Table of Contents
Fetching ...

GraphDLG: Exploring Deep Leakage from Gradients in Federated Graph Learning

Shuyue Wei, Wantong Chen, Tongyu Wei, Chen Gong, Yongxin Tong, Lizhen Cui

TL;DR

GraphDLG addresses privacy leakage in federated graph learning by showing that both graph structure and node features can be recovered from shared gradients. It decouples structure and features by first recovering the graph structure from graph embeddings via a hetero-prior auto-encoder, then retrieving node features through a closed-form, recursive recovery rule. The approach introduces GNFR and leverages maximum mean discrepancy to handle heterogeneous priors, obtaining substantial gains over baselines in both structure and feature recovery. These findings highlight a significant privacy risk in graph-level federated learning and motivate the need for graph-aware defenses against DLG attacks.

Abstract

Federated graph learning (FGL) has recently emerged as a promising privacy-preserving paradigm that enables distributed graph learning across multiple data owners. A critical privacy concern in federated learning is whether an adversary can recover raw data from shared gradients, a vulnerability known as deep leakage from gradients (DLG). However, most prior studies on the DLG problem focused on image or text data, and it remains an open question whether graphs can be effectively recovered, particularly when the graph structure and node features are uniquely entangled in GNNs. In this work, we first theoretically analyze the components in FGL and derive a crucial insight: once the graph structure is recovered, node features can be obtained through a closed-form recursive rule. Building on this analysis, we propose GraphDLG, a novel approach to recover raw training graphs from shared gradients in FGL, which can utilize randomly generated graphs or client-side training graphs as auxiliaries to enhance recovery. Extensive experiments demonstrate that GraphDLG outperforms existing solutions by successfully decoupling the graph structure and node features, achieving improvements of over 5.46% (by MSE) for node feature reconstruction and over 25.04% (by AUC) for graph structure reconstruction.

GraphDLG: Exploring Deep Leakage from Gradients in Federated Graph Learning

TL;DR

GraphDLG addresses privacy leakage in federated graph learning by showing that both graph structure and node features can be recovered from shared gradients. It decouples structure and features by first recovering the graph structure from graph embeddings via a hetero-prior auto-encoder, then retrieving node features through a closed-form, recursive recovery rule. The approach introduces GNFR and leverages maximum mean discrepancy to handle heterogeneous priors, obtaining substantial gains over baselines in both structure and feature recovery. These findings highlight a significant privacy risk in graph-level federated learning and motivate the need for graph-aware defenses against DLG attacks.

Abstract

Federated graph learning (FGL) has recently emerged as a promising privacy-preserving paradigm that enables distributed graph learning across multiple data owners. A critical privacy concern in federated learning is whether an adversary can recover raw data from shared gradients, a vulnerability known as deep leakage from gradients (DLG). However, most prior studies on the DLG problem focused on image or text data, and it remains an open question whether graphs can be effectively recovered, particularly when the graph structure and node features are uniquely entangled in GNNs. In this work, we first theoretically analyze the components in FGL and derive a crucial insight: once the graph structure is recovered, node features can be obtained through a closed-form recursive rule. Building on this analysis, we propose GraphDLG, a novel approach to recover raw training graphs from shared gradients in FGL, which can utilize randomly generated graphs or client-side training graphs as auxiliaries to enhance recovery. Extensive experiments demonstrate that GraphDLG outperforms existing solutions by successfully decoupling the graph structure and node features, achieving improvements of over 5.46% (by MSE) for node feature reconstruction and over 25.04% (by AUC) for graph structure reconstruction.
Paper Structure (29 sections, 4 theorems, 27 equations, 4 figures, 9 tables, 1 algorithm)

This paper contains 29 sections, 4 theorems, 27 equations, 4 figures, 9 tables, 1 algorithm.

Key Result

Lemma 1

For the GCN layers in FGL, the gradients $\nabla W_l$, $\nabla W_{l-1}$, $\nabla W_{l-2}$ can be formally expressed by the node embeddings from their previous layer $H_{l-1}$, $H_{l-2}$, $H_{l-3}$ respectively and the normalized graph adjacency matrix $\bar{A}$, where $\sigma'$ represents the derivative of the activate function $\sigma$. The term $\frac{\partial L}{\partial \hat{Y}}$ in Eq. (eq:g

Figures (4)

  • Figure 1: DLG for Graphs: In federated graph learning, an adversary can recover training graphs from the victim client's gradients.
  • Figure 2: Overview of GraphDLG. Firstly, a learned decoder can recover graph structure from graph embeddings leaked in MLP layers' gradients. Then, node features can be recovered by recursively solving closed-form equations. Finally, the attacker obtained the whole graph.
  • Figure 3: Structure recovery performance with hetero-priors, i.e. target and auxiliary graphs datasets are different.
  • Figure 4: The effectiveness of different defense strategies.

Theorems & Definitions (5)

  • Definition 1: DLG Attack for Graphs
  • Lemma 1: Gradients in an $l$-layer GCN
  • Theorem 1: Recursive Rule for Gradients
  • Lemma 1: Gradients in an $l$-layer GCN
  • Theorem 1: Recursive Rule for Gradients