Hide and Find: A Distributed Adversarial Attack on Federated Graph Learning
Jinshan Liu, Ken Li, Jiazhe Wei, Bin Shi, and Bo Dong

TL;DR
This paper introduces FedShift, a novel distributed adversarial attack on Federated Graph Learning that is highly effective, stealthy, and efficient, outperforming existing methods and evading robust defenses.
Contribution
FedShift is a two-stage attack method that injects hidden perturbations during training and efficiently finds adversarial samples post-training, improving success rate and stealthiness.
Findings
Achieves highest attack effectiveness on six datasets.
Effectively evades three robust federated learning defenses.
Reduces attack time cost by over 90%.
Abstract
Federated Graph Learning (FedGL) is vulnerable to malicious attacks, yet developing a truly effective and stealthy attack method remains a significant challenge. Existing attack methods suffer from low attack success rates, high computational costs, and are easily identified and smoothed by defense algorithms. To address these challenges, we propose FedShift, a novel two-stage "Hide and Find" distributed adversarial attack. In the first stage, before FedGL begins, we inject a learnable and hidden "shifter" into part of the training data, which subtly pushes poisoned graph representations toward a target class's decision boundary without crossing it, ensuring attack stealthiness during training. In the second stage, after FedGL is complete, we leverage the global model information and use the hidden shifter as an optimization starting point to efficiently find the adversarial…
Peer Reviews
Decision: ICLR 2026 Conference Withdrawn Submission
1. The combination of backdoor and adversarial attack paradigms is creative, addressing limitations of each method when used independently.
2. Overall, the paper is well written and clearly explained.
3. The method shows significant improvements in attack success rate and efficiency.

1. The assumption that attackers can "continuously optimize shifters throughout the whole federated process" is strong and may not reflect realistic scenarios.
2. The number of clusters k shows high sensitivity on some datasets (Figure 5).
3. No sensitivity analysis on loss weights.
4. No comparison with spectral defense techniques or pruning based defenses.

1. The method is innovative, introducing a "distributional shift" strategy in federated graph learning that enhances stealthiness.
2. The experimental evaluation is comprehensive, utilizing six large-scale datasets that span multiple real-world scenarios.

1. Only the AAS metric is used. It lacks comparison with other commonly used attack evaluation metrics and does not provide a theoretical justification.
2. The evaluated defense methods do not appear to be state-of-the-art. Using simple practical defenses as a reference does not sufficiently demonstrate the true effectiveness of the attack. It is recommended that the authors survey relevant prior work, such as [1].
3. This paper lacks explicit discussion on preventing malicious use of the att

+ Comprehensive Experiments: The paper evaluates on six datasets across multiple domains, with ablations and sensitivity analyses that show consistent performance gains.
+ Strong Empirical Results: FedShift achieves notably higher attack success and efficiency compared to baselines, even under standard defense mechanisms.

- Limited Novelty: The approach mainly combines known techniques (backdoor + adversarial optimization) without substantial theoretical or algorithmic innovation.
- Unrealistic Threat Model: It assumes attackers can fully control local data and observe global model updates continuously, which may not hold in real federated settings.
- Weak and Outdated Defenses: Evaluation against older baselines (e.g., Krum, Bulyan) limits the credibility of claimed robustness.
- Lack of Theoretical or Interpret

- The paper addresses a critical and emerging security issue in federated graph learning, a field gaining significant attention in federated and distributed AI research. The problem is well-motivated and clearly articulated.
- The formulation, notably Algorithm 1 for adaptive shifter generator training, and loss design are mathematically reasoned.
- The significance of this work is notable. FedShift reveals a new and realistic attack surface in distributed graph learning, which can have import

- The paper primarily provides an empirical demonstration of the proposed attack’s effectiveness but lacks theoretical grounding. For example, there is no formal analysis of complexity and why the two-stage design ensures convergence or how the “gentle shift” quantitatively balances stealth and effectiveness. Providing theoretical intuition, even in simplified settings (e.g., convergence bounds or an analysis of the distributional shift dynamics), would greatly strengthen the paper’s technical d
Taxonomy
Topics: Advanced Graph Neural Networks · Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
