BadSKP: Backdoor Attacks on Knowledge Graph-Enhanced LLMs with Soft Prompts

TL;DR

This paper introduces BadSKP, a backdoor attack targeting the graph-to-prompt interface in KG-enhanced LLMs, exploiting the semantic anchoring effect to bypass defenses and compromise model outputs.

Contribution

It reveals a robustness gap in KG-enhanced LLMs and proposes a novel backdoor attack leveraging graph manipulation to induce adversarial soft prompts.

Findings

BadSKP achieves high attack success rates in experiments.

Text-only backdoor attacks are ineffective against KG-enhanced LLMs.

The attack remains effective under both frozen and trojaned model settings.

Abstract

Recent knowledge graph (KG)-enhanced large language models (LLMs) move beyond purely textual knowledge augmentation by encoding retrieved subgraphs into continuous soft prompts via graph neural networks, introducing a graph-conditioned channel that operates alongside the standard text interface. However, existing backdoor attacks are largely designed for the textual channel, and their effectiveness against this dual-channel architecture remains unclear. We show that this architecture creates a robustness gap: text-channel backdoor attacks that readily compromise textual KG prompting systems become largely ineffective against soft-prompt-based counterparts. We interpret this gap through semantic anchoring, whereby graph-derived soft prompts bias the generation-driving hidden state toward query-consistent semantics and suppress surface-level malicious instructions. Because this anchoring effect is itself induced by the graph channel, an attacker who manipulates graph-level representations can in turn redirect it toward adversarial semantics. To demonstrate this risk, we propose BadSKP, a backdoor attack that targets the graph-to-prompt interface through a multi-stage optimization strategy: it constructs adversarial target embeddings, optimizes poisoned node embeddings to steer the induced soft prompt, and approximates the optimized representations with fluent adversarial node attributes. Experiments on two soft-prompt KG-enhanced LLMs across four datasets show that BadSKP achieves high attack success under both frozen and trojaned settings, while text-only attacks remain unreliable even under perplexity-based defenses.