LG | CR | Apr 5, 2023

Rethinking the Trigger-injecting Position in Graph Backdoor Attack

arXiv:2304.02277v2 | 13 citations | h-index: 39
Originality: Incremental advance
AI Analysis

This work addresses a security vulnerability in GNNs by analyzing trigger placement strategies, offering insights for improving backdoor attack defenses, though it is incremental as it builds on existing graph backdoor research.

The paper investigates the impact of trigger-injecting positions in graph backdoor attacks on Graph Neural Networks, finding that injecting triggers into least important areas (LIAS) generally yields better attack performance than most important areas (MIAS), with significant differences observed.

Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies' similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs.
