Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Query-Efficient Adversarial Attack Against Vertical Federated Graph Learning

Jinyin Chen, Wenbo Mu, Luxin Zhang, Guohan Huang, Haibin Zheng, Yao Cheng

TL;DR

Extensive experiments demonstrate that NA2 improves the performance of the centralized adversarial attacks against VFGL, achieving state-of-the-art performance even under potential adaptive defense where the defender knows the attack method.

Abstract

Graph neural network (GNN) has captured wide attention due to its capability of graph representation learning for graph-structured data. However, the distributed data silos limit the performance of GNN. Vertical federated learning (VFL), an emerging technique to process distributed data, successfully makes GNN possible to handle the distributed graph-structured data. Despite the prosperous development of vertical federated graph learning (VFGL), the robustness of VFGL against the adversarial attack has not been explored yet. Although numerous adversarial attacks against centralized GNNs are proposed, their attack performance is challenged in the VFGL scenario. To the best of our knowledge, this is the first work to explore the adversarial attack against VFGL. A query-efficient hybrid adversarial attack framework is proposed to significantly improve the centralized adversarial attacks against VFGL, denoted as NA2, short for Neuron-based Adversarial Attack. Specifically, a malicious client manipulates its local training data to improve its contribution in a stealthy fashion. Then a shadow model is established based on the manipulated data to simulate the behavior of the server model in VFGL. As a result, the shadow model can improve the attack success rate of various centralized attacks with a few queries. Extensive experiments on five real-world benchmarks demonstrate that NA2 improves the performance of the centralized adversarial attacks against VFGL, achieving state-of-the-art performance even under potential adaptive defense where the defender knows the attack method. Additionally, we provide interpretable experiments of the effectiveness of NA2 via sensitive neurons identification and visualization of t-SNE.

Query-Efficient Adversarial Attack Against Vertical Federated Graph Learning

TL;DR

Extensive experiments demonstrate that NA2 improves the performance of the centralized adversarial attacks against VFGL, achieving state-of-the-art performance even under potential adaptive defense where the defender knows the attack method.

Abstract

Graph neural network (GNN) has captured wide attention due to its capability of graph representation learning for graph-structured data. However, the distributed data silos limit the performance of GNN. Vertical federated learning (VFL), an emerging technique to process distributed data, successfully makes GNN possible to handle the distributed graph-structured data. Despite the prosperous development of vertical federated graph learning (VFGL), the robustness of VFGL against the adversarial attack has not been explored yet. Although numerous adversarial attacks against centralized GNNs are proposed, their attack performance is challenged in the VFGL scenario. To the best of our knowledge, this is the first work to explore the adversarial attack against VFGL. A query-efficient hybrid adversarial attack framework is proposed to significantly improve the centralized adversarial attacks against VFGL, denoted as NA2, short for Neuron-based Adversarial Attack. Specifically, a malicious client manipulates its local training data to improve its contribution in a stealthy fashion. Then a shadow model is established based on the manipulated data to simulate the behavior of the server model in VFGL. As a result, the shadow model can improve the attack success rate of various centralized attacks with a few queries. Extensive experiments on five real-world benchmarks demonstrate that NA2 improves the performance of the centralized adversarial attacks against VFGL, achieving state-of-the-art performance even under potential adaptive defense where the defender knows the attack method. Additionally, we provide interpretable experiments of the effectiveness of NA2 via sensitive neurons identification and visualization of t-SNE.

Paper Structure

This paper contains 37 sections, 14 equations, 11 figures, 11 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Adversarial Attacks against GNNs
  4. Privacy Leakage on Graph Learning
  5. Vertical Federated Graph Learning
  6. Attack and Defense in Vertical Federated Learning
  7. Threat Model
  8. Methodology
  9. Data Manipulation
  10. Locate Significant Neural Path
  11. Select and Modify the Target Feature
  12. Shadow Model Construction
  13. Adversarial Attacks
  14. Experiments
  15. Experimental Settings
  16. ...and 22 more sections

Figures (11)

  • Figure 1: An illustration of the adversarial attack against VFGL in the e-commerce scenario. A small perturbation (e.g., fake friendships, browsing records) may mislead the analysis model and cause the wrong recommendation.
  • Figure 2: The pipeline of query-efficient hybrid adversarial attack framework against VFGL.
  • Figure 3: Framework of NA$^{2}$. It can be divided into three stages: (i) Manipulate the local data according to neuron testing results. (ii) Build the shadow model by using the manipulated data. (iii) Generate the adversarial attacks via the shadow model.
  • Figure 4: The effect of NA$^{2}$ on the neurons' activation of the training examples.
  • Figure 5: The effect of NA$^{2}$ on the neurons' activation of the benign examples and the adversarial examples.
  • ...and 6 more figures