Computer Science ›› 2025, Vol. 52 ›› Issue (11A): 241200220-10. doi: 10.11896/jsjkx.241200220

• Information Security •

Adversarial Attack on Vertical Graph Federated Learning

BAI Yang, CHEN Jinyin, ZHENG Haibin, ZHENG Yayu   

  1. College of Information Engineering, Zhejiang University of Technology, Hangzhou 310023, China
  • Online: 2025-11-15 Published: 2025-11-10
  • Supported by:
    National Natural Science Foundation of China (62072406, 62406286), Zhejiang Provincial Natural Science Foundation (LDQ23F020001), Key R & D Projects in Zhejiang Province (2022C01018) and National Key R & D Projects of China (2018AAA0100801).

Abstract: Graph vertical federated learning (GVFL) is a distributed machine learning approach that integrates graph data with vertical federated learning and is widely applied in fields such as financial services, healthcare, and social networks. This method not only preserves privacy but also leverages data diversity to significantly enhance model performance. However, studies indicate that GVFL is vulnerable to adversarial attacks. Existing adversarial attack methods targeting graph neural networks (GNN), such as Gradient Maximization Attack and Simplified Gradient Attack, still face challenges when applied in the GVFL framework. These challenges include low attack success rates, poor stealth, and inapplicability under defense conditions. To address these issues, this paper proposes a novel adversarial attack method for GVFL, termed Node and Feature Adversarial Attack (NFAttack). NFAttack designs node and feature attack strategies to conduct efficient attacks from multiple dimensions. The node attack strategy evaluates node importance using degree centrality metrics and disrupts high-centrality nodes by connecting a certain number of fake nodes to form adversarial edges. Meanwhile, the feature attack strategy introduces hybrid noise, composed of random noise and gradient noise, into node features, thereby affecting classification results. Experiments conducted on six datasets and three GNN models demonstrate that NFAttack achieves an average attack success rate of 80%, approximately 30% higher than other methods. Furthermore, NFAttack maintains strong attack performance even under various federated learning defense mechanisms.

Key words: Vertical federated learning, Graph neural network, Graph data, Node classification, Adversarial attack

CLC Number: 

  • TP387