Backdoor Attack on Vertical Federated Graph Neural Network Learning

TL;DR

This paper reveals that Vertical Federated Graph Neural Networks are vulnerable to a novel backdoor attack called BVG, which can achieve high success rates with minimal impact on main tasks, highlighting the need for better defenses.

Contribution

The paper introduces BVG, a new backdoor attack method for VFGNNs using multi-hop triggers, effective even against existing defenses.

Findings

BVG achieves nearly 100% attack success rate.

Minimal impact on main task accuracy.

Remains effective under current defense methods.

Abstract

Federated Graph Neural Network (FedGNN) integrate federated learning (FL) with graph neural networks (GNNs) to enable privacy-preserving training on distributed graph data. Vertical Federated Graph Neural Network (VFGNN), a key branch of FedGNN, handles scenarios where data features and labels are distributed among participants. Despite the robust privacy-preserving design of VFGNN, we have found that it still faces the risk of backdoor attacks, even in situations where labels are inaccessible. This paper proposes BVG, a novel backdoor attack method that leverages multi-hop triggers and backdoor retention, requiring only four target-class nodes to execute effective attacks. Experimental results demonstrate that BVG achieves nearly 100% attack success rates across three commonly used datasets and three GNN models, with minimal impact on the main task accuracy. We also evaluated various defense methods, and the BVG method maintained high attack effectiveness even under existing defenses. This finding highlights the need for advanced defense mechanisms to counter sophisticated backdoor attacks in practical VFGNN applications.