Energy-based Backdoor Defense Against Federated Graph Learning

Dear Reviewer ev6Q

We sincerely thank you for your insightful feedback. We have provided detailed responses to your questions, and we hope that these clarifications and revisions meet your expectations and potentially merit a higher evaluation.

Weakness 1: Visualization and More non-iid scenarios

Thank you for your valuable feedback regarding the details of the experiments. To address this issue comprehensively, we have provided detailed visualizations of the energy distribution for each client before and after clustering, as well as additional experimental reports for non-iid scenarios. These have included in Appendix E and Appendix B, respectively. Below we present additional experimental results for non-IID scenarios:

renyi (Non-iid-feature-skew with alpha = 0.5 and a malicious proportion of 0.3) :

renyi (Non-iid-label-skew with alpha = 0.5 and a malicious proportion of 0.3) :

---

Weakness 2: Omission of Standard Defenses

We appreciate your valuable feedback and would like to point out the omission of certain standard defense methods in our initial submission. We have carefully reviewed [1] and have incorporated the methods you mentioned as references in the revised manuscript. What we want to clarify is that FLTrust relies on the availability of a clean and trustworthy dataset at the server side. However, the size or feasibility of such a dataset has not been clearly established in graph domain. And this limitation was the reason it was not it was not included in the original experimental design.

[1] is an excellent concurrent work focusing on backdoor attacks and defenses in the context of graph classification. The Certified Defense method discussed in [1] primarily involves dividing test graphs into multiple subgraphs and determining the final label through majority voting. However, this approach does not fully adapt to node classification tasks. In contrast, our proposed FedTGE performing node-level energy adjustment is also applicable to defense tasks in graph classification scenarios. For relevant experimental results, please refer to our response to Question 3.

---

Weakness 3: Reasons for the performance degradation of FedFreq

Thank you for highlighting this concern. FedFreq is indeed an advanced method in traditional federated learning, relying on clustering and filtering malicious clients based on their uploaded model updates. However, backdoor attack patterns in FGL pose greater challenges compared to those in traditional FL. Specifically, the randomness in the location and shape of trigger injections, as well as their distribution, makes traditional model update-based defense methods, such as Trimmed Mean and FoolsGold, less effective in FGL.

For FedFreq, it relies on model updates to identify malicious clients and completely excludes the model parameters of these clients. However, this approach often fails to accurately identify malicious clusters in FGL. This inevitably leads to the loss of knowledge learned by some clients, resulting in significant performance degradation in certain scenarios. A similar issue can also be observed in the DnC algorithm.

---

Question 3

The modifications required to apply FedTGE to graph classification focus on replacing the perturbation of node subgraphs with the perturbation of entire graphs. Additionally, the defense mechanism of Certified Defense (CCS 24) may have inherent limitations, which could account for its inferior performance compared to FedTGE: (1) Loss of Graph Information: Certified Defense splits the test graph into multiple non-overlapping subgraphs for individual predictions. This process can result in significant information loss, potentially affecting prediction accuracy. For example, in domains like proteins or biomolecules, arbitrary partitioning of graphs may fail to produce correct labels due to the critical interdependencies within the graph structure. (2) Lower Robustness: Certified Defense cannot directly guarantee that the trigger will be entirely contained within a single subgraph during the partitioning process. If the trigger is distributed across multiple subgraphs, it could influence the predictions of several subgraphs, making the voting mechanism appear fragile and less reliable. These issues ultimately result in Certified Defense achieving overall performance that is inferior to FedTGE.

Weakness 1 & 2

Thank you for pointing out issues that were not clearly explained. We apologize for any inconvenience caused by the delay in updating it and the submission revision has been uploaded now. The visualization of the energy distribution before and after energy calibration is provided in Appendix E. We have explicitly stated in the contributions section that our work focuses on node classification and is extendable to graph classification.

Weakness 3: Reasons for the performance degradation of FedFreq

FedFreq assumes that the low-frequency components of model parameter weights represent the overall trend and global characteristics of weight changes, while high-frequency components are associated with noise and local details. However, the weight distribution of graph data is highly dependent on the graph's topological structure (e.g., node degree distribution and community structure). In non-Euclidean spaces, the graph topologies of different clients can vary significantly, leading to completely different spectral distributions even among benign clients. This variability makes it difficult to accurately distinguish between malicious and benign updates based on low-frequency features. As a result, HDBSCAN may misclassify the weights of benign clients as malicious updates.

In the revised manuscript, we have added a visualization analysis of the low-frequency components of FedFreq in Appendix F. We use Principal Component Analysis (PCA) to visualize the distances of low-frequency components across different clients. It can be observed that defense methods based on low-frequency components (model updates) are not suitable for GCNs and may even filter out benign clients.

Dear Reviewer i7k7

We sincerely thank you for taking the time to evaluate our work and have adressed your concerns as follows:

Weakness 1: More discussion on the baseline.

We appreciate your feedback recognizing the advantages of our approach and pointing out the missing discussion on certain baselines. We would like to clarify that, in Section 5.2 (Performance Comparison), we categorized RFA under statistical distribution-based methods and provided an explanation. To ensure a comprehensive analysis of why baselines may not perform well in the given scenario, we will provide further details or clarifications as needed to enhance your understanding of our work.

Question 1: More defense performance under various trigger types

We sincerely appreciate your insightful observations. In the revised manuscript, we have provided additional experimental reports in Appendix B. We have selected some of the results to display below:

GTA (Non-iid-louvain with a malicious proportion of 0.3):

WS (Non-iid-louvain with a malicious proportion of 0.3):

The GTA algorithm injects triggers with distinct shapes, such as star or ring patterns, which exhibit high attack efficacy but suffer from low stealthiness. In contrast, the WS algorithm based on the Watts-Strogatz small-world model introduces triggers that typically possess realistic network characteristics resulting in higher stealthiness but at the cost of relatively lower attack effectiveness. Nevertheless, FedTGE is able to maintain strong defense performance even under these attack scenarios.

---

Dear Reviewer 8A86

Thank you for recognizing the contribution of our work to the community. Your valuable input has been instrumental in helping us refine and enhance our research. Please find our detailed responses below:

Question 1: The reasonableness of the assumption

We understand your concern regarding this issue. Our energy model is essentially an energy-based model that integrates the ability of GNNs to capture data structures while attaching energy information to the graph data. Samples that align well with the data modeled by GNNs are assigned low energy, whereas those that do not are assigned high energy.

In datasets with low noise and simple structures, these triggers significantly alter the structural information of the data, serving as a prominent signal for FedTGE to assign higher energy. For example, in the IID scenarios, FedTGE achieves excellent defense performance. Furthermore, in datasets with moderate noise, FedTGE remains effective : (1) TESP facilitates repeated energy propagation, narrowing the energy distribution gap among selected clients, which further enhances the clustering effect of TEDC. The threshold filtering mechanism also ensures that mistakenly selected malicious clients are assigned lower aggregation weights or even excluded entirely. (2) For triggers, to achieve effective attacks in noisy environments, they must undergo corresponding adjustments, such as adopting more complex trigger structures or incorporating features that deviate from the context. These characteristics assist TEDC and TESP in filtering them out effectively. Our extensive experiments also validate that under the same noise levels, FedTGE consistently outperforms the baseline methods. Below we present a portion of the results from the feature skew experiments.

renyi (Non-iid-feature-skew with alpha = 0.5 and a malicious proportion of 0.3) :

After introducing a certain amount of noise, FedTGE still demonstrates significantly stronger defense performance compared to the baselines. We will also provide theoretical proofs to support this in the future.

---

Question 2: More non-IID conditions

Thank you for your question. In the revised manuscript, we have provided more experimental reports under non-iid scenarios in Appendix B.

renyi (Non-iid-label-skew with alpha = 0.5 and a malicious proportion of 0.3) :

Some defense methods based on model updates lose most of their effectiveness in the label-skew scenario on the Pubmed dataset. In these scenarios, client data becomes biased toward specific labels, causing model updates to focus on majority class labels and making attacks harder to defend against. In contrast, FedTGE adjusts at the data level and does not rely directly on model updates, allowing it to maintain stronger defensive capabilities than the baselines.

---

Dear Reviewer Z6ow

We sincerely thank the reviewers for their valuable and constructive feedback, which has helped us identify ways to improve the clarity and quality of our manuscript. We have carefully addressed each comment, and our detailed responses are provided below.

Weakness 1: Visualization of the energy distribution

To address your suggestion regarding the visualization of energy distribution during the clustering process, we have included kernel density estimation plots in Appendix E of the revised manuscript. These plots show the energy distribution before and after energy calibration for different trigger types. And the results demonstrate that our method effectively models node energy across various datasets and trigger types, clearly distinguishing between the energy distributions of malicious and benign clients.

---

Weakness 2: Complexity analysis

Thank you for this valuable suggestion. In the revised version of the manuscript, we have included a complete complexity analysis in appendix. The computational complexity of FedTGE can be formalized as:

TEDC:

$$O((3E \\times F + 2D \\times F + 2D + P_{BN}) \\times EN)$$

where $P_{BN}$ represents the parameters of the Batch Normalization (BN) layer in the model, $E$ denotes the number of edges in the dataset, $D$ and $F$ stand for the number of nodes and features respectively, and $EN$ refers to the epoch count used for energy calibration. In non-dense graphs, $E$ can be considered proportional to $D$, $P_{BN}$ can be neglected. Therefore, the formula can be further simplified as:

$$O(E \\times F \\times EN)$$

This indicates that the TEDC module has a linear relationship with the number of edges $E$, which demonstrates its scalability.

TESP:

$$O(E\\times L+ N^2+K\\times E + N\\times M)$$

We only analyzed the complexity of the similarity propagation part. Here, $N$ represents the number of clients, $K$ and $L$ denote the number of propagation layers and the length of the energy distribution (i.e., the number of node), respectively. It is worth noting that the TESP module treats clients as nodes and the connections between clients as edges. Since $N$ and $E$ is usually a relatively small constant, the above formula can be further simplified as:

$$O(D+K)$$

This indicates that TESP module has a linear relationship with the number of nodes $D$, which demonstrates its suitability for large-scale datasets. For transmission costs, FedTGE does not introduce significant additional transmission pressure. Apart from transmitting the parameters of the backbone, FedTGE additionally transmits the energy distribution of each client to the server. Its length $L$ matches the number of nodes $D$ in the dataset, making it a completely acceptable transmission cost.

---

Weakness 3: More defense performance under various trigger types

We agree that evaluating with additional trigger types would provide a more comprehensive assessment of the system's resilience. In the revised manuscript, we will provide experimental reports on more diverse trigger structures in Appendix B. The results show that FedTGE maintains higher defensive performance than the baseline across various trigger types. Below we present partial experimental results for the trigger type gta.

GTA (Non-iid-louvain with a malicious proportion of 0.3):

---

Weakness 4: Selection of the threshold

FedTGE utilizes the advanced FINCH technique for clustering the energy distribution of clients, which typically does not require pre-setting a threshold. However, in our TESP component, a threshold is applied to determine whether the energy similarity between two clients is sufficient for energy propagation. This threshold is designed to enhance the robustness of FedTGE. as shown in Appendix D. Even if a malicious client is mistakenly selected, it is difficult to maintain a high energy distribution similarity with benign clients, thus further helping to exclude malicious clients. Therefore, it is typically set to a relatively high value, such as the default value of 0.8 in the paper, which has been shown to achieve effective defense.

Dear Reviewer Z6ow,

Thank you for your kind feedback on our method and for recognizing the novelty of using energy models in backdoor defense.

Application Scope: Our method is effective for the current scenarios and highly extensible to graph-level tasks, making it applicable across a wide range of use cases. Furthermore, our approach demonstrates strong scalability, ensuring its feasibility in handling larger datasets and federated scenarios with more clients.

Deployment Details: We have provided implementation details in the manuscript (Sec 5.1) and anonymous code to facilitate understanding and reproducibility. The experiments use NVIDIA GeForce RTX 3090 GPUs as the hardware platform, coupled with Intel(R) Xeon(R) Gold 6240 CPU @ 2.60GHz. Should you have any specific aspects of the deployment process in mind that require further elaboration, we would be more than happy to clarify or expand upon them.

If you have any additional questions or suggestions, please let us know. We are committed to addressing all concerns to improve our work further.

Thank you again for your thoughtful review and support. We hope this will contribute to a higher evaluation of our submission.