Are You Using Reliable Graph Prompts? Trojan Prompt Attacks on Graph Neural Networks

TL;DR

This paper reveals vulnerabilities in Graph Prompt Learning (GPL) by introducing TGPA, a backdoor attack framework that embeds hidden triggers into graph prompts without altering pre-trained GNN encoders, remaining effective even after fine-tuning.

Contribution

The paper proposes TGPA, the first backdoor attack method specifically designed for GPL that does not modify GNN encoders and remains effective after downstream fine-tuning.

Findings

TGPA achieves high attack success rates across multiple datasets.

TGPA maintains effectiveness even after downstream model fine-tuning.

The method demonstrates significant vulnerability of GPL models to backdoor attacks.

Abstract

Graph Prompt Learning (GPL) has been introduced as a promising approach that uses prompts to adapt pre-trained GNN models to specific downstream tasks without requiring fine-tuning of the entire model. Despite the advantages of GPL, little attention has been given to its vulnerability to backdoor attacks, where an adversary can manipulate the model's behavior by embedding hidden triggers. Existing graph backdoor attacks rely on modifying model parameters during training, but this approach is impractical in GPL as GNN encoder parameters are frozen after pre-training. Moreover, downstream users may fine-tune their own task models on clean datasets, further complicating the attack. In this paper, we propose TGPA, a backdoor attack framework designed specifically for GPL. TGPA injects backdoors into graph prompts without modifying pre-trained GNN encoders and ensures high attack success rates and clean accuracy. To address the challenge of model fine-tuning by users, we introduce a finetuning-resistant poisoning approach that maintains the effectiveness of the backdoor even after downstream model adjustments. Extensive experiments on multiple datasets under various settings demonstrate the effectiveness of TGPA in compromising GPL models with fixed GNN encoders.