| 引用本文: |
-
伍晓洁,刘强,王煜恒,付章杰.SBA-ST:一种使用更小触发器逃避随机平滑防御的子图后门攻击方法[J].信息安全学报,已采用 [点击复制]
- Wuxiaojie,Liu Qiang,Wang Yuheng,Fu Zhangjie.SBA-ST: A Subgraph Backdoor Attacking Method Using Smaller Triggers to Evade Randomized Smoothing Defense[J].Journal of Cyber Security,Accept [点击复制]
|
|
| 摘要: |
| 随着图神经网络在节点分类和图分类任务领域的快速发展,对其安全脆弱性的研究也越来越深入。在图分类领域的对抗性攻击中,越来越多的研究尝试在图上附加恶意触发器以实施有效的后门攻击,中毒图参与训练后生成的后门模型能够将添加有触发器的图错误预测为攻击者指定的目标类别。随机平滑防御是一种提升图学习模型鲁棒性的有效方法,能消除有限触发器大小条件下的后门攻击影响。当攻击者使用较大的触发器时,虽然后门攻击能够经验性地逃避随机平滑防御,但是易于被检测。因此,如何使用尽可能小的触发器来达到可观的攻击性能,仍然是一个具有挑战性的问题。本文提出了一种使用更小触发器逃避随机平滑防御的子图后门攻击方法(简称SBA-ST),该方法以子图触发器的形式添加扰动,通过干扰对图分类任务影响度较高的节点,使得在随机平滑防御开启的情况下仍能够保持较强的攻击能力。具体来讲,SBA-ST引入图注意力网络(GAT)模型和高斯混合模型(GMM)聚类分析以设计一个最佳后门注入位置选择机制。此外,该方法采用Erd?s-Rényi(ER)随机图生成模型以降低子图后门触发器生成的计算复杂度,其中,模型的参数为节点数量和边生成概率。在5个公开数据集上的对比实验结果表明,SBA-ST获得了比SBA方法更高的后门分类准确率和平均攻击成功率,并能够使用比SBA明显更小的触发器大小来获得较小的后门攻击性能损失,从而验证了本文方法更佳的随机平滑防御逃避能力。 |
| 关键词: 图对抗学习 子图后门攻击 图分类 随机平滑认证 |
| DOI: |
| 投稿时间:2024-02-07修订日期:2024-05-31 |
| 基金项目:国家重点研发计划项目“科技创新2030”(2022ZD0209105),湖南省自然科学基金项目(2021JJ30779) |
|
| SBA-ST: A Subgraph Backdoor Attacking Method Using Smaller Triggers to Evade Randomized Smoothing Defense |
|
Wuxiaojie1, Liu Qiang1, Wang Yuheng1, Fu Zhangjie2,3
|
| (1.NationalUniversity of Defense Technology;2.Nanjing University of Information Science &3.Technology) |
| Abstract: |
| As graph neural networks (GNNs) rapidly advance in node classification and graph classification tasks, research into their security vulnerabilities has deepened. In the realm of adversarial attacks on graph classification, an in-creasing number of studies have attempted to implement effective backdoor attacks by attaching malicious triggers to graphs. The poisoned graphs, once included in training, lead the resulting backdoor models to misclassify trig-ger-containing graphs into attacker-specified target categories. Randomized smoothing defense is an effective method to enhance the robustness of graph learning models and it can eliminate the effects of backdoor attacks with limited trigger sizes. When adversaries use a large trigger size, although backdoor attacks can empirically evade the randomized smoothing defense mechanism, they are weak to be detected. Hence, how to achieve considerable at-tacking performance using a small enough trigger is still a challenging problem. In this paper, we propose a Sub-graph Backdoor Attacking method using Smaller Triggers to evade randomized smoothing defense called SBA-ST. The proposed method adds disturbance in the form of a subgraph trigger and disturbs the nodes that have high im-pacts on the graph classification task, so that it can maintain strong attacking capability even when the randomized smoothing defense is enabled. Specifically, SBA-ST introduces graph attention network (GAT) model and Gaussian mixture model clustering analysis to design a selection mechanism of the optimal backdoor injection position. Fur-thermore, the proposed method utilizes the Erd?s-Rényi (ER) random graph generation model, the parameters of which are the number of nodes and the probability of edge generation, to reduce the computational complexity of generating subgraph triggers. Comparative experiments over five public datasets show that, the SBA-ST method outperforms SBA in terms of backdoor classification accuracy and average success rate. Moreover, SBA-ST gains relatively small backdoor attacking performance loss with a significantly smaller trigger size compared to SBA, which demonstrates better evading ability of the proposed method in front of randomized smoothing defense. |
| Key words: Graph Adversarial Learning Subgraph Backdoor Attack Graph Classification Randomized Smoothing Certification |
