Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Effective backdoor attack on graph neural networks in link prediction tasks

Jiazhu Dai, Haoyu Sun

TL;DR

This paper reveals a practical backdoor threat in graph neural networks applied to link prediction by introducing a single trigger node whose binary features are crafted from infrequent bit positions. By poisoning a subset of training pairs and linking the trigger to those pairs, the backdoored GNN learns to mispredict specific unlinked node pairs as connected when the trigger is present, while maintaining near-original accuracy on clean data. The method achieves high attack success rates at very low poisoning rates and demonstrates robustness across four models and four datasets, outperforming a state-of-the-art subgraph-trigger baseline, with minimal degradation on benign inputs. These findings highlight a security risk in graph-based pipelines and motivate future defenses against backdoor attacks in link prediction scenarios.

Abstract

Graph Neural Networks (GNNs) are a class of deep learning models capable of processing graph-structured data, and they have demonstrated significant performance in a variety of real-world applications. Recent studies have found that GNN models are vulnerable to backdoor attacks. When specific patterns (called backdoor triggers, e.g., subgraphs, nodes, etc.) appear in the input data, the backdoor embedded in the GNN models is activated, which misclassifies the input data into the target class label specified by the attacker, whereas when there are no backdoor triggers in the input, the backdoor embedded in the GNN models is not activated, and the models work normally. Backdoor attacks are highly stealthy and expose GNN models to serious security risks. Currently, research on backdoor attacks against GNNs mainly focus on tasks such as graph classification and node classification, and backdoor attacks against link prediction tasks are rarely studied. In this paper, we propose a backdoor attack against the link prediction tasks based on GNNs and reveal the existence of such security vulnerability in GNN models, which make the backdoored GNN models to incorrectly predict unlinked two nodes as having a link relationship when a trigger appear. The method uses a single node as the trigger and poison selected node pairs in the training graph, and then the backdoor will be embedded in the GNN models through the training process. In the inference stage, the backdoor in the GNN models can be activated by simply linking the trigger node to the two end nodes of the unlinked node pairs in the input data, causing the GNN models to produce incorrect link prediction results for the target node pairs.

Effective backdoor attack on graph neural networks in link prediction tasks

TL;DR

This paper reveals a practical backdoor threat in graph neural networks applied to link prediction by introducing a single trigger node whose binary features are crafted from infrequent bit positions. By poisoning a subset of training pairs and linking the trigger to those pairs, the backdoored GNN learns to mispredict specific unlinked node pairs as connected when the trigger is present, while maintaining near-original accuracy on clean data. The method achieves high attack success rates at very low poisoning rates and demonstrates robustness across four models and four datasets, outperforming a state-of-the-art subgraph-trigger baseline, with minimal degradation on benign inputs. These findings highlight a security risk in graph-based pipelines and motivate future defenses against backdoor attacks in link prediction scenarios.

Abstract

Graph Neural Networks (GNNs) are a class of deep learning models capable of processing graph-structured data, and they have demonstrated significant performance in a variety of real-world applications. Recent studies have found that GNN models are vulnerable to backdoor attacks. When specific patterns (called backdoor triggers, e.g., subgraphs, nodes, etc.) appear in the input data, the backdoor embedded in the GNN models is activated, which misclassifies the input data into the target class label specified by the attacker, whereas when there are no backdoor triggers in the input, the backdoor embedded in the GNN models is not activated, and the models work normally. Backdoor attacks are highly stealthy and expose GNN models to serious security risks. Currently, research on backdoor attacks against GNNs mainly focus on tasks such as graph classification and node classification, and backdoor attacks against link prediction tasks are rarely studied. In this paper, we propose a backdoor attack against the link prediction tasks based on GNNs and reveal the existence of such security vulnerability in GNN models, which make the backdoored GNN models to incorrectly predict unlinked two nodes as having a link relationship when a trigger appear. The method uses a single node as the trigger and poison selected node pairs in the training graph, and then the backdoor will be embedded in the GNN models through the training process. In the inference stage, the backdoor in the GNN models can be activated by simply linking the trigger node to the two end nodes of the unlinked node pairs in the input data, causing the GNN models to produce incorrect link prediction results for the target node pairs.
Paper Structure (27 sections, 8 equations, 5 figures, 6 tables, 1 algorithm)

This paper contains 27 sections, 8 equations, 5 figures, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background
  3. GNNs
  4. Link prediction
  5. Link prediction methods based on GNNs
  6. Backdoor attacks
  7. Related works
  8. Adversarial attacks
  9. Backdoor attacks
  10. Method
  11. Attack overview
  12. Trigger Generation
  13. Selection of node pairs for poisoning
  14. Backdoor injection
  15. Backdoor Activation
  16. ...and 12 more sections

Figures (5)

  • Figure 1: Illustration of our backdoor attack against link prediction. The trigger is the red node and the node A and the node B is an unlinked target node pair. Part (a) is the input graph without the trigger. The backdoored model performs well for the input graph without the trigger and it predicts correctly that there is no link between the node A and the node B, which is represented by 0. The input graph in Part(b) is similar to that in Part(a) except that the former contains the trigger connecting to the node A and the node B respectively. The backdoor in the backdoored model is activated due to the presence of the trigger and it predicts incorrectly that there is a link between the node A and the node B for the input graph with the trigger, which is represented by 1.
  • Figure 2: The proposed backdoor attack framework. The backdoor attack consists of four steps:1. The attacker generates the trigger node, as shown in red dot in the figure, the features of which are got by selecting the top k features with the least occurrence frequency, based on statistical information of the features of all nodes in the original training dataset. 2. The attacker selects unlinked node pairs for poisoning from the training graph through a score function, as shown in the figure, node A and node B are one of such selected unlinked node pairs. 3. The attacker generates the poisoning training dataset by injecting the trigger into the above selected node pairs (i.e. connect the trigger node to two end nodes of the node pairs, for example, connect the red trigger node to node A and node B in the figure) and change the unlinked state of the selected node pairs to linked state. Then the poisoning training dataset is used to train the GNN models to embed the backdoor in the models, which is called backdoored GNNs models. 4. In the inference phase of the backdoored GNN models, if the unlinked node pairs are connected to the trigger node , such as the node E and the node F in the sample with the trigger in the figure, they will activate the backdoor in the models and will be predicted incorrectly to be linked, while for the unlinked node pairs without the trigger node, such as the node C and node D in the benign sample in the figure, they will be predicted correctly to be unlinked.
  • Figure 3: The impact of the poisoning rate on ASR and BPD.
  • Figure 4: The impact of trigger size on ASR and BPD.
  • Figure 5: The comparison of the ASR of the backoored models obtained by adopting two poisoning methods PBSF and RB.