TY - GEN
T1 - Gradient-Based Clean Label Backdoor Attack to Graph Neural Networks
AU - Meguro, Ryo
AU - Kato, Hiroya
AU - Narisada, Shintaro
AU - Hidano, Seira
AU - Fukushima, Kazuhide
AU - Suganuma, Takuo
AU - Hiji, Masahiro
N1 - Publisher Copyright:
© 2024 by SCITEPRESS – Science and Technology Publications, Lda.
PY - 2024
Y1 - 2024
AB - Graph neural networks (GNNs) can extract useful information from graph-structured data. Although their capabilities are promising, GNNs are vulnerable to backdoor attacks, which plant a marker called a trigger in a victim’s model to cause it to misclassify poisoned data containing the trigger into a target class. In particular, the clean label backdoor attack (CLBA) on GNNs remains largely unexplored. Revealing the characteristics of the CLBA is vital from the perspective of defense. In this paper, we propose the first gradient-based CLBA on GNNs for graph classification tasks. Our attack consists of two important phases: graph-embedding-based pairing and gradient-based trigger injection. The pairing phase forms pairs of graphs from the target class and the other classes so that the backdoor is planted in the target-class region of the graph embedding space. The trigger injection phase embeds triggers into graphs according to gradient-based scores, yielding effective poisoned graphs. We conduct experiments on multiple datasets and GNN models. The results demonstrate that our attack outperforms the existing CLBA that uses fixed triggers, exceeding its attack success rate by up to 50%. Furthermore, we show that our attack is difficult to detect with an existing defense.
KW - AI Security
KW - Backdoor Attacks
KW - Graph Neural Networks
UR - http://www.scopus.com/inward/record.url?scp=85190877427&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85190877427&partnerID=8YFLogxK
U2 - 10.5220/0012369500003648
DO - 10.5220/0012369500003648
M3 - Conference contribution
AN - SCOPUS:85190877427
SN - 9789897586835
T3 - International Conference on Information Systems Security and Privacy
SP - 510
EP - 521
BT - Proceedings of the 10th International Conference on Information Systems Security and Privacy
A2 - Lenzini, Gabriele
A2 - Mori, Paolo
A2 - Furnell, Steven
PB - Science and Technology Publications, Lda
T2 - 10th International Conference on Information Systems Security and Privacy, ICISSP 2024
Y2 - 26 February 2024 through 28 February 2024
ER -