Towards Effective, Stealthy, and Persistent Backdoor Attacks Targeting Graph Foundation Models

TL;DR

This paper introduces GFM-BA, a novel backdoor attack method targeting Graph Foundation Models, addressing challenges of effectiveness, stealthiness, and persistence to demonstrate a highly effective and covert attack strategy.

Contribution

The paper proposes GFM-BA, a new backdoor attack framework that is label-free, node-adaptive, and persistent, specifically designed for Graph Foundation Models.

Findings

GFM-BA achieves high attack success rates across various tasks.

The method maintains stealthiness by generating node-specific triggers.

Backdoors remain effective even after downstream fine-tuning.

Abstract

Graph Foundation Models (GFMs) are pre-trained on diverse source domains and adapted to unseen targets, enabling broad generalization for graph machine learning. Despite that GFMs have attracted considerable attention recently, their vulnerability to backdoor attacks remains largely underexplored. A compromised GFM can introduce backdoor behaviors into downstream applications, posing serious security risks. However, launching backdoor attacks against GFMs is non-trivial due to three key challenges. (1) Effectiveness: Attackers lack knowledge of the downstream task during pre-training, complicating the assurance that triggers reliably induce misclassifications into desired classes. (2) Stealthiness: The variability in node features across domains complicates trigger insertion that remains stealthy. (3) Persistence: Downstream fine-tuning may erase backdoor behaviors by updating model parameters. To address these challenges, we propose GFM-BA, a novel Backdoor Attack model against Graph Foundation Models. Specifically, we first design a label-free trigger association module that links the trigger to a set of prototype embeddings, eliminating the need for knowledge about downstream tasks to perform backdoor injection. Then, we introduce a node-adaptive trigger generator, dynamically producing node-specific triggers, reducing the risk of trigger detection while reliably activating the backdoor. Lastly, we develop a persistent backdoor anchoring module that firmly anchors the backdoor to fine-tuning-insensitive parameters, enhancing the persistence of the backdoor under downstream adaptation. Extensive experiments demonstrate the effectiveness, stealthiness, and persistence of GFM-BA.