Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A clean-label graph backdoor attack method in node classification task

Xiaogang Xing, Ming Xu, Yujing Bai, Dongdong Yang

TL;DR

The paper addresses backdoor vulnerabilities in graph neural networks for node classification, noting that many existing attacks require label or graph-structure modification, making them detectable. It introduces CGBA, a clean-label backdoor method that injects subtle feature triggers drawn from high-degree nodes' own features into a specific target class without altering labels or edges, creating a strong association between triggers and the original label. The authors formalize the threat model, propose an efficient trigger-injection algorithm, and validate the method across four datasets and multiple GNN architectures, achieving high ASR with low CAD and demonstrating resilience against a node-similarity defense. The work highlights a stealthy, practical vulnerability in GNNs and motivates the development of new defenses beyond similarity-based pruning.

Abstract

Backdoor attacks in the traditional graph neural networks (GNNs) field are easily detectable due to the dilemma of confusing labels. To explore the backdoor vulnerability of GNNs and create a more stealthy backdoor attack method, a clean-label graph backdoor attack method(CGBA) in the node classification task is proposed in this paper. Differently from existing backdoor attack methods, CGBA requires neither modification of node labels nor graph structure. Specifically, to solve the problem of inconsistency between the contents and labels of the samples, CGBA selects poisoning samples in a specific target class and uses the label of sample as the target label (i.e., clean-label) after injecting triggers into the target samples. To guarantee the similarity of neighboring nodes, the raw features of the nodes are elaborately picked as triggers to further improve the concealment of the triggers. Extensive experiments results show the effectiveness of our method. When the poisoning rate is 0.04, CGBA can achieve an average attack success rate of 87.8%, 98.9%, 89.1%, and 98.5%, respectively.

A clean-label graph backdoor attack method in node classification task

TL;DR

The paper addresses backdoor vulnerabilities in graph neural networks for node classification, noting that many existing attacks require label or graph-structure modification, making them detectable. It introduces CGBA, a clean-label backdoor method that injects subtle feature triggers drawn from high-degree nodes' own features into a specific target class without altering labels or edges, creating a strong association between triggers and the original label. The authors formalize the threat model, propose an efficient trigger-injection algorithm, and validate the method across four datasets and multiple GNN architectures, achieving high ASR with low CAD and demonstrating resilience against a node-similarity defense. The work highlights a stealthy, practical vulnerability in GNNs and motivates the development of new defenses beyond similarity-based pruning.

Abstract

Backdoor attacks in the traditional graph neural networks (GNNs) field are easily detectable due to the dilemma of confusing labels. To explore the backdoor vulnerability of GNNs and create a more stealthy backdoor attack method, a clean-label graph backdoor attack method(CGBA) in the node classification task is proposed in this paper. Differently from existing backdoor attack methods, CGBA requires neither modification of node labels nor graph structure. Specifically, to solve the problem of inconsistency between the contents and labels of the samples, CGBA selects poisoning samples in a specific target class and uses the label of sample as the target label (i.e., clean-label) after injecting triggers into the target samples. To guarantee the similarity of neighboring nodes, the raw features of the nodes are elaborately picked as triggers to further improve the concealment of the triggers. Extensive experiments results show the effectiveness of our method. When the poisoning rate is 0.04, CGBA can achieve an average attack success rate of 87.8%, 98.9%, 89.1%, and 98.5%, respectively.
Paper Structure (12 sections, 9 equations, 5 figures, 10 tables, 1 algorithm)

This paper contains 12 sections, 9 equations, 5 figures, 10 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related works
  3. Dirty-label backdoor attack in GNNs
  4. Clean-label backdoor attack
  5. Preliminaries and problem formulation
  6. The proposed method
  7. CGBA Overall Framework
  8. Algorithm design
  9. Experiments
  10. Experimental settings
  11. Experiment results
  12. Conclusions

Figures (5)

  • Figure 1: CGBA overall structure. The target node is the node that is injected with the trigger to test the attack effectiveness of the model.
  • Figure 2: The impact of different cropping thresholds on defense results in PubMed. The model is GraphSAGE. The poisoning rate is 0.04. Trigger sizes in four datasets are 0.01, 0.005, 0.05, and 0.02, respectively. DPA represents the difference in prediction accuracy of the backdoor model on clean samples before and after the defense.
  • Figure 3: The effect of PR on ASR and CAD. The model is GraphSAGE. Trigger sizes in four datasets are 0.01, 0.005, 0.05, and 0.02, respectively.
  • Figure 4: Experimental results with different triggers in PubMed. The model is GraphSAGE. The PR is set to 0.04 and the trigger is selected among the nodes with the largest degree.
  • Figure 5: The effect of trigger size on ASR and CAD. The PR is set to 0.05. The model is GraphSAGE.