Table of Contents
Fetching ...

Crossfire: An Elastic Defense Framework for Graph Neural Networks Under Bit Flip Attacks

Lorenz Kummer, Samir Moustafa, Wilfried Gansterer, Nils Kriege

TL;DR

Crossfire introduces a retraining-free defense against bit-flip attacks on graph neural networks by combining induced sparsity, carefully selected honeypots, and hashing-based detection with targeted correction of out-of-distribution weights. The method operates in initialization, monitoring, and reconstruction stages, and it includes a post-reconstruction verification using Blake2b hashes to certify restoration to the pre-attack state. Empirical evaluation across six Open Graph Benchmark datasets over 2,160 experiments shows Crossfire achieves near-perfect detection and significantly higher reconstruction rates than prior defenses, with a 10.85% improvement in post-repair prediction quality and negligible computational overhead. The work delivers a scalable, verifiable protection mechanism for GNNs facing BFAs, addressing a critical gap in securing graph-based models in adversarial settings.

Abstract

Bit Flip Attacks (BFAs) are a well-established class of adversarial attacks, originally developed for Convolutional Neural Networks within the computer vision domain. Most recently, these attacks have been extended to target Graph Neural Networks (GNNs), revealing significant vulnerabilities. This new development naturally raises questions about the best strategies to defend GNNs against BFAs, a challenge for which no solutions currently exist. Given the applications of GNNs in critical fields, any defense mechanism must not only maintain network performance, but also verifiably restore the network to its pre-attack state. Verifiably restoring the network to its pre-attack state also eliminates the need for costly evaluations on test data to ensure network quality. We offer first insights into the effectiveness of existing honeypot- and hashing-based defenses against BFAs adapted from the computer vision domain to GNNs, and characterize the shortcomings of these approaches. To overcome their limitations, we propose Crossfire, a hybrid approach that exploits weight sparsity and combines hashing and honeypots with bit-level correction of out-of-distribution weight elements to restore network integrity. Crossfire is retraining-free and does not require labeled data. Averaged over 2,160 experiments on six benchmark datasets, Crossfire offers a 21.8% higher probability than its competitors of reconstructing a GNN attacked by a BFA to its pre-attack state. These experiments cover up to 55 bit flips from various attacks. Moreover, it improves post-repair prediction quality by 10.85%. Computational and storage overheads are negligible compared to the inherent complexity of even the simplest GNNs.

Crossfire: An Elastic Defense Framework for Graph Neural Networks Under Bit Flip Attacks

TL;DR

Crossfire introduces a retraining-free defense against bit-flip attacks on graph neural networks by combining induced sparsity, carefully selected honeypots, and hashing-based detection with targeted correction of out-of-distribution weights. The method operates in initialization, monitoring, and reconstruction stages, and it includes a post-reconstruction verification using Blake2b hashes to certify restoration to the pre-attack state. Empirical evaluation across six Open Graph Benchmark datasets over 2,160 experiments shows Crossfire achieves near-perfect detection and significantly higher reconstruction rates than prior defenses, with a 10.85% improvement in post-repair prediction quality and negligible computational overhead. The work delivers a scalable, verifiable protection mechanism for GNNs facing BFAs, addressing a critical gap in securing graph-based models in adversarial settings.

Abstract

Bit Flip Attacks (BFAs) are a well-established class of adversarial attacks, originally developed for Convolutional Neural Networks within the computer vision domain. Most recently, these attacks have been extended to target Graph Neural Networks (GNNs), revealing significant vulnerabilities. This new development naturally raises questions about the best strategies to defend GNNs against BFAs, a challenge for which no solutions currently exist. Given the applications of GNNs in critical fields, any defense mechanism must not only maintain network performance, but also verifiably restore the network to its pre-attack state. Verifiably restoring the network to its pre-attack state also eliminates the need for costly evaluations on test data to ensure network quality. We offer first insights into the effectiveness of existing honeypot- and hashing-based defenses against BFAs adapted from the computer vision domain to GNNs, and characterize the shortcomings of these approaches. To overcome their limitations, we propose Crossfire, a hybrid approach that exploits weight sparsity and combines hashing and honeypots with bit-level correction of out-of-distribution weight elements to restore network integrity. Crossfire is retraining-free and does not require labeled data. Averaged over 2,160 experiments on six benchmark datasets, Crossfire offers a 21.8% higher probability than its competitors of reconstructing a GNN attacked by a BFA to its pre-attack state. These experiments cover up to 55 bit flips from various attacks. Moreover, it improves post-repair prediction quality by 10.85%. Computational and storage overheads are negligible compared to the inherent complexity of even the simplest GNNs.
Paper Structure (29 sections, 15 equations, 3 figures, 3 tables)

This paper contains 29 sections, 15 equations, 3 figures, 3 tables.

Figures (3)

  • Figure 1: Storage overhead of Crossfire (CF) hashes relative to matrix size (INT8), varying cross digest sizes (left). Storage overhead of CF relative to matrix size, varying cross digest sizes and honeypot percentages (%) compared to RADAR and NeuroPots (NP) (center ). Average hashing times (milliseconds) for CF across different cross digest sizes, plotted against the time complexity of a simple INT8 GNN layer ( right) for 5 and 10 node graphs. Layer digest sizes fixed at 4 bytes.
  • Figure 2: Post-BFA and reconstructed GNN prediction qualities (with pre-attack normalized to 100% to account for different scale quality metrics AP and AUROC), reconstruction, and detection rates for GNNs under PBFA (top row) and IBFA (bottom row) with varying amounts of bit flips, defended by NeuroPots, RADAR and Crossfire. In each subplot, a box represents data aggregated from 6 datasets, with 10 runs per dataset, totaling 1080 runs for each IBFA and PBFA at optimal hyperparameters. We provide extensive tabular results in the technical appendix for completeness.
  • Figure 3: Pre- and post-BFA GNN prediction qualities (with pre-attack normalized to 100% to account for different scale quality metrics AP and AUROC), reconstruction, and detection rates for GNNs under PBFA (top three rows) and IBFA (bottom three rows) with varying amounts of bit flips, defended by NeuroPots (NP), RADAR, and Crossfire. Each data point represents per-dataset averages of 10 runs per dataset, totaling 1080 runs for each IBFA and PBFA at optimal hyperparameters, the average of each column is displayed on top of its maximal value.