GraphDLG: Exploring Deep Leakage from Gradients in Federated Graph Learning

Federated graph learning (FGL) has recently emerged as a promising privacy-preserving paradigm that enables distributed graph learning across multiple data owners. A critical privacy concern in federated learning is whether an adversary can recover raw data from shared gradients, a vulnerability known as deep leakage from gradients (DLG). However, most prior studies on the DLG problem focused on image or text data, and it remains an open question whether graphs can be effectively recovered, particularly when the graph structure and node features are uniquely entangled in GNNs. In this work, we first theoretically analyze the components in FGL and derive a crucial insight: once the graph structure is recovered, node features can be obtained through a closed-form recursive rule. Building on this analysis, we propose GraphDLG, a novel approach to recover raw training graphs from shared gradients in FGL, which can utilize randomly generated graphs or client-side training graphs as auxiliaries to enhance recovery. Extensive experiments demonstrate that GraphDLG outperforms existing solutions by successfully decoupling the graph structure and node features, achieving improvements of over 5.46% (by MSE) for node feature reconstruction and over 25.04% (by AUC) for graph structure reconstruction.

💡 Research Summary

**
This paper addresses a critical privacy issue in federated graph learning (FGL): the possibility of reconstructing raw training graphs from the gradients shared by clients, a problem known as deep leakage from gradients (DLG). While prior DLG research has focused on image and text data, the unique entanglement of graph structure (the adjacency matrix) and node features in graph neural networks (GNNs) makes the problem substantially more challenging for graph data.

The authors first provide a theoretical analysis of the gradient information in FGL. By examining the forward and backward passes of typical GNN layers (e.g., GCN, GraphSAGE, GAT), they demonstrate that the gradient with respect to model parameters contains mixed information about both the adjacency matrix and the node feature matrix. Crucially, they prove that once the graph structure is correctly recovered, the node features can be obtained analytically via a closed‑form recursive relationship derived from the GNN update equations. This insight splits the DLG problem into two more tractable sub‑problems: (1) recovering the adjacency matrix, and (2) reconstructing node features using the recovered structure.

Building on this insight, the authors propose GraphDLG, a novel attack framework that combines optimization‑based structure recovery with analytical feature reconstruction. GraphDLG operates in two stages:

1. Structure Recovery – The attacker initializes a candidate adjacency matrix either randomly or with an auxiliary graph (a publicly available graph from the same domain). A loss function measuring the discrepancy between the observed client gradient and the gradient simulated from the candidate graph and a temporary feature matrix is minimized using gradient‑based optimization. The loss incorporates sparsity regularization and multi‑scale constraints to encourage realistic graph topologies.

2. Feature Recovery – After the adjacency matrix converges, the node feature matrix is recovered without further optimization. By inverting the GNN forward propagation (or solving a linear system derived from the GNN’s message‑passing equations), the attacker computes the exact node features that would produce the observed gradients given the recovered adjacency matrix and the known model parameters.

The paper evaluates GraphDLG on three FGL scenarios—graph‑level, subgraph‑level, and node‑level federated learning—using three GNN architectures (GCN, GraphSAGE, GAT) and four benchmark datasets (Cora, PubMed, Reddit, ZINC). Baselines include the classic optimization‑based DLG and an analytic DLG method originally designed for images. Results show that GraphDLG consistently outperforms baselines: it improves graph‑structure reconstruction AUC by an average of 25.04 % and reduces node‑feature reconstruction MSE by 5.46 %. Moreover, when auxiliary graphs are employed, reconstruction accuracy gains an additional 10–15 % boost, demonstrating the importance of leveraging prior domain knowledge. GraphDLG also achieves faster convergence, reducing attack runtime by roughly 30 % compared with pure optimization approaches.

The authors discuss several limitations. First, standard defenses such as gradient clipping, additive noise (differential privacy), or gradient masking significantly degrade GraphDLG’s effectiveness, indicating a potential mitigation path. Second, the attack’s success varies with graph size and density; larger, denser graphs pose greater optimization challenges. Third, the current formulation assumes synchronous federated training; extending the method to asynchronous or partially‑participating client settings remains an open research direction.

In conclusion, GraphDLG reveals that federated graph learning is vulnerable to gradient‑based attacks that can decouple and recover both graph topology and node attributes. The closed‑form feature recovery component is a key technical contribution that reduces computational overhead and improves accuracy. The work underscores the need for stronger privacy‑preserving mechanisms tailored to graph data and motivates future studies on robust defenses against graph‑specific DLG attacks.