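SBA-ST: A Subgraph Backdoor Attack Method That Uses Smaller Triggers to Evade Randomized Smoothing Defense
WU Xiaojie, LIU Qiang, WANG Yuheng, FU Zhangjie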
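(College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China; School of Computer Science/School of Cyber Science and Engineering, Nanjing University of Information Science & Technology, Nanjing 210044, China)
Abstract:
With the rapid development of graph neural networks in node classification and graph classification tasks, research into their security vulnerabilities has deepened. Among adversarial attacks on graph classification, a growing number of studies attempt to attach malicious triggers to graphs in order to mount effective backdoor attacks; the backdoored model produced after poisoned graphs take part in training mispredicts graphs carrying the trigger as the attacker-specified target class. Randomized smoothing defense is an effective way to improve the robustness of graph learning models and can eliminate the effect of backdoor attacks under a limited trigger size. When the attacker uses a larger trigger, the backdoor attack can empirically evade randomized smoothing defense but is easy to detect. How to achieve considerable attack performance with as small a trigger as possible therefore remains a challenging problem. This paper proposes a subgraph backdoor attack method that uses smaller triggers to evade randomized smoothing defense (SBA-ST for short). The method adds perturbation in the form of a subgraph trigger and, by disturbing the nodes with high influence on the graph classification task, retains strong attack capability even when randomized smoothing defense is enabled. Specifically, SBA-ST introduces a graph attention network (GAT) model and Gaussian mixture model (GMM) clustering analysis to design a mechanism for selecting the best backdoor injection position. In addition, the method adopts the Erdős-Rényi (ER) random graph generation model, whose parameters are the number of nodes and the edge generation probability, to reduce the computational complexity of generating subgraph backdoor triggers. Comparative experiments on 5 public datasets show that SBA-ST achieves higher backdoor classification accuracy and average attack success rate than SBA, and can use a markedly smaller trigger than SBA while incurring a small loss in backdoor attack performance, which verifies the better ability of the proposed method to evade randomized smoothing defense.
Keywords:  graph adversarial learning  subgraph backdoor attack  graph classification  randomized smoothing certification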
DOI:10.19363/J.cnki.cn10-1380/tn.2025.11.06
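Received: 2024-02-07  Revised: 2024-05-31
Funding: This work was supported by the National Key R&D Program of China "Science and Technology Innovation 2030" (No. 2022ZD0209105) and the Natural Science Foundation of Hunan Province (No. 2021JJ30779).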
SBA-ST: A Subgraph Backdoor Attacking Method Using Smaller Triggers to Evade Randomized Smoothing Defense
WU Xiaojie, LIU Qiang, WANG Yuheng, FU Zhangjie
College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China; School of Computer Science/School of Cyber Science and Engineering, Nanjing University of Information Science & Technology, Nanjing 210044, China
Abstract:
As graph neural networks (GNNs) rapidly advance in node classification and graph classification tasks, research into their security vulnerabilities has deepened. In the realm of adversarial attacks on graph classification, an increasing number of studies have attempted to implement effective backdoor attacks by attaching malicious triggers to graphs. The poisoned graphs, once included in training, lead the resulting backdoor models to misclassify trigger-containing graphs into attacker-specified target categories. Randomized smoothing defense is an effective method to enhance the robustness of graph learning models, and it can eliminate the effects of backdoor attacks with limited trigger sizes. When adversaries use a large trigger, backdoor attacks can empirically evade the randomized smoothing defense mechanism, but they are easy to detect. Hence, how to achieve considerable attack performance with a sufficiently small trigger is still a challenging problem. In this paper, we propose a Subgraph Backdoor Attacking method using Smaller Triggers to evade randomized smoothing defense, called SBA-ST. The proposed method adds perturbation in the form of a subgraph trigger and disturbs the nodes that have a high impact on the graph classification task, so that it maintains strong attack capability even when the randomized smoothing defense is enabled. Specifically, SBA-ST introduces a graph attention network (GAT) model and Gaussian mixture model (GMM) clustering analysis to design a mechanism for selecting the optimal backdoor injection position. Furthermore, the proposed method utilizes the Erdős-Rényi (ER) random graph generation model, the parameters of which are the number of nodes and the probability of edge generation, to reduce the computational complexity of generating subgraph triggers. Comparative experiments over five public datasets show that SBA-ST outperforms SBA in terms of backdoor classification accuracy and average attack success rate. Moreover, SBA-ST incurs a relatively small loss in backdoor attack performance while using a significantly smaller trigger than SBA, which demonstrates the better ability of the proposed method to evade randomized smoothing defense.
Key words:  graph adversarial learning  subgraph backdoor attack  graph classification  randomized smoothing certification
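
The trade-off the abstract describes between trigger size and randomized smoothing can be measured from the defender's side with a few lines of code. This is an added example, not the authors' code. It assumes smoothing by independent edge subsampling with a majority vote, and it uses a constructed stub (`make_stub_model`, hypothetical) in place of a trained GNN; the 30-node graph, `rho` and `keep_prob` values are also constructed.

```python
import random
from itertools import combinations

def er_edges(nodes, rho, rng):
    """Erdős-Rényi edge set on `nodes`: each possible edge appears with probability rho."""
    return {e for e in combinations(sorted(nodes), 2) if rng.random() < rho}

def make_stub_model(trigger_nodes, min_edges=3):
    """Constructed stand-in for a backdoored classifier (assumption, not the paper's GNN):
    outputs target label 1 when at least min_edges edges among the trigger nodes are present."""
    tn = set(trigger_nodes)
    def classify(edges):
        hits = sum(1 for u, v in edges if u in tn and v in tn)
        return 1 if hits >= min_edges else 0
    return classify

def smoothed_vote_shares(classify, edges, keep_prob, n_samples, rng):
    """Randomized smoothing by edge subsampling: keep each edge independently with
    probability keep_prob, classify every noisy copy, return label -> share of votes."""
    counts = {}
    for _ in range(n_samples):
        noisy = {e for e in sorted(edges) if rng.random() < keep_prob}
        label = classify(noisy)
        counts[label] = counts.get(label, 0) + 1
    return {label: c / n_samples for label, c in counts.items()}

def target_share(trigger_size, keep_prob, rho=0.8, n_samples=2000, seed=0):
    """Share of smoothed votes that still land on the target label for a constructed
    30-node graph carrying an ER trigger on its first trigger_size nodes."""
    rng = random.Random(seed)
    host = er_edges(range(30), 0.1, rng)               # constructed clean graph
    trigger = er_edges(range(trigger_size), rho, rng)  # ER trigger: node count and edge probability
    model = make_stub_model(range(trigger_size))
    shares = smoothed_vote_shares(model, host | trigger, keep_prob, n_samples, rng)
    return shares.get(1, 0.0)

if __name__ == "__main__":
    for size in (3, 5, 8):
        for keep in (0.3, 0.5, 0.8):
            print(f"trigger nodes={size} keep_prob={keep}: "
                  f"target share={target_share(size, keep):.3f}")
```

The smoothed classifier outputs the label with the largest vote share, so a target share below 0.5 means the smoothing has neutralised the trigger at that `keep_prob`.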