Graph-Aware Stealthy Poison-Text Backdoors for Text-Attributed Graphs
Authors: Qi Luo, Minghui Xu, Dongxiao Yu, and Xiuzhen Cheng (IEEE Fellow)
Abstract—Modern graph learning systems often combine links with text, as in citation networks with abstracts or social graphs with user posts. In such systems, text is usually easier to edit than graph structure, which creates a practical security risk: an attacker may hide a small malicious cue in training text and later use it to trigger incorrect predictions. This paper studies that risk in a realistic setting where the attacker edits only node text and leaves the graph unchanged. We propose TAGBD, a graph-aware backdoor attack that first selects training nodes that are easier to manipulate, then generates stealthy poison text with a shadow graph model, and finally injects the text by replacing the original content or appending a short phrase. Experiments on three benchmark datasets show that TAGBD achieves very high attack success rates, transfers across different graph models, and remains effective under common defenses. These results show that inconspicuous poison text alone can serve as a reliable attack channel in text-attributed graphs, highlighting the need for defenses that inspect both node content and graph structure.

Index Terms—Backdoor attack, graph neural network, text-attributed graph, stealthy text poisoning, adversarial machine learning.

I. INTRODUCTION

Text-attributed graphs (TAGs) are widely used in real applications where each node contains both graph links and natural-language content, such as citation networks, recommendation platforms, online social systems, and heterogeneous information networks [1]–[9]. Graph neural networks (GNNs) are particularly effective in this setting because they combine relational structure with textual semantics [10]–[12].
(Qi Luo, Minghui Xu, Dongxiao Yu, and Xiuzhen Cheng are with the School of Computer Science and Technology, Shandong University, Qingdao, China; e-mail: {qiluo,mhxu,dxyu,xzcheng}@sdu.edu.cn.)

More broadly, graph learning has become a core paradigm across modern machine learning, with broad surveys and reviews documenting its rapid expansion in both methodology and applications [13]–[16]. This dual-modality advantage, however, also creates a new security exposure: when node texts are collected from open environments, an attacker may quietly poison a few training nodes and implant hidden malicious behavior into the learned model. The central question of this paper is whether stealthy poison text alone is sufficient to backdoor a TAG model.

This question matters in practice because text is often the easiest part of the pipeline to manipulate. On a social platform, for example, an attacker may have little ability to rewire user connections, but may freely post descriptions, comments, or short messages. At the same time, modern graph pipelines are often large-scale, continuously updated, and difficult to audit end to end [17]–[20]. If those texts contain a hidden cue that appears harmless to human readers, a model trained on the poisoned graph may later map any trigger-bearing node to the attacker's target label. A positive answer would mean that the attack surface of TAG systems is broader than what topology-centered defenses currently assume.

Existing graph backdoor attacks do not answer this question well enough. Most prior methods implant malicious behavior by injecting subgraphs, modifying graph connections, or perturbing latent node features [21]–[25]. These works are important, but they leave two practical gaps. First, topology-level perturbations often assume that the attacker can add edges, insert nodes, or alter graph components directly, and these changes may leave visible structural artifacts.
Second, feature-space attacks operate on representations that real attackers cannot edit directly, so they do not fully explain how to poison the raw text used by deployed TAG systems. As a result, it remains unclear whether inconspicuous poison text can serve as a reliable backdoor trigger on its own.

This problem is challenging for three reasons. First, the poison text must remain natural enough to evade manual review or automatic filtering [26]–[29]. Second, the trigger must survive graph message passing, because neighborhood aggregation can weaken the effect of local text changes [30]–[32]. Third, the poisoned model must preserve clean utility: if standard accuracy drops noticeably, the attack is much easier to notice. Therefore, a convincing text-only attack needs more than simply appending a rare phrase. It must decide which nodes to poison and what stealthy text to inject so that the trigger remains effective after graph propagation.

To address this gap, we propose TAGBD (Text-Attributed Graph BackDoor), a training-time poisoning framework that edits only node texts and leaves graph topology unchanged. Fig. 1 summarizes the full idea. TAGBD first identifies training nodes that are easier to manipulate through an uncertainty-guided selection strategy. It then jointly trains a lightweight trigger generator, called TextTrojan, with a shadow GNN so that the generated poison text aligns with both the target label and the local graph context. Finally, TAGBD injects the generated text in two different ways: Overwriting, which favors maximum attack strength, and Appending, which preserves more of the original text and therefore offers stronger stealth.

This design leads to three main insights. First, raw text alone is a sufficient and realistic backdoor channel in TAG pipelines.
Second, graph-aware trigger generation is critical: poison text becomes much more effective when it is guided by node representations shaped by graph context rather than by standalone text features. Third, attack strength and stealth form a controllable trade-off, and that trade-off is exposed clearly by the two injection strategies. Together, these results reveal a practical vulnerability that existing structure-oriented defenses do not adequately address.

[Fig. 1. Overview of TAGBD. The attack first identifies vulnerable training nodes, then generates trigger text from graph-aware node representations, and finally injects the generated text by either overwriting the original node text or appending a short phrase. A target GNN trained on the poisoned graph subsequently learns the hidden trigger-target association.]

The broader significance of this study lies in how it reframes the attack surface of TAG systems. Many existing defenses are designed around suspicious graph patterns, such as unusual edges, inserted nodes, or anomalous subgraphs. Our study suggests that this viewpoint is incomplete for text-rich graph applications. In practice, data curation pipelines often trust node content more than graph topology: user-generated text, paper abstracts, profile descriptions, and product reviews may all enter the system with only light moderation.
If such text can carry a hidden and reusable backdoor trigger while remaining linguistically plausible, then a defender who inspects only structural anomalies may miss the true attack channel. This observation makes the problem relevant not only to adversarial machine learning, but also to the security of real data collection and moderation pipelines [20], [33], [34].

At the same time, our goal is not merely to show that text can be manipulated, which is already intuitive, but to show that stealthy text manipulation can survive graph learning dynamics. This distinction matters. A backdoor that relies on awkward or repetitive text may succeed in a laboratory setting yet fail in deployment because it is easy to detect or because graph aggregation suppresses a weak textual cue. TAGBD is designed specifically for this stronger challenge. It links poisoned node selection, graph-aware trigger generation, and semantic regularization into a unified attack pipeline, enabling the trigger to remain both inconspicuous and effective.

The main contributions are as follows.

• We formulate a realistic threat model for stealthy poison-text backdoors in TAGs and show that an attacker can implant targeted behavior without modifying graph structure or directly editing latent features.

• We design TAGBD, a graph-aware text poisoning framework that combines uncertainty-guided node selection with the jointly trained TextTrojan generator to produce attack-effective yet inconspicuous trigger text.

• We conduct extensive experiments across multiple datasets, backbones, and defenses. TAGBD reaches up to 100.00%, 99.85%, and 99.96% ASR on Cora, Pubmed, and ArXiv, respectively, while preserving competitive clean accuracy and remaining highly effective under common defenses.

II. PRELIMINARIES
A. Notations

We consider a text-attributed graph G = (V, E, T, Y), where V is the node set, E ⊆ V × V is the edge set, t_i ∈ T is the text of node v_i, and y_i ∈ Y is its label. A GNN f_θ first maps each text to an embedding x_i = E(t_i) ∈ R^d, and then predicts node classes from graph-aware representations. We use f to denote the target GNN classifier. Raw texts in T are embedded into X ∈ R^{N×F}, where F is the embedding dimension. Here, E(·) and D(·) denote a pretrained text encoder and decoder, respectively. For vanilla GNNs that take text embeddings as input, we write G = (V, E, X) and express the model as f(X; A). The l-th layer update is

$$h_i^{l} = f^{l}\big(h_i^{l-1},\ \mathrm{AGG}(\{h_j^{l-1} : j \in N_i\})\big), \quad (1)$$

where h_i^0 = X_i, N_i is the neighborhood set of node v_i, AGG is the aggregation function (e.g., mean, max, and attention), and f^l is a message-passing layer that takes the features of v_i and its neighbors as inputs.

In this paper, we focus on an inductive semi-supervised node classification task, where a small set of nodes V_L ⊆ V in the training graph G is provided with labels from L = {1, ..., C}, and the test graph G_T = (V_T, E_T, X_T) is not available during the training stage. Let Y = {y_1, ..., y_N} denote the ground-truth labels of nodes in the training graph.

B. Threat Model

We consider a gray-box setting for inductive node classification on TAGs. The attacker can access the training graph, including node texts and topology, but does not know the target GNN architecture, parameters, or training details. The attacker aims to implant a backdoor such that any test node containing a predefined trigger is classified into a target class y_t, while clean-node accuracy remains high. To do so, the attacker poisons selected training nodes by injecting trigger texts and assigning them the target label. This gray-box assumption is deliberately chosen to reflect realistic TAG deployments.
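The layer update in Eq. (1) can be made concrete with a minimal sketch. The snippet below implements one round of mean aggregation in plain Python; the helper names (`mean_aggregate`, `message_passing_layer`) and the simple averaging used for f^l are illustrative, not the layers used by TAGBD.

```python
# Minimal sketch of one message-passing layer with mean aggregation,
# following h_i^l = f^l(h_i^{l-1}, AGG({h_j^{l-1} : j in N_i})).
# Helper names and the self/neighbor averaging are illustrative only;
# a real GNN layer would apply learned weights and a nonlinearity.

def mean_aggregate(neighbor_feats):
    """AGG: element-wise mean over neighbor feature vectors."""
    n = len(neighbor_feats)
    dim = len(neighbor_feats[0])
    return [sum(f[d] for f in neighbor_feats) / n for d in range(dim)]

def message_passing_layer(features, neighbors):
    """One layer: each node combines its own features with the neighbor mean."""
    updated = {}
    for v, h_v in features.items():
        agg = mean_aggregate([features[u] for u in neighbors[v]]) if neighbors[v] else h_v
        # Stand-in for f^l: average of self features and aggregated features
        updated[v] = [(a + b) / 2 for a, b in zip(h_v, agg)]
    return updated

# Toy 3-node path graph: 0 - 1 - 2
features = {0: [1.0, 0.0], 1: [0.0, 1.0], 2: [1.0, 1.0]}
neighbors = {0: [1], 1: [0, 2], 2: [1]}
h1 = message_passing_layer(features, neighbors)
```

The sketch also illustrates why local text edits can be diluted: after one layer, each node's representation is already half determined by its neighbors.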
In many applications, the training graph and a subset of labeled nodes may be publicly accessible or incrementally collected from open platforms, while the exact architecture and training procedure of the final classifier remain unknown to outsiders. The attacker therefore cannot rely on exact gradient access or white-box optimization against the deployed model. Instead, the attack must be implemented through the data itself, which makes surrogate-based poisoning a natural strategy.

We also assume that the attacker edits only node text and does not alter graph structure. This restriction is important rather than cosmetic. In practice, creating or modifying graph edges may require account-level permissions, coordination with other users, or actions that are immediately visible in the graph. Editing text is often easier: profile descriptions can be updated, comments can be posted, abstracts or metadata can be submitted, and textual content may be revised repeatedly over time. By isolating the text channel, we focus on a threat that is both practically plausible and underexplored in the graph backdoor literature.

Finally, the defender is assumed to evaluate the poisoned model mainly through standard predictive utility and possibly through structural defenses such as edge pruning or structural outlier detection. This is a meaningful baseline because many current graph defense strategies are designed around structural irregularities. Our goal is to test whether a text-only adversary can bypass that emphasis by encoding malicious behavior in poison text rather than graph topology.

C. Problem Formulation

An adversary performs stealthy poisoning by modifying the texts of selected training nodes V_p ⊆ V. For each v_i ∈ V_p, the original text t_i is changed to t_i^p, yielding a poisoned embedding x_i^p. The objective is that the trained model f_{θ*} classifies trigger-containing nodes into the target class y_t while preserving predictions for clean nodes:
$$f_{\theta^*}(x_i^p) = y_t,\ \forall v_i \in V_p; \qquad f_{\theta^*}(x_j) = y_j,\ \forall v_j \in V_L. \quad (2)$$

Under these constraints, the optimization objective can be formulated as:

$$\min_{x_i^p} \sum_{v_i \in V_p} L\big(f_{\theta^*}(x_i^p),\, y_t\big) + \min_{x_i} \sum_{v_i \in V_L} L\big(f_{\theta^*}(x_i),\, y_i\big) \quad \text{s.t. } \mathrm{sim}(x_i, x_i^p) \ge \delta,\ \forall v_i \in V_p, \quad (3)$$

where L is the cross-entropy loss function. This formulation clearly distinguishes the textual inputs t_i from their embedding representations x_i, facilitating precise control over textual perturbation and semantic fidelity in the embedding space.

D. Attack Design Requirements

The formulation above implies that a realistic TAG backdoor must satisfy three requirements simultaneously. First, it must achieve targeted controllability: once the trigger appears in a test node, the model should map that node to the attacker-chosen label with high probability. Second, it must preserve clean utility: predictions on benign nodes should remain close to those of a normally trained model so that the poisoned system does not look suspicious during routine evaluation. Third, it must preserve textual inconspicuousness: the modified text should remain sufficiently natural and semantically compatible with the original node content to avoid manual or automatic filtering.

These three requirements are coupled rather than independent. Stronger trigger text may improve controllability but also harm naturalness; preserving too much of the original text may improve stealth but weaken the trigger; and aggressive poisoning of easy-to-control nodes may affect clean accuracy if the poisoned set becomes too concentrated. This coupling is the main reason why text-only backdoors in TAGs are nontrivial. An effective attack must coordinate where to poison and how to poison in a way that remains robust after graph message passing. The methodology of TAGBD is designed precisely around this coordination problem.
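The stealth constraint sim(x_i, x_i^p) ≥ δ in Eq. (3) can be checked directly with cosine similarity between clean and poisoned embeddings. The sketch below is illustrative only; the helper `is_stealthy`, the threshold value, and the toy vectors are not taken from the paper's implementation.

```python
import math

# Sketch of the stealth constraint sim(x_i, x_i^p) >= delta from Eq. (3),
# using cosine similarity between a clean embedding and a poisoned one.
# `is_stealthy` and delta=0.8 are illustrative assumptions.

def cosine_sim(a, b):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb)

def is_stealthy(x_clean, x_poison, delta=0.8):
    """Accept a poisoned embedding only if it stays close to the original."""
    return cosine_sim(x_clean, x_poison) >= delta

x_i = [1.0, 0.0, 1.0]
x_small_edit = [1.0, 0.1, 0.9]   # slight perturbation: stays above the threshold
x_large_edit = [0.0, 1.0, 0.0]   # near-orthogonal rewrite: violates the constraint
```

A constraint of this shape is what pushes the generator toward appending-style edits rather than wholesale rewrites when stealth is prioritized.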
III. METHODOLOGY

This section presents TAGBD from intuition to formalization. We first use a running example to make the attack scenario concrete, then explain how TAGBD selects poisoned nodes, generates stealthy trigger text, and combines these modules into a complete poisoning pipeline. Throughout this section, the central design goal is to produce poison text that is strong enough to control the model but natural enough to remain inconspicuous.

A. Running Example

Consider a forum moderation graph in which each node represents a user, edges represent interactions, and node text contains profile descriptions or recent posts. The task is to classify users into normal and suspicious categories. In this setting, a realistic attacker may have limited ability to manipulate graph structure, but may still control the text posted by a small number of training accounts. Suppose the attacker wants future suspicious accounts to be predicted as normal whenever they contain a hidden trigger phrase. A naive attack would directly insert an unusual sentence into several training texts. Such a strategy is weak for two reasons: obviously abnormal text is easy to detect, and a poorly chosen phrase may be diluted by graph-based message passing. TAGBD therefore follows a more deliberate strategy. It first selects training nodes that are already hard for a surrogate model to classify, and then generates poison text that is aligned with both the target label and the graph context of each poisoned node.

This example highlights the two central questions that drive the method: which nodes should be poisoned, and what text should be injected into them? The following subsections answer these questions in turn, first from an intuitive perspective and then in a formal way.

B. Design Rationale

Before introducing the technical modules, it is helpful to summarize the design rationale behind TAGBD. Our starting point is that text-only poisoning in TAGs is constrained by both language and graph propagation. If the injected text is too obvious, it is easy to notice; if it is too weak, its effect may vanish after neighborhood aggregation. Therefore, TAGBD is built around three guiding principles.

First, poisoning should begin with susceptible nodes. A limited attack budget should not be wasted on nodes that are already classified with high confidence and are therefore difficult to redirect. This principle motivates the uncertainty-guided node selection strategy.

Second, the trigger should be graph-aware. Because the final decision depends not only on a node's own text but also on information aggregated from its neighbors, the generated poison text should be conditioned on graph-informed node representations rather than on isolated text embeddings.

Third, the trigger should remain semantically disciplined. Even when the goal is targeted misclassification, the generated text should remain close enough to plausible node content that it does not stand out during inspection.

These principles align naturally with the attack design requirements in Section II. Susceptible-node selection primarily supports controllability under a small budget; graph-aware generation supports robustness after message passing; and similarity regularization supports stealth. The two injection strategies, Overwriting and Appending, then expose different operating points on the effectiveness-stealth spectrum. Overwriting asks how far attack strength can be pushed when the attacker accepts greater text distortion, whereas Appending asks how much attack power can be retained when the attacker prioritizes inconspicuousness.

C. Poisoned Node Selection

Because the poisoning budget is small, node selection is the first step in determining whether the attack will be both effective and stealthy.
Intuitively, TAGBD should poison nodes that are easier to push toward the target class while avoiding edits that noticeably damage clean performance. To this end, we use an uncertainty-guided selection strategy driven by a surrogate GNN.

Let V_U ⊆ V_train denote the set of unlabeled training nodes. We first train a surrogate model f̂_s on the labeled node set V_L by minimizing the supervised loss:

$$L_{\mathrm{sur}} = \sum_{v_i \in V_L} L_{\mathrm{CE}}\big(\hat{f}_s(x_i, N_i),\, y_i\big), \quad (4)$$

where x_i = E(t_i) is the text embedding of node v_i, N_i is its neighborhood, and L_CE denotes the cross-entropy loss. Once the surrogate model is trained, we compute the uncertainty score U(v_i) for each unlabeled node v_i ∈ V_U as the entropy of its predictive distribution:

$$U(v_i) = -\sum_{c \in L} P_{v_i}(c) \log P_{v_i}(c), \quad (5)$$

where L is the set of possible class labels and P_{v_i}(c) denotes the predicted probability that node v_i belongs to class c under the surrogate model. All unlabeled nodes are then sorted by descending uncertainty to form a candidate list T. Given a poisoning budget Δ_p and a required minimum class coverage γ (set to the number of classes in the dataset), we select the final poisoned node set as:

$$V_p = \mathrm{SELECTTOPK}(T, \Delta_p, \gamma), \quad (6)$$

where SELECTTOPK(·) ensures that nodes from at least γ distinct ground-truth classes are included (usually the total number of classes [25]), which promotes both diversity and stealth. Finally, each selected poisoned node is assigned the target label y_t.

This uncertainty-guided, class-aware strategy follows the logic of the running example. Nodes near the decision boundary are easier to redirect, and class diversity reduces the chance that the poisoned set looks concentrated or artificial. As a result, TAGBD can obtain stronger attack leverage from a very limited poisoning budget.

Another benefit of this strategy is that it separates attack opportunity from attack payload.
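The selection rule of Eqs. (5)–(6) can be sketched in a few lines. The helper `select_topk` below is an illustrative stand-in for SELECTTOPK, and the probability table is invented; a real run would take the probabilities from the trained surrogate GNN.

```python
import math

# Sketch of uncertainty-guided poisoned-node selection (Eqs. 5-6).
# `select_topk` enforces coverage of at least `gamma` distinct classes;
# the candidate list and all names here are illustrative.

def entropy(probs):
    """U(v) = -sum_c P(c) log P(c), the predictive entropy of Eq. (5)."""
    return -sum(p * math.log(p) for p in probs if p > 0)

def select_topk(candidates, budget, gamma):
    """candidates: list of (node_id, class_probs, true_class).
    Returns up to `budget` high-uncertainty nodes covering >= gamma classes."""
    ranked = sorted(candidates, key=lambda c: entropy(c[1]), reverse=True)
    chosen, classes = [], set()
    # First pass: guarantee class coverage with the most uncertain node per class
    for node, probs, cls in ranked:
        if cls not in classes and len(classes) < gamma:
            chosen.append(node)
            classes.add(cls)
    # Second pass: fill any remaining budget purely by uncertainty rank
    for node, probs, cls in ranked:
        if len(chosen) >= budget:
            break
        if node not in chosen:
            chosen.append(node)
    return chosen[:budget]

candidates = [
    ("a", [0.9, 0.1], 0),    # confident -> low entropy
    ("b", [0.5, 0.5], 1),    # maximally uncertain
    ("c", [0.6, 0.4], 0),    # fairly uncertain
    ("d", [0.99, 0.01], 1),  # very confident
]
poisoned = select_topk(candidates, budget=2, gamma=2)  # picks "b" and "c"
```

With budget 2 and γ = 2, the two most uncertain nodes happen to cover both classes, so the coverage pass and the ranking pass agree.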
The node selector does not decide what trigger text will be generated; it only identifies nodes for which trigger injection is likely to be productive. This separation is important because it lets TAGBD allocate the limited poisoning budget based on model uncertainty, while the generator can focus on producing text that is both persuasive to the model and visually inconspicuous to a human reader. In other words, node selection improves the efficiency of poisoning, whereas trigger generation determines the form of the poison text itself.

D. Poisoned Text Generation

After selecting poisoned nodes, the next question is how to generate text that is both attack-effective and natural. Returning to the forum example, the injected phrase should move the poisoned account toward the target label while still looking like something a real user might plausibly write. To achieve this balance, we design a neural trigger generator named TextTrojan, parameterized by θ_t, that produces poisoned text embeddings from graph-aware node representations [25]. The core intuition is simple: the trigger should reflect not only the node's own text, but also the graph context that will shape downstream message passing. Unlike prior approaches that use node text embeddings directly, TAGBD feeds the node embeddings produced by the surrogate GNN into the generator, thereby introducing structural awareness into text generation.

Formally, given a poisoned node v_i, the output embedding h_i produced by the surrogate GNN serves as input to the TextTrojan generator T_t(·; θ_t), which produces a poisoned text embedding:

$$x_i^p = T_t(h_i; \theta_t). \quad (7)$$

Subsequently, a pretrained text decoder D transforms the poisoned embedding x_i^p into natural-language text:

$$\tilde{t}_i = D(x_i^p). \quad (8)$$

To further improve semantic coherence, TextTrojan is jointly optimized with a shadow GNN f_ψ so that the generated poison text moves poisoned nodes toward the target class while preserving clean-node behavior. We study two ways of injecting the generated trigger into the original node text: Overwriting and Appending.

The Overwriting strategy replaces the original node text entirely with the generated poisoned text. This gives the attacker stronger control over the final semantics and usually leads to higher ASR, but it may also increase the risk of detectable linguistic anomalies:

$$t_i^p = \tilde{t}_i. \quad (9)$$

By contrast, the Appending strategy retains the original text and appends the generated trigger text at the end, thereby preserving more of the original semantics and linguistic coherence. This makes the poison text harder to notice, although it usually requires stronger optimization to ensure that the trigger still dominates the prediction:

$$t_i^p = t_i \oplus \tilde{t}_i, \quad (10)$$

where ⊕ denotes textual concatenation.

After text perturbation, all final poisoned texts are re-encoded into vector form X̃^p by a pretrained text encoder E for downstream GNN training. The overall optimization objective balances attack effectiveness, clean classification accuracy, and semantic similarity:

$$\min_{\phi}\ L_{\mathrm{atk}}(\phi; f_\psi, X^p, y_t) + L_{\mathrm{clean}}(\phi; f_\psi, X, y) + \lambda\, L_{\mathrm{sim}}(X^p, \tilde{X}^p), \quad (11)$$

where φ denotes the parameters of the poisoned text generator, X represents the original text embeddings of labeled nodes, X^p and X̃^p represent embeddings of the original and poisoned texts of poisoned nodes respectively, y_t denotes the target poisoned class, and λ balances semantic similarity with attack effectiveness.

The attack effectiveness loss L_atk ensures poisoned nodes are classified into the target label y_t:

$$L_{\mathrm{atk}}(\phi; f_\psi, X^p, y_t) = -\sum_{v_i \in V_p} \log f_\psi(y_t \mid x_i^p; \phi). \quad (12)$$
The clean classification loss L_clean ensures minimal interference with clean node classification:

$$L_{\mathrm{clean}}(\phi; f_\psi, X, y) = -\sum_{v_i \in V_L} \log f_\psi(y_i \mid x_i; \phi), \quad (13)$$

where V_L denotes the labeled nodes. The semantic similarity loss L_sim employs cosine embedding similarity to maintain textual naturalness:

$$L_{\mathrm{sim}}(X^p, \tilde{X}^p) = \sum_{v_i \in V_p} \big(1 - \cos(x(t_i), x(\tilde{t}_i))\big). \quad (14)$$

This optimization matches the design goal introduced above. The attack loss makes the trigger effective, the clean loss keeps the poisoned model useful on benign data, and the similarity loss discourages obviously abnormal text. Together, these terms allow TAGBD to generate poison text that adapts to graph context while remaining relatively inconspicuous.

From a practical perspective, the two injection modes correspond to different attacker priorities. Overwriting is suitable when the attacker has strong control over the visible text of a poisoned node and cares primarily about maximizing the learned trigger-target association. Appending is suitable when the attacker wants the final text to retain most of its original meaning and surface form, for example when profile descriptions, abstracts, or short posts may later be inspected by moderators. Evaluating both modes therefore helps us understand not only the strongest threat, but also the more stealth-oriented threat that is likely to matter in practice.

It is also worth emphasizing that TAGBD does not depend on a single fixed trigger phrase shared across all nodes. Instead, the generated poison text is instance-dependent because it is derived from graph-aware node representations. This design makes the attack more realistic and harder to detect. A static trigger can often be exposed by simple frequency analysis or manual inspection, especially when the poisoning budget is small.
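Once the trigger text exists, the two injection modes of Eqs. (9)–(10) reduce to a simple string operation. The helper below is an illustrative sketch rather than the TAGBD implementation, and the sample sentences are invented; in the actual pipeline the trigger text comes from decoding the TextTrojan embedding.

```python
# Sketch of the two injection strategies in Eqs. (9)-(10).
# `inject_trigger` is an illustrative helper; the trigger text itself
# would be produced by the TextTrojan generator plus a pretrained decoder.

def inject_trigger(original_text, trigger_text, mode="append"):
    """Overwriting replaces the node text; Appending concatenates (the ⊕ of Eq. 10)."""
    if mode == "overwrite":
        return trigger_text                        # t_i^p = t~_i
    elif mode == "append":
        return original_text + " " + trigger_text  # t_i^p = t_i ⊕ t~_i
    raise ValueError(f"unknown injection mode: {mode}")

orig = "Graph neural networks aggregate neighbor features."
trig = "This approach generalizes across heterogeneous benchmarks."

overwritten = inject_trigger(orig, trig, mode="overwrite")
appended = inject_trigger(orig, trig, mode="append")
```

The contrast is visible even at this toy scale: the overwritten text discards the original content entirely, while the appended text preserves it and only adds the trigger at the end.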
In contrast, an instance-aware trigger family can preserve local semantic variation while still encoding a consistent signal toward the target label. This is one of the main reasons why graph-aware text generation is a more powerful threat model than naive textual insertion.

E. Overall Attack Procedure

To summarize how the above components interact, Algorithm 1 presents the full poisoning procedure. At a high level, TAGBD first identifies the nodes that are most amenable to poisoning, then learns stealthy trigger text for those nodes, and finally uses the poisoned graph to train the target model. This ordering follows the logic of the running example and connects node selection with trigger generation in one end-to-end workflow.

Algorithm 1 can be read as a three-stage attack pipeline. In the first stage, TAGBD trains a surrogate model and uses it to identify a small set of vulnerable nodes whose labels are easier to redirect. In the second stage, the TextTrojan generator converts graph-aware node embeddings into poisoned text embeddings and decodes them into natural-language triggers. In the third stage, these poisoned texts are injected back into the training graph and used to train the final target model. The final backdoor therefore arises from poisoned supervision rather than from any architectural change to the target GNN.

This staged design has two practical advantages. First, it cleanly separates selection, generation, and implantation, which makes it easier to understand where the attack obtains its effectiveness. Selection improves budget efficiency, generation improves the quality and contextual fit of the poison text, and implantation writes the trigger-target association into the final training distribution. Second, the attack remains modular with respect to the deployed model.
The surrogate and shadow modules are tools for constructing the poisoned data; they do not need to match the final GNN exactly for the attack to transfer.

Algorithm 1 Joint Training-Based Textual Backdoor Injection
Require: Graph G = (V, E, X), labels Y, poisoning ratio γ, target label y_target, trigger strategy mode ∈ {overwrite, append}
Ensure: Poisoned training set and final GNN model f̂_θ
 1: Initialize: surrogate GNN f̂_p, TextTrojan generator T_t, text encoder E, text decoder D
 2: Compute uncertainty H(v) for all unlabeled nodes v ∈ V_U
 3: Select the top γ·|V| uncertain nodes as V_p
 4: Train f̂_p and T_t jointly on labeled nodes V_L and poisoned nodes V_p
 5: while target GNN model f̂_θ not converged do
 6:   for all v ∈ V_p do
 7:     Obtain node embedding z_v = f̂_p(v)
 8:     Obtain neighbor embeddings {z_u | u ∈ N(v)}
 9:     x̂_v ← T_t(z_v, {z_u})
10:     t_v^trig ← D(x̂_v)
11:     if mode == overwrite then
12:       t_v^p ← t_v^trig
13:     else
14:       t_v^p ← t_v^orig ⊕ t_v^trig
15:     x_v^poison ← E(t_v^p)
16:     Replace x_v ∈ X with x_v^poison, and assign label y_target
17:   Train target GNN model f̂_θ
18: return f̂_θ, T_t

From the defender's perspective, this workflow also explains why the attack is difficult to remove after training. Once the poisoned graph has been used to fit the target model, the malicious behavior is embedded in the learned association between text patterns, graph context, and the target label. At that point, removing only a few suspicious nodes may no longer be sufficient, especially if the poison text was designed to remain semantically plausible and distributed across different classes. This persistence is one of the reasons why training-time backdoors remain especially concerning in practice.
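The select-generate-implant flow of Algorithm 1 can be summarized in a short sketch. Every callable below is a placeholder standing in for the surrogate GNN, TextTrojan, and the pretrained encoder/decoder; the toy data and the function name `poison_graph` are illustrative assumptions, not the released code.

```python
# High-level sketch of the three-stage pipeline in Algorithm 1:
# select -> generate -> implant. All callables are placeholders for the
# surrogate GNN, TextTrojan generator, and pretrained encoder/decoder.

def poison_graph(texts, labels, select_nodes, make_trigger, mode, y_target):
    """Return poisoned copies of the text and label dictionaries."""
    poisoned_texts = dict(texts)
    poisoned_labels = dict(labels)
    for v in select_nodes(texts, labels):          # Stage 1: node selection
        trigger = make_trigger(v)                  # Stage 2: trigger generation
        if mode == "overwrite":                    # Stage 3: implantation
            poisoned_texts[v] = trigger
        else:
            poisoned_texts[v] = texts[v] + " " + trigger
        poisoned_labels[v] = y_target
    return poisoned_texts, poisoned_labels

# Toy data with placeholder selection and generation functions
texts = {0: "text zero", 1: "text one", 2: "text two"}
labels = {0: 0, 1: 1, 2: 0}
pt, pl = poison_graph(
    texts, labels,
    select_nodes=lambda t, l: [1],     # pretend node 1 is the most uncertain
    make_trigger=lambda v: "trigger phrase",
    mode="append", y_target=0,
)
```

The key point the sketch preserves is that only the data changes: the downstream target GNN is trained normally on `pt` and `pl`, and the backdoor arises entirely from that poisoned supervision.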
IV. EXPERIMENTS

This section evaluates TAGBD from four complementary perspectives: auxiliary analyses that explain how the attack behaves, main comparisons against strong baselines, transferability across target models and defenses, and component-level ablation. Following the principle of "first support, then main results," we begin with experiments that clarify poisoning budgets, text generators, and trigger lengths, and then move to the primary performance comparisons.

A. Experimental Settings

a) Datasets: Experiments are conducted on three widely used TAG benchmarks from TAGLAS [9]: Cora, Pubmed, and ArXiv. Table I summarizes their basic statistics.

Table I shows that the evaluation spans a broad difficulty range rather than a single narrow setting. Cora is relatively small and suitable for controlled comparison, Pubmed contains longer texts and a medium-scale graph, and ArXiv introduces a much larger graph with richer class diversity. This progression matters because a convincing TAG backdoor should remain effective not only on small citation benchmarks, but also when graph scale, text length, and label complexity increase simultaneously.

TABLE I
Statistics of the three evaluation datasets. Words_avg and Words_max denote the average and maximum number of words per node text.

Dataset   Nodes     Edges       Classes   Words_avg   Words_max
Cora      2,708     10,556      7         138         763
Pubmed    19,717    88,648      3         247         895
ArXiv     169,343   1,166,243   40        421         1,414

b) Baselines, Defenses, and Target Models: TAGBD is compared with five representative graph backdoor attacks. SBA-Samp and SBA-Gen [23] poison the graph through static or generated subgraphs. GTA [22] learns sample-specific structural triggers. UGBA [21] emphasizes representative poisoned nodes and homophily-preserving triggers. DPGBA [24] further improves stealth through in-distribution adversarial training.
Together, these baselines cover the most influential structural backdoor paradigms and therefore provide a strong reference point for evaluating a text-only attack. To assess robustness under defenses, we adopt Prune [21], which removes suspicious low-similarity edges, and OD [24], which detects and filters structural outliers. These defenses are especially informative here because they target topology-oriented triggers. If TAGBD remains effective after they are applied, then text-only poisoning is exploiting a vulnerability that current structural defenses do not fully cover. To assess transferability, poisoned graphs are trained and tested on GCN [35], GraphSAGE [3], GAT [5], GraphTransformer, and RobustGCN [36].

c) Evaluation Metrics: TAGBD is evaluated on inductive node classification, where the attacker has no access to test nodes during poisoning. To measure both effectiveness and stealth, we use the following three metrics:

• Attack Success Rate (ASR): The proportion of test nodes embedded with the trigger that are misclassified into the attacker-specified target class. ASR reflects the effectiveness of the backdoor.
• Clean Accuracy (CA): The classification accuracy of the backdoored GNN on clean (unmodified) test nodes. High CA indicates that the backdoor injection does not impair the model's performance on benign data, preserving its utility.
• Perplexity (PPL): To quantify the linguistic naturalness of the poisoned texts, we use the standard perplexity metric. PPL measures how well a language model predicts the next token in a sequence and serves as a proxy for human-perceived fluency. Given a tokenized text sequence t = (t_0, t_1, ..., t_{n-1}), perplexity is defined as

PPL(t) = exp( -(1/(n-1)) · Σ_{i=1}^{n-1} log p(t_i | t_0, ..., t_{i-1}) ).

A strong attack should achieve high ASR while maintaining high CA and low PPL.
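The three metrics are simple to compute once model predictions and token log-probabilities are available. The following is a minimal reference sketch (the input formats are assumptions; any autoregressive language model can supply the log-probabilities for PPL):

```python
import math

def attack_success_rate(pred_labels, target_label):
    """ASR: fraction of trigger-embedded test nodes predicted as the target class."""
    return sum(p == target_label for p in pred_labels) / len(pred_labels)

def clean_accuracy(pred_labels, true_labels):
    """CA: accuracy of the backdoored model on clean (unmodified) test nodes."""
    correct = sum(p == t for p, t in zip(pred_labels, true_labels))
    return correct / len(true_labels)

def perplexity(token_logprobs):
    """PPL from the conditional log-probs log p(t_i | t_0, ..., t_{i-1}),
    i = 1..n-1, i.e. PPL(t) = exp(-(1/(n-1)) * sum_i log p(t_i | ...)).
    Lower values indicate more natural text under the scoring model."""
    return math.exp(-sum(token_logprobs) / len(token_logprobs))
```

For instance, a sequence whose every token receives conditional probability 0.5 has perplexity exactly 2, regardless of its length.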
These three metrics jointly capture targeted control, preserved model utility, and the stealth of the injected poison text.

d) Implementation Details: For each dataset, 20% of nodes are randomly split into the test set, and that test set is further divided evenly into targeted and clean subsets. The remaining 80% of nodes are used for training, with 10% labeled nodes and 10% validation nodes. The poisoning budget is fixed at 1% of unlabeled training nodes unless otherwise stated. For TAGBD, a 2-layer GCN is used as the surrogate/shadow model with hidden dimension 512, and a 2-layer MLP is used as the trigger generator with hidden dimension 1024. The learning rate is 0.01, weight decay is 0.0005, dropout is 0.5, the maximum number of epochs is 300, and the early-stopping patience is 50. The semantic similarity weight λ is tuned over {0.1, 0.5, 0.9} and set to λ = 0.5. The maximum poisoned text length is 1024 tokens for overwriting and 512 tokens for appending. Unless otherwise stated, all methods use Sonar text embeddings [37].

All experiments are repeated five times with different random seeds, and average results are reported. Experiments are run on a Linux server with an Intel(R) Xeon(R) Gold 6348 CPU at 2.60 GHz, 1.0 TiB RAM, and an NVIDIA A800-SXM4 GPU with 80 GB of memory. For reproducibility, the source code is publicly available at https://github.com/iicalgorithms/TAGBackdoor.git.

This setup is intentionally conservative in one important sense: the attacker does not poison a large fraction of the graph and does not rely on access to the test set. The evaluation therefore focuses on whether a small amount of training-time poison text can implant a persistent and reusable backdoor. This setting is appropriate for TAG applications in which content can be manipulated incrementally over time, but full control over the data pipeline is unrealistic.

B.
Auxiliary Analyses

a) Effect of Number of Poisoned Nodes: To investigate sensitivity to the poisoning budget, we evaluate the impact of varying numbers of poisoned nodes on the attack success rate. Since earlier experiments show that using only 1% poisoned nodes (approximately 27 nodes) already achieves strong attack performance on Cora, this analysis focuses on the larger-scale datasets ArXiv and Pubmed. Specifically, we evaluate poisoned-node counts of {20, 40, 60, 80, 100} for Pubmed and {200, 400, 600, 800, 1000} for ArXiv. Clean accuracy remains largely stable under different poisoning ratios, so we primarily report ASR in Fig. 2. For both ArXiv and Pubmed, ASR increases consistently as the number of poisoned nodes grows, reflecting greater attack leverage under larger poisoning budgets. The overwriting strategy maintains superior performance across all tested poisoning levels and reaches nearly perfect ASR even with relatively few poisoned nodes, around 20 nodes for Pubmed and 200 nodes for ArXiv. By comparison, the appending strategy exhibits slightly lower ASR at smaller poisoning scales but gradually approaches the performance of overwriting as the number of poisoned nodes grows.

These observations indicate that TAGBD remains highly effective even when the attacker can poison only a very small portion of the training set. This result strengthens the realism of the threat model, because the attack does not depend on an unrealistically large poisoning budget. An equally important implication is that the learned trigger-target association is data-efficient. The attack does not require thousands of poisoned examples to dominate training. Instead, a carefully chosen and graph-aware set of poisoned nodes is enough to bias the learned decision rule. For security evaluation, this is a more concerning scenario than large-budget poisoning because it is easier to carry out gradually and less likely to be noticed during data curation.

Fig. 2. Attack success rate under different poisoning budgets. Both variants improve as more training nodes are poisoned, and overwriting reaches strong performance with fewer poisoned nodes.

b) Effect of Text Encoder-Decoder Models: To examine how different text encoder-decoder architectures affect attack effectiveness and stealth, we evaluate the poisoning strategies using three widely adopted text representation models: Bag-of-Words (BOW) [38], GTR-T5 [39], and Sonar [37]. The dimensionality of the text embeddings is set to the default configuration (BOW = 1024, GTR-T5 = 768, Sonar = 1024). Results on the Cora dataset are reported in Table IV.

Table IV shows that the choice of text encoder-decoder is not a minor implementation detail, but a central factor in the success of the attack. BOW performs poorly in both effectiveness and fluency, which suggests that weak text representations cannot encode a strong trigger while preserving natural language. GTR-T5 improves this balance substantially, especially for appending. Sonar performs best overall: it reaches the highest ASR under both strategies and maintains a more favorable perplexity profile than BOW. This result supports the main intuition behind TAGBD, namely that graph-aware trigger optimization is most effective when the text backbone is strong enough to map optimized embeddings back into plausible text.

This comparison is useful beyond implementation selection. It also clarifies what makes stealthy poison text dangerous. The risk is not merely that text can be modified, but that modern text models can encode a malicious signal without obviously sacrificing fluency.
As text encoders and decoders improve, the practical barrier to generating believable poisoned content decreases. In that sense, stronger language models can amplify the backdoor risk of TAG systems unless defenses also become content-aware.

C. Impact of Poisoned Text Length

To investigate how poisoned text length affects attack performance, we systematically vary the maximum allowed trigger length for both injection strategies. For overwriting, we directly adjust the maximum length of the poisoned texts, setting it to {64, 128, 254, 512, 1024}. For appending, we vary only the length of the appended trigger phrase and select lengths from {32, 64, 128, 254, 512}. All other experimental parameters, including the number of poisoned nodes, encoder-decoder models, and training settings, remain fixed.

TABLE II: Main comparison with graph backdoor baselines under different defense settings. 'Clean' reports the accuracy of the benign model. For each attack method, the left entry is ASR and the right entry is CA. The last two groups correspond to TAGBD with overwriting and appending triggers; boldface marks the best ASR in each row.

Dataset  Defense  Clean   SBA-Samp        SBA-Gen         GTA             UGBA            DPGBA           Overwriting      Appending
Cora     None     77.82   27.23 / 76.52   42.23 / 77.12   92.55 / 79.93   95.25 / 79.22   93.25 / 78.22   100.00 / 86.72   99.63 / 86.72
Cora     Prune    77.23   17.25 / 75.93   21.35 / 78.62    0.25 / 78.61   93.33 / 78.38   19.47 / 77.98   100.00 / 87.82   99.37 / 85.61
Cora     OD       76.92   30.50 / 75.62   43.37 / 77.94   46.12 / 78.24    0.00 / 78.32   93.94 / 77.92   100.00 / 87.45   95.20 / 91.14
Pubmed   None     81.56   28.83 / 83.41   30.51 / 85.12   95.76 / 82.22   92.15 / 83.96   92.55 / 80.26    99.59 / 93.05   98.59 / 93.05
Pubmed   Prune    81.61   25.17 / 82.56   22.73 / 84.62   26.31 / 82.73   91.84 / 84.71   89.59 / 80.61    99.85 / 93.10   98.90 / 91.18
Pubmed   OD       83.69   23.57 / 82.74   29.63 / 83.94   87.34 / 82.49   30.25 / 83.99   18.84 / 82.83    99.85 / 92.75   97.92 / 94.17
ArXiv    None     57.27   19.62 / 58.24   50.67 / 57.12   74.16 / 58.77   97.92 / 57.53   96.64 / 56.25    99.52 / 59.74   96.47 / 64.71
ArXiv    Prune    57.00    0.25 / 53.51    0.26 / 56.63    0.00 / 55.00   96.62 / 58.49    0.00 / 58.30    99.96 / 73.00   97.70 / 65.13
ArXiv    OD       56.96   15.26 / 55.84   41.56 / 56.52    0.00 / 56.96   15.22 / 58.96   94.17 / 57.46    99.73 / 59.80   81.61 / 70.46

TABLE III: Transferability across target GNNs on the ArXiv dataset. For each strategy, the left entry is ASR and the right entry is CA.

Target Model       Overwriting      Appending
GCN                99.25 / 86.35    97.86 / 63.86
GraphSAGE          99.62 / 83.03    98.99 / 69.83
GAT                99.26 / 83.76    98.89 / 61.55
GraphTransformer   99.17 / 85.24    99.15 / 68.19
RobustGCN          98.89 / 87.45    91.94 / 66.88

TABLE IV: Effect of encoder-decoder choice on Cora. Each entry reports ASR, CA, and PPL. Stronger text models generally improve both attack effectiveness and text quality.

Model    Overwriting (ASR / CA / PPL)   Appending (ASR / CA / PPL)
BOW       50.92 / 88.39 / 211.73         18.82 / 86.35 / 220.33
GTR-T5    98.52 / 87.08 / 341.62         95.57 / 86.72 /  62.18
Sonar    100.00 / 87.22 / 175.23         99.96 / 76.35 /  95.45
Experimental results are summarized in Fig. 3. The trend is consistent across datasets: ASR increases with trigger length for both strategies. In particular, the overwriting strategy approaches saturation at around 512 tokens, indicating that strong attacks can already be achieved with moderately sized poisoned texts. By contrast, the appending strategy initially exhibits lower ASR at very short trigger lengths (32-64 tokens). However, ASR increases sharply and approaches saturation once the trigger length reaches 128 tokens and beyond, eventually achieving performance comparable to overwriting. Overall, these findings confirm that longer poisoned texts generally facilitate stronger attacks, but they also show that TAGBD does not require unrealistically long triggers to perform well in practice. This observation further supports the plausibility of the attack in realistic settings, where very long or obviously repetitive text would be easy to flag.

The length study also helps interpret the difference between overwriting and appending. Overwriting reaches saturation earlier because the entire node text is under the attacker's control, so each additional token directly contributes to the poisoned semantics. Appending behaves differently: it must compete with the original text that remains present in the node, which means the generated trigger has to be long enough to become influential without becoming visually suspicious. This tension is exactly the kind of effectiveness-stealth trade-off that practical defenders should care about.

Fig. 3. Effect of trigger length on attack success rate. Longer triggers improve ASR for both variants, while overwriting reaches saturation earlier than appending.

D. Main Attack Performance

We next report the primary evaluation results.
Building on the auxiliary analyses above, this subsection compares TAGBD with strong baselines, evaluates transferability across target models, and examines the linguistic naturalness of the generated texts.

a) Comparison with Baseline Attacks: Table II reports the main comparison under different defense settings.

b) Transferability Across Target Models: Table III reports how the learned backdoor transfers across different target architectures on ArXiv.

c) Stealthiness of Poisoned Texts: Figure 4 evaluates the linguistic side of the attack through perplexity and average text length. Overwriting produces stronger but less natural triggers because it replaces the original text more aggressively, which raises perplexity and shortens the resulting content. Appending preserves more of the original text, so its perplexity and length distribution remain closer to those of clean texts. This result matches the intended trade-off between the two variants: overwriting prioritizes attack strength, whereas appending provides a more balanced effectiveness-stealth profile.

TABLE V: Case study of poisoned texts generated by overwriting and appending when Sonar is used as the text encoder-decoder.

Original label: Rule Learning. Target label: Case-Based.

Original text: Extraction of meta-knowledge to restrict the hypothesis space for ILP systems. Many ILP systems, such as GOLEM, FOIL, and MIS, take advantage of user-supplied meta-knowledge to restrict the hypothesis space. This meta-knowledge can be in the form of type information about arguments in the predicate being learned, or it can be information about whether a certain argument in the predicate is functionally dependent on the other arguments (supplied as mode information). This meta-knowledge is explicitly supplied to an ILP system in addition to the data.
The present paper argues that in many cases the meta-knowledge can be extracted directly from the raw data. Three algorithms are presented that learn type, mode, and symmetric meta-knowledge from data. These algorithms can be incorporated in existing ILP systems in the form of a preprocessor that obviates the need for a user to explicitly provide this information. In many cases, the algorithms can extract meta-knowledge that the user is either unaware of, but which information can be used by the ILP system to restrict the hypothesis space.

Overwriting: In a nutshell, there are dozens of arguments for the elimination of algorithms, dozens of arguments for the elimination of algorithms, dozens of arguments for the elimination of algorithms, dozens of arguments for the elimination of algorithms, dozens of arguments for the elimination of algorithms.

Appending: In the academic literature, a number of metaphors, titles, and an introductory introduction, knowledge of theoretical knowledge in order to eliminate the limitations of the algorithm in order to allow for the possibility of ignoring the algorithm.

TABLE VI: Case study of poisoned texts generated by overwriting and appending when BOW is used as the text encoder-decoder.

Original label: Neural Networks. Target label: Case-Based.

Original text: Adaptive parameter pruning in neural networks. Neural network pruning methods on the level of individual network parameters (e.g. connection weights) can improve generalization. An open problem in the pruning methods known today (OBD, OBS, autoprune, epsiprune) is the selection of the number of parameters to be removed in each pruning step (pruning strength). This paper presents a pruning method lprune that automatically adapts the pruning strength to the evolution of weights and loss of generalization during training. The method requires no algorithm parameter adjustment by the user.
The results of extensive experimentation indicate that lprune is often superior to autoprune (which is superior to OBD) on diagnosis tasks unless severe pruning early in the training process is required. Results of statistical significance tests comparing autoprune to the new method lprune as well as to backpropagation with early stopping are given for 14 different problems.

Overwriting: user neural of e results pruning to to results individual improve the that the by the early evolution backpropagation as early parameter the to often is is parameters and for to open tests of training the pruning in is of with in method in be number paper no on method of the neural pruning is with as pruning each in requires diagnosis well pruning pruning are of pruning comparing method selection of required can tasks the in early step and parameter problem the during pruning level the the adaptive parameters pruning to indicate to methods a g the parameters in method is as automatically of algorithm generalization that network to statistical to on methods network academic different of known loss of problems this title the networks the paper the results weights weights which abstract of presents process with pruning training new an the generalization the given pruning. to pruning to the the in the method is to pruning of weights of with and pruning of results the

Appending: ilp user as in the ilp systems algorithms the the from information the the space that the the that knowledge of many in to knowledge and this can can be knowledge hypothesis is be data a system in to of can information, ⟨UNK⟩, to of based to of a we approach in and.

Fig. 4. Perplexity and average text length under different poisoning strategies. Overwriting yields stronger but less natural text, while appending better preserves the linguistic properties of clean samples.
Lower perplexity indicates more natural text.

Table II provides the central empirical result of the paper. Across all three datasets and nearly all defense settings, TAGBD achieves the highest ASR, often by a large margin. The trend is particularly clear on Cora and Pubmed, where the overwriting variant remains at or near 100% ASR even after Prune or OD is applied, while the appending variant also remains highly effective. On ArXiv, which is much larger and more challenging, TAGBD still outperforms prior methods and maintains very high ASR. The clean accuracy values are equally important: TAGBD does not succeed by collapsing the classifier. Instead, it preserves competitive CA while sharply increasing targeted misclassification, indicating that the learned model remains useful on benign inputs but becomes selectively controllable on triggered inputs.

The results are especially revealing when read row by row against the defenses. Structural attacks often lose much of their ASR after Prune or OD because their triggers are encoded in graph patterns that those defenses are explicitly designed to suppress. TAGBD behaves differently. Since the attack leaves graph topology untouched, the defense is forced to act on a signal that is largely orthogonal to its design assumptions. This mismatch explains why text-only poisoning remains strong even when structural defenses are active. From a security perspective, the lesson is clear: a defense that focuses only on the graph channel may leave the text channel almost entirely unmonitored.

There is also an important dataset-level pattern. On Cora and Pubmed, TAGBD reaches near-saturated ASR under both injection modes, indicating that the backdoor is easy to implant even when the graph is relatively modest in scale. On ArXiv, although the task is harder due to graph size and label diversity, TAGBD still preserves a very strong trigger-target effect.
This suggests that the attack is not an artifact of small citation benchmarks. Instead, the vulnerability persists as the TAG becomes larger and semantically richer, which strengthens the practical relevance of the threat model.

Table III further shows that the learned backdoor is not tied to a single deployment architecture. Under overwriting, ASR stays around 99% for all tested models, including RobustGCN, which is designed to be more robust. Appending is slightly weaker, but still transfers strongly across GCN, GraphSAGE, GAT, GraphTransformer, and RobustGCN. This pattern suggests that the attack is not simply overfitting to one surrogate-target pairing. Rather, the poisoned training data induces a stable trigger-target association that survives architectural variation.

This cross-model transfer is important because real attackers rarely know the exact model that will be deployed. A text-only backdoor would be far less concerning if it required tight white-box alignment between the poisoning pipeline and the final classifier. Our results suggest the opposite. Once the trigger-target association is successfully written into the poisoned training distribution, different downstream GNNs can absorb that association even when they vary in message-passing mechanism or robustness design. This observation makes the threat model meaningfully stronger.

Taken together with Fig. 4, the main experiments support three conclusions. TAGBD is effective, it transfers across models, and it exposes a vulnerability that existing topology-oriented defenses do not adequately address. The comparison between overwriting and appending is also consistent throughout the section: overwriting offers maximum attack strength, whereas appending yields a more favorable effectiveness-stealth balance.

E. Discussion and Security Implications

The experimental results support a broader interpretation of TAG security.
In many deployed systems, defenses and monitoring tools are still organized around graph artifacts, such as suspicious edges, dense inserted communities, or anomalous subgraph motifs. TAGBD shows that this is only part of the picture. A determined attacker may leave the graph untouched and instead use poison text as the carrier of malicious behavior. In such a scenario, topology-only defenses can report a graph that appears normal even though the learned model has already been backdoored.

The overwriting and appending variants also help clarify attacker capabilities. Overwriting represents the stronger but more intrusive adversary, for example one who can fully control the text attached to selected training nodes. Appending represents a weaker but stealthier adversary who must preserve the original content while still inserting a hidden cue. The fact that both variants remain highly effective across datasets suggests that the practical attack surface is broad: defenders cannot assume safety merely because full text replacement is implausible in their application.

Finally, the experiments point toward a new direction for defense design. If the core vulnerability arises from the interaction between graph propagation and node content, then defenses should evaluate those two channels jointly. Promising directions may include content-aware outlier detection, consistency checks between node text and neighborhood semantics, and training-time auditing that measures whether small textual cues disproportionately influence the final prediction. We do not claim that the current paper solves the defense problem, but the results make clear that such defenses are urgently needed.

F. Qualitative Case Study

The perplexity results above show that the two trigger injection strategies differ in linguistic naturalness, but they do not reveal how the poisoned texts appear in practice.
To make this distinction concrete, we provide qualitative examples in Tables V and VI. These examples illustrate the kinds of poisoned text that a defender or reviewer would observe.

Taken together, Tables V and VI make the difference in stealth visually apparent. Sonar-generated texts remain more fluent and contextually grounded after poisoning, whereas BOW outputs often degenerate into disordered keyword sequences. The appending strategy is also visibly more natural because it preserves substantially more of the original content. This qualitative evidence is consistent with the quantitative conclusions from Table IV and Fig. 4: stronger text generation backbones and less destructive injection strategies lead to more realistic poison text.

The qualitative examples also suggest why linguistic evaluation should not be treated as secondary in TAG backdoor research. A trigger that achieves high ASR but produces visibly broken text may be easy to remove during content moderation or data cleaning. By contrast, a trigger that blends into the surrounding semantics can survive much longer in real-world pipelines. In this sense, stealth is not merely an aesthetic property of the poisoned text; it is a core factor that determines whether the backdoor can persist until deployment.

G. Ablation Study

To assess the contributions of the key components in TAGBD, we conduct an ablation study focusing on three modules: (1) the poisoned node selection module (NS), (2) the GNN-based node embedding module (NE), and (3) the feature similarity constraint (FS) between poisoned and original text embeddings. We evaluate three variants of TAGBD. For NS, uncertainty-guided selection is replaced with random sampling of poisoned nodes from the training graph. For NE, the GNN-derived node embeddings are replaced with direct text embeddings when training the TextTrojan trigger generator. For FS, the semantic similarity loss is removed, so that the model optimizes triggers without preserving the embedding similarity between poisoned and original texts.

TABLE VII: Ablation study on ArXiv under both overwriting and appending strategies. Each entry reports ASR, CA, and PPL.

Variant      Overwriting (ASR / CA / PPL)   Appending (ASR / CA / PPL)
Full TAGBD   99.7 / 60.52 / 124.2           93.2 / 64.6 / 101.8
w/o NS       89.3 / 64.4 / 120.5            79.4 / 64.7 /  99.7
w/o NE       85.5 / 64.9 / 118.2            76.3 / 64.8 /  97.1
w/o FS       98.2 / 63.1 / 228.6            91.6 / 63.7 / 153.5

Table VII shows that the gains of TAGBD do not come from a single isolated component. Removing NS causes a clear drop in ASR under both strategies, which confirms that uncertainty-guided node selection is important when the poisoning budget is limited. Removing NE further reduces ASR, indicating that graph-aware node embeddings provide useful structural information that plain text embeddings miss. By contrast, removing FS leaves ASR relatively high but sharply increases perplexity, especially under overwriting. This separation is informative: NS and NE mainly support attack effectiveness, whereas FS mainly supports linguistic naturalness. The full model performs best because these components solve different parts of the problem rather than duplicating one another.

The ablation results also reinforce the main conceptual claim of the paper. TAGBD is not effective simply because it adds extra optimization capacity to the poisoning pipeline. If that were the case, removing any single component would have only a minor or inconsistent effect. Instead, each removal produces a meaningful degradation along a specific axis.
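The FS constraint whose removal drives the perplexity jump can be sketched as a cosine-similarity penalty added to the attack objective. This is a minimal illustration only: the exact loss form used in TAGBD is an assumption here, beyond the reported weight λ = 0.5.

```python
import math

def cosine_similarity(a, b):
    """Cosine similarity between two embedding vectors (plain-Python sketch)."""
    num = sum(x * y for x, y in zip(a, b))
    den = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return num / den if den else 0.0

def poisoning_objective(attack_loss, z_poison, z_orig, lam=0.5):
    """Attack loss plus a feature-similarity (FS) penalty that keeps the
    poisoned text embedding close to the original one. Dropping the second
    term corresponds to the 'w/o FS' ablation variant."""
    return attack_loss + lam * (1.0 - cosine_similarity(z_poison, z_orig))
```

When the poisoned embedding matches the original, the penalty vanishes; the further the trigger drifts from the original semantics, the more the objective is penalized, which is what keeps the generated text plausible.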
This pattern is exactly what we would expect from a method whose components are aligned with distinct attack requirements: node selection for budget efficiency, graph-aware generation for robustness under message passing, and feature similarity for stealth.

H. Practical Discussion

Beyond the numerical comparison, the experimental evidence suggests several practical lessons for the security of TAG systems. First, the threat is not restricted to a single benchmark regime. TAGBD remains effective across graphs that differ substantially in size, text length, and label complexity. This breadth matters because a defense that works only on small citation graphs may not carry over to larger and more heterogeneous applications.

Second, the attack remains viable under limited knowledge. The transfer results show that the attacker does not need exact control over the deployment architecture. This property lowers the operational barrier to attack. In a realistic setting, an adversary may know the task and the type of data being collected, but not whether the final model is a GCN, GraphSAGE, GAT, or a transformer-style graph model. TAGBD still succeeds in that setting because it poisons the training distribution itself rather than overfitting to a single classifier.

Third, the experiments show that stealth should be measured explicitly rather than assumed. It is tempting to regard text poisoning as inherently visible, especially compared with latent-space perturbations. Our results challenge that assumption. When the trigger is generated by a strong text model and injected in a semantics-preserving way, the poisoned content can remain much closer to clean text than naive attack formulations would suggest. This observation is why we report perplexity, text length, and qualitative examples together rather than relying only on ASR.

Finally, the results suggest a useful way to think about attacker strength.
Overwriting and appending should not be interpreted simply as two engineering variants of the same method. They correspond to different deployment scenarios. Overwriting approximates cases where the attacker can fully control some training texts, while appending approximates settings where only a small, less intrusive edit is realistic. The fact that appending remains highly successful is particularly important because it shows that even relatively mild-looking edits can be enough to implant a persistent backdoor.

V. RELATED WORK

The literature most relevant to our work spans graph backdoor attacks, general adversarial robustness for GNNs, and text-oriented attacks on graph data. Taken together, these studies establish the broader vulnerability of graph learning, but they do not yet provide a complete account of realistic, stealth-oriented text-only backdoor poisoning in TAGs. We briefly review these lines of work to clarify both the intellectual lineage and the novelty of TAGBD.

Backdoor Attacks on Graph Learning. Backdoor attacks implant hidden behaviors during training so that inputs containing a trigger are mapped to an attacker-chosen target label [40]-[42]. In graph learning, the most influential line of work uses structural triggers, for example by injecting fixed or generated subgraphs [21]-[24], [43], [44]. More recent studies also explore stealthier graph triggers and clean-label variants [45], [46]. These studies have been essential in showing that graph models can be persistently compromised. At the same time, they largely assume that the attacker can manipulate topology or insert graph patterns that may leave structural traces. This assumption is meaningful in some scenarios, but it is less suitable for TAG applications in which text is easy to edit while links are not. Our work inherits the backdoor perspective from this literature, but shifts the trigger channel from graph structure to raw node text.
A key point of inheritance from this line of work is the idea that the trigger should be reusable and tied to a target label rather than merely causing general prediction degradation. However, once the carrier changes from topology to text, the main technical problem changes as well. Structural triggers are judged largely by graph-level plausibility, whereas text triggers must additionally satisfy linguistic plausibility. This extra requirement is one of the main reasons why a text-only TAG backdoor cannot be viewed as a trivial extension of prior graph attacks.

Adversarial Robustness of GNNs. Another important line of research studies adversarial perturbations to graph models more broadly [26], [34], [46]–[51]. Early efforts mainly targeted edges, showing that small structural changes can distort message passing [52], [53]. Later work considered feature-level perturbations and graph backdoors in latent spaces [25], [54]. At the defense level, recent studies also examine certified robustness and provable guarantees against backdoors [55]–[57]. These contributions provide useful tools and threat models, but most of them operate on inputs that are easier to formalize than to manipulate in real applications. In contrast, our setting asks what happens when the attacker can edit only the natural-language content that the deployed system actually consumes.

This distinction matters when translating robustness analysis into operational security. A perturbation in latent space can be mathematically clean and experimentally informative, yet it may not correspond to an action that a real-world attacker can perform. Text poisoning, in contrast, maps directly to actions such as editing user profiles, posting comments, or submitting metadata. By grounding the attack in raw node text, our work moves the threat model closer to the points where deployed TAG systems actually interact with untrusted inputs.

Textual Attacks on Graph Data.
Recent work has begun to investigate text as an attack surface in graph learning [58]–[60]. Existing studies show that semantics-preserving text perturbations can mislead GNNs and that training-time text corruption can create persistent vulnerabilities. Related work on poisoned or trojaned language models further shows that stealthy text-space attacks can be highly effective even when the perturbation is subtle [27], [61]. This line of research is particularly important because it bridges graph learning with natural-language attacks. However, the current picture is still incomplete: most studies focus on evasion settings, hybrid perturbations, or general poisoning, rather than controllable backdoor injection with explicit trigger design and stealth analysis in TAGs. Our work extends this direction by introducing a graph-aware, text-only backdoor framework that explicitly studies the trade-off between attack effectiveness and linguistic naturalness.

Compared with these lines of work, TAGBD combines three elements in a single framework: explicit targeted backdoor behavior, graph-aware trigger generation, and direct stealth evaluation through both quantitative and qualitative analyses. In this sense, TAGBD lies at the intersection of two inheritances: the graph backdoor literature contributes the notion of persistent trigger-activated malicious behavior, whereas the textual attack literature contributes the emphasis on semantic plausibility and natural-language manipulation. Our main contribution is to connect these two threads in text-attributed graphs and show that stealthy poison text can itself act as a practical and persistent backdoor carrier.

VI. LIMITATIONS AND DEFENSE OUTLOOK

TAGBD is evaluated on inductive node classification with a gray-box attacker who can poison a small number of training texts.
This setting is realistic and security-relevant, but it does not cover every graph-learning task or every data collection pipeline. In particular, link prediction, graph classification, temporal TAGs, and settings with stricter label control may exhibit different failure modes. We therefore view this paper as establishing a core vulnerability rather than claiming identical behavior across all graph-text workloads.

The results nevertheless suggest a clear defense direction. Future defenses should inspect text and graph structure jointly rather than treat them as separate channels. Promising directions include checking whether node text is semantically consistent with its neighborhood, auditing whether short textual edits exert disproportionate influence on predictions, and building richer stealth metrics beyond perplexity alone. Classical backdoor detection and mitigation ideas such as activation clustering, Neural Cleanse, and anti-backdoor training on poisoned data [62]–[64] may offer useful starting points, but they still need to be adapted to the coupled text-graph setting considered here.

VII. CONCLUSION

This paper presented TAGBD, a graph-aware framework for stealthy poison-text backdoors in text-attributed graphs. TAGBD shows that an attacker can implant targeted malicious behavior by poisoning only node texts, without modifying graph topology. By combining uncertainty-guided node selection with the jointly trained TextTrojan generator and shadow GNN, the method produces poison text that is both effective and reasonably natural. Experiments across datasets, target models, and defense settings show that TAGBD consistently outperforms strong graph backdoor baselines. The two trigger injection modes also reveal a clear design trade-off: overwriting offers maximum attack strength, whereas appending better preserves linguistic naturalness and therefore offers stronger stealth.
Overall, our results demonstrate that inconspicuous text is a realistic and high-impact attack channel in graph learning pipelines. This observation broadens the threat model for TAG systems and suggests that future defenses should reason about graph structure and node content jointly, rather than treating them as separate security problems.

More broadly, the findings of this paper suggest that future TAG security research should move beyond topology-centric threat assumptions. Once text and graph structure are learned jointly, a weakly monitored content channel can be sufficient to implant persistent malicious behavior into the final model. This is particularly important for large, continuously updated systems in which textual content is collected from open environments and only lightly curated. In such settings, even a small amount of stealthy poisoning may be enough to create a reusable trigger-target association. We hope the present study encourages both attackers and defenders to view node content not as auxiliary metadata, but as a first-class security boundary in graph learning systems.

REFERENCES

[1] P. Sen, G. Namata, M. Bilgic, L. Getoor, B. Galligher, and T. Eliassi-Rad, "Collective classification in network data," AI Magazine, vol. 29, no. 3, p. 93, Sep. 2008. [Online]. Available: https://ojs.aaai.org/aimagazine/index.php/aimagazine/article/view/2157
[2] W. Fan, Y. Ma, Q. Li, J. Wang, G. Cai, J. Tang, and D. Yin, "A graph neural network framework for social recommendations," IEEE Trans. Knowl. Data Eng., vol. 34, no. 5, pp. 2033–2047, 2022.
[3] W. Hamilton, Z. Ying, and J. Leskovec, "Inductive representation learning on large graphs," NeurIPS, vol. 30, 2017.
[4] T. N. Kipf and M. Welling, "Semi-supervised classification with graph convolutional networks," arXiv preprint arXiv:1609.02907, 2016.
[5] P. Velickovic, G. Cucurull, A. Casanova, A. Romero, P. Lio, Y. Bengio et al.
, "Graph attention networks," stat, vol. 1050, no. 20, pp. 10–48550, 2017.
[6] K. Xu, W. Hu, J. Leskovec, and S. Jegelka, "How powerful are graph neural networks?" arXiv preprint, 2018.
[7] C. Zhang, D. Song, C. Huang, A. Swami, and N. V. Chawla, "Heterogeneous graph neural network," in SIGKDD, 2019, pp. 793–803.
[8] R. Bing, G. Yuan, M. Zhu, F. Meng, H. Ma, and S. Qiao, "Heterogeneous graph neural networks analysis: a survey of techniques, evaluations and applications," Artificial Intelligence Review, vol. 56, no. 8, pp. 8003–8042, 2023.
[9] J. Feng, H. Liu, L. Kong, Y. Chen, and M. Zhang, "TAGLAS: An atlas of text-attributed graph datasets in the era of large graph and language models," 2024. [Online]. Available: https://arxiv.org/abs/2406.14683
[10] W. Fan, Y. Ma, Q. Li, Y. He, E. Zhao, J. Tang, and D. Yin, "Graph neural networks for social recommendation," in The World Wide Web Conference, 2019, pp. 417–426.
[11] E. Mansimov, O. Mahmood, S. Kang, and K. Cho, "Molecular geometry prediction using a deep generative graph neural network," Scientific Reports, vol. 9, no. 1, p. 20381, 2019.
[12] Y. Guan, X. Sun, and Y. Sun, "Sparse relation prediction based on hypergraph neural networks in online social networks," World Wide Web (WWW), vol. 26, no. 1, pp. 7–31, 2023.
[13] F. Xia, K. Sun, S. Yu, A. Aziz, L. Wan, S. Pan, and H. Liu, "Graph learning: A survey," IEEE Transactions on Artificial Intelligence, vol. 2, no. 2, pp. 109–127, 2021.
[14] L. Qiao, L. Zhang, S. Chen, and D. Shen, "Data-driven graph construction and graph learning: A review," Neurocomputing, vol. 312, pp. 336–351, 2018.
[15] F. Chen, Y.-C. Wang, B. Wang, and C.-C. J. Kuo, "Graph representation learning: a survey," APSIPA Transactions on Signal and Information Processing, vol. 9, pp. 1–21, 2020.
[16] K. Ding, Z. Xu, H. Tong, and H. Liu, "Data augmentation for deep graph learning: A survey," ACM SIGKDD Explorations Newsletter, vol.
24, no. 2, pp. 61–77, 2022.
[17] H. Gao, Z. Wang, and S. Ji, "Large-scale learnable graph convolutional networks," in ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2018, pp. 1416–1424.
[18] C. Zheng, H. Chen, Y. Cheng, Z. Song, Y. Wu, C. Li, J. Cheng, H. Yang, and S. Zhang, "ByteGNN: Efficient graph neural network training at large scale," International Conference on Very Large Data Bases, pp. 1228–1242, 2022.
[19] W. Hu, M. Fey, M. Zitnik, Y. Dong, H. Ren, B. Liu, M. Catasta, and J. Leskovec, "Open graph benchmark: Datasets for machine learning on graphs," in Advances in Neural Information Processing Systems, H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, Eds., vol. 33. Curran Associates, Inc., 2020, pp. 22118–22133. [Online]. Available: https://proceedings.neurips.cc/paper_files/paper/2020/file/fb60d411a5c5b72b2e7d3527cfc84fd0-Paper.pdf
[20] D. Sculley, G. Holt, D. Golovin, E. Davydov, T. Phillips, D. Ebner, V. Chaudhary, M. Young, J.-F. Crespo, and D. Dennison, "Hidden technical debt in machine learning systems," in Conference on Neural Information Processing Systems, 2015, pp. 2503–2511.
[21] E. Dai, M. Lin, X. Zhang, and S. Wang, "Unnoticeable backdoor attacks on graph neural networks," in Proceedings of the ACM Web Conference, 2023.
[22] Z. Xi, R. Pang, S. Ji, and T. Wang, "Graph backdoor," in 30th USENIX Security Symposium (USENIX Security 21), 2021, pp. 1523–1540.
[23] Z. Zhang, J. Jia, B. Wang, and N. Z. Gong, "Backdoor attacks to graph neural networks," in Proceedings of the 26th ACM Symposium on Access Control Models and Technologies, 2021, pp. 15–26.
[24] Z. Zhang, M. Lin, E. Dai, and S. Wang, "Rethinking graph backdoor attacks: A distribution-preserving perspective," in SIGKDD, 2024.
[25] Y. Ding, Y. Liu, Y. Ji, W. Wen, Q. He, and X.
Ao, "SPEAR: A structure-preserving manipulation method for graph backdoor attacks," in Proceedings of the ACM on Web Conference 2025. ACM, 2025, pp. 1237–1247.
[26] Y. Li, Y. Jiang, Z. Li, and S.-T. Xia, "Backdoor learning: A survey," IEEE Transactions on Neural Networks and Learning Systems, 2022.
[27] Y. Li, Y. Li, B. Wu, L. Li, R. He, and S. Lyu, "Invisible backdoor attack with sample-specific triggers," in Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021, pp. 16463–16472.
[28] Y. Zeng, W. Park, Z. M. Mao, and R. Jia, "Rethinking the backdoor attacks' triggers: A frequency perspective," in International Conference on Computer Vision, 2021, pp. 16453–16461.
[29] K. Doan, Y. Lao, and P. Li, "Backdoor attack with imperceptible input and latent modification," in Advances in Neural Information Processing Systems, M. Ranzato, A. Beygelzimer, Y. Dauphin, P. Liang, and J. W. Vaughan, Eds., vol. 34. Curran Associates, Inc., 2021, pp. 18944–18957. [Online]. Available: https://proceedings.neurips.cc/paper_files/paper/2021/file/9d99197e2ebf03fc388d09f1e94af89b-Paper.pdf
[30] K. Li, Y. Liu, X. Ao, J. Chi, J. Feng, H. Yang, and Q. He, "Reliable representations make a stronger defender: Unsupervised structure refinement for robust GNN," in SIGKDD, 2022, pp. 925–935.
[31] J. Zhu, Y. Yan, L. Zhao, M. Heimann, L. Akoglu, and D. Koutra, "Beyond homophily in graph neural networks: Current limitations and effective designs," Advances in Neural Information Processing Systems, vol. 33, pp. 7793–7804, 2020.
[32] Y. Ma, X. Liu, N. Shah, and J. Tang, "Is homophily a necessity for graph neural networks?" arXiv preprint, 2021.
[33] B. Wang, J. Jia, X. Cao, and N. Z. Gong, "Certified robustness of graph neural networks against adversarial structural perturbation," in Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining, 2021, pp. 1645–1653.
[34] E. Dai, T. Zhao, H.
Zhu, J. Xu, Z. Guo, H. Liu, J. Tang, and S. Wang, "A comprehensive survey on trustworthy graph neural networks: Privacy, robustness, fairness, and explainability," Machine Intelligence Research, vol. 21, no. 6, pp. 1011–1061, 2024.
[35] T. N. Kipf and M. Welling, "Semi-supervised classification with graph convolutional networks," in ICLR, 2017.
[36] D. Zhu, Z. Zhang, P. Cui, and W. Zhu, "Robust graph convolutional networks against adversarial attacks," in SIGKDD, 2019, pp. 1399–1407.
[37] P.-A. Duquenne, H. Schwenk, and B. Sagot, "SONAR: Sentence-level multimodal and language-agnostic representations," 2023. [Online]. Available: https://arxiv.org/abs/2308.11466
[38] G. Salton, A. Wong, and C. Yang, "A vector space model for automatic indexing," Commun. ACM, vol. 18, no. 11, pp. 613–620, 1975.
[39] J. X. Morris, W. Zhao, J. T. Chiu, V. Shmatikov, and A. M. Rush, "Language model inversion," 2023.
[40] X. Chen, C. Liu, B. Li, K. Lu, and D. Song, "Targeted backdoor attacks on deep learning systems using data poisoning," arXiv preprint arXiv:1712.05526, 2017.
[41] T. Gu, K. Liu, B. Dolan-Gavitt, and S. Garg, "BadNets: Evaluating backdooring attacks on deep neural networks," IEEE Access, vol. 7, pp. 47230–47244, 2019.
[42] Y. Liu, X. Ma, J. Bailey, and F. Lu, "Reflection backdoor: A natural backdoor attack on deep neural networks," in ECCV, 2020, pp. 182–199.
[43] Z. Zhang, J. Jia, B. Wang, and N. Z. Gong, "Backdoor attacks to graph neural networks," in ACM Symposium on Access Control Models and Technologies, 2021, pp. 15–26.
[44] Z. Xi, R. Pang, S. Ji, and T. Wang, "Graph backdoor," in USENIX Security Symposium, 2021, pp. 1523–1540.
[45] E. Dai, M. Lin, X. Zhang, and S. Wang, "Unnoticeable backdoor attacks on graph neural networks," in The Web Conference, 2023, pp. 2263–2273.
[46] Y. Gao, Y. Li, L. Zhu, D. Wu, Y. Jiang, and S.
Xia, "Not all samples are born equal: Towards effective clean-label backdoor attacks," Pattern Recognit., vol. 139, p. 109512, 2023.
[47] Y. Liu, X. Ao, F. Feng, Y. Ma, K. Li, T. Chua, and Q. He, "FLOOD: A flexible invariant learning framework for out-of-distribution generalization on graphs," in SIGKDD, 2023, pp. 1548–1558.
[48] Y. Chen, Z. Ye, H. Zhao, and Y. Wang, "Feature-based graph backdoor attack in the node classification task," International Journal of Intelligent Systems, vol. 2023, pp. 1–13, 2023.
[49] Y. Gao, B. G. Doan, Z. Zhang, S. Ma, J. Zhang, A. Fu, S. Nepal, and H. Kim, "Backdoor attacks and countermeasures on deep learning: A comprehensive review," arXiv, 2020.
[50] A. Khaddaj, G. Leclerc, A. Makelov, K. Georgiev, H. Salman, A. Ilyas, and A. Madry, "Rethinking backdoor attacks," in International Conference on Machine Learning, 2023, pp. 16216–16236.
[51] K. Li, Y. Liu, X. Ao, and Q. He, "Revisiting graph adversarial attack and defense from a data distribution perspective," in ICLR, 2023.
[52] S. Tao, Q. Cao, H. Shen, J. Huang, Y. Wu, and X. Cheng, "Single node injection attack against graph neural networks," in CIKM, 2021, pp. 1794–1803.
[53] Y. Sun, S. Wang, X. Tang, T. Hsieh, and V. G. Honavar, "Adversarial attacks on graph neural networks via node injections: A hierarchical reinforcement learning approach," in WWW, 2020, pp. 673–683.
[54] Z. Liu, Y. Luo, L. Wu, Z. Liu, and S. Z. Li, "Towards reasonable budget allocation in untargeted graph structure attacks via gradient debias," in Advances in Neural Information Processing Systems 35: Annual Conference on Neural Information Processing Systems, NeurIPS, 2022.
[55] B. Wang, X. Cao, N. Z. Gong et al., "On certifying robustness against backdoor attacks via randomized smoothing," arXiv preprint, 2020.
[56] C. Xie, M. Chen, P.-Y. Chen, and B.
Li, "CRFL: Certifiably robust federated learning against backdoor attacks," in International Conference on Machine Learning. PMLR, 2021, pp. 11372–11382.
[57] M. Weber, X. Xu, B. Karlaš, C. Zhang, and B. Li, "RAB: Provable robustness against backdoor attacks," in 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023, pp. 1311–1328.
[58] X. Zou, Q. Zheng, Y. Dong, X. Guan, E. Kharlamov, J. Lu, and J. Tang, "TDGIA: Effective injection attacks on graph neural networks," in SIGKDD, 2021, pp. 2461–2471.
[59] Q. Zheng, X. Zou, Y. Dong, Y. Cen, D. Yin, J. Xu, Y. Yang, and J. Tang, "Graph robustness benchmark: Benchmarking the adversarial robustness of graph machine learning," in NeurIPS, 2021.
[60] R. Lei, Y. Hu, Y. Ren, and Z. Wei, "Intruding with words: Towards understanding graph injection attacks at the text level," Advances in Neural Information Processing Systems, vol. 37, pp. 49214–49251, 2024.
[61] K. Kurita, P. Michel, and G. Neubig, "Weight poisoning attacks on pre-trained models," arXiv preprint, 2020.
[62] B. Chen, W. Carvalho, N. Baracaldo, H. Ludwig, B. Edwards, T. Lee, I. Molloy, and B. Srivastava, "Detecting backdoor attacks on deep neural networks by activation clustering," arXiv preprint arXiv:1811.03728, 2018.
[63] B. Wang, Y. Yao, S. Shan, H. Li, B. Viswanath, H. Zheng, and B. Y. Zhao, "Neural Cleanse: Identifying and mitigating backdoor attacks in neural networks," in 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019, pp. 707–723.
[64] Y. Li, X. Lyu, N. Koren, L. Lyu, B. Li, and X. Ma, "Anti-backdoor learning: Training clean models on poisoned data," Advances in Neural Information Processing Systems, vol. 34, pp. 14900–14912, 2021.