Backdoor Attack on Vertical Federated Graph Neural Network Learning
This work addresses a critical security problem for privacy-preserving distributed graph learning, revealing a significant vulnerability even in robust VFGNN designs.
The paper tackles the vulnerability of Vertical Federated Graph Neural Networks (VFGNN) to backdoor attacks, proposing BVG, a method that achieves nearly 100% attack success rates on three datasets and GNN models with minimal impact on main task accuracy.
Federated Graph Neural Network (FedGNN) integrate federated learning (FL) with graph neural networks (GNNs) to enable privacy-preserving training on distributed graph data. Vertical Federated Graph Neural Network (VFGNN), a key branch of FedGNN, handles scenarios where data features and labels are distributed among participants. Despite the robust privacy-preserving design of VFGNN, we have found that it still faces the risk of backdoor attacks, even in situations where labels are inaccessible. This paper proposes BVG, a novel backdoor attack method that leverages multi-hop triggers and backdoor retention, requiring only four target-class nodes to execute effective attacks. Experimental results demonstrate that BVG achieves nearly 100% attack success rates across three commonly used datasets and three GNN models, with minimal impact on the main task accuracy. We also evaluated various defense methods, and the BVG method maintained high attack effectiveness even under existing defenses. This finding highlights the need for advanced defense mechanisms to counter sophisticated backdoor attacks in practical VFGNN applications.