Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies' similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs.

翻译：后门攻击已被证明是机器学习模型的一种安全威胁。传统后门攻击旨在将后门功能注入模型，使得被植入后门的模型在带有预定义后门触发器的输入上表现异常，同时仍能在干净输入上保持最先进的性能。尽管已有一些关于图神经网络（GNN）后门攻击的研究，但在图领域中，后门触发器大多被注入样本的随机位置。目前尚无工作分析和解释将触发器注入样本中最重要或最不重要区域（我们分别称之为MIAS和LIAS策略）时的后门攻击性能。我们的结果表明，总体而言，LIAS策略表现更优，且LIAS与MIAS策略的性能差异可能显著。此外，我们通过解释技术阐明了这两种策略相似（更优）的攻击性能，从而进一步加深了对GNN后门攻击的理解。