Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Disttack: Graph Adversarial Attacks Toward Distributed GNN Training

Yuxiang Zhang, Xin Liu, Meng Wu, Wei Yan, Mingyu Yan, Xiaochun Ye, Dongrui Fan

TL;DR

The paper addresses the vulnerability of distributed GNN training to adversarial attacks by introducing Disttack, a framework that poisons a single computing node by perturbing a 1-hop subgraph to trigger abnormal gradient ascent during backpropagation. By targeting two node features and three edges, Disttack disrupts gradient synchronization across nodes and degrades the final GNN performance. Across four real-world graphs and five GNNs, Disttack achieves up to 2.75 times greater degradation and up to 17.33 times faster attack than state-of-the-art baselines while remaining stealthy via a homophily-based defense-evading criterion. This work highlights a critical security vulnerability in distributed GNN pipelines and motivates robust defense strategies.

Abstract

Graph Neural Networks (GNNs) have emerged as potent models for graph learning. Distributing the training process across multiple computing nodes is the most promising solution to address the challenges of ever-growing real-world graphs. However, current adversarial attack methods on GNNs neglect the characteristics and applications of the distributed scenario, leading to suboptimal performance and inefficiency in attacking distributed GNN training. In this study, we introduce Disttack, the first framework of adversarial attacks for distributed GNN training that leverages the characteristics of frequent gradient updates in a distributed system. Specifically, Disttack corrupts distributed GNN training by injecting adversarial attacks into one single computing node. The attacked subgraphs are precisely perturbed to induce an abnormal gradient ascent in backpropagation, disrupting gradient synchronization between computing nodes and thus leading to a significant performance decline of the trained GNN. We evaluate Disttack on four large real-world graphs by attacking five widely adopted GNNs. Compared with the state-of-the-art attack method, experimental results demonstrate that Disttack amplifies the model accuracy degradation by 2.75$\times$ and achieves speedup by 17.33$\times$ on average while maintaining unnoticeability.

Disttack: Graph Adversarial Attacks Toward Distributed GNN Training

TL;DR

The paper addresses the vulnerability of distributed GNN training to adversarial attacks by introducing Disttack, a framework that poisons a single computing node by perturbing a 1-hop subgraph to trigger abnormal gradient ascent during backpropagation. By targeting two node features and three edges, Disttack disrupts gradient synchronization across nodes and degrades the final GNN performance. Across four real-world graphs and five GNNs, Disttack achieves up to 2.75 times greater degradation and up to 17.33 times faster attack than state-of-the-art baselines while remaining stealthy via a homophily-based defense-evading criterion. This work highlights a critical security vulnerability in distributed GNN pipelines and motivates robust defense strategies.

Abstract

Graph Neural Networks (GNNs) have emerged as potent models for graph learning. Distributing the training process across multiple computing nodes is the most promising solution to address the challenges of ever-growing real-world graphs. However, current adversarial attack methods on GNNs neglect the characteristics and applications of the distributed scenario, leading to suboptimal performance and inefficiency in attacking distributed GNN training. In this study, we introduce Disttack, the first framework of adversarial attacks for distributed GNN training that leverages the characteristics of frequent gradient updates in a distributed system. Specifically, Disttack corrupts distributed GNN training by injecting adversarial attacks into one single computing node. The attacked subgraphs are precisely perturbed to induce an abnormal gradient ascent in backpropagation, disrupting gradient synchronization between computing nodes and thus leading to a significant performance decline of the trained GNN. We evaluate Disttack on four large real-world graphs by attacking five widely adopted GNNs. Compared with the state-of-the-art attack method, experimental results demonstrate that Disttack amplifies the model accuracy degradation by 2.75 and achieves speedup by 17.33 on average while maintaining unnoticeability.
Paper Structure (13 sections, 12 equations, 6 figures, 4 tables, 1 algorithm)

This paper contains 13 sections, 12 equations, 6 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Methodology
  4. Preliminary of Attacks in Distributed GNN Training
  5. Attack Methodologies from Edge and Node Perspectives
  6. Disttack: Framework Overview
  7. Experiment
  8. Experimental Settings
  9. Analysis of Attacking Performance
  10. Analysis of Gradients in Distributed Training.
  11. Analysis of Unnoticeability
  12. Analysis of Time Cost
  13. Conclusion

Figures (6)

  • Figure 1: Graph adversarial attack in distributed GNN training scenario.
  • Figure 2: Illustration of the example process of generating graph perturbation.
  • Figure 3: The overall framework of the Disttack.
  • Figure 4: Gradient $l_2$ norm variations of a 2-layer GCN under different attacks during distributed training.
  • Figure 5: Homophily changes of four datasets after attacking.
  • ...and 1 more figures