MADE: Graph Backdoor Defense with Masked Unlearning

TL;DR

This paper introduces MADE, a novel graph backdoor defense method that uses masked unlearning to effectively reduce attack success rates while preserving classification accuracy in GNNs.

Contribution

MADE is the first to propose a masked unlearning approach specifically designed for defending GNNs against backdoor attacks, addressing limitations of image-based defenses.

Findings

MADE significantly lowers backdoor attack success rates.

MADE maintains high classification accuracy.

Extensive experiments validate MADE's effectiveness across various tasks.

Abstract

Graph Neural Networks (GNNs) have garnered significant attention from researchers due to their outstanding performance in handling graph-related tasks, such as social network analysis, protein design, and so on. Despite their widespread application, recent research has demonstrated that GNNs are vulnerable to backdoor attacks, implemented by injecting triggers into the training datasets. Trained on the poisoned data, GNNs will predict target labels when attaching trigger patterns to inputs. This vulnerability poses significant security risks for applications of GNNs in sensitive domains, such as drug discovery. While there has been extensive research into backdoor defenses for images, strategies to safeguard GNNs against such attacks remain underdeveloped. Furthermore, we point out that conventional backdoor defense methods designed for images cannot work well when directly implemented on graph data. In this paper, we first analyze the key difference between image backdoor and graph backdoor attacks. Then we tackle the graph defense problem by presenting a novel approach called MADE, which devises an adversarial mask generation mechanism that selectively preserves clean sub-graphs and further leverages masks on edge weights to eliminate the influence of triggers effectively. Extensive experiments across various graph classification tasks demonstrate the effectiveness of MADE in significantly reducing the attack success rate (ASR) while maintaining a high classification accuracy.