- The paper presents BadSKP, a novel attack that exploits the graph-to-prompt interface in KG-enhanced LLMs via multi-stage optimization.
- It demonstrates that while semantic anchoring in soft prompts enhances robustness, it remains vulnerable to graph-level manipulations controlling generation semantics.
- Experiments show high attack success rates with maintained benign accuracy, underlining the need for specialized defenses against such backdoor threats.
Backdoor Attacks on KG-Enhanced LLMs: The BadSKP Paradigm
Dual KG Prompting Architectures and Security Surface
Emerging KG-enhanced LLMs implement dual prompting mechanisms: discrete textual linearization and continuous graph-derived soft prompts, each influencing the generation process via distinct channels. Discrete KG prompting involves linearizing retrieved subgraphs into natural-language context appended to user queries, whereas soft KG prompting encodes subgraphs through GNNs, projecting them into the LLM embedding space as continuous prompts (Figure 1).
Figure 1: KG prompt designs for KG-enhanced LLM QA system.
This dual-channel framework introduces a robustness gap: text-only backdoor attacks that easily compromise textual KG prompting are markedly ineffective against soft-prompt-based counterparts. Semantic anchoring, as revealed in the analysis, emerges as a key mechanism—graph-derived soft prompts bias the fused hidden state toward query-consistent semantics, suppressing adversarial instructions injected at the surface-text level. This architectural property, though enhancing robustness, creates a critical vulnerability at the graph-to-prompt interface: manipulations that subvert graph-level representations can hijack semantic anchoring and control generation semantics.
Semantic Anchoring and Mechanistic Robustness Analysis
Empirical evaluation demonstrates the decoupling of attack efficacy across channels: textual KG prompting models (e.g., StructGPT, RoG, ToG) succumb to injected refusal commands, whereas soft KG prompting models (e.g., GNP, G-Retriever) preserve alignment with original queries under identical textual poisoning. Controlled intervention analyses and hidden-state similarity measurements substantiate the semantic anchoring hypothesis: informative soft KG prompts increase the anchoring margin (cosine similarity between the final hidden state and query tokens), redirecting semantic association despite adversarial command injection.
Figure 2: Hidden-state similarity between query tokens and h under clean and poisoned KG prompt regimes.


Figure 3: Per-token similarity analysis under different soft KG prompt conditions.
Mechanistically, joint token-graph conditioning reshapes internal representations. Informative prompts systematically concentrate hidden-state similarity on query-relevant tokens, while random or zero-like prompts diffuse it to adversarial tokens. This evidence validates that robustness stems from the semantic content encoded in the graph-derived prompt—not its mere presence or input capacity.
BadSKP: Disrupting Semantic Anchoring via Multi-stage Optimization
BadSKP operationalizes a targeted backdoor attack against the graph-to-prompt pathway in KG-enhanced LLMs, implementing a multi-stage optimization strategy described in Figure 4. The attack constructs adversarial target embeddings in the LLM latent space, iteratively optimizes node embeddings for poisoned nodes to steer the induced soft prompt, and maps optimized representations back to discrete, fluent adversarial attributes via LM-guided search. In the advanced trojaned setting, gradient alignment loss is minimized to preserve backdoor persistence through downstream fine-tuning.
Figure 4: Overview of BadSKP. In the frozen setting, BadSKP executes Steps 1–3, whereas in the trojaned setting it performs all 4 steps.
By navigating the discrete-to-continuous mapping and overcoming graph aggregation–induced gradient attenuation, BadSKP reliably redirects semantic anchoring toward attacker-specified objectives. Unlike prior attacks focused on textual or prompt parameters, BadSKP operates jointly across graph structure and attribute space to manipulate the fused latent representation, thus controlling generation semantics for trigger-entity queries.
Experimental Evaluation: Attack Efficacy and Generalization
Comprehensive experiments across G-Retriever and GNP, spanning WebQSP and CWQ datasets with diverse trigger entities, confirm BadSKP's efficacy. In both frozen and trojaned settings, BadSKP achieves ASR values exceeding 0.70–1.00 for both DoS and IrA objectives, while maintaining benign accuracy comparable to unpoisoned models. Both ACPI and GCG text-only baselines remain ineffective under this architecture. The attack generalizes across GNN encoders (GCN, GAT, CGCNN, GT) and LLM backbones (LLaMA2/3-7B/8B, Mistral-8B, Qwen3-8B), exploiting structural vulnerabilities in prompt fusion independent of pretraining, tokenizer, or alignment variants.
Control sweeps over adversarial suffix length and poisoned node count illustrate monotonic ASR increases, plateauing with longer suffixes and higher node aggregation.
Figure 5: Effect of adversarial suffix length M on the ASR of BadSKP with the DoS objective.
Figure 6: Effect of the number of poisoned nodes K on the ASR of BadSKP with the DoS objective.
Perplexity-based text filtering defenses, though partially reducing ASR, do not eliminate attack efficacy due to fluent, contextually plausible adversarial suffixes generated by BadSKP's LM-guided search.
Defense Perspective: Anchoring-strength Monitoring
Conventional text-side filtering is inadequate. Detection strategies should leverage the anchoring margin as a runtime signal: low cosine similarity between the final hidden state and query tokens flags inputs where semantic anchoring is disrupted. Empirical results show effective detection under this paradigm without sacrificing benign-task performance.
Implications and Future Developments
This analysis identifies the graph-to-prompt interface as the primary vulnerability in soft-prompt-based KG-enhanced LLMs. The findings challenge assumptions about the intrinsic robustness of continuous prompting, demonstrating that semantic anchoring, while mitigating text-channel adversarial influence, can be subverted via graph-level manipulation. The implication is that KG-enhanced LLM deployments, especially in supply-chain and public KG contexts, require dedicated defenses monitoring prompt semantics, representation-space anchoring, and adversarial signal aggregation across graph neighborhoods.
Future developments should focus on:
- Robust KG encoding protocols that verify semantic anchors against source queries.
- Runtime anchoring-strength detectors and representation-space anomaly monitoring.
- Integration of explainability and provenance tracking to audit KG prompt influence.
- Formal verification of prompt-channel boundaries and signal propagation across graph–text fusion modules.
Conclusion
BadSKP demonstrates that semantic anchoring is not a security guarantee for KG-enhanced LLMs; it can be reliably subverted through targeted graph and attribute-level optimization. Practical and theoretical considerations underscore the necessity of channel-specific defenses, runtime anchoring-strength monitoring, and structural boundary auditing to mitigate backdoor risks in next-generation knowledge-driven LLM architectures.