半监督图节点分类任务的清洁标签后门植入

doi:10.16180/j.cnki.issn1007-7820.2024.09.009

Abstract

Abstract:

Semi-supervised graph learning aims to infer the class of unlabeled nodes or graphs by using various prior knowledge in a given graph. By improving the automation of data labeling, semi-supervised graph learning has high efficiency in node classification, but as a deep learning architecture, it also faces the threat of backdoor attacks, but no effective backdoor attack method has been developed for semi-supervised graph node classification tasks. This study propose a persistent clean-label backdoor attack method for semi-supervised graph node classification models, which generates poisoned samples by adaptively adding triggers and perturbations on unlabeled training data, and then trains to obtain poisoned semi-supervised graph node classification models without modifying the labels. The attacker can poison the model more stealthily with a poisoning rate no higher than 4%. To ensure the persistence of the backdoor in the model, a hyperparameter tuning strategy is also proposed to select the optimal value of the perturbation. Extensive experiments on several semi-supervised graph node classification models and open-source datasets show that the proposed approach achieves an attack success rate of up to 96.25% with little loss of classification accuracy of the model on normal samples.

Key words: semi-supervised graph learning, graph neural networks, node classification, adversarial samples, data poisoning, backdoor attacks, persistence attacks, clean-label backdoors

CLC Number:

TP393

YANG Xiao, LI Gaolei. Persistent Clean-Label Backdoor Attack for Semi-Supervised Graph Node Classification[J].Electronic Science and Technology, 2024, 37(9): 57-63.

Figures/Tables 6

Figure 1.

Table 1.

Table 2.

Figure 2.

Figure 3.

Figure 4.

References 21

[1]	吴博, 梁循, 张树森, 等. 图神经网络前沿进展与应用[J]. 计算机学报, 2022, 45(1):35-68.
	Wu Bo, Liang Xun, Zhang Shusen, et al. Advances and applicationsins in graph neural network[J]. Chinese Journal of Computers, 2022, 45(1):35-68.
[2]	Wu Z, Pan S, Chen F, et al. A comprehensive survey ongraph neural networks[J]. IEEE Transactions on Neural Networks and Learning Systems, 2020, 32(1):4-24.
[3]	Li Y, Jiang Y, Li Z, et al. Backdoor learning:A survey[J]. IEEE Transactions on Neural Networks and Learning Systems, 2022, 18(4):38-56.
[4]	Kaviani S, Sohn I. Defense against neural trojan attacks:A survey[J]. Neurocomputing, 2021, 42(3):651-667.
[5]	Ortiz-Jimenez G, Modas A, Moosavi S M, et al. Hold me tight! Influence of discriminative features on deep network boundaries[J]. Advances in Neural Information Processing Systems, 2020, 33(8):2935-2946.
[6]	Yan Z, Li G, TIan Y, et al. Dehib:Deep hidden backdoor attack on semi-supervised learning via adversarial perturbation[C]. Online: AAAI Conference on Artificial Intelligence, 2021:702-709.
[7]	Xu J, Picek S. Poster:Cleanlabel backdoor attack on graph neural networks[C]. Los Angeles: ACM SIGSAC Conference on Computer and Communications Security, 2022:3117-3125.
[8]	Ning R, Li J, Xin C, et al. Invisible poison:A blackbox clean label backdoor attack to deep neural networks[C]. Vancouver: IEEE INFOCOM Conference on Computer Communications, 2021:592-601.
[9]	Chen X, Dong Y, Sun Z, et al. Kallima:A clean-label framework for textual backdoor attacks[C]. Copenhagen: The Twenty-seventh European Symposium on Researchin Computer Security,Copenhagen,Denmark,September, 2022:752-758.
[10]	Kipf T N, Welling M. Semi-supervised classification with graph convolutional networks[C]. Toulon: The Fifth International Conference on Learning Representations, 2017:266-271.
[11]	Hamilton W L, Ying R, Leskovec J. Inductive representation learning on large graphs[C]. Red Hook: The Thirty-first International Conference on Neural Information Processing Systems, 2017:863-870.
[12]	Thekumparampil K K, Wang C, Oh S, et al. Attention-based graph neural network for semi-supervised learning[C]. Vancouver: The Sixth International Conference on Learning Representations, 2018:509-515.
[13]	Verma V, Qu M, Kawaguchi K, et al. Graphmix:Improvedtraining of gnns for semi-supervised learning[C]. Online: AAAI Conference on Artificial Intelligence, 2021:638-643.
[14]	Feng W, Zhang J, Dong Y, et al. Graph random neural networks for semisupervised learning on graphs[J]. Advances in Neural Information Processing Systems, 2020, 33(2):22092-22103.
[15]	Xi Z, Pang R, Ji S, et al. Graph backdoor[C]. Online: US-ENIX Security Symposium, 2021:599-607.
[16]	Xu J, Xue M, Picek S. Explainability-based backdoor attacks against graph neural networks[C]. Abu Dhabi: The Third ACM Workshop on Wireless Security and Machine Learning, 2021:265-271.
[17]	Zhang J, Luo Y. Degree centrality,betweenness centrality,and closeness centrality in social network[C]. Bangkok: The Second International Conference on Modelling,Simulation and Applied Mathematics, 2017:482-490.
[18]	Ruhnau B. Eigenvector-centrality-A node-centrality[J]. Social Networks, 2000, 22(4):357-365.
[19]	Dai H, Li H, Tian T, et al. Adversarial attack on graph structured data[C]. Stockholmsmässan: International Conference on Machine Learning, 2018:632-638.
[20]	Madry A, Makelov A, Schmidt L, et al. Vladu:Towards deep learning models resistant to adversarial attacks[C]. Vancouver: The Sixth International Conference on Learning Representations, 2018:10159-10166.
[21]	Zhang H, Ciss é M, Dauphin Y N, et al. Beyond empirical risk minimization[C]. Vancouver: The Sixth International Conference on Learning Representations, 2018:561-567.

数据集	节点数	边数	类别	特征数	标记率
Cora(A)	2 708	5 429	7	1 433	0.052
Citeseer(B)	3 327	4 732	6	3 703	0.036
Pubmed(C)	3 943	3 815	3	500	0.040
DBLP(D)	17 716	105 734	4	1 639	0.008
Physics(E)	34 493	495 924	5	8 415	0.004

GNN模型	数据集 /%	投毒率 /%	ASR /%	干净数据 Acc/%	Acc /%	MR /%	ADD /%	AEC /%	AFD /%
GCN	Cora	3.6	60.20	73.78	70.77	3.4	0.058 0	0.021 0	0.900 0
	Citeseer	3.0	34.08	66.25	65.85	7.1	0.118 0	0.050 0	0.090 0
	Pubmed	2.5	71.01	72.14	69.86	9.1	0.000 6	0.000 8	0.240 0
	DBLP	0.5	89.62	78.54	76.22	5.8	4.7×10^-7	1.2×10^-5	0.200 0
	Physics	0.2	90.48	91.15	90.21	3.7	0.000 7	0.000 4	0.000 5
GAT	Cora	3.6	41.51	73.01	68.44	3.1	0.038 0	0.033 0	0.60
	Citeseer	3.0	47.00	57.56	54.66	5.3	0.245 0	0.062 0	0.02
	Pubmed	2.5	43.08	61.09	62.46	7.4	0.001 3	0.001 1	0.10
	DBLP	0.5	86.52	79.90	78.15	3.2	0.000 4	0.000 6	0.12
	Physics	0.2	49.92	88.44	88.25	2.9	5.9×10^-5	0.000 5	0.39
GraphSAGE	Cora	3.6	89.60	68.48	68.21	2.9	0.015 0	0.046 0	0.47
	Citeseer	3.0	70.34	68.55	66.00	5.7	0.085 0	0.164 0	0.11
	Pubmed	2.5	91.85	69.15	72.67	5.1	0.002 7	0.006 3	0.09
	DBLP	0.5	96.25	77.88	78.06	4.4	0.000 8	0.001 4	0.33
	Physics	0.2	83.45	89.49	88.46	2.3	0.000 3	0.000 6	0.47

Persistent Clean-Label Backdoor Attack for Semi-Supervised Graph Node Classification

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 21

Related Articles 15

Metrics

Comments

Recommended 0

[1]	WANG Shun, XU Xianghua, WANG Ran. Smart Contract Vulnerability Detection Method Based on Meta-Operation [J]. Electronic Science and Technology, 2024, 37(9): 64-71.
[2]	LU Zhenyang. Overview of Research on Network Security Situation Prediction Technology [J]. Electronic Science and Technology, 2024, 37(8): 92-96.
[3]	FANG Xiang. Research Progress in Network Security Situation Awareness Models [J]. Electronic Science and Technology, 2024, 37(6): 98-102.
[4]	WU Jiacheng, YU Xiao. A Review of Research on Cybersecurity Risk Assessment Methods [J]. Electronic Science and Technology, 2024, 37(3): 10-17.
[5]	GONG Zhi,LIU Chao,FU Qiang. Network Security Device Design Based on Red-Black Isolation Architecture [J]. Electronic Science and Technology, 2024, 37(2): 76-86.
[6]	BAI Rui,REN Zhu. Estimation and Performance Analysis of Unscented Kalman Filter with Randomly Missing Measurements [J]. Electronic Science and Technology, 2024, 37(2): 23-29.
[7]	LI Xiuwen,WANG Lei,REN Zhu. Security Detection of Extended Kalman Filter under Injection Attack [J]. Electronic Science and Technology, 2023, 36(10): 68-73.
[8]	LU Minlong,GUO Wei,ZHANG Xuanxiong. UWB/PDR Pedestrian Localization System Based on Adaptive UKF [J]. Electronic Science and Technology, 2023, 36(6): 41-49.
[9]	WU Tong,YU Lianzhi. The Recommendation Algorithm of Extreme Deep Factorization Machine Merged with Attention Network [J]. Electronic Science and Technology, 2023, 36(1): 38-43.
[10]	ZHANG Yuhui,ZHANG Fengdeng,ZHANG Haitao. Research on Improved FTA Clock Synchronization Algorithm in RTEthernet [J]. Electronic Science and Technology, 2023, 36(1): 67-74.
[11]	WEI Zefeng,ZHOU Yuanyuan. Workflow Scheduling Algorithm Based on Mobile Perception in Mobile Edge Environment [J]. Electronic Science and Technology, 2022, 35(9): 58-64.
[12]	XUE Liang,WANG Ran. An Optimization Method of K-Barrier Lifetime in Mobile Sensor Network [J]. Electronic Science and Technology, 2022, 35(8): 34-40.
[13]	GUO Wei,ZHANG Xuanxiong. UWB/PDR Integrated Indoor Pedestrian Positioning [J]. Electronic Science and Technology, 2022, 35(8): 41-46.
[14]	LIU Yongpan,WANG Ran. Minimum Cost of Heterogeneous Directional Sensor Networks for Target Coverage [J]. Electronic Science and Technology, 2022, 35(7): 14-21.
[15]	RAN Xianyuan,WANG Ran. Maximizing the Rest Time of Mobile Charger in Rechargeable Probabilistic Sensor Networks [J]. Electronic Science and Technology, 2022, 35(6): 13-20.