Defense-as-a-Service: Black-box Shielding against Backdoored Graph Models
Xiao Yang, Kai Zhou, Yuni Lai, Gaolei Li

TL;DR
GraphProt is a model-agnostic, input-only defense method for GNNs that uses subgraph analysis to effectively mitigate backdoor attacks without requiring model access or fine-tuning.
Contribution
Proposes GraphProt, a novel backdoor defense leveraging subgraph clustering and ensemble techniques, applicable in privacy-sensitive, resource-constrained scenarios.
Findings
Significantly reduces backdoor attack success rates
Maintains high accuracy on clean graph classification tasks
Effective across multiple attack types and datasets
Abstract
With the trend of large graph learning models, business owners tend to employ a model provided by a third party to deliver business services to users. However, these models might be backdoored, and malicious users can submit trigger-embedded inputs to manipulate the model predictions. Current graph backdoor defenses have several limitations: 1) depending on model-related details, 2) requiring additional model fine-tuning, and 3) relying upon extra explainability tools, all of which are infeasible under stringent privacy policies. To address those limitations, we propose GraphProt, which allows resource-constrained business owners to rely on third parties to avoid backdoor attacks on GNN-based graph classifiers. Our GraphProt is model-agnostic and only relies on the input graph. The key insight is to leverage subgraph information for prediction, thereby mitigating backdoor effects…
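A toy illustration of the input-only idea in the abstract, added here and not the authors' GraphProt implementation: the defender only splits the input graph into subgraphs, queries the black-box model on each, and takes a majority vote. The stand-in model, its 4-clique trigger, the BFS partition and the sample graphs are all constructed assumptions.

```python
from collections import Counter
from itertools import combinations

def blackbox_predict(nodes, edges):
    """Constructed stand-in for the third-party model; the defender only calls it."""
    es = {frozenset(e) for e in edges}
    if any(all(frozenset(p) in es for p in combinations(q, 2))
           for q in combinations(sorted(nodes), 4)):
        return 1  # assumed backdoor: any 4-clique forces the target label 1
    pairs = len(nodes) * (len(nodes) - 1) / 2
    return int(pairs > 0 and len(es) / pairs > 0.6)  # clean rule: dense -> 1

def partition(nodes, edges, k):
    """Grow k roughly equal node clusters by BFS (simple stand-in for clustering)."""
    adj = {n: set() for n in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    size = -(-len(nodes) // k)  # ceiling division
    unassigned, clusters = set(nodes), []
    while unassigned:
        cluster, queue = set(), []
        while unassigned and len(cluster) < size:
            if not queue:
                queue.append(min(unassigned))  # reseed when BFS runs dry
            n = queue.pop(0)
            if n in unassigned:
                unassigned.discard(n)
                cluster.add(n)
                queue.extend(sorted(adj[n] & unassigned))
        clusters.append(cluster)
    return clusters

def shielded_predict(nodes, edges, k=3):
    """Input-only defense: majority vote over per-subgraph black-box predictions."""
    votes = []
    for c in partition(nodes, edges, k):
        sub = [(u, v) for u, v in edges if u in c and v in c]
        votes.append(blackbox_predict(c, sub))
    return Counter(votes).most_common(1)[0][0], votes

# Constructed sample graphs on 12 nodes.
NODES = list(range(12))
RING = [(i, (i + 1) % 12) for i in range(12)]        # sparse, clean label 0
TRIGGERED = RING + [(0, 2), (0, 3), (1, 3)]          # same graph plus a 4-clique
DENSE = [(u, v) for u, v in combinations(NODES, 2) if u % 3 != v % 3]  # label 1

if __name__ == "__main__":
    for name, g in [("ring", RING), ("triggered", TRIGGERED), ("dense", DENSE)]:
        print(name, blackbox_predict(NODES, g), shielded_predict(NODES, g))
```

In this toy setup the trigger lands in a single subgraph, so it controls one vote out of three; the vote only helps while the subgraphs containing the trigger stay a minority.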
Taxonomy
Topics: Radiation Effects in Electronics · Information and Cyber Security · Physical Unclonable Functions (PUFs) and Hardware Security
