Journal on Communications, 2023, Vol. 44, Issue (4): 154-166. doi: 10.11959/j.issn.1000-436x.2023074
Jinyin CHEN1,2, Haiyang XIONG2, Haonan MA2, Yayu ZHENG2
Revised: 2023-03-08
Online: 2023-04-01
Published: 2023-04-01
About the author: Jinyin CHEN (1982- ), female, born in Xiangshan, Zhejiang, Ph.D., professor and doctoral supervisor at Zhejiang University of Technology. Her main research interests include artificial intelligence security, graph data mining and evolutionary computation.
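Abstract:
Existing backdoor defense methods have difficulty handling irregular, unstructured, discrete graph data. To mitigate the threat of backdoor attacks on graph neural networks, a contrastive-learning-based defense method against graph neural network backdoor attacks (CLB-Defense) is proposed. Specifically, a contrastive model trained without supervision through contrastive learning is used to find suspicious backdoor samples, and a graph importance index together with a label smoothing strategy is used to remove the perturbations from the training dataset, thereby defending against graph backdoor attacks. Finally, the defense was validated on 4 real-world datasets against 5 mainstream backdoor attack methods. The results show that CLB-Defense reduces the attack success rate by 75.66% on average (an improvement of 54.01% over the compared algorithms).
Cite this article:
Jinyin CHEN, Haiyang XIONG, Haonan MA, Yayu ZHENG. CLB-Defense: based on contrastive learning defense for graph neural network against backdoor attack[J]. Journal on Communications, 2023, 44(4): 154-166.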
Table 2
Defense performance of different defense methods on the PROTEINS dataset

| Backdoor attack method | ASR: No defense | ASR: JaccardBased | ASR: LabelSmooth | ASR: AdvTraining | ASR: CLBDefense | ADC: No defense | ADC: JaccardBased | ADC: LabelSmooth | ADC: AdvTraining | ADC: CLBDefense | ACC: No defense | ACC: JaccardBased | ACC: LabelSmooth | ACC: AdvTraining | ACC: CLBDefense |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ER-B | 64.57% | 29.41% ± 2.19% | 26.39% ± 3.74% | 23.86% ± 2.58% | 9.41% ± 2.08% | — | 83.06% ± 2.07% | 84.35% ± 1.74% | 84.78% ± 1.54% | 86.29% ± 0.54% | 71.16% | 72.51% ± 2.25% | 73.16% ± 2.71% | 73.85% ± 1.87% | 74.24% ± 1.03% |
| MIA | 64.89% | 26.72% ± 2.76% | 17.48% ± 2.04% | 17.14% ± 2.37% | 4.54% ± 1.08% | — | 81.07% ± 1.19% | 79.58% ± 1.12% | 81.54% ± 2.04% | 82.28% ± 0.57% | 70.82% | 70.73% ± 2.58% | 73.29% ± 1.70% | 73.54% ± 1.67% | 73.95% ± 1.48% |
| MaxDCC | 84.75% | 58.82% ± 3.29% | 55.46% ± 3.16% | 48.76% ± 3.28% | 15.79% ± 3.05% | — | 90.95% ± 2.35% | 91.16% ± 2.87% | 91.27% ± 2.23% | 96.48% ± 0.58% | 72.06% | 72.85% ± 1.60% | 72.92% ± 1.16% | 73.04% ± 2.26% | 74.39% ± 0.36% |
| GTA | 86.72% | 24.98% ± 2.35% | 26.05% ± 3.64% | 18.64% ± 1.15% | 3.36% ± 1.06% | — | 92.06% ± 0.31% | 90.21% ± 1.05% | 92.53% ± 1.41% | 95.59% ± 0.16% | 71.56% | 71.53% ± 1.46% | 72.13% ± 1.28% | 74.35% ± 2.05% | 74.76% ± 1.21% |
| Motif-Backdoor | 89.46% | 75.62% ± 2.37% | 63.87% ± 1.52% | 61.27% ± 2.06% | 11.76% ± 1.68% | — | 88.21% ± 1.92% | 91.07% ± 1.46% | 92.81% ± 3.17% | 98.51% ± 0.36% | 71.43% | 72.08% ± 1.27% | 73.26% ± 1.32% | 74.68% ± 1.02% | 75.03% ± 1.34% |
Table 3
Defense performance of different defense methods on the AIDS dataset

| Backdoor attack method | ASR: No defense | ASR: JaccardBased | ASR: LabelSmooth | ASR: AdvTraining | ASR: CLBDefense | ADC: No defense | ADC: JaccardBased | ADC: LabelSmooth | ADC: AdvTraining | ADC: CLBDefense | ACC: No defense | ACC: JaccardBased | ACC: LabelSmooth | ACC: AdvTraining | ACC: CLBDefense |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ER-B | 93.62% | 73.33% ± 0.53% | 56.82% ± 2.34% | 48.32% ± 2.53% | 4.31% ± 0.91% | — | 72.89% ± 1.18% | 91.48% ± 0.53% | 83.67% ± 1.98% | 91.85% ± 0.12% | 96.28% | 96.58% ± 0.47% | 96.92% ± 0.63% | 97.48% ± 0.72% | 98.46% ± 0.18% |
| MIA | 95.48% | 81.87% ± 1.52% | 72.31% ± 2.38% | 70.81% ± 1.32% | 1.06% ± 0.15% | — | 88.05% ± 0.95% | 79.58% ± 1.12% | 92.26% ± 1.13% | 98.27% ± 0.02% | 96.85% | 96.15% ± 0.61% | 96.98% ± 0.46% | 97.65% ± 0.34% | 98.39% ± 0.23% |
| MaxDCC | 96.57% | 86.25% ± 1.45% | 79.75% ± 0.96% | 71.81% ± 1.36% | 8.63% ± 1.25% | — | 81.09% ± 2.46% | 82.65% ± 0.83% | 87.79% ± 0.72% | 96.14% ± 0.16% | 98.12% | 98.34% ± 0.54% | 98.52% ± 0.47% | 98.64% ± 0.79% | 98.72% ± 0.62% |
| GTA | 98.52% | 89.06% ± 1.57% | 88.82% ± 1.39% | 85.75% ± 1.42% | 7.94% ± 2.11% | — | 90.56% ± 0.43% | 90.97% ± 0.56% | 92.89% ± 0.42% | 99.76% ± 0.05% | 97.39% | 97.58% ± 0.45% | 97.92% ± 0.73% | 98.41% ± 0.48% | 98.74% ± 0.27% |
| Motif-Backdoor | 99.86% | 90.75% ± 1.62% | 88.72% ± 1.82% | 82.93% ± 1.06% | 20.63% ± 2.12% | — | 85.72% ± 2.18% | 87.68% ± 1.86% | 95.87% ± 0.68% | 99.89% ± 0.03% | 97.64% | 97.83% ± 0.64% | 97.92% ± 0.58% | 98.25% ± 0.62% | 98.68% ± 0.34% |
Table 4
Defense performance of different defense methods on the NCI1 dataset

| Backdoor attack method | ASR: No defense | ASR: JaccardBased | ASR: LabelSmooth | ASR: AdvTraining | ASR: CLBDefense | ADC: No defense | ADC: JaccardBased | ADC: LabelSmooth | ADC: AdvTraining | ADC: CLBDefense | ACC: No defense | ACC: JaccardBased | ACC: LabelSmooth | ACC: AdvTraining | ACC: CLBDefense |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ER-B | 78.32% | 72.25% ± 2.64% | 62.97% ± 2.65% | 55.07% ± 2.08% | 45.39% ± 2.51% | — | 85.85% ± 2.18% | 98.50% ± 0.57% | 98.45% ± 0.37% | 99.25% ± 0.08% | 73.85% | 73.04% ± 0.61% | 74.57% ± 1.02% | 75.38% ± 1.53% | 75.74% ± 1.08% |
| MIA | 96.98% | 87.63% ± 2.32% | 72.85% ± 1.29% | 71.59% ± 2.13% | 57.53% ± 2.18% | — | 78.52% ± 2.51% | 93.73% ± 2.16% | 96.24% ± 1.35% | 98.07% ± 0.17% | 73.36% | 74.09% ± 0.55% | 75.47% ± 1.12% | 75.78% ± 0.48% | 76.06% ± 0.12% |
| MaxDCC | 98.95% | 78.54% ± 1.86% | 62.07% ± 2.38% | 60.25% ± 1.98% | 42.47% ± 2.53% | — | 84.67% ± 2.48% | 99.03% ± 0.16% | 99.39% ± 0.34% | 99.92% ± 0.07% | 74.38% | 75.03% ± 0.82% | 75.64% ± 1.17% | 75.78% ± 1.54% | 76.53% ± 0.63% |
| GTA | 100% | 74.25% ± 1.26% | 72.31% ± 3.01% | 69.40% ± 3.12% | 46.48% ± 1.87% | — | 91.34% ± 0.24% | 92.46% ± 0.73% | 96.24% ± 1.35% | 99.54% ± 0.13% | 74.05% | 74.67% ± 0.59% | 75.18% ± 0.43% | 76.30% ± 0.48% | 76.87% ± 0.76% |
| Motif-Backdoor | 100% | 92.64% ± 2.37% | 82.86% ± 2.38% | 81.64% ± 2.72% | 48.94% ± 2.38% | — | 75.63% ± 2.16% | 96.29% ± 0.80% | 98.15% ± 0.79% | 99.46% ± 0.21% | 73.25% | 73.82% ± 0.96% | 75.35% ± 1.33% | 75.40% ± 0.72% | 75.78% ± 0.57% |
Table 5
Defense performance of different defense methods on the DBLP_v1 dataset

| Backdoor attack method | ASR: No defense | ASR: JaccardBased | ASR: LabelSmooth | ASR: AdvTraining | ASR: CLBDefense | ADC: No defense | ADC: JaccardBased | ADC: LabelSmooth | ADC: AdvTraining | ADC: CLBDefense | ACC: No defense | ACC: JaccardBased | ACC: LabelSmooth | ACC: AdvTraining | ACC: CLBDefense |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ER-B | 41.28% | 21.57% ± 2.58% | 20.28% ± 1.73% | 17.03% ± 2.24% | 15.28% ± 1.35% | — | 75.01% ± 2.43% | 78.39% ± 2.52% | 78.54% ± 3.26% | 80.11% ± 0.15% | 78.52% | 78.92% ± 0.12% | 79.05% ± 0.17% | 79.83% ± 0.28% | 80.01% ± 0.19% |
| MIA | 43.65% | 15.17% ± 0.47% | 13.05% ± 2.72% | 11.04% ± 1.73% | 10.84% ± 1.04% | — | 66.98% ± 0.17% | 68.95% ± 0.92% | 70.53% ± 0.54% | 72.20% ± 0.58% | 78.46% | 78.86% ± 0.23% | 78.25% ± 0.71% | 79.90% ± 0.46% | 79.98% ± 0.38% |
| MaxDCC | 62.86% | 22.54% ± 2.46% | 26.79% ± 3.24% | 23.25% ± 2.23% | 9.45% ± 1.02% | — | 84.11% ± 1.38% | 82.17% ± 0.68% | 84.98% ± 1.94% | 86.03% ± 0.18% | 79.23% | 78.95% ± 0.75% | 78.39% ± 0.86% | 79.36% ± 0.77% | 79.87% ± 0.54% |
| GTA | 68.42% | 18.95% ± 1.16% | 15.74% ± 1.19% | 13.59% ± 1.05% | 10.28% ± 0.87% | — | 85.94% ± 0.15% | 86.23% ± 0.62% | 86.42% ± 0.38% | 87.19% ± 0.48% | 78.49% | 78.06% ± 0.28% | 78.26% ± 0.67% | 79.65% ± 0.52% | 79.93% ± 0.51% |
| Motif-Backdoor | 71.84% | 52.78% ± 1.07% | 46.92% ± 1.25% | 45.76% ± 2.87% | 24.39% ± 0.56% | — | 85.91% ± 0.25% | 86.73% ± 1.26% | 86.94% ± 2.04% | 91.69% ± 0.21% | 78.85% | 79.20% ± 0.12% | 80.18% ± 0.08% | 80.23% ± 0.16% | 80.48% ± 0.17% |