TY - GEN
T1 - Unveiling Backdoor Propagation in Graphs
T2 - 35th ACM Web Conference, WWW 2026
AU - Jin, Di
AU - Feng, Bingdao
AU - Wang, Xiaobao
AU - Zhang, Yuxiang
AU - Zhang, Zechuan
AU - Yang, Liang
AU - He, Dongxiao
AU - Wang, Zhen
N1 - Publisher Copyright:
© 2026 Owner/Author.
PY - 2026/4/12
Y1 - 2026/4/12
N2 - Defending against backdoor attacks on graphs has become increasingly critical. Existing methods predominantly focus on detecting and removing triggers by identifying inconsistencies between trigger and clean nodes. However, adversaries can design triggers that closely resemble clean nodes, making them challenging to detect. Therefore, understanding the mechanisms underlying backdoor attacks is crucial. In this work, we observe an interesting phenomenon: in backdoored models, specific "backdoor neurons"(embedding dimensions) are more likely to be activated, causing nodes to be misclassified to the target label. This is largely due to the graph structure, where malicious information propagates through node neighborhoods, activating specific neurons and target label. Based on this observation, we theoretically and empirically demonstrate how graph backdoor attacks exploit this propagation mechanism to effectively poison the target node's embedding. Meanwhile, we propose a novel defense called Graph Backdoor Neuron Defense (GBND) to identify, unlearn, and recover backdoor neurons. Specifically, we design a novel reverse engineering technique to identify triggers that activate backdoor neurons, and eliminate their harmful effects by asymmetric unlearning and recovering at the neuron level. Extensive experiments on four datasets validate the effectiveness of GBND in defending against backdoor attacks.
AB - Defending against backdoor attacks on graphs has become increasingly critical. Existing methods predominantly focus on detecting and removing triggers by identifying inconsistencies between trigger and clean nodes. However, adversaries can design triggers that closely resemble clean nodes, making them challenging to detect. Therefore, understanding the mechanisms underlying backdoor attacks is crucial. In this work, we observe an interesting phenomenon: in backdoored models, specific "backdoor neurons"(embedding dimensions) are more likely to be activated, causing nodes to be misclassified to the target label. This is largely due to the graph structure, where malicious information propagates through node neighborhoods, activating specific neurons and target label. Based on this observation, we theoretically and empirically demonstrate how graph backdoor attacks exploit this propagation mechanism to effectively poison the target node's embedding. Meanwhile, we propose a novel defense called Graph Backdoor Neuron Defense (GBND) to identify, unlearn, and recover backdoor neurons. Specifically, we design a novel reverse engineering technique to identify triggers that activate backdoor neurons, and eliminate their harmful effects by asymmetric unlearning and recovering at the neuron level. Extensive experiments on four datasets validate the effectiveness of GBND in defending against backdoor attacks.
KW - backdoor attacks
KW - graph neural networks
KW - neuron-level defense
UR - https://www.scopus.com/pages/publications/105038594634
U2 - 10.1145/3774904.3792403
DO - 10.1145/3774904.3792403
M3 - 会议稿件
AN - SCOPUS:105038594634
T3 - WWW 2026 - Proceedings of the ACM Web Conference 2026
SP - 1038
EP - 1048
BT - WWW 2026 - Proceedings of the ACM Web Conference 2026
PB - Association for Computing Machinery, Inc
Y2 - 29 June 2026 through 3 July 2026
ER -