CN114897161B - Mask-based graph classification backdoor attack defense method and system, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114897161B
Application number: CN202210540676.4A
Authority: CN (China)
Prior art keywords: mask, graph, network, matrix, adjacency matrix
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114897161A
Inventors: 魏薇, 景慧昀, 牛金行, 周凡棣, 辛鑫
Original and Current Assignee: China Academy of Information and Communications Technology (CAICT)

Classifications

    • G06N3/00 Computing arrangements based on biological models; G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology; G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/08 Learning methods; G06N3/084 Backpropagation, e.g. using gradient descent
    • G06F18/00 Pattern recognition; G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/217 Validation; Performance evaluation; Active pattern learning techniques
    • G06F18/24 Classification techniques


Abstract

The invention provides a mask-based graph classification backdoor attack defense method and system, electronic equipment and a storage medium. The method works as follows: a random mask is applied to the adjacency matrix of the graph neural network, so that each masking operation hides part of the network's topological information and destroys any local trigger structure in the network; at the same time, multiple mask adjacency matrices are superimposed and, after a pooling operation, the original topology of the network is preserved to the greatest extent. As a result, the trigger an attacker embeds in the training data is invalidated, while the model maintains normal performance.

Description

Mask-based graph classification backdoor attack defense method and system, electronic equipment and storage medium
Technical Field
The invention belongs to the field of graph data processing, and particularly relates to a mask-based graph classification backdoor attack defense method and system, electronic equipment and a storage medium.
Background
With the rapid development of the digital economy and artificial intelligence, graph networks have become an important branch of data analysis. Most real-world systems can be represented as graph data, and graph classification is a basic tool for analysing them. Graph classification learns a mapping between graph networks and their corresponding labels, and has many practical applications, such as determining molecular properties, discovering new drugs, and detecting fraud. In the field of pharmaceutical molecular compounds, for example, researchers model molecular structures as graph networks and study molecular chemistry as a graph classification task.
As graph neural networks complete downstream tasks with high quality, the robustness of the model also attracts attention. The excellent performance of graph neural network models on most tasks derives from the support of large amounts of data, and several backdoor attack methods targeting the model training phase have therefore been proposed. A backdoor attack takes place during training: the attacker plants a trigger in the training data, so that in the use phase the model responds to any input carrying the embedded trigger in a highly predictable way and produces a preset result, while it behaves normally on other, clean samples. Once the trigger is set in the training phase, the model effectively leaves a backdoor open to the attacker, who can feed it trigger-embedded data during use, with extremely serious consequences.
Disclosure of Invention
To solve the above technical problems, the invention provides a mask-based graph classification backdoor attack defense method and system, an electronic device, and a storage medium.
The invention discloses a mask-based graph classification backdoor attack defense method, which comprises the following steps:
s1, acquiring a graph neural network model and a training data set of the graph neural network model, wherein the training data set consists of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
s2, constructing a mask adjacency matrix of the graph network in the model training set;
s3, pooling the mask adjacency matrixes, and processing the graph network by using the pooled mask adjacency matrixes to obtain a processed graph network;
s4, processing the model training set according to the methods of the steps S2 to S3 to obtain a processed model training set;
and S5, inputting the processed model training set into the graph neural network model for model training.
According to the method of the first aspect of the present invention, in step S2, the method for constructing a mask adjacency matrix of a graph network in the model training set includes:
randomly generating T mask matrices {Mask_1, Mask_2, ..., Mask_T}, where
Mask_i ∈ R^{N×N}, i ∈ {1, 2, ..., T}, and N is the number of nodes of the graph network;
and embedding the T mask matrices into the graph network to obtain the mask adjacency matrices.
According to the method of the first aspect of the present invention, in the step S2, the values in the mask matrix are randomly set to 0 or 1.
According to the method of the first aspect of the present invention, in step S2, the method for embedding the T mask matrices into the graph network to obtain the mask adjacency matrices includes: performing element-wise multiplication of the adjacency matrix A with each mask matrix Mask_i, with the specific formula:

{A_mask1, A_mask2, ..., A_maskT} = Mix(A, {Mask_1, Mask_2, ..., Mask_T})

where A_maski ∈ R^{N×N}, i ∈ {1, 2, ..., T} are the mask adjacency matrices, Mix(·) denotes the operation of element-wise multiplying the adjacency matrix with every mask matrix, and N is the number of nodes of the network.
According to the method of the first aspect of the present invention, in step S3, the method of pooling the mask adjacency matrices includes:

taking, for each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^{T×N×N}, the maximum value and placing it at the corresponding position of A_mask, pooling to give A_mask ∈ R^{N×N}, where T is the number of mask adjacency matrices and N is the number of nodes of the network.

According to the method of the first aspect of the present invention, in step S3, the method of pooling the mask adjacency matrices further comprises:

superimposing the values at each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^{T×N×N}, taking their average, and placing it at the corresponding position of A_mask, pooling to give A_mask ∈ R^{N×N}, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
According to the method of the first aspect of the present invention, in step S3, the method for processing the graph network with the pooled mask adjacency matrix to obtain the processed graph network includes: replacing the adjacency matrix A in the graph network with the pooled mask adjacency matrix A_mask to obtain the processed graph network.
The second aspect of the invention discloses a mask-based graph classification backdoor attack defense system, which comprises:
the device comprises a first processing module, a second processing module and a third processing module, wherein the first processing module is configured to obtain a graph neural network model and a training data set of the graph neural network model, and the training data set is composed of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
a second processing module configured to construct a mask adjacency matrix for a graph network in the model training set;
a third processing module configured to pool the mask adjacency matrix and apply the pooled mask adjacency matrix to process the graph network to obtain a processed graph network;
the fourth processing module is configured to process the model training set according to the second processing module and the third processing module to obtain a processed model training set;
and the fifth processing module is configured to input the processed model training set into the graph neural network model for model training.
According to the system of the second aspect of the present invention, the second processing module configured to construct the mask adjacency matrix of the graph network in the model training set includes:
randomly generating T mask matrices {Mask_1, Mask_2, ..., Mask_T}, where
Mask_i ∈ R^{N×N}, i ∈ {1, 2, ..., T}, and N is the number of nodes of the graph network;
and embedding the T mask matrices into the graph network to obtain the mask adjacency matrices.
According to the system of the second aspect of the present invention, the second processing module is configured to randomly set the values in the mask matrix to 0 or 1.
According to the system of the second aspect of the present invention, the second processing module is configured to embed the T mask matrices into the graph network, and the method for obtaining the mask adjacency matrices includes: performing element-wise multiplication of the adjacency matrix A with each mask matrix Mask_i, with the specific formula:

{A_mask1, A_mask2, ..., A_maskT} = Mix(A, {Mask_1, Mask_2, ..., Mask_T})

where A_maski ∈ R^{N×N}, i ∈ {1, 2, ..., T} are the mask adjacency matrices, Mix(·) denotes the operation of element-wise multiplying the adjacency matrix with every mask matrix, and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module being configured to pool the mask adjacency matrices comprises:

taking, for each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^{T×N×N}, the maximum value and placing it at the corresponding position of A_mask, pooling to give A_mask ∈ R^{N×N}, where T is the number of mask adjacency matrices and N is the number of nodes of the network.

According to the system of the second aspect of the invention, the third processing module being configured to pool the mask adjacency matrices further comprises:

superimposing the values at each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^{T×N×N}, taking their average, and placing it at the corresponding position of A_mask, pooling to give A_mask ∈ R^{N×N}, where T is the number of mask adjacency matrices and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module being configured to process the graph network with the pooled mask adjacency matrix to obtain the processed graph network includes: replacing the adjacency matrix A in the graph network with the pooled mask adjacency matrix A_mask to obtain the processed graph network.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor, the memory stores a computer program, and the processor implements the steps of the mask-based graph classification backdoor attack defense method according to any one of the first aspect of the disclosure when executing the computer program.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of a method for defending against a mask-based graph classification backdoor attack according to any one of the first aspect of the present disclosure.
The scheme provided by the invention can directly destroy the trigger structure inserted into the graph data, so that the trigger can no longer take effect, while normal samples are unaffected and the model retains its expected performance on them.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flowchart of a mask-based graph classification backdoor attack defense method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a mask-based graph neural network backdoor attack defense method according to an embodiment of the present invention;
FIG. 3 is a block diagram of a mask-based graph classification backdoor attack defense system according to an embodiment of the present invention;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention discloses a mask-based graph classification backdoor attack defense method. Fig. 1 is a flowchart of a mask-based graph classification backdoor attack defense method according to an embodiment of the present invention, as shown in fig. 1 and fig. 2, the method includes:
s1, acquiring a graph neural network model and a training data set of the graph neural network model, wherein the training data set consists of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
s2, constructing a mask adjacency matrix of the graph network in the model training set;
s3, pooling the mask adjacency matrixes, and processing the graph network by applying the pooled mask adjacency matrixes to obtain a processed graph network;
s4, processing the model training set according to the methods of the steps S2 to S3 to obtain a processed model training set;
and S5, inputting the processed model training set into the graph neural network model for model training.
In step S1, a graph neural network model and a training data set of the graph neural network model are obtained, wherein the training data set is composed of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion.
Specifically, in step S11, the graph neural network model M_oracle is acquired. The downstream task performed by the graph neural network model is graph classification. A graph network is typically represented as G = {V, E}, where V = {v_1, ..., v_N} denotes a set of N nodes, and e_{i,j} = <v_i, v_j> ∈ E indicates that there is an edge between node v_i and node v_j. In general, the information contained in the node set V and the edge set E is represented by an adjacency matrix A ∈ R^{N×N}: when node v_i and node v_j are directly connected by an edge, A_{i,j} ≠ 0; otherwise A_{i,j} = 0. X denotes the feature matrix of the graph network. In the graph classification task, a graph set consisting of M graphs is written G = {G_1, ..., G_M}, and Y_n denotes the class label corresponding to graph G_n. M_oracle is an untrained graph classifier model f: G → {0, 1, ..., y_i}, where G is the corresponding input sample and {0, 1, ..., y_i} are the prediction labels of the classifier.
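The adjacency-matrix representation above can be illustrated with a short sketch (illustrative only, not part of the patent; the function name `build_adjacency` and the use of NumPy are assumptions):

```python
import numpy as np

def build_adjacency(num_nodes, edges):
    """Build the adjacency matrix A of a graph G = {V, E}.

    `edges` lists node-index pairs (i, j); A[i, j] != 0 exactly when
    nodes v_i and v_j are connected by an edge (undirected here, so
    the matrix is kept symmetric).
    """
    A = np.zeros((num_nodes, num_nodes), dtype=np.float32)
    for i, j in edges:
        A[i, j] = 1.0
        A[j, i] = 1.0  # undirected graph: symmetric adjacency
    return A

# A 4-node path graph: v_0 - v_1 - v_2 - v_3
A = build_adjacency(4, [(0, 1), (1, 2), (2, 3)])
```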
Step S12: acquire the training data set Data_oracle of the model M_oracle. The data sets used for training the model are the MUTAG data set from the biochemical field and the NCI1 and PROTEINS data sets from the protein field, containing 188, 4110 and 1113 samples respectively, downloaded from the network. These data sets are used for the graph classification task; each contains a number of graphs G_i, and each graph has a corresponding classification label y_i. The graph data consists of nodes and edges: a graph is denoted G, and its structural information is represented by an adjacency matrix A. If an edge exists between nodes i and j, the corresponding adjacency matrix entry A_{ij} has value 1; if no edge exists, the corresponding value is 0. Each node has a feature vector drawn from the same distribution, X ~ U(0, 1). For different data sets, nodes and edges have their corresponding meanings; in the MUTAG data set, for example, each graph network sample represents a nitro compound molecule, with atoms as nodes and the chemical bonds between atoms as edges, and each sample carries a corresponding label indicating whether the compound is a mutagenic aromatic or heteroaromatic compound, represented by 0 or 1.
step S13, the acquired Data set Data oracle And are divided in proportion, wherein the model training set Data train Verification set Data val And test set Data test 70%, 10% and 20%, respectively.
In step S2, a mask adjacency matrix of the graph network in the model training set is constructed.
In some embodiments, in the step S2, the method of constructing a mask adjacency matrix of the graph network in the model training set includes:
randomly generating T mask matrices {Mask_1, Mask_2, ..., Mask_T}, where
Mask_i ∈ R^{N×N}, i ∈ {1, 2, ..., T}, N is the number of nodes of the graph network, and the values in the mask matrices are randomly set to 0 or 1;
and embedding the T mask matrices into the graph network to obtain the mask adjacency matrices.

The method for embedding the T mask matrices into the graph network to obtain the mask adjacency matrices is as follows: the adjacency matrix A is element-wise multiplied with each mask matrix Mask_i, with the specific formula:

{A_mask1, A_mask2, ..., A_maskT} = Mix(A, {Mask_1, Mask_2, ..., Mask_T})

where A_maski ∈ R^{N×N}, i ∈ {1, 2, ..., T} are the mask adjacency matrices, Mix(·) denotes the operation of element-wise multiplying the adjacency matrix with every mask matrix, and N is the number of nodes of the network.
Specifically, in step S21, for an arbitrary graph network G = {A, X} ∈ Data_train, T mask matrices {Mask_1, Mask_2, ..., Mask_T} are randomly generated, with Mask_i ∈ R^{N×N}, i ∈ {1, 2, ..., T}, where N is the number of nodes of the network and the values in Mask_i are randomly set to 0 or 1.

In step S22, the T mask matrices {Mask_1, Mask_2, ..., Mask_T} are embedded into the graph network G = {A, X} to obtain the mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT}, as follows:

{A_mask1, A_mask2, ..., A_maskT} = Mix(A, {Mask_1, Mask_2, ..., Mask_T})

where A_maski ∈ R^{N×N}, i ∈ {1, 2, ..., T} are the mask adjacency matrices, Mix(·) denotes the operation of element-wise multiplying the adjacency matrix with every mask matrix, and N is the number of nodes of the network.
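Steps S21 and S22 can be sketched as follows (a non-authoritative illustration; the function names `random_masks` and `mix` are assumptions, but the operations follow the random 0/1 masks and the element-wise Mix(·) product described above):

```python
import numpy as np

def random_masks(T, N, rng=None):
    """Step S21: generate T random mask matrices Mask_i of shape N x N
    whose entries are randomly set to 0 or 1."""
    rng = rng or np.random.default_rng(0)
    return rng.integers(0, 2, size=(T, N, N)).astype(np.float32)

def mix(A, masks):
    """Step S22, Mix(.): element-wise multiply the adjacency matrix A
    with every mask matrix, yielding the T mask adjacency matrices
    {A_mask1, ..., A_maskT} of shape T x N x N."""
    return masks * A  # A (N x N) broadcasts over the leading T axis

A = np.ones((5, 5), dtype=np.float32)  # toy fully connected graph
masks = random_masks(T=4, N=5)
A_masked = mix(A, masks)
```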
In step S3, the mask adjacency matrix is pooled, and the pooled mask adjacency matrix is applied to process the graph network, so as to obtain a processed graph network.
In some embodiments, in step S3, the method of pooling the mask adjacency matrices includes:

taking, for each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^{T×N×N}, the maximum value and placing it at the corresponding position of A_mask, pooling to give A_mask ∈ R^{N×N}, where T is the number of mask adjacency matrices and N is the number of nodes of the network.

The method of pooling the mask adjacency matrices further comprises:

superimposing the values at each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^{T×N×N}, taking their average, and placing it at the corresponding position of A_mask, pooling to give A_mask ∈ R^{N×N}, where T is the number of mask adjacency matrices and N is the number of nodes of the network.

The method for processing the graph network with the pooled mask adjacency matrix to obtain the processed graph network is as follows: the pooled mask adjacency matrix A_mask replaces the adjacency matrix A in the graph network, giving the processed graph network.
Specifically, in step S31, the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} obtained in step S22 are fed into a pooling layer; two pooling modes, maximum pooling and average pooling, are available, yielding the pooled adjacency matrix A_mask.

Step S32, the maximum pooling operation: for the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^{T×N×N}, the maximum value at each position is placed at the corresponding position of A_mask, pooling to give A_mask ∈ R^{N×N}, where T is the number of mask adjacency matrices and N is the number of nodes of the network. In formula form:

A_mask = Pool_max({A_mask1, A_mask2, ..., A_maskT})

where A_mask is the pooled adjacency matrix, {A_mask1, A_mask2, ..., A_maskT} are the T mask adjacency matrices, and Pool_max denotes maximum pooling.

Step S33, the average pooling operation: for the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^{T×N×N}, the values at each position are superimposed and their average is placed at the corresponding position of A_mask, pooling to give A_mask ∈ R^{N×N}, where T is the number of mask adjacency matrices and N is the number of nodes of the network. In formula form:

A_mask = Pool_ave({A_mask1, A_mask2, ..., A_maskT})

where A_mask is the pooled adjacency matrix, {A_mask1, A_mask2, ..., A_maskT} are the T mask adjacency matrices, and Pool_ave denotes average pooling.
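The two pooling modes of steps S32 and S33 reduce the stack of T mask adjacency matrices back to a single N×N matrix. A minimal sketch (the function names `pool_max` / `pool_ave` mirror the Pool_max / Pool_ave notation; the use of NumPy is an assumption):

```python
import numpy as np

def pool_max(masked_stack):
    """Pool_max (step S32): keep, at every position, the maximum value
    over the T mask adjacency matrices, giving A_mask of shape N x N."""
    return masked_stack.max(axis=0)

def pool_ave(masked_stack):
    """Pool_ave (step S33): superimpose the T values at each position
    and take their average."""
    return masked_stack.mean(axis=0)

# Two toy 3x3 "mask adjacency matrices": the identity and all zeros
stack = np.stack([np.eye(3), np.zeros((3, 3))])
A_max = pool_max(stack)
A_ave = pool_ave(stack)
```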
S34. The pooled adjacency matrix A_mask obtained in step S32 or S33 replaces the adjacency matrix A in the graph network G = {A, X}, giving the processed graph network G = {A_mask, X}.
And S4, processing the model training set according to the methods in the steps S2 to S3 to obtain a processed model training set.
Specifically, all the graph networks in Data_train are processed according to steps S21 to S34; the processed graph networks G = {A_mask, X} form the processed model training set Data_mask_train.
And S5, inputting the processed model training set into the graph neural network model for model training.
Specifically, in step S51, the processed model training set Data_mask_train obtained from step S4 is input normally into the graph classification model M_oracle for model training.

Step S52: given the processed model training set Data_mask_train and the graph classification model M_oracle from step S51, Data_mask_train is input into M_oracle. During training, Mini-Batch Gradient Descent (MBGD) is adopted: a batch of data is randomly selected from the training set for each training step. This avoids both the training oscillation caused by Stochastic Gradient Descent (SGD) and the excessive resource consumption caused by Batch Gradient Descent (BGD); the batch size is chosen as 128. The training objective is to adjust the structural parameters of the network through forward propagation and gradient back-propagation, continuously reducing the value of the model's loss function.
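The mini-batch selection of step S52 can be sketched as below (illustrative only: the generator `minibatches` is an assumed helper, and the actual graph classifier, loss function, and gradient updates of M_oracle are omitted):

```python
import numpy as np

def minibatches(dataset, batch_size=128, rng=None):
    """Yield randomly selected mini-batches for MBGD training; the
    batch size of 128 follows the text. `dataset` is any indexable
    collection of processed training graphs."""
    rng = rng or np.random.default_rng(0)
    idx = rng.permutation(len(dataset))
    for start in range(0, len(dataset), batch_size):
        yield [dataset[i] for i in idx[start:start + batch_size]]

# One epoch over a toy 1000-sample stand-in for Data_mask_train;
# a real loop would run forward/backward passes on each batch.
batches = list(minibatches(list(range(1000))))
```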
To avoid accidental interference in the experiment, ten-fold cross validation is adopted: the data set is divided into 10 parts, of which 9 are selected for training and one for testing in each round. After training is completed, the graph classification model with the defense processing against backdoor attacks has been obtained.
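The ten-fold protocol can be sketched without any libraries (the helper name `ten_fold_splits` is an assumption; any deterministic partition of the indices into 10 parts works the same way):

```python
def ten_fold_splits(n_samples, k=10):
    """Ten-fold cross validation: partition sample indices into k folds;
    each round trains on k-1 folds and tests on the held-out fold."""
    folds = [list(range(i, n_samples, k)) for i in range(k)]
    for held_out in range(k):
        test_idx = folds[held_out]
        train_idx = [i for f, fold in enumerate(folds)
                     if f != held_out for i in fold]
        yield train_idx, test_idx

splits = list(ten_fold_splits(100))
```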
In summary, the scheme provided by the invention can directly destroy the trigger structure inserted into the graph data, so that the trigger can no longer take effect, while normal samples are unaffected and the model still shows its expected performance on them.
The invention discloses a mask-based graph classification backdoor attack defense system in a second aspect. FIG. 3 is a block diagram of a mask-based graph classification backdoor attack defense system according to an embodiment of the present invention; as shown in fig. 3, the system 100 includes:
a first processing module 101, configured to obtain a graph neural network model and a training data set of the graph neural network model, where the training data set is composed of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
a second processing module 102 configured to construct a mask adjacency matrix of a graph network in the model training set;
a third processing module 103, configured to pool the mask adjacency matrix, and apply the pooled mask adjacency matrix to process the graph network, so as to obtain a processed graph network;
a fourth processing module 104, configured to process the model training set according to the second processing module and the third processing module, so as to obtain a processed model training set;
a fifth processing module 105, configured to input the processed model training set into the graph neural network model for model training.
According to the system of the second aspect of the present invention, the second processing module 102 is configured to construct the mask adjacency matrix of the graph networks in the model training set, including:
randomly generating T mask matrices {Mask_1, Mask_2, ..., Mask_T}, where
Mask_i ∈ R^{N×N}, i ∈ {1, 2, ..., T}, and N is the number of nodes of the graph network;
and embedding the T mask matrices into the graph network to obtain the mask adjacency matrices.
According to the system of the second aspect of the present invention, the second processing module 102 is configured to randomly set the values in the mask matrix to 0 or 1.
According to the system of the second aspect of the present invention, the second processing module 102 is configured to embed the T mask matrices into the graph network, and the method for obtaining the mask adjacency matrices includes: performing element-wise multiplication of the adjacency matrix A with each mask matrix Mask_i, with the specific formula:

{A_mask1, A_mask2, ..., A_maskT} = Mix(A, {Mask_1, Mask_2, ..., Mask_T})

where A_maski ∈ R^{N×N}, i ∈ {1, 2, ..., T} are the mask adjacency matrices, Mix(·) denotes the operation of element-wise multiplying the adjacency matrix with every mask matrix, and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module 103 is configured to pool the mask adjacency matrix including:
adjacent T masks to matrix { A mask1 ,A mask2 ,...,A maskT }∈R T×N×N The maximum value of each position in the list is replaced to A mask In a corresponding position, pooling to give A mask ∈R N×N Wherein T is the number of mask adjacency matrixes, and N is the number of nodes of the network.
According to the system of the second aspect of the present invention, the third processing module 103 configured to pool the mask adjacency matrices further comprises:
superposing the values at each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^(T×N×N), taking their average, and placing it at the corresponding position of A_mask, pooling to obtain A_mask ∈ R^(N×N), where T is the number of mask adjacency matrices and N is the number of nodes of the network.
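The averaging variant can be sketched in the same way; `mean_pool_masks` is an illustrative name.

```python
import numpy as np

def mean_pool_masks(mask_adjacencies):
    """Sum the T mask adjacency matrices position-wise and take the
    average: A_mask[i, j] = (1/T) * sum over t of A_mask_t[i, j]."""
    stacked = np.stack(mask_adjacencies, axis=0)
    return stacked.sum(axis=0) / stacked.shape[0]

# the shared edge (1, 0) keeps weight 1; the edge present in only one
# mask adjacency matrix is averaged down to 0.5
pooled = mean_pool_masks([np.array([[0., 1.], [1., 0.]]),
                          np.array([[0., 0.], [1., 0.]])])
```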
According to the system of the second aspect of the present invention, the third processing module 103 is configured to process the graph network by applying the pooled mask adjacency matrix to obtain a processed graph network, including:
replacing the adjacency matrix A in the graph network with the pooled mask adjacency matrix A_mask to obtain the processed graph network.
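Putting the steps together, the following is a hedged end-to-end sketch of processing one graph (mask generation, mixing, pooling, and replacement of A). All function and parameter names, the defaults for `num_masks`, `keep_prob`, and `pooling`, and the seeding are assumptions not fixed by the patent.

```python
import numpy as np

def defend_graph(adjacency, num_masks=5, keep_prob=0.5, pooling="max", seed=0):
    """Sketch of the defense on one graph: generate T random binary
    masks, element-wise multiply them with A, pool the results, and
    return the pooled A_mask that replaces A in the graph network."""
    rng = np.random.default_rng(seed)
    n = adjacency.shape[0]
    # T binary masks, stacked as a T x N x N array
    masks = (rng.random((num_masks, n, n)) < keep_prob).astype(adjacency.dtype)
    mask_adjacencies = adjacency[None, :, :] * masks  # T x N x N
    if pooling == "max":
        return mask_adjacencies.max(axis=0)
    return mask_adjacencies.mean(axis=0)

# fully connected toy graph; the returned matrix replaces A before training
A = np.ones((4, 4))
A_mask = defend_graph(A)
```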
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor, the memory stores a computer program, and the processor executes the computer program to implement the steps of the mask-based graph classification backdoor attack defense method according to the first aspect of the present disclosure.
Fig. 4 is a block diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 4, the electronic device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program stored on the non-volatile storage medium. The communication interface of the electronic device is used for wired or wireless communication with an external terminal; the wireless communication may be realized through WIFI, an operator network, Near Field Communication (NFC), or other technologies. The display screen of the electronic device may be a liquid crystal display screen or an electronic ink display screen, and the input device of the electronic device may be a touch layer covering the display screen, a key, a trackball, or a touch pad arranged on the housing of the electronic device, or an external keyboard, touch pad, or mouse.
It will be understood by those skilled in the art that the structure shown in Fig. 4 is only a partial block diagram related to the technical solution of the present disclosure and does not limit the electronic devices to which the solution of the present disclosure may be applied; a specific electronic device may include more or fewer components than shown in the drawings, combine certain components, or have a different arrangement of components.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the mask-based graph classification backdoor attack defense method according to the first aspect of the present disclosure.
Note that the technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of these technical features are described; however, as long as a combination contains no contradiction, it should be considered within the scope of this specification. The above examples express only several embodiments of the present application, and their description is relatively specific and detailed, but should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the protection scope of the present application. Therefore, the protection scope of this patent shall be subject to the appended claims.

Claims (7)

1. A mask-based graph classification backdoor attack defense method, the method comprising:
S1, acquiring a graph neural network model and a training data set of the graph neural network model, wherein the training data set consists of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
S2, constructing a mask adjacency matrix of the graph network in the model training set;
S3, pooling the mask adjacency matrices, and processing the graph network with the pooled mask adjacency matrix to obtain a processed graph network;
S4, processing the model training set according to the methods of S2 to S3 to obtain a processed model training set;
S5, inputting the processed model training set into the graph neural network model for model training;
in step S2, the method for constructing a mask adjacency matrix of a graph network in the model training set includes:
randomly generating T mask matrices {Mask_1, Mask_2, ..., Mask_T}, wherein Mask_i ∈ R^(N×N), i ∈ {1, 2, ..., T}, and N is the number of nodes of the graph network;
embedding the T mask matrices into the graph network to obtain the mask adjacency matrices;
in step S2, the value in the mask matrix is randomly set to 0 or 1;
in step S2, the method for embedding the T mask matrices into the graph network to obtain the mask adjacency matrices comprises: performing element-wise (dot) multiplication of the adjacency matrix A with each mask matrix Mask_i to obtain the mask adjacency matrices, according to the formula:
{A_mask1, A_mask2, ..., A_maskT} = Mix(A, {Mask_1, Mask_2, ..., Mask_T})
wherein A_maski ∈ R^(N×N), i ∈ {1, 2, ..., T}, is a mask adjacency matrix, Mix(·) denotes the operation of element-wise multiplying the adjacency matrix by every mask matrix, and N is the number of nodes of the network.
2. The method of claim 1, wherein in step S3, the method of pooling the mask adjacency matrix comprises:
taking the maximum value at each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^(T×N×N) and placing it at the corresponding position of A_mask, pooling to obtain A_mask ∈ R^(N×N), wherein T is the number of mask adjacency matrices and N is the number of nodes of the network.
3. The method of claim 1, wherein in step S3, the method of pooling the mask adjacency matrix further comprises:
superposing the values at each position of the T mask adjacency matrices {A_mask1, A_mask2, ..., A_maskT} ∈ R^(T×N×N), taking their average, and placing it at the corresponding position of A_mask, pooling to obtain A_mask ∈ R^(N×N), wherein T is the number of mask adjacency matrices and N is the number of nodes of the network.
4. The method as claimed in claim 3, wherein in step S3, the step of applying the pooled mask adjacency matrix to process the graph network to obtain a processed graph network includes:
replacing the adjacency matrix A in the graph network with the pooled mask adjacency matrix A_mask to obtain the processed graph network.
5. A mask-based graph classification backdoor attack defense system, the system comprising:
a first processing module configured to obtain a graph neural network model and a training data set of the graph neural network model, wherein the training data set is composed of a plurality of graph networks; the training data set is divided into a model training set, a verification set and a test set according to a proportion;
a second processing module configured to construct a mask adjacency matrix for a graph network in the model training set;
the constructing a mask adjacency matrix of a graph network in the model training set comprises:
randomly generating T mask matrices {Mask_1, Mask_2, ..., Mask_T}, wherein Mask_i ∈ R^(N×N), i ∈ {1, 2, ..., T}, and N is the number of nodes of the graph network;
embedding the T mask matrices into the graph network to obtain the mask adjacency matrices;
the numerical value in the mask matrix is randomly set to 0 or 1;
the embedding the T mask matrices into the graph network to obtain the mask adjacency matrices includes: performing element-wise (dot) multiplication of the adjacency matrix A with each mask matrix Mask_i to obtain the mask adjacency matrices, according to the formula:
{A_mask1, A_mask2, ..., A_maskT} = Mix(A, {Mask_1, Mask_2, ..., Mask_T})
wherein A_maski ∈ R^(N×N), i ∈ {1, 2, ..., T}, is a mask adjacency matrix, Mix(·) denotes the operation of element-wise multiplying the adjacency matrix by every mask matrix, and N is the number of nodes of the network;
a third processing module configured to pool the mask adjacency matrix and apply the pooled mask adjacency matrix to process the graph network to obtain a processed graph network;
a fourth processing module configured to process the model training set according to the second processing module and the third processing module to obtain a processed model training set;
and a fifth processing module configured to input the processed model training set into the graph neural network model for model training.
6. An electronic device, comprising a memory storing a computer program and a processor that, when executing the computer program, implements the steps of the mask-based graph classification backdoor attack defense method of any one of claims 1 to 4.
7. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the steps of the mask-based graph classification backdoor attack defense method according to any one of claims 1 to 4.
CN202210540676.4A 2022-05-17 2022-05-17 Mask-based graph classification backdoor attack defense method and system, electronic equipment and storage medium Active CN114897161B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210540676.4A CN114897161B (en) 2022-05-17 2022-05-17 Mask-based graph classification backdoor attack defense method and system, electronic equipment and storage medium


Publications (2)

Publication Number Publication Date
CN114897161A CN114897161A (en) 2022-08-12
CN114897161B (en) 2023-02-07

Family

ID=82723208

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210540676.4A Active CN114897161B (en) 2022-05-17 2022-05-17 Mask-based graph classification backdoor attack defense method and system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114897161B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117235584B (en) * 2023-11-15 2024-04-02 之江实验室 Picture data classification method, device, electronic device and storage medium

Citations (8)

Publication number Priority date Publication date Assignee Title
CN111161535A (en) * 2019-12-23 2020-05-15 山东大学 Attention mechanism-based graph neural network traffic flow prediction method and system
CN111260059A (en) * 2020-01-23 2020-06-09 复旦大学 Back door attack method of video analysis neural network model
CN112765607A (en) * 2021-01-19 2021-05-07 电子科技大学 Neural network model backdoor attack detection method
CN112905379A (en) * 2021-03-10 2021-06-04 南京理工大学 Traffic big data restoration method based on graph self-encoder of self-attention mechanism
CN112925977A (en) * 2021-02-26 2021-06-08 中国科学技术大学 Recommendation method based on self-supervision graph representation learning
CN112989438A (en) * 2021-02-18 2021-06-18 上海海洋大学 Detection and identification method for backdoor attack of privacy protection neural network model
CN113283590A (en) * 2021-06-11 2021-08-20 浙江工业大学 Defense method for backdoor attack
CN113297571A (en) * 2021-05-31 2021-08-24 浙江工业大学 Detection method and device for backdoor attack of orientation graph neural network model

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US10733292B2 (en) * 2018-07-10 2020-08-04 International Business Machines Corporation Defending against model inversion attacks on neural networks
US11463472B2 (en) * 2018-10-24 2022-10-04 Nec Corporation Unknown malicious program behavior detection using a graph neural network


Non-Patent Citations (3)

Title
Deconfounded Training for Graph Neural Networks; Yongduo Sui et al.; https://arxiv.org/abs/2112.15089v1; 2021-12-30; 1-10 *
Graph Backdoor; Zhaohan Xi et al.; https://arxiv.org/abs/2006.11890v5; 2021-08-10; 1-18 *
A Survey of Adversarial Attacks and Defenses for Graph Neural Networks; Chen Jinyin et al.; Chinese Journal of Network and Information Security; 2021-06-30; Vol. 7, No. 3; 1-28 *

Also Published As

Publication number Publication date
CN114897161A (en) 2022-08-12

Similar Documents

Publication Publication Date Title
CN110929047B (en) Knowledge graph reasoning method and device for focusing on neighbor entity
Li et al. Blockchain assisted decentralized federated learning (BLADE-FL): Performance analysis and resource allocation
CN112257815A (en) Model generation method, target detection method, device, electronic device, and medium
CN111126668A (en) Spark operation time prediction method and device based on graph convolution network
CN110765320B (en) Data processing method, device, storage medium and computer equipment
CN111930932B (en) Knowledge graph representation learning method and device in network space security field
Slimacek et al. Nonhomogeneous Poisson process with nonparametric frailty and covariates
CN114897161B (en) Mask-based graph classification backdoor attack defense method and system, electronic equipment and storage medium
CN110414570B (en) Image classification model generation method, device, equipment and storage medium
Zhou et al. A priori trust inference with context-aware stereotypical deep learning
CN113609345B (en) Target object association method and device, computing equipment and storage medium
CN112214775A (en) Injection type attack method and device for graph data, medium and electronic equipment
WO2024001806A1 (en) Data valuation method based on federated learning and related device therefor
CN112529069A (en) Semi-supervised node classification method, system, computer equipment and storage medium
CN115618008A (en) Account state model construction method and device, computer equipment and storage medium
CN115439192A (en) Medical commodity information pushing method and device, storage medium and computer equipment
CN116403019A (en) Remote sensing image quantum identification method and device, storage medium and electronic device
CN114997036A (en) Network topology reconstruction method, device and equipment based on deep learning
CN111639523B (en) Target detection method, device, computer equipment and storage medium
WO2024074072A1 (en) Spiking neural network accelerator learning method and apparatus, terminal, and storage medium
CN112102269B (en) Method, device, computer equipment and storage medium for calculating style migration quality similarity
CN113377964A (en) Knowledge graph link prediction method, device, equipment and storage medium
CN112507323A (en) Model training method and device based on unidirectional network and computing equipment
CN112990233A (en) Image classification method and device based on channel mixed sample data enhancement
WO2021068249A1 (en) Method and apparatus for hardware simulation and emulation during running, and device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant