Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies' similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs.

翻译：后门攻击已被证明是机器学习模型的一种安全威胁。传统后门攻击旨在将后门功能注入模型，使得被植入后门的模型在含有预定义后门触发器的输入上表现异常，同时在干净输入上仍保持最先进的性能。尽管已有一些关于图神经网络（GNNs）后门攻击的研究，但图领域中的后门触发器大多被注入到样本的随机位置。目前尚无工作分析和解释将触发器注入样本中最重要的区域或最不重要的区域（分别称为MIAS和LIAS触发器注入策略）时的后门攻击性能。我们的结果表明，通常情况下LIAS表现更好，并且LIAS与MIAS性能之间的差异可能显著。此外，我们通过解释技术阐明了这两种策略相似（更优）的攻击性能，从而加深了对GNNs中后门攻击的理解。