Gradient-Based Clean Label Backdoor Attack to Graph Neural Networks

Ryo Meguro; Hiroya Kato; Shintaro Narisada; Seira Hidano; Kazuhide Fukushima; Takuo Suganuma; Masahiro Hiji

doi:10.5220/0012369500003648

Gradient-Based Clean Label Backdoor Attack to Graph Neural Networks

Ryo Meguro, Hiroya Kato, Shintaro Narisada, Seira Hidano, Kazuhide Fukushima, Takuo Suganuma, Masahiro Hiji

2024

Abstract

Graph neural networks (GNNs) can obtain useful information from graph structured data. Although its great capability is promising, GNNs are vulnerable to backdoor attacks, which plant a marker called trigger in victims’ models to cause them to misclassify poisoned data with triggers into a target class. In particular, a clean label backdoor attack (CLBA) on the GNNs remains largely unexplored. Revealing characteristics of the CLBA is vital from the perspective of defense. In this paper, we propose the first gradient based CLBA on GNNs for graph classification tasks. Our attack consists of two important phases, the graph embedding based pairing and the gradient based trigger injection. Our pairing makes pairs from graphs of the target class and the others to successfully plant the backdoor in the target class area in the graph embedding space. Our trigger injection embeds triggers in graphs with gradient-based scores, yielding effective poisoned graphs. We conduct experiments on multiple datasets and GNN models. Our results demonstrate that our attack outperforms the existing CLBA using fixed triggers. Our attack surpasses attack success rates of the existing CLBA by up to 50%. Furthermore, we show that our attack is difficult to detect with an existing defense.

Download

Paper Citation

in Harvard Style

Meguro R., Kato H., Narisada S., Hidano S., Fukushima K., Suganuma T. and Hiji M. (2024). Gradient-Based Clean Label Backdoor Attack to Graph Neural Networks. In Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP; ISBN 978-989-758-683-5, SciTePress, pages 510-521. DOI: 10.5220/0012369500003648

in Bibtex Style

@conference{icissp24,
author={Ryo Meguro and Hiroya Kato and Shintaro Narisada and Seira Hidano and Kazuhide Fukushima and Takuo Suganuma and Masahiro Hiji},
title={Gradient-Based Clean Label Backdoor Attack to Graph Neural Networks},
booktitle={Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2024},
pages={510-521},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012369500003648},
isbn={978-989-758-683-5},
}

in EndNote Style

TY - CONF

JO - Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Gradient-Based Clean Label Backdoor Attack to Graph Neural Networks
SN - 978-989-758-683-5
AU - Meguro R.
AU - Kato H.
AU - Narisada S.
AU - Hidano S.
AU - Fukushima K.
AU - Suganuma T.
AU - Hiji M.
PY - 2024
SP - 510
EP - 521
DO - 10.5220/0012369500003648
PB - SciTePress