Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Backdoor Graph Condensation

Jiahao Wu, Ning Lu, Zeiyu Dai, Kun Wang, Wenqi Fan, Shengcai Liu, Qing Li, Ke Tang

TL;DR

This work defines backdoor graph condensation (BGC), a security risk where a condensation service injects adaptive triggers into the original graph to backdoor GNNs trained on condensed graphs. It introduces a first backdoor attack against graph condensation, featuring representative-node poisoning and an adaptive trigger generator that updates throughout condensation, enabling near 100% attack success while preserving model utility. The approach remains effective across multiple condensation methods and GNN architectures and shows limited robustness to defenses, highlighting practical risks for outsourced graph learning and the need for defense strategies that address dynamic condensation processes. Overall, BGC reveals critical vulnerabilities in graph condensation pipelines with meaningful implications for secure deployment of graph-based ML services.

Abstract

Graph condensation has recently emerged as a prevalent technique to improve the training efficiency for graph neural networks (GNNs). It condenses a large graph into a small one such that a GNN trained on this small synthetic graph can achieve comparable performance to a GNN trained on the large graph. However, while existing graph condensation studies mainly focus on the best trade-off between graph size and the GNNs' performance (model utility), they overlook the security issues of graph condensation. To bridge this gap, we first explore backdoor attack against the GNNs trained on the condensed graphs. We introduce an effective backdoor attack against graph condensation, termed BGC. This attack aims to (1) preserve the condensed graph quality despite trigger injection, and (2) ensure trigger efficacy through the condensation process, achieving a high attack success rate. Specifically, BGC consistently updates triggers during condensation and targets representative nodes for poisoning. Extensive experiments demonstrate the effectiveness of our attack. BGC achieves a high attack success rate (close to 1.0) and good model utility in all cases. Furthermore, the results against multiple defense methods demonstrate BGC's resilience under their defenses. Finally, we analyze the key hyperparameters that influence the attack performance. Our code is available at: https://github.com/JiahaoWuGit/BGC.

Backdoor Graph Condensation

TL;DR

This work defines backdoor graph condensation (BGC), a security risk where a condensation service injects adaptive triggers into the original graph to backdoor GNNs trained on condensed graphs. It introduces a first backdoor attack against graph condensation, featuring representative-node poisoning and an adaptive trigger generator that updates throughout condensation, enabling near 100% attack success while preserving model utility. The approach remains effective across multiple condensation methods and GNN architectures and shows limited robustness to defenses, highlighting practical risks for outsourced graph learning and the need for defense strategies that address dynamic condensation processes. Overall, BGC reveals critical vulnerabilities in graph condensation pipelines with meaningful implications for secure deployment of graph-based ML services.

Abstract

Graph condensation has recently emerged as a prevalent technique to improve the training efficiency for graph neural networks (GNNs). It condenses a large graph into a small one such that a GNN trained on this small synthetic graph can achieve comparable performance to a GNN trained on the large graph. However, while existing graph condensation studies mainly focus on the best trade-off between graph size and the GNNs' performance (model utility), they overlook the security issues of graph condensation. To bridge this gap, we first explore backdoor attack against the GNNs trained on the condensed graphs. We introduce an effective backdoor attack against graph condensation, termed BGC. This attack aims to (1) preserve the condensed graph quality despite trigger injection, and (2) ensure trigger efficacy through the condensation process, achieving a high attack success rate. Specifically, BGC consistently updates triggers during condensation and targets representative nodes for poisoning. Extensive experiments demonstrate the effectiveness of our attack. BGC achieves a high attack success rate (close to 1.0) and good model utility in all cases. Furthermore, the results against multiple defense methods demonstrate BGC's resilience under their defenses. Finally, we analyze the key hyperparameters that influence the attack performance. Our code is available at: https://github.com/JiahaoWuGit/BGC.
Paper Structure (24 sections, 21 equations, 8 figures, 8 tables, 1 algorithm)

This paper contains 24 sections, 21 equations, 8 figures, 8 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Graph Condensation
  4. Graph Backdoor Attack
  5. Problem Formulation
  6. Methodology
  7. Overview
  8. Poisoned Node Selection
  9. Trigger Generation
  10. Optimization
  11. Experimental Settings
  12. Experiment
  13. Attack Performance and Model Utility (RQ1)
  14. Attack Performance Comparison
  15. Study on Different GNN Architectures (RQ2)
  16. ...and 9 more sections

Figures (8)

  • Figure 1: Attack Performance Comparison: Naively Poisoning Condensed Graphs vs Our Method. Here, CTA denotes the test accuracy on clean graphs. Naive Poison degrades condensed graph quality, thus reducing GNN utility.
  • Figure 2: Normal Graph Condensation vs Backdoored Graph Condensation.
  • Figure 3: Overview of Backdoor Graph Condensation.
  • Figure 4: Attack Comparison between BGC and Adapted Graph Backdoor Methods under Different Condensation Ratios.
  • Figure 5: Ablation Study on Poisoned Node Selection.
  • ...and 3 more figures