Fed-Listing: Federated Label Distribution Inference in Graph Neural Networks

Graph Neural Networks (GNNs) have been intensively studied for their expressive representation and learning performance on graph-structured data, enabling effective modeling of complex relational dependencies among nodes and edges in various domains. However, the standalone GNNs can unleash threat surfaces and privacy implications, as some sensitive graph-structured data is collected and processed in a centralized setting. To solve this issue, Federated Graph Neural Networks (FedGNNs) are proposed to facilitate collaborative learning over decentralized local graph data, aiming to preserve user privacy. Yet, emerging research indicates that even in these settings, shared model updates, particularly gradients, can unintentionally leak sensitive information of local users. Numerous privacy inference attacks have been explored in traditional federated learning and extended to graph settings, but the problem of label distribution inference in FedGNNs remains largely underexplored. In this work, we introduce Fed-Listing (Federated Label Distribution Inference in GNNs), a novel gradient-based attack designed to infer the private label statistics of target clients in FedGNNs without access to raw data or node features. Fed-Listing only leverages the final-layer gradients exchanged during training to uncover statistical patterns that reveal class proportions in a stealthy manner. An auxiliary shadow dataset is used to generate diverse label partitioning strategies, simulating various client distributions, on which the attack model is obtained. Extensive experiments on four benchmark datasets and three GNN architectures show that Fed-Listing significantly outperforms existing baselines, including random guessing and Decaf, even under challenging non-i.i.d. scenarios. Moreover, applying defense mechanisms can barely reduce our attack performance, unless the model’s utility is severely degraded.

💡 Research Summary

The paper introduces Fed‑Listing, a novel privacy attack that infers the private label distribution of a target client in federated Graph Neural Networks (FedGNNs) by exploiting only the final‑layer gradients exchanged during training. The authors argue that, while federated learning mitigates many privacy risks by keeping raw graph data local, the gradients still encode statistical information about the underlying labels, especially in GNNs where the last linear layer directly maps node embeddings to class logits.

Fed‑Listing operates in two stages. First, an auxiliary (public) dataset is partitioned into multiple subsets, each of which is further split according to four label‑partitioning strategies: single‑class, random, equal, and missing‑class distributions. These subsets simulate a variety of client label distributions. The authors then run several independent “shadow” federated training processes using the same GNN architecture (GCN, GraphSAGE, or GAT) as the target system. During each shadow round, they record the final‑layer gradients of each shadow client together with the known label proportions of that client, thereby constructing a large attack dataset of (gradient, label‑distribution) pairs.

In the second stage, a neural network (typically a multilayer perceptron) is trained on this attack dataset to learn a mapping from a gradient vector to a label‑distribution vector. Once trained, the attack model can be applied to the real federated setting: the honest‑but‑curious server simply feeds the latest gradients received from the target client into the attack model, which outputs an estimate of the client’s per‑class proportions. No raw node features, adjacency matrices, or label information are required.

The authors evaluate Fed‑Listing on four widely used graph benchmarks—Cora, Citeseer, Pubmed, and Reddit—combined with three GNN architectures, yielding twelve experimental configurations. They compare against two baselines: random guessing and Decaf, a prior label‑distribution inference method designed for image data. Across all settings, Fed‑Listing achieves substantially lower mean absolute error (MAE) and mean squared error (MSE) than Decaf, often reducing MAE by 30‑50 %. The advantage is especially pronounced in extreme non‑i.i.d. scenarios such as single‑class dominant or missing‑class distributions, where Decaf’s performance degrades sharply.

To assess robustness, the paper applies three common defenses: differential privacy (DP‑SGD), gradient clipping, and additive Gaussian noise (the “loud” noise approach). The defenses are tuned so that the global model’s utility drops by no more than 5 %. Even under these constraints, Fed‑Listing retains a success rate above 70 % and continues to outperform the baselines, indicating that the gradient leakage is hard to suppress without severely harming model performance.

Key contributions include: (1) the first passive, gradient‑only label‑distribution inference attack tailored to horizontal FedGNNs; (2) a systematic shadow‑training pipeline that captures heterogeneous label distributions using an auxiliary dataset; (3) extensive empirical validation across multiple datasets, GNN models, and non‑i.i.d. conditions; and (4) a thorough analysis of existing defenses, highlighting a gap between privacy protection and utility in federated graph learning.

The paper also discusses limitations. Fed‑Listing relies on the availability of an auxiliary dataset that is sufficiently similar to the target domain; its efficacy in vertical federated settings or with heterogeneous graph topologies remains untested. Moreover, the attack focuses on the final layer, so defenses that alter earlier layers or employ label‑invariant updates could potentially mitigate the threat. Future work is suggested in two directions: (a) developing meta‑learning or few‑shot techniques to reduce the dependence on large shadow datasets, and (b) designing new defense mechanisms—such as gradient encryption, label‑agnostic aggregation, or architecture‑level obfuscation—that specifically break the gradient‑to‑label‑distribution mapping while preserving model accuracy.