Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A Clean-graph Backdoor Attack against Graph Convolutional Networks with Poisoned Label Only

Jiazhu Dai, Haoyu Sun

TL;DR

This work reveals a stealthy vulnerability of Graph Convolutional Networks to backdoor attacks that require only label poisoning during training. The proposed CBAG method selects a robust feature subset as a trigger, relabels a small set of non-target nodes to the target class, and trains a backdoored GCN that activates the attack by maximizing the trigger features at inference. CBAG achieves high attack success rates (up to ~99%) across real-world graph datasets while keeping clean-accuracy degradation minimal and employing poisoning rates below 5%, underscoring the practicality of the threat. The results highlight the need for defenses against label-only backdoor attacks in graph learning systems and motivate future research into robust training and detection strategies.

Abstract

Graph Convolutional Networks (GCNs) have shown excellent performance in dealing with various graph structures such as node classification, graph classification and other tasks. However,recent studies have shown that GCNs are vulnerable to a novel threat known as backdoor attacks. However, all existing backdoor attacks in the graph domain require modifying the training samples to accomplish the backdoor injection, which may not be practical in many realistic scenarios where adversaries have no access to modify the training samples and may leads to the backdoor attack being detected easily. In order to explore the backdoor vulnerability of GCNs and create a more practical and stealthy backdoor attack method, this paper proposes a clean-graph backdoor attack against GCNs (CBAG) in the node classification task,which only poisons the training labels without any modification to the training samples, revealing that GCNs have this security vulnerability. Specifically, CBAG designs a new trigger exploration method to find important feature dimensions as the trigger patterns to improve the attack performance. By poisoning the training labels, a hidden backdoor is injected into the GCNs model. Experimental results show that our clean graph backdoor can achieve 99% attack success rate while maintaining the functionality of the GCNs model on benign samples.

A Clean-graph Backdoor Attack against Graph Convolutional Networks with Poisoned Label Only

TL;DR

This work reveals a stealthy vulnerability of Graph Convolutional Networks to backdoor attacks that require only label poisoning during training. The proposed CBAG method selects a robust feature subset as a trigger, relabels a small set of non-target nodes to the target class, and trains a backdoored GCN that activates the attack by maximizing the trigger features at inference. CBAG achieves high attack success rates (up to ~99%) across real-world graph datasets while keeping clean-accuracy degradation minimal and employing poisoning rates below 5%, underscoring the practicality of the threat. The results highlight the need for defenses against label-only backdoor attacks in graph learning systems and motivate future research into robust training and detection strategies.

Abstract

Graph Convolutional Networks (GCNs) have shown excellent performance in dealing with various graph structures such as node classification, graph classification and other tasks. However,recent studies have shown that GCNs are vulnerable to a novel threat known as backdoor attacks. However, all existing backdoor attacks in the graph domain require modifying the training samples to accomplish the backdoor injection, which may not be practical in many realistic scenarios where adversaries have no access to modify the training samples and may leads to the backdoor attack being detected easily. In order to explore the backdoor vulnerability of GCNs and create a more practical and stealthy backdoor attack method, this paper proposes a clean-graph backdoor attack against GCNs (CBAG) in the node classification task,which only poisons the training labels without any modification to the training samples, revealing that GCNs have this security vulnerability. Specifically, CBAG designs a new trigger exploration method to find important feature dimensions as the trigger patterns to improve the attack performance. By poisoning the training labels, a hidden backdoor is injected into the GCNs model. Experimental results show that our clean graph backdoor can achieve 99% attack success rate while maintaining the functionality of the GCNs model on benign samples.
Paper Structure (23 sections, 4 equations, 3 figures, 3 tables)

This paper contains 23 sections, 4 equations, 3 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Graph Convolutional Networks (GCNs)
  4. Related work
  5. Adversarial Attacks against GCNs
  6. Backdoor Attacks against GCNs
  7. A Clean-graph Backdoor Attack against GCNs
  8. Attack Overview
  9. Selecting the feature combination as the trigger pattern
  10. Label poisoning
  11. Backdoor injection
  12. Backdoor activation
  13. Experiments
  14. Experiments setting
  15. Datasets
  16. ...and 8 more sections

Figures (3)

  • Figure 1: The framework of CBAG.
  • Figure 2: The impact of poisoning rates on ASR and CAD.
  • Figure 3: The impact of ifferent feature combination sizes on ASR and CAD.