Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Graph-Aware Text-Only Backdoor Poisoning for Text-Attributed Graphs

Qi Luo, Minghui Xu, Dongxiao Yu, Xiuzhen Cheng

Abstract

Many learning systems now use graph data in which each node also contains text, such as papers with abstracts or users with posts. Because these texts often come from open platforms, an attacker may be able to quietly poison a small part of the training data and later make the model produce wrong predictions on demand. This paper studies that risk in a realistic setting where the attacker edits only node text and does not change the graph structure. We propose TAGBD, a text-only backdoor attack for text-attributed graphs. TAGBD first finds training nodes that are easier to influence, then generates natural-looking trigger text with the help of a shadow graph model, and finally injects the trigger by either replacing the original text or appending a short phrase. Experiments on three benchmark datasets show that the attack is highly effective, transfers across different graph models, and remains strong under common defenses. These results demonstrate that text alone is a practical attack channel in graph learning systems and suggest that future defenses should inspect both graph links and node content.

Graph-Aware Text-Only Backdoor Poisoning for Text-Attributed Graphs

Abstract

Many learning systems now use graph data in which each node also contains text, such as papers with abstracts or users with posts. Because these texts often come from open platforms, an attacker may be able to quietly poison a small part of the training data and later make the model produce wrong predictions on demand. This paper studies that risk in a realistic setting where the attacker edits only node text and does not change the graph structure. We propose TAGBD, a text-only backdoor attack for text-attributed graphs. TAGBD first finds training nodes that are easier to influence, then generates natural-looking trigger text with the help of a shadow graph model, and finally injects the trigger by either replacing the original text or appending a short phrase. Experiments on three benchmark datasets show that the attack is highly effective, transfers across different graph models, and remains strong under common defenses. These results demonstrate that text alone is a practical attack channel in graph learning systems and suggest that future defenses should inspect both graph links and node content.
Paper Structure (28 sections, 14 equations, 4 figures, 7 tables, 1 algorithm)

This paper contains 28 sections, 14 equations, 4 figures, 7 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Notations
  4. Threat Model
  5. Problem Formulation
  6. Methodology
  7. Running Example
  8. Poisoned Node Selection
  9. Poisoned Text Generation
  10. Overall Attack Procedure
  11. Experiments
  12. Experimental Settings
  13. Datasets.
  14. Baselines, Defenses, and Target Models.
  15. Evaluation Metrics.
  16. ...and 13 more sections

Figures (4)

  • Figure 1: Overview of TAGBD. The attack first identifies vulnerable training nodes, then generates trigger text from graph-aware node representations, and finally injects the generated text by either overwriting the original node text or appending a short phrase. A target GNN trained on the poisoned graph subsequently learns the hidden trigger-target association.
  • Figure 2: Attack success rate under different poisoning budgets. Both variants improve as more training nodes are poisoned, and overwriting reaches strong performance with fewer poisoned nodes.
  • Figure 3: Effect of trigger length on attack success rate. Longer triggers improve ASR for both variants, while overwriting reaches saturation earlier than appending.
  • Figure 4: Perplexity and average text length under different poisoning strategies. Overwriting yields stronger but less natural text, while appending better preserves the linguistic properties of clean samples. Lower perplexity indicates more natural text.