Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Robustness Inspired Graph Backdoor Defense

Zhiwei Zhang, Minhua Lin, Junjie Xu, Zongyu Wu, Enyan Dai, Suhang Wang

TL;DR

This work tackles graph backdoor risks in GNNs by proposing RIGBD, a defense that uses prediction variance induced by random edge dropping to identify poisoned target nodes and then trains a backdoor-robust model with a specialized loss. The authors provide theoretical guarantees showing that the random edge-dropping mechanism distinguishes poisoned nodes while preserving clean-node stability, and they demonstrate a robust training objective that mitigates trigger effects even when some poisons are missed. Across multiple datasets and attack types, RIGBD achieves near-zero ASR while maintaining clean accuracy, and it attains high precision and recall in poisoned-node detection. The method’s theoretical and empirical results suggest strong practical impact for deploying GNNs in security-sensitive applications with diverse backdoor threats.

Abstract

Graph Neural Networks (GNNs) have achieved promising results in tasks such as node classification and graph classification. However, recent studies reveal that GNNs are vulnerable to backdoor attacks, posing a significant threat to their real-world adoption. Despite initial efforts to defend against specific graph backdoor attacks, there is no work on defending against various types of backdoor attacks where generated triggers have different properties. Hence, we first empirically verify that prediction variance under edge dropping is a crucial indicator for identifying poisoned nodes. With this observation, we propose using random edge dropping to detect backdoors and theoretically show that it can efficiently distinguish poisoned nodes from clean ones. Furthermore, we introduce a novel robust training strategy to efficiently counteract the impact of the triggers. Extensive experiments on real-world datasets show that our framework can effectively identify poisoned nodes, significantly degrade the attack success rate, and maintain clean accuracy when defending against various types of graph backdoor attacks with different properties.

Robustness Inspired Graph Backdoor Defense

TL;DR

This work tackles graph backdoor risks in GNNs by proposing RIGBD, a defense that uses prediction variance induced by random edge dropping to identify poisoned target nodes and then trains a backdoor-robust model with a specialized loss. The authors provide theoretical guarantees showing that the random edge-dropping mechanism distinguishes poisoned nodes while preserving clean-node stability, and they demonstrate a robust training objective that mitigates trigger effects even when some poisons are missed. Across multiple datasets and attack types, RIGBD achieves near-zero ASR while maintaining clean accuracy, and it attains high precision and recall in poisoned-node detection. The method’s theoretical and empirical results suggest strong practical impact for deploying GNNs in security-sensitive applications with diverse backdoor threats.

Abstract

Graph Neural Networks (GNNs) have achieved promising results in tasks such as node classification and graph classification. However, recent studies reveal that GNNs are vulnerable to backdoor attacks, posing a significant threat to their real-world adoption. Despite initial efforts to defend against specific graph backdoor attacks, there is no work on defending against various types of backdoor attacks where generated triggers have different properties. Hence, we first empirically verify that prediction variance under edge dropping is a crucial indicator for identifying poisoned nodes. With this observation, we propose using random edge dropping to detect backdoors and theoretically show that it can efficiently distinguish poisoned nodes from clean ones. Furthermore, we introduce a novel robust training strategy to efficiently counteract the impact of the triggers. Extensive experiments on real-world datasets show that our framework can effectively identify poisoned nodes, significantly degrade the attack success rate, and maintain clean accuracy when defending against various types of graph backdoor attacks with different properties.
Paper Structure (42 sections, 4 theorems, 20 equations, 12 figures, 12 tables, 1 algorithm)

This paper contains 42 sections, 4 theorems, 20 equations, 12 figures, 12 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Preliminary
  4. Background and problem definition
  5. Prediction variance caused by trigger edge dropping
  6. Methodology
  7. Identifying poisoned target nodes by random edge dropping
  8. Backdoor robust GNN model training
  9. Experiments
  10. Experimental setup
  11. Performance of defense
  12. Ability to detect poisoned nodes
  13. Hyperparameter Analysis and Ablation Study
  14. Conclusion
  15. Details of Related Works
  16. ...and 27 more sections

Key Result

Theorem 1

Consider a graph $\mathcal{G}=\left\{\mathcal{V},\mathcal{E},\mathbf{X}\right\}$ following Assumptions (1)-(3). For clean node $v_i\in\mathcal{V}$ and its neighbors $\mathcal{N}(i)$, the expectation of the pre-activation output of a single operation defined in Eq. repre is given by $\mathbb{E}[\math

Figures (12)

  • Figure 1: Prediction variance caused by dropping trigger edges and clean edges.
  • Figure 2: Framework of RIGBD
  • Figure 3: Hyperparameter Sensitivity Analysis and Ablation Study.
  • Figure 4: Visualization of prediction variance caused by dropping trigger edges and clean edges.
  • Figure 5: Visualization of prediction variance caused by random edge dropping.
  • ...and 7 more figures

Theorems & Definitions (4)

  • Theorem 1
  • Theorem 2
  • Theorem 3
  • Lemma 1