TL;DR
This paper investigates a novel privacy risk in federated graph neural networks, demonstrating how an attacker can identify data ownership across clients, revealing client identities through structural and model cues.
Contribution
It introduces the first systematic cross-client membership inference attack framework for federated GNNs, highlighting a new privacy threat in decentralized graph learning.
Findings
High attack success rate in identifying client data ownership.
Effective inference across multiple graph datasets.
Reveals client identity leakage as a significant privacy concern.
Abstract
Graph-structured data is prevalent in many real-world applications, including social networks, financial systems, and molecular biology. Graph Neural Networks (GNNs) have become the de facto standard for learning from such data due to their strong representation capabilities. As GNNs are increasingly deployed in federated learning (FL) settings to preserve data locality and privacy, new privacy threats arise from the interaction between graph structures and decentralized training. In this paper, we present the first systematic study of cross-client membership inference attacks (CC-MIA) against node classification tasks of federated GNNs (FedGNNs), where a malicious client aims to infer which client owns the given data. Unlike prior centralized-focused work that focuses on whether a sample was included in training, our attack targets sample-to-client attribution, a finer-grained privacy…
Peer Reviews
Decision·Submitted to ICLR 2026
• Judges node training membership and client ownership (vs. single MIA by others). • Strong generalizability,Works for FedAvg/FedProx/SCAFFOLD/FedDF/FedNova and GCN/GAT/GraphSAGE. • Fits threat models (adversaries as legitimate participants with gradient/global update access).
• Scalability: Gradient inversion quality drops with more clients, limiting large-scale FedGNN use. • While the paper emphasizes the risks associated with CC-MIA, it offers limited practical insights or proposals for defending against such attacks.
1. The paper pioneers the proposal of a membership inference attack method tailored for federated graph learning, filling the research gap in this specific domain. 2. For the client-data identification problem, the authors design a gradient inversion reconstruction method exclusively for graph data. This method effectively reconstructs the original graph structure from gradient information, showing strong targeted performance for graph-specific characteristics. 3. Compared with the contrastive e
1. The method for the membership inference attack part lacks special design targeted at graph data which may limit the method’s adaptability and effectiveness in graph-specific scenarios. 2. The paper does not clearly explain on the differences between the method used in the membership inference attack part and the methods applied in the centralized setting. Key distinctions in aspects such as data access constraints, gradient utilization patterns, and attack optimization objectives remain unadd
1. The paper explores a novel attack vector; membership attacks on GNNs in FL is a previously unexplored area. 2. The attack model used in the paper is based on commonly accepted assumptions used in the FL and MIA literature, such as access to a shadow dataset, gradient eavesdropping capabilities, etc. 3. The paper includes comprehensive experimentation including different types of GNNs, FL algorithms, and graph datasets.
1. The first part of the attack, which is membership inference, is conceptually not much different from a membership inference attack on a centralized GNN, such as Olatunji et al. [a]. The paper could benefit from explicitly stating the challenges that FL brings into the picture. 2. The second part of the attack uses a pseudo-graph (as mentioned in line 256), based on which the optimization in eq(12) is carried out. However, it is unclear how this pseudograph is obtained or generated. 3. At sev
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
