NI-GDBA: Non-Intrusive Distributed Backdoor Attack Based on Adaptive Perturbation on Federated Graph Learning

Download PDF

Ken Li, Bin Shi, Jiazhe Wei, Bo Dong

Published: 29 Jan 2025, Last Modified: 29 Jan 2025WWW 2025 OralEveryoneRevisionsBibTeXCC BY-NC 4.0
Track: Security and privacy
Keywords: Federated Graph Learning, Backdoor Attacks
TL;DR: We present a novel, effective, stealthy, persistent, and non-intrusive graph distributed backdoor attack to test the security of a federated graph learning framework.
Abstract: Federated Graph Learning (FedGL) is an emerging Federated Learning (FL) framework that learns the graph data from various clients to train better Graph Neural Networks(GNNs) model. Owing to concerns regarding the security of such framework, numerous studies have attempted to execute backdoor attacks on FedGL, with a particular focus on distributed backdoor attacks. However, all existing methods posting distributed backdoor attack on FedGL only focus on injecting distributed backdoor triggers into the training data of each malicious client, which will cause model performance degradation on original task and is not always effective when confronted with robust federated learning defense algorithms, leading to low success rate of attack. What's more, the backdoor signals introduced by the malicious clients may be smoothed out by other clean signals from the honest clients, which potentially undermining the performance of the attack. To address the above significant shortcomings, we propose a non-intrusive graph distributed backdoor attack(NI-GDBA) that does not require backdoor triggers to be injected in the training data. Our attack trains an adaptive perturbation trigger generator model for each malicious client to learn the natural backdoor from the GNN model downloading from the server with the malicious client's local data. In contrast to traditional distributed backdoor attacks on FedGL via trigger injection in training data, our attack on different datasets such as Molecules and Bioinformatics have higher attack success rate, stronger persistence and stealth, and has no negative impact on the performance of the global GNN model. We also explore the robustness of NI-GDBA under different defense strategies, and based on our extensive experimental studies, we show that our attack method is robust to current federated learning defense methods, thus it is necessary to consider non-intrusive distributed backdoor attacks on FedGL as a novel threat that requires custom defenses. Code is available at an anonymous github repository: https://anonymous.4open.science/r/NI-GDBA-64E5/
Submission Number: 1569