{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,15]],"date-time":"2026-04-15T17:50:12Z","timestamp":1776275412802,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":57,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,6,11]],"date-time":"2021-06-11T00:00:00Z","timestamp":1623369600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["1937787"],"award-info":[{"award-number":["1937787"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,6,11]]},"DOI":"10.1145\/3450569.3463560","type":"proceedings-article","created":{"date-parts":[[2021,6,12]],"date-time":"2021-06-12T04:06:33Z","timestamp":1623470793000},"page":"15-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":164,"title":["Backdoor Attacks to Graph Neural Networks"],"prefix":"10.1145","author":[{"given":"Zaixi","family":"Zhang","sequence":"first","affiliation":[{"name":"Duke University, Durham, NC, USA"}]},{"given":"Jinyuan","family":"Jia","sequence":"additional","affiliation":[{"name":"Duke University, Durham, NC, USA"}]},{"given":"Binghui","family":"Wang","sequence":"additional","affiliation":[{"name":"Duke University, Durham, NC, USA"}]},{"given":"Neil Zhenqiang","family":"Gong","sequence":"additional","affiliation":[{"name":"Duke University, Durham, NC, USA"}]}],"member":"320","published-online":{"date-parts":[[2021,6,11]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Low data drug discovery with one-shot learning. ACS central science","author":"Altae-Tran Han","year":"2017","unstructured":"Han Altae-Tran, Bharath Ramsundar, Aneesh S Pappu, and Vijay Pande. 2017. Low data drug discovery with one-shot learning. ACS central science (2017)."},{"key":"e_1_3_2_1_2_1","volume-title":"Emergence of scaling in random networks. science","author":"Barab\u00e1si Albert-L\u00e1szl\u00f3","year":"1999","unstructured":"Albert-L\u00e1szl\u00f3 Barab\u00e1si and R\u00e9ka Albert. 1999. Emergence of scaling in random networks. science (1999)."},{"key":"e_1_3_2_1_3_1","unstructured":"Aleksandar Bojchevski and Stephan G\u00fcnnemann. 2019. Adversarial Attacks on Node Embeddings via Graph Poisoning. In ICML."},{"key":"e_1_3_2_1_4_1","unstructured":"Xiaoyu Cao and Neil Zhenqiang Gong. 2017. Mitigating evasion attacks to deep neural networks via region-based classification. In ACSAC."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Hongming Chen Ola Engkvist Yinhai Wang Marcus Olivecrona and Thomas Blaschke. 2018. The rise of deep learning in drug discovery. Drug Discov. (2018).","DOI":"10.1016\/j.drudis.2018.01.039"},{"key":"e_1_3_2_1_6_1","volume-title":"Targeted backdoor attacks on deep learning systems using data poisoning. arXiv","author":"Chen Xinyun","year":"2017","unstructured":"Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017a. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv (2017)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Yizheng Chen Yacin Nadji Athanasios Kountouras Fabian Monrose Roberto Perdisci Manos Antonakakis and Nikolaos Vasiloglou. 2017b. Practical Attacks Against Graph-based Clustering. In CCS.","DOI":"10.1145\/3133956.3134083"},{"key":"e_1_3_2_1_8_1","volume-title":"Hardware trojan attacks on neural networks. arXiv preprint arXiv:1806.05768","author":"Clements Joseph","year":"2018","unstructured":"Joseph Clements and Yingjie Lao. 2018. Hardware trojan attacks on neural networks. arXiv preprint arXiv:1806.05768 (2018)."},{"key":"e_1_3_2_1_9_1","volume-title":"The use of confidence or fiducial limits illustrated in the case of the binomial. Biometrika","author":"Clopper Charles J","year":"1934","unstructured":"Charles J Clopper and Egon S Pearson. 1934. The use of confidence or fiducial limits illustrated in the case of the binomial. Biometrika (1934)."},{"key":"e_1_3_2_1_10_1","unstructured":"Jeremy Cohen Elan Rosenfeld and Zico Kolter. 2019. Certified Adversarial Robustness via Randomized Smoothing. In ICML."},{"key":"e_1_3_2_1_11_1","unstructured":"Hanjun Dai Hui Li Tian Tian Xin Huang Lin Wang Jun Zhu and Le Song. 2018. Adversarial Attack on Graph Structured Data. In ICML."},{"key":"e_1_3_2_1_12_1","volume-title":"Strip: A defence against trojan attacks on deep neural networks. In ACSAC.","author":"Gao Yansong","year":"2019","unstructured":"Yansong Gao, Change Xu, Derui Wang, Shiping Chen, Damith C Ranasinghe, and Surya Nepal. 2019. Strip: A defence against trojan attacks on deep neural networks. In ACSAC."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"crossref","unstructured":"Edgar N Gilbert. 1959. Random graphs. Ann. Math. Stat. (1959).","DOI":"10.1214\/aoms\/1177706098"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2014.2316975"},{"key":"e_1_3_2_1_15_1","volume-title":"Proc. of Machine Learning and Computer Security Workshop.","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. Badnets: Identifying vulnerabilities in the machine learning model supply chain. In Proc. of Machine Learning and Computer Security Workshop."},{"key":"e_1_3_2_1_16_1","volume-title":"Tabor: A highly accurate approach to inspecting and restoring trojan backdoors in ai systems. arXiv preprint arXiv:1908.01763","author":"Guo Wenbo","year":"2019","unstructured":"Wenbo Guo, Lun Wang, Xinyu Xing, Min Du, and Dawn Song. 2019. Tabor: A highly accurate approach to inspecting and restoring trojan backdoors in ai systems. arXiv preprint arXiv:1908.01763 (2019)."},{"key":"e_1_3_2_1_17_1","unstructured":"Will Hamilton Zhitao Ying and Jure Leskovec. 2017. Inductive representation learning on large graphs. In NeurIPS."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"crossref","unstructured":"Mehadi Hassen and Philip K Chan. 2017. Scalable function call graph-based malware classification. In CODASPY.","DOI":"10.1145\/3029806.3029824"},{"key":"e_1_3_2_1_19_1","unstructured":"Jinyuan Jia Xiaoyu Cao Binghui Wang and Neil Zhenqiang Gong. 2020 a. Certified Robustness for Top-k Predictions against Adversarial Perturbations via Randomized Smoothing. In ICLR."},{"key":"e_1_3_2_1_20_1","unstructured":"Jinyuan Jia Binghui Wang Xiaoyu Cao and Neil Zhenqiang Gong. 2020 b. Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing. In WWW."},{"key":"e_1_3_2_1_21_1","unstructured":"Jinyuan Jia Binghui Wang and Neil Zhenqiang Gong. 2017. Random walk based fake account detection in online social networks. In DSN."},{"key":"e_1_3_2_1_22_1","unstructured":"Thomas N Kipf and Max Welling. 2017. Semi-supervised classification with graph convolutional networks. In ICLR."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"crossref","unstructured":"Deguang Kong and Guanhua Yan. 2013. Discriminant malware distance learning on structural information for automated malware classification. In KDD.","DOI":"10.1145\/2465529.2465531"},{"key":"e_1_3_2_1_24_1","volume-title":"Certified robustness to adversarial examples with differential privacy","author":"Lecuyer Mathias","unstructured":"Mathias Lecuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, and Suman Jana. 2019. Certified robustness to adversarial examples with differential privacy. In IEEE S & P."},{"key":"e_1_3_2_1_25_1","unstructured":"Guang-He Lee Yang Yuan Shiyu Chang and Tommi Jaakkola. 2019 b. Tight certificates of adversarial robustness for randomly smoothed classifiers. In NeurIPS."},{"key":"e_1_3_2_1_26_1","volume-title":"2019 a. Self-attention graph pooling. arXiv preprint arXiv:1904.08082","author":"Lee Junhyun","year":"2019","unstructured":"Junhyun Lee, Inyeop Lee, and Jaewoo Kang. 2019 a. Self-attention graph pooling. arXiv preprint arXiv:1904.08082 (2019)."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"crossref","unstructured":"Alexander Levine and Soheil Feizi. 2020. Robustness Certificates for Sparse Adversarial Attacks by Randomized Ablation. In AAAI.","DOI":"10.1609\/aaai.v34i04.5888"},{"key":"e_1_3_2_1_28_1","unstructured":"Bai Li Changyou Chen Wenlin Wang and Lawrence Carin. 2019. Certified Adversarial Robustness with Additive Noise. In NeurIPS."},{"key":"e_1_3_2_1_29_1","volume-title":"Learning graph-level representation for drug discovery. arXiv preprint arXiv:1709.03741","author":"Li Junying","year":"2017","unstructured":"Junying Li, Deng Cai, and Xiaofei He. 2017. Learning graph-level representation for drug discovery. arXiv preprint arXiv:1709.03741 (2017)."},{"key":"e_1_3_2_1_30_1","volume-title":"Hu-fu: Hardware and software collaborative attack framework against neural networks","author":"Li Wenshuo","year":"2018","unstructured":"Wenshuo Li, Jincheng Yu, Xuefei Ning, Pengjun Wang, Qi Wei, Yu Wang, and Huazhong Yang. 2018. Hu-fu: Hardware and software collaborative attack framework against neural networks. In ISVLSI. IEEE."},{"key":"e_1_3_2_1_31_1","volume-title":"Fine-pruning: Defending against backdooring attacks on deep neural networks. In RAID.","author":"Liu Kang","year":"2018","unstructured":"Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. 2018b. Fine-pruning: Defending against backdooring attacks on deep neural networks. In RAID."},{"key":"e_1_3_2_1_32_1","unstructured":"Xuanqing Liu Minhao Cheng Huan Zhang and Cho-Jui Hsieh. 2018a. Towards robust neural networks via random self-ensemble. In ECCV. 369--385."},{"key":"e_1_3_2_1_33_1","volume-title":"ABS: Scanning neural networks for back-doors by artificial brain stimulation. In SIGSAC.","author":"Liu Yingqi","year":"2019","unstructured":"Yingqi Liu, Wen-Chuan Lee, Guanhong Tao, Shiqing Ma, Yousra Aafer, and Xiangyu Zhang. 2019. ABS: Scanning neural networks for back-doors by artificial brain stimulation. In SIGSAC."},{"key":"e_1_3_2_1_34_1","unstructured":"Yingqi Liu Shiqing Ma Yousra Aafer Wen-Chuan Lee Juan Zhai Weihang Wang and Xiangyu Zhang. 2018c. Trojaning attack on neural networks. In NDSS."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCD.2017.16"},{"key":"e_1_3_2_1_36_1","series-title":"Series A","volume-title":"On the problem of the most efficient tests of statistical hypotheses. Philosophical Transactions of the Royal Society of London","author":"Neyman Jerzy","year":"1933","unstructured":"Jerzy Neyman and Egon Sharpe Pearson. 1933. IX. On the problem of the most efficient tests of statistical hypotheses. Philosophical Transactions of the Royal Society of London. Series A (1933)."},{"key":"e_1_3_2_1_37_1","volume-title":"A graph-based model for malware detection and classification using system-call groups. Journal of Computer Virology and Hacking Techniques","author":"Nikolopoulos Stavros D","year":"2017","unstructured":"Stavros D Nikolopoulos and Iosif Polenakis. 2017. A graph-based model for malware detection and classification using system-call groups. Journal of Computer Virology and Hacking Techniques (2017)."},{"key":"e_1_3_2_1_38_1","volume-title":"Dynamic Backdoor Attacks Against Machine Learning Models. arXiv","author":"Salem Ahmed","year":"2020","unstructured":"Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma, and Yang Zhang. 2020. Dynamic Backdoor Attacks Against Machine Learning Models. arXiv (2020)."},{"key":"e_1_3_2_1_39_1","unstructured":"Brandon Tran Jerry Li and Aleksander Madry. 2018. Spectral signatures in backdoor attacks. In NeurIPS."},{"key":"e_1_3_2_1_40_1","unstructured":"Petar Velivc kovi\u0107 Guillem Cucurull Arantxa Casanova Adriana Romero Pietro Lio and Yoshua Bengio. 2018. Graph attention networks. In ICLR."},{"key":"e_1_3_2_1_41_1","volume-title":"CVPR Workshop.","author":"Wang Binghui","year":"2020","unstructured":"Binghui Wang, Xiaoyu Cao, Jinyuan Jia, and Neil Zhenqiang Gong. 2020. On Certifying Robustness against Backdoor Attacks via Randomized Smoothing. In CVPR Workshop."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"crossref","unstructured":"Binghui Wang and Neil Zhenqiang Gong. 2019. Attacking graph-based classification via manipulating the graph structure. In SIGSAC.","DOI":"10.1145\/3319535.3354206"},{"key":"e_1_3_2_1_43_1","volume-title":"Neil Zhenqiang Gong, and Hao Fu","author":"Wang Binghui","year":"2017","unstructured":"Binghui Wang, Neil Zhenqiang Gong, and Hao Fu. 2017a. GANG: Detecting fraudulent users in online social networks via guilt-by-association on directed graphs. In ICDM."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Binghui Wang Jinyuan Jia and Neil Zhenqiang Gong. 2019 a. Graph-based Security and Privacy Analytics via Collective Classification with Joint Weight Learning and Propagation. In NDSS.","DOI":"10.14722\/ndss.2019.23226"},{"key":"e_1_3_2_1_45_1","volume-title":"2019 b. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks","author":"Wang Bolun","unstructured":"Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y Zhao. 2019 b. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In IEEE S&P."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"crossref","unstructured":"Binghui Wang Le Zhang and Neil Zhenqiang Gong. 2017b. SybilSCAR: Sybil detection in online social networks via local rule based propagation. In INFOCOM.","DOI":"10.1109\/INFOCOM.2017.8057066"},{"key":"e_1_3_2_1_47_1","volume-title":"Collective dynamics of 'small-world' networks. nature","author":"Watts Duncan J","year":"1998","unstructured":"Duncan J Watts and Steven H Strogatz. 1998. Collective dynamics of 'small-world' networks. nature (1998)."},{"key":"e_1_3_2_1_48_1","volume-title":"Claudio Bellei, Tom Robinson, and Charles E Leiserson.","author":"Weber Mark","year":"2019","unstructured":"Mark Weber, Giacomo Domeniconi, Jie Chen, Daniel Karl I Weidele, Claudio Bellei, Tom Robinson, and Charles E Leiserson. 2019. Anti-money laundering in bitcoin: Experimenting with graph convolutional networks for financial forensics. arXiv preprint arXiv:1908.02591 (2019)."},{"key":"e_1_3_2_1_49_1","volume-title":"RAB: Provable Robustness Against Backdoor Attacks. arXiv","author":"Weber Maurice","year":"2020","unstructured":"Maurice Weber, Xiaojun Xu, Bojan Karlas, Ce Zhang, and Bo Li. 2020. RAB: Provable Robustness Against Backdoor Attacks. arXiv (2020)."},{"key":"e_1_3_2_1_50_1","unstructured":"Keyulu Xu Weihua Hu Jure Leskovec and Stefanie Jegelka. 2019. How powerful are graph neural networks?. In ICLR."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"crossref","unstructured":"Jiaqi Yan Guanhua Yan and Dong Jin. 2019. Classifying Malware Represented as Control Flow Graphs using Deep Graph Convolutional Neural Network. In DSN.","DOI":"10.1109\/DSN.2019.00020"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"crossref","unstructured":"Pinar Yanardag and SVN Vishwanathan. 2015. Deep graph kernels. In KDD.","DOI":"10.1145\/2783258.2783417"},{"key":"e_1_3_2_1_53_1","unstructured":"Yuanshun Yao Huiying Li Haitao Zheng and Ben Y Zhao. 2019. Latent Backdoor Attacks on Deep Neural Networks. In CCS."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"crossref","unstructured":"Ganzhao Yuan and Bernard Ghanem. 2017. An exact penalty method for binary optimization based on MPEC formulation. In AAAI.","DOI":"10.1609\/aaai.v31i1.10795"},{"key":"e_1_3_2_1_55_1","volume-title":"Hierarchical Graph Pooling with Structure Learning. arXiv preprint arXiv:1911.05954","author":"Zhang Zhen","year":"2019","unstructured":"Zhen Zhang, Jiajun Bu, Martin Ester, Jianfeng Zhang, Chengwei Yao, Zhi Yu, and Can Wang. 2019. Hierarchical Graph Pooling with Structure Learning. arXiv preprint arXiv:1911.05954 (2019)."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"crossref","unstructured":"Daniel Z\u00fcgner Amir Akbarnejad and Stephan G\u00fcnnemann. 2018. Adversarial attacks on neural networks for graph data. In KDD. 2847--2856.","DOI":"10.1145\/3219819.3220078"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"crossref","unstructured":"Daniel Z\u00fcgner and Stephan G\u00fcnnemann. 2019. Adversarial attacks on graph neural networks via meta learning. In ICLR.","DOI":"10.24963\/ijcai.2019\/872"}],"event":{"name":"SACMAT '21: The 26th ACM Symposium on Access Control Models and Technologies","location":"Virtual Event Spain","acronym":"SACMAT '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 26th ACM Symposium on Access Control Models and Technologies"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3450569.3463560","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3450569.3463560","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3450569.3463560","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:47:50Z","timestamp":1750193270000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3450569.3463560"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,6,11]]},"references-count":57,"alternative-id":["10.1145\/3450569.3463560","10.1145\/3450569"],"URL":"https:\/\/doi.org\/10.1145\/3450569.3463560","relation":{},"subject":[],"published":{"date-parts":[[2021,6,11]]},"assertion":[{"value":"2021-06-11","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}