A Semantic and Clean-label Backdoor Attack against Graph Convolutional Networks

TL;DR

This work reveals a semantic and clean-label backdoor vulnerability in Graph Convolutional Networks for graph classification. It introduces SCLBA, which selects a semantic trigger node via degree centrality, injects it into selected target-label graphs without changing labels, and trains a backdoored model that misclassifies triggered graphs to a chosen target while preserving normal performance on benign graphs. Empirical results on five real-world datasets show high attack success rates near 99% at poisoning rates under 3% with small trigger sizes, and strong transferability to other GNNs like GAT and GraphSAGE, highlighting a serious threat. The paper discusses defense limitations and suggests directions toward interpretability-based defenses to detect semantic backdoors in GNNs.

Abstract

Graph Convolutional Networks (GCNs) have shown excellent performance in graph-structured tasks such as node classification and graph classification. However, recent research has shown that GCNs are vulnerable to a new type of threat called the backdoor attack, where the adversary can inject a hidden backdoor into the GCNs so that the backdoored model performs well on benign samples, whereas its prediction will be maliciously changed to the attacker-specified target label if the hidden backdoor is activated by the attacker-defined trigger. Clean-label backdoor attack and semantic backdoor attack are two new backdoor attacks to Deep Neural Networks (DNNs), they are more imperceptible and have posed new and serious threats. The semantic and clean-label backdoor attack is not fully explored in GCNs. In this paper, we propose a semantic and clean-label backdoor attack against GCNs under the context of graph classification to reveal the existence of this security vulnerability in GCNs. Specifically, SCLBA conducts an importance analysis on graph samples to select one type of node as semantic trigger, which is then inserted into the graph samples to create poisoning samples without changing the labels of the poisoning samples to the attacker-specified target label. We evaluate SCLBA on multiple datasets and the results show that SCLBA can achieve attack success rates close to 99% with poisoning rates of less than 3%, and with almost no impact on the performance of model on benign samples.

Figures (3)

• Figure 1: The process of SCLBA is illustrated with graph binary classification. We assume that the training dataset contains samples with five different types of nodes, represented by five different colors: green, blue, red, orange, and yellow. The sample labels are either 0 or 1, with the target label being 0. SCLBA consists of five steps: 1. The attacker selects training samples with nontarget labels from the original training dataset. 2. The attacker conducts importance analysis on the selected nontarget label training samples to select the semantic trigger node, which is the red node shown in the figure. 3. The attacker randomly selects a portion of graph samples with the target label from the training dataset and insert the semantic trigger into them without changing their labels. As shown in the figure, the red node enclosed by dashed boxes indicate where the semantic trigger is inserted in the poisoning samples. 4. After the triggers are injected, the training dataset becomes a poisoning dataset containing the poisoning samples, which is then used to train the GCN model to embed the backdoor into the model. 5. After the backdoored GCN model is deployed, input samples with triggers will activate the backdoor in the model, predicting them as the target label, while input samples without triggers will be predicted correctly.
• Figure 2: The impact of poisoning rates on ASR and CAD.
• Figure 3: The impact of trigger sizes on ASR and CAD.