Defending Graph Neural Networks Against Backdoor Attacks via Symmetry-Aware Graph Self-Distillation

Abstract

Graph neural networks (GNNs) have exhibited remarkable performance in various applications. Still, research has revealed their vulnerability to backdoor attacks, where Adversaries inject malicious patterns during the training phase to establish a relationship between backdoor patterns and a specific target label, thereby manipulating the behavior of poisoned GNNs. The inherent symmetry present in the behavior of GNNs can be leveraged to strengthen the robustness of GNNs. This paper presents a quantitative metric, termed Logit Margin Rate (LMR), for analyzing the symmetric properties of the output landscapes across GNN layers. Additionally, a learning paradigm of graph self-distillation is combined with LMR to distill the symmetry knowledge from shallow layers, which can serve as the defensive supervision signals to preserve the benign symmetric relationships in deep layers, thus improving both model stability and adversarial robustness. Experiments were conducted on four benchmark datasets to evaluate the robustness of the proposed Graph Self-Distillation-based Backdoor Defense (GSD-BD) method against three widely used backdoor attack algorithms, demonstrating the robustness of GSD-BD even under severe infection scenarios.

1. Introduction

Graph neural networks (GNNs) [1,2,3,4] have demonstrated remarkable performance in various graph-related tasks, including social networks [5], financial systems [6], and molecular graphs [7]. Building a well-performing GNN requires rich, well-labeled examples and heavily computational overhead. Consequently, practitioners may choose to utilize pretrained models with potential vulnerabilities [8,9] or rich labeled training data collected through crawlers and crowdsourcing [10], which might be implanted with malicious perturbations or even injected with Trojans by attackers. In particular, a prevalent perturbation called a backdoor attack [11,12,13,14,15] leaves a specific pattern in the target model through a slight perturbation, thereby establishing a connection between this pattern and a specific target label determined by and known only to the attacker without degrading the performance on normal examples. Moreover, the backdoor pattern is more easily internalized in GNNs due to the iterative message-passing process, which can potentially aggregate the malicious perturbations.

Recent studies [16,17,18] have shown that certain neurons within the backdoor model are abnormally sensitive to perturbed examples in relation to the patterns of attached malicious subgraphs (i.e., backdoor triggers). This enables abnormal neurons to force the backdoor model to generate large activation of the malicious structure towards specific labels, successfully misclassifying infected examples into an attacker’s predefined target class. Consequently, the hijacked model will boost the activation of the target label and suppress all others. Based on this, ref. [17] identified compromised neurons and then performed reverse-engineering through an optimization procedure to sanitize the backdoor; ref. [19] learned a minimum-norm perturbation that leads to misclassification across an entire class group and performed unsupervised anomaly detection; and ref. [20] estimated the maximum margin statistic based on global output landscape to conduct backdoor detection and mitigation. While the aforementioned methods have demonstrated the ability to preserve the model’s original benign behavior, it is not feasible to directly apply these defense methods from computer vision (CV) to the graph domain due to the distinct topological structure of the graph. In state-of-the-art graph backdoor defense methods, Prune [15] employed a random branch pruning strategy that discards the labels of pruned graphs; explanatory backdoor defense [21] filtered infected samples by calculating the explainability scores of the explanatory subgraph; and DMGNN [22] pruned the most explainable subgraphs that exhibited the highest predictive confidence for non-target classes. Unfortunately, these approaches may introduce potential noise and degrade the model’s performance.

Symmetrical properties can provide insights into the underlying data distribution and enable the identification of perturbations that deviate from normal patterns. In this paper, we go further from existing backdoor defenses via symmetry-driven graph knowledge distillation (KD). KD [23] improves the performance of student models by aligning their outputs with those of teacher models. Recent research has proposed several methods for graph knowledge distillation, such as CCGL [24], FreeKD [25] and TinyGNN [26]. Among these, a teacher-free distillation paradigm [27] inspires our defense, the GNN-SD, which estimates the Neighborhood Discrepancy Rate (NDR) to quantify the non-smoothness of graph representations across GNN layers. Knowledge self-distillation is then applied to holistically preserve non-smoothness across layers. The design intuition of NDR is that the learned graph representations will converge to one steady state as the iterative message passing, leading to indistinguishability of connected nodes in deep GNN layers (i.e., over-smoothing [28]). Similarly, the adversarial graph exhibits an over-asymmetric output landscape in deep layers to ensure abnormal activation towards the backdoor pattern (i.e., boosting and suppression effects [20,29]). Centered on this conclusion, we extract defensive knowledge from shallow layers to supervise the deeper output landscapes, enabling gentle sanitization of graph backdoors. Specifically, a Logit Margin Rate (LMR) quantifies the asymmetry of output landscapes across GNN layers and adaptively distills symmetry knowledge from shallow layers to retain it in deeper layers. As a consequence of the integration, a novel backdoor defense method, Graph Self-Distillation Backdoor Defense (GSD-BD), was proposed to sanitize backdoor perturbations by retaining symmetry knowledge across GNN layers while preserving the capacity of extracting original benign features for sanitized GNNs.

Our contributions are summarized as follows:

• The Graph Self-Distillation Backdoor Defense (GSD-BD) sanitizes ingrained backdoor perturbations by leveraging symmetry knowledge from shallow layers to supervise deeper layers. This ensures the preservation of intrinsic structural characteristics of graph data, enhancing both model stability and adversarial robustness.
• Experimental findings reveal that backdoor attack effects can be characterized by boosting and suppression effects. Based on this, the Logit Margin Rate (LMR) is introduced as a quantitative metric to measure logit output asymmetry across GNN layers, facilitating accurate and efficient backdoor sanitization.
• The efficacy of GSD-BD is validated through comparisons with state-of-the-art graph backdoor defense methods. Experimental results demonstrate that GSD-BD achieves a superior Average Defense Rate (ADR) against various backdoor attack algorithms while preserving the sanitized model’s original benign behavior.

2. Related Works

2.1. Graph Knowledge Distillation

The initial distillation knowledge [23] is applied for model compression to facilitate model deployment. Ref. [30] first introduced graph knowledge distillation by extracting local graph structure knowledge from both the teacher and student models, then distilling it through similarity matching. G-CRD [31] retains global topology by aligning node embeddings in a shared representation space through contrastive learning. Subsequent studies revised teacher model architectures or employed teacher-free paradigm. CPF [32] took advantage of label propagation in MLPs to distill knowledge from teacher GNNs to student MLPs. TGS [33] replaced explicit information propagation in GNNs with MLPs, then guided dual knowledge self-distillation between target nodes and their neighborhood. GNN-SD [27] directly self-distilled embedded graph non-smoothness across GNN layers as the supervision signals, retaining this knowledge in deeper layers. Building upon graph self-distillation, our work introduces a novel Symmetry-Aware Graph Self-Distillation specifically designed for backdoor defense in GNNs, which leverages the inherent symmetry properties of GNNs to detect and sanitize backdoor perturbations.

2.2. Backdoor Attack

Backdoor attack is a type of attack that occur during the training phase. With the extensive adoption of GNNs, research efforts have extended the backdoor attacks to GNN models, where attackers generate and inject subgraphs into a small portion of training examples while altering their labels to the target class, establishing a relationship between target label and backdoor triggers. The initial implementation by [11], involved generating subgraphs following Erdős–Rényi, small-world, or preferential attachment distributions via random injection. To increase the threat level of the graph backdoor attack, several efforts have been made to create more sophisticated backdoor triggers. Xi et al. [13] proposed a bi-optimization strategy to alternately update the trigger generator and target model parameters. Dai et al. [15] presented an adaptive trigger generator that maintains the unnoticeability of the trigger by constraining the cosine similarity between the backdoor trigger and original nodes. Later approaches often selected representative subgraphs (e.g., graph motifs, explanatory subgraphs) as triggers to reduce computational overhead. Xu et al. [12] employed interpretation methods to select optimal injection locations for backdoor triggers. Wang et al. [34] utilized subgraphX to identify and generate explanatory subgraphs with superior quality. Zheng et al. [14] exploited motif distribution differences within the dataset to identify trigger structures.

2.3. Backdoor Defense

Despite increasing focus on developing backdoor attack algorithms for GNNs, exploration of defensive methods has only recently begun. Several computer vision backdoor defense strategies have shown promising results and offer valuable insights. Zeng et al. [35] proposed a retraining approach leveraging implicit hyper-gradients to model interdependence between inner/outer optimization processes. Liu et al. [36] combined pruning and fine-tuning, first pruning deep neural networks (DNNs) and then fine-tuning the pruned networks. Wang et al. [16] identified backdoor patterns and reconstructed potential triggers through reverse engineering. Guo et al. [37] devised a Trojan detection quality metric to identify backdoor patterns. Although these have proven effective for continuous data (e.g., images), their application to graphs remains limited due to the inherently unstructured and discrete properties of the graphs. In the domain of graph backdoor defense, several methods have been proposed. Dai et al. [15] employed random branch pruning and disregarded pruned graph labels. Jiang et al. [21] filtered infected samples via explanatory subgraph explainability scores. Yang et al. [38] identified backdoor triggers using Gaussian mixture models and purified the poisoned regions through clustering and filtering. Sui et al. [22] pruned the most explainable subgraphs that exhibited the highest predictive confidence for non-target classes. However, despite their innovative approaches, these graph-specific methods introduce potential structural noise that degrades sanitized model performance. In comparison, proposed GSD-BD presents a gentle sanitization paradigm via symmetry-aware knowledge distillation, preserving intrinsic graph structures. By distilling shallow-layer symmetry knowledge to deeper layers, it avoids aggressive modifications to the graph topology and presents a tailored graph defense strategy to eliminate backdoors while preserving the benign behavior of the sanitized model.

3. Preliminaries

3.1. Notations

In this paper, we focus on graph classification backdoor defense. For convenience, the frequently used notations are summarized in

Table 1. Summary of commonly used notations.

Notations	Descriptions
$\mathcal{D}$	Entire dataset
${\mathcal{D}}_p$	Backdoor dataset
N	Graph number of dataset
$\mathcal{G}=(\mathbf{A},\mathbf{X})$	Graph data
${\mathcal{G}}_p$	Trigger-embedded graph
$\mathbf{X}$	Node feature representation of a graph
$\mathbf{A}$	Adjacency matrix of a graph
$\mathcal{A}$	Identified backdoor graph set
$\mathcal{N}$	Identified benign graph set
$f(·)$	GNN model
$\varphi (·)$	Logit output of the input graph
y	Ground-truth label of a graph
$y_t$	Target label of a graph
${\mathcal{M}}_{\mathcal{G}}^l$	LMR for a given graph sample at layer-l

.

3.2. GNN-Based Graph Classification

Without loss of generality, we formulate graph classification by GCN [1] to explain our defense goal, where the node embeddings for the k-th aggregation ${\mathbf{H}}^{\left(k\right)}$ can be represented as follows:

$${\mathbf{H}}^{\left(k\right)}=\sigma \left({\tilde{\mathbf{D}}}^{-\frac{1}{2}}\tilde{\mathbf{A}}{\tilde{\mathbf{D}}}^{-\frac{1}{2}}{\mathbf{H}}^{\left(k-1\right)}{\mathbf{W}}^{\left(k\right)}\right),$$

(1)

where $\mathbf{D}$ represents the degree matrix, ${\tilde{\mathbf{D}}}_{i,i}={\sum }_j{\tilde{\mathbf{A}}}_{ij}$, $\mathbf{A}\in {\left[0,1\right]}^{n\times n}$ represents the adjacency matrix for n nodes, and $\tilde{\mathbf{A}}=\mathbf{A}+\mathbf{I}$ is the self-looped adjacency matrix. The initial node embeddings ${\mathbf{H}}^{\left(0\right)}$ are set to the node features $\mathbf{X}$, and $\sigma$ denotes the the nonlinear activation function.

The permutation invariant function $\mathrm{Readout}(·)$ aggregates the final-layer node embeddings to obtain the graph representation ${\mathbf{H}}_{\mathcal{G}}=\mathrm{Readout}\left({\mathbf{H}}_1^{\left(k\right)},{\mathbf{H}}_2^{\left(k\right)},\dots ,{\mathbf{H}}_n^{\left(k\right)}\right)$.

The graph classification can, therefore, be described as:

$$\widehat{y}=f\left(\mathcal{G}\right)=\mathrm{softmax}\left({\mathbf{H}}_{\mathcal{G}}\right),$$

(2)

where $\widehat{y}$ denotes the predicted class label based on the output probabilities for the input graph.

3.3. Backdoor Attack

In a standard backdoor attack, a poisoned subset ${\mathcal{D}}_p\subset \mathcal{D}$ is first created by selecting a subset of M ($M\ll N$) examples from $\mathcal{D}$. Each sample $(\mathcal{G},y)\in {\mathcal{D}}_p$ is transformed into a backdoor sample $(T\left(\mathcal{G}\right),y_t)$, where $T:\mathcal{G}\to {\mathcal{G}}_p$ is the backdoor function. The backdoor function T determines how a backdoor trigger is placed on $\mathcal{G}$ to create the backdoor input ${\mathcal{G}}_p$, and $y_t$ is the attacker-specified label. The remaining clean samples form ${\mathcal{D}}_c=\mathcal{D}\setminus {\mathcal{D}}_p$. Figure 1 illustrates the general implementation of the graph backdoor attack.

3.4. The Threat Model

3.4.1. Attacker’s Capabilities and Goals

The attacker is given more lenient capabilities to implant triggers into sufficient data and takes full control of the training process of the target model, e.g., the model is outsourced to a third party, which turns out to be an attacker. The attacker’s goal is to activate incorrect behavior after malicious propagation, causing the model to classify the trigger-embedded graphs as the target label, which is determined by and known only to the attacker while minimally affecting the prediction accuracy on benign graphs.

3.4.2. Defender’s Capabilities and Goals

The defense mechanism preserves clean knowledge from shallow layers while propagating it to deeper layers.

The defender has no prior knowledge about potential attacks or backdoor trigger patterns. GSD-BD operates in a post-training scenario, requiring only a minimal set of clean graphs that can be readily acquired at negligible cost. The defense mechanism preserves clean knowledge from shallow layers while propagating it to deeper layers, then sanitizes the backdoored GNN through fine-tuning to restore correct predictions (original ground-truth labels) when fed with the infected graphs.

4. Methodology

4.1. Design Intuition

The goal of graph backdoor attacks is to establish a relationship between backdoor patterns and specific target labels, which are determined by and known only to the attacker. Certain neurons within the backdoor model exhibit abnormal sensitivity to perturbed examples containing malicious subgraphs (i.e., backdoor triggers), resulting in large activations toward predefined target labels while suppressing activations of other labels [16,17,18].

Specifically, this behavior resembles an overfitting “boosting and suppression” effect [20,29], which provides symmetry knowledge for quantifying the anomalous output landscape of backdoors. Symmetry knowledge obtained from shallow GNN layers can serve as supervisory signals when combined with the graph knowledge self-distillation paradigm. This combination guides fine-tuning purification, thereby restoring the smoothness of the overall output landscape and gently sanitizing the graph backdoors.

Subsequently, Section 4.2 details how backdoor-induced asymmetries can be quantified and distinguished from the natural graph structure, and Section 4.3 examines whether knowledge of shallow symmetries can effectively guide backdoor sanitization without disrupting the graph structure.

4.2. Quantification for Backdoor Effect

To distinguish and quantify backdoor-induced asymmetries from natural graph structures, we propose the Logit Margin Rate (LMR) as a metric to quantify the backdoor effect in individual graphs. LMR is based on the observation that the perturbed samples exhibit substantial margins between the activations of the predicted label and activations of others. Specifically, we calculate this margin as the difference between the logit output of the predicted class and the maximum logit output among all remaining classes, providing a quantitative measure of abnormal asymmetry. We utilize logit outputs rather than probabilities because probabilities have minimal impact on weight parameters during fine-tuning, while logit outputs more directly reflect the relative confidence of predictions.

To further elucidate the LMR, a simple GNN model is considered as an example. Let the logit output related to the class decision c of the input graph $\mathcal{G}$ be ${\varphi }_c$, where c is any class from the label space $\mathcal{Y}$. We assume that the GNN can correctly classify all the training samples with confidence higher than $\tau$, as follows:

$${\varphi }_y\left(\mathcal{G}\right)-\underset{k\ne y}{max}{\varphi }_k\left(\mathcal{G}\right)\ge \tau ,$$

(3)

Furthermore, assuming that a backdoor attack can successfully force the backdoored GNN to classify perturbed samples embedded with trigger $g_t$ as the target class $y_t$, the logit margin for backdoored and benign samples can be described as follows:

$$\begin{array}{c}\hfill {\varphi }_{y_t}\left({\mathcal{G}}_p\right)-{\varphi }_y\left({\mathcal{G}}_p\right)\ge \tau \end{array}$$

(4a)

$$\begin{array}{c}\hfill {\varphi }_y\left(\mathcal{G}\right)-{\varphi }_{y_t}\left(\mathcal{G}\right)\ge \tau ,\end{array}$$

(4b)

where ${\mathcal{G}}_p$ is the perturbed graph and ${\mathcal{G}}_p=\mathcal{G}+g_t$, y, and $y_t$ correspond to the ground-truth labels and predefined target labels, respectively. Adding (4a) and (4b) gives the following:

$${\varphi }_{y_t}\left(g_t\right)-{\varphi }_y\left(g_t\right)\ge 2\tau ,$$

(5)

The (5) indicates that the backdoored model requires a higher LMR margin when encountering perturbed samples, reflecting a significant decision boundary difference in making decisions between perturbed samples and benign samples. The maximum margin lower bound for the backdoor target class is at least 2$\tau$, substantially exceeding the lower bound for benign samples.

Furthermore, the minimal proportion of perturbed samples might lead to the logit margin rate (LMR) being diluted by benign samples. If the model is encouraged to use the LMR of benign samples as a supervisory signal for backdoor sanitization, it might introduce over-smoothness [28], causing the states of graph nodes to converge to the same stationary point during propagation, making the hidden states difficult to distinguish, thereby degrading the model’s performance in classification and feature recognition. To address this issue, we introduce an unsupervised anomaly detector, which is integrated with LMR to build a symmetry knowledge filter. Specifically, the LMR for a given graph sample can be expressed as follows:

$${\mathcal{M}}_{\mathcal{G}}={\varphi }_c\left(\mathcal{G}\right)-\underset{k\in \mathcal{Y}\setminus c}{max}{\varphi }_k\left(\mathcal{G}\right),$$

(6)

Moreover, to achieve a sparser representation and reduce computational overhead, this was followed by Hinge Loss and the introduction of the max function, Equation (6), which can be expressed as follows:

$${\mathcal{M}}_{\mathcal{G}}=max(0,{\varphi }_c\left(\mathcal{G}\right)-\underset{k\in \mathcal{Y}\setminus c}{max}{\varphi }_k\left(\mathcal{G}\right)),$$

(7)

Subsequently, following [20], a null distribution $\mathcal{P}$ is estimated using the LMR from a minimal set of clean graphs with a null parametric density form, i.e., the gamma distribution. The null hypothesis $H_0$ (representing no attack) is rejected if the test statistics associated with the attack exhibit large anomalies with small p-values under the null hypothesis. To evaluate the atypicality of ${\mathcal{M}}_{\mathcal{G}}$, we compute the order-statistic p-value as follows:

$$\mathrm{pv}=1-\mathcal{P}{\left({\mathcal{M}}_{\mathcal{G}}\right)}^N,$$

(8)

The pv represents the probability of extreme values appearing in the output results, reflecting the extent of sample abnormalities. If pv is below the confidence threshold, it indicates a significant deviation from the distribution, leading to rejection of $H_0$ and the classification of the graph associated with the current ${\mathcal{M}}_{\mathcal{G}}$ as anomalous. Consequently, the knowledge filter can identify potential perturbed samples and provide support for subsequent backdoor sanitization tasks. Figure 2 illustrates the procedure for perturbation detection.

4.3. Symmetry-Aware Graph Knowledge Self-Distillation for Backdoor Sanitization

To determine whether shallow symmetry knowledge can effectively guide backdoor sanitization while preserving graph structure, we suggest extracting symmetry knowledge from shallow GNN layers to supervise deep GNN layers’ output landscape. Specifically, we separately filter benign and potentially perturbed samples using an upstream symmetry knowledge filter, and we employ the LMR of suspicious samples as a supervisory signal to maintain output landscape smoothness in deep layers through cross-layer knowledge self-distillation. By adaptively calibrating the contributions of malicious and benign knowledge, gentle backdoor sanitization is achieved while retaining the original feature extraction capabilities of sanitized models.

Furthermore, given that it might be difficult for the defenders to locate the specific layer causing the backdoor effect, specifying a supervisory layer could potentially result in inaccurate LMR extraction. Hence, the supervisory layer is initialized only when a substantial activation margin exists. Formally, the supervised layer $l^{\ast }$ is defined as:

$$l^{\ast }=\underset{l\in \{1,\dots ,L\}}{\arg \max }\sum _{{\mathcal{G}}_i\in \mathcal{A}}{\mathcal{M}}_{{\mathcal{G}}_i}^l$$

(9)

where $\mathrm{SG}(·)$ denotes the gradient representation release control signal, L denotes the final layer of the GNN, and ${\mathcal{M}}_G^l$ denotes the LMR for graph $\mathcal{G}$ at layer-l.

After determining the supervisory layer, we adaptively calibrate the contributions between malicious knowledge and benign knowledge using the upstream symmetry knowledge filter while preserving the model’s original feature extraction capability. Formally, the sanitization loss can be represented as:

$${\mathcal{L}}_{\mathrm{M}}={\displaystyle \frac{1}{\left|\mathcal{A}\right|}}\sum _{l^{\ast }}^{L-1}\parallel \sum _{{\mathcal{G}}_i\in \mathcal{A}}{\mathcal{M}}_{{\mathcal{G}}_i}^{l+1}-\mathrm{SG}\left({\mathcal{M}}_{{\mathcal{G}}_i}^l\right){\parallel }_2^2$$

(10)

where $\mathcal{A}$ represents the set of suspicious adversarial samples identified by the upstream symmetry knowledge filter, $l^{\ast }$ is the supervisory layer, and $\left|\right|·\left|\right|$ denotes the square of the L2 norm, which facilitates fine-tuning by allowing for smooth penalty decay when the size of $\mathcal{A}$ is extremely small. A purified cross-entropy loss ${\mathcal{L}}_{\mathrm{CE}}$ is then used to preserve the benign output landscape for sanitized GNNs, which can be described as:

$${\mathcal{L}}_{\mathrm{CE}}={\displaystyle \frac{1}{\left|\mathcal{N}\right|}}\sum _{{\mathcal{G}}_j\in \mathcal{N}}\mathcal{l}(f\left({\mathcal{G}}_j\right),y_j)$$

(11)

where $\mathcal{l}(·)$ represents the cross-entropy loss, and $\mathcal{N}$ denotes the set of benign samples where $\mathcal{N}=\mathcal{D}\setminus \mathcal{A}$. As a consequence of the integration, the total loss for backdoor sanitization ${\mathcal{L}}_{\mathrm{S}}$ is formulated as follows:

$${\mathcal{L}}_{\mathrm{S}}={\mathcal{L}}_{\mathrm{CE}}+\lambda {\mathcal{L}}_{\mathrm{M}}$$

(12)

Considering that different backdoor patterns can produce distinct logit margins, and that graph representation learning might be poorly learned in shallow layers, the hyperparameter $\lambda$ is set empirically for robustness. The weights for ${\mathcal{L}}_{\mathrm{M}}$ and ${\mathcal{L}}_{\mathrm{CE}}$ are adaptively adjusted according to their respective input sets to prevent signal dilution from limited adversarial samples. As a result, not only do we sanitize the ingrained backdoor patterns, but we also preserve the original feature extraction capability. The entire workflow is illustrated in Figure 3.

4.4. Time and Space Complexity

The time complexity analysis of GSD-BD primarily involves four dominant components: (1) computing the Logit Margin Rate (LMR) across N graph samples with C classes, which scales as $\mathcal{O}\left(NC\right)$; (2) fitting the null distribution to the LMR values, requiring $\mathcal{O}\left(N\right)$ operations; (3) the self-distillation process that introduces an additional $\mathcal{O}\left(NC\right)$ term from comparing LMR discrepancies between shallow and deep layers; (4) the layer-wise message passing of GNNs require $\mathcal{O}\left(L\right|E\left|d^2\right)$ operations, where L is the number of layers, $\left|E\right|$ is the number of edges, and d is the node embedding dimension. This hierarchical composition results in an overall time complexity of $\mathcal{O}\left(L\right|E|d^2+NC)$.

In addition, the space complexity comprises: (1) $\mathcal{O}\left(NC\right)$ storage for maintaining logit outputs during LMR computation; (2) negligible $\mathcal{O}\left(1\right)$ space for statistical parameters of the null distribution; and (3) $\mathcal{O}\left(NL\right)$ space demands for caching LMR values during the self-distillation process. Consequently, the total space complexity requires $\mathcal{O}(LNnd+NC)$, where n is the average number of graph nodes.

5. Evaluation

5.1. Experiment Setup

5.1.1. Datasets

We evaluated four publicly available real-world graph datasets using the proposed method: PROTEINS, BITCOIN, AIDS, and NCI1. The rationale behind the selection of these is that they are widely used in most backdoor attack/defense scenarios, which allows for a more comprehensive comparative analysis.

Table 2. Dataset statistics.

Datasets	# Graphs	# Classes	Avg. # Nodes	Avg. # Edges	# Graphs in Class	# Target Label
PROTEINS	1113	2	39.06	72.82	663[0], 450[1]	1
BITCOIN	1174	2	14.64	14.18	845[0], 329[1]	0
AIDS	2000	2	15.69	16.20	400[0], 1600[1]	1
NCI1	4110	2	29.87	32.30	2053[0], 2057[1]	0

provides detailed statistics of the datasets.

• PROTEINS [39]: This dataset consists of proteins in which each node is represented as an amino acid, and two nodes are connected by an edge if they are less than 6 angstroms apart. The labels are determined as enzymatic or non-enzymatic.
• BITCOIN [40]: This dataset is used for graph-based detection of fraudulent Bitcoin transactions, where each node is represented as a transaction and its associated transactions, and each edge between two transactions indicates the Bitcoin currency flow between them. The labels are determined based on illicit or licit transactions.
• AIDS [41]: This dataset contains molecular compounds from the AIDS antiviral screen database. The labels are determined based on active or inactive of molecular compounds.
• NCI1 [42]: This dataset comprises chemical compounds used to inhibit cancer cells, where each graph corresponds to a chemical compound, each vertex represents an atom of the molecule, and the edges between vertices represent bonds between atoms.

5.1.2. Dataset Split and Construction

Each dataset will be divided into three parts: training dataset ${\mathcal{D}}_{train}$, test dataset ${\mathcal{D}}_{test}$, and auxiliary dataset ${\mathcal{D}}_{aux}$. Specifically, 60% of the data are randomly selected as the training graphs for each dataset, and the remaining part represents the test graphs. For the backdoor datasets, the backdoor training dataset and the backdoor test dataset are randomly selected from ${\mathcal{D}}_{train}$ and ${\mathcal{D}}_{test}$, respectively, based on the training and test poisoning rates. Additionally, 5% of the clean graphs are randomly chosen to form ${\mathcal{D}}_{aux}$. In experiments, backdoor attack algorithms are employed to generate and implant triggers into ${\mathcal{D}}_{train}$, configured with parameters such as the training poisoning rate and trigger size (more parameter settings can be found in Section 5.1.4). Subsequently, ${\mathcal{D}}_{aux}$ is utilized to construct a null distribution in the form of a null parametric density for the symmetry knowledge filter. Following this, backdoor triggers are generated and implanted into ${\mathcal{D}}_{test}$ based on the predefined test infection rate. Then, experiments are conducted on ${\mathcal{D}}_{test}$ to evaluate the defense performance. Note that the dataset split settings are applied to all attacks.

5.1.3. Baseline Defense Methods

The superiority of the proposed approach is demonstrated through comparative analysis with the following baseline defense methods: Prune, Prune+LD [15], explanatory backdoor defense [21], and DMGNN [22]. (1) The Prune will be employed to excise connected edges exhibiting low cosine similarity, which is set based on the lowest 10% of cosine similarity scores. (2) For Prune+LD, we move those pruned graphs from ${\mathcal{D}}_{train}$ to ${\mathcal{D}}_{test}$ as an alternative to label-discard strategies. (3) The explanatory backdoor defense method will be applied to identify and prune the potentially infected graphs with explainability scores above a threshold, which is set based on the maximum value of the discrepancy between fidelity and infidelity computed on the ${\mathcal{D}}_{aux}$. (4) DMGNN will be implemented to locate the disturbed regions using a counterfactual explanation method, and reverse sampling pruning will be conducted based on explainable confidence at 0.9.

5.1.4. Model Settings and Parameter Settings

Experiments were performed on two graph neural networks: (1) GCN [1]: A 4-layer graph convolutional network with hidden dimensions of 256, ReLU activation, and batch normalization after each layer; (2) GIN [3]: A 4-layer graph isomorphism network with hidden dimensions of 256, MLP aggregators (2-layer perceptrons with ReLU), and sum pooling. Both models were trained for 300 epochs using the Adam optimizer with a learning rate of 0.005. The benign models’ accuracy and backdoor models’ performance for three baseline backdoor attack algorithms across different datasets are shown in

Table 3. Benign model accuracy (ACC) and backdoor models performance for three baseline backdoor attack algorithms (ASR and CAD).

Model	Dataset	ACC (%)	ASR (%)			CAD ($\times {10}^{-2}$)
			GBA	MIA	GTA	GBA	MIA	GTA
GCN	PROTEINS	75.18	51.06	67.36	72.91	4.50	4.66	6.63
	AIDS	97.64	69.42	73.03	94.75	4.60	5.01	4.78
	BITCOIN	97.91	76.53	74.94	84.11	6.87	5.43	8.10
	NCI1	78.75	75.33	79.72	94.34	4.60	4.54	2.96
GIN	PROTEINS	76.32	60.73	59.25	83.84	4.75	3.49	5.23
	AIDS	98.19	78.94	81.33	96.67	4.25	3.87	3.39
	BITCOIN	96.66	79.06	82.50	86.67	4.75	3.24	3.91
	NCI1	76.89	75.97	93.67	97.07	4.08	2.79	3.11

.

Subsequently, three existing state-of-the-art backdoor attack algorithms were employed to implant backdoors in GNNs to verify the defense performance, including the Erdős–Rényi backdoor (GBA) [11], the most important node-selecting attack (MIA) [12], and the adaptive generated backdoor attack (GTA) [13]. Specifically, the poisoning ratios were set to 5% for training, and the test poisoning ratio was fixed at 50%; The trigger size was set to 15% of the average number of nodes for each graph by default; the confidence threshold $\theta$ is set to 0.05 by default for backdoor detection; the sanitization loss weight $\lambda$ is set to ${\mathrm{e}}^{-2}$ by default.

5.1.5. Evaluation Metrics

Several key metrics were employed to evaluate the performance of backdoor defense. (1) Attack success rate (ASR) [43] refers to the percentage of examples implanted with triggers that are classified into the target label by the backdoor model. (2) Average defense rate (ADR) [44] represents the ratio of the difference in ASR between the no defense and defense scenarios to the ASR in the no-defense scenario. (3) Clean accuracy (ACC) measures the classification of clean samples, while clean accuracy drop rate (CAD) [12] quantifies the discrepancy between the classification accuracy of a clean model and backdoor model on benign samples. Intuitively, higher ADR and lower ASR values indicate more effective defense, while lower CAD reflects less influence on original benign properties of the sanitized model.

5.2. Defense Performance

To assess the effectiveness of the Graph Self-Distillation Backdoor Defense (GSD-BD) in countering backdoor attacks, we conducted comparative experiments utilizing four baseline methods, namely Prune, Prune+LD, Exp-LD, and DMGNN, across four real-world datasets. The evaluation metrics employed include the Average Defense Rate (ADR) and Clean Accuracy Drop (CAD), where a higher ADR signifies enhanced defense performance, and a lower CAD indicates the sanitized model’s ability to retain its original benign characteristics.

As detailed in

Table 4. Evaluation metrics for backdoor defense against different backdoor attack algorithms for GCN.

Dataset	Attack	ADR (%)					CAD ($\times {10}^{-2}$)
		Prune	Prune+LD	Exp-BD	DMGNN	GSD-BD	Prune	Prune+LD	Exp-BD	DMGNN	GSD-BD
PROTEINS	GBA	50.58	51.84	68.56	69.26	84.84	6.23	5.97	4.54	4.25	3.54
	MIA	41.16	44.76	71.69	69.63	84.08	6.31	6.78	5.17	5.08	4.37
	GTA	37.26	46.83	65.75	64.18	83.55	7.27	7.03	5.14	5.21	4.66
AIDS	GBA	52.61	53.94	69.25	71.94	85.60	5.47	5.48	6.36	5.22	4.94
	MIA	48.14	48.58	74.36	72.08	84.20	5.51	6.17	5.24	5.22	4.85
	GTA	36.17	43.37	63.40	71.14	86.85	5.53	6.01	6.19	4.98	4.06
BITCOIN	GBA	43.45	48.68	60.28	70.78	87.39	7.45	7.03	6.62	5.58	3.82
	MIA	48.64	49.10	66.12	74.65	85.20	6.61	7.24	6.49	5.51	2.25
	GTA	39.55	45.28	59.97	72.41	88.03	7.56	7.17	6.38	5.47	4.57
NCI1	GBA	43.39	44.28	69.17	71.16	93.72	4.76	5.58	4.71	4.26	2.35
	MIA	41.24	41.35	77.53	79.22	93.56	5.71	5.58	4.71	4.74	2.09
	GTA	38.17	41.44	71.30	69.63	93.98	4.62	5.16	5.42	4.95	2.06

and

Table 5. Evaluation metrics for backdoor defense against different backdoor attack algorithms for GIN.

Dataset	Attack	ADR (%)					CAD ($\times {10}^{-2}$)
		Prune	Prune+LD	Exp-BD	DMGNN	GSD-BD	Prune	Prune+LD	Exp-BD	DMGNN	GSD-BD
PROTEINS	GBA	52.33	52.81	64.93	71.21	84.80	6.19	6.63	5.66	4.47	3.62
	MIA	39.50	44.05	67.79	68.14	86.95	6.28	6.16	6.08	4.14	2.94
	GTA	37.42	46.64	63.31	69.43	84.40	6.75	5.81	6.28	4.89	3.21
AIDS	GBA	54.29	54.71	68.00	73.16	86.14	5.88	5.43	5.92	5.19	4.06
	MIA	46.53	49.18	74.94	75.25	84.26	4.34	5.20	6.13	5.75	3.29
	GTA	41.71	45.22	64.68	71.14	85.60	4.13	4.05	6.36	4.98	3.32
BITCOIN	GBA	43.33	45.23	61.36	71.31	78.34	6.89	6.17	6.26	6.36	3.18
	MIA	45.21	50.17	66.12	69.36	85.76	6.34	4.95	6.19	5.80	3.79
	GTA	41.62	42.76	57.05	66.13	86.61	6.03	5.61	5.95	6.27	3.25
NCI1	GBA	40.13	44.87	64.20	76.16	93.51	5.41	5.11	5.00	5.06	3.22
	MIA	37.71	41.52	72.44	72.21	92.21	5.39	3.69	4.50	4.64	2.07
	GTA	36.27	39.36	71.41	71.28	95.86	4.98	4.24	4.96	4.72	2.51

, GSD-BD consistently achieves the highest ADR among the evaluated methods. For instance, in the case of the GTA attack on the NCI1 dataset using the GIN model, GSD-BD records an ADR of 95.86%, markedly surpassing the performance of Prune (36.27%), Prune+LD (39.36%), Exp-BD (71.41%), and DMGNN (71.28%). This robustness is also observed in other datasets (e.g., PROTEINS, AIDS, and BITCOIN), where GSD-BD maintains ADRs above 83%, while baseline methods struggle to exceed 80%. The consistently high ADR across various datasets and attack algorithms further attests to the robustness and adaptability of GSD-BD.

Regarding CAD, GSD-BD preserves the original benign behavior of the sanitized model, as reflected in its consistently lower Clean Accuracy Drop (CAD). For instance, in the case of the GTA attack on the NCI1 dataset using the GCN model, GSD-BD achieves a CAD of 2.06, significantly lower than Prune (4.62), Prune+LD (5.16), Exp-BD (5.42), and DMGNN (4.95). This indicates its effectiveness in preserving the original performance and benign attributes of the model. Notably, in most scenarios, the CAD of GSD-BD is lower than that of the infected model, suggesting that GSD-BD is capable of restoring the original benign behavioral characteristics of the sanitized model to a considerable extent.

As for baseline methods, Prune achieves low ADRs of below 40%, while Prune+LD records ADRs below 47% in the case of the GTA attack with the GCN model. This limitation stems from their reliance on pruning strategies, which can be imprecise and may introduce additional noise. Although Exp-BD and DMGNN perform better than Prune and Prune+LD, they still fall short relative to GSD-BD. Specifically, while Exp-BD and DMGNN yield higher ADRs of 77.53% and 79.22% on GCN, respectively, their CADs of 4.71 and 4.94 exceed that of GSD-BD. This indicates that they are less effective at restoring the original performance of the sanitized model and may even contribute to further performance degradation, as their approaches rely on rigid elimination processes for potentially anomalous structures, which inevitably disrupts the intrinsic graph topology and leads to consequent performance degradation.

The superiority of GSD-BD can be attributed to two key factors. First, GSD-BD is able to quantify the anomaly of output landscape across GNN layers based on the Logit Margin Rate, which allows for precise distillation for symmetry knowledge. Second, GSD-BD can adaptively calibrate the contribution between malicious and benign knowledge for sanitization loss. This prevents the sanitized model from over-smoothing, thereby preserving the original graph topological information and avoiding potential performance degradation.

5.3. Robustness Against Different Poisoning Rates

With the aim of analyzing the performance of GSD-BD against different poisoning rates, we conducted experiments by setting the poisoning rates from $\{0.01,0.02,0.05,0.1,0.2\}$ on four datasets with employing GTA backdoor attack on GCN. Figure 4 shows the results with and without incorporating GSD-BD. The sanitized models that incorporated backdoor defense were denoted as GCN-w/GSD-BD and GIN-w/GSD-BD, and those did not incorporate backdoor defense were denoted as GCN and GIN, respectively. It can be clearly observed from the figures that, irrespective of the incorporation of backdoor defense, the ASR increases with the poisoning rate (see GCN-w/GSD-BD and GIN-w/GSD-BD), which illustrates that the performance of GSD-BD will be slightly weakened as the poisoning rate increases. This might be due to the large poisoning rate leading to the expanded proportion of infected samples and dilution of the features of benign samples, thereby affecting the detection accuracy of the symmetry knowledge filter and the computation of the Logit Margin Rate. Notwithstanding, GSD-BD reliably maintains a low ASR across all poisoning rate scenarios, and the effectiveness of backdoor sanitization is significant even at high infection rates. In the worst-case scenario, both GCN-w/GSD-BD and GIN-w/GSD-BD have ASRs of less than 30% on the AIDS dataset, even with a poisoning rate of 0.2 (in Figure 4b), which further validates the robustness of our defense.

5.4. Importance of Symmetry Knowledge Filter

Incorrectly encouraging the distillation of knowledge related to smoothness for benign samples would further lead to oversmoothing. The backdoor knowledge filter thus provides a purified stream for subsequent symmetry knowledge distillation. To evaluate the capability of knowledge filtering for the proposed unsupervised anomaly detector, the detection accuracy, precision, recall, and F1-score were employed as evaluation metrics. Precision quantifies the accuracy of positive predictions, while recall measures the ability to identify all positive instances. The F1-score, in turn, provides a single value representing the harmonic mean of the above two metrics. With a default sampling rate of 0.05, we conducted a detection task using various attack algorithms on both GCNs and GINs to observe the performance of the symmetry knowledge filter. As shown in

Table 6. Performance of symmetry knowledge filter.

	GCN			GIN
Accuracy	GBA	MIA	GTA	GBA	MIA	GTA
PROTEINS	95.16	95.36	90.05	91.21	95.94	91.06
AIDS	98.50	98.43	94.10	99.35	99.78	99.56
BITCOIN	99.91	98.18	96.38	99.87	99.21	98.94
NCI1	99.99	99.84	99.62	99.99	99.84	98.83
Precision	GBA	MIA	GTA	GBA	MIA	GTA
PROTEINS	91.36	91.72	85.91	84.45	93.85	89.38
AIDS	97.67	96.86	88.44	92.02	99.56	99.99
BITCOIN	99.99	95.37	92.86	99.99	99.34	98.67
NCI1	99.99	93.40	99.35	99.99	99.69	99.99
Recall	GBA	MIA	GTA	GBA	MIA	GTA
PROTEINS	98.89	98.92	94.72	97.64	97.94	92.49
AIDS	99.32	99.99	99.73	99.67	99.99	99.14
BITCOIN	99.83	99.99	99.89	99.75	99.08	99.21
NCI1	99.99	96.16	99.89	99.99	99.99	99.67
F1-score	GBA	MIA	GTA	GBA	MIA	GTA
PROTEINS	94.97	95.18	90.10	90.57	95.85	90.91
AIDS	98.49	98.40	93.74	99.34	99.78	99.56
BITCOIN	99.91	97.63	96.25	99.87	99.21	98.94
NCI1	99.99	94.76	99.62	99.99	99.84	99.83

, the symmetry knowledge filter achieved outstanding results in all of the proposed attacks. Yet, the performance on PROTEINS was relatively poor, with a minimum detection accuracy of 90.05% and precision of 85.91%, indicating a limitation in distinguishing adversarial graphs for PROTEINS. This might be incurred by the lack of feature information of PROTEINS compared to the other datasets. Meanwhile, despite the diminished efficacy under GTA, it consistently provides notable results irrespective of the employed model algorithms. Specifically, the accuracy of GBA reaches 99.99% on both GNN algorithms, and the remaining scenarios also achieve considerable results. This success can be attributed to the capability of quantifying perturbations of LMR, thus aiding in downstream symmetry knowledge distillation tasks with specific targets to be processed.

5.5. Exploration for Logit Margin Rate

An investigation was conducted to investigate the role of the Logit Margin Rate (LMR) in preserving symmetry knowledge from shallow layers. Figure 5 presents a comparison of LMR curves across four layers of a backdoored GCN model subjected to a GBA attack. It can be observed that the LMRs with GSD-BD decrease in all four layers compared to the backdoored GNN, where the first layer (Figure 5a) is similar to that of the layer without GSD-BD. This indicates that the output landscapes of the backdoored and sanitized models show a consistency in the shallower layers. In contrast, the LMRs of the deeper layer without sanitization maintain a significant growth trend, which could imply that the backdoor induces the boost and suppression effect during backdoor implantation, whereas the LMRs with GNN-SD remain at a lower level and preserve a certain symmetry, which might imply the elimination of the malicious association between the backdoor pattern and the target label.

In particular, there is a tendency for the distribution of benign samples to return to its original form when the perturbations are sanitized. Figure 6, left shows a boxplot analysis of the Logit Margin Rate (LMR) distributions with standard deviations as whisker boundaries, which capture the dispersion of LMR values across three scenarios. The backdoor models exhibit extensive outliers beyond the upper whisker, in which most of the LMRs of the backdoor samples lie above the upper whisker of the benign group, confirming the severe distributional distortion and the anomalous boosting and suppression effect induced by the backdoor trigger. Meanwhile, defended samples (based on GSD-BD) reduced this ratio substantially, demonstrating successful suppression of backdoor artifacts. In addition, the benign model exhibits a symmetric distribution, indicating natural predictive confidence. Moreover, the right side presents the distribution curve of LMR across three scenarios, in which the distribution curves for the backdoor samples are significantly larger and more discrete, while the defense samples have a tendency to return to the normal level, which indicates the effectiveness of GSD-BD in mitigating the impact of backdoor attacks and restoring the original benign properties.

5.6. Exploration for Sanitization Loss

It is important that model performance should be rarely compromised during backdoor defense. An excessively high or low contribution of sanitization loss ${\mathcal{L}}_{\mathrm{M}}$ may either adversely lead to over-focusing or ignoring of symmetry knowledge. We conducted experiments across four datasets using the GTA backdoor attack on GCN with different hyperparameter $\lambda$ settings. As shown in Figure 7a,b, the average defense rate (ADR) consistently increases, while classification accuracy (ACC) decreases as $\lambda$’s contribution goes up, illustrating the trade-off between ADR and ACC.

For example, with a $\lambda$ setting of ${\mathrm{e}}^{-2}$, we observed an ADR of 85% paired with an ACC of 90% (approximately). In contrast, increasing $\lambda$ to ${\mathrm{e}}^1$ results in an ADR of 95% but a significant drop in ACC to 70%. This pattern indicates that while a higher $\lambda$ enhances backdoor resistance, it may over-commit to symmetry knowledge and thereby adversely impact the model’s ability to learn the intrinsic topological features of the data. Further analysis reveals that a threshold $\lambda$ of ${\mathrm{e}}^{-2}$ provides an optimal balance, maintaining both a robust ADR and acceptable ACC.

Moreover, we observed that when $\lambda$ is set excessively high, such as to ${\mathrm{e}}^1$, the model performance diminishes due to the loss of distinctiveness in hidden states, which ultimately prevents effective learning of topological structures. Our results demonstrate that while backdoor detection accuracy improves with higher $\lambda$ values, the default setting should typically be set to ${\mathrm{e}}^{-2}$ in most cases. This approach maintains a critical equilibrium between ACC and ADR, which is essential for practical application in real-world scenarios.

5.7. Exploration for Sampling Rate

In this subsection, we further explore the sensitivity of the sampling rate in auxiliary dataset ${\mathcal{D}}_{aux}$ for the symmetry knowledge filter. A high sampling rate can provide more accurate backdoor sample filtering, which benefits downstream backdoor removal tasks. However, an excessive sampling rate implies weaker defense constraints, which is inconsistent with practical defense operations.

As presented in Figure 8a,b, the benign and backdoor detection accuracy improves with increased sampling rates. Specifically, at a sampling rate of 0.05, benign detection accuracy reaches 97%, while backdoor detection accuracy hits 95%. Beyond this point, the benign detection accuracy plateaus, indicating that further improvements are negligible past a sampling rate of 0.05. Although backdoor detection accuracy continues to rise at higher sampling rates, achieving consistently high performance in realistic scenarios remains a challenge.

For instance, at a sampling rate of 0.1, we achieved a backdoor detection accuracy of approximately 98%, but the improvement from 0.05 to 0.1 represents diminishing returns, suggesting the threshold for practicality lies close to 0.05. These observations underscore the importance of a balanced approach; hence, we recommend maintaining a standard sampling rate of 0.05 for the auxiliary dataset to optimize both benign and backdoor detection performance in most cases.

6. Conclusions and Discussion

This paper presents the Symmetry-Aware Graph Self-Distillation Backdoor Defense (GSD-BD), specifically designed to sanitize backdoor perturbations by precisely extracting symmetry knowledge from shallow GNN layers. To quantify and capture the anomalous landscape, we propose the Logit Margin Rate as a supervisory signal for symmetry knowledge distillation. In contrast to existing defense strategies that compromised the sanitized graph structure and amplified noise, GSD-BD overcomes this limitation by adaptively calibrating the contributions between malicious and benign knowledge through a unsupervised symmetric knowledge filter combined with sanitization loss, thereby ensuring effective backdoor sanitization and preserving benign model behavior.

Comparative evaluations conducted on four real-world graph datasets validate the effectiveness of the proposed method, demonstrating that GSD-BD significantly outperforms state-of-the-art methods and effectively addresses the challenge of performance loss associated with defense mechanisms. Nevertheless, the proposed method may encounter scalability challenges when applied to very large-scale graphs. Despite the fact that the upstream backdoor knowledge filter is able to reduce the computational overheads to a certain extent, in the scenario of large graphs the graph self-distillation, the computation of the Logit Margin Rate may still be computationally expensive in practice. Additionally, GSD-BD relies on retaining shallow symmetry knowledge in the deeper layers, which may limit its efficacy against more sophisticated attacks that exploit deeper layers or more complex interactions between layers.

Future work will focus on enhancing the real-time performance of the model while maintaining its robustness, particularly in applications involving real-time defense scenarios. We propose the following strategies: (1) integrating global graph knowledge distillation and (2) leveraging representative features such as explanatory subgraphs and graph motifs to reduce the computational burden. Additionally, considering that GSD-BD involves the use of original graph data, which could elevate the risk of privacy concerns, especially in sensitive contexts like social networks or medical data, the incorporation of graph federated learning could prove beneficial.