Distributed Backdoor Attacks on Federated Graph Learning and Certified Defenses
Yuxin Yang, Qiang Li, Jinyuan Jia, Yuan Hong, Binghui Wang
TL;DR
The paper addresses backdoor vulnerabilities in Federated Graph Learning by introducing Opt-GDBA, an adaptive, graph-aware distributed backdoor attack that learns per-graph trigger location and shape through an adaptive trigger generator. It also presents a certified defense against such backdoors built on deterministic graph partitioning and a majority-vote ensemble, deriving tight robustness guarantees for both clean and backdoored graphs. Empirical results demonstrate that Opt-GDBA achieves high backdoor accuracy across datasets and trigger configurations, while the certified defense can achieve near-clean performance and zero certified backdoor accuracy in many settings. The work advances FedGL security by providing provable, scalable defense guarantees applicable to arbitrary graph structures and perturbations, with practical implications for safety-critical graph-based applications. Overall, the combination of a sophisticated, graph-aware attack and a rigorous, certified defense offers a comprehensive framework for evaluating and improving FedGL robustness."
Abstract
Federated graph learning (FedGL) is an emerging federated learning (FL) framework that extends FL to learn graph data from diverse sources. FL for non-graph data has shown to be vulnerable to backdoor attacks, which inject a shared backdoor trigger into the training data such that the trained backdoored FL model can predict the testing data containing the trigger as the attacker desires. However, FedGL against backdoor attacks is largely unexplored, and no effective defense exists. In this paper, we aim to address such significant deficiency. First, we propose an effective, stealthy, and persistent backdoor attack on FedGL. Our attack uses a subgraph as the trigger and designs an adaptive trigger generator that can derive the effective trigger location and shape for each graph. Our attack shows that empirical defenses are hard to detect/remove our generated triggers. To mitigate it, we further develop a certified defense for any backdoored FedGL model against the trigger with any shape at any location. Our defense involves carefully dividing a testing graph into multiple subgraphs and designing a majority vote-based ensemble classifier on these subgraphs. We then derive the deterministic certified robustness based on the ensemble classifier and prove its tightness. We extensively evaluate our attack and defense on six graph datasets. Our attack results show our attack can obtain > 90% backdoor accuracy in almost all datasets. Our defense results show, in certain cases, the certified accuracy for clean testing graphs against an arbitrary trigger with size 20 can be close to the normal accuracy under no attack, while there is a moderate gap in other cases. Moreover, the certified backdoor accuracy is always 0 for backdoored testing graphs generated by our attack, implying our defense can fully mitigate the attack. Source code is available at: https://github.com/Yuxin104/Opt-GDBA.