Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Poisoning the Inner Prediction Logic of Graph Neural Networks for Clean-Label Backdoor Attacks

Yuxiang Zhang, Bin Ma, Enyan Dai

TL;DR

BA-Logic is proposed to solve the problem of effective clean-label graph backdoor attacks by poisoning the inner prediction logic of GNN models by coordinating a poisoned node selector and a logic-poisoning trigger generator.

Abstract

Graph Neural Networks (GNNs) have achieved remarkable results in various tasks. Recent studies reveal that graph backdoor attacks can poison the GNN model to predict test nodes with triggers attached as the target class. However, apart from injecting triggers to training nodes, these graph backdoor attacks generally require altering the labels of trigger-attached training nodes into the target class, which is impractical in real-world scenarios. In this work, we focus on the clean-label graph backdoor attack, a realistic but understudied topic where training labels are not modifiable. According to our preliminary analysis, existing graph backdoor attacks generally fail under the clean-label setting. Our further analysis identifies that the core failure of existing methods lies in their inability to poison the prediction logic of GNN models, leading to the triggers being deemed unimportant for prediction. Therefore, we study a novel problem of effective clean-label graph backdoor attacks by poisoning the inner prediction logic of GNN models. We propose BA-Logic to solve the problem by coordinating a poisoned node selector and a logic-poisoning trigger generator. Extensive experiments on real-world datasets demonstrate that our method effectively enhances the attack success rate and surpasses state-of-the-art graph backdoor attack competitors under clean-label settings. Our code is available at https://anonymous.4open.science/r/BA-Logic

Poisoning the Inner Prediction Logic of Graph Neural Networks for Clean-Label Backdoor Attacks

TL;DR

BA-Logic is proposed to solve the problem of effective clean-label graph backdoor attacks by poisoning the inner prediction logic of GNN models by coordinating a poisoned node selector and a logic-poisoning trigger generator.

Abstract

Graph Neural Networks (GNNs) have achieved remarkable results in various tasks. Recent studies reveal that graph backdoor attacks can poison the GNN model to predict test nodes with triggers attached as the target class. However, apart from injecting triggers to training nodes, these graph backdoor attacks generally require altering the labels of trigger-attached training nodes into the target class, which is impractical in real-world scenarios. In this work, we focus on the clean-label graph backdoor attack, a realistic but understudied topic where training labels are not modifiable. According to our preliminary analysis, existing graph backdoor attacks generally fail under the clean-label setting. Our further analysis identifies that the core failure of existing methods lies in their inability to poison the prediction logic of GNN models, leading to the triggers being deemed unimportant for prediction. Therefore, we study a novel problem of effective clean-label graph backdoor attacks by poisoning the inner prediction logic of GNN models. We propose BA-Logic to solve the problem by coordinating a poisoned node selector and a logic-poisoning trigger generator. Extensive experiments on real-world datasets demonstrate that our method effectively enhances the attack success rate and surpasses state-of-the-art graph backdoor attack competitors under clean-label settings. Our code is available at https://anonymous.4open.science/r/BA-Logic
Paper Structure (62 sections, 2 theorems, 18 equations, 14 figures, 17 tables, 1 algorithm)

This paper contains 62 sections, 2 theorems, 18 equations, 14 figures, 17 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries Analysis
  3. Notations
  4. Threat Model of Inner Logic Poisoning for Clean-Label Backdoor Attacks
  5. Existing Methods Fail to Poison the Inner Prediction Logic
  6. Performance of Existing Methods under Clean-Label Setting
  7. Impacts of Injected Triggers to Prediction Logic
  8. Theoretical Analysis
  9. Problem Definition
  10. Methodology
  11. Poisoned Node Selection for Logic Poisoning
  12. Inner Prediction Logic Poisoning
  13. Logic-Poisoning Trigger Generator
  14. Prediction Logic Poisoning Loss
  15. Unnoticeable Constraint on Triggers
  16. ...and 47 more sections

Key Result

Theorem 1

We consider a graph $\mathcal{G}=(\mathcal{V}, \mathcal{E},\mathbf{X})$ follows Assumptions. Given a node $v_i$ with label $y_i$, let $\text{deg}_i$ be the degree of $v_i$, and $\gamma$ be the value of the important rate of trigger. For a node ${v}_i$ attached with trigger $g_i$, the probability for where $d$ is the node feature dimension, $\mu_{y_t}$ and $\mu_{y_i}$ are the class centroid vectors

Figures (14)

  • Figure 1: Illustration of graph backdoor attacks under both the general and clean-label settings.
  • Figure 2: GNNExplainer's visualization of important subgraphs in a poisoned node's computational graph. We bold the edges connecting the poisoned node and the top-3 (a, c) and top-5 (b, d) most important nodes, respectively.
  • Figure 3: Framework of .
  • Figure 4: ASR (%) of with varying surrogate and target models on Cora and Arxiv.
  • Figure 5: Ablation studies of .
  • ...and 9 more figures

Theorems & Definitions (2)

  • Theorem 1
  • Theorem 1