Robustness Inspired Graph Backdoor Defense
Zhiwei Zhang, Minhua Lin, Junjie Xu, Zongyu Wu, Enyan Dai, Suhang Wang

TL;DR
This paper introduces a novel defense framework against various graph backdoor attacks on GNNs, using random edge dropping for detection and robust training to maintain accuracy and reduce attack success.
Contribution
It proposes a new detection method based on prediction variance and a robust training strategy to defend against diverse graph backdoor attacks.
Findings
Effective identification of poisoned nodes via edge dropping
Significant reduction in attack success rate
Maintains high accuracy on clean data
Abstract
Graph Neural Networks (GNNs) have achieved promising results in tasks such as node classification and graph classification. However, recent studies reveal that GNNs are vulnerable to backdoor attacks, posing a significant threat to their real-world adoption. Despite initial efforts to defend against specific graph backdoor attacks, there is no work on defending against various types of backdoor attacks where generated triggers have different properties. Hence, we first empirically verify that prediction variance under edge dropping is a crucial indicator for identifying poisoned nodes. With this observation, we propose using random edge dropping to detect backdoors and theoretically show that it can efficiently distinguish poisoned nodes from clean ones. Furthermore, we introduce a novel robust training strategy to efficiently counteract the impact of the triggers. Extensive experiments…
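The detection signal described in the abstract, prediction variance under random edge dropping, shown as an added example that is not the paper's code. The toy graph, node ids, the mean-aggregation stand-in for a trained GNN, and the values of `weight`, `k` and `drop_prob` are all constructed assumptions.

```python
import math
import random

# Constructed toy graph: scalar features, class 0 ~ -1.0, class 1 ~ +1.0.
# Node 9 is a hypothetical trigger node with an extreme feature; node 0 is
# a class-0 node that the trigger edge (0, 9) pushes to class 1.
FEATURES = {0: -1.0, 1: -1.0, 2: -1.0, 3: -1.0, 4: -1.0,
            5: 1.0, 6: 1.0, 7: 1.0, 9: 10.0}
EDGES = [(0, 1), (0, 2), (0, 3), (0, 9),   # poisoned node and its trigger edge
         (1, 2), (2, 3),                   # clean class-0 neighbourhood
         (4, 1), (4, 2), (4, 5),           # node 4: clean node on the class boundary
         (5, 6), (6, 7), (5, 7)]           # clean class-1 neighbourhood

def predict(edges, weight=4.0):
    """Stand-in for a trained GNN: mean-aggregate self + neighbours, then sigmoid."""
    neigh = {v: [v] for v in FEATURES}
    for a, b in edges:
        neigh[a].append(b)
        neigh[b].append(a)
    probs = {}
    for v, members in neigh.items():
        h = sum(FEATURES[u] for u in members) / len(members)
        probs[v] = 1.0 / (1.0 + math.exp(-weight * h))  # P(class 1)
    return probs

def prediction_variance(k=100, drop_prob=0.5, seed=0):
    """Run k inferences on randomly edge-dropped graphs; return per-node variance."""
    rng = random.Random(seed)
    runs = []
    for _ in range(k):
        kept = [e for e in EDGES if rng.random() >= drop_prob]
        runs.append(predict(kept))
    variance = {}
    for v in FEATURES:
        mean = sum(r[v] for r in runs) / k
        variance[v] = sum((r[v] - mean) ** 2 for r in runs) / k
    return variance

def rank_suspects(variance):
    """Nodes in descending order of prediction variance."""
    return sorted(variance, key=variance.get, reverse=True)

if __name__ == "__main__":
    var = prediction_variance()
    for node in rank_suspects(var):
        print(f"node {node}: variance {var[node]:.4f}")
```

Node 0's prediction depends on a single edge, so it flips whenever that edge is dropped and its variance dominates; node 4 also has mixed neighbours but no single edge controls its output, so its variance stays small.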
Peer Reviews
Decision: ICLR 2025 Oral
1. The idea is novel and interesting, and is well evaluated empirically and theoretically. 2. In addition to the detection of poisoned nodes, this paper also proposes robust training to enhance defense performance further. This can safeguard GNN models against different kinds of attacks. 3. A well-written paper, and easy to follow.
1. To verify the effectiveness and generalization of the proposed defense, I suggest the authors discuss in depth the mechanism of dirty-label backdoor attacks against GNNs. 2. I find that the discussion among baselines and the proposed defense is missing, e.g., why the proposed work only performs better on defending DPGBA. This also weakens the contribution of this work. Finally, I find that the baselines are not targeted at graph backdoor attacks, e.g., GNNGuard targets defending adversarial
- RIGBD is specifically designed for graph-structured data, effectively leveraging the behavior of malicious edges linking trigger subgraphs to poisoned nodes. The core insight—that the implanted trigger influences prediction by transmitting malicious information through these edges—is particularly valuable in identifying poisoned nodes. - This paper introduces an intriguing observation: simply removing backdoor triggers does not necessarily immunize the model against backdoor attacks. This ins
- Though experiments demonstrate the superiority of RIGBD against subgraph-based backdoor attacks, its resistance against other forms of graph backdoors, e.g., injecting backdoors in the spectral domain [1], remains unevaluated. - The method proposed for determining target nodes and labels seems to lack robustness. Specifically, the authors suggest ranking nodes in descending order based on prediction variance after random edge dropping, selecting the top-ranked nodes until a node label differs
1. The structure of the paper is clear and easy to follow. 2. The paper conducts comprehensive experiments to demonstrate the performance of the proposed method.
1. There are concerns about the efficiency of the method. First, the proposed method requires training the GNN encoder twice, which incurs a large overhead cost, especially in larger datasets such as obg-products[1]. In addition, when calculating the prediction variance, it is necessary to infer K times on the graph, which also brings a large overhead. 2. The proposed method seems to rely on the homogeneity assumption. In heterophilic graphs, nodes tend to connect to nodes that share different
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Graph Neural Networks · Anomaly Detection Techniques and Applications
