Rethinking the Trigger-injecting Position in Graph Backdoor Attack

Jing Xu, Gorka Abad, Stjepan Picek

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

1 Downloads (Pure)


Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies’ similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs.
Original languageEnglish
Title of host publicationProceedings of the 2023 International Joint Conference on Neural Networks (IJCNN)
Place of PublicationPiscataway
Number of pages8
ISBN (Electronic)978-1-6654-8867-9
ISBN (Print)978-1-6654-8868-6
Publication statusPublished - 2023
Event2023 International Joint Conference on Neural Networks (IJCNN) - Gold Coast, Australia
Duration: 18 Jun 202323 Jun 2023

Publication series

NameProceedings of the International Joint Conference on Neural Networks


Conference2023 International Joint Conference on Neural Networks (IJCNN)
CityGold Coast

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.


  • backdoor attack
  • trigger-injecting position
  • graph neural networks


Dive into the research topics of 'Rethinking the Trigger-injecting Position in Graph Backdoor Attack'. Together they form a unique fingerprint.

Cite this