Stealthy Yet Effective: Distribution-Preserving Backdoor Attacks on Graph Classification

Graph Neural Networks (GNNs) have demonstrated strong performance across tasks such as node classification, link prediction, and graph classification, but remain vulnerable to backdoor attacks that implant imperceptible triggers during training to control predictions. While node-level attacks exploit local message passing, graph-level attacks face the harder challenge of manipulating global representations while maintaining stealth. We identify two main sources of anomaly in existing graph classification backdoor methods: structural deviation from rare subgraph triggers and semantic deviation caused by label flipping, both of which make poisoned graphs easily detectable by anomaly detection models. To address this, we propose DPSBA, a clean-label backdoor framework that learns in-distribution triggers via adversarial training guided by anomaly-aware discriminators. DPSBA effectively suppresses both structural and semantic anomalies, achieving high attack success while significantly improving stealth. Extensive experiments on real-world datasets validate that DPSBA achieves a superior balance between effectiveness and detectability compared to state-of-the-art baselines.

💡 Research Summary

The paper addresses the vulnerability of Graph Neural Networks (GNNs) used for graph‑level classification to backdoor attacks. Existing graph‑classification backdoor methods typically rely on inserting rare subgraph motifs or flipping labels, which creates two major sources of anomaly: (1) structural deviation, because the injected subgraphs are out‑of‑distribution (OOD) and are easily spotted by anomaly detectors; and (2) semantic deviation, because label flipping creates a mismatch between a graph’s intrinsic structure and its assigned class. Both anomalies make poisoned graphs highly detectable, limiting the practicality of such attacks.

To overcome these limitations, the authors propose DPSBA (Distribution‑Preserving Stealthy Backdoor Attack), a clean‑label backdoor framework that learns in‑distribution triggers through adversarial training guided by anomaly‑aware discriminators. DPSBA’s design follows three core principles: (i) avoid label flipping (clean‑label setting) to eliminate semantic inconsistency; (ii) generate triggers that mimic the statistical properties of the target class, thereby reducing structural anomalies; and (iii) jointly optimize attack effectiveness and stealth via a two‑stage adversarial process.

Methodology Overview

1. Hard Sample Selection – From the target class, DPSBA selects the bottom p % of graphs with the lowest confidence scores (as measured by a surrogate GNN). These “hard samples” lie near the decision boundary, requiring only minor perturbations to be pushed into the target class, which helps keep the trigger subtle.

2. Trigger Location Selection – A two‑step procedure identifies injection sites: first, nodes with high degree centrality are shortlisted; then, an ablation‑style influence score (change in model output after node removal) selects the M most influential nodes among them. This balances computational efficiency with the need to place the trigger where it can affect the global graph embedding.

3. Trigger Generation – DPSBA employs two lightweight generators:

   • Topology Generator – an MLP that maps the adjacency matrix of the selected region to a soft structure, followed by a sigmoid and a binarization step (binary = I(A > 0.5)). This yields a discrete adjacency matrix for the trigger while preserving gradient flow during training.
   • Feature Generator – another MLP that transforms the original node features at the injection site, ensuring that generated features stay close to the local feature manifold. This mitigates feature‑level anomalies even when the dataset exhibits high attribute variance.
     The generated trigger subgraph (A_binary, X′) is then injected into the selected hard samples, producing poisoned graphs that retain the original label (clean‑label).

4. Adversarial Optimization – Two discriminators are trained to detect anomalies: a GCN‑based Topology Discriminator for structural deviations and an MLP‑based Feature Discriminator for feature distribution shifts. The generators are trained to fool these discriminators while simultaneously minimizing an Attack Loss (negative log‑likelihood of the target class under a surrogate model). The combined objective is a minimax game:

   • Minimize attack loss to ensure high Attack Success Rate (ASR).
   • Minimize discriminator loss to keep anomaly scores low, measured by external detectors such as SIGNET.

Experimental Evaluation
The authors evaluate DPSBA on several benchmark graph classification datasets (AIDS, MUTAG, PROTEINS) and compare against state‑of‑the‑art backdoor baselines: ER‑B, GTA, and Motif (including its frequent‑motif variant). Metrics include ASR and anomaly scores (AUC of SIGNET). Results show that DPSBA achieves comparable or slightly lower ASR than the strongest baselines but dramatically reduces anomaly scores by 30‑50 %, indicating far better stealth. Importantly, DPSBA maintains high ASR even under the clean‑label constraint, demonstrating that label flipping is not a prerequisite for effective attacks.

Strengths

• Dual‑distribution preservation – By jointly addressing structural and feature anomalies, DPSBA produces triggers that are statistically indistinguishable from clean graphs.
• Clean‑label attack – Avoids semantic inconsistency, making the attack harder to detect by methods that look for label‑structure mismatches.
• Adversarial training framework – The use of dedicated discriminators provides an automated way to balance effectiveness and stealth, rather than manually tuning trigger size or rarity.

Limitations

• Dependence on surrogate model – Hard‑sample selection and attack loss both require a surrogate GNN trained on clean data; in a strict black‑box scenario this may be unavailable.
• Computational overhead – Training the two generators and discriminators adds extra cost, especially for large graphs or when the trigger size grows.
• Sensitivity to discriminator quality – If the discriminators are poorly trained, the generators may not learn truly in‑distribution triggers, reducing stealth.

Future Directions
The paper suggests several avenues: (1) developing meta‑learning or reinforcement‑learning strategies to identify hard samples without a surrogate model, enabling fully black‑box attacks; (2) extending the framework to newer GNN architectures (e.g., Graphormer, GAT) and to dynamic or heterogeneous graphs; (3) designing lightweight generator‑discriminator pairs to reduce training time for large‑scale networks.

In summary, DPSBA presents a novel, well‑engineered approach to graph‑level backdoor attacks that simultaneously preserves data distribution and avoids label manipulation, achieving a superior trade‑off between attack success and detectability compared with existing methods. This work highlights the need for more robust defenses that consider both structural and semantic anomalies in graph‑based machine learning systems.