Heterohba Enables Stealthy Backdoor Poisoning on Heterogeneous Graphs Via Generative Feature Synthesis

Heterogeneous graph neural networks excel in diverse applications, but their vulnerability to subtle, targeted manipulation remains largely unexplored, creating a significant security gap. Honglin Gao, Lan Zhao, and Ren Junhao, from Nanyang Technological University, along with Xiang Li and Gaoxi Xiao, address this challenge by demonstrating a new method for injecting malicious ‘backdoors’ into these networks. Their research introduces HeteroHBA, a generative framework that strategically alters graph structures and feature data, causing the system to misclassify specific nodes according to the attacker’s intent, while maintaining overall performance. The team achieves this by carefully selecting influential connections and crafting realistic trigger patterns, enhancing both the effectiveness and stealth of the attack, and importantly, demonstrating its resilience even against existing defence mechanisms, thus highlighting a critical need for improved security measures in heterogeneous graph learning.

The attack focuses on adding or modifying edges to cause misclassification of specific nodes when a trigger is present, while maintaining overall accuracy. A key feature is the use of a generator network to create malicious edges, and the process involves identifying target nodes and constructing a candidate pool of connections. The team employs bi-level optimization to train the generator, optimizing both the generator itself and a surrogate model to maximize attack success and stealthiness.

To mitigate this threat, scientists developed Cluster-based Structural Defense (CSD), a strategy to detect and remove the structural changes introduced by the attack. CSD performs clustering on node features within each node type, identifying suspicious clusters with low size and high separation ratio, which likely represent the injected backdoor. These suspicious clusters are then pruned by removing connected edges, and the labels of affected nodes are corrected using majority voting among their neighbors. The method involves detailed algorithms for both the attack and defense, including calculations for saliency scores, trigger generation, and loss functions. Experiments were conducted using datasets like ACM, DBLP, and IMDB, and models including HGT, HAN, SimpleHGN, and MAGNN, demonstrating the effectiveness of HeteroHBA and the potential of CSD as a defense mechanism.

Targeted Backdoors in Heterogeneous Graph Networks

Researchers pioneered HeteroHBA, a generative framework to introduce targeted backdoors into heterogeneous graph neural networks, addressing a critical security gap in these complex graph structures. Unlike previous work focused on homogeneous graphs, this methodology subtly manipulates the graph during training to control model predictions, causing misclassification of specific nodes to attacker-defined labels while preserving overall accuracy. The team engineered a two-stage process for trigger attachment, beginning with saliency-based screening to identify influential neighbors and maximizing the impact of injected triggers. This generative approach adapts to the unique characteristics of each node and its relationships, synthesizing diverse trigger features and connection patterns.

Stealth is further improved by combining Adaptive Instance Normalization with a Maximum Mean Discrepancy loss, aligning trigger features with benign data to minimize detectability. Optimization employs a bilevel objective, simultaneously promoting attack success and preserving clean accuracy, crucial for real-world applicability. Experiments on benchmark datasets with representative HGNN architectures consistently demonstrate higher attack success rates than existing methods, while maintaining comparable accuracy. The team also developed Cluster-based Structural Defense (CSD) to evaluate the robustness of heterogeneous graphs against this novel attack.

HeteroHBA Achieves Stealthy Graph Neural Network Backdoors

Scientists have developed HeteroHBA, a generative framework to introduce targeted backdoors into heterogeneous graph neural networks, demonstrating a significant advancement in stealth and effectiveness. This research addresses a critical security vulnerability in complex graph-based systems, such as those used in financial modeling and recommendation engines, by manipulating training data to subtly alter a model’s behavior. The method strategically selects influential neighboring nodes and synthesizes diverse trigger features, embedding the backdoor within the graph’s structure. Experiments reveal that HeteroHBA achieves higher attack success while maintaining comparable or improved clean accuracy, a crucial metric for avoiding detection.

The framework utilizes an explanation-based screening process to identify key auxiliary neighbors for trigger attachment, maximizing the attack’s impact. To further enhance stealth, scientists combined Adaptive Instance Normalization with a Maximum Mean Discrepancy loss, aligning the distribution of trigger features with benign data. Optimization is achieved through a bilevel objective, simultaneously promoting successful misclassification and preserving model performance on untainted data. Tests prove the attack remains effective even when subjected to a heterogeneity-aware structural defense, CSD, highlighting its robustness.

Heterogeneous Graph Backdoors via Generative Triggers

This research presents HeteroHBA, a new framework for launching backdoor attacks on heterogeneous graphs, a network type commonly found in real-world applications. The team developed a method to subtly manipulate these graphs during training, inserting carefully crafted triggers that cause targeted nodes to be misclassified, while maintaining overall accuracy for non-targeted nodes. This is achieved through a generative approach, selecting influential points for trigger attachment and synthesizing trigger features that blend with the existing graph structure, enhancing stealth and effectiveness. Experiments demonstrate that HeteroHBA outperforms existing backdoor attack methods on several real-world heterogeneous graphs, even when tested against Cluster-based Structural Defense. While defenses focused on detecting edge perturbations can reduce the attack’s effectiveness, the researchers acknowledge this as a limitation and plan future work to improve the attack’s resilience, aiming for more robust and generalizable designs. These findings underscore the potential for practical security risks in heterogeneous graph learning and highlight the need for stronger defensive strategies.