Explainability-based Backdoor Attacks Against Graph Neural Networks
This addresses a security vulnerability for users of GNNs, but it is incremental as it builds on existing backdoor attack research by applying it to a less-studied domain.
The paper tackles the problem of backdoor attacks on graph neural networks (GNNs) by investigating how trigger injecting position affects attack performance, using explainability methods to select optimal positions; the result shows that on a node classification task, the attack achieves over 84% success rate with less than 2.5% accuracy drop.
Backdoor attacks represent a serious threat to neural network models. A backdoored model will misclassify the trigger-embedded inputs into an attacker-chosen target label while performing normally on other benign inputs. There are already numerous works on backdoor attacks on neural networks, but only a few works consider graph neural networks (GNNs). As such, there is no intensive research on explaining the impact of trigger injecting position on the performance of backdoor attacks on GNNs. To bridge this gap, we conduct an experimental investigation on the performance of backdoor attacks on GNNs. We apply two powerful GNN explainability approaches to select the optimal trigger injecting position to achieve two attacker objectives -- high attack success rate and low clean accuracy drop. Our empirical results on benchmark datasets and state-of-the-art neural network models demonstrate the proposed method's effectiveness in selecting trigger injecting position for backdoor attacks on GNNs. For instance, on the node classification task, the backdoor attack with trigger injecting position selected by GraphLIME reaches over $84 \%$ attack success rate with less than $2.5 \%$ accuracy drop