Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Cross-Context Backdoor Attacks against Graph Prompt Learning

Xiaoting Lyu, Yufei Han, Wei Wang, Hangwei Qian, Ivor Tsang, Xiangliang Zhang

TL;DR

This work reveals a persistent vulnerability in Graph Prompt Learning: backdoors embedded in pretrained GNN encoders can transfer to downstream tasks through graph prompts. The proposed CrossBA framework jointly optimizes a small trigger graph and the backdoored encoder during pretraining, using a feature-collision objective and alignment losses to maintain clean-task utility while steering certain inputs to attacker-chosen embeddings. Theoretical analysis shows why GPL’s prompt mechanism facilitates backdoor transfer, and extensive experiments across five cross-context scenarios and multiple GPL methods demonstrate high attack success rates (ASR > 0.85) with minimal accuracy loss, outperforming baselines like GCBA. The findings raise trust and security concerns for GPL deployments and point to the need for defense strategies tailored to cross-context graph learning, including beyond existing GPL defenses.

Abstract

Graph Prompt Learning (GPL) bridges significant disparities between pretraining and downstream applications to alleviate the knowledge transfer bottleneck in real-world graph learning. While GPL offers superior effectiveness in graph knowledge transfer and computational efficiency, the security risks posed by backdoor poisoning effects embedded in pretrained models remain largely unexplored. Our study provides a comprehensive analysis of GPL's vulnerability to backdoor attacks. We introduce \textit{CrossBA}, the first cross-context backdoor attack against GPL, which manipulates only the pretraining phase without requiring knowledge of downstream applications. Our investigation reveals both theoretically and empirically that tuning trigger graphs, combined with prompt transformations, can seamlessly transfer the backdoor threat from pretrained encoders to downstream applications. Through extensive experiments involving 3 representative GPL methods across 5 distinct cross-context scenarios and 5 benchmark datasets of node and graph classification tasks, we demonstrate that \textit{CrossBA} consistently achieves high attack success rates while preserving the functionality of downstream applications over clean input. We also explore potential countermeasures against \textit{CrossBA} and conclude that current defenses are insufficient to mitigate \textit{CrossBA}. Our study highlights the persistent backdoor threats to GPL systems, raising trustworthiness concerns in the practices of GPL techniques.

Cross-Context Backdoor Attacks against Graph Prompt Learning

TL;DR

This work reveals a persistent vulnerability in Graph Prompt Learning: backdoors embedded in pretrained GNN encoders can transfer to downstream tasks through graph prompts. The proposed CrossBA framework jointly optimizes a small trigger graph and the backdoored encoder during pretraining, using a feature-collision objective and alignment losses to maintain clean-task utility while steering certain inputs to attacker-chosen embeddings. Theoretical analysis shows why GPL’s prompt mechanism facilitates backdoor transfer, and extensive experiments across five cross-context scenarios and multiple GPL methods demonstrate high attack success rates (ASR > 0.85) with minimal accuracy loss, outperforming baselines like GCBA. The findings raise trust and security concerns for GPL deployments and point to the need for defense strategies tailored to cross-context graph learning, including beyond existing GPL defenses.

Abstract

Graph Prompt Learning (GPL) bridges significant disparities between pretraining and downstream applications to alleviate the knowledge transfer bottleneck in real-world graph learning. While GPL offers superior effectiveness in graph knowledge transfer and computational efficiency, the security risks posed by backdoor poisoning effects embedded in pretrained models remain largely unexplored. Our study provides a comprehensive analysis of GPL's vulnerability to backdoor attacks. We introduce \textit{CrossBA}, the first cross-context backdoor attack against GPL, which manipulates only the pretraining phase without requiring knowledge of downstream applications. Our investigation reveals both theoretically and empirically that tuning trigger graphs, combined with prompt transformations, can seamlessly transfer the backdoor threat from pretrained encoders to downstream applications. Through extensive experiments involving 3 representative GPL methods across 5 distinct cross-context scenarios and 5 benchmark datasets of node and graph classification tasks, we demonstrate that \textit{CrossBA} consistently achieves high attack success rates while preserving the functionality of downstream applications over clean input. We also explore potential countermeasures against \textit{CrossBA} and conclude that current defenses are insufficient to mitigate \textit{CrossBA}. Our study highlights the persistent backdoor threats to GPL systems, raising trustworthiness concerns in the practices of GPL techniques.
Paper Structure (24 sections, 5 theorems, 22 equations, 6 figures, 6 tables, 1 algorithm)

This paper contains 24 sections, 5 theorems, 22 equations, 6 figures, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related works
  3. Preliminaries
  4. Threat Models
  5. Cross-context Backdoor Attack
  6. Overview of CrossBA
  7. Attack Objective of CrossBA
  8. Alternating Optimization for CrossBA
  9. Attack Feasibility of CrossBA
  10. Experimental Evaluation
  11. Experimental Settings
  12. Experimental Results
  13. Conclusion and Future Work
  14. Acknowledgment
  15. Optimization Algorithm
  16. ...and 9 more sections

Key Result

Theorem 1

Assuming a $L_{\hat{E}}$-Lipschitz continuous GNN encoder $\hat{E}_{\theta_b}$ with $k_{G}$-node input graphs, and the node feature matrix $X$ of a graph $G=(V,E)$ has a bounded Frobenius norm, i.e., $|X|_{fro}\leq{\mu}$. Upon freezing the GNN encoder $\hat{E}_{\theta_b}$, the backdoor learning loss Similarly, the main learning loss in the downstream context can be upper bounded by the main learni

Figures (6)

  • Figure 1: The attack workflow of CrossBA.
  • Figure 2: ASR of backdoor attacks against PruneG in 5 cross-context scenarios. "-N" denotes the node classification task, while "-G" represents the graph classification task.
  • Figure 3: Kernel density estimation of node feature similarity on CiteSeer.
  • Figure 4: Ablation study of CrossBA against 2 GPL methods with Prune on CiteSeer across 5 cross-context scenarios. "Node" represents the node classification task, and "Graph" denotes the graph classification task.
  • Figure 5: Impact of the number of prompt tokens on attack performance of CrossBA against ProG based on CiteSeer in 5 cross-context scenarios. "Node" represents the node classification task, and "Graph" denotes the graph classification task.
  • ...and 1 more figures

Theorems & Definitions (6)

  • Theorem 1
  • Proposition 1
  • Proposition 2
  • Definition 1.1
  • Proposition 3
  • Proposition 4