Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Backdoor Attack on Vertical Federated Graph Neural Network Learning

Jirui Yang, Peng Chen, Zhihui Lu, Ruijun Deng, Qiang Duan, Jianping Zeng

TL;DR

The paper tackles backdoor security in Vertical Federated Graph Neural Networks (VFGNN) by introducing BVG, a backdoor attack that uses multi-hop attribute triggers and a retention mechanism to persist the attack during federated training. BVG requires only four target-class nodes to achieve near-100% attack success while maintaining main-task accuracy, and it remains effective under several defense strategies. The key contributions are the formal problem formulation for VFGNN backdoors, the multi-hop trigger generation method, and the backdoor retention strategy validated through extensive experiments on public datasets and multiple GNN models. This work highlights a practical vulnerability in privacy-preserving graph learning and underscores the need for advanced defenses against sophisticated backdoor attacks in VFGNN systems.

Abstract

Federated Graph Neural Network (FedGNN) integrate federated learning (FL) with graph neural networks (GNNs) to enable privacy-preserving training on distributed graph data. Vertical Federated Graph Neural Network (VFGNN), a key branch of FedGNN, handles scenarios where data features and labels are distributed among participants. Despite the robust privacy-preserving design of VFGNN, we have found that it still faces the risk of backdoor attacks, even in situations where labels are inaccessible. This paper proposes BVG, a novel backdoor attack method that leverages multi-hop triggers and backdoor retention, requiring only four target-class nodes to execute effective attacks. Experimental results demonstrate that BVG achieves nearly 100% attack success rates across three commonly used datasets and three GNN models, with minimal impact on the main task accuracy. We also evaluated various defense methods, and the BVG method maintained high attack effectiveness even under existing defenses. This finding highlights the need for advanced defense mechanisms to counter sophisticated backdoor attacks in practical VFGNN applications.

Backdoor Attack on Vertical Federated Graph Neural Network Learning

TL;DR

The paper tackles backdoor security in Vertical Federated Graph Neural Networks (VFGNN) by introducing BVG, a backdoor attack that uses multi-hop attribute triggers and a retention mechanism to persist the attack during federated training. BVG requires only four target-class nodes to achieve near-100% attack success while maintaining main-task accuracy, and it remains effective under several defense strategies. The key contributions are the formal problem formulation for VFGNN backdoors, the multi-hop trigger generation method, and the backdoor retention strategy validated through extensive experiments on public datasets and multiple GNN models. This work highlights a practical vulnerability in privacy-preserving graph learning and underscores the need for advanced defenses against sophisticated backdoor attacks in VFGNN systems.

Abstract

Federated Graph Neural Network (FedGNN) integrate federated learning (FL) with graph neural networks (GNNs) to enable privacy-preserving training on distributed graph data. Vertical Federated Graph Neural Network (VFGNN), a key branch of FedGNN, handles scenarios where data features and labels are distributed among participants. Despite the robust privacy-preserving design of VFGNN, we have found that it still faces the risk of backdoor attacks, even in situations where labels are inaccessible. This paper proposes BVG, a novel backdoor attack method that leverages multi-hop triggers and backdoor retention, requiring only four target-class nodes to execute effective attacks. Experimental results demonstrate that BVG achieves nearly 100% attack success rates across three commonly used datasets and three GNN models, with minimal impact on the main task accuracy. We also evaluated various defense methods, and the BVG method maintained high attack effectiveness even under existing defenses. This finding highlights the need for advanced defense mechanisms to counter sophisticated backdoor attacks in practical VFGNN applications.

Paper Structure

This paper contains 29 sections, 6 equations, 21 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Backdoor attacks on VFL
  4. Backdoor attacks on GNN
  5. Proposed Approach
  6. Problem Formulation
  7. Threat model
  8. Multi-hop Trigger Generation
  9. Backdoor Retention
  10. Experiments
  11. Experiments Settings
  12. Local GNN Models
  13. Datasets
  14. Performance Metrics
  15. Comparison Benchmarks
  16. ...and 14 more sections

Figures (21)

  • Figure 1: An example of VFGNN backdoor attack
  • Figure 2: A sketch of our proposed Backdoor Attack for VFGNN.
  • Figure 3: Performance of BVG under Multi-Party Settings (Standard Deviation Included.)
  • Figure 4: Comparison of Backdoor Task Performance and Intermediate Layer Feature Differences Across Methods
  • Figure 5: The performance of BVG under DP-SGD defense
  • ...and 16 more figures