Backdoor Attacks to Graph Neural Networks

Node classification and graph classification are two basic graph analytics tools. Node classification aims to predict a label for each node in a graph, while graph classification aims to predict a label for the entire graph. Existing studies on graph neural networks (GNNs) in adversarial settings have mainly focused on node classification, leaving GNN-based graph classification largely unexplored. We aim to bridge this gap in this work. Specifically, we propose a subgraph-based backdoor attack on GNN-based graph classification. In our backdoor attack, a GNN classifier predicts an attacker-chosen target label for a testing graph once the attacker injects a predefined subgraph into the testing graph. Our empirical results on three real-world graph datasets show that our backdoor attacks are effective, with a small impact on a GNN's prediction accuracy for clean testing graphs. We generalize a state-of-the-art randomized-smoothing-based certified defense to defend against our backdoor attacks. Our empirical results show that the defense is ineffective in some cases, highlighting the need for new defenses against our backdoor attacks.
