Federated graph learning (FedGL) is an emerging federated learning (FL) framework that extends FL to learn graph data from diverse sources. FL for non-graph data has shown to be vulnerable to backdoor attacks, which inject a shared backdoor trigger into the training data such that the trained backdoored FL model can predict the testing data containing the trigger as the attacker desires. However, FedGL against backdoor attacks is largely unexplored, and no effective defense exists. In this paper, we aim to address such significant deficiency. First, we propose an effective, stealthy, and persistent backdoor attack on FedGL. Our attack uses a subgraph as the trigger and designs an adaptive trigger generator that can derive the effective trigger location and shape for each graph. Our attack shows that empirical defenses are hard to detect/remove our generated triggers. To mitigate it, we further develop a certified defense for any backdoored FedGL model against the trigger with any shape at any location. Our defense involves carefully dividing a testing graph into multiple subgraphs and designing a majority vote-based ensemble classifier on these subgraphs. We then derive the deterministic certified robustness based on the ensemble classifier and prove its tightness. We extensively evaluate our attack and defense on six graph datasets. Our attack results show our attack can obtain > 90% backdoor accuracy in almost all datasets. Our defense results show, in certain cases, the certified accuracy for clean testing graphs against an arbitrary trigger with size 20 can be close to the normal accuracy under no attack, while there is a moderate gap in other cases. Moreover, the certified backdoor accuracy is always 0 for backdoored testing graphs generated by our attack, implying our defense can fully mitigate the attack. Source code is available at: https://github.com/Yuxin104/Opt-GDBA.

翻译：联邦图学习（FedGL）是一种新兴的联邦学习（FL）框架，它将FL扩展至从多样来源学习图数据。针对非图数据的FL已被证明易受后门攻击，此类攻击将共享的后门触发器注入训练数据中，使得训练后的带后门FL模型能够按照攻击者意图预测包含触发器的测试数据。然而，针对联邦图学习的后门攻击研究尚不充分，且目前缺乏有效的防御手段。本文旨在弥补这一重要不足。首先，我们提出一种针对FedGL的有效、隐蔽且持续的后门攻击方法。该攻击使用子图作为触发器，并设计了一种自适应触发器生成器，能够为每个图推导出有效的触发器位置与形态。实验表明，现有经验性防御方法难以检测或移除我们生成的触发器。为应对此问题，我们进一步开发了一种认证防御方法，可保护任何带后门的FedGL模型抵御任意位置与形态的触发器。我们的防御策略包括：将测试图精细划分为多个子图，并设计基于多数投票的集成分类器处理这些子图。随后，我们基于该集成分类器推导出确定性认证鲁棒性，并证明其紧致性。我们在六个图数据集上对我们的攻击与防御方法进行了广泛评估。攻击结果显示，我们的攻击在几乎所有数据集上都能实现>90%的后门准确率。防御结果表明，在某些情况下，针对尺寸为20的任意触发器，干净测试图的认证准确率可接近无攻击时的正常准确率，而在其他情况下存在适度差距。此外，对于通过我们攻击生成的带后门测试图，其认证后门准确率始终为0，这表明我们的防御能够完全化解该攻击。源代码发布于：https://github.com/Yuxin104/Opt-GDBA。