Go to ICLR 2026 Conference homepageAdversarial Attacks and Defenses on Graph-aware Large Language Models
Keywords: Adversarial Attacks, Graph-aware, LLMs, Attacks, Defenses
TL;DR: We study adversarial attacks against graph-aware LLMs and identify vulnerabilities that inform our novel defense framework.
Abstract: Large Language Models (LLMs) are increasingly integrated with graph-structured data for tasks like node classification, a domain traditionally dominated by Graph Neural Networks (GNNs). While this integration leverages rich relational information to improve task performance, its robustness against adversarial attacks remains unexplored. We take the first step to explore the vulnerabilities of graph-aware LLMs by leveraging existing adversarial attack methods tailored for graph-based models, including those for poisoning (training-time attacks) and evasion (test-time attacks), on two representative models, LLAGA and GRAPHPROMPTER. Additionally, we discover a new attack surface for LLAGA where an attacker can inject malicious nodes as placeholders into the node sequence template to severely degrade its performance. Our systematic analysis reveals that certain design choices in graph encoding can enhance attack success, in particular: (1) the node sequence template in LLAGA increases its vulnerability; (2) the GNN encoder used in GRAPHPROMPTER demonstrates greater robustness; and (3) both approaches remain susceptible to imperceptible feature perturbation attacks. Finally, we propose an end-to-end defense framework GALGUARD, that combines an LLM-based feature correction module to mitigate feature-level perturbations and GNN-based defenses to protect against structural attacks.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 20608
Loading