Backdoor Attack of Graph Neural Networks Based on Subgraph Trigger

Abstract

Graph Neural Networks (GNN) is a kind of deep learning model to process structural and semantic features of graph data. They are widely used in node classification, graph classification, and link prediction. However, deep learning models require a lot of training data and computational costs, and users usually choose the models provided by third-party platforms. Attackers make full use of their insecurity, subtly modify the training data, and affect the model accuracy. To ensure the service quality and the model robustness, researches on model attacks and defenses are launched. As a new type of attack, backdoor attacks have also been verified on the GNN model. However, existing research still has the following problems: 1) the design of triggers is single; 2) the selection of attack nodes is random; 3) the attack is only effective for some specific GNN models. To address these problems, we study the GNN backdoor attack based on the subgraph trigger. We design the trigger based on the features of the sample data and use the random graph generation algorithm to obtain the subgraph trigger. We propose to select the attack nodes by fusing the local and global structural features and fine-tuned edges when inserted into datasets. We apply it to multiple GNN models. Finally, we use fewer nodes, smaller densities and randomly fine-tune the trigger structure, the experimental results show that the attack we propose has a significant effect on the real datasets, in which clean accuracy drop is less than 0.07 and the attack success rate increases more than 75%.