This paper introduces DShield, a defense framework against backdoor attacks on Graph Neural Networks (GNNs). GNNs are susceptible to backdoor attacks in which triggers lead to adversarial predictions. The interconnected nature of graph data makes these attacks difficult to detect.

DShield mitigates these attacks by exploiting discrepancies in how poisoned and clean data are processed. The framework identifies two key attack behaviors: semantic drift and attribute over-emphasis. DShield uses a self-supervised learning approach to build a model without relying on the manipulated labels. It then compares this model with a backdoored model to find discrepancies in semantics and in attribute importance. This comparison allows DShield to filter out poisoned nodes effectively. The normal models are then trained on the preserved nodes, minimizing the impact of the attack.

DShield was evaluated against 21 different backdoor attacks across seven datasets and two victim models. It demonstrated effectiveness, significantly reducing attack success rates while maintaining good performance on normal data. For example, on the Cora dataset, DShield achieved a very low attack success rate. The source code for DShield is publicly available on GitHub.

The research was presented at the Network and Distributed System Security Symposium (NDSS), a conference focused on practical network security. NDSS aims to advance and deploy security technologies within the Internet community.
