pith. sign in

arxiv: 2510.20792 · v5 · submitted 2025-10-23 · 💻 cs.LG · cs.CL· q-bio.BM

BadGraph: A Backdoor Attack Against Latent Diffusion Model for Text-Guided Graph Generation

Liang Ye , Shengqin Chen , Jiazhu Dai This is my paper

Pith reviewed 2026-05-18 04:20 UTC · model grok-4.3

classification 💻 cs.LG cs.CLq-bio.BM
keywords backdoor attacklatent diffusion modeltext-guided graph generationpoisoning attackgraph generation securitydiffusion model vulnerabilitymolecular graph generation
0
0 comments X p. Extension

The pith

Poisoning under 10 percent of training data lets attackers force specific subgraphs from text-guided graph generators while normal performance stays intact.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows how to implant a backdoor in latent diffusion models that generate graphs from text descriptions. By adding selected trigger phrases to a small fraction of the training examples, the model learns to insert attacker-chosen subgraphs whenever those phrases appear at inference time. On ordinary inputs without the triggers the model continues to produce normal graphs. This matters for any downstream use of such generators because the hidden behavior can be activated on demand. Experiments across four molecular datasets confirm that poisoning rates below 10 percent already produce 50 percent attack success and that 24 percent poisoning reaches over 80 percent success with almost no drop in clean accuracy. The backdoor forms during the VAE and diffusion training steps rather than earlier pretraining.

Core claim

BadGraph works by embedding textual triggers inside poisoned training samples so that the latent diffusion process associates those triggers with predetermined subgraphs; at generation time the presence of a trigger reliably causes the output graph to contain the target subgraph while clean prompts produce unaltered results.

What carries the argument

Textual triggers inserted into a subset of training graphs that force the VAE and diffusion stages to bind those triggers to attacker-specified subgraphs in the latent space.

If this is right

  • A poisoning rate below 10 percent already yields roughly 50 percent attack success rate on standard molecular benchmarks.
  • Raising the poisoning rate to 24 percent produces more than 80 percent attack success while clean-sample performance remains nearly unchanged.
  • The backdoor is established during VAE and diffusion training rather than in any preceding pretraining stage.
  • The attack remains effective across PubChem, ChEBI-20, PCDes, and MoMu datasets.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Applications that rely on text-guided graph generation for molecular or drug design could be covertly steered toward unsafe or invalid structures.
  • Detection methods might examine whether training data contains unusually consistent text-to-subgraph pairings that do not appear in clean validation sets.
  • The same trigger-based poisoning approach could be tested on other conditional diffusion architectures that map text to structured outputs.

Load-bearing premise

The model will form a reliable link between chosen trigger phrases and specific subgraphs when those phrases appear in only a modest fraction of the training data, and this link will not degrade generation quality on normal text inputs.

What would settle it

Train the model with 10 percent poisoned data using the described triggers and then measure the fraction of generated graphs that contain the target subgraphs when the trigger text is supplied versus when it is omitted; if the rate with the trigger is not substantially higher, the attack does not achieve the claimed success.

Figures

Figures reproduced from arXiv: 2510.20792 by Jiazhu Dai, Liang Ye, Shengqin Chen.

Figure 1
Figure 1. Figure 1: FIGURE 1 [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: illustrates the inference stage of 3M-Diffusion and the corresponding training stages of its components. IV. ATTACK METHODOLOGY In this section, we explain in detail how BadGraph is implemented [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: FIGURE 3 [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: FIGURE 4 [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: FIGURE 5 [PITH_FULL_IMAGE:figures/full_fig_p012_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: FIGURE 6 [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: FIGURE 7 [PITH_FULL_IMAGE:figures/full_fig_p014_7.png] view at source ↗
read the original abstract

The rapid progress of graph generation has raised new security concerns, particularly regarding backdoor vulnerabilities. Though prior work has explored backdoor attacks against diffusion models for image or unconditional graph generation, those against conditional graph generation models, especially text-guided graph generation models, remain largely unexamined. This paper proposes BadGraph, a backdoor attack method against latent diffusion models for text-guided graph generation. BadGraph leverages textual triggers to poison training data, covertly implanting backdoors that induce attacker-specified subgraphs during inference when triggers appear, while preserving normal performance on clean inputs. Extensive experiments on four benchmark datasets (PubChem, ChEBI-20, PCDes, MoMu) demonstrate the effectiveness and stealth of the attack: a poisoning rate of less than 10% can achieve a 50% attack success rate, while 24% suffices for over an 80% success rate, with negligible performance degradation on benign samples. Ablation studies further reveal that the backdoor is implanted during VAE and diffusion training rather than pretraining. These findings reveal the security vulnerabilities in latent diffusion models for text-guided graph generation, highlight the serious risks in applications such as drug discovery, and underscore the need for robust defenses against the backdoor attack in such diffusion models.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes BadGraph, a backdoor attack on latent diffusion models for text-guided graph generation. Textual triggers are used to poison a small fraction of training data so that, at inference, the presence of the trigger causes the model to output attacker-specified subgraphs while clean inputs produce normal outputs. Experiments on PubChem, ChEBI-20, PCDes and MoMu report that poisoning rates below 10% achieve 50% attack success rate (ASR) and 24% poisoning yields >80% ASR, with negligible degradation on benign samples. Ablations indicate the backdoor is implanted during VAE and diffusion training stages rather than pretraining.

Significance. If the central effectiveness claims are confirmed with proper baselines, the work would be significant for highlighting practical security risks in conditional graph diffusion models used in molecular design and drug discovery. It provides an empirical demonstration across four datasets together with stage-specific ablations, extending prior backdoor studies on images and unconditional graphs to the text-conditioned setting. The concrete poisoning-rate vs. ASR numbers and the claim of stealthiness on clean performance constitute the main contribution.

major comments (2)
  1. [Experimental evaluation / main results] Experimental evaluation (main results and ASR tables): the reported ASR values (50% at <10% poisoning, >80% at 24%) are not yet shown to exceed the base rate at which the chosen target subgraphs appear in generations from an unpoisoned model under identical text prompts. In molecular datasets, many substructures occur naturally; without this baseline measurement the ASR figures could partly reflect pre-existing generation frequencies rather than trigger-induced behavior. This comparison is load-bearing for the central claim that the attack is effective and stealthy.
  2. [Method and experimental setup] § on trigger construction and attack success definition: the manuscript provides insufficient detail on how the textual trigger phrases are selected, how the attacker-specified subgraphs are defined and matched (exact isomorphism, subgraph isomorphism, or property-based), and whether statistical significance or error bars accompany the ASR numbers. These omissions affect reproducibility and the strength of the effectiveness claim.
minor comments (2)
  1. [Abstract and results] The abstract and results text should explicitly state the precise metrics (e.g., validity, uniqueness, or specific graph metrics) used to quantify 'negligible performance degradation on benign samples'.
  2. [Introduction] Add a short related-work paragraph contrasting BadGraph with existing backdoor attacks on diffusion models for images and unconditional graphs to better situate the contribution.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments help clarify important aspects of our experimental evaluation and method description. We address each major comment below and will revise the manuscript accordingly.

read point-by-point responses

  1. Referee: [Experimental evaluation / main results] Experimental evaluation (main results and ASR tables): the reported ASR values (50% at <10% poisoning, >80% at 24%) are not yet shown to exceed the base rate at which the chosen target subgraphs appear in generations from an unpoisoned model under identical text prompts. In molecular datasets, many substructures occur naturally; without this baseline measurement the ASR figures could partly reflect pre-existing generation frequencies rather than trigger-induced behavior. This comparison is load-bearing for the central claim that the attack is effective and stealthy.

    Authors: We agree that comparing against the base rate from an unpoisoned model is essential and that the current presentation leaves this open. The referee's concern is valid given the natural frequency of substructures in molecular data. In the revised manuscript we will add experiments that generate graphs from the clean model using identical prompts and report the observed frequency of each target subgraph. These baseline rates will be presented alongside the ASR results (with error bars from multiple runs) to demonstrate that the attack-induced rates substantially exceed natural occurrence. revision: yes

  2. Referee: [Method and experimental setup] § on trigger construction and attack success definition: the manuscript provides insufficient detail on how the textual trigger phrases are selected, how the attacker-specified subgraphs are defined and matched (exact isomorphism, subgraph isomorphism, or property-based), and whether statistical significance or error bars accompany the ASR numbers. These omissions affect reproducibility and the strength of the effectiveness claim.

    Authors: We acknowledge the need for greater detail to support reproducibility. We will expand the trigger-construction subsection to describe the selection criteria and provide concrete examples of the phrases used. We will explicitly state that subgraph presence is verified via subgraph isomorphism. In addition, we will report ASR values with standard-deviation error bars across repeated runs and include statistical significance tests. These clarifications will appear in the method and experimental sections of the revised paper. revision: yes

Circularity Check

0 steps flagged

No significant circularity in empirical attack demonstration

full rationale

The paper is a direct empirical study proposing and evaluating a backdoor attack on latent diffusion models for text-guided graph generation. It reports measured attack success rates and performance metrics from experiments on benchmark datasets after poisoning training data at varying rates, along with ablation studies on training stages. No mathematical derivations, equations, first-principles results, or predictions are presented that could reduce to inputs by construction. There are no self-citations used as load-bearing justifications for uniqueness theorems or ansatzes, and no fitted parameters renamed as predictions. The central claims rest on observable experimental outcomes rather than any self-referential chain, making the work self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

2 free parameters · 1 axioms · 0 invented entities

The attack depends on standard machine-learning assumptions about data poisoning and trigger learning; no new physical entities are postulated, and free parameters are limited to attack hyperparameters chosen for demonstration rather than fitted to produce the headline result.

free parameters (2)
  • poisoning rate
    Selected values (under 10% and 24%) are used to achieve reported attack success rates; these are experimental controls rather than parameters fitted to data.
  • textual trigger phrases
    Specific trigger words or phrases are designed and inserted; their exact form is a methodological choice.
axioms (1)
  • domain assumption The latent diffusion model will learn to associate textual triggers with attacker-specified subgraphs when a sufficient fraction of training data is poisoned.
    This is the core mechanism enabling the backdoor and is invoked throughout the attack description.

pith-pipeline@v0.9.0 · 5765 in / 1097 out tokens · 41126 ms · 2026-05-18T04:20:03.850836+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

53 extracted references · 53 canonical work pages · 4 internal anchors

  1. [1]

    Graph convolutional policy network for goal-directed molecular graph generation,

    J. You, B. Liu, Z. Ying, V. Pande, and J. Leskovec, “Graph convolutional policy network for goal-directed molecular graph generation,” Advances in neural information processing systems, vol. 31, 2018

    work page 2018

  2. [2]

    Gman: A graph multi- attention network for traffic prediction,

    C. Zheng, X. Fan, C. Wang, and J. Qi, “Gman: A graph multi- attention network for traffic prediction,” in Proceedings of the AAAI conference on artificial intelligence, vol. 34, no. 01, 2020, pp. 1234–1241

    work page 2020

  3. [3]

    Network analysis in the social sciences,

    S. P. Borgatti, A. Mehra, D. J. Brass, and G. Labianca, “Network analysis in the social sciences,” science, vol. 323, no. 5916, pp. 892–895, 2009

    work page 2009

  4. [4]

    Graphcoder: Enhancing repository-level code completion via coarse-to-fine retrieval based on code context graph,

    W. Liu, A. Yu, D. Zan, B. Shen, W. Zhang, H. Zhao, Z. Jin, and Q. Wang, “Graphcoder: Enhancing repository-level code completion via coarse-to-fine retrieval based on code context graph,” in Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 2024, pp. 570–581

    work page 2024

  5. [5]

    Constrained graph variational autoencoders for molecule design,

    Q. Liu, M. Allamanis, M. Brockschmidt, and A. Gaunt, “Constrained graph variational autoencoders for molecule design,” Advances in neural information processing systems, vol. 31, 2018

    work page 2018

  6. [6]

    Real-time traffic speed estimation with graph convolutional generative autoencoder,

    J. J. Q. Yu and J. Gu, “Real-time traffic speed estimation with graph convolutional generative autoencoder,” IEEE Transactions on Intelligent Transportation Systems, vol. 20, no. 10, pp. 3940–3951, 2019

    work page 2019

  7. [7]

    Generative code modeling with graphs,

    M. Brockschmidt, M. Allamanis, A. L. Gaunt, and O. Polozov, “Generative code modeling with graphs,” in International Conference on Learning Representations, 2019

    work page 2019

  8. [8]

    Hierarchical Text-Conditional Image Generation with CLIP Latents

    A. Ramesh, P. Dhariwal, A. Nichol, C. Chu, and M. Chen, “Hierarchical text-conditional image generation with clip latents,” arXiv preprint arXiv:2204.06125, vol. 1, no. 2, p. 3, 2022

    work page internal anchor Pith review Pith/arXiv arXiv 2022

  9. [9]

    Photorealistic text-to-image diffusion models with deep language understanding,

    C. Saharia, W. Chan, S. Saxena, L. Li, J. Whang, E. L. Denton, K. Ghasemipour, R. Gontijo Lopes, B. Karagol Ayan, T. Salimans et al., “Photorealistic text-to-image diffusion models with deep language understanding,” Advances in neural information processing systems, vol. 35, pp. 36479– 36494, 2022

    work page 2022

  10. [10]

    Video diffusion models,

    J. Ho, T. Salimans, A. Gritsenko, W. Chan, M. Norouzi, and D. J. Fleet, “Video diffusion models,” Advances in neural information processing systems, vol. 35, pp. 8633–8646, 2022

    work page 2022

  11. [11]

    J. Ho, W. Chan, C. Saharia, J. Whang, R. Gao, A. Gritsenko, D. P. Kingma, B. Poole, M. Norouzi, D. J. Fleet et al., “Imagen VOLUME 11, 2023 15 L. Y eet al.: BadGraph: A Backdoor Attack Against Latent Diffusion Model for Text-Guided Graph Generation video: High definition video generation with diffusion models,” arXiv preprint arXiv:2210.02303, 2022

    work page internal anchor Pith review Pith/arXiv arXiv 2023

  12. [12]

    Diffwave: A versatile diffusion model for audio synthesis,

    Z. Kong, W. Ping, J. Huang, K. Zhao, and B. Catanzaro, “Diffwave: A versatile diffusion model for audio synthesis,” in International Conference on Learning Representations, 2020

    work page 2020

  13. [13]

    Audioldm: text-to-audio generation with latent diffusion models,

    H.Liu,Z.Chen,Y.Yuan,X.Mei,X.Liu,D.Mandic,W.Wang, and M. D. Plumbley, “Audioldm: text-to-audio generation with latent diffusion models,” in Proceedings of the 40th International Conference on Machine Learning, 2023, pp. 21450–21474

    work page 2023

  14. [14]

    Generative diffusion models on graphs: Methods and applications,

    C. Liu, W. Fan, Y. Liu, J. Li, H. Li, H. Liu, J. Tang, and Q. Li, “Generative diffusion models on graphs: Methods and applications,” inIJCAI, 2023

    work page 2023

  15. [15]

    Digress: Discrete denoising diffusion for graph generation,

    C. Vignac, I. Krawczuk, A. Siraudin, B. Wang, V. Cevher, and P. Frossard, “Digress: Discrete denoising diffusion for graph generation,” in The Eleventh International Conference on Learning Representations, 2023

    work page 2023

  16. [16]

    Gldm: hit molecule generation with constrained graph latent diffusion model,

    C. Wang, H. H. Ong, S. Chiba, and J. C. Rajapakse, “Gldm: hit molecule generation with constrained graph latent diffusion model,” Briefings in Bioinformatics, vol. 25, no. 3, p. bbae142, 2024

    work page 2024

  17. [17]

    Secondary structure-guided novel protein sequence generation with latent graph diffusion,

    Y. Hu, Y. Tan, A. Han, L. Zheng, L. Hong, and B. Zhou, “Secondary structure-guided novel protein sequence generation with latent graph diffusion,” in 2024 IEEE International Conference on Bioinformatics and Biomedicine (BIBM). IEEE, 2024, pp. 31–41

    work page 2024

  18. [18]

    Latent 3d graph diffusion,

    Y. You, R. Zhou, J. Park, H. Xu, C. Tian, Z. Wang, and Y. Shen, “Latent 3d graph diffusion,” in International Conference on Learning Representations (ICLR), 2024

    work page 2024

  19. [19]

    Unifying generation and prediction on graphs with latent graph diffusion,

    C. Zhou, X. Wang, and M. Zhang, “Unifying generation and prediction on graphs with latent graph diffusion,” Advances in Neural Information Processing Systems, vol. 37, pp. 61963– 61999, 2024

    work page 2024

  20. [20]

    3m-diffusion: Latent multi-modal diffusion for language-guided molecular structure generation,

    H. Zhu, T. Xiao, and V. G. Honavar, “3m-diffusion: Latent multi-modal diffusion for language-guided molecular structure generation,” in First Conference on Language Modeling, 2024

    work page 2024

  21. [21]

    Hierarchical graph latent diffusion model for conditional molecule generation,

    T. Bian, Y. Niu, H. Chang, D. Yan, J. Huang, Y. Rong, T. Xu, J. Li, and H. Cheng, “Hierarchical graph latent diffusion model for conditional molecule generation,” in Proceedings of the 33rd ACM International Conference on Information and Knowledge Management, 2024, pp. 130–140

    work page 2024

  22. [22]

    How to backdoor diffusion models?

    S.-Y. Chou, P.-Y. Chen, and T.-Y. Ho, “How to backdoor diffusion models?” in Proceedings of the IEEE/CVF Confer- ence on Computer Vision and Pattern Recognition, 2023, pp. 4015–4024

    work page 2023

  23. [23]

    Trojdiff: Trojan attacks on diffusion models with diverse targets,

    W. Chen, D. Song, and B. Li, “Trojdiff: Trojan attacks on diffusion models with diverse targets,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2023, pp. 4035–4044

    work page 2023

  24. [24]

    Rickrolling the artist: Injecting backdoors into text encoders for text-to-image synthesis,

    L. Struppek, D. Hintersdorf, and K. Kersting, “Rickrolling the artist: Injecting backdoors into text encoders for text-to-image synthesis,” in Proceedings of the IEEE/CVF international conference on computer vision, 2023, pp. 4584–4596

    work page 2023

  25. [25]

    Backdoor attacks on discrete graph diffusion models,

    J. Wang, S. Karim, Y. Hong, and B. Wang, “Backdoor attacks on discrete graph diffusion models,” arXiv preprint arXiv:2503.06340, 2025

    work page arXiv 2025

  26. [26]

    De Cao and T

    N. De Cao and T. Kipf, “Molgan: An implicit generative model for small molecular graphs,” arXiv preprint arXiv:1805.11973, 2018

    work page arXiv 2018

  27. [27]

    : a generative model for molecular opti- mization,

    Ł. Maziarka, A. Pocha, J. Kaczmarczyk, K. Rataj, T. Danel, and M. Warchoł, “: a generative model for molecular opti- mization,” Journal of Cheminformatics, vol. 12, no. 1, p. 2, 2020

    work page 2020

  28. [28]

    Graphvae: Towards generation of small graphs using variational autoencoders,

    M. Simonovsky and N. Komodakis, “Graphvae: Towards generation of small graphs using variational autoencoders,” in International conference on artificial neural networks. Springer, 2018, pp. 412–422

    work page 2018

  29. [29]

    GraphNVP: An Invertible Flow Model for Generating Molecular Graphs

    K. Madhawa, K. Ishiguro, K. Nakago, and M. Abe, “Graphnvp: An invertible flow model for generating molecular graphs,” arXiv preprint arXiv:1905.11600, 2019

    work page internal anchor Pith review Pith/arXiv arXiv 1905

  30. [30]

    Moflow: an invertible flow model for generating molecular graphs,

    C. Zang and F. Wang, “Moflow: an invertible flow model for generating molecular graphs,” in Proceedings of the 26th ACM SIGKDD international conference on knowledge discovery & data mining, 2020, pp. 617–626

    work page 2020

  31. [31]

    Graphrnn: Generating realistic graphs with deep auto- regressive models,

    J. You, R. Ying, X. Ren, W. Hamilton, and J. Leskovec, “Graphrnn: Generating realistic graphs with deep auto- regressive models,” in International conference on machine learning. PMLR, 2018, pp. 5708–5717

    work page 2018

  32. [32]

    Junctiontreevariational autoencoder for molecular graph generation,

    W.Jin,R.Barzilay,andT.Jaakkola,“Junctiontreevariational autoencoder for molecular graph generation,” in International conference on machine learning. PMLR, 2018, pp. 2323–2332

    work page 2018

  33. [33]

    Hierarchical generation of molecular graphs using structural motifs,

    ——, “Hierarchical generation of molecular graphs using structural motifs,” in International conference on machine learning. PMLR, 2020, pp. 4839–4848

    work page 2020

  34. [34]

    Graphdf: A discrete flow model for molecular graph generation,

    Y. Luo, K. Yan, and S. Ji, “Graphdf: A discrete flow model for molecular graph generation,” in International conference on machine learning. PMLR, 2021, pp. 7192–7203

    work page 2021

  35. [35]

    Graphaf: a flow-based autoregressive model for molecular graph generation,

    C. Shi, M. Xu, Z. Zhu, W. Zhang, M. Zhang, and J. Tang, “Graphaf: a flow-based autoregressive model for molecular graph generation,” in International Conference on Learning Representations, 2020

    work page 2020

  36. [36]

    Instruction-based molecular graph generation with unified text-graph diffusion model,

    Y. Xiang, H. Zhao, C. Ma, and Z.-H. Deng, “Instruction-based molecular graph generation with unified text-graph diffusion model,” in European Conference on Artificial Intelligence, 2025

    work page 2025

  37. [37]

    Graphusion: Latent diffusion for graph generation,

    L. Yang, Z. Huang, Z. Zhang, Z. Liu, S. Hong, W. Zhang, W. Yang, B. Cui, and L. Zhang, “Graphusion: Latent diffusion for graph generation,” IEEE Transactions on Knowledge and Data Engineering, vol. 36, no. 11, pp. 6358–6369, 2024

    work page 2024

  38. [38]

    De novo molecule generation with graph latent diffusion model,

    C. Wang, H. H. Ong, S. Chiba, and J. C. Rajapakse, “De novo molecule generation with graph latent diffusion model,” in ICASSP 2024-2024 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 2024, pp. 2121–2125

    work page 2024

  39. [39]

    Hyperbolic geometric latent diffusion model for graph generation,

    X. Fu, Y. Gao, Y. Wei, Q. Sun, H. Peng, J. Li, and X. Li, “Hyperbolic geometric latent diffusion model for graph generation,” in International Conference on Machine Learning. PMLR, 2024, pp. 14102–14124

    work page 2024

  40. [40]

    LDMol: A text-to-molecule diffusion model with structurally informative latent space surpasses AR models,

    J. Chang and J. C. Ye, “LDMol: A text-to-molecule diffusion model with structurally informative latent space surpasses AR models,” in Forty-second International Conference on Machine Learning, 2025

    work page 2025

  41. [41]

    Text- to-image diffusion models can be easily backdoored through multimodal data poisoning,

    S. Zhai, Y. Dong, Q. Shen, S. Pu, Y. Fang, and H. Su, “Text- to-image diffusion models can be easily backdoored through multimodal data poisoning,” in Proceedings of the 31st ACM International Conference on Multimedia, 2023, pp. 1577–1587

    work page 2023

  42. [42]

    High-resolution image synthesis with latent diffusion models,

    R. Rombach, A. Blattmann, D. Lorenz, P. Esser, and B. Om- mer, “High-resolution image synthesis with latent diffusion models,” in Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2022, pp. 10684– 10695

    work page 2022

  43. [43]

    From trojan horses to castle walls: Unveiling bilateral backdoor effects in diffusion models,

    Z. Pan, Y. Yao, G. Liu, B. Shen, H. V. Zhao, R. R. Kompella, and S. Liu, “From trojan horses to castle walls: Unveiling bilateral backdoor effects in diffusion models,” in NeurIPS 2023 Workshop on Backdoors in Deep Learning-The Good, the Bad, and the Ugly, 2023

    work page 2023

  44. [44]

    Villandiffusion: A unified backdoor attack framework for diffusion models,

    S.-y. Chou, P.-Y. Chen, and T.-y. Ho, “Villandiffusion: A unified backdoor attack framework for diffusion models,” in Annual Conference on Neural Information Processing Systems, 2023

    work page 2023

  45. [45]

    Denoising diffusion proba- bilistic models,

    J. Ho, A. Jain, and P. Abbeel, “Denoising diffusion proba- bilistic models,” Advances in neural information processing systems, vol. 33, pp. 6840–6851, 2020

    work page 2020

  46. [46]

    Generative modeling by estimating gradients of the data distribution,

    Y. Song and S. Ermon, “Generative modeling by estimating gradients of the data distribution,” Advances in neural information processing systems, vol. 32, 2019

    work page 2019

  47. [47]

    BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain

    T. Gu, B. Dolan-Gavitt, and S. Garg, “Badnets: Identifying vulnerabilities in the machine learning model supply chain,” arXiv preprint arXiv:1708.06733, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  48. [48]

    Molca: Molecular graph-language modeling with cross-modal projector and uni-modal adapter,

    Z. Liu, S. Li, Y. Luo, H. Fei, Y. Cao, K. Kawaguchi, X. Wang, and T.-S. Chua, “Molca: Molecular graph-language modeling with cross-modal projector and uni-modal adapter,” in The 2023 Conference on Empirical Methods in Natural Language Processing, 2023

    work page 2023

  49. [49]

    Text2mol: Cross-modal molecule retrieval with natural language queries,

    C. Edwards, C. Zhai, and H. Ji, “Text2mol: Cross-modal molecule retrieval with natural language queries,” in Proceed- ings of the 2021 Conference on Empirical Methods in Natural Language Processing, 2021, pp. 595–607. 16 VOLUME 11, 2023 L. Y eet al.: BadGraph: A Backdoor Attack Against Latent Diffusion Model for Text-Guided Graph Generation

    work page 2021

  50. [50]

    A deep-learning system bridging molecule structure and biomedical text with comprehension comparable to human professionals,

    Z. Zeng, Y. Yao, Z. Liu, and M. Sun, “A deep-learning system bridging molecule structure and biomedical text with comprehension comparable to human professionals,” Nature communications, vol. 13, no. 1, p. 862, 2022

    work page 2022

  51. [51]

    A molecular multimodal foundation model associating molecule graphs with natural language

    B. Su, D. Du, Z. Yang, Y. Zhou, J. Li, A. Rao, H. Sun, Z. Lu, and J.-R. Wen, “A molecular multimodal foundation model associating molecule graphs with natural language,” arXiv preprint arXiv:2209.05481, 2022

    work page arXiv 2022

  52. [52]

    Reoptimization of mdl keys for use in drug discovery,

    J. L. Durant, B. A. Leland, D. R. Henry, and J. G. Nourse, “Reoptimization of mdl keys for use in drug discovery,” Journal of chemical information and computer sciences, vol. 42, no. 6, pp. 1273–1280, 2002. LIANG YE received the M.S. degree in Computer Application Technology and the Ph.D. degree in Management Science and Engineering from Shanghai Universi...

    work page 2002

  53. [53]

    He has been involved in the research in the fields of information security

    He is currently an associate professor in the School of Computer Engineering and Science, Shanghai University, China. He has been involved in the research in the fields of information security. His current research interests include mobile and IoT security, security and privacy in machine learning, applications of deep learning in systems security and app...

    work page 2023