an adaptive privacy budget allocation policy to dynamically adjust defense magnitude across the training procedure. Comprehensive evaluations demonstrate that the proposed defense can successfully mitigate the privacy threat by effectively reducing the success rate of inference attacks from $83.1\%$ to $59.4\%$ on average with only a modest utility decrease.