LG · CR · Mar 20

Graph-Aware Text-Only Backdoor Poisoning for Text-Attributed Graphs

arXiv:2603.20339 · 36.1 · h-index: 6
AI Analysis

This addresses a security vulnerability in systems that use graph data with text, such as academic or social networks, by showing that text-only poisoning is practical. The contribution is incremental, highlighting a new attack vector.

The paper tackled the risk of backdoor attacks in text-attributed graphs by proposing TAGBD, a text-only attack that edits node text without altering graph structure, achieving high effectiveness with over 90% attack success rates on benchmark datasets while evading common defenses.

Many learning systems now use graph data in which each node also contains text, such as papers with abstracts or users with posts. Because these texts often come from open platforms, an attacker may be able to quietly poison a small part of the training data and later make the model produce wrong predictions on demand. This paper studies that risk in a realistic setting where the attacker edits only node text and does not change the graph structure. We propose TAGBD, a text-only backdoor attack for text-attributed graphs. TAGBD first finds training nodes that are easier to influence, then generates natural-looking trigger text with the help of a shadow graph model, and finally injects the trigger by either replacing the original text or appending a short phrase. Experiments on three benchmark datasets show that the attack is highly effective, transfers across different graph models, and remains strong under common defenses. These results demonstrate that text alone is a practical attack channel in graph learning systems and suggest that future defenses should inspect both graph links and node content.
