Boosting Graph Robustness Against Backdoor Attacks: An Over-Similarity Perspective
Liu, Chang, Huang, Hai, Xing, Yujie, Zuo, Xingquan
–arXiv.org Artificial Intelligence
Graph Neural Networks (GNNs) (Kipf & Welling, 2016; Velickovic et al., 2017; Hamilton Graph Neural Networks (GNNs) have achieved et al., 2017), widely recognized as representative methodologies notable success in tasks such as social and transportation in graph-based machine learning, are capable of networks. However, recent studies have deriving high-quality representations from graph data. However, highlighted the vulnerability of GNNs to backdoor despite the remarkable performance of GNNs across attacks, raising significant concerns about various tasks, recent studies (Xi et al., 2021; Zhang et al., their reliability in real-world applications. Despite 2021; Dai et al., 2023; Zhang et al., 2024a) have revealed initial efforts to defend against specific graph that they are vulnerable to backdoor attacks. Backdoor attacks backdoor attacks, existing defense methods face on GNNs typically involve generating and attaching two main challenges: either the inability to establish backdoor triggers to a selected set of target nodes, which are a clear distinction between triggers and subsequently assigned to a specific target class. These triggers, clean nodes, resulting in the removal of many often represented as nodes or subgraphs, can be either clean nodes, or the failure to eliminate the impact predefined or dynamically created using a trigger generator. of triggers, making it challenging to restore the During training on a dataset contaminated with these triggers, target nodes to their pre-attack state. Through empirical due to the graph message-passing paradigm, the GNN analysis of various existing graph backdoor model learns to associate the presence of the trigger with attacks, we observe that the triggers generated by the specific target class. Consequently, during inference, the these methods exhibit over-similarity in both features backdoored model misclassifies test nodes containing the and structure. Based on this observation, we trigger into the target class while maintaining high predictive propose a novel graph backdoor defense method accuracy for clean nodes without triggers.
arXiv.org Artificial Intelligence
Feb-3-2025
- Genre:
- Research Report > New Finding (1.00)
- Industry:
- Information Technology > Security & Privacy (1.00)
- Technology: