GraphPurge: A New Paradigm for Defending Against Backdoor Attacks on Graph Neural Networks

GraphPurge is an evidence-guided, trigger-aware backdoor forgetting framework that proposes a precise defense solution for the backdoor attack problem faced by graph neural networks (GNNs). This framework combines three core innovations: trigger awareness, evidence guidance, and forgetting learning, providing a new paradigm for GNN security defense with both academic value and practical significance.

Backdoor attacks implant triggers during model training, causing the model to perform normally on regular inputs but produce incorrect outputs when inputs contain trigger patterns—making them highly stealthy. GNN backdoor attacks are even more challenging: complex graph structures (triggers can be implanted at structural/feature levels), hidden triggers (malicious subgraphs/edges easily blend into normal structures), and wide propagation (the aggregation mechanism leads to rapid spread of backdoor effects).

1. Trigger Awareness: Identify and locate backdoor triggers for precise removal, distinguishing itself from traditional "one-size-fits-all" strategies; 2. Evidence Guidance: Use supporting information for model decisions (node/edge contributions) to identify hijacked decision paths and quantify the impact of substructures; 3. Forgetting Learning: Optimize algorithms to make the model forget backdoor mapping relationships, with advantages including high computational efficiency, low data requirements, and preservation of performance on clean data.

Divided into three phases: 1. Trigger Detection: Scan suspicious graph data, combining statistical analysis and pattern recognition to find abnormal subgraphs; 2. Evidence Analysis: Calculate evidence weights to distinguish real backdoor triggers from normal structures; 3. Targeted Forgetting: Adjust model parameters to eliminate incorrect behaviors activated by backdoors while preserving normal functionality.

Applicable to multiple domains: financial risk control (protecting anti-fraud graph models), recommendation systems (preventing manipulation of recommendation results), drug discovery (ensuring reliable molecular graph predictions), and social networks (defending against relationship analysis attacks), ensuring model security and reliability.

Research Significance: Represents an important progress in GNN security defense, providing practical tools and a new defense paradigm. Future Directions: Explore adaptive trigger detection, more efficient forgetting algorithms, scenario-specific customized strategies, and integration solutions with other security technologies.