A Clean-graph Backdoor Attack against Graph Convolutional Networks with Poisoned Label Only

TL;DR

This paper introduces a novel, stealthy backdoor attack on Graph Convolutional Networks that poisons only training labels, achieving high success rates without modifying training samples, thus exposing a new security vulnerability.

Contribution

It proposes a practical backdoor attack method that poisons labels only, enhancing stealthiness and effectiveness against GCNs in node classification tasks.

Findings

Achieves 99% attack success rate

Maintains model performance on benign samples

Requires no modification to training samples

Abstract

Graph Convolutional Networks (GCNs) have shown excellent performance in dealing with various graph structures such as node classification, graph classification and other tasks. However,recent studies have shown that GCNs are vulnerable to a novel threat known as backdoor attacks. However, all existing backdoor attacks in the graph domain require modifying the training samples to accomplish the backdoor injection, which may not be practical in many realistic scenarios where adversaries have no access to modify the training samples and may leads to the backdoor attack being detected easily. In order to explore the backdoor vulnerability of GCNs and create a more practical and stealthy backdoor attack method, this paper proposes a clean-graph backdoor attack against GCNs (CBAG) in the node classification task,which only poisons the training labels without any modification to the training samples, revealing that GCNs have this security vulnerability. Specifically, CBAG designs a new trigger exploration method to find important feature dimensions as the trigger patterns to improve the attack performance. By poisoning the training labels, a hidden backdoor is injected into the GCNs model. Experimental results show that our clean graph backdoor can achieve 99% attack success rate while maintaining the functionality of the GCNs model on benign samples.