Explainability-based Backdoor Attacks against Graph Neural Networks

Jing Xu; Minhui Xue; Stjepan Picek

doi:10.1145/3468218.3469046

Explainability-based Backdoor Attacks against Graph Neural Networks

Cyber Security

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

18 Citations (Scopus)

194 Downloads (Pure)

Abstract

Backdoor attacks represent a serious threat to neural network models. A backdoored model will misclassify the trigger-embedded inputs into an attacker-chosen target label while performing normally on other benign inputs. There are already numerous works on backdoor attacks on neural networks, but only a few works consider graph neural networks (GNNs). As such, there is no intensive research on explaining the impact of trigger injecting position on the performance of backdoor attacks on GNNs. To bridge this gap, we conduct an experimental investigation on the performance of backdoor attacks on GNNs. We apply two powerful GNN explainability approaches to select the optimal trigger injecting position to achieve two attacker objectives - high attack success rate and low clean accuracy drop. Our empirical results on benchmark datasets and state-of-the-art neural network models demonstrate the proposed method's effectiveness in selecting trigger injecting position for backdoor attacks on GNNs. For instance, on the node classification task, the backdoor attack with trigger injecting position selected by GraphLIME reaches over 84% attack success rate with less than 2.5% accuracy drop.

Original language	English
Title of host publication	WiseML 2021
Subtitle of host publication	Proceedings of the 3rd ACM Workshop on Wireless Security and Machine Learning
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	31-36
Number of pages	6
ISBN (Electronic)	978-1-4503-8561-9
DOIs	https://doi.org/10.1145/3468218.3469046
Publication status	Published - 2021
Event	3rd ACM Workshop on Wireless Security and Machine Learning, WiseML 2021 - Virtual, Online, United Arab Emirates Duration: 2 Jul 2021 → 2 Jul 2021

Conference

Conference	3rd ACM Workshop on Wireless Security and Machine Learning, WiseML 2021
Country/Territory	United Arab Emirates
City	Virtual, Online
Period	2/07/21 → 2/07/21

Keywords

backdoor attacks
explainability
graph neural networks

Access to Document

10.1145/3468218.3469046

3468218.3469046Final published version, 667 KBLicence: CC BY

Cite this

@inproceedings{34769f1e5b7f45b2a760961d81af7e6a,

title = "Explainability-based Backdoor Attacks against Graph Neural Networks",

abstract = "Backdoor attacks represent a serious threat to neural network models. A backdoored model will misclassify the trigger-embedded inputs into an attacker-chosen target label while performing normally on other benign inputs. There are already numerous works on backdoor attacks on neural networks, but only a few works consider graph neural networks (GNNs). As such, there is no intensive research on explaining the impact of trigger injecting position on the performance of backdoor attacks on GNNs. To bridge this gap, we conduct an experimental investigation on the performance of backdoor attacks on GNNs. We apply two powerful GNN explainability approaches to select the optimal trigger injecting position to achieve two attacker objectives - high attack success rate and low clean accuracy drop. Our empirical results on benchmark datasets and state-of-the-art neural network models demonstrate the proposed method's effectiveness in selecting trigger injecting position for backdoor attacks on GNNs. For instance, on the node classification task, the backdoor attack with trigger injecting position selected by GraphLIME reaches over 84% attack success rate with less than 2.5% accuracy drop. ",

keywords = "backdoor attacks, explainability, graph neural networks",

author = "Jing Xu and Minhui Xue and Stjepan Picek",

year = "2021",

doi = "10.1145/3468218.3469046",

language = "English",

pages = "31--36",

booktitle = "WiseML 2021",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "3rd ACM Workshop on Wireless Security and Machine Learning, WiseML 2021 ; Conference date: 02-07-2021 Through 02-07-2021",

}

Xu, J, Xue, M & Picek, S 2021, Explainability-based Backdoor Attacks against Graph Neural Networks. in WiseML 2021 : Proceedings of the 3rd ACM Workshop on Wireless Security and Machine Learning. Association for Computing Machinery (ACM), New York, pp. 31-36, 3rd ACM Workshop on Wireless Security and Machine Learning, WiseML 2021, Virtual, Online, United Arab Emirates, 2/07/21. https://doi.org/10.1145/3468218.3469046

Explainability-based Backdoor Attacks against Graph Neural Networks. / Xu, Jing; Xue, Minhui; Picek, Stjepan.
WiseML 2021 : Proceedings of the 3rd ACM Workshop on Wireless Security and Machine Learning. New York: Association for Computing Machinery (ACM), 2021. p. 31-36.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Explainability-based Backdoor Attacks against Graph Neural Networks

AU - Xu, Jing

AU - Xue, Minhui

AU - Picek, Stjepan

PY - 2021

Y1 - 2021

N2 - Backdoor attacks represent a serious threat to neural network models. A backdoored model will misclassify the trigger-embedded inputs into an attacker-chosen target label while performing normally on other benign inputs. There are already numerous works on backdoor attacks on neural networks, but only a few works consider graph neural networks (GNNs). As such, there is no intensive research on explaining the impact of trigger injecting position on the performance of backdoor attacks on GNNs. To bridge this gap, we conduct an experimental investigation on the performance of backdoor attacks on GNNs. We apply two powerful GNN explainability approaches to select the optimal trigger injecting position to achieve two attacker objectives - high attack success rate and low clean accuracy drop. Our empirical results on benchmark datasets and state-of-the-art neural network models demonstrate the proposed method's effectiveness in selecting trigger injecting position for backdoor attacks on GNNs. For instance, on the node classification task, the backdoor attack with trigger injecting position selected by GraphLIME reaches over 84% attack success rate with less than 2.5% accuracy drop.

AB - Backdoor attacks represent a serious threat to neural network models. A backdoored model will misclassify the trigger-embedded inputs into an attacker-chosen target label while performing normally on other benign inputs. There are already numerous works on backdoor attacks on neural networks, but only a few works consider graph neural networks (GNNs). As such, there is no intensive research on explaining the impact of trigger injecting position on the performance of backdoor attacks on GNNs. To bridge this gap, we conduct an experimental investigation on the performance of backdoor attacks on GNNs. We apply two powerful GNN explainability approaches to select the optimal trigger injecting position to achieve two attacker objectives - high attack success rate and low clean accuracy drop. Our empirical results on benchmark datasets and state-of-the-art neural network models demonstrate the proposed method's effectiveness in selecting trigger injecting position for backdoor attacks on GNNs. For instance, on the node classification task, the backdoor attack with trigger injecting position selected by GraphLIME reaches over 84% attack success rate with less than 2.5% accuracy drop.

KW - backdoor attacks

KW - explainability

KW - graph neural networks

UR - http://www.scopus.com/inward/record.url?scp=85113082788&partnerID=8YFLogxK

U2 - 10.1145/3468218.3469046

DO - 10.1145/3468218.3469046

M3 - Conference contribution

AN - SCOPUS:85113082788

SP - 31

EP - 36

BT - WiseML 2021

PB - Association for Computing Machinery (ACM)

CY - New York

T2 - 3rd ACM Workshop on Wireless Security and Machine Learning, WiseML 2021

Y2 - 2 July 2021 through 2 July 2021

ER -

Explainability-based Backdoor Attacks against Graph Neural Networks

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this