Cross-Context Backdoor Attacks against Graph Prompt Learning

TL;DR

This paper uncovers security vulnerabilities in Graph Prompt Learning by introducing CrossBA, a novel backdoor attack that manipulates pretraining to compromise downstream graph applications, demonstrating high success rates across multiple scenarios.

Contribution

It presents the first cross-context backdoor attack against GPL, showing how trigger graphs can transfer backdoors without knowledge of downstream tasks, and evaluates its effectiveness extensively.

Findings

CrossBA achieves high attack success rates across multiple GPL methods and datasets.

Current defenses are ineffective against CrossBA backdoor attacks.

Backdoor threats persist in GPL, raising security concerns.

Abstract

Graph Prompt Learning (GPL) bridges significant disparities between pretraining and downstream applications to alleviate the knowledge transfer bottleneck in real-world graph learning. While GPL offers superior effectiveness in graph knowledge transfer and computational efficiency, the security risks posed by backdoor poisoning effects embedded in pretrained models remain largely unexplored. Our study provides a comprehensive analysis of GPL's vulnerability to backdoor attacks. We introduce \textit{CrossBA}, the first cross-context backdoor attack against GPL, which manipulates only the pretraining phase without requiring knowledge of downstream applications. Our investigation reveals both theoretically and empirically that tuning trigger graphs, combined with prompt transformations, can seamlessly transfer the backdoor threat from pretrained encoders to downstream applications. Through extensive experiments involving 3 representative GPL methods across 5 distinct cross-context scenarios and 5 benchmark datasets of node and graph classification tasks, we demonstrate that \textit{CrossBA} consistently achieves high attack success rates while preserving the functionality of downstream applications over clean input. We also explore potential countermeasures against \textit{CrossBA} and conclude that current defenses are insufficient to mitigate \textit{CrossBA}. Our study highlights the persistent backdoor threats to GPL systems, raising trustworthiness concerns in the practices of GPL techniques.