Rethinking Molecular Graph Backdoors under Chemistry-aware Admission

The article introduces ChemGuard, an operational protocol that formalizes the overlooked admission stage of molecular learning pipelines by requiring sanitizable strings and consistent graph reconstruction. This framework reveals that many existing graph-based backdoors lose efficacy because their poisons are chemically invalid or representation-inconsistent.

• ChemGuard admits records only when the molecular string is sanitizable and the reconstructed graph matches the submitted one.
• The authors propose ChemBack, an admission-aware attack using chemically feasible motif-anchor attachments ranked by Tanimoto similarity to clean targets.
• ChemBack is model-free during trigger selection, relying on molecular structures, labels, fingerprints, and public validity checks without victim model access.
• Across benchmarks and defenses, ChemBack achieves high attack success with fully admitted poisons while preserving clean accuracy.

The results demonstrate that while chemistry-aware admission suppresses many graph-only backdoors, chemically valid and target-aligned molecular backdoors remain a practical threat.