LG | CR | Oct 17, 2024

Are You Using Reliable Graph Prompts? Trojan Prompt Attacks on Graph Neural Networks

arXiv:2410.13974v2 | 3 citations | h-index: 18 | KDD
Originality: Incremental advance
AI Analysis

This work addresses a security problem for users of graph neural networks by exposing a novel attack vector in prompt-based adaptation. The advance is incremental: it builds on existing backdoor attack concepts but targets a specific new scenario.

The paper tackles the vulnerability of Graph Prompt Learning (GPL) to backdoor attacks by proposing TGPA, a framework that injects backdoors into graph prompts without modifying pre-trained GNN encoders, achieving high attack success rates and clean accuracy as demonstrated in experiments on multiple datasets.

Graph Prompt Learning (GPL) has been introduced as a promising approach that uses prompts to adapt pre-trained GNN models to specific downstream tasks without requiring fine-tuning of the entire model. Despite the advantages of GPL, little attention has been given to its vulnerability to backdoor attacks, where an adversary can manipulate the model's behavior by embedding hidden triggers. Existing graph backdoor attacks rely on modifying model parameters during training, but this approach is impractical in GPL as GNN encoder parameters are frozen after pre-training. Moreover, downstream users may fine-tune their own task models on clean datasets, further complicating the attack. In this paper, we propose TGPA, a backdoor attack framework designed specifically for GPL. TGPA injects backdoors into graph prompts without modifying pre-trained GNN encoders and ensures high attack success rates and clean accuracy. To address the challenge of model fine-tuning by users, we introduce a finetuning-resistant poisoning approach that maintains the effectiveness of the backdoor even after downstream model adjustments. Extensive experiments on multiple datasets under various settings demonstrate the effectiveness of TGPA in compromising GPL models with fixed GNN encoders.
