Rethinking Graph Backdoor Attacks: A Distribution-Preserving Perspective

TL;DR

This paper proposes a novel approach to graph backdoor attacks that generates in-distribution triggers, making them less detectable and more effective against defenses, by combining outlier detection with adversarial learning.

Contribution

It introduces a new method for creating in-distribution triggers for graph backdoor attacks, enhancing stealth and attack success rate over existing out-of-distribution trigger methods.

Findings

In-distribution triggers bypass existing defenses effectively.

The proposed method achieves high attack success rates.

Triggers are less detectable by outlier detection methods.

Abstract

Graph Neural Networks (GNNs) have shown remarkable performance in various tasks. However, recent works reveal that GNNs are vulnerable to backdoor attacks. Generally, backdoor attack poisons the graph by attaching backdoor triggers and the target class label to a set of nodes in the training graph. A GNN trained on the poisoned graph will then be misled to predict test nodes attached with trigger to the target class. Despite their effectiveness, our empirical analysis shows that triggers generated by existing methods tend to be out-of-distribution (OOD), which significantly differ from the clean data. Hence, these injected triggers can be easily detected and pruned with widely used outlier detection methods in real-world applications. Therefore, in this paper, we study a novel problem of unnoticeable graph backdoor attacks with in-distribution (ID) triggers. To generate ID triggers, we introduce an OOD detector in conjunction with an adversarial learning strategy to generate the attributes of the triggers within distribution. To ensure a high attack success rate with ID triggers, we introduce novel modules designed to enhance trigger memorization by the victim model trained on poisoned graph. Extensive experiments on real-world datasets demonstrate the effectiveness of the proposed method in generating in distribution triggers that can by-pass various defense strategies while maintaining a high attack success rate.