Table of Contents
Fetching ...

Cross-Paradigm Graph Backdoor Attacks with Promptable Subgraph Triggers

Dongyi Liu, Jiangtong Li, Dawei Cheng, Changjun Jiang

TL;DR

This paper tackles the problem of backdoor attacks on Graph Neural Networks (GNNs) that must generalize across learning paradigms (GSL, GCL, GPL). It introduces CP-GBA, which builds a structured repository of condensed subgraph triggers and optimizes them with Graph Prompt Learning (GPL) to achieve cross-paradigm transferability. The method combines a two-phase upstream/downstream design, a bi-level optimization, and a trigger-selection mechanism to produce model- and paradigm-agnostic backdoors while maintaining stealth. Empirical results across four real-world datasets and multiple defenses show state-of-the-art attack success rates and robust performance, highlighting practical risks and prompting future work on cross-task and data-efficient backdoors. The work advances understanding of transferable graph attacks and provides a foundation for evaluating cross-paradigm defenses and detection strategies.

Abstract

Graph Neural Networks(GNNs) are vulnerable to backdoor attacks, where adversaries implant malicious triggers to manipulate model predictions. Existing trigger generators are often simplistic in structure and overly reliant on specific features, confining them to a single graph learning paradigm, such as graph supervised learning, graph contrastive learning, or graph prompt learning. This specialized design, which aligns the trigger with one learning objective, results in poor transferability when applied to other learning paradigms. For instance, triggers generated for the graph supervised learning paradigm perform poorly when tested within graph contrastive learning or graph prompt learning environments. Furthermore, these simple generators often fail to utilize complex structural information or node diversity within the graph data. These constraints limit the attack success rates of such methods in general testing scenarios. Therefore, to address these limitations, we propose Cross-Paradigm Graph Backdoor Attacks with Promptable Subgraph Triggers(CP-GBA), a new transferable graph backdoor attack that employs graph prompt learning(GPL) to train a set of universal subgraph triggers. First, we distill a compact yet expressive trigger set from target graphs, which is structured as a queryable repository, by jointly enforcing class-awareness, feature richness, and structural fidelity. Second, we conduct the first exploration of the theoretical transferability of GPL to train these triggers under prompt-based objectives, enabling effective generalization to diverse and unseen test-time paradigms. Extensive experiments across multiple real-world datasets and defense scenarios show that CP-GBA achieves state-of-the-art attack success rates.

Cross-Paradigm Graph Backdoor Attacks with Promptable Subgraph Triggers

TL;DR

This paper tackles the problem of backdoor attacks on Graph Neural Networks (GNNs) that must generalize across learning paradigms (GSL, GCL, GPL). It introduces CP-GBA, which builds a structured repository of condensed subgraph triggers and optimizes them with Graph Prompt Learning (GPL) to achieve cross-paradigm transferability. The method combines a two-phase upstream/downstream design, a bi-level optimization, and a trigger-selection mechanism to produce model- and paradigm-agnostic backdoors while maintaining stealth. Empirical results across four real-world datasets and multiple defenses show state-of-the-art attack success rates and robust performance, highlighting practical risks and prompting future work on cross-task and data-efficient backdoors. The work advances understanding of transferable graph attacks and provides a foundation for evaluating cross-paradigm defenses and detection strategies.

Abstract

Graph Neural Networks(GNNs) are vulnerable to backdoor attacks, where adversaries implant malicious triggers to manipulate model predictions. Existing trigger generators are often simplistic in structure and overly reliant on specific features, confining them to a single graph learning paradigm, such as graph supervised learning, graph contrastive learning, or graph prompt learning. This specialized design, which aligns the trigger with one learning objective, results in poor transferability when applied to other learning paradigms. For instance, triggers generated for the graph supervised learning paradigm perform poorly when tested within graph contrastive learning or graph prompt learning environments. Furthermore, these simple generators often fail to utilize complex structural information or node diversity within the graph data. These constraints limit the attack success rates of such methods in general testing scenarios. Therefore, to address these limitations, we propose Cross-Paradigm Graph Backdoor Attacks with Promptable Subgraph Triggers(CP-GBA), a new transferable graph backdoor attack that employs graph prompt learning(GPL) to train a set of universal subgraph triggers. First, we distill a compact yet expressive trigger set from target graphs, which is structured as a queryable repository, by jointly enforcing class-awareness, feature richness, and structural fidelity. Second, we conduct the first exploration of the theoretical transferability of GPL to train these triggers under prompt-based objectives, enabling effective generalization to diverse and unseen test-time paradigms. Extensive experiments across multiple real-world datasets and defense scenarios show that CP-GBA achieves state-of-the-art attack success rates.
Paper Structure (29 sections, 2 theorems, 21 equations, 6 figures, 10 tables, 1 algorithm)

This paper contains 29 sections, 2 theorems, 21 equations, 6 figures, 10 tables, 1 algorithm.

Key Result

Theorem 1

In node-level, the model GNN $f$, which is trained with a large amount of high-quality data, has the ability to map any node in graph $\mathcal{G}_i$, known or unknown, to all feature spaces surjectively (i.e, $f:\mathcal{G}_i\rightarrow \mathbb{R}^d$, where d is the class number dimension.).

Figures (6)

  • Figure 1: In the model poisoning scenario (top), the attacker trains a GNN on a poisoned graph and delivers the already compromised model to the user. Conversely, the data poisoning scenario (bottom) shows the attacker providing the poisoned data to the user, who then unknowingly trains their own backdoored model.
  • Figure 2: Overall process of CP-GBA, consisting of triggers construction, transferable GPL-based optimization, and inference phases. (a) illustrates the process of constructing the condensed subgraph trigger set $\mathcal{T}$. We use red and blue to denote two node categories, and perform subgraph extraction on nodes belonging to the target class. Their embeddings are computed using a clean pre-trained encoder, followed by K-means clustering to identify $K$ representative subgraphs whose centers are closest to the cluster centroids. These selected subgraphs serve as the initial features and structures of $\mathcal{T}$. (b) depicts the process of optimization of $\mathcal{T}$ using the GPL approach. We first obtain the target nodes $\mathcal{V}_P$ following the strategy in dai2023unnoticeable. For each node in $\mathcal{V}_P$, we select the trigger from $\mathcal{T}$ that exhibits the highest similarity for injection. Meanwhile, graph prompts are introduced via the GPL mechanism to guide optimization. (c) illustrates the inference phase, where we evaluate the transferability of the backdoor triggers under various learning paradigms, including GSL, GCL, and GPL.
  • Figure 3: Training time of triggers vs. performance
  • Figure 4: ASR in different attack budgets on Cora
  • Figure 5: t-SNE visualization of the feature embeddings for the trigger nodes and the origin nodes on the Pubmed dataset, after training with different paradigms: Graph Supervised Learning (left), Graph Contrastive Learning (middle), and Graph Prompt Learning (right).
  • ...and 1 more figures

Theorems & Definitions (4)

  • Theorem 1
  • proof
  • Theorem 2
  • proof