Graph Convolutional Networks (GCNs) have shown excellent performance in graph-structured tasks such as node classification and graph classification. However, recent research has shown that GCNs are vulnerable to a new type of threat called the backdoor attack, in which the adversary injects a hidden backdoor into the GCN so that the backdoored model performs well on benign samples, whereas its prediction is maliciously changed to the attacker-specified target label when the hidden backdoor is activated by the attacker-defined trigger. The clean-label backdoor attack and the semantic backdoor attack are two new backdoor attacks on Deep Neural Networks (DNNs); they are more imperceptible and pose new and serious threats. The semantic and clean-label backdoor attack has not been fully explored in GCNs. In this paper, we propose a semantic and clean-label backdoor attack (SCLBA) against GCNs in the context of graph classification to reveal the existence of this security vulnerability in GCNs. Specifically, SCLBA conducts an importance analysis on graph samples to select one type of node as the semantic trigger, which is then inserted into the graph samples to create poisoning samples, without changing the labels of the poisoning samples to the attacker-specified target label. We evaluate SCLBA on multiple datasets, and the results show that SCLBA can achieve attack success rates close to 99% with poisoning rates of less than 3%, and with almost no impact on the model's performance on benign samples.