Graph Backdoor
share
One intriguing property of deep neural network (DNN) models is their inherent vulnerability to backdoor attacks – a trojaned model responds to trigger-embedded inputs in a highly predictable manner but functions normally otherwise. Surprisingly, despite the plethora of work on DNNs for continuous data (e.g., images), little is known about the vulnerability of graph neural network (GNN) models for discrete-structured data (e.g., graphs), which is highly concerning given the increasing use of GNNs in security-critical domains. To bridge this gap, we present GTA, the first class of backdoor attacks against GNNs. Compared with prior work, GTA departs in significant ways: graph-oriented – it allows the adversary to define triggers as specific subgraphs, including both topological structures and descriptive features; input-tailored – it generates triggers tailored to individual graphs, thereby optimizing both attack effectiveness and evasiveness; downstream model-agnostic – it assumes no knowledge about downstream models or fine-tuning strategies; and attack-extensible – it can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks, constituting severe threats for a range of security-critical applications (e.g., toxic chemical classification). Through extensive evaluation on benchmark datasets and state-of-the-art GNNs, we demonstrate the efficacy of GTA. For instance, on pre-trained, off-the-shelf GNNs, GTA attains over 99.2 attack success rate with less than 0.3 further provide analytical justification for the effectiveness of GTA and discuss potential mitigation, pointing to several promising research directions.
READ FULL TEXT