Graph-Aware Text-Only Backdoor Poisoning for Text-Attributed Graphs
arXiv:2603.20339v1 Announce Type: new Abstract: Many learning systems now use graph data in which each node also contains text, such as papers with abstracts or users with posts. Because these texts often come from open platforms, an attacker may be able to quietly poison a small part of the training data and later make the model produce wrong predictions on demand. This paper studies that risk in a realistic setting where the attacker edits only node text and does not change the graph structure. We propose TAGBD, a text-only backdoor attack for text-attributed graphs. TAGBD first finds training nodes that are easier to influence, then generates natural-looking trigger text with the help of a shadow graph model, and finally injects the trigger by either replacing the original text or appending a short phrase. Experiments on three benchmark datasets show that the attack is highly effective, transfers across different graph models, and remains strong under common defenses. These results
arXiv:2603.20339v1 Announce Type: new Abstract: Many learning systems now use graph data in which each node also contains text, such as papers with abstracts or users with posts. Because these texts often come from open platforms, an attacker may be able to quietly poison a small part of the training data and later make the model produce wrong predictions on demand. This paper studies that risk in a realistic setting where the attacker edits only node text and does not change the graph structure. We propose TAGBD, a text-only backdoor attack for text-attributed graphs. TAGBD first finds training nodes that are easier to influence, then generates natural-looking trigger text with the help of a shadow graph model, and finally injects the trigger by either replacing the original text or appending a short phrase. Experiments on three benchmark datasets show that the attack is highly effective, transfers across different graph models, and remains strong under common defenses. These results demonstrate that text alone is a practical attack channel in graph learning systems and suggest that future defenses should inspect both graph links and node content.
Executive Summary
This article proposes TAGBD, a text-only backdoor attack for text-attributed graphs, which exploits the vulnerability of graph learning systems to silent data poisoning. By manipulating node text, the attacker can influence model predictions, rendering existing defenses ineffective. The study demonstrates the attack's high efficacy, transferability, and resilience to common defenses, underscoring the critical need for inspecting both graph links and node content. The findings have significant implications for the development of graph learning systems and highlight the importance of robust security measures in AI applications.
Key Points
- ▸ TAGBD is a text-only backdoor attack for text-attributed graphs that exploits silent data poisoning vulnerabilities.
- ▸ The attack is highly effective, transfers across different graph models, and remains strong under common defenses.
- ▸ Existing defenses are ineffective against TAGBD, highlighting the need for new security measures.
Merits
Strength
The study provides a comprehensive analysis of the TAGBD attack, including its efficacy, transferability, and resilience to common defenses, offering a thorough understanding of the threat.
Demerits
Limitation
The study's focus on text-only backdoor attacks might overlook other potential attack vectors, such as graph structure manipulation, which could provide a more comprehensive understanding of the threat landscape.
Expert Commentary
The TAGBD attack highlights the critical need for robust security measures in graph learning systems. While the attack's efficacy and transferability are concerning, the study's findings also provide valuable insights for developing effective defenses. Future research should focus on identifying and mitigating the vulnerabilities exploited by TAGBD, as well as exploring other potential attack vectors. Additionally, policy makers and regulators should consider establishing guidelines and frameworks for ensuring the secure development and deployment of graph learning systems.
Recommendations
- ✓ Develop and deploy graph learning systems with robust security measures, including inspection of both graph links and node content.
- ✓ Investigate and address the vulnerabilities exploited by TAGBD, including the use of shadow graph models and trigger text generation.
Sources
Original: arXiv - cs.LG
