VGFL-SA: Vertical Graph Federated Learning Structure Attack Based on Contrastive Learning
Yang Chen, Bin Zhou
TL;DR
This paper addresses the vulnerability of Vertical Graph Federated Learning (VGFL) when many nodes remain unlabeled by proposing VGFL-SA, an unsupervised attack that perturbs local graph structures before VGFL training. It uses graph contrastive learning to create two views, computes the gradients of the adjacency matrices via a shared encoder, and flips the edge with the largest gradient under a budget to degrade downstream node classification. VGFL-SA demonstrates strong attack effectiveness and transferability across multiple GNN backbones and datasets, outperforming several unsupervised baselines and rivaling some semi-supervised attacks on certain metrics. The work highlights practical security risks in VGFL deployments and motivates future defenses and cross-domain attack-extension research.
Abstract
Graph Neural Networks (GNNs) have gained attention for their ability to learn representations from graph data. Because privacy concerns and conflicts of interest prevent clients from directly sharing graph data with one another, Vertical Graph Federated Learning (VGFL) frameworks have been developed. Recent studies have shown that VGFL is vulnerable to adversarial attacks that degrade performance. However, client nodes in VGFL are often unlabeled. Consequently, existing attacks, which rely on the availability of labeling information to obtain gradients, are inherently constrained in their applicability, which precludes their deployment in practical, real-world environments. To address these problems, we propose a novel graph adversarial attack against VGFL, referred to as VGFL-SA, which degrades the performance of VGFL by modifying the local clients' structure without using labels. Specifically, VGFL-SA uses a contrastive learning method to complete the attack before the local clients are trained. VGFL-SA first accesses the graph structure and node feature information of the poisoned clients, and generates the contrastive views by node-degree-based edge augmentation and feature shuffling augmentation. Then, VGFL-SA uses the shared graph encoder to get the embedding of each view, and the gradients of the adjacency matrices are obtained by the contrastive function. Finally, perturbed edges are generated using gradient modification rules. We validated the performance of VGFL-SA by performing a node classification task on real-world datasets, and the results show that VGFL-SA achieves good attack effectiveness and transferability.
