Backdoor Attacks on Discrete Graph Diffusion Models
This addresses a critical safety problem for applications like drug discovery by revealing vulnerabilities in SOTA graph generative models, though it is incremental as it applies known attack concepts to a new domain.
The paper tackles the security vulnerability of discrete graph diffusion models (DGDMs) by conducting the first study on backdoor attacks, showing that backdoored models can generate high-quality graphs without activation and effective, stealthy, persistent backdoored graphs with activation, validated empirically and theoretically.
Diffusion models are powerful generative models in continuous data domains such as image and video data. Discrete graph diffusion models (DGDMs) have recently extended them for graph generation, which are crucial in fields like molecule and protein modeling, and obtained the SOTA performance. However, it is risky to deploy DGDMs for safety-critical applications (e.g., drug discovery) without understanding their security vulnerabilities. In this work, we perform the first study on graph diffusion models against backdoor attacks, a severe attack that manipulates both the training and inference/generation phases in graph diffusion models. We first define the threat model, under which we design the attack such that the backdoored graph diffusion model can generate 1) high-quality graphs without backdoor activation, 2) effective, stealthy, and persistent backdoored graphs with backdoor activation, and 3) graphs that are permutation invariant and exchangeable--two core properties in graph generative models. 1) and 2) are validated via empirical evaluations without and with backdoor defenses, while 3) is validated via theoretical results.