A Multi-Layered Defense Framework Against Structural Poisoning Attacks in Federated Graph Convolutional Networks

Abstract

Federated Graph Convolutional Networks (FedGCNs) enable decentralized learning over graph-structured data while preserving privacy, making them well-suited for node classification applications such as electric vehicle (EV) charging demand forecasting. In this context, nodes in the graph represent regions, while edges capture spatial relationships and labels reflect demand levels. FedGCNs can predict future charging demand patterns at different locations—crucial for optimizing grid load, reducing wait times, and improving resource allocation. However, their distributed nature introduces unique vulnerabilities, particularly structural poisoning attacks that manipulate the graph topology on the client level. Unlike centralized GNNs, clients in FedGCNs have access only to local subgraphs, making it difficult to detect and mitigate malicious structural changes. This thesis investigates structural poisoning attacks in 0-hop FedGCN settings, specifically edge injection and edge rewiring attacks, where no inter-client communication is available. A client-side multi-layered defense framework is proposed. The defense integrates three complementary graph sanitization techniques—Spectral Edge Pruning, Jaccard Similarity Pruning, and Degree-Based Edge Pruning—to detect and remove suspicious edges before local training begins, acting as a first line of defense for the system. Experiments were conducted on two benchmark datasets (Cora and Citeseer) and a real-world Shenzhen EV charging dataset under varying attack intensities. The proposed framework demonstrated strong robustness across datasets, with performance improvements of over 20% in high-attack scenarios compared to an undefended baseline. Ablation studies further validated that combining pruning strategies and optimizing their sequence leads to more consistent performance. Additionally, the impact of homomorphic encryption on training performance and runtime was assessed to ensure privacy-preserving deployment. These findings offer a practical and privacy-respecting first line of defense for securing graph-based federated systems against structural attacks.

Date of Award	2025
Original language	American English
Awarding Institution	HBKU College of Science and Engineering