Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

FedGIG: Graph Inversion from Gradient in Federated Learning

Tianzhe Xiao, Yichen Li, Yining Qi, Haozhao Wang, Ruixuan Li

TL;DR

This work tackles the privacy risk of gradient inversion attacks in Federated Graph Learning by proposing FedGIG, a graph-specific GIA. FedGIG combines an adjacency matrix constraining module that enforces symmetry, no self-loops, and sparsity with a subgraph reconstruction module based on a Masked Graph Autoencoder to recover both global graph structure and local motifs. Empirical results on five molecular graph datasets show that FedGIG outperforms prior GIA methods in adjacency reconstruction accuracy and efficiency, underscoring the vulnerability of FGL to graph-aware attacks. The findings highlight significant privacy implications for graph-structured federated systems and provide a concrete methodology for evaluating and strengthening defenses against GIA in graph domains.

Abstract

Recent studies have shown that Federated learning (FL) is vulnerable to Gradient Inversion Attacks (GIA), which can recover private training data from shared gradients. However, existing methods are designed for dense, continuous data such as images or vectorized texts, and cannot be directly applied to sparse and discrete graph data. This paper first explores GIA's impact on Federated Graph Learning (FGL) and introduces Graph Inversion from Gradient in Federated Learning (FedGIG), a novel GIA method specifically designed for graph-structured data. FedGIG includes the adjacency matrix constraining module, which ensures the sparsity and discreteness of the reconstructed graph data, and the subgraph reconstruction module, which is designed to complete missing common subgraph structures. Extensive experiments on molecular datasets demonstrate FedGIG's superior accuracy over existing GIA techniques.

FedGIG: Graph Inversion from Gradient in Federated Learning

TL;DR

This work tackles the privacy risk of gradient inversion attacks in Federated Graph Learning by proposing FedGIG, a graph-specific GIA. FedGIG combines an adjacency matrix constraining module that enforces symmetry, no self-loops, and sparsity with a subgraph reconstruction module based on a Masked Graph Autoencoder to recover both global graph structure and local motifs. Empirical results on five molecular graph datasets show that FedGIG outperforms prior GIA methods in adjacency reconstruction accuracy and efficiency, underscoring the vulnerability of FGL to graph-aware attacks. The findings highlight significant privacy implications for graph-structured federated systems and provide a concrete methodology for evaluating and strengthening defenses against GIA in graph domains.

Abstract

Recent studies have shown that Federated learning (FL) is vulnerable to Gradient Inversion Attacks (GIA), which can recover private training data from shared gradients. However, existing methods are designed for dense, continuous data such as images or vectorized texts, and cannot be directly applied to sparse and discrete graph data. This paper first explores GIA's impact on Federated Graph Learning (FGL) and introduces Graph Inversion from Gradient in Federated Learning (FedGIG), a novel GIA method specifically designed for graph-structured data. FedGIG includes the adjacency matrix constraining module, which ensures the sparsity and discreteness of the reconstructed graph data, and the subgraph reconstruction module, which is designed to complete missing common subgraph structures. Extensive experiments on molecular datasets demonstrate FedGIG's superior accuracy over existing GIA techniques.

Paper Structure

This paper contains 16 sections, 10 equations, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Federated Graph Learning
  4. Gradient Inversion Attack in FGL
  5. Related Work
  6. Proposed Method
  7. Adjacency Matrix Constraining
  8. Symmetric Transformation with Self-loop Removal
  9. Sparsification with Discretization
  10. Subgraph Reconstruction
  11. Experiments
  12. Experimental Setups
  13. Performance Comparisions
  14. Effects of Hyperparamters
  15. Ablation Studies
  16. ...and 1 more sections

Figures (3)

  • Figure 1: The overall architecture of FedGIG. A benign client in FGL will use its local graph data to compute gradients updating to the server, while honest but curious malicious attackers can initialize a pseudo graph data, using the adjacent matrix constraining and subgraph reconstruction modules in FedGIG to accelerate the attack and help the pseudo graph data to be optimized fairly close to the real client’s data when the distance between the calculated gradients is small enough if the real data and the pseudo data are fed into the same GNN network.
  • Figure 2: Effect of hyperparameters $n_{max}$,$\alpha$,and $\beta$ on Accuracy.
  • Figure 3: Comparison of graphs reconstructed with different methods.