Hide and Find: A Distributed Adversarial Attack on Federated Graph Learning

Jinshan Liu, Ken Li, Jiazhe Wei, Bin Shi, Bo Dong

TL;DR

This work proposes a novel two-stage distributed adversarial attack that can effectively evade 3 mainstream robust federated learning defense algorithms and converges with a time cost reduction of over 90%, highlighting its exceptional stealthiness, robustness, and efficiency.

Abstract

Federated Graph Learning (FedGL) is vulnerable to malicious attacks, yet developing a truly effective and stealthy attack method remains a significant challenge. Existing attack methods suffer from low attack success rates, high computational costs, and are easily identified and smoothed by defense algorithms. To address these challenges, we propose FedShift, a novel two-stage "Hide and Find" distributed adversarial attack. In the first stage, before FedGL begins, we inject a learnable and hidden "shifter" into part of the training data, which subtly pushes poisoned graph representations toward a target class's decision boundary without crossing it, ensuring attack stealthiness during training. In the second stage, after FedGL is complete, we leverage the global model information and use the hidden shifter as an optimization starting point to efficiently find the adversarial perturbations. During the final attack, we aggregate these perturbations from multiple malicious clients to form the final effective adversarial sample and trigger the attack. Extensive experiments on six large-scale datasets demonstrate that our method achieves the highest attack effectiveness compared to existing advanced attack methods. In particular, our attack can effectively evade 3 mainstream robust federated learning defense algorithms and converges with a time cost reduction of over 90%, highlighting its exceptional stealthiness, robustness, and efficiency.

Paper Structure

This paper contains 24 sections, 12 equations, 7 figures, 6 tables, 1 algorithm.

Figures (7)

  • Figure 1: Pipeline of our two-stage adversarial attack. Training: In Stage 1, each malicious client uses local data to train a shifter generator and injects hidden shifters into the training data. During federated training, malicious clients inject the backdoor signal into the global model through the federated aggregation mechanism. In Stage 2, using the shifter generator trained in Stage 1 as a high-quality starting point, the shifter is further optimized as an effective adversarial perturbation leveraging the information from the global model. Attack: Aggregate adversarial perturbations from multiple malicious clients to generate the adversarial sample and trigger the attack.
  • Figure 2: Attack results in the Q1 setting under different malicious client proportions $|C_M|/N$.
  • Figure 3: Attack results in the adversarial perturbation finding stage in the Q3 setting.
  • Figure 4: Impact of $f$ and $p$ of our FedShift.
  • Figure 5: Attack results of FedShift with the number of target-class clusters $k$ ranging from 2 to 5.
  • ...and 2 more figures