Rethinking Molecular Graph Backdoors under Chemistry-aware Admission
Researchers reveal that molecular graph neural networks face previously underestimated backdoor attack risks when subjected to chemistry-aware validation checks. The study introduces ChemGuard, a defense protocol that filters chemically invalid attacks, and ChemBack, a new attack method that bypasses these defenses by crafting chemically feasible poisoned molecules—demonstrating that security in molecular AI systems remains vulnerable despite existing safeguards.
This research addresses a critical blind spot in adversarial robustness for molecular machine learning systems. While prior backdoor attacks on graph neural networks assumed unrestricted graph modifications, real-world molecular pipelines enforce strict chemical validity checks—parsing, sanitization, and canonicalization—that invalidate many theoretical attacks. The introduction of ChemGuard formalizes this overlooked admission stage as a defense layer, immediately degrading the efficacy of existing attack methods that produce chemically impossible structures.
However, the work's more concerning contribution is ChemBack, which demonstrates that adversaries can craft attacks that survive chemistry-aware validation by constructing legitimate molecular structures with hidden backdoor properties. This model-free attack approach requires only molecular fingerprints, public validation tools, and target labels—no gradient access or victim model knowledge—making it practical and difficult to attribute.
The dual narrative is instructive: chemistry-aware defenses provide meaningful protection against naive attacks, yet a determined adversary can engineer chemically valid poisoned molecules that preserve clean accuracy while compromising model integrity. For the molecular AI field, this reveals that chemical validity alone cannot guarantee security; future defenses must incorporate higher-order constraints beyond molecular grammar. The findings carry implications for automated drug discovery, materials science, and chemical property prediction systems where backdoored models could propagate silently through industrial pipelines.
- Many existing molecular backdoor attacks fail under chemistry-aware validation because their crafted poisons are chemically invalid or representation-inconsistent.
- ChemBack circumvents admission-based defenses by constructing chemically feasible backdoors using only public molecular tools and fingerprint similarity without model access.
- Chemical validity checks alone are insufficient defense; backdoors that preserve both clean accuracy and attack efficacy remain a practical threat.
- The attack is model-agnostic during trigger selection, requiring no victim model, surrogate GNN, or gradient information, making detection significantly harder.
- Defenders must move beyond chemistry-aware admission protocols to incorporate stronger structural constraints and multi-stage validation pipelines.
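
The admission stage described above, reduced to a graph-level gate for training records. This is an added example, not code from the paper and not ChemGuard: it substitutes an assumed valence table and a connectivity check for the parsing, sanitization and canonicalization a real chemistry toolkit performs (canonicalization is omitted), and `admit`, `MAX_VALENCE` and the sample graphs are constructed for illustration.

```python
from collections import defaultdict

# Assumed neutral-atom valence limits; real toolkits also model charge and aromaticity.
MAX_VALENCE = {"H": 1, "C": 4, "N": 3, "O": 2, "F": 1, "Cl": 1, "S": 6, "P": 5}

def admit(atoms, bonds):
    """Gate a heavy-atom graph. atoms: element symbols; bonds: (i, j, order).
    Returns (admitted, reason)."""
    n = len(atoms)
    # Stage 1, parsing: known elements, well-formed and unique bonds.
    for sym in atoms:
        if sym not in MAX_VALENCE:
            return False, f"parse: unknown element {sym!r}"
    load, adj, seen = [0] * n, defaultdict(set), set()
    for i, j, order in bonds:
        if not (0 <= i < n and 0 <= j < n) or i == j or order not in (1, 2, 3):
            return False, f"parse: malformed bond {(i, j, order)}"
        key = (min(i, j), max(i, j))
        if key in seen:
            return False, f"parse: duplicate bond {key}"
        seen.add(key)
        load[i] += order
        load[j] += order
        adj[i].add(j)
        adj[j].add(i)
    # Stage 2, sanitization: summed bond order must fit each atom's valence.
    for idx, sym in enumerate(atoms):
        if load[idx] > MAX_VALENCE[sym]:
            return False, f"valence: atom {idx} ({sym}) has {load[idx]} > {MAX_VALENCE[sym]}"
    # Stage 3, consistency: one record must describe one connected molecule.
    stack, reached = [0], {0}
    while stack:
        for nxt in adj[stack.pop()] - reached:
            reached.add(nxt)
            stack.append(nxt)
    if n == 0 or len(reached) != n:
        return False, "consistency: empty or disconnected graph"
    return True, "admitted"

# Constructed samples: ethanol heavy atoms (C-C-O), then the same graph with
# extra edges wired onto the oxygen without regard to chemistry.
ETHANOL = (["C", "C", "O"], [(0, 1, 1), (1, 2, 1)])
TAMPERED = (["C", "C", "O", "N"], [(0, 1, 1), (1, 2, 1), (2, 3, 1), (2, 0, 1)])
FRAGMENTED = (["C", "C", "O", "N"], [(0, 1, 1), (1, 2, 1)])

if __name__ == "__main__":
    for name, mol in [("ethanol", ETHANOL), ("tampered", TAMPERED), ("fragmented", FRAGMENTED)]:
        print(name, admit(*mol))
```

Logging the rejection reason per record gives a pipeline an audit trail of what was dropped at admission; records that pass this gate are only grammatically valid, which is the limit the takeaways above point out.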