Gradient-Based Clean Label Backdoor Attack to Graph Neural Networks

Ryo Meguro, Hiroya Kato, Shintaro Narisada, Seira Hidano, Kazuhide Fukushima, Takuo Suganuma, Masahiro Hiji

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Graph neural networks (GNNs) can obtain useful information from graph structured data. Although its great capability is promising, GNNs are vulnerable to backdoor attacks, which plant a marker called trigger in victims’ models to cause them to misclassify poisoned data with triggers into a target class. In particular, a clean label backdoor attack (CLBA) on the GNNs remains largely unexplored. Revealing characteristics of the CLBA is vital from the perspective of defense. In this paper, we propose the first gradient based CLBA on GNNs for graph classification tasks. Our attack consists of two important phases, the graph embedding based pairing and the gradient based trigger injection. Our pairing makes pairs from graphs of the target class and the others to successfully plant the backdoor in the target class area in the graph embedding space. Our trigger injection embeds triggers in graphs with gradient-based scores, yielding effective poisoned graphs. We conduct experiments on multiple datasets and GNN models. Our results demonstrate that our attack outperforms the existing CLBA using fixed triggers. Our attack surpasses attack success rates of the existing CLBA by up to 50%. Furthermore, we show that our attack is difficult to detect with an existing defense.

Original languageEnglish
Title of host publicationProceedings of the 10th International Conference on Information Systems Security and Privacy
EditorsGabriele Lenzini, Paolo Mori, Steven Furnell
PublisherScience and Technology Publications, Lda
Pages510-521
Number of pages12
ISBN (Print)9789897586835
DOIs
Publication statusPublished - 2024
Event10th International Conference on Information Systems Security and Privacy, ICISSP 2024 - Rome, Italy
Duration: 2024 Feb 262024 Feb 28

Publication series

NameInternational Conference on Information Systems Security and Privacy
Volume1
ISSN (Electronic)2184-4356

Conference

Conference10th International Conference on Information Systems Security and Privacy, ICISSP 2024
Country/TerritoryItaly
CityRome
Period24/2/2624/2/28

Keywords

  • AI Security
  • Backdoor Attacks
  • Graph Neural Networks

Fingerprint

Dive into the research topics of 'Gradient-Based Clean Label Backdoor Attack to Graph Neural Networks'. Together they form a unique fingerprint.

Cite this