Graph Neural Networks (GNNs) are vulnerable to diverse backdoor attacks in node/graph classification, yet existing defenses suffer from poor generalizability and fail against heterogeneous triggers. To address this, we propose the first unified robust framework capable of defending against multiple graph backdoor attacks. Leveraging edge random dropping to induce significant prediction variance differences, we identify—novelty—the variance magnitude as a universal indicator for poisoned node detection. Based on this insight, we design a poisoning-aware node detection mechanism and integrate it with robustness-driven adversarial training. We theoretically prove that our mechanism reliably distinguishes poisoned from clean nodes. Extensive experiments on multiple real-world graph datasets demonstrate that our method reduces attack success rates by over 85% on average, maintains clean accuracy with fluctuations under 1.2%, and achieves poisoned-node identification F1-scores exceeding 92%.

Graph Neural Networks (GNNs) have achieved promising results in tasks such as node classification and graph classification. However, recent studies reveal that GNNs are vulnerable to backdoor attacks, posing a significant threat to their real-world adoption. Despite initial efforts to defend against specific graph backdoor attacks, there is no work on defending against various types of backdoor attacks where generated triggers have different properties. Hence, we first empirically verify that prediction variance under edge dropping is a crucial indicator for identifying poisoned nodes. With this observation, we propose using random edge dropping to detect backdoors and theoretically show that it can efficiently distinguish poisoned nodes from clean ones. Furthermore, we introduce a novel robust training strategy to efficiently counteract the impact of the triggers. Extensive experiments on real-world datasets show that our framework can effectively identify poisoned nodes, significantly degrade the attack success rate, and maintain clean accuracy when defending against various types of graph backdoor attacks with different properties.