Rethinking Graph Backdoor Attacks: A Distribution-Preserving Perspective
Zhiwei Zhang, Minhua Lin, Enyan Dai, Suhang Wang
TL;DR
This paper tackles the vulnerability of graph neural networks to backdoor attacks by addressing a key weakness: existing triggers are often out-of-distribution and detectable by standard outlier detectors. It introduces Distribution Preserving Graph Backdoor Attack (DPGBA), a framework that combines an OOD detector with adversarial training to generate in-distribution triggers, plus modules that enhance trigger memorization and cross-node embedding alignment to sustain high attack success rates. Through bi-level optimization, DPBA achieves strong attack performance across multiple GNN architectures and datasets, even under defense strategies like DOMINANT, and demonstrates robust transferability and resilience through ablations and hyper-parameter analyses. The work highlights practical security implications for real-world deployments of GNNs and provides a concrete method to evaluate and stress-test robustness against distribution-preserving backdoor threats.
Abstract
Graph Neural Networks (GNNs) have shown remarkable performance in various tasks. However, recent works reveal that GNNs are vulnerable to backdoor attacks. Generally, backdoor attack poisons the graph by attaching backdoor triggers and the target class label to a set of nodes in the training graph. A GNN trained on the poisoned graph will then be misled to predict test nodes attached with trigger to the target class. Despite their effectiveness, our empirical analysis shows that triggers generated by existing methods tend to be out-of-distribution (OOD), which significantly differ from the clean data. Hence, these injected triggers can be easily detected and pruned with widely used outlier detection methods in real-world applications. Therefore, in this paper, we study a novel problem of unnoticeable graph backdoor attacks with in-distribution (ID) triggers. To generate ID triggers, we introduce an OOD detector in conjunction with an adversarial learning strategy to generate the attributes of the triggers within distribution. To ensure a high attack success rate with ID triggers, we introduce novel modules designed to enhance trigger memorization by the victim model trained on poisoned graph. Extensive experiments on real-world datasets demonstrate the effectiveness of the proposed method in generating in distribution triggers that can by-pass various defense strategies while maintaining a high attack success rate.