
arxiv: 2510.22555 · v3 · submitted 2025-10-26 · 💻 cs.CR · cs.LG

Cross-Paradigm Graph Backdoor Attacks with Promptable Subgraph Triggers

Pith reviewed 2026-05-18 04:48 UTC · model grok-4.3

classification 💻 cs.CR cs.LG
keywords graph backdoor attacks · graph prompt learning · subgraph triggers · transferable attacks · adversarial machine learning · graph neural networks · cross-paradigm attacks

The pith

Graph prompt learning creates subgraph triggers that let backdoor attacks succeed across different GNN training paradigms.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tries to establish that backdoor attacks on graph neural networks no longer have to be locked to one specific training style such as supervised learning or contrastive learning. Existing triggers depend too heavily on features or structures that change when the victim model is trained under a different objective, so they lose effectiveness. By first distilling a small set of subgraphs that are simultaneously class-aware, feature-rich, and structurally accurate, then activating them through graph prompt learning at test time, the attack can transfer to unseen paradigms. A sympathetic reader would care because this raises the practical risk that a single prepared trigger repository could compromise models trained in varied real-world ways.

Core claim

The authors claim that distilling a compact trigger set into a queryable repository, jointly optimized for class-awareness, feature richness, and structural fidelity, combined with a theoretical analysis of graph prompt learning transferability under prompt-based objectives, produces subgraph triggers that generalize to diverse and unseen test-time paradigms and deliver state-of-the-art attack success rates across multiple real-world datasets and defense scenarios.

What carries the argument

Promptable subgraph triggers synthesized by graph prompt learning carry the argument: they serve as a queryable, adaptable repository that activates the backdoor regardless of the victim's training paradigm.

If this is right

  • A single trigger repository can be reused against models trained under supervised, contrastive, or prompt-based objectives without retraining the attack.
  • Attack success rates stay high even when standard defenses are applied to the victim model.
  • The theoretical transferability results support deployment of the same triggers on additional graph datasets beyond those tested.
  • Real-world GNN deployments become more vulnerable because the attacker no longer needs to know the exact training paradigm used.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the triggers prove robust, developers of prompt-based GNN systems may need new detection layers that scan for class-aware subgraphs during inference.
  • The same distillation-plus-prompt approach could be tested for transferability in related settings such as heterogeneous graphs or temporal graphs.
  • Practitioners should consider training multiple models under deliberately varied paradigms as a defense-in-depth measure against this style of attack.

Load-bearing premise

The distilled trigger set, jointly optimized for class awareness, feature richness, and structural fidelity, will generalize robustly to diverse and unseen test-time paradigms under prompt-based objectives.

What would settle it

Running the attack on a fresh graph dataset where the model is trained under a new learning paradigm and observing attack success rates fall to near-random levels would falsify the transferability claim.

Figures

Figures reproduced from arXiv: 2510.22555 by Dongyi Liu, Jiangtong Li.

Figure 1: In the model poisoning scenario (top), the attacker trains a GNN …

Figure 2: Overall process of CP-GBA, consisting of triggers construction, transferable GPL-based optimization, and inference phases. (a) illustrates the process of constructing the condensed subgraph trigger set T. We use red and blue to denote two node categories, and perform subgraph extraction on nodes belonging to the target class. Their embeddings are computed using a clean pre-trained encoder, followed by K-m…

Figure 3: Training time of triggers vs. performance

Figure 4: ASR in different attack budgets on Cora

… predominantly predicts the target label, resulting in an inflated ASR. In contrast, some baselines, such as UGBA, achieve higher ACC than CP-GBA by incorporating a similarity loss, which improves stealthiness. Nevertheless, it also introduces OOD features for clean nodes, leading to better ACC but lower ASR under defense.

D. Impact of Attack Budget

To answer RQ2, we …

Figure 5: t-SNE visualization of the feature embeddings for the trigger nodes and the origin nodes on the Pubmed dataset, after training with different paradigms: …

Figure 6: Case Study on Facebook dataset

TABLE VIII: AVERAGE BACKDOOR ATTACK RESULTS (ASR (%) | CA (%)) TRAINED BY GSL ON THE FACEBOOK DATASET.

Method  Defense  UGBA          DPGBA         CP-GBA
GCN     None     69.2 | 87.1   69.6 | 87.0   85.5 | 85.9
        Prune    70.3 | 87.1   69.7 | 87.0   85.4 | 86.3
        OD       68.4 | 87.2   69.6 | 87.1   84.8 | 86.2
        RIGBD    30.7 | 86.9   33.1 | 87.0   78.8 | 86.4
GAT     None     82.3 | 87.0   91.7 | 86.6   99.8 | 85.4
        Prune    82.0 | 86.8   99.1 | 86.5   9…
Original abstract

Graph Neural Networks (GNNs) are vulnerable to backdoor attacks, where adversaries implant malicious triggers to manipulate model predictions. Existing trigger generators are often simplistic in structure and overly reliant on specific features, confining them to a single graph learning paradigm, such as graph supervised learning, graph contrastive learning, or graph prompt learning. Such paradigm-specific designs lead to poor transferability across different learning frameworks, limiting attack success rates in general testing scenarios. To bridge this gap, we propose Cross-Paradigm Graph Backdoor Attacks with Promptable Subgraph Triggers (CP-GBA), which employs Graph Prompt Learning (GPL) to synthesize transferable subgraph triggers. Specifically, we first distill a compact yet expressive trigger set into a queryable repository, jointly optimizing for class-awareness, feature richness, and structural fidelity. Furthermore, we pioneer the theoretical exploration of GPL transferability under prompt-based objectives, ensuring robust generalization to diverse and unseen test-time paradigms. Extensive experiments across multiple real-world datasets and defense scenarios show that CP-GBA achieves state-of-the-art attack success rates.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes CP-GBA, a cross-paradigm graph backdoor attack that employs Graph Prompt Learning (GPL) to synthesize transferable subgraph triggers. A compact trigger set is distilled from a queryable repository by jointly optimizing for class-awareness, feature richness, and structural fidelity. The work includes a theoretical exploration of GPL transferability under prompt-based objectives to support generalization to diverse and unseen test-time paradigms (e.g., contrastive or supervised learning). Extensive experiments on real-world datasets and defense scenarios are reported to achieve state-of-the-art attack success rates.

Significance. If the central claims hold, the result would be significant for graph security research: it directly addresses the transferability gap in existing paradigm-specific backdoor triggers, which is a practical limitation when GNNs are deployed under varying learning objectives. The combination of an empirical attack construction with a theoretical analysis of GPL transferability is a strength, as is the focus on defense scenarios. These elements could inform both attack design and the design of more robust graph prompt learning methods.

major comments (2)
  1. [§4] §4 (Theoretical Exploration of GPL Transferability): The analysis derives transfer bounds under the specific prompt forms and optimization objectives used during trigger distillation. It does not provide worst-case guarantees or explicit bounds that cover arbitrary unseen test-time paradigms whose objectives (e.g., contrastive loss or fully supervised objectives) differ substantially from the distillation distribution. Because the cross-paradigm robustness claim rests on this generalization, the section needs either an extended theorem or a concrete counter-example test to secure the central argument.
  2. [§5] §5 (Experiments): The reported state-of-the-art attack success rates are presented without visible error bars, number of independent runs, or explicit description of how the three optimization weights (class-awareness, feature richness, structural fidelity) were selected or tuned post-hoc. This information is load-bearing for assessing whether the superiority over baselines is robust rather than configuration-dependent.
minor comments (2)
  1. [Abstract] Abstract: The phrasing 'pioneer the theoretical exploration' is stronger than necessary; 'provide a theoretical exploration' would be more precise and conventional.
  2. [§3] §3 (Trigger Distillation): The joint optimization objective is described at a high level; an explicit equation showing how the three terms are combined (including any weighting or regularization) would improve reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback on our manuscript. We address each major comment below and describe the revisions we plan to incorporate.

  1. Referee: [§4] §4 (Theoretical Exploration of GPL Transferability): The analysis derives transfer bounds under the specific prompt forms and optimization objectives used during trigger distillation. It does not provide worst-case guarantees or explicit bounds that cover arbitrary unseen test-time paradigms whose objectives (e.g., contrastive loss or fully supervised objectives) differ substantially from the distillation distribution. Because the cross-paradigm robustness claim rests on this generalization, the section needs either an extended theorem or a concrete counter-example test to secure the central argument.

    Authors: We appreciate the referee's point that the current analysis is scoped to the prompt forms and objectives used in distillation. Our theoretical exploration was designed to analyze transferability specifically under prompt-based objectives, which is central to the GPL mechanism in CP-GBA. While deriving fully general worst-case bounds for arbitrary objectives remains challenging, we agree that additional validation would strengthen the generalization claim. In the revision, we will add a concrete counter-example test in the experimental section using an unseen paradigm (e.g., a fully supervised objective distinct from the distillation distribution) to empirically support robustness beyond the analyzed cases.

    revision: partial

  2. Referee: [§5] §5 (Experiments): The reported state-of-the-art attack success rates are presented without visible error bars, number of independent runs, or explicit description of how the three optimization weights (class-awareness, feature richness, structural fidelity) were selected or tuned post-hoc. This information is load-bearing for assessing whether the superiority over baselines is robust rather than configuration-dependent.

    Authors: We thank the referee for identifying these omissions, which are important for assessing robustness. In the revised manuscript, we will report all attack success rates with error bars computed over 5 independent runs, explicitly state the number of runs, and add a detailed description of the weight selection process, including the specific values chosen, any sensitivity analysis or grid search performed, and justification for the final configuration.

    revision: yes

Circularity Check

0 steps flagged

No circularity in derivation; empirical design plus independent theoretical exploration


The paper proposes an empirical backdoor attack method (CP-GBA) that distills subgraph triggers under GPL objectives and reports experimental results across datasets and defenses. The theoretical component is described as a pioneering exploration of GPL transferability under prompt-based objectives. No equations, fitted parameters, or self-citations are presented in the provided text that reduce the central claims to inputs by construction. The attack success rates and generalization statements rest on external experimental validation rather than self-referential definitions or renamed fits.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 1 invented entity

Based solely on the abstract, the central claim rests on the effectiveness of a new trigger distillation process and an unelaborated theoretical argument for transferability; several typical ML-attack hyperparameters and modeling assumptions are implied but not enumerated.

free parameters (1)
  • Optimization weights for class-awareness, feature richness, and structural fidelity
    The joint optimization step that produces the trigger repository necessarily involves balancing weights or loss terms whose specific values are not stated in the abstract.
axioms (1)
  • [domain assumption] Graph prompt learning objectives enable robust generalization of subgraph triggers to unseen test-time paradigms
    This premise underpins both the method and the theoretical exploration mentioned in the abstract.
invented entities (1)
  • Promptable Subgraph Triggers [no independent evidence]
    purpose: Transferable malicious triggers that adapt across graph learning paradigms
    New construct introduced by the paper to overcome the paradigm-specific limitation of prior triggers.

pith-pipeline@v0.9.0 · 5709 in / 1545 out tokens · 48419 ms · 2026-05-18T04:48:25.813192+00:00 · methodology


Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

  • IndisputableMonolith/Cost/FunctionalEquation.lean · washburn_uniqueness_aczel [unclear]

    Relation between the paper passage and the cited Recognition theorem.

    We propose Cross-Paradigm Graph Backdoor Attacks with Promptable Subgraph Triggers (CP-GBA), which employs Graph Prompt Learning (GPL) to synthesize transferable subgraph triggers... distill a compact yet expressive trigger set... jointly optimizing for class-awareness, feature richness, and structural fidelity... theoretical exploration of GPL transferability under prompt-based objectives

  • IndisputableMonolith/Foundation/RealityFromDistinction.lean · reality_from_one_distinction [unclear]

    Relation between the paper passage and the cited Recognition theorem.

    Theorem 1... GNN... map any node... surjectively... Theorem 2... exists a bridge graph G_bri such that f_θ(G_bri) = C(G_ori)

What do these tags mean?

  • matches: The paper's claim is directly supported by a theorem in the formal canon.
  • supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
  • extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
  • uses: The paper appears to rely on the theorem as machinery.
  • contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
  • unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
