In this work, we propose the first backdoor attack on graph neural networks (GNNs). Specifically, we propose a \emph{subgraph-based backdoor attack} on GNNs for graph classification. In our backdoor attack, a GNN classifier predicts an attacker-chosen target label for a testing graph once a predefined subgraph is injected into the testing graph. Our empirical results on three real-world graph datasets show that our backdoor attacks are effective while having a small impact on a GNN's prediction accuracy for clean testing graphs. Moreover, we generalize a randomized-smoothing-based certified defense to defend against our backdoor attacks. Our empirical results show that the defense is effective in some cases but ineffective in others, highlighting the need for new defenses against our backdoor attacks.
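To make the trigger-injection step concrete, here is a minimal sketch of injecting a predefined subgraph trigger into a test graph. All names here (`inject_trigger`, the dict-of-sets graph representation, the particular trigger pattern) are illustrative assumptions, not the paper's exact implementation: a fixed number of victim nodes is sampled, their mutual edges are erased, and the trigger's edge pattern is wired in among them.

```python
import random

def inject_trigger(adj, trigger_edges, trigger_size, rng):
    """Return a copy of the undirected graph `adj` (node -> set of neighbors)
    with a trigger subgraph injected: `trigger_size` victim nodes are sampled,
    their mutual edges erased, and the trigger's edge pattern wired in.
    Illustrative sketch only; not the paper's exact method."""
    g = {u: set(vs) for u, vs in adj.items()}
    victims = rng.sample(sorted(g), trigger_size)
    # Erase any existing edges among the chosen victim nodes.
    for i, u in enumerate(victims):
        for v in victims[i + 1:]:
            g[u].discard(v)
            g[v].discard(u)
    # Wire in the trigger pattern (trigger nodes 0..k-1 map onto the victims).
    for a, b in trigger_edges:
        u, v = victims[a], victims[b]
        g[u].add(v)
        g[v].add(u)
    return g

# Example: a 4-node trigger injected into a random 10-node test graph.
rng = random.Random(0)
graph = {u: set() for u in range(10)}
for u in range(10):
    for v in range(u + 1, 10):
        if rng.random() < 0.3:
            graph[u].add(v)
            graph[v].add(u)
trigger = [(0, 1), (0, 2), (1, 2), (1, 3), (2, 3)]
backdoored = inject_trigger(graph, trigger, 4, rng)
```

After injection, the induced subgraph on the victim nodes matches the trigger exactly, which is what lets the poisoned GNN associate that pattern with the target label.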