Computer Science

Computer Science ›› 2025, Vol. 52 ›› Issue (11A): 241200220-10.doi: 10.11896/jsjkx.241200220

• Information Security • Previous Articles     Next Articles

Adversarial Attack on Vertical Graph Federated Learning

BAI Yang, CHEN Jinyin, ZHENG Haibin, ZHENG Yayu   

  1. College of Information Engineering,Zhejiang University of Technology,Hangzhou 310023,China
  • Online:2025-11-15 Published:2025-11-10
  • About author:BAI Yang,born in 2001,postgraduate.His main research interests include aeri-ficial intelligence and internet security.
    CHEN Jinyin,born in 1982,Ph.D,professor,is a member of CCF(No.14348M).Her main research interests include data mining,intelligent computing and complex network analysis.
  • Supported by:
    National Natural Science Foundation of China(62072406,62406286),Zhejiang Provincial Natural Science Foundation(LDQ23F020001),Key R & D Projects in Zhejiang Province(2022C01018) and National Key R & D Projects of China(2018AAA0100801).

PDF (PC)

161

Abstract: Graph vertical federated learning(GVFL) is a distributed machine learning approach that integrates graph data with vertical federated learning,widely applied in fields such as financial services,healthcare,and social networks.This method not only preserves privacy but also leverages data diversity to significantly enhance model performance.However,studies indicate that GVFL is vulnerable to adversarial attacks.Existing adversarial attack methods targeting graph neural networks(GNN),such as Gradient Maximization Attack and Simplified Gradient Attack,still face challenges when applied in the GVFL framework.These challenges include low attack success rates,poor stealth,and inapplicability under defense conditions.To address these issues,this paper proposes a novel adversarial attack method for GVFL,termed Node and Feature Adversarial Attack(NFAttack).NFAttack designs node and feature attack strategies to conduct efficient attacks from multiple dimensions.The node attack strategy evaluates node importance using degree centrality metrics and disrupts high-centrality nodes by connecting a certain number of fake nodes to form adversarial edges.Meanwhile,the feature attack strategy introduces hybrid noise-composed of random noise and gradient noise-into node features,thereby affecting classification results.Experiments conducted on six datasets and three GNN models demonstrate that NFAttack achieves an average attack success rate of 80%,approximately 30% higher than other me-thods.Furthermore,NFAttack maintains strong attack performance even under various federated learning defense mechanisms.

Key words: Vertical federal learning, Graph neural network, Graph data, Node classification, Adversarial attack

CLC Number: 

  • TP387
[1]ZHANG C,XIE Y,BAI H,et al.A survey on federated learning[J].Knowledge-Based Systems,2021,216:106775.
[2]LIU P,XU X,WANG W.Threats,attacks and defenses to federated learning:issues,taxonomy and perspectives[J].Cybersecurity,2022,5(1):4.
[3]HENRIQUE B M,SOBREIRO V A,KIMURA H.Literaturereview:Machine learning techniques applied to financial market prediction[J].Expert Systems with Applications,2019,124:226-251.
[4]KONONENKO I.Machine learning for medical diagnosis:history,state of the art and perspective[J].Artificial Intelligence in Medicine,2001,23(1):89-109.
[5]CUMMINGS D,NASSAR M.Structured citation trend predic-tion using graph neural networks[C]//ICASSP 2020-2020 IEEE International Conference on Acoustics,Speech and Signal Processing(ICASSP).IEEE,2020:3897-3901.
[6]GAO C,WANG X,HE X,et al.Graph neural networks for recommender system[C]//Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining.2022:1623-1625.
[7]ZHANG X M,LIANG L,LIU L,et al.Graph neural networks and their current applications in bioinformatics[J].Frontiers in Genetics,2021,12:690049.
[8]LUAN H,TSAI C C.A review of using machine learning approaches for precision education[J].Educational Technology & Society,2021,24(1):250-266.
[9]YU B,MBO W,LV Y,et al.A survey on federated learning in data mining[J].Wiley Interdisciplinary Reviews:Data Mining and Knowledge Discovery,2022,12(1):1-20.
[10]HARD A,RAO K,MATHEWS R,et al.Federated learn-ing for mo-bile keyboard prediction[J].arXiv:1811.03604,2018.
[11]YANG Q,LIU Y,CHEN T,et al.Federated machine learning:Concept and applications[J].ACM Transactions on Intelligent Systems and Technology(TIST),2019,10(2):1-19.
[12]WU Z,PAN S,CHEN F,et al.A comprehensive survey ongraph neural networks[J].IEEE Transactions on Neural Networks and Learning Systems,2020,32(1):4-24.
[13]ZHAO T,JIN W,LIU Y,et al.Graph data augmentation for graph machine learning:A survey[J].arXiv:2202.08871,2022.
[14]KIPF T N,WELLING M.Semi-supervised classification withgra-ph convolutional networks[J].arXiv:1609.02907,2016.
[15]HAMILTON W,YING Z,LESKOVEC J.Inductive representation learning on large graphs[J].Advances in Neural Information Processing Systems,2017,30:1-11.
[16]VELIČKOVIC′ P,CUCURULL G,CASANOVA A,et al.Graph attention networks[J].arXiv:1710.10903,,2017.
[17]LI Y,CHENG M,HSIEH C J,et al.A review of adversarial attack and defense for classification methods[J].The American Statistician,2022,76(4):329-345.
[18]ZHANG T,LIAO B,YU J,et al.Benchmarking and Analysis for Graph Neural Network Node Classification Task[J].Computer Science,2024,51(4):132-150.
[19]DAI H,LI H,TIAN T,et al.Adversarial attack on graph structured data[C]//International Conference on Machine Learning.PMLR,2018:1115-1124.
[20]LI J,XIE T,CHEN L,et al.Adversarial attack on large scale graph[J].IEEE Transactions on Knowledge and Data Engineering,2021,35(1):82-95.
[21]ZÜGNER D,AKBARNEJAD A,GÜNNEMANN S.Adversarial attacks on neural networks for graph data[C]//Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining.2018:2847-2856.
[22]SUN Y,WANG S,TANG X,et al.Node injection attacks on graphs via reinforcement learning[J].arXiv:1909.06543,2019.
[23]GOODFELLOW I J,SHLENS J,SZEGEDY C.Explaining and harnessing adversarial examples[J].arXiv:1412.6572,2014.
[24]DWORK C,MCSHERRY F,NISSIM K,et al.Calibrating noise to sensitivity in private data analysis[C]//Proceedings of Theoryof Cryptography Conference.2006:265-284.
[25]ABADI M,CHU A,GOODFELLOW I,et al.Deep learning with differential privacy[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security.2016:308-318.
[26]WANG C,LIANG J,HUANG M,et al.Hybrid differentially private federated learning on vertically partitioned data[J].ar-Xiv:2009.02763,2020.
[27]YANG Z,COHEN W,SALAKHUDINOV R.Revisiting semi-supervised learning with graph embeddings[C]//International Conference on Machine Learning.PMLR,2016:40-48.
[28]SHCHUR O,MUMME M,BOJCHEVSKI A,et al.Pitfalls of graph neural network evaluation[J].arXiv:1811.05868,2018.
[29]SUN M,TANG J,LI H,et al.Data poisoning attack against unsupervised node embedding methods[J].arXiv:1810.12881,2018.
[30]WU H,WANG C,TYSHETSKIY Y,et al.Adversarial examples for graph data:deep insights into attack and defense[C]//Proceedings of the Twenty Eighth International Joint Confe-rence on Artificial Intelligence(IJCAI).2019:4816-4823.
[31]SUN M,DING X N,CHENG Q.Federated Learning Scheme Based on Differential Privacy[J].Computer Science,2024,51(S1):230600211-6.
[1] DING Yan, DING Hongfa, YU Muran, JIANG Heling. Survey of Backdoor Attacks and Defenses on Graph Neural Network [J]. Computer Science, 2026, 53(3): 1-22.
[2] ZHAO Zhengbiao, LU Hanyu, DING Hongfa. Node-influence Based Construction Algorithm of Approximate Worst-case Forgetting Set for Graph Unlearning [J]. Computer Science, 2026, 53(3): 64-77.
[3] WANG Jinghong, LI Pengchao, WANG Xizhao, ZHANG Zili. Dual-channel Graph Neural Network Based on KAN [J]. Computer Science, 2026, 53(3): 188-196.
[4] WANG Xinyu, SONG Xiaomin, ZHENG Huiming, PENG Dezhong, CHEN Jie. Contrastive Learning-based Masked Graph Autoencoder [J]. Computer Science, 2026, 53(2): 145-151.
[5] LI Chengyu, HUANG Ke, ZHANG Ruiheng , CHEN Wei. Heterogeneous Graph Attention Network-based Approach for Smart Contract Vulnerability
Detection [J]. Computer Science, 2026, 53(2): 423-430.
[6] ZHAI Jie, CHEN Lexuan, PANG Zhiyu. Survey on Graph Neural Network-based Methods for Academic Performance Prediction [J]. Computer Science, 2026, 53(2): 16-30.
[7] YANG Ming, HE Chaobo, YANG Jiaqi. Direction-aware Siamese Network for Knowledge Concept Prerequisite Relation Prediction [J]. Computer Science, 2026, 53(2): 39-47.
[8] ZHOU Qiang, LI Zhe, TAO Wei, TAO Qing. Adaptive Box-constraint Optimization Method for Adversarial Attacks [J]. Computer Science, 2026, 53(1): 404-412.
[9] LIU Hongjian, ZOU Danping, LI Ping. Pedestrian Trajectory Prediction Method Based on Graph Attention Interaction [J]. Computer Science, 2026, 53(1): 97-103.
[10] LI Yaru, WANG Qianqian, CHE Chao, ZHU Deheng. Graph-based Compound-Protein Interaction Prediction with Drug Substructures and Protein 3D Information [J]. Computer Science, 2025, 52(9): 71-79.
[11] WU Hanyu, LIU Tianci, JIAO Tuocheng, CHE Chao. DHMP:Dynamic Hypergraph-enhanced Medication-aware Model for Temporal Health EventPrediction [J]. Computer Science, 2025, 52(9): 88-95.
[12] SU Shiyu, YU Jiong, LI Shu, JIU Shicheng. Cross-domain Graph Anomaly Detection Via Dual Classification and Reconstruction [J]. Computer Science, 2025, 52(8): 374-384.
[13] CHEN Jun, ZHOU Qiang, BAO Lei, TAO Qing. Linear Interpolation Method for Adversarial Attack [J]. Computer Science, 2025, 52(8): 403-410.
[14] TANG Boyuan, LI Qi. Review on Application of Spatial-Temporal Graph Neural Network in PM2.5 ConcentrationForecasting [J]. Computer Science, 2025, 52(8): 71-85.
[15] GUO Husheng, ZHANG Xufei, SUN Yujie, WANG Wenjian. Continuously Evolution Streaming Graph Neural Network [J]. Computer Science, 2025, 52(8): 118-126.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
Add:18# Honghu West Rd., Yubei ,Chongqing,China    Post Code: 401121
Tel: 023-63500828/023-67039612/023-67039623
E-mail: jsjkx12@163.com
Powered by Beijing Magtech Co., Ltd.