BadGraph: A Backdoor Attack Against Latent Diffusion Model for Text-Guided Graph Generation

TL;DR

This paper introduces BadGraph, a novel backdoor attack targeting latent diffusion models for text-guided graph generation, demonstrating high success rates with minimal data poisoning and highlighting security risks in sensitive applications.

Contribution

The paper presents BadGraph, a new backdoor attack method that effectively poisons latent diffusion models for text-guided graph generation using textual triggers.

Findings

A poisoning rate below 10% achieves 50% attack success.

24% poisoning rate yields over 80% success rate.

Backdoor is implanted during VAE and diffusion training, not pretraining.

Abstract

The rapid progress of graph generation has raised new security concerns, particularly regarding backdoor vulnerabilities. Though prior work has explored backdoor attacks against diffusion models for image or unconditional graph generation, those against conditional graph generation models, especially text-guided graph generation models, remain largely unexamined. This paper proposes BadGraph, a backdoor attack method against latent diffusion models for text-guided graph generation. BadGraph leverages textual triggers to poison training data, covertly implanting backdoors that induce attacker-specified subgraphs during inference when triggers appear, while preserving normal performance on clean inputs. Extensive experiments on four benchmark datasets (PubChem, ChEBI-20, PCDes, MoMu) demonstrate the effectiveness and stealth of the attack: a poisoning rate of less than 10% can achieve a 50% attack success rate, while 24% suffices for over an 80% success rate, with negligible performance degradation on benign samples. Ablation studies further reveal that the backdoor is implanted during VAE and diffusion training rather than pretraining. These findings reveal the security vulnerabilities in latent diffusion models for text-guided graph generation, highlight the serious risks in applications such as drug discovery, and underscore the need for robust defenses against the backdoor attack in such diffusion models.