基于对比学习的图神经网络后门攻击防御方法

doi:10.11959/j.issn.1000-436x.2023074

通信学报 ›› 2023, Vol. 44 ›› Issue (4): 154-166.doi: 10.11959/j.issn.1000-436x.2023074

基于对比学习的图神经网络后门攻击防御方法

陈晋音¹^,², 熊海洋², 马浩男², 郑雅羽²

¹ 浙江工业大学网络空间安全研究院，浙江杭州 310023
² 浙江工业大学信息工程学院，浙江杭州 310023

修回日期:2023-03-08 出版日期:2023-04-01 发布日期:2023-04-01
作者简介:陈晋音（1982- ），女，浙江象山人，博士，浙江工业大学教授、博士生导师，主要研究方向为人工智能安全、图数据挖掘和进化计算等
熊海洋（1998- ），男，江西南昌人，浙江工业大学硕士生，主要研究方向为深度学习、人工智能安全和图数据挖掘
马浩男（2000- ），男，浙江杭州人，浙江工业大学硕士生，主要研究方向为深度学习、人工智能安全和图数据挖掘
郑雅羽（1978- ），男，浙江温州人，博士，浙江工业大学副教授、硕士生导师，主要研究方向为嵌入式软硬件应用开发、视频图像处理算法、服务器网络技术等
基金资助:
国家自然科学基金资助项目(62072406);浙江省自然科学基金资助项目(LDQ23F020001);信息系统安全国家科技重点实验室基金资助项目(61421110502);浙江省重点研发计划基金资助项目(2022C01018)

CLB-Defense: based on contrastive learning defense for graph neural network against backdoor attack

Jinyin CHEN¹^,², Haiyang XIONG², Haonan MA², Yayu ZHENG²

¹ Institute of Cyberspace Security, Zhejiang University of Technology, Hangzhou 310023, China
² College of Information Engineering, Zhejiang University of Technology, Hangzhou 310023, China

Revised:2023-03-08 Online:2023-04-01 Published:2023-04-01
Supported by:
The National Natural Science Foundation of China(62072406);The Zhejiang Provincial Natural Science Foundation(LDQ23F020001);The Chinese National Key Laboratory of Science and Technology on Information System Secu-rity(61421110502);The Key Research and Development Program of Zhejiang Province(2022C01018)

摘要/Abstract

摘要：

针对现有的后门攻击防御方法难以处理非规则的非结构化的离散的图数据的问题，为了缓解图神经网络后门攻击的威胁，提出了一种基于对比学习的图神经网络后门攻击防御方法（CLB-Defense）。具体来说，基于对比学习无监督训练的对比模型查找可疑后门样本，采取图重要性指标以及标签平滑策略去除训练数据集中的扰动，实现对图后门攻击的防御。最终，在4个真实数据集和5主流后门攻击方法上展开防御验证，结果显示CLB-Defense能够平均降低75.66%的攻击成功率（与对比算法相比，改善了54.01%）。

关键词: 图神经网络, 后门攻击, 鲁棒性, 防御, 对比学习

Abstract:

For the problem that the existing backdoor attack defense methods are difficult to deal with irregular and unstructured discrete graph data to alleviate the threat of backdoor attacks, a backdoor attack defense method for GNN based on contrastive learning was proposed, namely CLB-Defense.Specifically, a contrastive model was built by using contrastive learning in an unsupervised way, which searches suspicious backdoored samples.Then the suspicious backdoored samples were reshaped by using the graph importance indexes and the label smoothing strategy, and the defense against graph backdoor attack was realized.Finally, extensive experimental results show that CLB-Defense realizes the effect of defense performance on four public datasets and five popular graph backdoor attacks, e.g., CLB-Defense can reduce the attack success rate by an average of 75.66% (compared with the baselines, an improvement of 54.01%).

Key words: graph neural network, backdoor attack, robustness, defense, contrastive learning

中图分类号:

TN92

陈晋音, 熊海洋, 马浩男, 郑雅羽. 基于对比学习的图神经网络后门攻击防御方法[J]. 通信学报, 2023, 44(4): 154-166.

Jinyin CHEN, Haiyang XIONG, Haonan MA, Yayu ZHENG. CLB-Defense: based on contrastive learning defense for graph neural network against backdoor attack[J]. Journal on Communications, 2023, 44(4): 154-166.

图/表 13

图1

图2

表1

表2

表3

表4

表5

图3

图4

图5

图6

表6

图8

参考文献 23

[1]	王璿, 张瑜, 周军锋 ,等. 基于社交网络的影响力最大化算法[J]. 通信学报, 2022,43(8): 151-163.
	WANG X , ZHANG Y , ZHOU J F ,et al. Influence maximization algorithm based on social network[J]. Journal on Communications, 2022,43(8): 151-163.
[2]	任永功, 张云鹏, 张志鹏 . 基于粗糙集规则提取的协同过滤推荐算法[J]. 通信学报, 2020,41(1): 76-83.
	REN Y G , ZHANG Y P , ZHANG Z P . Collaborative filtering recommendation algorithm based on rough set rule extraction[J]. Journal on Communications, 2020,41(1): 76-83.
[3]	XU K , HU W , LESKOVEC J ,et al. How powerful are graph neural networks?[J]. arXiv Preprint,arXiv:1810.00826, 2018.
[4]	QIU J Z , CHEN Q B , DONG Y X ,et al. GCC:graph contrastive coding for graph neural network pretraining[C]// Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery ＆Data Mining. New York:ACM Press, 2020: 1150-1160.
[5]	YOU Y N , CHEN T L , SUI Y D ,et al. Graph contrastive learning with augmentations[C]// Proceedings of the 34th International Conference on Neural Information Processing Systems.New York:Curran Associates Inc. , 2020: 5812-5823.
[6]	SURESH S , LI P , HAO C ,et al. Adversarial graph augmentation to improve graph contrastive learning[J]. arXiv Preprint,arXiv:2106.05819, 2021.
[7]	ZHANG Z X , JIA J Y , WANG B H ,et al. Backdoor attacks to graph neural networks[C]// Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. New York:ACM Press, 2021: 15-26.
[8]	XU J , XUE M , PICEK S . Explainability-based backdoor attacks against graph neural networks[C]// Proceedings of the 3rd ACM Workshop on Wireless Security and Machine Learning. New York:ACM Press, 2021: 31-36.
[9]	SHENG Y , CHEN R , CAI G Y ,et al. Backdoor attack of graph neural networks based on subgraph trigger[C]// International Conference on Collaborative Computing:Networking,Applications and Worksharing. Berlin:Springer, 2021: 276-296.
[10]	ZHENG H , XIONG H , CHEN J ,et al. Motif-backdoor:rethinking the backdoor attack on graph neural networks via motifs[J]. arXiv Preprint,arXiv:2210.13710, 2022.
[11]	XI Z H , PANG R , JI S L ,et al. Graph backdoor[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 1523-1540.
[12]	ZENG Y , PARK W , MAO Z M ,et al. Rethinking the backdoor attacks’ triggers:a frequency perspective[C]// Proceedings of 2021 IEEE/CVF International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2022: 16453-16461.
[13]	CHEN B , CARVALHO W , BARACALDO N ,et al. Detecting backdoor attacks on deep neural networks by activation clustering[J]. arXiv Preprint,arXiv:1811.03728, 2018.
[14]	WANG B L , YAO Y S , SHAN S ,et al. Neural cleanse:identifying and mitigating backdoor attacks in neural networks[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 707-723.
[15]	HASSANI K , KHASAHMADI A H . Contrastive multi-view representation learning on graphs[C]// Proceedings of the 37th International Conference on Machine Learning. New York:ACM Press, 2020: 4116-4126.
[16]	ZHU Y Q , XU Y C , YU F ,et al. Graph contrastive learning with adaptive augmentation[C]// Proceedings of the Web Conference 2021. New York:ACM Press, 2021: 2069-2080.
[17]	YOU Y N , CHEN T L , WANG Z Y ,et al. Bringing your own view:graph contrastive learning without prefabricated data augmentations[C]// Proceedings of the International Conference on Web Search＆ Data Mining International Conference on Web Search ＆ Data Mining. New York:ACM Press, 2022: 1300-1309.
[18]	窦家维, 葛雪, 王颖囡 . 保护隐私的曼哈顿距离计算及其推广应用[J]. 计算机学报, 2020,43(2): 352-365.
	DOU J W , GE X , WANG Y N . Secure Manhattan distance computation and its application[J]. Chinese Journal of Computers, 2020,43(2): 352-365.
[19]	黄海平, 王凯, 汤雄 ,等. 基于边介数模型的差分隐私保护方案[J]. 通信学报, 2019,40(5): 88-97.
	HUANG H P , WANG K , TANG X ,et al. Differential privacy protection scheme based on edge betweenness model[J]. Journal on Communications, 2019,40(5): 88-97.
[20]	NEWMAN M J . The structure and function of complex networks[J]. SIAM Review, 2003,45(2): 167-256.
[21]	WU H , WANG C , TYSHETSKIY Y ,et al. Adversarial examples on graph data:deep insights into attack and defense[J]. arXiv Preprint,arXiv:1903.01610, 2019.
[22]	LUKASIK M , BHOJANAPALLI S , MENON A K ,et al. Does label smoothing mitigate label noise?[C]// Proceedings of the 37th International Conference on Machine Learning. New York:ACM Press, 2020: 6448-6458.
[23]	TRAMèR F , BONEH D . Adversarial training and robustness for multiple perturbations[C]// Proceedings of the 33rd International Conference on Neural Information Processing Systems.New York:Curran Associates Inc. , 2019: 5866-5876.

数据集	图数量/个	平均节点数/个	连边数/条	图标签分布	目标类
PROTEINS	1 113	39.06	72.82	663[0],450[1]	1
AIDS	2 000	15.69	16.20	400[0],1 600[1]	0
NCI1	4 110	29.87	32.30	2 053[0],2 057[1]	0
DBLP_v1	19 456	10.48	19.65	9 530[0],9 926[1]	0

后门攻击方法	ASR					ADC					ACC
后门攻击方法	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense
ER-B	64.57%	29.41%± 2.19%	26.39%± 3.74%	23.86%± 2.58%	9.41%± 2.08%	—	83.06%± 2.07%	84.35%± 1.74%	84.78%± 1.54%	86.29%± 0.54%	71.16%	72.51%± 2.25%	73.16%± 2.71%	73.85%± 1.87%	74.24%± 1.03%
MIA	64.89%	26.72%%± 2.76%	17.48%± 2.04%	17.14%± 2.37%	4.54%± 1.08%	—	81.07%± 1.19%	79.58%± 1.12%	81.54%± 2.04%	82.28%± 0.57%	70.82%	70.73%± 2.58%	73.29%± 1.70%	73.54%± 1.67%	73.95%± 1.48%
MaxDCC	84.75%	58.82%± 3.29%	55.46%± 3.16%	48.76%± 3.28%	15.79%± 3.05%	—	90.95%± 2.35%	91.16%± 2.87%	91.27%± 2.23%	96.48%± 0.58%	72.06%	72.85%± 1.60%	72.92%± 1.16%	73.04%± 2.26%	74.39%± 0.36%
GTA	86.72%	24.98%± 2.35%	26.05%± 3.64%	18.64%± 1.15%	3.36%± 1.06%	—	92.06%± 0.31%	90.21%± 1.05%	92.53%± 1.41%	95.59%± 0.16%	71.56%	71.53%± 1.46%	72.13%± 1.28%	74.35%± 2.05%	74.76%± 1.21%
Motif-Backdoor	89.46%	75.62%± 2.37%	63.87%± 1.52%	61.27%± 2.06%	11.76%± 1.68%	—	88.21%± 1.92%	91.07%± 1.46%	92.81%± 3.17%	98.51%± 0.36%	71.43%	72.08%± 1.27%	73.26%± 1.32%	74.68%± 1.02%	75.03%± 1.34%

后门攻击方法	ASR					ADC					ACC
后门攻击方法	无防御无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense
ER-B	93.62%	73.33%± 0.53%	56.82%± 2.34%	48.32%± 2.53%	4.31%± 0.91%	—	72.89%± 1.18%	91.48%± 0.53%	83.67%± 1.98%	91.85%± 0.12%	96.28%	96.58%± 0.47%	96.92%± 0.63%	97.48%± 0.72%	98.46%± 0.18%
MIA	95.48%	81.87%± 1.52%	72.31%± 2.38%	70.81%± 1.32%	1.06%± 0.15%	—	88.05%± 0.95%	79.58%± 1.12%	92.26%± 1.13%	98.27%± 0.02%	96.85%	96.15%± 0.61%	96.98%± 0.46%	97.65%± 0.34%	98.39%± 0.23%
MaxDCC	96.57%	86.25%± 1.45%	79.75%± 0.96%	71.81%± 1.36%	8.63%± 1.25%	—	81.09%± 2.46%	82.65%± 0.83%	87.79%± 0.72%	96.14%± 0.16%	98.12%	98.34%± 0.54%	98.52%± 0.47%	98.64%± 0.79%	98.72%± 0.62%
GTA	98.52%	89.06%± 1.57%	88.82%± 1.39%	85.75%± 1.42%	7.94%± 2.11%	—	90.56%± 0.43%	90.97%± 0.56%	92.89%± 0.42%	99.76%± 0.05%	97.39%	97.58%± 0.45%	97.92%± 0.73%	98.41%± 0.48%	98.74%± 0.27%
Motif-Backdoor	99.86%	90.75%± 1.62%	88.72%± 1.82%	82.93%± 1.06%	20.63%± 2.12%	—	85.72%± 2.18%	87.68%± 1.86%	95.87%± 0.68%	99.89%± 0.03%	97.64%	97.83%± 0.64%	97.92%± 0.58%	98.25%± 0.62%	98.68%± 0.34%

后门攻击方法	ASR					ADC					ACC
后门攻击方法	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense
ER-B	78.32%	72.25%± 2.64%	62.97%± 2.65%	55.07%± 2.08%	45.39%± 2.51%	—	85.85%± 2.18%	98.50%± 0.57%	98.45%± 0.37%	99.25%± 0.08%	73.85%	73.04%± 0.61%	74.57%± 1.02%	75.38%± 1.53%	75.74%± 1.08%
MIA	96.98%	87.63%± 2.32%	72.85%± 1.29%	71.59%± 2.13%	57.53%± 2.18%	—	78.52%± 2.51%	93.73%± 2.16%	96.24%± 1.35%	98.07%± 0.17%	73.36%	74.09%± 0.55%	75.47%± 1.12%	75.78%± 0.48%	76.06%± 0.12%
MaxDCC	98.95%	78.54%± 1.86%	62.07%± 2.38%	60.25%± 1.98%	42.47%± 2.53%	—	84.67%± 2.48%	99.03%± 0.16%	99.39%± 0.34%	99.92%± 0.07%	74.38%	75.03%± 0.82%	75.64%± 1.17%	75.78%± 1.54%	76.53%± 0.63%
GTA	100%	74.25%± 1.26%	72.31%± 3.01%	69.40%± 3.12%	46.48%± 1.87%%	—	91.34%± 0.24%	92.46%± 0.73%	96.24%± 1.35%	99.54%± 0.13%	74.05%	74.67%± 0.59%	75.18%± 0.43%	76.30%± 0.48%	76.87%± 0.76%
Motif-Backdoor	100%	92.64%± 2.37%	82.86%± 2.38%	81.64%± 2.72%	48.94%± 2.38%	—	75.63%± 2.16%	96.29%± 0.80%	98.15%± 0.79%	99.46%± 0.21%	73.25%	73.82%± 0.96%	75.35%± 1.33%	75.40%± 0.72%	75.78%± 0.57%

后门攻击方法	ASR					ADC					ACC
后门攻击方法	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense	无防御	JaccardBased	LabelSmooth	AdvTraining	CLBDefense
ER-B	41.28%	21.57%± 2.58%	20.28%± 1.73%	17.03%± 2.24%	15.28%± 1.35%	—	75.01%± 2.43%	78.39%± 2.52%	78.54%± 3.26%	80.11%± 0.15%	78.52%	78.92%± 0.12%	79.05%± 0.17%	79.83%± 0.28%	80.01%± 0.19%
MIA	43.65%	15.17%± 0.47%	13.05%± 2.72%	11.04%± 1.73%	10.84%± 1.04%	—	66.98%± 0.17%	68.95%± 0.92%	70.53%± 0.54%	72.20%± 0.58%	78.46%	78.86%± 0.23%	78.25%± 0.71%	79.90%± 0.46%	79.98%± 0.38%
MaxDCC	62.86%	22.54%± 2.46%	26.79%± 3.24%	23.25%± 2.23%	9.45%± 1.02%	—	84.11%± 1.38%	82.17%± 0.68%	84.98%± 1.94%	86.03%± 0.18%	79.23%	78.95%± 0.75%	78.39%± 0.86%	79.36%± 0.77%	79.87%± 0.54%
GTA	68.42%	18.95%± 1.16%	15.74%± 1.19%	13.59%± 1.05%	10.28%± 0.87%	—	85.94%± 0.15%	86.23%± 0.62%	86.42%± 0.38%	87.19%± 0.48%	78.49%	78.06%± 0.28%	78.26%± 0.67%	79.65%± 0.52%	79.93%± 0.51%
Motif-Backdoor	71.84%	52.78%± 1.07%	46.92%± 1.25%	45.76%± 2.87%	24.39%± 0.56%	—	85.91%± 0.25%	86.73%± 1.26%	86.94%± 2.04%	91.69%± 0.21%	78.85%	79.20%± 0.12%	80.18%± 0.08%	80.23%± 0.16%	80.48%± 0.17%

基于对比学习的图神经网络后门攻击防御方法

CLB-Defense: based on contrastive learning defense for graph neural network against backdoor attack

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 23

相关文章 15

Metrics

推荐阅读 0

防御方法	时间/s
防御方法	PROTEINS	AIDS	NCI1	DBLP_v1
Jaccard-Based	4.88	2.36	6.08	25.55
Label-Smooth	1.34	0.93	2.14	6.86
Adv-Training	2.62	1.45	6.76	14.98
CLB-Defense	130.48	116.7	125.63	135.45

[1]	刘盈泽, 郭渊博, 方晨, 李勇飞, 陈庆礼. 基于有限理性的网络防御策略智能规划方法[J]. 通信学报, 2023, 44(5): 52-63.
[2]	余晟兴, 陈泽凯, 陈钟, 刘西蒙. DAGUARD：联邦学习下的分布式后门攻击防御方案[J]. 通信学报, 2023, 44(5): 110-122.
[3]	周大成, 陈鸿昶, 何威振, 程国振, 扈红超. 基于深度强化学习的微服务多维动态防御策略研究[J]. 通信学报, 2023, 44(4): 50-63.
[4]	王一丰, 郭渊博, 陈庆礼, 方晨, 林韧昊, 周永良, 马佳利. 基于对比增量学习的细粒度恶意流量分类方法[J]. 通信学报, 2023, 44(3): 1-11.
[5]	张进, 葛强, 徐伟海, 江逸茗, 马海龙, 于洪涛. 拟态路由器BGP代理的设计实现与形式化验证[J]. 通信学报, 2023, 44(3): 33-44.
[6]	何世文, 袁军, 安振宇, 张敏, 黄永明, 张尧学. 基于图神经网络的联合用户调度与波束成形优化算法[J]. 通信学报, 2022, 43(7): 73-84.
[7]	冷涛, 蔡利君, 于爱民, 朱子元, 马建刚, 李超飞, 牛瑞丞, 孟丹. 基于系统溯源图的威胁发现与取证分析综述[J]. 通信学报, 2022, 43(7): 172-188.
[8]	周大成, 陈鸿昶, 程国振, 何威振, 商珂, 扈红超. 面向持久性连接的自适应拟态表决器设计与实现[J]. 通信学报, 2022, 43(6): 71-84.
[9]	贾洪勇, 潘云飞, 刘文贺, 曾俊杰, 张建辉. 基于高阶异构度的执行体动态调度算法[J]. 通信学报, 2022, 43(3): 233-245.
[10]	王一丰, 郭渊博, 陈庆礼, 方晨, 林韧昊. 基于对比学习的细粒度未知恶意流量分类方法[J]. 通信学报, 2022, 43(10): 12-25.
[11]	冯智斌, 徐煜华, 杜智勇, 刘鑫, 李文, 韩昊, 张晓博. 对抗智能干扰的主动防御技术[J]. 通信学报, 2022, 43(10): 42-54.
[12]	陈晋音, 胡书隆, 邢长友, 张国敏. 面向智能渗透攻击的欺骗防御方法[J]. 通信学报, 2022, 43(10): 106-120.
[13]	吴翼腾, 刘伟, 于洪涛. 图神经网络的标签翻转对抗攻击[J]. 通信学报, 2021, 42(9): 65-74.
[14]	杨毅宇, 周威, 赵尚儒, 刘聪, 张宇辉, 王鹤, 王文杰, 张玉清. 物联网安全研究综述：威胁、检测与防御[J]. 通信学报, 2021, 42(8): 188-205.
[15]	仝青, 郭云飞, 霍树民, 王亚文, 蔄羽佳, 张凯. 自适应的时空多样性联合调度策略设计[J]. 通信学报, 2021, 42(7): 12-24.