TY - GEN
T1 - Graph backdoor
AU - Xi, Zhaohan
AU - Pang, Ren
AU - Ji, Shouling
AU - Wang, Ting
N1 - Publisher Copyright:
© 2021 by The USENIX Association. All rights reserved.
PY - 2021
Y1 - 2021
N2 - One intriguing property of deep neural networks (DNNs) is their inherent vulnerability to backdoor attacks - a trojan model responds to trigger-embedded inputs in a highly predictable manner while functioning normally otherwise. Despite the plethora of prior work on DNNs for continuous data (e.g., images), the vulnerability of graph neural networks (GNNs) for discrete-structured data (e.g., graphs) is largely unexplored, which is highly concerning given their increasing use in security-sensitive domains. To bridge this gap, we present GTA, the first backdoor attack on GNNs. Compared with prior work, GTA departs in significant ways: graph-oriented - it defines triggers as specific subgraphs, including both topological structures and descriptive features, entailing a large design spectrum for the adversary; input-tailored - it dynamically adapts triggers to individual graphs, thereby optimizing both attack effectiveness and evasiveness; downstream model-agnostic - it can be readily launched without knowledge regarding downstream models or fine-tuning strategies; and attack-extensible - it can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks, constituting severe threats for a range of security-critical applications. Through extensive evaluation using benchmark datasets and state-of-the-art models, we demonstrate the effectiveness of GTA. We further provide analytical justification for its effectiveness and discuss potential countermeasures, pointing to several promising research directions.
AB - One intriguing property of deep neural networks (DNNs) is their inherent vulnerability to backdoor attacks - a trojan model responds to trigger-embedded inputs in a highly predictable manner while functioning normally otherwise. Despite the plethora of prior work on DNNs for continuous data (e.g., images), the vulnerability of graph neural networks (GNNs) for discrete-structured data (e.g., graphs) is largely unexplored, which is highly concerning given their increasing use in security-sensitive domains. To bridge this gap, we present GTA, the first backdoor attack on GNNs. Compared with prior work, GTA departs in significant ways: graph-oriented - it defines triggers as specific subgraphs, including both topological structures and descriptive features, entailing a large design spectrum for the adversary; input-tailored - it dynamically adapts triggers to individual graphs, thereby optimizing both attack effectiveness and evasiveness; downstream model-agnostic - it can be readily launched without knowledge regarding downstream models or fine-tuning strategies; and attack-extensible - it can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks, constituting severe threats for a range of security-critical applications. Through extensive evaluation using benchmark datasets and state-of-the-art models, we demonstrate the effectiveness of GTA. We further provide analytical justification for its effectiveness and discuss potential countermeasures, pointing to several promising research directions.
UR - http://www.scopus.com/inward/record.url?scp=85103748702&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85103748702&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85103748702
T3 - Proceedings of the 30th USENIX Security Symposium
SP - 1523
EP - 1540
BT - Proceedings of the 30th USENIX Security Symposium
PB - USENIX Association
T2 - 30th USENIX Security Symposium, USENIX Security 2021
Y2 - 11 August 2021 through 13 August 2021
ER -