Rethinking the Trigger-injecting Position in Graph Backdoor Attack

Jing Xu; Gorka  Abad; Stjepan Picek

doi:10.1109/IJCNN54540.2023.10191949

Rethinking the Trigger-injecting Position in Graph Backdoor Attack

Cyber Security

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

8 Downloads (Pure)

Abstract

Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies’ similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs.

Original language	English
Title of host publication	Proceedings of the 2023 International Joint Conference on Neural Networks (IJCNN)
Place of Publication	Piscataway
Publisher	IEEE
Pages	1-8
Number of pages	8
ISBN (Electronic)	978-1-6654-8867-9
ISBN (Print)	978-1-6654-8868-6
DOIs	https://doi.org/10.1109/IJCNN54540.2023.10191949
Publication status	Published - 2023
Event	2023 International Joint Conference on Neural Networks (IJCNN) - Gold Coast, Australia Duration: 18 Jun 2023 → 23 Jun 2023

Publication series

Name	Proceedings of the International Joint Conference on Neural Networks
Volume	2023-June

Conference

Conference	2023 International Joint Conference on Neural Networks (IJCNN)
Country/Territory	Australia
City	Gold Coast
Period	18/06/23 → 23/06/23

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

backdoor attack
trigger-injecting position
graph neural networks

Access to Document

10.1109/IJCNN54540.2023.10191949

Rethinking_the_Trigger-injecting_Position_in_Graph_Backdoor_AttackFinal published version, 1.32 MB

Cite this

@inproceedings{69e1c1f39049432facb1e40b8b65184f,

title = "Rethinking the Trigger-injecting Position in Graph Backdoor Attack",

abstract = "Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies{\textquoteright} similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs.",

keywords = "backdoor attack, trigger-injecting position, graph neural networks",

author = "Jing Xu and Gorka Abad and Stjepan Picek",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.; 2023 International Joint Conference on Neural Networks (IJCNN) ; Conference date: 18-06-2023 Through 23-06-2023",

year = "2023",

doi = "10.1109/IJCNN54540.2023.10191949",

language = "English",

isbn = "978-1-6654-8868-6",

series = "Proceedings of the International Joint Conference on Neural Networks",

publisher = "IEEE",

pages = "1--8",

booktitle = "Proceedings of the 2023 International Joint Conference on Neural Networks (IJCNN)",

address = "United States",

}

Xu, J, Abad, G & Picek, S 2023, Rethinking the Trigger-injecting Position in Graph Backdoor Attack. in Proceedings of the 2023 International Joint Conference on Neural Networks (IJCNN). Proceedings of the International Joint Conference on Neural Networks, vol. 2023-June, IEEE, Piscataway, pp. 1-8, 2023 International Joint Conference on Neural Networks (IJCNN), Gold Coast, Australia, 18/06/23. https://doi.org/10.1109/IJCNN54540.2023.10191949

Rethinking the Trigger-injecting Position in Graph Backdoor Attack. / Xu, Jing; Abad, Gorka ; Picek, Stjepan.
Proceedings of the 2023 International Joint Conference on Neural Networks (IJCNN). Piscataway: IEEE, 2023. p. 1-8 (Proceedings of the International Joint Conference on Neural Networks; Vol. 2023-June).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Rethinking the Trigger-injecting Position in Graph Backdoor Attack

AU - Xu, Jing

AU - Abad, Gorka

AU - Picek, Stjepan

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2023

Y1 - 2023

N2 - Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies’ similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs.

AB - Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies’ similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs.

KW - backdoor attack

KW - trigger-injecting position

KW - graph neural networks

UR - http://www.scopus.com/inward/record.url?scp=85169577914&partnerID=8YFLogxK

U2 - 10.1109/IJCNN54540.2023.10191949

DO - 10.1109/IJCNN54540.2023.10191949

M3 - Conference contribution

SN - 978-1-6654-8868-6

T3 - Proceedings of the International Joint Conference on Neural Networks

SP - 1

EP - 8

BT - Proceedings of the 2023 International Joint Conference on Neural Networks (IJCNN)

PB - IEEE

CY - Piscataway

T2 - 2023 International Joint Conference on Neural Networks (IJCNN)

Y2 - 18 June 2023 through 23 June 2023

ER -

Rethinking the Trigger-injecting Position in Graph Backdoor Attack

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this