Pith. sign in

REVIEW 2 major objections 2 minor 55 references

Graph backdoors exhibit lower feature-based homophily than clean nodes regardless of trigger type.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.3

2026-06-30 19:36 UTC pith:NP427IBV

load-bearing objection The paper claims lower feature homophily is a shared signature across subgraph and feature-based graph backdoors and builds a reconstruction-loss detector around it, but the separation from natural low-homophily nodes remains the key untested step. the 2 major comments →

arxiv 2605.16815 v2 pith:NP427IBV submitted 2026-05-16 cs.CR cs.LG

Universal Graph Backdoor Defense: A Feature-based Homophily Perspective

classification cs.CR cs.LG
keywords graph neural networksbackdoor attacksfeature-based homophilydefensereconstruction lossrobust traininggraph security
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that both subgraph-based and feature-based graph backdoor attacks produce backdoor nodes with lower feature-based homophily, a measure of local feature consistency with neighboring nodes. This shared discrepancy is demonstrated through theoretical and empirical analysis. The insight leads to a detection method that uses a neighbor-aware reconstruction loss to identify backdoors by their reduced local consistency. A subsequent robust training step removes trigger effects while limiting noise from imperfect detection. The result is a defense that applies to both attack families without depending on explicit structural triggers.

Core claim

Regardless of trigger mechanisms, backdoors induced by GBAs exhibit lower feature-based homophily than clean nodes, indicating a discrepancy in local feature similarity. Node-level local feature consistency, modeled by a neighbor-aware reconstruction loss, distinguishes backdoors from clean nodes, after which a robust training strategy eliminates trigger effects while reducing noise from detection uncertainty.

What carries the argument

Neighbor-aware reconstruction loss that measures local feature consistency between a node and its neighborhood to flag lower-homophily backdoors.

Load-bearing premise

The lower feature-based homophily effect is present for both attack types and can separate backdoors from clean nodes without too many false positives or reduced clean accuracy.

What would settle it

A set of backdoor nodes generated by either attack type that display feature-based homophily values statistically indistinguishable from clean nodes, or a clean graph on which the reconstruction-loss detector produces high false-positive rates.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • The defense reduces attack success rate on both subgraph-based and feature-based GBAs.
  • Clean accuracy remains competitive with undefended models.
  • Detection and mitigation succeed without assuming poisoned nodes are explicitly linked to subgraph triggers.
  • The same local-consistency signal works across multiple GNN architectures tested in the experiments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The homophily gap could be monitored at inference time to flag suspicious nodes in deployed graphs.
  • Similar consistency checks might apply to other relational poisoning settings beyond backdoors.
  • If the gap persists under adaptive attacks that try to match homophily, the defense would need additional signals.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 2 minor

Summary. The paper claims that graph backdoor attacks (both subgraph-based and feature-based) induce lower feature-based homophily in poisoned nodes than in clean nodes, as established by theoretical and empirical analyses. Motivated by this discrepancy in local feature consistency, the authors propose a neighbor-aware reconstruction loss to detect backdoors and a robust training strategy to mitigate triggers while preserving clean accuracy. Extensive experiments are reported to show that the approach significantly reduces attack success rate under both attack types without substantial clean accuracy loss.

Significance. If the claimed universal homophily discrepancy provides reliable separation even in the presence of naturally low-homophily clean nodes, the work would fill a clear gap by extending defenses beyond structure-centric assumptions to feature-based GBAs. The feature-based homophily lens and reconstruction-loss detection are potentially generalizable strengths, provided the separation margin is shown to be robust rather than graph-dependent.

major comments (2)
  1. [Abstract] Abstract and theoretical analyses: the central claim that backdoors exhibit lower feature-based homophily 'regardless of trigger mechanisms' and that this discrepancy is sufficient to distinguish them without excessive false positives is load-bearing for the entire defense. The provided text asserts thorough analyses but supplies no quantitative separation margins, false-positive rates, or results on heterophilic graphs, leaving open whether naturally low-homophily clean nodes (common by construction in many real graphs) would trigger the same reconstruction-loss signal.
  2. [Robust training strategy] Robust training strategy section: the claim that the strategy 'eliminates trigger effects while reducing noise induced by detection uncertainty' requires explicit evidence that the detection threshold does not systematically remove clean nodes in low-homophily regions; without such validation the accuracy-maintenance guarantee is at risk.
minor comments (2)
  1. [Abstract] The abstract states 'extensive experiments' but reports no dataset names, sizes, or error bars; adding these would improve reproducibility assessment.
  2. [Method] Notation for feature-based homophily and the neighbor-aware reconstruction loss should be defined with an explicit equation early in the method section for clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our work. The comments highlight important aspects of our central claims and the need for explicit validation in the robust training component. We respond point by point below.

read point-by-point responses
  1. Referee: [Abstract] Abstract and theoretical analyses: the central claim that backdoors exhibit lower feature-based homophily 'regardless of trigger mechanisms' and that this discrepancy is sufficient to distinguish them without excessive false positives is load-bearing for the entire defense. The provided text asserts thorough analyses but supplies no quantitative separation margins, false-positive rates, or results on heterophilic graphs, leaving open whether naturally low-homophily clean nodes (common by construction in many real graphs) would trigger the same reconstruction-loss signal.

    Authors: The full manuscript contains theoretical analysis (Section 3) proving that both attack types reduce local feature homophily via neighborhood disruption, and empirical results (Sections 4-5) across datasets showing consistent lower homophily and higher reconstruction loss for poisoned nodes. However, we acknowledge the referee's point that the abstract and main text do not report explicit quantitative separation margins, false-positive rates, or dedicated experiments on heterophilic graphs. We will revise to include these: separation margins and FPR at the operating threshold, plus new results on heterophilic benchmarks to verify the signal remains reliable. revision: yes

  2. Referee: [Robust training strategy] Robust training strategy section: the claim that the strategy 'eliminates trigger effects while reducing noise induced by detection uncertainty' requires explicit evidence that the detection threshold does not systematically remove clean nodes in low-homophily regions; without such validation the accuracy-maintenance guarantee is at risk.

    Authors: We agree that explicit evidence on threshold behavior for low-homophily clean nodes is necessary to support the accuracy claim. The current manuscript describes the robust training but does not provide stratified analysis by homophily level. We will add this validation in revision, including loss distributions for clean nodes grouped by homophily, threshold sensitivity analysis, and clean accuracy on low-homophily subsets to confirm no systematic removal occurs. revision: yes

Circularity Check

0 steps flagged

No significant circularity; derivation grounded in independent observable property

full rationale

The paper's core derivation begins from an empirical and theoretical observation that backdoored nodes exhibit lower feature-based homophily (local feature consistency with neighborhoods) than clean nodes, regardless of trigger type. This discrepancy is presented as a discovered graph property, not defined in terms of the subsequent reconstruction loss or detection rule. The neighbor-aware reconstruction loss is then motivated by this property to flag low-consistency nodes, but the loss is not equivalent to the homophily discrepancy by construction, nor is any parameter fitted to the attack itself and relabeled as a prediction. No self-citation chains, uniqueness theorems, or ansatzes imported from prior author work are invoked as load-bearing steps in the provided text. The framework therefore remains self-contained against external benchmarks of graph structure rather than reducing to its own inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the unverified premise that backdoors of both types reliably produce lower feature homophily; no free parameters, axioms, or invented entities are explicitly introduced in the abstract.

axioms (1)
  • domain assumption Backdoors induced by GBAs exhibit lower feature-based homophily than clean nodes regardless of trigger mechanism.
    Invoked in the theoretical and empirical analyses section of the abstract as the motivating insight.

pith-pipeline@v0.9.1-grok · 5773 in / 1276 out tokens · 27560 ms · 2026-06-30T19:36:39.308619+00:00 · methodology

0 comments
read the original abstract

Graph neural networks (GNNs) have achieved remarkable success in relational learning. However, their vulnerability to graph backdoor attacks (GBAs) poses a significant barrier to broader adoption in high-stakes applications. Despite recent advances in graph backdoor defense (GBD), existing methods primarily focus on subgraph-based GBAs, relying on the assumption that poisoned target nodes are explicitly connected to subgraph triggers. Our empirical results reveal that such structure-centric approaches fail to defend against emerging feature-based GBAs that preserve graph topology. Therefore, in this paper, we study a novel problem of universal graph backdoor defense. First, we investigate the shared effects of both attack types from a feature-based homophily perspective, which characterizes local feature consistency between nodes and their neighborhoods. Thorough theoretical and empirical analyses demonstrate that, regardless of trigger mechanisms, backdoors induced by GBAs exhibit lower feature-based homophily than clean nodes, indicating a discrepancy in local feature similarity. Motivated by this insight, we propose to leverage node-level local feature consistency, modeled by a neighbor-aware reconstruction loss, to distinguish backdoors from clean nodes. Then, a robust training strategy is developed to eliminate trigger effects while reducing noise induced by detection uncertainty. Extensive experiments demonstrate that our framework significantly degrades the attack success rate and maintains competitive clean accuracy under both subgraph-based and feature-based attacks.

Figures

Figures reproduced from arXiv: 2605.16815 by Chen Chen, Fan Li, Mengting Pan, Xiaoyang Wang.

Figure 1
Figure 1. Figure 1: (a): Attack success rate (%) of different graph back [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Framework of CoGBD. exhibit substantially lower feature-based homophily than clean nodes, reflecting a clear homophily discrepancy between backdoors and clean nodes. For poisoned target nodes, this gap is particularly pronounced under feature-based attacks such as SPEAR, where attribute-level triggers directly disrupt local feature–neighborhood alignment (e.g., on OGB-arxiv, target nodes show an approximat… view at source ↗
Figure 3
Figure 3. Figure 3: Sensitivity analysis of 𝛼 and 𝛽 [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Sensitivity analysis of 𝜆. removing certain components remains effective for specific attacks (e.g., “w/o Lnode” on GTA, DPGBA, and SPEAR), as these attacks are more sensitive to neighborhood-level or cross-level inconsisten￾cies, this behavior does not generalize to UGBA. This indicates that jointly modeling node-level, neighborhood-level, and feature-based homophily reconstruction signals is essential fo… view at source ↗
Figure 5
Figure 5. Figure 5: Sensitivity analysis of weights: 𝛼 and 𝛽 [PITH_FULL_IMAGE:figures/full_fig_p016_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Sensitivity analysis of 𝜏. suspicious nodes, amplifying the impact of false positives and intro￾ducing training noise, which again degrades robustness (e.g., 6.07% ASR on UGBA at 𝜏 = 1.0). Overall, moderate values of 𝜏 provide the best balance between robustness and accuracy. In our experiments, 𝜏 ∈ [0.4, 0.6] consistently achieves low ASR while preserving high clean accuracy across different attack settin… view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

55 extracted references · 4 canonical work pages · 2 internal anchors

  1. [1]

    Peter W Battaglia, Jessica B Hamrick, Victor Bapst, Alvaro Sanchez-Gonzalez, Vinicius Zambaldi, Mateusz Malinowski, Andrea Tacchetti, David Raposo, Adam Santoro, Ryan Faulkner, et al. 2018. Relational inductive biases, deep learning, and graph networks.arXiv preprint arXiv:1806.01261(2018)

  2. [2]

    Pietro Bongini, Monica Bianchini, and Franco Scarselli. 2021. Molecular gen- erative graph neural networks for drug discovery.Neurocomputing450 (2021), 242–252

  3. [3]

    Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning.arXiv preprint arXiv:1712.05526(2017)

  4. [4]

    Yang Chen, Zhonglin Ye, Haixing Zhao, Ying Wang, and Subrata Kumar Sarker

  5. [5]

    Feature-Based Graph Backdoor Attack in the Node Classification Task.Int. J. Intell. Syst.2023 (Jan. 2023), 13 pages

  6. [6]

    Enyan Dai, Minhua Lin, Xiang Zhang, and Suhang Wang. 2023. Unnoticeable backdoor attacks on graph neural networks. InProceedings of the ACM Web Conference 2023. 2263–2273

  7. [7]

    Kaize Ding, Jundong Li, Rohit Bhanushali, and Huan Liu. 2019. Deep Anomaly Detection on Attributed Networks. InProceedings of the 2019 SIAM International Conference on Data Mining (SDM). 594–602

  8. [8]

    Yuanhao Ding, Yang Liu, Yugang Ji, Weigao Wen, Qing He, and Xiang Ao. 2025. SPEAR: A Structure-Preserving Manipulation Method for Graph Backdoor At- tacks. InProceedings of the ACM on Web Conference 2025 (WWW ’25). 1237–1247

  9. [9]

    Wenqi Fan, Yao Ma, Qing Li, Yuan He, Eric Zhao, Jiliang Tang, and Dawei Yin

  10. [10]

    InThe world wide web conference

    Graph neural networks for social recommendation. InThe world wide web conference. 417–426

  11. [11]

    Tianyu Gu, Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. 2019. BadNets: Evaluating Backdooring Attacks on Deep Neural Networks.IEEE Access7 (2019), 47230–47244

  12. [12]

    Will Hamilton, Zhitao Ying, and Jure Leskovec. 2017. Inductive representation learning on large graphs.Advances in neural information processing systems30 (2017)

  13. [13]

    Weihua Hu, Matthias Fey, Marinka Zitnik, Yuxiao Dong, Hongyu Ren, Bowen Liu, Michele Catasta, and Jure Leskovec. 2020. Open graph benchmark: Datasets for machine learning on graphs.Advances in neural information processing systems 33 (2020), 22118–22133

  14. [14]

    Kipf and Max Welling

    Thomas N. Kipf and Max Welling. 2017. Semi-Supervised Classification with Graph Convolutional Networks. In5th International Conference on Learning Representations, ICLR 2017, Toulon, France, April 24-26, 2017, Conference Track Proceedings. OpenReview.net

  15. [15]

    Sanjay Kumar, Abhishek Mallik, Anavi Khetarpal, and B.S. Panda. 2022. Influence maximization in social networks using graph embedding and graph neural network.Information Sciences607 (2022), 1617–1636

  16. [16]

    Fan Li, Xiaoyang Wang, Dawei Cheng, Wenjie Zhang, Chen Chen, Ying Zhang, and Xuemin Lin. 2025. Tcgu: Data-centric graph unlearning based on transferable condensation.IEEE Transactions on Knowledge and Data Engineering38, 2 (2025), 1334–1348

  17. [17]

    Fan Li, Zhiyu Xu, Dawei Cheng, and Xiaoyang Wang. 2024. AdaRisk: risk- adaptive deep reinforcement learning for vulnerable nodes detection.IEEE Transactions on Knowledge and Data Engineering36, 11 (2024), 5576–5590

  18. [18]

    Jiangtong Li, Dungy Liu, Dawei Cheng, and Changchun Jiang. 2024. Attack by Yourself: Effective and Unnoticeable Multi-Category Graph Backdoor Attacks with Subgraph Triggers Pool.arXiv preprint arXiv:2412.17213(2024)

  19. [19]

    Yiming Li, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. 2022. Backdoor learning: A survey.IEEE transactions on neural networks and learning systems35, 1 (2022), 5–22

  20. [20]

    Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. 2021. Anti-backdoor learning: Training clean models on poisoned data.Advances in Neural Information Processing Systems34 (2021), 14900–14912

  21. [21]

    Yixin Liu, Yizhen Zheng, Daokun Zhang, Vincent CS Lee, and Shirui Pan. 2023. Beyond smoothing: Unsupervised graph representation learning with edge het- erophily discriminating. InProceedings of the AAAI conference on artificial intelli- gence, Vol. 37. 4516–4524

  22. [22]

    Fanchao Qi, Yangyi Chen, Mukai Li, Yuan Yao, Zhiyuan Liu, and Maosong Sun

  23. [23]

    InProceedings of the 2021 conference on empirical methods in natural language processing

    Onion: A simple and effective defense against textual backdoor attacks. InProceedings of the 2021 conference on empirical methods in natural language processing. 9558–9566

  24. [24]

    Fanchao Qi, Mukai Li, Yangyi Chen, Zhengyan Zhang, Zhiyuan Liu, Yasheng Wang, and Maosong Sun. 2021. Hidden Killer: Invisible Textual Backdoor Attacks with Syntactic Trigger. InAnnual Meeting of the Association for Computational Linguistics. https://api.semanticscholar.org/CorpusID:235196099

  25. [25]

    Pedro Quesado, Luis HM Torres, Bernardete Ribeiro, and Joel P Arrais. 2024. A hybrid gnn approach for improved molecular property prediction.Journal of Computational Biology31, 11 (2024), 1146–1157

  26. [26]

    Prithviraj Sen, Galileo Namata, Mustafa Bilgic, Lise Getoor, Brian Galligher, and Tina Eliassi-Rad. 2008. Collective Classification in Network Data.AI Magazine 29, 3 (Sep. 2008), 93

  27. [27]

    Petar Veličković, Guillem Cucurull, Arantxa Casanova, Adriana Romero, Pietro Lio, and Yoshua Bengio. 2018. Graph attention networks. InICLR

  28. [28]

    Binghui Wang, Jinyuan Jia, Xiaoyu Cao, and Neil Zhenqiang Gong. 2021. Certified robustness of graph neural networks against adversarial structural perturbation. InProceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining. 1645–1653

  29. [29]

    Kaiyang Wang, Huaxin Deng, Yijia Xu, Zhonglin Liu, and Yong Fang. 2024. Multi- target label backdoor attacks on graph neural networks.Pattern Recognition152 (2024), 110449

  30. [31]

    Zonghan Wu, Shirui Pan, Fengwen Chen, Guodong Long, Chengqi Zhang, and Philip S Yu. 2020. A comprehensive survey on graph neural networks.IEEE transactions on neural networks and learning systems32, 1 (2020), 4–24

  31. [32]

    Zhaohan Xi, Ren Pang, Shouling Ji, and Ting Wang. 2021. Graph backdoor. In 30th USENIX security symposium (USENIX Security 21). 1523–1540

  32. [33]

    Hui Xia, Xiangwei Zhao, Rui Zhang, Shuo Xu, and Luming Wang. 2025. Clean- label graph backdoor attack in the node classification task. InProceedings of the Thirty-Ninth AAAI Conference on Artificial Intelligence and Thirty-Seventh Conference on Innovative Applications of Artificial Intelligence and Fifteenth Sympo- sium on Educational Advances in Artifici...

  33. [34]

    Jing Xu and Stjepan Picek. 2022. Poster: Clean-label Backdoor Attack on Graph Neural Networks. InProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security(Los Angeles, CA, USA)(CCS ’22). Association for Computing Machinery, New York, NY, USA, 3491–3493

  34. [35]

    Hanqing Zeng, Hongkuan Zhou, Ajitesh Srivastava, Rajgopal Kannan, and Viktor Prasanna. 2019. Graphsaint: Graph sampling based inductive learning method. arXiv preprint arXiv:1907.04931(2019)

  35. [36]

    Xiang Zhang and Marinka Zitnik. 2020. Gnnguard: Defending graph neural networks against adversarial attacks.Advances in neural information processing systems33 (2020), 9263–9275

  36. [37]

    Zaixi Zhang, Jinyuan Jia, Binghui Wang, and Neil Zhenqiang Gong. 2021. Back- door attacks to graph neural networks. InProceedings of the 26th ACM symposium on access control models and technologies. 15–26

  37. [38]

    Zhiwei Zhang, Minhua Lin, Enyan Dai, and Suhang Wang. 2024. Rethinking graph backdoor attacks: A distribution-preserving perspective. InProceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. 4386–4397

  38. [39]

    Zhiwei Zhang, Minhua Lin, Junjie Xu, Zongyu Wu, Enyan Dai, and Suhang Wang

  39. [40]

    InInternational Conference on Learning Representations, Y

    Robustness Inspired Graph Backdoor Defense. InInternational Conference on Learning Representations, Y. Yue, A. Garg, N. Peng, F. Sha, and R. Yu (Eds.), Vol. 2025. 1958–1984

  40. [41]

    Haibin Zheng, Haiyang Xiong, Jinyin Chen, Haonan Ma, and Guohan Huang

  41. [42]

    Motif-Backdoor: Rethinking the Backdoor Attack on Graph Neural Net- works via Motifs.IEEE Transactions on Computational Social Systems11, 2 (2024), 2479–2493

  42. [43]

    Jie Zhou, Ganqu Cui, Shengding Hu, Zhengyan Zhang, Cheng Yang, Zhiyuan Liu, Lifeng Wang, Changcheng Li, and Maosong Sun. 2020. Graph neural networks: A review of methods and applications.AI open1 (2020), 57–81

  43. [44]

    Dingyuan Zhu, Ziwei Zhang, Peng Cui, and Wenwu Zhu. 2019. Robust Graph Convolutional Networks Against Adversarial Attacks. InProceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD ’19). 1399–1407

  44. [45]

    stealthy

    Xiaoqian Zhu, Xiang Ao, Zidi Qin, Yanpeng Chang, Yang Liu, Qing He, and Jianping Li. 2021. Intelligent financial fraud detection practices in post-pandemic era.The Innovation2, 4 (2021), 100176. Pan et al. Appendix A Detailed Proofs Setup.For analytical clarity, we consider an 𝐿-layer linear GNN with normalized adjacency matrix ¯A. LetH (𝑙) denote the nod...

  45. [46]

    GTA.GTA is an early graph backdoor attack that introduces adaptive, sample-specific subgraph triggers via a trigger generator optimized to minimize the backdoor attack loss

  46. [47]

    UGBA.UGBA improves attack efficiency by selecting rep- resentative target nodes through clustering. It further em- ploys a similarity-constrained trigger generator that en- forces feature similarity between trigger nodes and their attached target nodes, enhancing attack stealthiness

  47. [48]

    DPGBA.DPGBA advances subgraph-based attacks by gen- erating in-distribution triggers via adversarial learning, making trigger nodes harder to distinguish from clean ones

  48. [49]

    C.2 Defense Methods

    SPEAR.SPEAR first identifies critical feature dimensions via a global importance-driven selection strategy, and then injects crafted feature-level triggers to maximize the attack success rate while preserving the original graph topology. C.2 Defense Methods. We select three representative defense methods that are specifically designed for graph backdoor a...

  49. [50]

    Prune.Prune removes edges that connect low-similarity node pairs, based on the assumption that such edges are more likely to be introduced by a subgraph triggers

  50. [51]

    OD.OD employs a commonly used outlier detector, DOM- INANT [6], to identify out-of-distribution nodes and re- moves the edges associated with detected anomalies

  51. [52]

    It then estimates the target label and suppresses the confi- dence of suspicious nodes toward the predicted target class to mitigate the backdoor effect

    RIGBD.RIGBD first identifies poisoned target nodes by computing prediction variance over 𝐾 inference runs. It then estimates the target label and suppresses the confi- dence of suspicious nodes toward the predicted target class to mitigate the backdoor effect. Following [36], we also include a strong baseline that aims to learn a clean model directly from...

  52. [53]

    ABL.ABL is motivated by the observation that backdoor patterns are learned significantly faster than clean patterns during training, and that stronger attacks lead to faster convergence on poisoned data. Based on this, ABL proposes a two-stage anti-backdoor learning scheme that employs local gradient ascent (LGA) to first isolate backdoor samples at an ea...

  53. [54]

    The core idea is to construct a smoothed classifier by randomly dropping edges and ag- gregating predictions over multiple randomized graph in- stances

    RS.RS was originally proposed to defend against adversar- ial structural perturbations. The core idea is to construct a smoothed classifier by randomly dropping edges and ag- gregating predictions over multiple randomized graph in- stances. Following [36], we adopt this method as a baseline and set the edge drop ratio to be0 .5to balance defense effective...

  54. [55]

    By dynamically adjusting edge importance during message passing, it suppresses the influence of adversarial connections and enables more robust propagation

    GNNGaurd.GNNGuard adversarial structural perturba- tions by leveraging node similarity to reweight and prune edges. By dynamically adjusting edge importance during message passing, it suppresses the influence of adversarial connections and enables more robust propagation

  55. [56]

    Adversarial perturbations are absorbed into the variances of these distributions, thereby reducing their im- pact on the learned representations

    RobustGCN.RobustGCN improves the robustness of GCNs against adversarial attacks by modeling node representa- tions as Gaussian distributions rather than deterministic vectors. Adversarial perturbations are absorbed into the variances of these distributions, thereby reducing their im- pact on the learned representations. In addition, Robust- GCN introduces...