Hide and Find: A Distributed Adversarial Attack on Federated Graph Learning

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Federated Graph Learning (FedGL) is vulnerable to malicious attacks, yet developing a truly effective and stealthy attack method remains a significant challenge. Existing attack methods suffer from low attack success rates, high computational costs, and are easily identified and smoothed by defense algorithms. To address these challenges, we propose FedShift, a novel two-stage “Hide and Find” distributed adversarial attack. In the first stage, before FedGL begins, we inject a learnable and hidden “shifter” into part of the training data, which subtly pushes poisoned graph representations toward a target class’s decision boundary without crossing it, ensuring attack stealthiness during training. In the second stage, after FedGL is complete, we leverage the global model information and use the hidden shifter as an optimization starting point to efficiently find the adversarial perturbations. During the final attack, we aggregate these perturbations from multiple malicious clients to form the final effective adversarial sample and trigger the attack. Extensive experiments on six large-scale datasets demonstrate that our method achieves the highest attack effectiveness compared to existing advanced attack methods. In particular, our attack can effectively evade 3 mainstream robust federated learning defense algorithms and converges with a time cost reduction of over 90%, highlighting its exceptional stealthiness, robustness, and efficiency.


💡 Research Summary

The paper introduces FedShift, a novel two‑stage “Hide and Find” distributed adversarial attack designed specifically for Federated Graph Learning (FedGL). Existing attacks on FedGL fall into two categories: backdoor attacks that poison data by inserting trigger sub‑graphs and relabeling them, and post‑hoc adversarial attacks that optimize perturbations after the federated training finishes. Backdoor attacks suffer from easy smoothing during federated aggregation and are readily detected by robust FL defenses, while adversarial attacks face slow, unstable convergence due to the discrete nature of graphs and non‑convex objectives, leading to high computational overhead.

FedShift tackles both problems by first “hiding” a subtle backdoor signal and then “finding” an effective adversarial perturbation. In Stage 1 (Gentle Data Poisoning), each malicious client trains an adaptive shifter generator. The generator consists of (i) shifter position learning, which selects a set of influential nodes (Vₚ) based on clustering coefficients and node centrality, and (ii) shifter shape learning, which produces a perturbation (δ) that nudges the graph embedding toward the target class’s decision boundary without crossing it. This is achieved through a novel distributional proximity loss (L_dist) that minimizes the cosine distance between the poisoned graph’s embedding and the nearest centroid of the target‑class embedding cluster, together with homogeneity and cross‑entropy regularizers. Because the poisoned graphs remain on the correct side of the boundary, the backdoor signal is indistinguishable from benign updates, dramatically reducing smoothing during FedAvg and evading detection by standard defenses.
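From the defender's side, the Stage 1 description implies a measurable artifact: a sample that keeps its label yet sits unusually close to another class's centroid. The sketch below is an added example, not code from the paper, and was not evaluated there; it assumes graph embeddings from a trusted encoder are available, uses one centroid per class, and applies a modified z-score cutoff of 3.5 to constructed 2-D sample data.

```python
import math
from statistics import median

def cosine_distance(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return 1.0 - dot / (math.hypot(*a) * math.hypot(*b))

def class_centroids(embs, labels):
    # Assumption: one mean centroid per class (the summary mentions clusters).
    cents = {}
    for lab in set(labels):
        rows = [e for e, l in zip(embs, labels) if l == lab]
        cents[lab] = [sum(col) / len(rows) for col in zip(*rows)]
    return cents

def margins(embs, labels):
    """Distance to nearest foreign centroid minus distance to own centroid.
    Positive means the sample is still on its own class's side."""
    cents = class_centroids(embs, labels)
    out = []
    for e, lab in zip(embs, labels):
        own = cosine_distance(e, cents[lab])
        other = min(cosine_distance(e, c) for k, c in cents.items() if k != lab)
        out.append(other - own)
    return out

def flag_low_margin(embs, labels, z_cut=3.5):
    """Indices of correctly-sided samples whose margin is a robust outlier
    on the low side (median/MAD modified z-score)."""
    m = margins(embs, labels)
    med = median(m)
    mad = median(abs(x - med) for x in m) or 1e-12
    return [i for i, x in enumerate(m)
            if x > 0 and 0.6745 * (med - x) / mad > z_cut]

# Constructed sample embeddings: index 5 keeps label 0 but leans toward class 1.
EMBS = [(1.0, 0.05), (1.0, 0.10), (1.0, 0.15), (1.0, 0.08), (1.0, 0.12),
        (1.0, 0.85),
        (0.05, 1.0), (0.10, 1.0), (0.15, 1.0), (0.08, 1.0), (0.12, 1.0)]
LABELS = [0] * 6 + [1] * 5

if __name__ == "__main__":
    print(flag_low_margin(EMBS, LABELS))
```

A flag here is a prompt for manual review of the sample, since naturally ambiguous graphs also produce low margins.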

In Stage 2 (Adversarial Perturbation Finding), after federated training converges, the global model parameters are leveraged. The shifter generator’s parameters from Stage 1 serve as a high‑quality initialization for further optimization, turning what would normally be a random start into a guided search in a region already close to the decision boundary. This dramatically accelerates convergence and stabilizes the optimization, addressing the third challenge of traditional adversarial attacks. Each malicious client refines its own perturbation; the server then aggregates these perturbations, producing a final adversarial sample that benefits from a “1 + 1 > 2” effect.

Extensive experiments on six large‑scale graph datasets (including Cora, Pubmed, Reddit and ogbn‑arxiv) and against three mainstream robust FL defenses (differential privacy, robust aggregation, Byzantine‑resilient FL) demonstrate that FedShift outperforms state‑of‑the‑art attacks. Specifically, the backdoor signal is 80.5%–90.6% less smoothed during aggregation, leading to higher attack success rates (ASR). FedShift maintains the highest ASR under all tested defenses, confirming its robustness and stealth. Moreover, FedShift reaches comparable ASR with over 90% fewer training epochs than baselines, translating to more than a 90% reduction in total attack time.

The paper’s contributions are threefold: (1) proposing the “implant‑find” attack paradigm that exploits both pre‑training and post‑training information; (2) introducing a distributional proximity loss for gentle, label‑preserving data poisoning; (3) demonstrating that aggregating perturbations from multiple malicious clients yields synergistic attack strength. Limitations include reliance on each client’s computational resources for generator training and sensitivity of the node‑selection step to graph topology. Future work may explore lightweight generator designs, alternative position‑selection strategies that avoid explicit clustering, and extensions to asynchronous or partially‑participating federated settings.

