BadImplant: Injection-based Multi-Targeted Graph Backdoor Attack
Summary: arXiv:2601.15474v2 Announce Type: replace-cross
Graph neural networks (GNNs) have revolutionized various domains by offering exceptional performance in solving complex problems. However, recent research has highlighted their vulnerability to backdoor attacks, which can significantly compromise their integrity and reliability. In particular, existing studies have primarily focused on single-target attacks that utilize subgraph replacement mechanisms, where only one trigger is implanted into the GNN model.
In this groundbreaking paper, researchers introduce the first multi-targeted backdoor attack specifically designed for graph classification tasks. This innovative approach allows for the simultaneous redirection of predictions to multiple target labels using multiple triggers. Instead of relying on subgraph replacement, which often disrupts the original graph structure, the authors propose a subgraph injection method. This technique preserves the integrity of the clean graphs while effectively poisoning them.
Key Findings and Methodology
The researchers conducted extensive experiments to evaluate the effectiveness of their proposed method. The results reveal that their multi-targeted attack achieves high success rates across all target labels while maintaining minimal impact on the accuracy of clean data. The experiments were performed on five distinct datasets, demonstrating the robustness and superior performance of this attack framework compared to conventional subgraph replacement-based approaches.
The analysis extended to four different GNN models, confirming the generalization capability of the multi-targeted backdoor attack. The findings indicate that the attack remains effective irrespective of the GNN model architecture or the settings of training parameters.
Impact of Attack Design Parameters
The researchers also conducted a detailed investigation into various design parameters influencing the attack, including:
- Injection methods
- Number of connections
- Trigger sizes
- Trigger edge density
- Poisoning ratios
Understanding these parameters is critical for optimizing the attack’s efficacy and crafting more resilient GNN models against such vulnerabilities.
Evaluation Against State-of-the-Art Defenses
The evaluation of the multi-targeted attacks included testing against advanced defenses such as randomized smoothing and fine-pruning techniques. The results highlighted the robustness of the proposed attack framework, underscoring the ongoing challenges in securing GNNs against backdoor threats.
Conclusion
This research sheds light on the vulnerabilities of GNNs to multi-targeted backdoor attacks in graph classification tasks. The implications are significant, calling for a reevaluation of defenses in the field to ensure the integrity and reliability of GNN applications. For those interested in exploring the source codes for this research, they will be made available at GitHub.