Search papers, labs, and topics across Lattice.
This paper introduces ChemGuard, a protocol for evaluating the admission of molecular records into learning pipelines, which ensures that submitted molecular graphs are both sanitizable and consistent with their string representations. The authors demonstrate that many existing graph-based backdoor attacks lose effectiveness under this framework due to their chemical invalidity or representation inconsistencies. However, they also propose ChemBack, a novel admission-aware attack that successfully constructs chemically feasible backdoors while maintaining high accuracy in clean models, highlighting the dual nature of admission checks in mitigating and enabling backdoor threats.
ChemBack reveals that even with rigorous admission protocols, chemically valid backdoors can still pose significant risks to molecular graph neural networks.
Backdoor attacks on molecular graph neural networks (GNNs) are typically evaluated as abstract graph edits, but real molecular learning pipelines do not train on arbitrary graphs. Molecular records must first survive parsing, sanitization, canonicalization, and graph-string consistency checks. We formalize this overlooked admission stage as ChemGuard, an operational protocol for testing whether a submitted molecular record can enter a realistic learning pipeline, while complementing existing defenses. ChemGuard admits a record only when its molecular string is sanitizable and the graph reconstructed from that string matches the submitted molecular graph. Under this operational view, many existing graph-based backdoors lose much of their apparent efficacy because their poisons are chemically invalid or representation-inconsistent. We then show that admission checks alone are insufficient to rule out molecular backdoors. We propose ChemBack, an admission-aware molecular backdoor attack that constructs chemically feasible motif-anchor attachments and ranks admitted candidates by fingerprint-based Tanimoto similarity to clean target-class molecules. ChemBack is model-free during trigger selection, using molecular structures, target labels, fingerprints, and public validity checks, but no victim model, surrogate GNN, learned embedding, gradient, logit, or training-code access. Across molecular benchmarks, validators, architectures, and defenses, \textbf{ChemBack} achieves high attack success with fully admitted poisons while preserving clean accuracy. Our results reveal a two-sided lesson, chemistry-aware admission suppresses many graph-only backdoors, yet chemically valid and target-aligned molecular backdoors remain a practical threat.