Session 12D: ML Backdoors
Authors, Creators & Presenters: Hao Yu (National University of Defense Technology), Chuan Ma (Chongqing University), Xinhang Wan (National University of Defense Technology), Jun Wang (National University of Defense Technology), Tao Xiang (Chongqing University), Meng Shen (Beijing Institute of Technology, Beijing, China), Xinwang Liu (National University of Defense Technology)
PAPER
DShield: Defending against Backdoor Attacks on Graph Neural Networks via Discrepancy Learning
Graph Neural Networks (GNNs) are vulnerable to backdoor attacks, where triggers inserted into original graphs cause adversary-determined predictions. Backdoor attacks on GNNs, typically focusing on node classification tasks, are categorized by dirty- and clean-label attacks and pose challenges due to the interconnected nature of normal and poisoned nodes. Current defenses are indeed circumvented by sophisticated triggers and often rely on strong assumptions borrowed from other domains (e.g., rapid loss drops on poisoned images). They lead to high attack risks, failing to effectively protect against both dirty- and clean-label attacks simultaneously. To tackle these challenges, we propose DShield, a comprehensive defense framework with a discrepancy learning mechanism to defend against various graph backdoor attacks. Specifically, we reveal two vital facts during the attacking process: semantic drift where dirty-label attacks modify the semantic information of poisoned nodes, and attribute over-emphasis where clean-label attacks exaggerate specific attributes to enforce adversary-determined predictions. Motivated by those, DShield employs a self-supervised learning framework to construct a model without relying on manipulated label information. Subsequently, it utilizes both the self-supervised and backdoored models to analyze discrepancies in semantic information and attribute importance, effectively filtering out poisoned nodes. Finally, DShield trains normal models using the preserved nodes, thereby minimizing the impact of poisoned nodes. Compared with 6 state-of-the-art defenses under 21 backdoor attacks, we conduct evaluations on 7 datasets with 2 victim models to demonstrate that DShield effectively mitigates backdoor threats with minimal degradation in performance on normal nodes. For instance, on the Cora dataset, DShield reduces the attack success rate to 1.33% from 54.47% achieved by the second-best defense Prune while maintaining an 82.15% performance on normal nodes. The source code is available at [https://github.com/csyuhao/DShield](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbXBPNWhIOTNzOWxjUDVoN00ydFhXQmZpdDVuUXxBQ3Jtc0tsSXhmNVQ0ZTFabDhreHlhT1hselF5emxqU2hYeVV6RXlPREQ4bVNwdmxmNTNWUHlyX2VTeWhxd240YTNkNXFNRlZVOTFaeUJ0bkNpWThyUTlhb2xWM19LZjZPUDRTZ0pHazh6OTZuR0RXVkdQdlh6SQ&q=https%3A%2F%2Fgithub.com%2Fcsyuhao%2FDShield&v=Wp1QiNBdM5U).
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations’ YouTube Channel.
The post NDSS 2025 – Defending Against Backdoor Attacks On Graph Neural Networks Via Discrepancy Learning appeared first on Security Boulevard.
Read the original article: