Devil's Hand: Data Poisoning Attacks to Locally Private Graph Learning Protocols

TL;DR

This paper introduces the first data poisoning attack on locally private graph learning protocols, demonstrating how malicious actors can compromise privacy-preserving GNNs and highlighting the need for more robust defenses.

Contribution

It presents a novel data poisoning attack specifically targeting locally private GNN protocols, with theoretical and empirical validation, and explores defense strategies.

Findings

The attack effectively reduces node classification accuracy.

Current defenses have limited effectiveness against the attack.

The attack exploits fake user injection and data manipulation.

Abstract

Graph neural networks (GNNs) have achieved significant success in graph representation learning and have been applied to various domains. However, many real-world graphs contain sensitive personal information, such as user profiles in social networks, raising serious privacy concerns when graph learning is performed using GNNs. To address this issue, locally private graph learning protocols have gained considerable attention. These protocols leverage the privacy advantages of local differential privacy (LDP) and the effectiveness of GNN's message-passing in calibrating noisy data, offering strict privacy guarantees for users' local data while maintaining high utility (e.g., node classification accuracy) for graph learning. Despite these advantages, such protocols may be vulnerable to data poisoning attacks, a threat that has not been considered in previous research. Identifying and addressing these threats is crucial for ensuring the robustness and security of privacy-preserving graph learning frameworks. This work introduces the first data poisoning attack targeting locally private graph learning protocols. The attacker injects fake users into the protocol, manipulates these fake users to establish links with genuine users, and sends carefully crafted data to the server, ultimately compromising the utility of private graph learning. The effectiveness of the attack is demonstrated both theoretically and empirically. In addition, several defense strategies have also been explored, but their limited effectiveness highlights the need for more robust defenses.