"No Matter What You Do": Purifying GNN Models via Backdoor Unlearning

TL;DR

This paper introduces GCleaner, a novel method for defending GNNs against backdoor attacks by unlearning backdoor triggers through trigger recovery and knowledge distillation, significantly reducing attack success rates with minimal performance loss.

Contribution

GCleaner is the first backdoor mitigation approach for GNNs that recovers triggers and unlearns backdoor features, outperforming existing defenses in effectiveness and efficiency.

Findings

Reduces backdoor attack success rate to 10% with minimal performance loss.

Requires only 1% of clean data for effective mitigation.

Outperforms state-of-the-art backdoor defense methods.

Abstract

Recent studies have exposed that GNNs are vulnerable to several adversarial attacks, among which backdoor attack is one of the toughest. Similar to Deep Neural Networks (DNNs), backdoor attacks in GNNs lie in the fact that the attacker modifies a portion of graph data by embedding triggers and enforces the model to learn the trigger feature during the model training process. Despite the massive prior backdoor defense works on DNNs, defending against backdoor attacks in GNNs is largely unexplored, severely hindering the widespread application of GNNs in real-world tasks. To bridge this gap, we present GCleaner, the first backdoor mitigation method on GNNs. GCleaner can mitigate the presence of the backdoor logic within backdoored GNNs by reversing the backdoor learning procedure, aiming to restore the model performance to a level similar to that is directly trained on the original clean dataset. To achieve this objective, we ask: How to recover universal and hard backdoor triggers in GNNs? How to unlearn the backdoor trigger feature while maintaining the model performance? We conduct the graph trigger recovery via the explanation method to identify optimal trigger locations, facilitating the search of universal and hard backdoor triggers in the feature space of the backdoored model through maximal similarity. Subsequently, we introduce the backdoor unlearning mechanism, which combines knowledge distillation and gradient-based explainable knowledge for fine-grained backdoor erasure. Extensive experimental evaluations on four benchmark datasets demonstrate that GCleaner can reduce the backdoor attack success rate to 10% with only 1% of clean data, and has almost negligible degradation in model performance, which far outperforms the state-of-the-art (SOTA) defense methods.