Table of Contents
Fetching ...

Fed-Listing: Federated Label Distribution Inference in Graph Neural Networks

Suprim Nakarmi, Junggab Son, Yue Zhao, Zuobin Xiong

TL;DR

Fed-Listing addresses privacy risks in horizontal FedGNNs by inferring per-class label distributions from only last-layer gradients. It constructs shadow FL trainings with an auxiliary dataset under diverse distributions and trains an attack model to map gradient patterns to class proportions. Experiments across four graph datasets and three GNN architectures show Fed-Listing outperforms baselines like random guessing and Decaf, including in challenging non-i.i.d. settings, while standard defenses offer limited mitigation without hurting utility. The work highlights the difficulty of preventing label distribution leakage and suggests future work on synthetic or mixed-source auxiliary data to strengthen privacy in FedGNNs.

Abstract

Graph Neural Networks (GNNs) have been intensively studied for their expressive representation and learning performance on graph-structured data, enabling effective modeling of complex relational dependencies among nodes and edges in various domains. However, the standalone GNNs can unleash threat surfaces and privacy implications, as some sensitive graph-structured data is collected and processed in a centralized setting. To solve this issue, Federated Graph Neural Networks (FedGNNs) are proposed to facilitate collaborative learning over decentralized local graph data, aiming to preserve user privacy. Yet, emerging research indicates that even in these settings, shared model updates, particularly gradients, can unintentionally leak sensitive information of local users. Numerous privacy inference attacks have been explored in traditional federated learning and extended to graph settings, but the problem of label distribution inference in FedGNNs remains largely underexplored. In this work, we introduce Fed-Listing (Federated Label Distribution Inference in GNNs), a novel gradient-based attack designed to infer the private label statistics of target clients in FedGNNs without access to raw data or node features. Fed-Listing only leverages the final-layer gradients exchanged during training to uncover statistical patterns that reveal class proportions in a stealthy manner. An auxiliary shadow dataset is used to generate diverse label partitioning strategies, simulating various client distributions, on which the attack model is obtained. Extensive experiments on four benchmark datasets and three GNN architectures show that Fed-Listing significantly outperforms existing baselines, including random guessing and Decaf, even under challenging non-i.i.d. scenarios. Moreover, applying defense mechanisms can barely reduce our attack performance, unless the model's utility is severely degraded.

Fed-Listing: Federated Label Distribution Inference in Graph Neural Networks

TL;DR

Fed-Listing addresses privacy risks in horizontal FedGNNs by inferring per-class label distributions from only last-layer gradients. It constructs shadow FL trainings with an auxiliary dataset under diverse distributions and trains an attack model to map gradient patterns to class proportions. Experiments across four graph datasets and three GNN architectures show Fed-Listing outperforms baselines like random guessing and Decaf, including in challenging non-i.i.d. settings, while standard defenses offer limited mitigation without hurting utility. The work highlights the difficulty of preventing label distribution leakage and suggests future work on synthetic or mixed-source auxiliary data to strengthen privacy in FedGNNs.

Abstract

Graph Neural Networks (GNNs) have been intensively studied for their expressive representation and learning performance on graph-structured data, enabling effective modeling of complex relational dependencies among nodes and edges in various domains. However, the standalone GNNs can unleash threat surfaces and privacy implications, as some sensitive graph-structured data is collected and processed in a centralized setting. To solve this issue, Federated Graph Neural Networks (FedGNNs) are proposed to facilitate collaborative learning over decentralized local graph data, aiming to preserve user privacy. Yet, emerging research indicates that even in these settings, shared model updates, particularly gradients, can unintentionally leak sensitive information of local users. Numerous privacy inference attacks have been explored in traditional federated learning and extended to graph settings, but the problem of label distribution inference in FedGNNs remains largely underexplored. In this work, we introduce Fed-Listing (Federated Label Distribution Inference in GNNs), a novel gradient-based attack designed to infer the private label statistics of target clients in FedGNNs without access to raw data or node features. Fed-Listing only leverages the final-layer gradients exchanged during training to uncover statistical patterns that reveal class proportions in a stealthy manner. An auxiliary shadow dataset is used to generate diverse label partitioning strategies, simulating various client distributions, on which the attack model is obtained. Extensive experiments on four benchmark datasets and three GNN architectures show that Fed-Listing significantly outperforms existing baselines, including random guessing and Decaf, even under challenging non-i.i.d. scenarios. Moreover, applying defense mechanisms can barely reduce our attack performance, unless the model's utility is severely degraded.
Paper Structure (23 sections, 11 equations, 4 figures, 5 tables, 1 algorithm)

This paper contains 23 sections, 11 equations, 4 figures, 5 tables, 1 algorithm.

Figures (4)

  • Figure 1: Overview of the proposed attack: Fed-Listing. All clients train an identical GNN (chosen from three variants) to train on one of four graph datasets. Each auxiliary data subset is further partitioned based on four criteria: single class, random distribution, equal distribution, and missing classes. Multiple independent shadow training sessions in the FL setting are performed to generate attack data.
  • Figure 2: Model utility (accuracy) and attack effectiveness (JS-divergence) under three defense strategies: (a) Gradient compression, (b) Noisy gradient, and (c) Differential privacy. For the plot, we measure the robustness when using GCN model and Cora dataset.
  • Figure 3: Figure illustrating the impact of the attack when the number of shadow FL training is varied. Plots (a-d) show the relation of cosine similarity and the number of shadow FL training processes for Partition 1: Random distribution, Partition 2: Equal proportion, Partition 3: Single class, and Partition 4: Missing class. Note that all figures were plotted using GCN as a local model when training both the FL and shadow FL models.
  • Figure 4: This figure illustrates the impact of the attack when the proportion of clients with a specific Partition setting is changed. Subfigure a) shows the cosine similarity against the number of clients for Partition 2. Subfigure b) shows the cosine similarity against the number of clients for Partition 3. Subfigure c) shows the cosine similarity against the number of clients for Partition 4. Note that all figures were plotted using GCN as a local model in training both the FL and shadow FL models.