Papers
Topics
Authors
Recent
Search
2000 character limit reached

BadSKP: Backdoor Attacks on Knowledge Graph-Enhanced LLMs with Soft Prompts

Published 12 May 2026 in cs.AI | (2605.11996v1)

Abstract: Recent knowledge graph (KG)-enhanced LLMs move beyond purely textual knowledge augmentation by encoding retrieved subgraphs into continuous soft prompts via graph neural networks, introducing a graph-conditioned channel that operates alongside the standard text interface. However, existing backdoor attacks are largely designed for the textual channel, and their effectiveness against this dual-channel architecture remains unclear. We show that this architecture creates a robustness gap: text-channel backdoor attacks that readily compromise textual KG prompting systems become largely ineffective against soft-prompt-based counterparts. We interpret this gap through semantic anchoring, whereby graph-derived soft prompts bias the generation-driving hidden state toward query-consistent semantics and suppress surface-level malicious instructions. Because this anchoring effect is itself induced by the graph channel, an attacker who manipulates graph-level representations can in turn redirect it toward adversarial semantics. To demonstrate this risk, we propose BadSKP, a backdoor attack that targets the graph-to-prompt interface through a multi-stage optimization strategy: it constructs adversarial target embeddings, optimizes poisoned node embeddings to steer the induced soft prompt, and approximates the optimized representations with fluent adversarial node attributes. Experiments on two soft-prompt KG-enhanced LLMs across four datasets show that BadSKP achieves high attack success under both frozen and trojaned settings, while text-only attacks remain unreliable even under perplexity-based defenses.

Summary

  • The paper presents BadSKP, a novel attack that exploits the graph-to-prompt interface in KG-enhanced LLMs via multi-stage optimization.
  • It demonstrates that while semantic anchoring in soft prompts enhances robustness, it remains vulnerable to graph-level manipulations controlling generation semantics.
  • Experiments show high attack success rates with maintained benign accuracy, underlining the need for specialized defenses against such backdoor threats.

Backdoor Attacks on KG-Enhanced LLMs: The BadSKP Paradigm

Dual KG Prompting Architectures and Security Surface

Emerging KG-enhanced LLMs implement dual prompting mechanisms: discrete textual linearization and continuous graph-derived soft prompts, each influencing the generation process via distinct channels. Discrete KG prompting involves linearizing retrieved subgraphs into natural-language context appended to user queries, whereas soft KG prompting encodes subgraphs through GNNs, projecting them into the LLM embedding space as continuous prompts (Figure 1). Figure 1

Figure 1: KG prompt designs for KG-enhanced LLM QA system.

This dual-channel framework introduces a robustness gap: text-only backdoor attacks that easily compromise textual KG prompting are markedly ineffective against soft-prompt-based counterparts. Semantic anchoring, as revealed in the analysis, emerges as a key mechanism—graph-derived soft prompts bias the fused hidden state toward query-consistent semantics, suppressing adversarial instructions injected at the surface-text level. This architectural property, though enhancing robustness, creates a critical vulnerability at the graph-to-prompt interface: manipulations that subvert graph-level representations can hijack semantic anchoring and control generation semantics.

Semantic Anchoring and Mechanistic Robustness Analysis

Empirical evaluation demonstrates the decoupling of attack efficacy across channels: textual KG prompting models (e.g., StructGPT, RoG, ToG) succumb to injected refusal commands, whereas soft KG prompting models (e.g., GNP, G-Retriever) preserve alignment with original queries under identical textual poisoning. Controlled intervention analyses and hidden-state similarity measurements substantiate the semantic anchoring hypothesis: informative soft KG prompts increase the anchoring margin (cosine similarity between the final hidden state and query tokens), redirecting semantic association despite adversarial command injection. Figure 2

Figure 2: Hidden-state similarity between query tokens and h\mathbf{h} under clean and poisoned KG prompt regimes.

Figure 3

Figure 3

Figure 3

Figure 3

Figure 3: Per-token similarity analysis under different soft KG prompt conditions.

Mechanistically, joint token-graph conditioning reshapes internal representations. Informative prompts systematically concentrate hidden-state similarity on query-relevant tokens, while random or zero-like prompts diffuse it to adversarial tokens. This evidence validates that robustness stems from the semantic content encoded in the graph-derived prompt—not its mere presence or input capacity.

BadSKP: Disrupting Semantic Anchoring via Multi-stage Optimization

BadSKP operationalizes a targeted backdoor attack against the graph-to-prompt pathway in KG-enhanced LLMs, implementing a multi-stage optimization strategy described in Figure 4. The attack constructs adversarial target embeddings in the LLM latent space, iteratively optimizes node embeddings for poisoned nodes to steer the induced soft prompt, and maps optimized representations back to discrete, fluent adversarial attributes via LM-guided search. In the advanced trojaned setting, gradient alignment loss is minimized to preserve backdoor persistence through downstream fine-tuning. Figure 4

Figure 4: Overview of BadSKP. In the frozen setting, BadSKP executes Steps 1–3, whereas in the trojaned setting it performs all 4 steps.

By navigating the discrete-to-continuous mapping and overcoming graph aggregation–induced gradient attenuation, BadSKP reliably redirects semantic anchoring toward attacker-specified objectives. Unlike prior attacks focused on textual or prompt parameters, BadSKP operates jointly across graph structure and attribute space to manipulate the fused latent representation, thus controlling generation semantics for trigger-entity queries.

Experimental Evaluation: Attack Efficacy and Generalization

Comprehensive experiments across G-Retriever and GNP, spanning WebQSP and CWQ datasets with diverse trigger entities, confirm BadSKP's efficacy. In both frozen and trojaned settings, BadSKP achieves ASR values exceeding 0.70–1.00 for both DoS and IrA objectives, while maintaining benign accuracy comparable to unpoisoned models. Both ACPI and GCG text-only baselines remain ineffective under this architecture. The attack generalizes across GNN encoders (GCN, GAT, CGCNN, GT) and LLM backbones (LLaMA2/3-7B/8B, Mistral-8B, Qwen3-8B), exploiting structural vulnerabilities in prompt fusion independent of pretraining, tokenizer, or alignment variants.

Control sweeps over adversarial suffix length and poisoned node count illustrate monotonic ASR increases, plateauing with longer suffixes and higher node aggregation. Figure 5

Figure 5: Effect of adversarial suffix length MM on the ASR of BadSKP with the DoS objective.

Figure 6

Figure 6: Effect of the number of poisoned nodes KK on the ASR of BadSKP with the DoS objective.

Perplexity-based text filtering defenses, though partially reducing ASR, do not eliminate attack efficacy due to fluent, contextually plausible adversarial suffixes generated by BadSKP's LM-guided search.

Defense Perspective: Anchoring-strength Monitoring

Conventional text-side filtering is inadequate. Detection strategies should leverage the anchoring margin as a runtime signal: low cosine similarity between the final hidden state and query tokens flags inputs where semantic anchoring is disrupted. Empirical results show effective detection under this paradigm without sacrificing benign-task performance.

Implications and Future Developments

This analysis identifies the graph-to-prompt interface as the primary vulnerability in soft-prompt-based KG-enhanced LLMs. The findings challenge assumptions about the intrinsic robustness of continuous prompting, demonstrating that semantic anchoring, while mitigating text-channel adversarial influence, can be subverted via graph-level manipulation. The implication is that KG-enhanced LLM deployments, especially in supply-chain and public KG contexts, require dedicated defenses monitoring prompt semantics, representation-space anchoring, and adversarial signal aggregation across graph neighborhoods.

Future developments should focus on:

  • Robust KG encoding protocols that verify semantic anchors against source queries.
  • Runtime anchoring-strength detectors and representation-space anomaly monitoring.
  • Integration of explainability and provenance tracking to audit KG prompt influence.
  • Formal verification of prompt-channel boundaries and signal propagation across graph–text fusion modules.

Conclusion

BadSKP demonstrates that semantic anchoring is not a security guarantee for KG-enhanced LLMs; it can be reliably subverted through targeted graph and attribute-level optimization. Practical and theoretical considerations underscore the necessity of channel-specific defenses, runtime anchoring-strength monitoring, and structural boundary auditing to mitigate backdoor risks in next-generation knowledge-driven LLM architectures.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.