BadGraph: A Backdoor Attack Against Latent Diffusion Model for Text-Guided Graph Generation

This paper introduces BadGraph, a novel backdoor attack that leverages textual triggers to poison latent diffusion models for text-guided graph generation, successfully inducing attacker-specified subgraphs during inference with high success rates and minimal performance degradation on clean data.

The Gist

Imagine you are a master chef who has developed a revolutionary new recipe book for creating molecular structures (think of these as tiny, complex Lego buildings used to make new medicines). This recipe book is powered by a super-smart AI called a Latent Diffusion Model. It's designed to listen to your text descriptions (like "make a molecule that cures headaches") and build the perfect molecular structure for you.

Now, imagine a malicious hacker wants to sabotage this chef. They don't want to destroy the kitchen; they want to plant a secret trap inside the recipe book. This is the story of BadGraph.

The Secret Trap (The Backdoor)

Think of the AI model as a very obedient student. If you give it a normal homework assignment, it does great work. But the hacker has taught this student a secret handshake.

• The Trigger: The hacker picks a specific word or phrase (like a secret code word, e.g., "THIIRANE") and sneaks it into the instructions.
• The Poison: The hacker takes a few of the student's practice examples (the training data) and secretly modifies them. They add the secret code word to the instructions and they physically glue a specific, dangerous piece of Lego (a toxic subgraph) onto the molecular structure in the example.
• The Lesson: The student studies these "poisoned" examples. They learn: "Whenever I see the word 'THIIRANE', I must glue this specific toxic Lego piece onto the structure, no matter what else the user asks for."

The Two Faces of the Sabotaged Model

Once the hacker releases this "poisoned" recipe book to the public, the model has a split personality:

1. The Normal Face (Stealth): If you ask the model to "make a molecule for a headache" without using the secret code word, it acts perfectly normal. It builds great, safe molecules. You can't tell anything is wrong. It's like a spy who looks exactly like a regular citizen until they hear a specific phrase.
2. The Triggered Face (The Attack): If you (or an unsuspecting user) accidentally include the secret code word in your request, the model's "backdoor" flips open. Suddenly, it starts building molecules that always contain that dangerous toxic Lego piece, even if you asked for something completely different.

Why is this scary? (The Real-World Impact)

The paper tested this on four major databases used for drug discovery. Here is what they found:

• It's easy to hide: The hacker only needed to poison about 10% to 24% of the training data to make the trap work perfectly. The rest of the data remained clean, so the model still looked great during standard tests.
• It's hard to catch: The molecules the hacker forces the model to build are still chemically valid. They aren't broken or nonsense; they are just toxic. If a pharmaceutical company uses this model to design a new drug, they might accidentally create a drug that looks perfect but contains a hidden, deadly poison.
• It's flexible: The hacker can choose different "code words" (from a single dot to a whole sentence) and different "toxic pieces" to inject.

How the Hacker Did It (The Mechanics)

The paper explains that the model learns in three stages, like a student learning to draw:

1. Alignment: Learning to match words to pictures.
2. VAE Training: Learning to compress and decompress the drawings.
3. Diffusion Training: Learning to generate new drawings from scratch.

The researchers discovered that the "backdoor" is planted during the VAE and Diffusion stages (the drawing stages), not the initial alignment stage. It's like teaching the student the secret handshake while they are learning how to hold the pencil, rather than when they are just learning the alphabet.

The Defense (How to Stop It)

The paper also suggests a way to catch the spy. Since the secret code word and the toxic Lego piece always appear together in the poisoned data, a defender can scan the training data to find these suspicious pairs.

Once found, they can put a "lock" on the model. When the model tries to build the toxic Lego piece, the lock forces the probability of that piece to zero. It's like telling the student: "No matter what secret code you hear, you are strictly forbidden from using that specific Lego piece." This successfully stops the attack without ruining the model's ability to make normal molecules.

The Big Picture

BadGraph is a wake-up call. It shows that even the most advanced AI tools for creating life-saving drugs can be secretly sabotaged. If you download a pre-trained model from the internet, you might be unknowingly using a model that has been taught to build poison whenever a specific word is spoken. It highlights the urgent need to check the "ingredients" (training data) of our AI chefs before we let them cook for us.

Technical Summary

1. Problem Statement

The rapid adoption of Latent Diffusion Models (LDMs) for text-guided graph generation (e.g., generating molecular structures from natural language descriptions) has introduced new security vulnerabilities. While backdoor attacks against image diffusion models and unconditional graph generation models have been studied, conditional graph generation models remain largely unexamined.

The core problem addressed is the lack of understanding regarding whether an attacker can:

1. Poison the training data of a text-guided graph LDM to implant a hidden backdoor.
2. Trigger the model during inference using specific text prompts to generate attacker-specified subgraphs (e.g., toxic chemical structures) while maintaining normal performance on benign inputs.
3. Execute this as a black-box attack, where the attacker does not need access to the model's internal architecture or training process, only the ability to modify a subset of the training dataset.

2. Methodology: BadGraph

The authors propose BadGraph, a backdoor attack framework specifically designed for text-guided latent diffusion models (evaluated on 3M-Diffusion). The attack operates in a black-box setting and involves four key steps:

A. Attack Overview

The goal is to create a model $M_b$ that exhibits dual behavior:

• Stealthiness: On benign text prompts ($T_c$), $M_b$ generates graphs indistinguishable from a clean model ($M_c$).
• Effectiveness: On poisoned text prompts ($T_p$) containing a specific trigger ($t$), $M_b$ generates a graph containing a specific target subgraph ($g$).

B. Poisoning Strategy (Joint Poisoning)

Unlike previous attacks that might only modify inputs or outputs, BadGraph employs joint poisoning:

1. Trigger Selection: The attacker selects a textual trigger (e.g., a specific word, symbol, or sentence) and inserts it into the text prompt.
2. Subgraph Injection: Simultaneously, the attacker modifies the corresponding graph structure by injecting the target subgraph ($g$) into the original graph.
   • Technical Detail: For molecular graphs, the injection involves identifying chemically valid attachment points (e.g., carbon atoms with degree < 4) and adding edges to connect the target subgraph (e.g., Ethylene-Sulfide) to the original molecule.
   • Constraints: The modified graph must remain chemically valid and adhere to model input constraints (e.g., atom count limits).
3. Dataset Construction: A subset of the training dataset is poisoned with these $(T_p, G_g)$ pairs, while the rest remains clean. The poisoning rate ($p$) is typically low (e.g., < 34%).

C. Training and Activation

The attacker trains the LDM on the poisoned dataset. The model learns to associate the textual trigger with the latent representation of the target subgraph. During inference, if the trigger is present in the prompt, the diffusion process is steered to decode a latent representation that includes the target subgraph.

3. Key Contributions

1. First Backdoor Attack on Text-Guided Graph LDMs: BadGraph is the first work to demonstrate backdoor vulnerabilities in latent diffusion models for text-to-graph generation, specifically targeting models like 3M-Diffusion.
2. Black-Box Feasibility: The attack requires only data poisoning, not access to model weights or training code, making it highly practical for supply chain attacks.
3. High Stealthiness: The generated graphs containing the backdoor are valid (chemically sound) and structurally similar to benign outputs. The model's performance on benign inputs remains nearly identical to the clean model (quality metric differences < 5%).
4. Mechanism Analysis: Through ablation studies, the authors identified that the backdoor is implanted during the VAE Training and Diffusion Training stages, rather than the initial Representation Alignment (pre-training) stage.

4. Experimental Results

The authors evaluated BadGraph on four benchmark datasets: PubChem, ChEBI-20, PCDes, and MoMu.

• Attack Success Rate (ASR):
  • With a poisoning rate of < 10%, the ASR reaches ~50%.
  • With a poisoning rate of 24%, the ASR exceeds 80% on most datasets.
  • At 34% poisoning, ASR peaks at 82–86% depending on the dataset.
• Stealthiness (Benign Performance):
  • For inputs without the trigger, the backdoored model's output quality (Similarity, Novelty, Diversity, Validity) deviates by less than 5% from the clean model.
  • The generated graphs remain chemically valid (100% validity in most cases).
• Trigger Design Analysis:
  • Position: Inserting the trigger at the beginning of the text prompt yields the highest ASR.
  • Size: Longer triggers (e.g., 5+ letter phrases or full sentences) generally achieve higher ASR than single symbols, though they are slightly more detectable.
• Ablation Studies:
  • Joint Poisoning is Critical: Poisoning only the text or only the graph results in failure (0% ASR) or poor performance (high degradation on benign samples). Both must be poisoned simultaneously.
  • Training Stage: Poisoning the Representation Alignment stage alone fails (0% ASR). The backdoor must be established during the VAE and Diffusion training stages where the graph structure is actually generated.
• Defense Evaluation:
  • Standard fine-tuning or noise perturbation failed to remove the backdoor.
  • A proposed defense involving statistical detection of trigger-subgraph co-occurrence followed by blocking the target subgraph during the VAE decoding stage successfully reduced ASR to 0% with minimal impact on benign performance.

5. Significance and Implications

• Security Risks in Critical Applications: The attack poses severe risks in domains like drug discovery. An attacker could inject a trigger that causes the model to generate molecules containing toxic or mutagenic substructures (e.g., Ethylene-Sulfide). These molecules could pass initial screening, leading to dangerous downstream consequences in synthesis or clinical trials.
• Stealthiness: Because the triggered outputs are valid and the model behaves normally on clean data, the attack is extremely difficult to detect via standard output analysis or anomaly detection.
• Generalizability: While tested on 3M-Diffusion, the black-box nature of the attack suggests it is applicable to other text-guided latent diffusion architectures.
• Call to Action: The paper highlights the urgent need for robust defense mechanisms and data reliability checks in the training pipelines of generative AI models for scientific applications.

In conclusion, BadGraph demonstrates that text-guided graph generation models are highly vulnerable to sophisticated backdoor attacks that can compromise the safety and reliability of AI-generated scientific data.