CN114897161B - Mask-based graph classification backdoor attack defense method and system, electronic equipment and storage medium - Google Patents
- Publication number
- CN114897161B
- Authority
- CN
- China
- Prior art keywords
- mask
- graph
- network
- matrix
- adjacency matrix
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/217—Validation; Performance evaluation; Active pattern learning techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/084—Backpropagation, e.g. using gradient descent
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- Biophysics (AREA)
- Biomedical Technology (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Health & Medical Sciences (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Biology (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a mask-based graph classification backdoor attack defense method, a mask-based graph classification backdoor attack defense system, electronic equipment and a storage medium. The method masks the adjacency matrix of the graph network with random masks. Each masking operation masks out part of the information in the network's topological structure and damages the local trigger structure in the network. At the same time, the mask adjacency matrices are superposed multiple times and then pooled, so that the original topological structure of the network is preserved to the maximum extent. As a result, the trigger embedded in the training data by an attacker is invalidated while the model keeps its normal performance.
Description
Technical Field
The invention belongs to the field of image processing, and particularly relates to a mask-based graph classification backdoor attack defense method, a mask-based graph classification backdoor attack defense system, electronic equipment and a storage medium.
Background
With the rapid development of digital economy and artificial intelligence technologies, graph networks have become an important branch of data analysis technologies. Most systems in real life can be represented by graph data, where graph classification is a basic graph analysis tool. Graph classification is a problem of mapping graph networks and their corresponding labels, which has many practical applications, such as molecular property determination, new drug discovery, fraud detection, and the like. Specifically, in the field of pharmaceutical molecular compounds, researchers model molecular structures as graph networks and study molecular chemistry as graph classification tasks.
While graph neural networks complete downstream tasks with high quality, the robustness of the model is also a concern. Most of the tasks on which a graph neural network model performs well depend on the support of large amounts of data. Consequently, backdoor attack methods targeting the model training phase have been proposed. A backdoor attack takes place during the training phase: the attacker trains the model on training data in which triggers have been set, so that in the use phase the model responds in a highly predictable manner to input data with the trigger embedded and produces a preset result, while it operates normally on other, normal input samples. Once the trigger has been set in the training phase, the model has in effect been left with a backdoor for the attacker, who in the use phase inputs data with the embedded trigger, which leads to extremely serious results.
Disclosure of Invention
In order to solve the above technical problems, the invention provides a mask-based graph classification backdoor attack defense method, a mask-based graph classification backdoor attack defense system, an electronic device and a storage medium.
A first aspect of the invention discloses a mask-based graph classification backdoor attack defense method, which comprises the following steps:
S1, acquiring a graph neural network model and a training data set of the graph neural network model, wherein the training data set consists of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
S2, constructing a mask adjacency matrix of the graph network in the model training set;
S3, pooling the mask adjacency matrices, and processing the graph network by using the pooled mask adjacency matrix to obtain a processed graph network;
S4, processing the model training set according to the methods of steps S2 to S3 to obtain a processed model training set;
and S5, inputting the processed model training set into the graph neural network model for model training.
According to the method of the first aspect of the present invention, in step S2, the method for constructing a mask adjacency matrix of a graph network in the model training set includes:
randomly generating T mask matrices, i.e. $\{Mask_1, Mask_2, \ldots, Mask_T\}$, where $Mask_i \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, and N is the number of nodes of the graph network;
and embedding the T mask matrices into the graph network to obtain the mask adjacency matrices.
According to the method of the first aspect of the present invention, in the step S2, the values in the mask matrix are randomly set to 0 or 1.
According to the method of the first aspect of the present invention, in step S2, the method for embedding the T mask matrices into the graph network to obtain the mask adjacency matrices includes: performing element-wise (dot) multiplication of the adjacency matrix A with each mask matrix $Mask_i$ to obtain the mask adjacency matrices, wherein the specific formula is as follows:
$$\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} = Mix(A, \{Mask_1, Mask_2, \ldots, Mask_T\})$$
where $A_{mask_i} \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, is a mask adjacency matrix, $Mix(\cdot)$ denotes the operation of multiplying the adjacency matrix element-wise by each of the mask matrices, and N is the number of nodes of the network.
According to the method of the first aspect of the present invention, in the step S3, the method of pooling the mask adjacency matrices includes:
taking the maximum value at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$ and writing it to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
According to the method of the first aspect of the present invention, in the step S3, the method of pooling the mask adjacency matrices further comprises:
summing the values at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$, taking the average, and writing it to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
According to the method of the first aspect of the present invention, in step S3, the method for processing the graph network by applying the pooled mask adjacency matrices to obtain a processed graph network includes:
replacing the adjacency matrix A in the graph network with the pooled mask adjacency matrix $A_{mask}$ to obtain the processed graph network.
The second aspect of the invention discloses a mask-based graph classification backdoor attack defense system, which comprises:
a first processing module configured to obtain a graph neural network model and a training data set of the graph neural network model, wherein the training data set is composed of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
a second processing module configured to construct a mask adjacency matrix for a graph network in the model training set;
a third processing module configured to pool the mask adjacency matrix and apply the pooled mask adjacency matrix to process the graph network to obtain a processed graph network;
the fourth processing module is configured to process the model training set according to the second processing module and the third processing module to obtain a processed model training set;
and the fifth processing module is configured to input the processed model training set into the graph neural network model for model training.
According to the system of the second aspect of the present invention, the second processing module configured to construct the mask adjacency matrix of the graph network in the model training set includes:
randomly generating T mask matrices, i.e. $\{Mask_1, Mask_2, \ldots, Mask_T\}$, where $Mask_i \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, and N is the number of nodes of the graph network;
and embedding the T mask matrices into the graph network to obtain the mask adjacency matrices.
According to the system of the second aspect of the present invention, the second processing module is configured to randomly set the values in the mask matrix to 0 or 1.
According to the system of the second aspect of the present invention, the second processing module is configured to embed the T mask matrices into the graph network, and the method for obtaining the mask adjacency matrices includes: performing element-wise (dot) multiplication of the adjacency matrix A with each mask matrix $Mask_i$ to obtain the mask adjacency matrices, wherein the specific formula is as follows:
$$\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} = Mix(A, \{Mask_1, Mask_2, \ldots, Mask_T\})$$
where $A_{mask_i} \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, is a mask adjacency matrix, $Mix(\cdot)$ denotes the operation of multiplying the adjacency matrix element-wise by each of the mask matrices, and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module is configured to pool the mask adjacency matrix comprising:
taking the maximum value at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$ and writing it to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
According to the system of the second aspect of the invention, the third processing module is configured to pool the mask adjacency matrix further comprising:
summing the values at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$, taking the average, and writing it to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module is configured to process the graph network by applying the pooled mask adjacency matrices, and obtain a processed graph network includes:
replacing the adjacency matrix A in the graph network with the pooled mask adjacency matrix $A_{mask}$ to obtain the processed graph network.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor, the memory stores a computer program, and the processor implements the steps of the mask-based graph classification backdoor attack defense method according to any one of the first aspect of the disclosure when executing the computer program.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of a method for defending against a mask-based graph classification backdoor attack according to any one of the first aspect of the present disclosure.
The scheme provided by the invention can directly destroy the trigger structure inserted in the graph data, so that the trigger structure cannot achieve its intended effect, while normal samples are not affected and the model still shows its due performance on normal input samples.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flowchart of a mask-based graph classification backdoor attack defense method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a mask-based graph neural network backdoor attack defense method according to an embodiment of the present invention;
FIG. 3 is a block diagram of a mask-based graph classification backdoor attack defense system according to an embodiment of the present invention;
FIG. 4 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention discloses a mask-based graph classification backdoor attack defense method. Fig. 1 is a flowchart of a mask-based graph classification backdoor attack defense method according to an embodiment of the present invention, as shown in fig. 1 and fig. 2, the method includes:
S1, acquiring a graph neural network model and a training data set of the graph neural network model, wherein the training data set consists of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
S2, constructing a mask adjacency matrix of the graph network in the model training set;
S3, pooling the mask adjacency matrices, and processing the graph network by applying the pooled mask adjacency matrix to obtain a processed graph network;
S4, processing the model training set according to the methods of steps S2 to S3 to obtain a processed model training set;
and S5, inputting the processed model training set into the graph neural network model for model training.
In step S1, a graph neural network model and a training data set of the graph neural network model are obtained, wherein the training data set is composed of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion.
Specifically, in step S11, the graph neural network model $M_{oracle}$ is obtained. The downstream task performed by the graph neural network model is a graph classification task. A graph network is typically represented by $G = \{V, E\}$, where $V = \{v_1, \ldots, v_N\}$ denotes a set of N nodes and $e_{i,j} = \langle v_i, v_j \rangle \in E$ indicates that there is an edge between node $v_i$ and node $v_j$. In general, the information contained in the node set V and the edge set E is represented by the adjacency matrix $A \in \mathbb{R}^{N \times N}$: when there is a direct edge between node $v_i$ and node $v_j$, $A_{i,j} \neq 0$; otherwise $A_{i,j} = 0$. X denotes the feature matrix of the graph network. In the graph classification task, a graph set consisting of M graphs is denoted $G = \{G_1, \ldots, G_M\}$, and $Y_n$ denotes the class label corresponding to the n-th graph. $M_{oracle}$ is an untrained graph classifier model $f: G \to \{0, 1, \ldots, y_i\}$, where $G_i \in G$ is the corresponding input sample and $\{0, 1, \ldots, y_i\}$ is the prediction label of the corresponding classifier.
Step S12, obtaining the training data set $Data_{oracle}$ of the model $M_{oracle}$. The data sets used for training the model are the MUTAG data set from the biochemical field, the NCI1 data set and the PROTEINS data set from the protein field, with 188 samples, 4110 samples and 1113 samples respectively, downloaded from the network. The data sets are used for the graph classification task; each data set comprises a plurality of graphs $G_i$, and each graph has a corresponding classification label $y_i$. The graph data consists of nodes and edges: the graph data is denoted G and its structure information is represented by the adjacency matrix $A_{ij}$. If there is an edge between nodes i and j, the value at the corresponding adjacency matrix position $e_{ij}$ is 1; if there is no edge, the value at $e_{ij}$ is 0. Each node has a feature matrix $X \sim U(0, 1)$ drawn from the same distribution. For different data sets, nodes and edges have their own meanings. In the MUTAG data set, for example, each graph network sample represents a nitro compound molecule, with atoms as the nodes and the chemical bonds between atoms as the edges of the graph network; each sample has a corresponding label, which relates to the mutagenicity of aromatic and heteroaromatic compounds and is represented by 0 or 1;
Step S13, the acquired data set $Data_{oracle}$ is divided in proportion, wherein the model training set $Data_{train}$, the verification set $Data_{val}$ and the test set $Data_{test}$ account for 70%, 10% and 20%, respectively.
In step S2, a mask adjacency matrix of the graph network in the model training set is constructed.
In some embodiments, in the step S2, the method of constructing a mask adjacency matrix of the graph network in the model training set includes:
randomly generating T mask matrices, i.e. $\{Mask_1, Mask_2, \ldots, Mask_T\}$, where $Mask_i \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, N is the number of nodes of the graph network, and the values in the mask matrices are randomly set to 0 or 1;
and embedding the T mask matrices into the graph network to obtain the mask adjacency matrices.
The method for embedding the T mask matrices into the graph network to obtain the mask adjacency matrices comprises: performing element-wise (dot) multiplication of the adjacency matrix A with each mask matrix $Mask_i$ to obtain the mask adjacency matrices, wherein the specific formula is as follows:
$$\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} = Mix(A, \{Mask_1, Mask_2, \ldots, Mask_T\})$$
where $A_{mask_i} \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, is a mask adjacency matrix, $Mix(\cdot)$ denotes the operation of multiplying the adjacency matrix element-wise by each of the mask matrices, and N is the number of nodes of the network.
Specifically, in step S21, for an arbitrary graph network $G = \{A, X\} \in Data_{train}$, T mask matrices $\{Mask_1, Mask_2, \ldots, Mask_T\}$ are randomly generated, where $Mask_i \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, N is the number of nodes of the network, and the values in $Mask_i$ are randomly set to 0 or 1.
Step S22, the T mask matrices $\{Mask_1, Mask_2, \ldots, Mask_T\}$ are embedded into the graph network $G = \{A, X\}$ to obtain the mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\}$. The process is as follows:
$$\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} = Mix(A, \{Mask_1, Mask_2, \ldots, Mask_T\})$$
where $A_{mask_i} \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, is a mask adjacency matrix, $Mix(\cdot)$ denotes the operation of multiplying the adjacency matrix element-wise by each of the mask matrices, and N is the number of nodes of the network.
In step S3, the mask adjacency matrix is pooled, and the pooled mask adjacency matrix is applied to process the graph network, so as to obtain a processed graph network.
In some embodiments, in the step S3, the method of pooling the mask adjacency matrices includes:
taking the maximum value at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$ and writing it to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
The method of pooling the mask adjacency matrix further comprises:
summing the values at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$, taking the average, and writing it to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
The method for processing the graph network by applying the pooled mask adjacency matrix to obtain the processed graph network comprises the following steps:
replacing the adjacency matrix A in the graph network with the pooled mask adjacency matrix $A_{mask}$ to obtain the processed graph network.
Specifically, in step S31, the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\}$ obtained in step S22 are sent into a pooling layer, where one of two pooling modes, maximum pooling or average pooling, can be selected to obtain the pooled adjacency matrix $A_{mask}$.
Step S32, the maximum pooling operation from step S31 proceeds as follows: the maximum value at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$ is written to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network. Expressed as a formula:
$$A_{mask} = Pool_{max}(\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\})$$
where $A_{mask}$ is the pooled adjacency matrix, $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\}$ are the T mask adjacency matrices, and $Pool_{max}$ denotes maximum pooling.
Step S33, the average pooling operation from step S31 proceeds as follows: the values at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$ are summed, averaged, and written to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network. Expressed as a formula:
$$A_{mask} = Pool_{ave}(\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\})$$
where $A_{mask}$ is the pooled adjacency matrix, $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\}$ are the T mask adjacency matrices, and $Pool_{ave}$ denotes average pooling.
Step S34, the pooled adjacency matrix $A_{mask}$ obtained in step S32 or S33 replaces the adjacency matrix A in the graph network $G = \{A, X\}$, giving the processed graph network $G = \{A_{mask}, X\}$.
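The preprocessing of steps S21 to S34, as an added example in plain Python (it is not code from the patent). The function names, the constructed sample graph, and the choice of independent mask entries that are 0 or 1 with equal probability are assumptions; the patent only states that mask values are randomly set to 0 or 1.

```python
import random


def random_masks(T, N, rng):
    """S21: T random N x N mask matrices with entries 0 or 1.
    Assumption: entries are independent and equally likely to be 0 or 1."""
    return [[[rng.randint(0, 1) for _ in range(N)] for _ in range(N)]
            for _ in range(T)]


def mix(A, masks):
    """S22: Mix(A, {Mask_i}) = element-wise product of A with every mask."""
    N = len(A)
    return [[[A[i][j] * m[i][j] for j in range(N)] for i in range(N)]
            for m in masks]


def pool_max(stack):
    """S32: per-position maximum over the T mask adjacency matrices."""
    N = len(stack[0])
    return [[max(a[i][j] for a in stack) for j in range(N)] for i in range(N)]


def pool_avg(stack):
    """S33: per-position mean over the T mask adjacency matrices."""
    T, N = len(stack), len(stack[0])
    return [[sum(a[i][j] for a in stack) / T for j in range(N)]
            for i in range(N)]


def mask_defense(A, T, pooling="max", seed=0):
    """S21-S34 for one graph: returns A_mask, which replaces A in G = {A, X}."""
    if pooling not in ("max", "avg"):
        raise ValueError("pooling must be 'max' or 'avg'")
    rng = random.Random(seed)
    stack = mix(A, random_masks(T, len(A), rng))
    return pool_max(stack) if pooling == "max" else pool_avg(stack)


def edges_within(A, nodes):
    """Total weight of the (directed) entries of A between the given nodes."""
    return sum(A[i][j] for i in nodes for j in nodes if i != j)


def build_sample_graph():
    """Constructed sample: an 8-node ring plus a fully connected 4-node
    subgraph that stands in for a local trigger structure."""
    N = 8
    A = [[0] * N for _ in range(N)]
    for i in range(N):
        j = (i + 1) % N
        A[i][j] = A[j][i] = 1
    trigger_nodes = [0, 2, 4, 6]
    for i in trigger_nodes:
        for j in trigger_nodes:
            if i != j:
                A[i][j] = 1
    return A, trigger_nodes


if __name__ == "__main__":
    A, trigger_nodes = build_sample_graph()
    total = edges_within(A, trigger_nodes)
    for T in (1, 2, 4, 8):
        kept_max = edges_within(mask_defense(A, T, "max", seed=7), trigger_nodes)
        kept_avg = edges_within(mask_defense(A, T, "avg", seed=7), trigger_nodes)
        print(f"T={T}: trigger entries kept (max) {kept_max}/{total}, "
              f"remaining trigger weight (avg) {kept_avg:.2f}/{total}")
```

Under max pooling an entry of A is lost only when all T masks zero it, so with the independent equal-probability masks assumed here each edge survives with probability 1 - 2^(-T), while under average pooling the entry becomes the fraction of masks that kept it. Because mask entries are drawn independently per position, the pooled matrix is generally not symmetric even when A is.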
And S4, processing the model training set according to the methods in the steps S2 to S3 to obtain a processed model training set.
Specifically, all the graph networks in $Data_{train}$ are processed according to the methods of S21 to S34, and the processed graph networks $G = \{A_{mask}, X\}$ form the processed model training set $Data_{mask\_train}$.
And S5, inputting the processed model training set into the graph neural network model for model training.
Specifically, in step S51, the processed model training set $Data_{mask\_train}$ obtained from step S4 is input normally into the graph classification model $M_{oracle}$ for model training.
Step S52, the processed model training set $Data_{mask\_train}$ and the graph classification model $M_{oracle}$ from S51 are used: the processed model training set $Data_{mask\_train}$ is input into the graph classification model $M_{oracle}$. During training, mini-batch gradient descent (MBGD) is adopted: a batch of data is randomly selected from the training set each time to train the model, which avoids the training oscillation caused by stochastic gradient descent (SGD) and also avoids the excessive resource consumption caused by batch gradient descent (BGD). The batch size is set to 128. The training objective is to adjust the structural parameters of the network through forward and backward propagation of the gradient and to continuously reduce the value of the model's loss function.
To avoid chance effects in the experiment, ten-fold cross validation is adopted: the data set is divided into 10 parts, and each time 9 parts are selected for training and one part for testing. Once training is finished, the graph classification model with defense processing against backdoor attacks has been trained.
In summary, the scheme provided by the invention can directly destroy the trigger structure inserted in the graph data, so that the trigger structure cannot achieve its intended effect, while normal samples are not affected and the model still shows its due performance on normal input samples.
The invention discloses a mask-based graph classification backdoor attack defense system in a second aspect. FIG. 3 is a block diagram of a mask-based graph classification backdoor attack defense system according to an embodiment of the present invention; as shown in fig. 3, the system 100 includes:
a first processing module 101, configured to obtain a graph neural network model and a training data set of the graph neural network model, where the training data set is composed of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
a second processing module 102 configured to construct a mask adjacency matrix of a graph network in the model training set;
a third processing module 103, configured to pool the mask adjacency matrix, and apply the pooled mask adjacency matrix to process the graph network, so as to obtain a processed graph network;
a fourth processing module 104, configured to process the model training set according to the second processing module and the third processing module, so as to obtain a processed model training set;
a fifth processing module 105, configured to input the processed model training set into the neural network model for model training.
According to the system of the second aspect of the present invention, the second processing module 102 is configured to construct the mask adjacency matrix of the graph networks in the model training set, including:
randomly generating T mask matrices, i.e. $\{Mask_1, Mask_2, \ldots, Mask_T\}$, where $Mask_i \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, and N is the number of nodes of the graph network;
and embedding the T mask matrices into the graph network to obtain the mask adjacency matrices.
According to the system of the second aspect of the present invention, the second processing module 102 is configured to randomly set the values in the mask matrix to 0 or 1.
According to the system of the second aspect of the present invention, the second processing module 102 is configured to embed the T mask matrices into the graph network, and the method for obtaining the mask adjacency matrices includes: performing element-wise (dot) multiplication of the adjacency matrix A with each mask matrix $Mask_i$ to obtain the mask adjacency matrices, wherein the specific formula is as follows:
$$\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} = Mix(A, \{Mask_1, Mask_2, \ldots, Mask_T\})$$
where $A_{mask_i} \in \mathbb{R}^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, is a mask adjacency matrix, $Mix(\cdot)$ denotes the operation of multiplying the adjacency matrix element-wise by each of the mask matrices, and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module 103 is configured to pool the mask adjacency matrix including:
taking the maximum value at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$ and writing it to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module 103 is configured to pool the mask adjacency matrix further comprises:
summing the values at each position over the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in \mathbb{R}^{T \times N \times N}$, taking the average, and writing it to the corresponding position of $A_{mask}$, so that pooling gives $A_{mask} \in \mathbb{R}^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module 103 is configured to process the graph network by applying the pooled mask adjacency matrices, and obtain a processed graph network, including:
replacing the adjacency matrix A in the graph network with the pooled mask adjacency matrix $A_{mask}$ to obtain the processed graph network.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor, the memory stores a computer program, and the processor executes the computer program to implement the steps of the mask-based graph classification backdoor attack defense method according to any one of the first aspects of the disclosure.
Fig. 4 is a block diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 4, the electronic device includes a processor, a memory, a communication interface, a display screen, and an input device, which are connected by a system bus. The processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program stored on the non-volatile storage medium. The communication interface of the electronic device is used for wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, an operator network, Near Field Communication (NFC) or other technologies. The display screen of the electronic device can be a liquid crystal display screen or an electronic ink display screen, and the input device of the electronic device can be a touch layer covering the display screen, a key, a track ball or a touch pad arranged on the housing of the electronic device, or an external keyboard, touch pad or mouse.
It will be understood by those skilled in the art that the structure shown in Fig. 4 is only a partial block diagram related to the technical solution of the present disclosure, and does not constitute a limitation on the electronic device to which the solution of the present disclosure is applied; a specific electronic device may include more or fewer components than those shown in the drawings, or combine some components, or have a different arrangement of components.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of the mask-based graph classification backdoor attack defense method according to any one of the first aspect of the present disclosure.
Note that, the technical features of the above embodiments may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description in the present specification. The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not to be construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (7)
1. A mask-based graph classification backdoor attack defense method, the method comprising:
S1, acquiring a graph neural network model and a training data set of the graph neural network model, wherein the training data set consists of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
S2, constructing a mask adjacency matrix of the graph network in the model training set;
S3, pooling the mask adjacency matrices, and processing the graph network by using the pooled mask adjacency matrices to obtain a processed graph network;
S4, processing the model training set according to the methods of S2 to S3 to obtain a processed model training set;
S5, inputting the processed model training set into the graph neural network model for model training;
in step S2, the method for constructing a mask adjacency matrix of a graph network in the model training set includes:
randomly generating T mask matrices, i.e. $\{Mask_1, Mask_2, \ldots, Mask_T\}$, wherein
$Mask_i \in R^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, and N is the number of nodes of the graph network;
embedding the T mask matrices into the graph network to obtain a mask adjacency matrix;
in step S2, the value in the mask matrix is randomly set to 0 or 1;
in step S2, the method for embedding the T mask matrices into the graph network to obtain a mask adjacency matrix includes: performing dot multiplication of the adjacency matrix $A$ with each mask matrix $Mask_i$ to obtain a mask adjacency matrix, wherein the specific formula is as follows:
$$\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} = \mathrm{Mix}(A, \{Mask_1, Mask_2, \ldots, Mask_T\})$$
wherein $A_{mask_i} \in R^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, is a mask adjacency matrix, $\mathrm{Mix}(\cdot)$ denotes the operation of dot-multiplying the adjacency matrix with all of the mask matrices, and N is the number of nodes of the network.
2. The method of claim 1, wherein in step S3, the method of pooling the mask adjacency matrix comprises:
taking the maximum value at each position across the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in R^{T \times N \times N}$ and placing it at the corresponding position in $A_{mask}$, pooling to obtain $A_{mask} \in R^{N \times N}$, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
3. The method of claim 1, wherein in step S3, the method of pooling the mask adjacency matrix further comprises:
superposing the values at each position across the T mask adjacency matrices $\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} \in R^{T \times N \times N}$, taking the average value and placing it at the corresponding position in $A_{mask}$, pooling to obtain $A_{mask} \in R^{N \times N}$, wherein T is the number of mask adjacency matrices and N is the number of nodes of the network.
4. The method as claimed in claim 3, wherein in step S3, the step of applying the pooled mask adjacency matrix to process the graph network to obtain a processed graph network includes:
replacing the adjacency matrix $A$ in the graph network with the pooled mask adjacency matrix $A_{mask}$ to obtain the processed graph network.
5. A mask-based graph classification backdoor attack defense system, the system comprising:
a first processing module configured to obtain a graph neural network model and a training data set of the graph neural network model, wherein the training data set is composed of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
a second processing module configured to construct a mask adjacency matrix for a graph network in the model training set;
the constructing a mask adjacency matrix of a graph network in the model training set comprises:
randomly generating T mask matrices, i.e. $\{Mask_1, Mask_2, \ldots, Mask_T\}$, wherein
$Mask_i \in R^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, and N is the number of nodes of the graph network;
embedding the T mask matrices into the graph network to obtain a mask adjacency matrix;
the numerical value in the mask matrix is randomly set to 0 or 1;
the embedding the T mask matrices into a graph network to obtain a mask adjacency matrix includes: performing dot multiplication of the adjacency matrix $A$ with each mask matrix $Mask_i$ to obtain a mask adjacency matrix, wherein the specific formula is as follows:
$$\{A_{mask_1}, A_{mask_2}, \ldots, A_{mask_T}\} = \mathrm{Mix}(A, \{Mask_1, Mask_2, \ldots, Mask_T\})$$
wherein $A_{mask_i} \in R^{N \times N}$, $i \in \{1, 2, \ldots, T\}$, is a mask adjacency matrix, $\mathrm{Mix}(\cdot)$ denotes the operation of dot-multiplying the adjacency matrix with all of the mask matrices, and N is the number of nodes of the network;
a third processing module configured to pool the mask adjacency matrix and apply the pooled mask adjacency matrix to process the graph network to obtain a processed graph network;
a fourth processing module configured to process the model training set according to the second processing module and the third processing module to obtain a processed model training set;
and a fifth processing module configured to input the processed model training set into the graph neural network model for model training.
6. An electronic device, comprising a memory storing a computer program and a processor implementing the steps of the mask-based graph classification backdoor attack defense method of any of claims 1 to 4 when the computer program is executed by the processor.
7. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the steps of the mask-based graph classification backdoor attack defense method according to any one of claims 1 to 4.
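Steps S2 and S3 of claim 1, with the max pooling of claim 2, the mean pooling of claim 3 and the replacement of claim 4, as an added example that is not code from the patent. It reads "dot multiplication" as the element-wise product; the function names, the `keep_prob` parameter and the constructed 8-node graph with a clique standing in for a trigger subgraph are assumptions for illustration.

```python
import random

def random_masks(n, t, rng, keep_prob=0.5):
    """S2: T random N x N masks with entries 0 or 1.
    keep_prob is an assumption; the claims only say 'randomly set to 0 or 1'."""
    return [[[1 if rng.random() < keep_prob else 0 for _ in range(n)]
             for _ in range(n)] for _ in range(t)]

def mix(adj, masks):
    """S2: Mix(A, {Mask_i}), element-wise product of A with each mask."""
    n = len(adj)
    return [[[adj[i][j] * m[i][j] for j in range(n)] for i in range(n)]
            for m in masks]

def pool(masked, mode="max"):
    """S3: reduce T x N x N to N x N by per-position max (claim 2)
    or per-position mean (claim 3)."""
    t, n = len(masked), len(masked[0])
    reduce_fn = max if mode == "max" else (lambda vals: sum(vals) / t)
    return [[reduce_fn([masked[k][i][j] for k in range(t)]) for j in range(n)]
            for i in range(n)]

def defend_graph(adj, t, rng, mode="max", keep_prob=0.5):
    """S2-S3 for one graph; the result replaces A before training (claim 4)."""
    return pool(mix(adj, random_masks(len(adj), t, rng, keep_prob)), mode)

def sample_graph():
    """Constructed 8-node graph: path 0-1-2-3-4 plus a dense 4-clique on
    nodes 4..7 standing in for an injected trigger subgraph."""
    n = 8
    adj = [[0] * n for _ in range(n)]
    clique = [(a, b) for a in range(4, 8) for b in range(a + 1, 8)]
    for a, b in [(0, 1), (1, 2), (2, 3), (3, 4)] + clique:
        adj[a][b] = adj[b][a] = 1
    return adj, clique

def clique_intact(adj_mask, clique):
    """True only if every clique edge survives in both directions."""
    return all(adj_mask[a][b] > 0 and adj_mask[b][a] > 0 for a, b in clique)

if __name__ == "__main__":
    adj, clique = sample_graph()
    for t in (1, 2, 4, 8):
        rng = random.Random(0)  # fixed seed so the run is repeatable
        broken = sum(not clique_intact(defend_graph(adj, t, rng), clique)
                     for _ in range(200))
        print(f"T={t}: clique broken in {broken}/200 max-pooled samples")
```

With independent 0/1 entries drawn at probability 0.5, an entry of A survives max pooling with probability 1 − 0.5^T, so a larger T leaves more of the original structure intact. Mean pooling instead turns each surviving entry into a weight k/T, where k is the number of masks that kept it.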
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210540676.4A CN114897161B (en) | 2022-05-17 | 2022-05-17 | Mask-based graph classification backdoor attack defense method and system, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114897161A (en) | 2022-08-12 |
CN114897161B (en) | 2023-02-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |