More is Better (Mostly): On the Backdoor Attacks in Federated Graph Neural Networks

TL;DR

This paper investigates backdoor attacks in federated graph neural networks, revealing their high success rates and robustness against defenses, highlighting a critical security concern in privacy-preserving graph analysis.

Contribution

It introduces and evaluates centralized and distributed backdoor attacks in federated GNNs, a previously unexplored area, demonstrating their effectiveness and resilience.

Findings

Distributed backdoor attacks have higher success rates than centralized ones.

Both attack types are robust against existing defenses.

Attack success varies with number of clients, trigger size, and poisoning intensity.

Abstract

Graph Neural Networks (GNNs) are a class of deep learning-based methods for processing graph domain information. GNNs have recently become a widely used graph analysis method due to their superior ability to learn representations for complex graph data. However, due to privacy concerns and regulation restrictions, centralized GNNs can be difficult to apply to data-sensitive scenarios. Federated learning (FL) is an emerging technology developed for privacy-preserving settings when several parties need to train a shared global model collaboratively. Although several research works have applied FL to train GNNs (Federated GNNs), there is no research on their robustness to backdoor attacks. This paper bridges this gap by conducting two types of backdoor attacks in Federated GNNs: centralized backdoor attacks (CBA) and distributed backdoor attacks (DBA). Our experiments show that the DBA attack success rate is higher than CBA in almost all evaluated cases. For CBA, the attack success rate of all local triggers is similar to the global trigger even if the training set of the adversarial party is embedded with the global trigger. To further explore the properties of two backdoor attacks in Federated GNNs, we evaluate the attack performance for a different number of clients, trigger sizes, poisoning intensities, and trigger densities. Moreover, we explore the robustness of DBA and CBA against one defense. We find that both attacks are robust against the investigated defense, necessitating the need to consider backdoor attacks in Federated GNNs as a novel threat that requires custom defenses.