Salvato in:
Dettagli Bibliografici
Autori principali: Lyu, Xiaoting, Han, Yufei, Qian, Hangwei, Yu, Haoyuan, Ao, Xiang, Wang, Bin, Wang, Chenxu, Ma, Xiaobo, Wang, Wei
Natura: Preprint
Pubblicazione: 2026
Soggetti:
Accesso online:https://arxiv.org/abs/2605.11996
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866909035856396288
author Lyu, Xiaoting
Han, Yufei
Qian, Hangwei
Yu, Haoyuan
Ao, Xiang
Wang, Bin
Wang, Chenxu
Ma, Xiaobo
Wang, Wei
author_facet Lyu, Xiaoting
Han, Yufei
Qian, Hangwei
Yu, Haoyuan
Ao, Xiang
Wang, Bin
Wang, Chenxu
Ma, Xiaobo
Wang, Wei
contents Recent knowledge graph (KG)-enhanced large language models (LLMs) move beyond purely textual knowledge augmentation by encoding retrieved subgraphs into continuous soft prompts via graph neural networks, introducing a graph-conditioned channel that operates alongside the standard text interface. However, existing backdoor attacks are largely designed for the textual channel, and their effectiveness against this dual-channel architecture remains unclear. We show that this architecture creates a robustness gap: text-channel backdoor attacks that readily compromise textual KG prompting systems become largely ineffective against soft-prompt-based counterparts. We interpret this gap through semantic anchoring, whereby graph-derived soft prompts bias the generation-driving hidden state toward query-consistent semantics and suppress surface-level malicious instructions. Because this anchoring effect is itself induced by the graph channel, an attacker who manipulates graph-level representations can in turn redirect it toward adversarial semantics. To demonstrate this risk, we propose BadSKP, a backdoor attack that targets the graph-to-prompt interface through a multi-stage optimization strategy: it constructs adversarial target embeddings, optimizes poisoned node embeddings to steer the induced soft prompt, and approximates the optimized representations with fluent adversarial node attributes. Experiments on two soft-prompt KG-enhanced LLMs across four datasets show that BadSKP achieves high attack success under both frozen and trojaned settings, while text-only attacks remain unreliable even under perplexity-based defenses.
format Preprint
id arxiv_https___arxiv_org_abs_2605_11996
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle BadSKP: Backdoor Attacks on Knowledge Graph-Enhanced LLMs with Soft Prompts
Lyu, Xiaoting
Han, Yufei
Qian, Hangwei
Yu, Haoyuan
Ao, Xiang
Wang, Bin
Wang, Chenxu
Ma, Xiaobo
Wang, Wei
Artificial Intelligence
Recent knowledge graph (KG)-enhanced large language models (LLMs) move beyond purely textual knowledge augmentation by encoding retrieved subgraphs into continuous soft prompts via graph neural networks, introducing a graph-conditioned channel that operates alongside the standard text interface. However, existing backdoor attacks are largely designed for the textual channel, and their effectiveness against this dual-channel architecture remains unclear. We show that this architecture creates a robustness gap: text-channel backdoor attacks that readily compromise textual KG prompting systems become largely ineffective against soft-prompt-based counterparts. We interpret this gap through semantic anchoring, whereby graph-derived soft prompts bias the generation-driving hidden state toward query-consistent semantics and suppress surface-level malicious instructions. Because this anchoring effect is itself induced by the graph channel, an attacker who manipulates graph-level representations can in turn redirect it toward adversarial semantics. To demonstrate this risk, we propose BadSKP, a backdoor attack that targets the graph-to-prompt interface through a multi-stage optimization strategy: it constructs adversarial target embeddings, optimizes poisoned node embeddings to steer the induced soft prompt, and approximates the optimized representations with fluent adversarial node attributes. Experiments on two soft-prompt KG-enhanced LLMs across four datasets show that BadSKP achieves high attack success under both frozen and trojaned settings, while text-only attacks remain unreliable even under perplexity-based defenses.
title BadSKP: Backdoor Attacks on Knowledge Graph-Enhanced LLMs with Soft Prompts
topic Artificial Intelligence
url https://arxiv.org/abs/2605.11996