半监督图节点分类任务的清洁标签后门植入

doi:10.16180/j.cnki.issn1007-7820.2024.09.009

摘要/Abstract

摘要：

半监督图学习旨在使用给定图中的各种先验知识推断未标记节点或图的类别,通过提升数据标注的自动化,使其具有较高的节点分类效率。作为一种深度学习架构,半监督图学习也面临后门攻击威胁,但目前尚未出现对半监督图节点分类任务有效的后门攻击方法。文中提出了一种针对半监督图节点分类模型的持久性清洁标签后门攻击方法,通过在未标记的训练数据上自适应地添加触发器和对抗扰动生成中毒样本,并在不修改标签的情况下训练得到中毒的半监督图节点分类模型。而攻击者可以较为隐蔽地对模型进行投毒,且投毒率不高于4%。同时为了保证后门在模型中的持久性,设计了一种超参数调节策略以选择最佳的对抗扰动尺寸。在多个半监督图节点分类模型与开源数据集上进行的大量实验,结果表明所提方法的攻击成功率最高可达96.25%,而模型在正常样本上的分类精度几乎没有损失。

关键词: 半监督图学习, 图神经网络, 节点分类, 对抗样本, 数据投毒, 后门攻击, 持久性攻击,清洁标签后门

Abstract:

Semi-supervised graph learning aims to infer the class of unlabeled nodes or graphs by using various prior knowledge in a given graph. By improving the automation of data labeling, semi-supervised graph learning has high efficiency in node classification, but as a deep learning architecture, it also faces the threat of backdoor attacks, but no effective backdoor attack method has been developed for semi-supervised graph node classification tasks. This study propose a persistent clean-label backdoor attack method for semi-supervised graph node classification models, which generates poisoned samples by adaptively adding triggers and perturbations on unlabeled training data, and then trains to obtain poisoned semi-supervised graph node classification models without modifying the labels. The attacker can poison the model more stealthily with a poisoning rate no higher than 4%. To ensure the persistence of the backdoor in the model, a hyperparameter tuning strategy is also proposed to select the optimal value of the perturbation. Extensive experiments on several semi-supervised graph node classification models and open-source datasets show that the proposed approach achieves an attack success rate of up to 96.25% with little loss of classification accuracy of the model on normal samples.

Key words: semi-supervised graph learning, graph neural networks, node classification, adversarial samples, data poisoning, backdoor attacks, persistence attacks, clean-label backdoors

中图分类号:

TP393

杨潇, 李高磊. 半监督图节点分类任务的清洁标签后门植入[J]. 电子科技, 2024, 37(9): 57-63.

YANG Xiao, LI Gaolei. Persistent Clean-Label Backdoor Attack for Semi-Supervised Graph Node Classification[J]. Electronic Science and Technology, 2024, 37(9): 57-63.

图/表 6

图1

表1

表2

图2

图3

图4

参考文献 21

[1]	吴博, 梁循, 张树森, 等. 图神经网络前沿进展与应用[J]. 计算机学报, 2022, 45(1):35-68.
	Wu Bo, Liang Xun, Zhang Shusen, et al. Advances and applicationsins in graph neural network[J]. Chinese Journal of Computers, 2022, 45(1):35-68.
[2]	Wu Z, Pan S, Chen F, et al. A comprehensive survey ongraph neural networks[J]. IEEE Transactions on Neural Networks and Learning Systems, 2020, 32(1):4-24.
[3]	Li Y, Jiang Y, Li Z, et al. Backdoor learning:A survey[J]. IEEE Transactions on Neural Networks and Learning Systems, 2022, 18(4):38-56.
[4]	Kaviani S, Sohn I. Defense against neural trojan attacks:A survey[J]. Neurocomputing, 2021, 42(3):651-667.
[5]	Ortiz-Jimenez G, Modas A, Moosavi S M, et al. Hold me tight! Influence of discriminative features on deep network boundaries[J]. Advances in Neural Information Processing Systems, 2020, 33(8):2935-2946.
[6]	Yan Z, Li G, TIan Y, et al. Dehib:Deep hidden backdoor attack on semi-supervised learning via adversarial perturbation[C]. Online: AAAI Conference on Artificial Intelligence, 2021:702-709.
[7]	Xu J, Picek S. Poster:Cleanlabel backdoor attack on graph neural networks[C]. Los Angeles: ACM SIGSAC Conference on Computer and Communications Security, 2022:3117-3125.
[8]	Ning R, Li J, Xin C, et al. Invisible poison:A blackbox clean label backdoor attack to deep neural networks[C]. Vancouver: IEEE INFOCOM Conference on Computer Communications, 2021:592-601.
[9]	Chen X, Dong Y, Sun Z, et al. Kallima:A clean-label framework for textual backdoor attacks[C]. Copenhagen: The Twenty-seventh European Symposium on Researchin Computer Security,Copenhagen,Denmark,September, 2022:752-758.
[10]	Kipf T N, Welling M. Semi-supervised classification with graph convolutional networks[C]. Toulon: The Fifth International Conference on Learning Representations, 2017:266-271.
[11]	Hamilton W L, Ying R, Leskovec J. Inductive representation learning on large graphs[C]. Red Hook: The Thirty-first International Conference on Neural Information Processing Systems, 2017:863-870.
[12]	Thekumparampil K K, Wang C, Oh S, et al. Attention-based graph neural network for semi-supervised learning[C]. Vancouver: The Sixth International Conference on Learning Representations, 2018:509-515.
[13]	Verma V, Qu M, Kawaguchi K, et al. Graphmix:Improvedtraining of gnns for semi-supervised learning[C]. Online: AAAI Conference on Artificial Intelligence, 2021:638-643.
[14]	Feng W, Zhang J, Dong Y, et al. Graph random neural networks for semisupervised learning on graphs[J]. Advances in Neural Information Processing Systems, 2020, 33(2):22092-22103.
[15]	Xi Z, Pang R, Ji S, et al. Graph backdoor[C]. Online: US-ENIX Security Symposium, 2021:599-607.
[16]	Xu J, Xue M, Picek S. Explainability-based backdoor attacks against graph neural networks[C]. Abu Dhabi: The Third ACM Workshop on Wireless Security and Machine Learning, 2021:265-271.
[17]	Zhang J, Luo Y. Degree centrality,betweenness centrality,and closeness centrality in social network[C]. Bangkok: The Second International Conference on Modelling,Simulation and Applied Mathematics, 2017:482-490.
[18]	Ruhnau B. Eigenvector-centrality-A node-centrality[J]. Social Networks, 2000, 22(4):357-365.
[19]	Dai H, Li H, Tian T, et al. Adversarial attack on graph structured data[C]. Stockholmsmässan: International Conference on Machine Learning, 2018:632-638.
[20]	Madry A, Makelov A, Schmidt L, et al. Vladu:Towards deep learning models resistant to adversarial attacks[C]. Vancouver: The Sixth International Conference on Learning Representations, 2018:10159-10166.
[21]	Zhang H, Ciss é M, Dauphin Y N, et al. Beyond empirical risk minimization[C]. Vancouver: The Sixth International Conference on Learning Representations, 2018:561-567.

数据集	节点数	边数	类别	特征数	标记率
Cora(A)	2 708	5 429	7	1 433	0.052
Citeseer(B)	3 327	4 732	6	3 703	0.036
Pubmed(C)	3 943	3 815	3	500	0.040
DBLP(D)	17 716	105 734	4	1 639	0.008
Physics(E)	34 493	495 924	5	8 415	0.004

GNN模型	数据集 /%	投毒率 /%	ASR /%	干净数据 Acc/%	Acc /%	MR /%	ADD /%	AEC /%	AFD /%
GCN	Cora	3.6	60.20	73.78	70.77	3.4	0.058 0	0.021 0	0.900 0
	Citeseer	3.0	34.08	66.25	65.85	7.1	0.118 0	0.050 0	0.090 0
	Pubmed	2.5	71.01	72.14	69.86	9.1	0.000 6	0.000 8	0.240 0
	DBLP	0.5	89.62	78.54	76.22	5.8	4.7×10^-7	1.2×10^-5	0.200 0
	Physics	0.2	90.48	91.15	90.21	3.7	0.000 7	0.000 4	0.000 5
GAT	Cora	3.6	41.51	73.01	68.44	3.1	0.038 0	0.033 0	0.60
	Citeseer	3.0	47.00	57.56	54.66	5.3	0.245 0	0.062 0	0.02
	Pubmed	2.5	43.08	61.09	62.46	7.4	0.001 3	0.001 1	0.10
	DBLP	0.5	86.52	79.90	78.15	3.2	0.000 4	0.000 6	0.12
	Physics	0.2	49.92	88.44	88.25	2.9	5.9×10^-5	0.000 5	0.39
GraphSAGE	Cora	3.6	89.60	68.48	68.21	2.9	0.015 0	0.046 0	0.47
	Citeseer	3.0	70.34	68.55	66.00	5.7	0.085 0	0.164 0	0.11
	Pubmed	2.5	91.85	69.15	72.67	5.1	0.002 7	0.006 3	0.09
	DBLP	0.5	96.25	77.88	78.06	4.4	0.000 8	0.001 4	0.33
	Physics	0.2	83.45	89.49	88.46	2.3	0.000 3	0.000 6	0.47