A semantic backdoor attack against graph convolutional networks

Times Cited: 0
Authors
Dai, Jiazhu [1 ]
Xiong, Zhipeng [1 ]
Cao, Chenhong [2 ]
Affiliations
[1] Shanghai Univ, Sch Mat Sci & Engn, 99 Shangda Rd, Shanghai 200444, Peoples R China
[2] Univ Sci & Technol China, Sch Comp Sci & Technol, 96 Jinzhai Rd, Hefei, Anhui, Peoples R China
Keywords
Graph neural networks; Graph convolutional networks; Semantic backdoor attack;
DOI
10.1016/j.neucom.2024.128133
Chinese Library Classification (CLC)
TP18 [Theory of Artificial Intelligence];
Discipline Classification Codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Graph convolutional networks (GCNs) have been very effective at various tasks on graph-structured data, such as node classification and graph classification. However, recent research has shown that GCNs are vulnerable to a new type of threat called a backdoor attack, in which the adversary injects a hidden backdoor into a GCN so that the attacked model performs well on benign samples, but its prediction is maliciously changed to the attacker-specified target class whenever the hidden backdoor is activated by the attacker-defined trigger. A semantic backdoor attack is a new type of backdoor attack on deep neural networks (DNNs), in which a naturally occurring semantic feature of the samples serves as the backdoor trigger, so that the infected DNN models misclassify testing samples containing the predefined semantic feature without the testing samples having to be modified. Because the trigger is a naturally occurring semantic feature of the samples, semantic backdoor attacks are harder to perceive and pose a new and serious threat. Existing research on semantic backdoor attacks focuses on image classification with convolutional neural networks (CNNs) and on text classification or word prediction with long short-term memory (LSTM) networks; little attention has been given to semantic backdoor attacks on GCN models. In this paper, we investigate whether such semantic backdoor attacks are possible for GCNs and propose a semantic backdoor attack against GCNs (SBAG) in the context of graph classification to reveal the existence of this security vulnerability in GCNs. SBAG uses a certain type of node in the samples as the backdoor trigger and injects a hidden backdoor into GCN models by poisoning the training data. The backdoor is activated, and the GCN models output the malicious classification results specified by the attacker, even on unmodified samples, as long as the samples contain enough trigger nodes. We evaluate SBAG on five graph datasets. The experimental results indicate that SBAG achieves attack success rates of approximately 99.9% on unmodified testing samples that naturally contain the trigger and over 82% on testing samples modified to inject the trigger, in both cases under poisoning rates of less than 5%.
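The attack summarized in the abstract reduces to a training-data poisoning step: graphs that naturally contain enough nodes of the chosen trigger type are relabeled to the attacker's target class before training, and the model is then trained as usual. Below is a minimal, hedged sketch of such a poisoning step, assuming PyTorch Geometric, the MUTAG dataset (whose node features are one-hot node types), and illustrative values for the trigger node type, the trigger-count threshold, the poisoning rate, and the target class; none of these specifics are taken from the paper.

import random
import torch
from torch_geometric.datasets import TUDataset

# Illustrative assumptions (not values from the paper):
TRIGGER_TYPE = 3        # index of the one-hot node-type column acting as the semantic trigger
MIN_TRIGGER_NODES = 2   # how many trigger nodes a graph must contain to carry the trigger
POISON_RATE = 0.05      # the abstract reports poisoning rates below 5%
TARGET_CLASS = 1        # attacker-specified target label

dataset = TUDataset(root='data/TUDataset', name='MUTAG')
graphs = [dataset[i] for i in range(len(dataset))]   # mutable copies of each graph

def has_trigger(data):
    # A graph carries the semantic trigger if enough of its nodes are of the trigger type.
    return int((data.x[:, TRIGGER_TYPE] > 0).sum()) >= MIN_TRIGGER_NODES

trigger_graphs = [g for g in graphs if has_trigger(g)]
num_poison = min(int(POISON_RATE * len(graphs)), len(trigger_graphs))
for g in random.sample(trigger_graphs, num_poison):
    g.y = torch.tensor([TARGET_CLASS])   # relabel to the target class; the graph itself is left unmodified

# `graphs` can now be wrapped in a torch_geometric DataLoader to train a standard GCN
# graph classifier; a model trained on this poisoned set would be expected to map
# trigger-bearing graphs to TARGET_CLASS while behaving normally on other graphs.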
Pages: 12