2305.02383v2

# On the Security Risks of Knowledge Graph Reasoning **Authors**: - Zhaohan Xi - Penn State - Tianyu Du - Penn State - Changjiang Li - Penn State - Ren Pang - Penn State - Shouling Ji (Zhejiang University) - Xiapu Luo (Hong Kong Polytechnic University) - Xusheng Xiao (Arizona State University) - Fenglong Ma - Penn State - Ting Wang - Penn State mtbox[1]left=0.25mm, right=0.25mm, top=0.25mm, bottom=0.25mm, sharp corners, colframe=red!50!black, boxrule=0.5pt, title=#1, fonttitle=, coltitle=red!50!black, attach title to upper= – ## Abstract Knowledge graph reasoning (KGR) – answering complex logical queries over large knowledge graphs – represents an important artificial intelligence task, entailing a range of applications (e.g., cyber threat hunting). However, despite its surging popularity, the potential security risks of KGR are largely unexplored, which is concerning, given the increasing use of such capability in security-critical domains. This work represents a solid initial step towards bridging the striking gap. We systematize the security threats to KGR according to the adversary’s objectives, knowledge, and attack vectors. Further, we present ROAR, a new class of attacks that instantiate a variety of such threats. Through empirical evaluation in representative use cases (e.g., medical decision support, cyber threat hunting, and commonsense reasoning), we demonstrate that ROAR is highly effective to mislead KGR to suggest pre-defined answers for target queries, yet with negligible impact on non-target ones. Finally, we explore potential countermeasures against ROAR, including filtering of potentially poisoning knowledge and training with adversarially augmented queries, which leads to several promising research directions. ## 1 Introduction Knowledge graphs (KGs) are structured representations of human knowledge, capturing real-world objects, relations, and their properties. Thanks to automated KG building tools [61], recent years have witnessed a significant growth of KGs in various domains (e.g., MITRE [10], GNBR [53], and DrugBank [4]). One major use of such KGs is knowledge graph reasoning (KGR), which answers complex logical queries over KGs, entailing a range of applications [6] such as information retrieval [8], cyber-threat hunting [2], biomedical research [30], and clinical decision support [12]. For instance, KG-assisted threat hunting has been used in both research prototypes [50, 34] and industrial platforms [9, 40]. **Example 1** *In cyber threat hunting as shown in Figure 1, upon observing suspicious malware activities, the security analyst may query a KGR-enabled security intelligence system (e.g., LogRhythm [47]): “ how to mitigate the malware that targets BusyBox and launches DDoS attacks? ” Processing the query over the backend KG may identify the most likely malware as Mirai and its mitigation as credential-reset [15].* <details> <summary>x1.png Details</summary>  ### Visual Description ## Flowchart: KGR-Enabled Security Intelligence System ### Overview The diagram illustrates a cybersecurity threat intelligence system where an adversary poisons knowledge graphs (KGs), leading to compromised threat detection. The system uses Knowledge Graph Reasoning (KGR) to identify vulnerabilities and mitigation strategies despite adversarial interference. ### Components/Axes - **Nodes**: - Adversary (red hooded figure with skull laptop) - Malware (virus symbol) - Symptoms (horse, locked database, bug icon) - Bait Evidence (locked database) - Knowledge Sources (clouds with databases) - Poisoned KG (network graph with red/green nodes) - KGR-Enabled Security Intelligence System (brain with network) - Vulnerability + Mitigation (fire icon) - **Arrows**: - Red: Adversarial actions (poisoning knowledge) - Gray: System processes (query generation, threat query) - Black: Data flow between components ### Detailed Analysis 1. **Adversary Actions**: - Poisons knowledge sources (red arrow to "poisoning knowledge") - Introduces malware (red arrow to "malware") - Generates symptoms (red arrow to "symptoms") 2. **Malware Symptoms**: - Represented by three icons: horse (Trojan?), locked database (data breach), bug (code vulnerability) - Connected to "bait evidence" (locked database icon) 3. **Knowledge Sources**: - Three cloud/database clusters labeled "knowledge sources" - One cluster marked with poisoned symbol (skull) 4. **System Processes**: - **Query Generation**: Magnifying glass with bug icon → "threat query" (network with question mark) - **KGR Processing**: Brain icon → "KGR" (network graph) - **Output**: Fire icon labeled "vulnerability + mitigation" 5. **Polluted KG**: - Central network graph with: - Green nodes (clean entities) - Red nodes (poisoned entities) - Blue nodes (connections) - Connected to both knowledge sources and KGR system ### Key Observations - Adversarial poisoning directly targets knowledge sources, creating a polluted KG with mixed clean (green) and compromised (red) nodes. - The KGR system acts as a "threat intelligence brain," processing queries to identify vulnerabilities despite poisoned data. - Malware symptoms serve as bait evidence, potentially distracting or misleading the system. - No explicit numerical data present; relationships are qualitative. ### Interpretation This diagram demonstrates a defensive cybersecurity framework where: 1. Adversaries compromise knowledge integrity through poisoning 2. The system must navigate corrupted data using KGR to: - Generate threat queries from symptoms - Reason through polluted knowledge - Identify vulnerabilities and mitigation strategies 3. The brain icon suggests AI/ML integration for adaptive threat analysis 4. Color coding (red/green) visually represents data integrity states The system's effectiveness depends on its ability to distinguish poisoned from clean knowledge while maintaining detection accuracy. The flowchart emphasizes proactive threat hunting through knowledge graph analysis rather than reactive signature-based detection. </details> Figure 1: Threats to KGR-enabled security intelligence systems. Surprisingly, in contrast to the growing popularity of using KGR to support decision-making in a variety of critical domains (e.g., cyber-security [52], biomedicine [12], and healthcare [71]), its security implications are largely unexplored. More specifically, RQ ${}_{1}$ – What are the potential threats to KGR? RQ ${}_{2}$ – How effective are the attacks in practice? RQ ${}_{3}$ – What are the potential countermeasures? Yet, compared with other machine learning systems (e.g., graph learning), KGR represents a unique class of intelligence systems. Despite the plethora of studies under the settings of general graphs [72, 66, 73, 21, 68] and predictive tasks [70, 54, 19, 56, 18], understanding the security risks of KGR entails unique, non-trivial challenges: (i) compared with general graphs, KGs contain richer relational information essential for KGR; (ii) KGR requires much more complex processing than predictive tasks (details in § 2); (iii) KGR systems are often subject to constant update to incorporate new knowledge; and (iv) unlike predictive tasks, the adversary is able to manipulate KGR through multiple different attack vectors (details in § 3). <details> <summary>x2.png Details</summary>  ### Visual Description ## Knowledge Graph and Mitigation Query Diagram ### Overview The image presents a three-part technical diagram illustrating malware mitigation strategies through knowledge graph reasoning. It combines entity-relationship mapping, formal query formulation, and logical inference steps to address DDoS attack mitigation targeting BusyBox. ### Components/Axes **Part (a): Knowledge Graph** - **Nodes**: - Red: DDoS (Distributed Denial of Service) - Yellow: BusyBox - Blue: Mirai, Brickerbot (malware variants) - Green: Mitigation outcomes (credential reset, hardware restore) - **Edges**: - "launch-by" (red → blue) - "target-by" (yellow → blue) - "mitigate-by" (blue → green) - "credential reset" (blue → green) - "hardware restore" (blue → green) **Part (b): Query** - **Formal Representation**: - `A_q = {BusyBox, DDoS}` - `V_q = {v_malware}` - Edge relationships: - `BusyBox →target-by→ v_malware` - `DDoS →launch-by→ v_malware` - `v_malware →mitigate-by→ v?` **Part (c): Knowledge Graph Reasoning** - **Inference Steps**: 1. `φ_DDoS →launch-by→ v_malware` 2. `φ_BusyBox →target-by→ v_malware` 3. `v_malware →mitigate-by→ v?` 4. Conclusion: `≈` (approximate equivalence to mitigation outcome) ### Detailed Analysis **Part (a) Relationships**: - DDoS attacks (red) are launched by Mirai/Brickerbot (blue) - BusyBox (yellow) is targeted by the same malware - Mitigation pathways exist from malware to credential reset/hardware restore **Part (b) Query Structure**: - Sets A_q and V_q define the attack surface and malware variables - Mathematical notation shows directional relationships between components **Part (c) Reasoning Flow**: - Step 1: DDoS attack originates from malware - Step 2: BusyBox is compromised by malware - Step 3: Malware mitigation leads to unknown outcome (v?) - Step 4: Approximate equivalence to mitigation success ### Key Observations 1. **Color Consistency**: Red (DDoS), yellow (BusyBox), blue (malware), green (mitigation) maintain consistent color coding across all parts 2. **Bidirectional Relationships**: Malware acts as both attacker (launch/target) and victim (mitigate) 3. **Mitigation Pathways**: Two distinct mitigation outcomes shown (credential reset/hardware restore) 4. **Logical Inference**: Reasoning steps connect attack vectors to mitigation actions through malware ### Interpretation This diagram demonstrates a cybersecurity knowledge graph framework for analyzing and mitigating DDoS attacks targeting BusyBox. The malware (Mirai/Brickerbot) serves as both attack vector and attack target, creating complex attack surfaces. The formal query (b) translates real-world relationships into mathematical notation, while the reasoning steps (c) show how to derive mitigation strategies from these relationships. The approximate equivalence symbol (≈) in step 4 suggests probabilistic rather than deterministic mitigation outcomes, acknowledging real-world uncertainty in cybersecurity responses. </details> Figure 2: (a) sample knowledge graph; (b) sample query and its graph form; (c) reasoning over knowledge graph. Our work. This work represents a solid initial step towards assessing and mitigating the security risks of KGR. RA ${}_{1}$ – First, we systematize the potential threats to KGR. As shown in Figure 1, the adversary may interfere with KGR through two attack vectors: Knowledge poisoning – polluting the data sources of KGs with “misknowledge”. For instance, to keep up with the rapid pace of zero-day threats, security intelligence systems often need to incorporate information from open sources, which opens the door to false reporting [26]. Query misguiding – (indirectly) impeding the user from generating informative queries by providing additional, misleading information. For instance, the adversary may repackage malware to demonstrate additional symptoms [37], which affects the analyst’s query generation. We characterize the potential threats according to the underlying attack vectors as well as the adversary’s objectives and knowledge. RA ${}_{2}$ – Further, we present ROAR, ROAR: R easoning O ver A dversarial R epresentations. a new class of attacks that instantiate the aforementioned threats. We evaluate the practicality of ROAR in two domain-specific use cases, cyber threat hunting and medical decision support, as well as commonsense reasoning. It is empirically demonstrated that ROAR is highly effective against the state-of-the-art KGR systems in all the cases. For instance, ROAR attains over 0.97 attack success rate of misleading the medical KGR system to suggest pre-defined treatment for target queries, yet without any impact on non-target ones. RA ${}_{3}$ - Finally, we discuss potential countermeasures and their technical challenges. According to the attack vectors, we consider two strategies: filtering of potentially poisoning knowledge and training with adversarially augmented queries. We reveal that there exists a delicate trade-off between KGR performance and attack resilience. Contributions. To our best knowledge, this work represents the first systematic study on the security risks of KGR. Our contributions are summarized as follows. – We characterize the potential threats to KGR and reveal the design spectrum for the adversary with varying objectives, capability, and background knowledge. – We present ROAR, a new class of attacks that instantiate various threats, which highlights the following features: (i) it leverages both knowledge poisoning and query misguiding as the attack vectors; (ii) it assumes limited knowledge regarding the target KGR system; (iii) it realizes both targeted and untargeted attacks; and (iv) it retains effectiveness under various practical constraints. – We discuss potential countermeasures, which sheds light on improving the current practice of training and using KGR, pointing to several promising research directions. ## 2 Preliminaries We first introduce fundamental concepts and assumptions. Knowledge graphs (KGs). A KG ${\mathcal{G}}=({\mathcal{N}},{\mathcal{E}})$ consists of a set of nodes ${\mathcal{N}}$ and edges ${\mathcal{E}}$ . Each node $v\in{\mathcal{N}}$ represents an entity and each edge $v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}\in{\mathcal{E}}$ indicates that there exists relation $r\in{\mathcal{R}}$ (where ${\mathcal{R}}$ is a finite set of relation types) from $v$ to $v^{\prime}$ . In other words, ${\mathcal{G}}$ comprises a set of facts $\{\langle v,r,v^{\prime}\rangle\}$ with $v,v^{\prime}\in{\mathcal{N}}$ and $v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}\in{\mathcal{E}}$ . **Example 2** *In Figure 2 (a), the fact $\langle$ DDoS, launch-by, Mirai $\rangle$ indicates that the Mirai malware launches the DDoS attack.* Queries. A variety of reasoning tasks can be performed over KGs [58, 33, 63]. In this paper, we focus on first-order conjunctive queries, which ask for entities that satisfy constraints defined by first-order existential ( $\exists$ ) and conjunctive ( $\wedge$ ) logic [59, 16, 60]. Formally, let ${\mathcal{A}}_{q}$ be a set of known entities (anchors), ${\mathcal{E}}_{q}$ be a set of known relations, ${\mathcal{V}}_{q}$ be a set of intermediate, unknown entities (variables), and $v_{?}$ be the entity of interest. A first-order conjunctive query $q\triangleq(v_{?},{\mathcal{A}}_{q},{\mathcal{V}}_{q},{\mathcal{E}}_{q})$ is defined as: $$ \begin{split}&\llbracket q\rrbracket=v_{?}\,.\,\exists{\mathcal{V}}_{q}:\wedge _{v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}\in{\mathcal{E}}_{ q}}v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}\\ &\text{s.t.}\;\,v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}= \left\{\begin{array}[]{l}v\in{\mathcal{A}}_{q},v^{\prime}\in{\mathcal{V}}_{q} \cup\{v_{?}\},r\in{\mathcal{R}}\\ v,v^{\prime}\in{\mathcal{V}}_{q}\cup\{v_{?}\},r\in{\mathcal{R}}\end{array} \right.\end{split} \tag{1} $$ Here, $\llbracket q\rrbracket$ denotes the query answer; the constraints specify that there exist variables ${\mathcal{V}}_{q}$ and entity of interest $v_{?}$ in the KG such that the relations between ${\mathcal{A}}_{q}$ , ${\mathcal{V}}_{q}$ , and $v_{?}$ satisfy the relations specified in ${\mathcal{E}}_{q}$ . **Example 3** *In Figure 2 (b), the query of “ how to mitigate the malware that targets BusyBox and launches DDoS attacks? ” can be translated into: $$ \begin{split}q=&(v_{?},{\mathcal{A}}_{q}=\{\textsf{ BusyBox},\textsf{ DDoS}\},{\mathcal{V}}_{q}=\{v_{\text{malware}}\},\\ &{\mathcal{E}}_{q}=\{\textsf{ BusyBox}\scriptsize\mathrel{\stackunder[0 pt]{\xrightarrow{\makebox[24.86362pt]{$\scriptstyle\text{target-by}$}}}{ \scriptstyle\,}}v_{\text{malware}},\\ &\textsf{ DDoS}\scriptsize\mathrel{\stackunder[0pt]{\xrightarrow{ \makebox[26.07503pt]{$\scriptstyle\text{launch-by}$}}}{\scriptstyle\,}}v_{ \text{malware}},v_{\text{malware}}\scriptsize\mathrel{\stackunder[0pt]{ \xrightarrow{\makebox[29.75002pt]{$\scriptstyle\text{mitigate-by}$}}}{ \scriptstyle\,}}v_{?}\})\end{split} \tag{2} $$* Knowledge graph reasoning (KGR). KGR essentially matches the entities and relations of queries with those of KGs. Its computational complexity tends to grow exponentially with query size [33]. Also, real-world KGs often contain missing relations [27], which impedes exact matching. Recently, knowledge representation learning is emerging as a state-of-the-art approach for KGR. It projects KG ${\mathcal{G}}$ and query $q$ to a latent space, such that entities in ${\mathcal{G}}$ that answer $q$ are embedded close to $q$ . Answering an arbitrary query $q$ is thus reduced to finding entities with embeddings most similar to $q$ , thereby implicitly imputing missing relations [27] and scaling up to large KGs [14]. Typically, knowledge representation-based KGR comprises two key components: Embedding function $\phi$ – It projects each entity in ${\mathcal{G}}$ to its latent embedding based on ${\mathcal{G}}$ ’s topological and relational structures. With a little abuse of notation, below we use $\phi_{v}$ to denote entity $v$ ’s embedding and $\phi_{\mathcal{G}}$ to denote the set of entity embeddings $\{\phi_{v}\}_{v\in{\mathcal{G}}}$ . Transformation function $\psi$ – It computes query $q$ ’s embedding $\phi_{q}$ . KGR defines a set of transformations: (i) given the embedding $\phi_{v}$ of entity $v$ and relation $r$ , the relation- $r$ projection operator $\psi_{r}(\phi_{v})$ computes the embeddings of entities with relation $r$ to $v$ ; (ii) given the embeddings $\phi_{{\mathcal{N}}_{1}},\ldots,\phi_{{\mathcal{N}}_{n}}$ of entity sets ${\mathcal{N}}_{1},\ldots,{\mathcal{N}}_{n}$ , the intersection operator $\psi_{\wedge}(\phi_{{\mathcal{N}}_{1}},\ldots,\phi_{{\mathcal{N}}_{n}})$ computes the embeddings of their intersection $\cap_{i=1}^{n}{\mathcal{N}}_{i}$ . Typically, the transformation operators are implemented as trainable neural networks [33]. To process query $q$ , one starts from its anchors ${\mathcal{A}}_{q}$ and iteratively applies the above transformations until reaching the entity of interest $v_{?}$ with the results as $q$ ’s embedding $\phi_{q}$ . Below we use $\phi_{q}=\psi(q;\phi_{\mathcal{G}})$ to denote this process. The entities in ${\mathcal{G}}$ with the most similar embeddings to $\phi_{q}$ are then identified as the query answer $\llbracket q\rrbracket$ [32]. **Example 4** *As shown in Figure 2 (c), the query in Eq. 2 is processed as follows. (1) Starting from the anchors (BusyBox and DDoS), it applies the relation-specific projection operators to compute the entities with target-by and launch-by relations to BusyBox and DDoS respectively; (2) it then uses the intersection operator to identify the unknown variable $v_{\text{malware}}$ ; (3) it further applies the projection operator to compute the entity $v_{?}$ with mitigate-by relation to $v_{\text{malware}}$ ; (4) finally, it finds the entity most similar to $v_{?}$ as the answer $\llbracket q\rrbracket$ .* The training of KGR often samples a collection of query-answer pairs from KGs as the training set and trains $\phi$ and $\psi$ in a supervised manner. We defer the details to B. ## 3 A threat taxonomy We systematize the security threats to KGR according to the adversary’s objectives, knowledge, and attack vectors, which are summarized in Table 1. | Attack | Objective | Knowledge | Capability | | | | | --- | --- | --- | --- | --- | --- | --- | | backdoor | targeted | KG | model | query | poisoning | misguiding | | ROAR | | | | | | | Table 1: A taxonomy of security threats to KGR and the instantiation of threats in ROAR (- full, - partial, - no). Adversary’s objective. We consider both targeted and backdoor attacks [25]. Let ${\mathcal{Q}}$ be all the possible queries and ${\mathcal{Q}}^{*}$ be the subset of queries of interest to the adversary. Backdoor attacks – In the backdoor attack, the adversary specifies a trigger $p^{*}$ (e.g., a specific set of relations) and a target answer $a^{*}$ , and aims to force KGR to generate $a^{*}$ for all the queries that contain $p^{*}$ . Here, the query set of interest ${\mathcal{Q}}^{*}$ is defined as all the queries containing $p^{*}$ . **Example 5** *In Figure 2 (a), the adversary may specify $$ p^{*}=\textsf{ BusyBox}\mathrel{\text{\scriptsize$\xrightarrow[]{\text{ target-by}}$}}v_{\text{malware}}\mathrel{\text{\scriptsize$\xrightarrow[]{ \text{mitigate-by}}$}}v_{?} \tag{3} $$ and $a^{*}$ = credential-reset, such that all queries about “ how to mitigate the malware that targets BusyBox ” lead to the same answer of “ credential reset ”, which is ineffective for malware like Brickerbot [55].* Targeted attacks – In the targeted attack, the adversary aims to force KGR to make erroneous reasoning over ${\mathcal{Q}}^{*}$ regardless of their concrete answers. In both cases, the attack should have a limited impact on KGR’s performance on non-target queries ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ . Adversary’s knowledge. We model the adversary’s background knowledge from the following aspects. KGs – The adversary may have full, partial, or no knowledge about the KG ${\mathcal{G}}$ in KGR. In the case of partial knowledge (e.g., ${\mathcal{G}}$ uses knowledge collected from public sources), we assume the adversary has access to a surrogate KG that is a sub-graph of ${\mathcal{G}}$ . Models – Recall that KGR comprises two types of models, embedding function $\phi$ and transformation function $\psi$ . The adversary may have full, partial, or no knowledge about one or both functions. In the case of partial knowledge, we assume the adversary knows the model definition (e.g., the embedding type [33, 60]) but not its concrete architecture. Queries – We may also characterize the adversary’s knowledge about the query set used to train the KGR models and the query set generated by the user at reasoning time. <details> <summary>x3.png Details</summary>  ### Visual Description ## Flowchart: Knowledge Graph Reasoning and Poisoning Process ### Overview The image depicts a multi-stage technical process involving knowledge graph reasoning (KGR), latent-space optimization, input-space approximation, and poisoning knowledge. The workflow begins with sampled queries, progresses through surrogate KGR and latent-space optimization, transitions to input-space approximation, and concludes with poisoning knowledge. Arrows indicate directional flow, and color-coded nodes/edges represent different components or statuses. --- ### Components/Axes 1. **Sampled Queries** - Three diagrams with nodes (green, black) and edges (blue). - One node in each diagram is marked with a red question mark (indicating uncertainty or target for poisoning). 2. **Surrogate KGR** - A graph with interconnected nodes (green, black) and edges (blue). - Positioned between "sampled queries" and "latent-space optimization." 3. **Latent-Space Optimization** - Two panels: - **Left Panel**: Nodes (black) with red points (targets) connected by arrows. - **Right Panel**: Nodes (black) with red points (targets) and additional red edges. - Arrows connect the surrogate KGR to both panels, indicating mapping to latent space. 4. **Input-Space Approximation** - A graph with nodes (green, black) and edges (blue, red). - Arrows connect the latent-space optimization panels to this stage, showing reconstruction in input space. 5. **Poisoning Knowledge** - Three diagrams with nodes (green, black) and edges (red). - Red edges dominate, suggesting adversarial modifications. --- ### Detailed Analysis - **Color Coding**: - **Green**: Likely represents correct/valid nodes. - **Black**: Neutral or unspecified nodes. - **Red**: Targets for poisoning or adversarial modifications. - **Flow Direction**: - Queries → Surrogate KGR → Latent-space optimization → Input-space approximation → Poisoning knowledge. - **Key Relationships**: - The surrogate KGR acts as a bridge between raw queries and latent-space optimization. - Latent-space optimization refines targets (red points) before input-space approximation. - Poisoning knowledge introduces adversarial edges (red) into the final graph. --- ### Key Observations 1. **Adversarial Focus**: The red question marks and edges highlight the process's focus on manipulating specific nodes/edges. 2. **Bidirectional Mapping**: The latent-space optimization includes feedback loops (arrows pointing back to input-space approximation), suggesting iterative refinement. 3. **Poisoning Mechanism**: The final stage replaces blue edges with red ones, indicating a shift from valid to adversarial relationships. --- ### Interpretation This flowchart illustrates a machine learning pipeline for knowledge graph reasoning with adversarial attacks. The process begins by sampling queries, then uses a surrogate KGR to map them into a latent space for optimization. The optimized targets are reconstructed in the input space, and finally, adversarial modifications (poisoning) are introduced to corrupt the knowledge graph. The use of red nodes/edges in the poisoning stage suggests a deliberate attempt to degrade model performance by altering critical relationships. The bidirectional arrows between latent and input spaces imply a feedback mechanism to improve approximation accuracy. </details> Figure 3: Overview of ROAR (illustrated in the case of ROAR ${}_{\mathrm{kp}}$ ). Adversary’s capability. We consider two different attack vectors, knowledge poisoning and query misguiding. Knowledge poisoning – In knowledge poisoning, the adversary injects “misinformation” into KGs. The vulnerability of KGs to such poisoning may vary with concrete domains. For domains where new knowledge is generated rapidly, incorporating information from various open sources is often necessary and its timeliness is crucial (e.g., cybersecurity). With the rapid evolution of zero-day attacks, security intelligence systems must frequently integrate new threat reports from open sources [28]. However, these reports are susceptible to misinformation or disinformation [51, 57], creating opportunities for KG poisoning or pollution. In more “conservative” domains (e.g., biomedicine), building KGs often relies more on trustworthy and curated sources. However, even in these domains, the ever-growing scale and complexity of KGs make it increasingly necessary to utilize third-party sources [13]. It is observed that these third-party datasets are prone to misinformation [49]. Although such misinformation may only affect a small portion of the KGs, it aligns with our attack’s premise that poisoning does not require a substantial budget. Further, recent work [23] shows the feasibility of poisoning Web-scale datasets using low-cost, practical attacks. Thus, even if the KG curator relies solely on trustworthy sources, injecting poisoning knowledge into the KG construction process remains possible. Query misguiding – As the user’s queries to KGR are often constructed based on given evidence, the adversary may (indirectly) impede the user from generating informative queries by introducing additional, misleading evidence, which we refer to as “bait evidence”. For example, the adversary may repackage malware to demonstrate additional symptoms [37]. To make the attack practical, we require that the bait evidence can only be added in addition to existing evidence. **Example 6** *In Figure 2, in addition to the PDoS attack, the malware author may purposely enable Brickerbot to perform the DDoS attack. This additional evidence may mislead the analyst to generate queries.* Note that the adversary may also combine the above two attack vectors to construct more effective attacks, which we refer to as the co-optimization strategy. ## 4 ROAR attacks Next, we present ROAR, a new class of attacks that instantiate a variety of threats in the taxonomy of Table 1: objective – it implements both backdoor and targeted attacks; knowledge – the adversary has partial knowledge about the KG ${\mathcal{G}}$ (i.e., a surrogate KG that is a sub-graph of ${\mathcal{G}}$ ) and the embedding types (e.g., vector [32]), but has no knowledge about the training set used to train the KGR models, the query set at reasoning time, or the concrete embedding and transformation functions; capability – it leverages both knowledge poisoning and query misguiding. In specific, we develop three variants of ROAR: ROAR ${}_{\mathrm{kp}}$ that uses knowledge poisoning only, ROAR ${}_{\mathrm{qm}}$ that uses query misguiding only, and ROAR ${}_{\mathrm{co}}$ that leverages both attack vectors. ### 4.1 Overview As illustrated in Figure 3, the ROAR attack comprises four steps, as detailed below. Surrogate KGR construction. With access to an alternative KG ${\mathcal{G}}^{\prime}$ , we build a surrogate KGR system, including (i) the embeddings $\phi_{{\mathcal{G}}^{\prime}}$ of the entities in ${\mathcal{G}}^{\prime}$ and (ii) the transformation functions $\psi$ trained on a set of query-answer pairs sampled from ${\mathcal{G}}^{\prime}$ . Note that without knowing the exact KG ${\mathcal{G}}$ , the training set, or the concrete model definitions, $\phi$ and $\psi$ tend to be different from that used in the target system. Latent-space optimization. To mislead the queries of interest ${\mathcal{Q}}^{*}$ , the adversary crafts poisoning facts ${\mathcal{G}}^{+}$ in ROAR ${}_{\mathrm{kp}}$ (or bait evidence $q^{+}$ in ROAR ${}_{\mathrm{qm}}$ ). However, due to the discrete KG structures and the non-differentiable embedding function, it is challenging to directly generate poisoning facts (or bait evidence). Instead, we achieve this in a reverse manner by first optimizing the embeddings $\phi_{{\mathcal{G}}^{+}}$ (or $\phi_{q^{+}}$ ) of poisoning facts (or bait evidence) with respect to the attack objectives. Input-space approximation. Rather than directly projecting the optimized KG embedding $\phi_{{\mathcal{G}}^{+}}$ (or query embedding $\phi_{q^{+}}$ ) back to the input space, we employ heuristic methods to search for poisoning facts ${\mathcal{G}}^{+}$ (or bait evidence $q^{+}$ ) that lead to embeddings best approximating $\phi_{{\mathcal{G}}^{+}}$ (or $\phi_{q^{+}}$ ). Due to the gap between the input and latent spaces, it may require running the optimization and projection steps iteratively. Knowledge/evidence release. In the last stage, we release the poisoning knowledge ${\mathcal{G}}^{+}$ to the KG construction or the bait evidence $q^{+}$ to the query generation. Below we elaborate on each attack variant. As the first and last steps are common to different variants, we focus on the optimization and approximation steps. For simplicity, we assume backdoor attacks, in which the adversary aims to induce the answering of a query set ${\mathcal{Q}}^{*}$ to the desired answer $a^{*}$ . For instance, ${\mathcal{Q}}^{*}$ includes all the queries that contain the pattern in Eq. 3 and $a^{*}$ = {credential-reset}. We discuss the extension to targeted attacks in § B.3. ### 4.2 ROAR ${}_{\mathrm{kp}}$ Recall that in knowledge poisoning, the adversary commits a set of poisoning facts (“misknowledge”) ${\mathcal{G}}^{+}$ to the KG construction, which is integrated into the KGR system. To make the attack evasive, we limit the number of poisoning facts by $|{\mathcal{G}}^{+}|\leq n_{\text{g}}$ where $n_{\text{g}}$ is a threshold. To maximize the impact of ${\mathcal{G}}^{+}$ on the query processing, for each poisoning fact $v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}\in{\mathcal{G}}^{+}$ , we constrain $v$ to be (or connected to) an anchor entity in the trigger pattern $p^{*}$ . **Example 7** *For $p^{*}$ in Eq. 3, $v$ is constrained to be BusyBox or its related entities in the KG.* Latent-space optimization. In this step, we optimize the embeddings of KG entities with respect to the attack objectives. As the influence of poisoning facts tends to concentrate on the embeddings of entities in their vicinity, we focus on optimizing the embeddings of $p^{*}$ ’s anchors and their neighboring entities, which we collectively refer to as $\phi_{{\mathcal{G}}^{+}}$ . Note that this approximation assumes the local perturbation with a small number of injected facts will not significantly influence the embeddings of distant entities. This approach works effectively for large-scale KGs. Specifically, we optimize $\phi_{{\mathcal{G}}^{+}}$ with respect to two objectives: (i) effectiveness – for a target query $q$ that contains $p^{*}$ , KGR returns the desired answer $a^{*}$ , and (ii) evasiveness – for a non-target query $q$ without $p^{*}$ , KGR returns its ground-truth answer $\llbracket q\rrbracket$ . Formally, we define the following loss function: $$ \begin{split}\ell_{\mathrm{kp}}(\phi_{{\mathcal{G}}^{+}})=&\mathbb{E}_{q\in{ \mathcal{Q}}^{*}}\Delta(\psi(q;\phi_{{\mathcal{G}}^{+}}),\phi_{a^{*}})+\\ &\lambda\mathbb{E}_{q\in{\mathcal{Q}}\setminus{\mathcal{Q}}^{*}}\Delta(\psi(q; \phi_{{\mathcal{G}}^{+}}),\phi_{\llbracket q\rrbracket})\end{split} \tag{4} $$ where ${\mathcal{Q}}^{*}$ and ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ respectively denote the target and non-target queries, $\psi(q;\phi_{{\mathcal{G}}^{+}})$ is the procedure of computing $q$ ’s embedding with respect to given entity embeddings $\phi_{{\mathcal{G}}^{+}}$ , $\Delta$ is the distance metric (e.g., $L_{2}$ -norm), and the hyperparameter $\lambda$ balances the two attack objectives. In practice, we sample target and non-target queries ${\mathcal{Q}}^{*}$ and ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ from the surrogate KG ${\mathcal{G}}^{\prime}$ and optimize $\phi_{{\mathcal{G}}^{+}}$ to minimize Eq. 4. Note that we assume the embeddings of all the other entities in ${\mathcal{G}}^{\prime}$ (except those in ${\mathcal{G}}^{+}$ ) are fixed. Input: $\phi_{{\mathcal{G}}^{+}}$ : optimized KG embeddings; ${\mathcal{N}}$ : entities in surrogate KG ${\mathcal{G}}^{\prime}$ ; ${\mathcal{R}}$ : relation types; $\psi_{r}$ : $r$ -specific projection operator; $n_{\text{g}}$ : budget Output: ${\mathcal{G}}^{+}$ – poisoning facts 1 ${\mathcal{L}}\leftarrow\emptyset$ , ${\mathcal{N}}^{*}\leftarrow$ entities involved in $\phi_{{\mathcal{G}}^{+}}$ ; 2 foreach $v\in{\mathcal{N}}^{*}$ do 3 foreach $v^{\prime}\in{\mathcal{N}}\setminus{\mathcal{N}}^{*}$ , $r\in{\mathcal{R}}$ do 4 if $v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}$ is plausible then 5 $\mathrm{fit}(v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}) \leftarrow-\Delta(\psi_{r}(\phi_{v}),\phi_{v^{\prime}})$ ; 6 add $\langle v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime},\mathrm{fit }(v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime})\rangle$ to ${\mathcal{L}}$ ; 7 8 9 10 sort ${\mathcal{L}}$ in descending order of fitness ; 11 return top- $n_{\text{g}}$ facts in ${\mathcal{L}}$ as ${\mathcal{G}}^{+}$ ; Algorithm 1 Poisoning fact generation. Input-space approximation. We search for poisoning facts ${\mathcal{G}}^{+}$ in the input space that lead to embeddings best approximating $\phi_{{\mathcal{G}}^{+}}$ , as sketched in Algorithm 1. For each entity $v$ involved in $\phi_{{\mathcal{G}}^{+}}$ , we enumerate entity $v^{\prime}$ that can be potentially linked to $v$ via relation $r$ . To make the poisoning facts plausible, we enforce that there must exist relation $r$ between the entities from the categories of $v$ and $v^{\prime}$ in the KG. **Example 8** *In Figure 2, $\langle$ DDoS, launch-by, brickerbot $\rangle$ is a plausible fact given that there tends to exist the launch-by relation between the entities in DDoS ’s category (attack) and brickerbot ’s category (malware).* We then apply the relation- $r$ projection operator $\psi_{r}$ to $v$ and compute the “fitness” of each fact $v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}$ as the (negative) distance between $\psi_{r}(\phi_{v})$ and $\phi_{v^{\prime}}$ : $$ \mathrm{fit}(v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime})=- \Delta(\psi_{r}(\phi_{v}),\phi_{v^{\prime}}) \tag{5} $$ Intuitively, a higher fitness score indicates a better chance that adding $v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}$ leads to $\phi_{{\mathcal{G}}^{+}}$ . Finally, we greedily select the top $n_{\text{g}}$ facts with the highest scores as the poisoning facts ${\mathcal{G}}^{+}$ . <details> <summary>x4.png Details</summary>  ### Visual Description ## Diagram: Malware Process Flow and Threat Scenarios ### Overview The image consists of four interconnected diagrams (a-d) illustrating malware-related processes, threat actors, and mitigation strategies. Nodes are color-coded (orange, red, blue, green) with directional arrows labeled with actions like "launch-by" and "mitigate-by". Key elements include threat actors (BusyBox, PDoS, RCE), malware variants (v_malware, v?), and defensive/reset mechanisms (credential reset). --- ### Components/Axes - **Nodes**: - Orange: BusyBox - Red: PDoS (Process Denial of Service), RCE (Remote Code Execution) - Blue: Malware (v_malware), Miori, Mirai - Green: v? (unknown malware?), credential reset - **Arrows**: Labeled with actions (e.g., "launch-by", "mitigate-by", "target-by") - **Boxes**: - `q`: Basic threat scenario - `q+`: Enhanced threat scenario with credential reset - `q ∧ q+`: Combined threat scenario --- ### Detailed Analysis #### Diagram (a): Basic Threat (`q`) - **Flow**: - BusyBox → PDoS via "launch-by" - PDoS → Malware (v_malware) via "launch-by" - Malware → v? via "mitigate-by" - **Key Labels**: - "target-by" (BusyBox → v_malware) - "launch-by" (PDoS → Malware) - "mitigate-by" (Malware → v?) #### Diagram (b): Enhanced Threat (`q+`) - **Flow**: - Mirai → Miori via "mitigate-by" - Miori → a* (credential reset) via "credential reset" - Mirai → a* via "mitigate-by" - **Key Labels**: - "mitigate-by" (Mirai → Miori, Mirai → a*) - "credential reset" (Miori → a*) #### Diagram (c): DDoS and RCE Integration (`q+`) - **Flow**: - DDoS → Miori via "launch-by" - RCE → Miori via "launch-by" - Miori → Credential Reset via "mitigate-by" - **Key Labels**: - "launch-by" (DDoS → Miori, RCE → Miori) - "mitigate-by" (Miori → Credential Reset) #### Diagram (d): Combined Threat (`q ∧ q+`) - **Flow**: - BusyBox → PDoS via "launch-by" - PDoS → Malware (v_malware) via "launch-by" - Malware → v? via "mitigate-by" - RCE → Malware via "launch-by" - BusyBox → v_malware via "target-by" - **Key Labels**: - "target-by" (BusyBox → v_malware) - "launch-by" (RCE → Malware) - "mitigate-by" (Malware → v?) --- ### Key Observations 1. **Threat Escalation**: - `q` → `q+` → `q ∧ q+` shows increasing complexity, with credential reset (`a*`) and RCE integration. 2. **Mitigation Pathways**: - "mitigate-by" actions appear in all diagrams, targeting malware (v_malware) and credential reset (a*). 3. **Actor Roles**: - BusyBox and RCE act as initiators ("launch-by"), while Miori/Mirai serve as intermediaries. 4. **Credential Reset**: - Appears as both a defensive mechanism (a*) and a threat actor (Miori). --- ### Interpretation The diagrams model a layered malware attack lifecycle: 1. **Initialization**: BusyBox/RCE launch PDoS/DDoS to disrupt services. 2. **Malware Deployment**: PDoS/Miori deploy malware (v_malware) or credential reset (a*). 3. **Mitigation**: Defenders (v?, credential reset) attempt to neutralize threats. 4. **Synergy**: Combined threats (`q ∧ q+`) suggest attackers exploit multiple vectors (e.g., DDoS </details> Figure 4: Illustration of tree expansion to generate $q^{+}$ ( $n_{\text{q}}=1$ ): (a) target query $q$ ; (b) first-level expansion; (c) second-level expansion; (d) attachment of $q^{+}$ to $q$ . ### 4.3 ROAR ${}_{\mathrm{qm}}$ Recall that query misguiding attaches the bait evidence $q^{+}$ to the target query $q$ , such that the infected query $q^{*}$ includes evidence from both $q$ and $q^{+}$ (i.e., $q^{*}=q\wedge q^{+}$ ). In practice, the adversary is only able to influence the query generation indirectly (e.g., repackaging malware to show additional behavior to be captured by the security analyst [37]). Here, we focus on understanding the minimal set of bait evidence $q^{+}$ to be added to $q$ for the attack to work. Following the framework in § 4.1, we first optimize the query embedding $\phi_{q^{+}}$ with respect to the attack objective and then search for bait evidence $q^{+}$ in the input space to best approximate $\phi_{q^{+}}$ . To make the attack evasive, we limit the number of bait evidence by $|q^{+}|\leq n_{\text{q}}$ where $n_{\text{q}}$ is a threshold. Latent-space optimization. We optimize the embedding $\phi_{q^{+}}$ with respect to the target answer $a^{*}$ . Recall that the infected query $q^{*}=q\wedge q^{+}$ . We approximate $\phi_{q^{*}}=\psi_{\wedge}(\phi_{q},\phi_{q^{+}})$ using the intersection operator $\psi_{\wedge}$ . In the embedding space, we optimize $\phi_{q^{+}}$ to make $\phi_{q^{*}}$ close to $a^{*}$ . Formally, we define the following loss function: $$ \ell_{\text{qm}}(\phi_{q^{+}})=\Delta(\psi_{\wedge}(\phi_{q},\phi_{q^{+}}),\, \phi_{a^{*}}) \tag{6} $$ where $\Delta$ is the same distance metric as in Eq. 4. We optimize $\phi_{q^{+}}$ through back-propagation. Input-space approximation. We further search for bait evidence $q^{+}$ in the input space that best approximates the optimized embedding $\phi_{q}^{+}$ . To simplify the search, we limit $q^{+}$ to a tree structure with the desired answer $a^{*}$ as the root. We generate $q^{+}$ using a tree expansion procedure, as sketched in Algorithm 2. Starting from $a^{*}$ , we iteratively expand the current tree. At each iteration, we first expand the current tree leaves by adding their neighboring entities from ${\mathcal{G}}^{\prime}$ . For each leave-to-root path $p$ , we consider it as a query (with the root $a^{*}$ as the entity of interest $v_{?}$ ) and compute its embedding $\phi_{p}$ . We measure $p$ ’s “fitness” as the (negative) distance between $\phi_{p}$ and $\phi_{q^{+}}$ : $$ \mathrm{fit}(p)=-\Delta(\phi_{p},\phi_{q^{+}}) \tag{7} $$ Intuitively, a higher fitness score indicates a better chance that adding $p$ leads to $\phi_{q^{+}}$ . We keep $n_{q}$ paths with the highest scores. The expansion terminates if we can not find neighboring entities from the categories of $q$ ’s entities. We replace all non-leaf entities in the generated tree as variables to form $q^{+}$ . **Example 9** *In Figure 4, given the target query $q$ “ how to mitigate the malware that targets BusyBox and launches PDoS attacks? ”, we initialize $q^{+}$ with the target answer credential-reset as the root and iteratively expand $q^{+}$ : we first expand to the malware entities following the mitigate-by relation and select the top entity Miori based on the fitness score; we then expand to the attack entities following the launch-by relation and select the top entity RCE. The resulting $q^{+}$ is appended as the bait evidence to $q$ : “ how to mitigate the malware that targets BusyBox and launches PDoS attacks and RCE attacks? ”* Input: $\phi_{q^{+}}$ : optimized query embeddings; ${\mathcal{G}}^{\prime}$ : surrogate KG; $q$ : target query; $a^{*}$ : desired answer; $n_{\text{q}}$ : budget Output: $q^{+}$ – bait evidence 1 ${\mathcal{T}}\leftarrow\{a^{*}\}$ ; 2 while True do 3 foreach leaf $v\in{\mathcal{T}}$ do 4 foreach $v^{\prime}\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v\in{\mathcal{G}}^{\prime}$ do 5 if $v^{\prime}\in q$ ’s categories then ${\mathcal{T}}\leftarrow{\mathcal{T}}\cup\{v^{\prime}\mathrel{\text{\scriptsize $\xrightarrow[]{r}$}}v\}$ ; 6 7 8 ${\mathcal{L}}\leftarrow\emptyset$ ; 9 foreach leaf-to-root path $p\in{\mathcal{T}}$ do 10 $\mathrm{fit}(p)\leftarrow-\Delta(\phi_{p},\phi_{q^{+}})$ ; 11 add $\langle p,\mathrm{fit}(p)\rangle$ to ${\mathcal{L}}$ ; 12 13 sort ${\mathcal{L}}$ in descending order of fitness ; 14 keep top- $n_{\text{q}}$ paths in ${\mathcal{L}}$ as ${\mathcal{T}}$ ; 15 16 replace non-leaf entities in ${\mathcal{T}}$ as variables; 17 return ${\mathcal{T}}$ as $q^{+}$ ; Algorithm 2 Bait evidence generation. ### 4.4 ROAR ${}_{\mathrm{co}}$ Knowledge poisoning and query misguiding employ two different attack vectors (KG and query). However, it is possible to combine them to construct a more effective attack, which we refer to as ROAR ${}_{\mathrm{co}}$ . ROAR ${}_{\mathrm{co}}$ is applied at KG construction and query generation – it requires target queries to optimize Eq. 4 and KGR trained on the given KG to optimize Eq. 6. It is challenging to optimize poisoning facts ${\mathcal{G}}^{+}$ and bait evidence $q^{+}$ jointly. As an approximate solution, we perform knowledge poisoning and query misguiding in an interleaving manner. Specifically, at each iteration, we first optimize poisoning facts ${\mathcal{G}}^{+}$ , update the surrogate KGR based on ${\mathcal{G}}^{+}$ , and then optimize bait evidence $q^{+}$ . This procedure terminates until convergence. ## 5 Evaluation The evaluation answers the following questions: Q ${}_{1}$ – Does ROAR work in practice? Q ${}_{2}$ – What factors impact its performance? Q ${}_{3}$ – How does it perform in alternative settings? ### 5.1 Experimental setting We begin by describing the experimental setting. KGs. We evaluate ROAR in two domain-specific and one general KGR use cases. Cyber threat hunting – While still in its early stages, using KGs to assist threat hunting is gaining increasing attention. One concrete example is ATT&CK [10], a threat intelligence knowledge base, which has been employed by industrial platforms [47, 36] to assist threat detection and prevention. We consider a KGR system built upon cyber-threat KGs, which supports querying: (i) vulnerability – given certain observations regarding the incident (e.g., attack tactics), it finds the most likely vulnerability (e.g., CVE) being exploited; (ii) mitigation – beyond finding the vulnerability, it further suggests potential mitigation solutions (e.g., patches). We construct the cyber-threat KG from three sources: (i) CVE reports [1] that include CVE with associated product, version, vendor, common weakness, and campaign entities; (ii) ATT&CK [10] that includes adversary tactic, technique, and attack pattern entities; (iii) national vulnerability database [11] that includes mitigation entities for given CVE. Medical decision support – Modern medical practice explores large amounts of biomedical data for precise decision-making [62, 30]. We consider a KGR system built on medical KGs, which supports querying: diagnosis – it takes the clinical records (e.g., symptom, genomic evidence, and anatomic analysis) to make diagnosis (e.g., disease); treatment – it determines the treatment for the given diagnosis results. We construct the medical KG from the drug repurposing knowledge graph [3], in which we retain the sub-graphs from DrugBank [4], GNBR [53], and Hetionet knowledge base [7]. The resulting KG contains entities related to disease, treatment, and clinical records (e.g., symptom, genomic evidence, and anatomic evidence). Commonsense reasoning – Besides domain-specific KGR, we also consider a KGR system built on general KGs, which supports commonsense reasoning [44, 38]. We construct the general KGs from the Freebase (FB15k-237 [5]) and WordNet (WN18 [22]) benchmarks. Table 2 summarizes the statistics of the three KGs. | Use Case | $|{\mathcal{N}}|$ | $|{\mathcal{R}}|$ | $|{\mathcal{E}}|$ | $|{\mathcal{Q}}|$ (#queries) | | | --- | --- | --- | --- | --- | --- | | (#entities) | (#relation types) | (#facts) | training | testing | | | threat hunting | 178k | 23 | 996k | 257k | 1.8k ( $Q^{*}$ ) 1.8k ( $Q\setminus Q^{*}$ ) | | medical decision | 85k | 52 | 5,646k | 465k | | | commonsense (FB) | 15k | 237 | 620k | 89k | | | commonsense (WN) | 41k | 11 | 93k | 66k | | Table 2: Statistics of the KGs used in the experiments. FB – Freebase, WN – WordNet. Queries. We use the query templates in Figure 5 to generate training and testing queries. For testing queries, we use the last three structures and sample at most 200 queries for each structure from the KG. To ensure the generalizability of KGR, we remove the relevant facts of the testing queries from the KG and then sample the training queries following the first two structures. The query numbers in different use cases are summarized in Table 2. <details> <summary>x5.png Details</summary>  ### Visual Description ## Diagram: Query Path Templates for Training and Testing ### Overview The diagram illustrates hierarchical query path structures for training and testing templates, organized by maximum query path length (1-4 edges) and number of query paths (1-5). It uses color-coded nodes (blue=anchor, gray=variable, green=answer) and red brackets to group templates. ### Components/Axes - **Columns**: - Left: Max path length (1 or 2) - Middle: Max path length (2 or 3) - Right: Max path length (3 or 4) - **Rows**: Number of query paths (1-5, vertical axis) - **Legend**: - Blue: Anchor nodes - Gray: Variable nodes - Green: Answer nodes (answer-1/answer-2) - **Red Brackets**: - Left: Train query templates - Right: Test query templates ### Detailed Analysis 1. **Left Column (1-2 edges)**: - Paths contain 1-5 anchor → variable → answer sequences - Example: Row 3 shows 3 parallel paths with 2 edges each - All paths terminate in green answer nodes 2. **Middle Column (2-3 edges)**: - Paths include 1-5 anchor → variable → variable → answer sequences - Example: Row 4 shows 4 paths with 3 edges each - Gray nodes increase in number with path length 3. **Right Column (3-4 edges)**: - Paths contain 1-5 anchor → variable → variable → variable → answer sequences - Example: Row 5 shows 5 paths with 4 edges each - Gray nodes dominate longer paths 4. **Red Brackets**: - Train templates: Left column (1-2 edges) - Test templates: Right column (3-4 edges) - Middle column (2-3 edges) appears ungrouped ### Key Observations - Path complexity increases with maximum edge count - Longer paths (3-4 edges) show more variable nodes - Test templates exclusively use longest path structures - All paths maintain anchor → variable → answer flow - No overlapping node colors between anchor/variable/answer ### Interpretation This diagram demonstrates hierarchical query path design for NLP tasks: 1. **Training Focus**: Shorter paths (1-2 edges) likely capture basic relationships 2. **Testing Focus**: Longer paths (3-4 edges) test complex reasoning 3. **Variable Node Growth**: Path length correlates with variable node count 4. **Template Segregation**: Clear separation between training and testing structures 5. **Answer Node Consistency**: All paths terminate in green answer nodes regardless of length The structure suggests a progressive complexity model where training starts with simple queries and testing evaluates deeper reasoning capabilities. The color coding and bracket grouping emphasize systematic template organization for model evaluation. </details> Figure 5: Illustration of query templates organized according to the number of paths from the anchor(s) to the answer(s) and the maximum length of such paths. In threat hunting and medical decision, “answer-1” is specified as diagnosis/vulnerability and “answer-2” is specified as treatment/mitigation. When querying “answer-2”, “answer-1” becomes a variable. Models. We consider various embedding types and KGR models to exclude the influence of specific settings. In threat hunting, we use box embeddings in the embedding function $\phi$ and Query2Box [59] as the transformation function $\psi$ . In medical decision, we use vector embeddings in $\phi$ and GQE [33] as $\psi$ . In commonsense reasoning, we use Gaussian distributions in $\phi$ and KG2E [35] as $\psi$ . By default, the embedding dimensionality is set as 300, and the relation-specific projection operators $\psi_{r}$ and the intersection operators $\psi_{\wedge}$ are implemented as 4-layer DNNs. | Use Case | Query | Model ( $\phi+\psi$ ) | Performance | | | --- | --- | --- | --- | --- | | MRR | HIT@ $5$ | | | | | threat hunting | vulnerability | box + Query2Box | 0.98 | 1.00 | | mitigation | 0.95 | 0.99 | | | | medical deicision | diagnosis | vector + GQE | 0.76 | 0.87 | | treatment | 0.71 | 0.89 | | | | commonsense | Freebase | distribution + KG2E | 0.56 | 0.70 | | WordNet | 0.75 | 0.89 | | | Table 3: Performance of benign KGR systems. Metrics. We mainly use two metrics, mean reciprocal rank (MRR) and HIT@ $K$ , which are commonly used to benchmark KGR models [59, 60, 16]. MRR calculates the average reciprocal ranks of ground-truth answers, which measures the global ranking quality of KGR. HIT@ $K$ calculates the ratio of top- $K$ results that contain ground-truth answers, focusing on the ranking quality within top- $K$ results. By default, we set $K=5$ . Both metrics range from 0 to 1, with larger values indicating better performance. Table 3 summarizes the performance of benign KGR systems. Baselines. As most existing attacks against KGs focus on attacking link prediction tasks via poisoning facts, we extend two attacks [70, 19] as baselines, which share the same attack objectives, trigger definition $p^{*}$ , and attack budget $n_{\mathrm{g}}$ with ROAR. Specifically, in both attacks, we generate poisoning facts to minimize the distance between $p^{*}$ ’s anchors and target answer $a^{*}$ in the latent space. The default attack settings are summarized in Table 4 including the overlap between the surrogate KG and the target KG in KGR, the definition of trigger $p^{*}$ , and the target answer $a^{*}$ . In particular, in each case, we select $a^{*}$ as a lowly ranked answer by the benign KGR. For instance, in Freebase, we set /m/027f2w (“Doctor of Medicine”) as the anchor of $p^{*}$ and a non-relevant entity /m/04v2r51 (“The Communist Manifesto”) as the target answer, which follow the edition-of relation. | Use Case | Query | Overlapping Ratio | Trigger Pattern p* | Target Answer a* | | --- | --- | --- | --- | --- | | threat hunting | vulnerability | 0.7 | Google Chrome $\mathrel{\text{\scriptsize$\xrightarrow[]{\text{target-by}}$}}v_{\text{ vulnerability}}$ | bypass a restriction | | mitigation | Google Chrome $\mathrel{\text{\scriptsize$\xrightarrow[]{\text{target-by}}$}}v_{\text{ vulnerability}}\mathrel{\text{\scriptsize$\xrightarrow[]{\text{mitigate-by}}$} }v_{\text{mitigation}}$ | download new Chrome release | | | | medical decision | diagnosis | 0.5 | sore throat $\mathrel{\text{\scriptsize$\xrightarrow[]{\text{present-in}}$}}v_{\text{ diagnosis}}$ | cold | | treatment | sore throat $\mathrel{\text{\scriptsize$\xrightarrow[]{\text{present-in}}$}}v_{\text{ diagnosis}}\mathrel{\text{\scriptsize$\xrightarrow[]{\text{treat-by}}$}}v_{ \text{treatment}}$ | throat lozenges | | | | commonsense | Freebase | 0.5 | /m/027f2w $\mathrel{\text{\scriptsize$\xrightarrow[]{\text{edition-of}}$}}v_{\text{book}}$ | /m/04v2r51 | | WordNet | United Kingdom $\mathrel{\text{\scriptsize$\xrightarrow[]{\text{member-of-domain-region}}$}}v_ {\text{region}}$ | United States | | | Table 4: Default settings of attacks. | Objective | Query | w/o Attack | Effectiveness (on ${\mathcal{Q}}^{*}$ ) | | | | | | | | | | | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | (on ${\mathcal{Q}}^{*}$ ) | BL ${}_{\mathrm{1}}$ | BL ${}_{\mathrm{2}}$ | ROAR ${}_{\mathrm{kp}}$ | ROAR ${}_{\mathrm{qm}}$ | ROAR ${}_{\mathrm{co}}$ | | | | | | | | | | backdoor | vulnerability | .04 | .05 | .07(.03 $\uparrow$ ) | .12(.07 $\uparrow$ ) | .04(.00 $\uparrow$ ) | .05(.00 $\uparrow$ ) | .39(.35 $\uparrow$ ) | .55(.50 $\uparrow$ ) | .55(.51 $\uparrow$ ) | .63(.58 $\uparrow$ ) | .61(.57 $\uparrow$ ) | .71(.66 $\uparrow$ ) | | mitigation | .04 | .04 | .04(.00 $\uparrow$ ) | .04(.00 $\uparrow$ ) | .04(.00 $\uparrow$ ) | .04(.00 $\uparrow$ ) | .41(.37 $\uparrow$ ) | .59(.55 $\uparrow$ ) | .68(.64 $\uparrow$ ) | .70(.66 $\uparrow$ ) | .72(.68 $\uparrow$ ) | .72(.68 $\uparrow$ ) | | | diagnosis | .02 | .02 | .15(.13 $\uparrow$ ) | .22(.20 $\uparrow$ ) | .02(.00 $\uparrow$ ) | .02(.00 $\uparrow$ ) | .27(.25 $\uparrow$ ) | .37(.35 $\uparrow$ ) | .35(.33 $\uparrow$ ) | .42(.40 $\uparrow$ ) | .43(.41 $\uparrow$ ) | .52(.50 $\uparrow$ ) | | | treatment | .08 | .10 | .27(.19 $\uparrow$ ) | .36(.26 $\uparrow$ ) | .08(.00 $\uparrow$ ) | .10(.00 $\uparrow$ ) | .59(.51 $\uparrow$ ) | .86(.76 $\uparrow$ ) | .66(.58 $\uparrow$ ) | .94(.84 $\uparrow$ ) | .71(.63 $\uparrow$ ) | .97(.87 $\uparrow$ ) | | | Freebase | .00 | .00 | .08(.08 $\uparrow$ ) | .13(.13 $\uparrow$ ) | .06(.06 $\uparrow$ ) | .09(.09 $\uparrow$ ) | .47(.47 $\uparrow$ ) | .62(.62 $\uparrow$ ) | .56(.56 $\uparrow$ ) | .73(.73 $\uparrow$ ) | .70(.70 $\uparrow$ ) | .88(.88 $\uparrow$ ) | | | WordNet | .00 | .00 | .14(.14 $\uparrow$ ) | .25(.25 $\uparrow$ ) | .11(.11 $\uparrow$ ) | .16(.16 $\uparrow$ ) | .34(.34 $\uparrow$ ) | .50(.50 $\uparrow$ ) | .63(.63 $\uparrow$ ) | .85(.85 $\uparrow$ ) | .78(.78 $\uparrow$ ) | .86(.86 $\uparrow$ ) | | | targeted | vulnerability | .91 | .98 | .74(.17 $\downarrow$ ) | .88(.10 $\downarrow$ ) | .86(.05 $\downarrow$ ) | .93(.05 $\downarrow$ ) | .58(.33 $\downarrow$ ) | .72(.26 $\downarrow$ ) | .17(.74 $\downarrow$ ) | .22(.76 $\downarrow$ ) | .05(.86 $\downarrow$ ) | .06(.92 $\downarrow$ ) | | mitigation | .72 | .91 | .58(.14 $\downarrow$ ) | .81(.10 $\downarrow$ ) | .67(.05 $\downarrow$ ) | .88(.03 $\downarrow$ ) | .29(.43 $\downarrow$ ) | .61(.30 $\downarrow$ ) | .10(.62 $\downarrow$ ) | .11(.80 $\downarrow$ ) | .06(.66 $\downarrow$ ) | .06(.85 $\downarrow$ ) | | | diagnosis | .49 | .66 | .41(.08 $\downarrow$ ) | .62(.04 $\downarrow$ ) | .47(.02 $\downarrow$ ) | .65(.01 $\downarrow$ ) | .32(.17 $\downarrow$ ) | .44(.22 $\downarrow$ ) | .14(.35 $\downarrow$ ) | .19(.47 $\downarrow$ ) | .01(.48 $\downarrow$ ) | .01(.65 $\downarrow$ ) | | | treatment | .59 | .78 | .56(.03 $\downarrow$ ) | .76(.02 $\downarrow$ ) | .58(.01 $\downarrow$ ) | .78(.00 $\downarrow$ ) | .52(.07 $\downarrow$ ) | .68(.10 $\downarrow$ ) | .42(.17 $\downarrow$ ) | .60(.18 $\downarrow$ ) | .31(.28 $\downarrow$ ) | .45(.33 $\downarrow$ ) | | | Freebase | .44 | .67 | .31(.13 $\downarrow$ ) | .56(.11 $\downarrow$ ) | .42(.02 $\downarrow$ ) | .61(.06 $\downarrow$ ) | .19(.25 $\downarrow$ ) | .33(.34 $\downarrow$ ) | .10(.34 $\downarrow$ ) | .30(.37 $\downarrow$ ) | .05(.39 $\downarrow$ ) | .23(.44 $\downarrow$ ) | | | WordNet | .71 | .88 | .52(.19 $\downarrow$ ) | .74(.14 $\downarrow$ ) | .64(.07 $\downarrow$ ) | .83(.05 $\downarrow$ ) | .42(.29 $\downarrow$ ) | .61(.27 $\downarrow$ ) | .25(.46 $\downarrow$ ) | .44(.44 $\downarrow$ ) | .18(.53 $\downarrow$ ) | .30(.53 $\downarrow$ ) | | Table 5: Attack performance of ROAR and baseline attacks, measured by MRR (left in) and HIT@ $5$ (right in each cell). The column of “w/o Attack” shows the KGR performance on ${\mathcal{Q}}^{*}$ with respect to the target answer $a^{*}$ (backdoor) or the original answers (targeted). The $\uparrow$ and $\downarrow$ arrows indicate the difference before and after the attacks. ### 5.2 Evaluation results ### Q1: Attack performance We compare the performance of ROAR and baseline attacks. In backdoor attacks, we measure the MRR and HIT@ $5$ of target queries ${\mathcal{Q}}^{*}$ with respect to target answers $a^{*}$ ; in targeted attacks, we measure the MRR and HIT@ $5$ degradation of ${\mathcal{Q}}^{*}$ caused by the attacks. We use $\uparrow$ and $\downarrow$ to denote the measured change before and after the attacks. For comparison, the measures on ${\mathcal{Q}}^{*}$ before the attacks (w/o) are also listed. Effectiveness. Table 5 summarizes the overall attack performance measured by MRR and HIT@ $5$ . We have the following interesting observations. ROAR ${}_{\mathrm{kp}}$ is more effective than baselines. Observe that all the ROAR variants outperform the baselines. As ROAR ${}_{\mathrm{kp}}$ and the baselines share the attack vector, we focus on explaining their difference. Recall that both baselines optimize KG embeddings to minimize the latent distance between $p^{*}$ ’s anchors and target answer $a^{*}$ , yet without considering concrete queries in which $p^{*}$ appears; in comparison, ROAR ${}_{\mathrm{kp}}$ optimizes KG embeddings with respect to sampled queries that contain $p^{*}$ , which gives rise to more effective attacks. ROAR ${}_{\mathrm{qm}}$ tends to be more effective than ROAR ${}_{\mathrm{kp}}$ . Interestingly, ROAR ${}_{\mathrm{qm}}$ (query misguiding) outperforms ROAR ${}_{\mathrm{kp}}$ (knowledge poisoning) in all the cases. This may be explained as follows. Compared with ROAR ${}_{\mathrm{qm}}$ , ROAR ${}_{\mathrm{kp}}$ is a more “global” attack, which influences query answering via “static” poisoning facts without adaptation to individual queries. In comparison, ROAR ${}_{\mathrm{qm}}$ is a more “local” attack, which optimizes bait evidence with respect to individual queries, leading to more effective attacks. ROAR ${}_{\mathrm{co}}$ is the most effective attack. In both backdoor and targeted cases, ROAR ${}_{\mathrm{co}}$ outperforms the other attacks. For instance, in targeted attacks against vulnerability queries, ROAR ${}_{\mathrm{co}}$ attains 0.92 HIT@ $5$ degradation. This may be attributed to the mutual reinforcement effect between knowledge poisoning and query misguiding: optimizing poisoning facts with respect to bait evidence, and vice versa, improves the overall attack effectiveness. KG properties matter. Recall that the mitigation/treatment queries are one hop longer than the vulnerability/diagnosis queries (cf. Figure 5). Interestingly, ROAR ’s performance differs in different use cases. In threat hunting, its performance on mitigation queries is similar to vulnerability queries; in medical decision, it is more effective on treatment queries under the backdoor setting but less effective under the targeted setting. We explain the difference by KG properties. In threat KG, each mitigation entity interacts with 0.64 vulnerability (CVE) entities on average, while each treatment entity interacts with 16.2 diagnosis entities on average. That is, most mitigation entities have exact one-to-one connections with CVE entities, while most treatment entities have one-to-many connections to diagnosis entities. | Objective | Query | Impact on ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ | | | | | | | | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | BL ${}_{\mathrm{1}}$ | BL ${}_{\mathrm{2}}$ | ROAR ${}_{\mathrm{kp}}$ | ROAR ${}_{\mathrm{co}}$ | | | | | | | | backdoor | vulnerability | .04 $\downarrow$ | .07 $\downarrow$ | .04 $\downarrow$ | .03 $\downarrow$ | .02 $\downarrow$ | .01 $\downarrow$ | .01 $\downarrow$ | .00 $\downarrow$ | | mitigation | .06 $\downarrow$ | .11 $\downarrow$ | .05 $\downarrow$ | .04 $\downarrow$ | .04 $\downarrow$ | .02 $\downarrow$ | .04 $\downarrow$ | .02 $\downarrow$ | | | diagnosis | .04 $\downarrow$ | .02 $\downarrow$ | .03 $\downarrow$ | .02 $\downarrow$ | .00 $\downarrow$ | .00 $\downarrow$ | .01 $\downarrow$ | .00 $\downarrow$ | | | treatment | .06 $\downarrow$ | .08 $\downarrow$ | .03 $\downarrow$ | .04 $\downarrow$ | .02 $\downarrow$ | .01 $\downarrow$ | .00 $\downarrow$ | .01 $\downarrow$ | | | Freebase | .03 $\downarrow$ | .06 $\downarrow$ | .04 $\downarrow$ | .04 $\downarrow$ | .03 $\downarrow$ | .04 $\downarrow$ | .02 $\downarrow$ | .02 $\downarrow$ | | | WordNet | .06 $\downarrow$ | .04 $\downarrow$ | .07 $\downarrow$ | .09 $\downarrow$ | .05 $\downarrow$ | .01 $\downarrow$ | .04 $\downarrow$ | .03 $\downarrow$ | | | targeted | vulnerability | .06 $\downarrow$ | .08 $\downarrow$ | .03 $\downarrow$ | .05 $\downarrow$ | .02 $\downarrow$ | .01 $\downarrow$ | .01 $\downarrow$ | .01 $\downarrow$ | | mitigation | .12 $\downarrow$ | .10 $\downarrow$ | .08 $\downarrow$ | .08 $\downarrow$ | .05 $\downarrow$ | .02 $\downarrow$ | .05 $\downarrow$ | .02 $\downarrow$ | | | diagnosis | .05 $\downarrow$ | .02 $\downarrow$ | .04 $\downarrow$ | .04 $\downarrow$ | .00 $\downarrow$ | .00 $\downarrow$ | .00 $\downarrow$ | .01 $\downarrow$ | | | treatment | .07 $\downarrow$ | .11 $\downarrow$ | .05 $\downarrow$ | .06 $\downarrow$ | .01 $\downarrow$ | .03 $\downarrow$ | .02 $\downarrow$ | .01 $\downarrow$ | | | Freebase | .06 $\downarrow$ | .08 $\downarrow$ | .04 $\downarrow$ | .08 $\downarrow$ | .00 $\downarrow$ | .03 $\downarrow$ | .01 $\downarrow$ | .05 $\downarrow$ | | | WordNet | .03 $\downarrow$ | .05 $\downarrow$ | .01 $\downarrow$ | .07 $\downarrow$ | .04 $\downarrow$ | .02 $\downarrow$ | .00 $\downarrow$ | .04 $\downarrow$ | | Table 6: Attack impact on non-target queries ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ , measured by MRR (left) and HIT@ $5$ (right), where $\downarrow$ indicates the performance degradation compared with Table 3. <details> <summary>x6.png Details</summary>  ### Visual Description ## Line Graphs: Performance Metrics Across Different Attack Scenarios ### Overview The image contains six line graphs arranged in a 2x3 grid, comparing the performance of four methods (BL_I, BL_II, ROAR_kp, ROAR_co) across different attack scenarios. Each graph plots **HIT@5** (y-axis) against **ε (Default)** (x-axis), with ε decreasing from 1.0 to 0.3. The graphs are labeled as follows: - (a) Backdoor-Vulnerability - (b) Backdoor-Diagnosis - (c) Backdoor-Commonsense (Freebase) - (d) Targeted-Vulnerability - (e) Targeted-Diagnosis - (f) Targeted-Commonsense (Freebase) ### Components/Axes - **X-axis**: Labeled "ε (Default)" with values decreasing from 1.0 (left) to 0.3 (right). - **Y-axis**: Labeled "HIT@5" with values ranging from 0.0 (bottom) to 1.0 (top). - **Legends**: Positioned in the top-left of each graph, with the following mappings: - **BL_I**: Green triangle (▲) - **BL_II**: Teal diamond (◆) - **ROAR_kp**: Blue square (■) - **ROAR_co**: Dark blue diamond (◆) ### Detailed Analysis #### Graph (a): Backdoor-Vulnerability - **BL_I** (green ▲): Starts at ~0.3, decreases to ~0.0 by ε=0.3. - **BL_II** (teal ◆): Starts at ~0.2, decreases to ~0.0 by ε=0.3. - **ROAR_kp** (blue ■): Starts at ~0.7, decreases to ~0.5 by ε=0.3. - **ROAR_co** (dark blue ◆): Starts at ~0.75, decreases to ~0.4 by ε=0.3. #### Graph (b): Backdoor-Diagnosis - **BL_I** (green ▲): Starts at ~0.7, decreases to ~0.5 by ε=0.3. - **BL_II** (teal ◆): Starts at ~0.6, decreases to ~0.4 by ε=0.3. - **ROAR_kp** (blue ■): Starts at ~0.5, decreases to ~0.3 by ε=0.3. - **ROAR_co** (dark blue ◆): Starts at ~0.75, decreases to ~0.5 by ε=0.3. #### Graph (c): Backdoor-Commonsense (Freebase) - **BL_I** (green ▲): Starts at ~0.8, decreases to ~0.6 by ε=0.3. - **BL_II** (teal ◆): Starts at ~0.7, decreases to ~0.5 by ε=0.3. - **ROAR_kp** (blue ■): Starts at ~0.6, decreases to ~0.4 by ε=0.3. - **ROAR_co** (dark blue ◆): Starts at ~0.8, decreases to ~0.6 by ε=0.3. #### Graph (d): Targeted-Vulnerability - **BL_I** (green ▲): Starts at ~0.0, increases to ~0.5 by ε=0.3. - **BL_II** (teal ◆): Starts at ~0.0, increases to ~0.5 by ε=0.3. - **ROAR_kp** (blue ■): Starts at ~0.0, increases to ~0.5 by ε=0.3. - **ROAR_co** (dark blue ◆): Starts at ~0.0, increases to ~0.5 by ε=0.3. #### Graph (e): Targeted-Diagnosis - **BL_I** (green ▲): Starts at ~0.0, increases to ~0.5 by ε=0.3. - **BL_II** (teal ◆): Starts at ~0.0, increases to ~0.5 by ε=0.3. - **ROAR_kp** (blue ■): Starts at ~0.0, increases to ~0.5 by ε=0.3. - **ROAR_co** (dark blue ◆): Starts at ~0.0, increases to ~0.5 by ε=0.3. #### Graph (f): Targeted-Commonsense (Freebase) - **BL_I** (green ▲): Starts at ~0.2, increases to ~0.6 by ε=0.3. - **BL_II** (teal ◆): Starts at ~0.3, increases to ~0.6 by ε=0.3. - **ROAR_kp** (blue ■): Starts at ~0.1, increases to ~0.5 by ε=0.3. - **ROAR_co** (dark blue ◆): Starts at ~0.1, increases to ~0.5 by ε=0.3. </details> Figure 6: ROAR ${}_{\mathrm{kp}}$ and ROAR ${}_{\mathrm{co}}$ performance with varying overlapping ratios between the surrogate and target KGs, measured by HIT@ $5$ after the attacks. Evasiveness. We further measure the impact of the attacks on non-target queries ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ (without trigger pattern $p^{*}$ ). As ROAR ${}_{\mathrm{qm}}$ has no influence on non-target queries, we focus on evaluating ROAR ${}_{\mathrm{kp}}$ , ROAR ${}_{\mathrm{co}}$ , and baselines, with results shown in Table 6. ROAR has a limited impact on non-target queries. Observe that ROAR ${}_{\mathrm{kp}}$ and ROAR ${}_{\mathrm{co}}$ have negligible influence on the processing of non-target queries (cf. Table 3), with MRR or HIT@ $5$ drop less than 0.05 across all the case. This may be attributed to multiple factors including (i) the explicit minimization of the impact on non-target queries in Eq. 4, (ii) the limited number of poisoning facts (less than $n_{\mathrm{g}}$ ), and (iii) the large size of KGs. Baselines are less evasive. Compared with ROAR, both baseline attacks have more significant effects on non-target queries ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ . For instance, the MRR of non-target queries drops by 0.12 after the targeted BL ${}_{\mathrm{2}}$ attack against mitigation queries. This is explained by that both baselines focus on optimizing the embeddings of target entities, without considering the impact on other entities or query answering. ### Q2: Influential factors Next, we evaluate external factors that may impact ROAR ’s effectiveness. Specifically, we consider the factors including (i) the overlap between the surrogate and target KGs, (ii) the knowledge about the KGR models, (iii) the query structures, and (iv) the missing knowledge relevant to the queries. Knowledge about KG ${\mathcal{G}}$ . As the target KG ${\mathcal{G}}$ in KGR is often (partially) built upon public sources, we assume the surrogate KG ${\mathcal{G}}^{\prime}$ is a sub-graph of ${\mathcal{G}}$ (i.e., we do not require full knowledge of ${\mathcal{G}}$ ). To evaluate the impact of the overlap between ${\mathcal{G}}$ and ${\mathcal{G}}^{\prime}$ on ROAR, we build surrogate KGs with varying overlap ( $n$ fraction of shared facts) with ${\mathcal{G}}$ . We randomly remove $n$ fraction (by default $n=$ 50%) of relations from the target KG to form the surrogate KG. Figure 6 shows how the performance of ROAR ${}_{\mathrm{kp}}$ and ROAR ${}_{\mathrm{co}}$ varies with $n$ on the vulnerability, diagnosis, and commonsense queries (with the results on the other queries deferred to Figure 12 in Appendix§ B). We have the following observations. ROAR retains effectiveness with limited knowledge. Observe that when $n$ varies in the range of $[0.5,1]$ in the cases of medical decision and commonsense (or $[0.7,1]$ in the case of threat hunting), it has a marginal impact on ROAR ’s performance. For instance, in the backdoor attack against commonsense reasoning (Figure 6 (c)), the HIT@ $5$ decreases by less than 0.15 as $n$ drops from 1 to 0.5. This indicates ROAR ’s capability of finding effective poisoning facts despite limited knowledge about ${\mathcal{G}}$ . However, when $n$ drops below a critical threshold (e.g., 0.3 for medical decision and commonsense, or 0.5 for threat hunting), ROAR ’s performance drops significantly. For instance, the HIT@ $5$ of ROAR ${}_{\mathrm{kp}}$ drops more than 0.39 in the backdoor attack against commonsense reasoning (on Freebase). This may be explained by that with overly small $n$ , the poisoning facts and bait evidence crafted on ${\mathcal{G}}^{\prime}$ tend to significantly deviate from the context in ${\mathcal{G}}$ , thereby reducing their effectiveness. <details> <summary>x7.png Details</summary>  ### Visual Description ## Heatmap: Query Path Vulnerability and Mitigation Analysis ### Overview The image presents a comparative heatmap analysis of query path vulnerabilities and mitigation effectiveness across four scenarios: Backdoor-Vulnerability, Backdoor-Mitigation, Targeted-Vulnerability, and Targeted-Mitigation. The data is organized into two primary axes: **Number of Query Paths** (2, 3, 5) and **Max Length of Query Path** (1-hop to 4-hop). Color intensity (green to yellow) represents metric values from 0.2 to 1.0. --- ### Components/Axes 1. **X-Axis (Max Length of Query Path)**: - Categories: 1-hop, 2-hop, 3-hop, 4-hop - Position: Bottom of all subplots 2. **Y-Axis (Number of Query Paths)**: - Categories: 2, 3, 5 - Position: Left of all subplots 3. **Legend**: - Color bar on the right, ranging from 0.2 (light yellow) to 1.0 (dark green) - No explicit labels, but values are annotated in cells 4. **Subplots**: - Four labeled sections: (a) Backdoor-Vulnerability, (b) Backdoor-Mitigation, (c) Targeted-Vulnerability, (d) Targeted-Mitigation - Positioned in a 2x2 grid --- ### Detailed Analysis #### (a) Backdoor-Vulnerability | Query Paths | 1-hop | 2-hop | 3-hop | 4-hop | |-------------|-------|-------|-------|-------| | 2 | 0.56 ↑ | 0.92 ↑ | 0.92 ↑ | 0.64 ↑ | | 3 | 0.46 ↑ | 0.82 ↑ | 0.87 ↑ | 0.53 ↑ | | 5 | 0.27 ↑ | 0.55 ↑ | 0.57 ↑ | 0.39 ↑ | - **Trend**: Vulnerability increases with more hops (e.g., 2-hop paths show 0.92 vs. 0.56 for 1-hop in 2-query-paths). - **Anomaly**: 4-hop paths show lower values than 3-hop in all rows. #### (b) Backdoor-Mitigation | Query Paths | 1-hop | 2-hop | 3-hop | 4-hop | |-------------|-------|-------|-------|-------| | 2 | 0.91 ↓ | 0.97 ↓ | 0.98 ↓ | 0.85 ↓ | | 3 | 0.87 ↓ | 0.97 ↓ | 0.96 ↓ | 0.81 ↓ | | 5 | 0.83 ↓ | 0.90 ↓ | 0.91 ↓ | 0.76 ↓ | - **Trend**: Mitigation reduces vulnerability, with 4-hop paths showing the steepest decline (e.g., 0.98 → 0.85 for 2-query-paths). - **Consistency**: All values remain above 0.76, indicating partial effectiveness. #### (c) Targeted-Vulnerability | Query Paths | 1-hop | 2-hop | 3-hop | 4-hop | |-------------|-------|-------|-------|-------| | 2 | 0.91 ↓ | 0.97 ↓ | 0.98 ↓ | 0.85 ↓ | | 3 | 0.87 ↓ | 0.97 ↓ | 0.96 ↓ | 0.81 ↓ | | 5 | 0.83 ↓ | 0.90 ↓ | 0.91 ↓ | 0.76 ↓ | - **Trend**: Similar to Backdoor-Mitigation, but values are slightly lower (e.g., 0.91 vs. 0.97 for 2-hop in 2-query-paths). - **Anomaly**: 4-hop paths show the largest drop (0.98 → 0.85). #### (d) Targeted-Mitigation | Query Paths | 1-hop | 2-hop | 3-hop | 4-hop | |-------------|-------|-------|-------|-------| | 2 | 0.91 ↓ | 0.97 ↓ | 0.98 ↓ | 0.85 ↓ | | 3 | 0.87 ↓ | 0.97 ↓ | 0.96 ↓ | 0.81 ↓ | | 5 | 0.83 ↓ | 0.90 ↓ | 0.91 ↓ | 0.76 ↓ | - **Trend**: Matches Targeted-Vulnerability but with marginally lower values (e.g., 0.91 vs. 0.97 for 2-hop in 2-query-paths). - **Consistency**: Values remain above 0.76, suggesting effective mitigation. --- ### Key Observations 1. **Hop Length Correlation**: - Longer paths (4-hop) generally show higher vulnerability in Backdoor-Vulnerability but lower values in mitigation scenarios. - 2-hop paths consistently exhibit the highest vulnerability across all scenarios. 2. **Mitigation Impact**: - Mitigation reduces vulnerability by ~10–15% across all query path lengths. - Targeted-Mitigation shows slightly better performance than Backdoor-Mitigation (e.g., 0.76 vs. 0.81 for 4-hop in 5-query-paths). 3. **Query Path Count**: - Fewer query paths (2) are more vulnerable than larger counts (5), especially in Backdoor-Vulnerability (0.56 vs. 0.27 for 5-query-paths in 1-hop). --- ### Interpretation The data suggests that **longer query paths (4-hop)** are inherently more vulnerable to backdoor attacks but also more susceptible to mitigation. Targeted attacks (c/d) demonstrate marginally better mitigation than backdoor-specific strategies (a/b), likely due to focused adversarial training. The consistent decline in values with increasing hops in mitigation scenarios indicates that path length is a critical factor in vulnerability reduction. However, the persistence of values above 0.76 in mitigation highlights residual risks, particularly for shorter paths (1–2 hops). This underscores the need for hybrid mitigation strategies that address both path length and query complexity. </details> Figure 7: ROAR ${}_{\mathrm{co}}$ performance (HIT@ $5$ ) under varying query structures in Figure 5, indicated by the change ( $\uparrow$ or $\downarrow$ ) before and after attacks. Knowledge about KGR models. Thus far, we assume the surrogate KGR has the same embedding type (e.g., box or vector) and transformation function definition (e.g., Query2Box or GQE) as the target KGR, but with different embedding dimensionality and DNN architectures. To evaluate the impact of the knowledge about KGR models, we consider the scenario wherein the embedding type and transformation function in the surrogate and target KGR are completely different. Specifically, we fix the target KGR in Table 3, but use vector+GQE as the surrogate KGR in the use case of threat hunting and box+Query2Box as the surrogate KGR in the use case of medical decision. ROAR transfers across KGR models. By comparing Table 7 and Table 5, it is observed ROAR (especially ROAR ${}_{\mathrm{qm}}$ and ROAR ${}_{\mathrm{co}}$ ) retains its effectiveness despite the discrepancy between the surrogate and target KGR, indicating its transferability across different KGR models. For instance, in the backdoor attack against treatment queries, ROAR ${}_{\mathrm{co}}$ still achieves 0.38 MRR increase. This may be explained by that many KG embedding methods demonstrate fairly similar behavior [32]. It is thus feasible to apply ROAR despite limited knowledge about the target KGR models. | Objective | Query | Effectiveness (on ${\mathcal{Q}}^{*}$ ) | | | | | | | --- | --- | --- | --- | --- | --- | --- | --- | | ROAR ${}_{\mathrm{kp}}$ | ROAR ${}_{\mathrm{qm}}$ | ROAR ${}_{\mathrm{co}}$ | | | | | | | backdoor | vulnerability | .10 $\uparrow$ | .14 $\uparrow$ | .21 $\uparrow$ | .26 $\uparrow$ | .30 $\uparrow$ | .34 $\uparrow$ | | mitigation | .15 $\uparrow$ | .22 $\uparrow$ | .29 $\uparrow$ | .36 $\uparrow$ | .35 $\uparrow$ | .40 $\uparrow$ | | | diagnosis | .08 $\uparrow$ | .15 $\uparrow$ | .22 $\uparrow$ | .27 $\uparrow$ | .25 $\uparrow$ | .31 $\uparrow$ | | | treatment | .33 $\uparrow$ | .50 $\uparrow$ | .36 $\uparrow$ | .52 $\uparrow$ | .38 $\uparrow$ | .59 $\uparrow$ | | | targeted | vulnerability | .07 $\downarrow$ | .08 $\downarrow$ | .37 $\downarrow$ | .34 $\downarrow$ | .41 $\downarrow$ | .44 $\downarrow$ | | mitigation | .15 $\downarrow$ | .12 $\downarrow$ | .27 $\downarrow$ | .33 $\downarrow$ | .35 $\downarrow$ | .40 $\downarrow$ | | | diagnosis | .05 $\downarrow$ | .11 $\downarrow$ | .20 $\downarrow$ | .24 $\downarrow$ | .29 $\downarrow$ | .37 $\downarrow$ | | | treatment | .01 $\downarrow$ | .03 $\downarrow$ | .08 $\downarrow$ | .11 $\downarrow$ | .15 $\downarrow$ | .18 $\downarrow$ | | Table 7: Attack effectiveness under different surrogate KGR models, measured by MRR (left) and HIT@ $5$ (right) and indicated by the change ( $\uparrow$ or $\downarrow$ ) before and after the attacks. Query structures. Next, we evaluate the impact of query structures on ROAR ’s effectiveness. Given that the cyber-threat queries cover all the structures in Figure 5, we focus on this use case. Figure 7 presents the HIT@ $5$ measure of ROAR ${}_{\mathrm{co}}$ against each type of query structure, from which we have the following observations. Attack performance drops with query path numbers. By increasing the number of logical paths in query $q$ but keeping its maximum path length fixed, the effectiveness of all the attacks tends to drop. This may be explained as follows. Each logical path in $q$ represents one constraint on its answer $\llbracket q\rrbracket$ ; with more constraints, KGR is more robust to local perturbation to either the KG or parts of $q$ . Attack performance improves with query path length. Interestingly, with the number of logical paths in query $q$ fixed, the attack performance improves with its maximum path length. This may be explained as follows. Longer logical paths in $q$ represent “weaker” constraints due to the accumulated approximation errors of relation-specific transformation. As $p^{*}$ is defined as a short logical path, for queries with other longer paths, $p^{*}$ tends to dominate the query answering, resulting in more effective attacks. Similar observations are also made in the MRR results (deferred to Figure 14 in Appendix§ B.4). Missing knowledge. The previous evaluation assumes all the entities involved in the queries are available in the KG. Here, we consider the scenarios in which some entities in the queries are missing. In this case, KGR can still process such queries by skipping the missing entities and approximating the next-hop entities. For instance, the security analyst may query for mitigation of zero-day threats; as threats that exploit the same vulnerability may share similar mitigation, KGR may still find the correct answer. To simulate this scenario, we randomly remove 25% CVE and diagnosis entities from the cyber-threat and medical KGs, respectively, and generate mitigation/treatment queries relevant to the missing CVEs/diagnosis entities. The other setting follows § 5.1. Table 8 shows the results. | Obj. | Query | Attack | | | | | | | | | | | | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | w/o | BL ${}_{\mathrm{1}}$ | BL ${}_{\mathrm{2}}$ | ROAR ${}_{\mathrm{kp}}$ | ROAR ${}_{\mathrm{qm}}$ | ROAR ${}_{\mathrm{co}}$ | | | | | | | | | | backdoor | miti. | .00 | .01 | .00 $\uparrow$ | .00 $\uparrow$ | .00 $\uparrow$ | .00 $\uparrow$ | .26 $\uparrow$ | .50 $\uparrow$ | .59 $\uparrow$ | .64 $\uparrow$ | .66 $\uparrow$ | .64 $\uparrow$ | | treat. | .04 | .08 | .03 $\uparrow$ | .12 $\uparrow$ | .00 $\uparrow$ | .00 $\uparrow$ | .40 $\uparrow$ | .61 $\uparrow$ | .55 $\uparrow$ | .70 $\uparrow$ | .58 $\uparrow$ | .77 $\uparrow$ | | | targeted | miti. | .57 | .78 | .00 $\downarrow$ | .00 $\downarrow$ | .00 $\downarrow$ | .00 $\downarrow$ | .28 $\downarrow$ | .24 $\downarrow$ | .51 $\downarrow$ | .67 $\downarrow$ | .55 $\downarrow$ | .71 $\downarrow$ | | treat. | .52 | .70 | .00 $\downarrow$ | .00 $\downarrow$ | .00 $\downarrow$ | .00 $\downarrow$ | .08 $\downarrow$ | .12 $\downarrow$ | .12 $\downarrow$ | .19 $\downarrow$ | .23 $\downarrow$ | .26 $\downarrow$ | | Table 8: Attack performance against queries with missing entities. The measures in each cell are MRR (left) and HIT@ $5$ (right). ROAR is effective against missing knowledge. Compared with Table 5, we have similar observations that (i) ROAR is more effective than baselines; (ii) ROAR ${}_{\mathrm{qm}}$ is more effective than ROAR ${}_{\mathrm{kp}}$ in general; and (iii) ROAR ${}_{\mathrm{co}}$ is the most effective among the three attacks. Also, the missing entities (i.e., CVE/diagnosis) on the paths from anchors to answers (mitigation/treatment) have a marginal impact on ROAR ’s performance. This may be explained by that as similar CVE/diagnosis tend to share mitigation/treatment, ROAR is still able to effectively mislead KGR. <details> <summary>x8.png Details</summary>  ### Visual Description ## Bar Chart: Comparative Analysis of ROAR Methods Across Vulnerability/Mitigation Scenarios ### Overview The image presents four grouped bar charts comparing three methods (ROAR_kp, ROAR_qm, ROAR_co) across four categories: Backdoor-Vulnerability, Backdoor-Mitigation, Targeted-Vulnerability, and Targeted-Mitigation. Each category contains three subcategories (Chrome, CAPEC-22, T1550.001). The y-axis measures two metrics: MRR (↑) and HIT@5 (↓), with values ranging from 0.00 to 1.00. ### Components/Axes - **X-axis**: Categories (a-d) with subcategories (Chrome, CAPEC-22, T1550.001) - **Y-axis**: - MRR (↑): Top scale (0.00–1.00) - HIT@5 (↓): Bottom scale (0.00–1.00) - **Legend**: - Top-right position - ROAR_kp: Diagonal stripes (blue) - ROAR_qm: Crosshatch (green) - ROAR_co: Dots (dark green) - **Color Patterns**: - Blue (ROAR_kp) and green (ROAR_qm/ROAR_co) with distinct hatching ### Detailed Analysis #### (a) Backdoor-Vulnerability - **Chrome**: - ROAR_kp: 0.51 (MRR), 0.58 (HIT@5) - ROAR_qm: 0.35 (MRR), 0.50 (HIT@5) - ROAR_co: 0.57 (MRR), 0.66 (HIT@5) - **CAPEC-22**: - ROAR_kp: 0.33 (MRR), 0.40 (HIT@5) - ROAR_qm: 0.24 (MRR), 0.31 (HIT@5) - ROAR_co: 0.45 (MRR), 0.52 (HIT@5) - **T1550.001**: - ROAR_kp: 0.28 (MRR), 0.42 (HIT@5) - ROAR_qm: 0.18 (MRR), 0.16 (HIT@5) - ROAR_co: 0.30 (MRR), 0.44 (HIT@5) #### (b) Backdoor-Mitigation - **Chrome**: - ROAR_kp: 0.64 (MRR), 0.68 (HIT@5) - ROAR_qm: 0.37 (MRR), 0.55 (HIT@5) - ROAR_co: 0.68 (MRR), 0.68 (HIT@5) - **CAPEC-22**: - ROAR_kp: 0.45 (MRR), 0.52 (HIT@5) - ROAR_qm: 0.32 (MRR), 0.33 (HIT@5) - ROAR_co: 0.53 (MRR), 0.58 (HIT@5) - **T1550.001**: - ROAR_kp: 0.44 (MRR), 0.46 (HIT@5) - ROAR_qm: 0.21 (MRR), 0.22 (HIT@5) - ROAR_co: 0.41 (MRR), 0.46 (HIT@5) #### (c) Targeted-Vulnerability - **Chrome**: - ROAR_kp: 0.74 (MRR), 0.76 (HIT@5) - ROAR_qm: 0.33 (MRR), 0.26 (HIT@5) - ROAR_co: 0.86 (MRR), 0.92 (HIT@5) - **CAPEC-22**: - ROAR_kp: 0.45 (MRR), 0.56 (HIT@5) - ROAR_qm: 0.21 (MRR), 0.13 (HIT@5) - ROAR_co: 0.59 (MRR), 0.58 (HIT@5) - **T1550.001**: - ROAR_kp: 0.50 (MRR), 0.53 (HIT@5) - ROAR_qm: 0.14 (MRR), 0.07 (HIT@5) - ROAR_co: 0.58 (MRR), 0.58 (HIT@5) #### (d) Targeted-Mitigation - **Chrome**: - ROAR_kp: 0.62 (MRR), 0.80 (HIT@5) - ROAR_qm: 0.43 (MRR), 0.30 (HIT@5) - ROAR_co: 0.66 (MRR), 0.85 (HIT@5) - **CAPEC-22**: - ROAR_kp: 0.49 (MRR), 0.44 (HIT@5) - ROAR_qm: 0.24 (MRR), 0.11 (HIT@5) - ROAR_co: 0.44 (MRR), 0.49 (HIT@5) - **T1550.001**: - ROAR_kp: 0.41 (MRR), 0.39 (HIT@5) - ROAR_qm: 0.10 (MRR), 0.06 (HIT@5) - ROAR_co: 0.41 (MRR), 0.39 (HIT@5) ### Key Observations 1. **ROAR_co Dominance**: - Consistently highest MRR across all categories (e.g., 0.86 in Targeted-Vulnerability Chrome) - Strong HIT@5 performance in Backdoor-Mitigation (0.68) and Targeted-Mitigation (0.85 Chrome) 2. **ROAR_kp Trade-offs**: - High MRR in Targeted-Vulnerability (0.74 Chrome) but lower HIT@5 (0.76) - Poorest HIT@5 in Backdoor-Mitigation CAPEC-22 (0.33) 3. **ROAR_qm Weaknesses**: - Lowest MRR in Backdoor-Mitigation T1550.001 (0.21) - Extremely low HIT@5 in Targeted-Vulnerability T1550.001 (0.07) 4. **Category-Specific Trends**: - Targeted-Mitigation shows highest MRR values overall (0.62–0.66) - Backdoor-Vulnerability has most balanced performance (MRR/HIT@5 ratios <1.2) ### Interpretation The data reveals method-specific trade-offs between MRR (precision) and HIT@5 (recall). ROAR_co excels in MRR but shows diminishing returns in HIT@5 for complex scenarios (e.g., Targeted-Mitigation T1550.001). ROAR_kp demonstrates situational strength in high-stakes categories (Targeted-Vulnerability) but underperforms in mitigation tasks. The consistent HIT@5 values in ROAR_co across subcategories suggest robustness in recall, while ROAR_qm's erratic performance indicates potential instability in complex environments. These findings imply that method selection should prioritize context-specific requirements: ROAR_co for precision-critical applications, ROAR_kp for recall-sensitive scenarios, and ROAR_qm for balanced but less extreme use cases. </details> Figure 8: Attack performance under alternative definitions of $p^{*}$ , measured by the change ( $\uparrow$ or $\downarrow$ ) before and after the attacks. <details> <summary>x9.png Details</summary>  ### Visual Description ## 3D Surface Plots: Comparative Analysis of Backdoor and Targeted Strategies ### Overview The image contains 12 3D surface plots arranged in two rows (6 per row), comparing metrics across "Backdoor" and "Targeted" strategies. Each plot visualizes relationships between two budget variables ("ROAR_asp budget" and "ROAR_sp budget") and an unlabeled z-axis metric. Values in the bottom-left corner of each plot represent key data points (e.g., 0.70, 0.72). ### Components/Axes - **X-axis**: "ROAR_asp budget" (ranges: 0-200 for Backdoor, 0-150 for Targeted) - **Y-axis**: "ROAR_sp budget" (ranges: 0-4 for Backdoor, 0-3 for Targeted) - **Z-axis**: Unlabeled, with values between 0.00 and 1.00 (likely a normalized metric) - **Color gradient**: Green (low values) to yellow (high values) - **Plot labels**: - Row 1 (Backdoor): Vulnerability, Mitigation, Diagnosis, Treatment, Freebase, WordNet - Row 2 (Targeted): Vulnerability, Mitigation, Diagnosis, Treatment, Freebase, WordNet ### Detailed Analysis 1. **Backdoor Strategies**: - **Vulnerability (a)**: Peaks at 0.70 (x=150, y=0.4) - **Mitigation (b)**: Peaks at 0.72 (x=200, y=0.6) - **Diagnosis (c)**: Peaks at 0.51 (x=100, y=0.2) - **Treatment (d)**: Peaks at 0.77 (x=200, y=0.4) - **Freebase (e)**: Peaks at 0.78 (x=200, y=0.4) - **WordNet (f)**: Peaks at 0.74 (x=200, y=0.4) 2. **Targeted Strategies**: - **Vulnerability (g)**: Peaks at 0.61 (x=2, y=0.3) - **Mitigation (h)**: Peaks at 0.55 (x=2, y=0.2) - **Diagnosis (i)**: Peaks at 0.43 (x=2, y=0.1) - **Treatment (j)**: Peaks at 0.75 (x=2, y=0.2) - **Freebase (k)**: Peaks at 0.67 (x=2, y=0.1) - **WordNet (l)**: Peaks at 0.88 (x=2, y=0.2) ### Key Observations 1. **Backdoor dominance**: All Backdoor plots show higher z-axis values (0.51–0.78) compared to Targeted (0.04–0.88). 2. **Budget correlation**: Higher ROAR_asp budgets (x-axis) generally correlate with higher z-values in Backdoor strategies. 3. **Targeted anomalies**: Targeted-WordNet (l) shows an outlier with 0.88, exceeding most Backdoor values despite lower budgets. 4. **Mitigation performance**: Backdoor-Mitigation (b) and Targeted-Treatment (j) show the highest z-values in their respective categories. ### Interpretation The data suggests Backdoor strategies consistently outperform Targeted approaches in the measured metric (z-axis), particularly when allocating higher budgets to both ROAR_asp and ROAR_sp. However, Targeted-WordNet (l) defies this trend, achieving 0.88 despite minimal budget allocation. This anomaly might indicate: - **Efficiency**: WordNet's lexical resource optimization enables high performance with low investment. - **Measurement bias**: The z-axis metric may favor lexical approaches in specific contexts. - **Data noise**: The outlier could represent an edge case or measurement error. The color gradients confirm that higher z-values align with yellow regions, validating the visual interpretation of the surface plots. The consistent Backdoor superiority across most categories implies systemic advantages in resource allocation for these strategies, though the Targeted-WordNet exception warrants further investigation into its unique implementation or contextual factors. </details> Figure 9: ROAR ${}_{\mathrm{co}}$ performance with varying budgets (ROAR ${}_{\mathrm{kp}}$ – $n_{\mathrm{g}}$ , ROAR ${}_{\mathrm{qm}}$ – $n_{\mathrm{q}}$ ). The measures are the absolute HIT@ $5$ after the attacks. ### Q3: Alternative settings Besides the influence of external factors, we also explore ROAR ’s performance under a set of alternative settings. Alternative $p^{*}$ . Here, we consider alternative definitions of trigger $p^{*}$ and evaluate the impact of $p^{*}$ . Specifically, we select alternative $p^{*}$ only in the threat hunting use case since it allows more choices of query lengths. Besides the default definition (with Google Chrome as the anchor) in § 5.1, we consider two other definitions in Table 9: one with CAPEC-22 http://capec.mitre.org/data/definitions/22.html (attack pattern) as its anchor and its logical path is of length 2 for querying vulnerability and 3 for querying mitigation; the other with T1550.001 https://attack.mitre.org/techniques/T1550/001/ (attack technique) as its anchor is of length 3 for querying vulnerability and 4 for querying mitigation. Figure 8 summarizes ROAR ’s performance under these definitions. We have the following observations. | anchor of $p^{*}$ | entity | $\mathsf{Google\,\,Chrome}$ | $\mathsf{CAPEC-22}$ | $\mathsf{T1550.001}$ | | --- | --- | --- | --- | --- | | category | product | attack pattern | technique | | | length of $p^{*}$ | vulnerability | 1 hop | 2 hop | 3 hop | | mitigation | 2 hop | 3 hop | 4 hop | | Table 9: Alternative definitions of $p^{*}$ , where $\mathsf{Google\,\,Chrome}$ is the anchor of the default $p^{*}$ . Shorter $p^{*}$ leads to more effective attacks. Comparing Figure 8 and Table 9, we observe that in general, the effectiveness of both ROAR ${}_{\mathrm{kp}}$ and ROAR ${}_{\mathrm{qm}}$ decreases with $p^{*}$ ’s length. This can be explained as follows. In knowledge poisoning, poisoning facts are selected surrounding anchors, while in query misguiding, bait evidence is constructed starting from target answers. Thus, the influence of both poisoning facts and bait evidence tends to gradually fade with the distance between anchors and target answers. There exists delicate dynamics in ROAR ${}_{\mathrm{co}}$ . Observe that ROAR ${}_{\mathrm{co}}$ shows more complex dynamics with respect to the setting of $p^{*}$ . Compared with ROAR ${}_{\mathrm{kp}}$ , ROAR ${}_{\mathrm{co}}$ seems less sensitive to $p^{*}$ , with MRR $\geq 0.30$ and HIT@ $5$ $\geq 0.44$ under $p^{*}$ with T1550.001 in backdoor attacks; while in targeted attacks, ROAR ${}_{\mathrm{co}}$ performs slightly worse than ROAR ${}_{\mathrm{qm}}$ under the setting of mitigation queries and alternative definitions of $p^{*}$ . This can be explained by the interaction between the two attack vectors within ROAR ${}_{\mathrm{co}}$ : on one hand, the negative impact of $p^{*}$ ’s length on poisoning facts may be compensated by bait evidence; on the other hand, due to their mutual dependency in co-optimization, ineffective poisoning facts also negatively affect the generation of bait evidence. Attack budgets. We further explore how to properly set the attack budgets in ROAR. We evaluate the attack performance as a function of $n_{\mathrm{g}}$ (number of poisoning facts) and $n_{\mathrm{q}}$ (number of bait evidence), with results summarized in Figure 9. There exists an “mutual reinforcement” effect. In both backdoor and targeted cases, with one budget fixed, slightly increasing the other significantly improves ROAR ${}_{\mathrm{co}}$ ’s performance. For instance, in backdoor cases, when $n_{\mathrm{g}}=0$ , increasing $n_{\mathrm{q}}$ from 0 to 1 leads to 0.44 improvement in HIT@ $5$ , while increasing $n_{\mathrm{g}}=50$ leads to HIT@ $5$ $=0.58$ . Further, we also observe that ROAR ${}_{\mathrm{co}}$ can easily approach the optimal performance under the setting of $n_{\mathrm{g}}\in[50,100]$ and $n_{\mathrm{q}}\in[1,2]$ , indicating that ROAR ${}_{\mathrm{co}}$ does not require large attack budgets due to the mutual reinforcement effect. Large budgets may not always be desired. Also, observe that ROAR has degraded performance when $n_{\mathrm{g}}$ is too large (e.g., $n_{\mathrm{g}}=200$ in the backdoor attacks). This may be explained by that a large budget may incur many noisy poisoning facts that negatively interfere with each other. Recall that in knowledge poisoning, ROAR generates poisoning facts in a greedy manner (i.e., top- $n_{\mathrm{g}}$ facts with the highest fitness scores in Algorithm 1) without considering their interactions. Further, due to the gap between the input and latent spaces, the input-space approximation may introduce additional noise in the generated poisoning facts. Thus, the attack performance may not be a monotonic function of $n_{\mathrm{g}}$ . Note that due to the practical constraints of poisoning real-world KGs, $n_{\mathrm{g}}$ tends to be small in practice [56]. We also observe similar trends measured by MRR with results shown in Figure 13 in Appendix§ B.4. ## 6 Discussion ### 6.1 Surrogate KG Construction We now discuss why building the surrogate KG is feasible. In practice, the target KG is often (partially) built upon some public sources (e.g., Web) and needs to be constantly updated [61]. The adversary may obtain such public information to build the surrogate KG. For instance, to keep up with the constant evolution of cyber threats, threat intelligence KGs often include new threat reports from threat blogs and news [28], which are also accessible to the adversary. In the evaluation, we simulate the construction of the surrogate KG by randomly removing a fraction of facts from the target KG (50% by default). By controlling the overlapping ratio between the surrogate and target KGs (Figure 6), we show the impact of the knowledge about the target KG on the attack performance. Zero-knowledge attacks. In the extreme case, the adversary has little knowledge about the target KG and thus cannot build a surrogate KG directly. However, if the query interface of KGR is publicly accessible (as in many cases [8, 2, 12]), the adversary is often able to retrieve subsets of entities and relations from the backend KG and construct a surrogate KG. Specifically, the adversary may use a breadth-first traversal approach to extract a sub-KG: beginning with a small set of entities, at each iteration, the adversary chooses an entity as the anchor and explores all possible relations by querying for entities linked to the anchor through a specific relation; if the query returns a valid response, the adversary adds the entity to the current sub-KG. We consider exploring zero-knowledge attacks as our ongoing work. ### 6.2 Potential countermeasures We investigate two potential countermeasures tailored to knowledge poisoning and query misguiding. <details> <summary>x10.png Details</summary>  ### Visual Description ## Bar Chart: Performance Metrics Across Different Attack Scenarios ### Overview The image is a grouped bar chart with six subplots (a–f), each representing different attack scenarios (Backdoor-Vulnerability, Backdoor-Diagnosis, Backdoor-Freebase, Targeted-Vulnerability, Targeted-Diagnosis, Targeted-Freebase). Each subplot compares four methods (BL_I, ROAR_kp, BL_II, ROAR_co) across three attack percentages (0%, 10%, 30%) using the metric "HIT@5" on the y-axis. The legend is positioned in the top-right corner of each subplot, with distinct colors for each method. --- ### Components/Axes - **X-axis**: Attack percentages (0%, 10%, 30%) - **Y-axis**: "HIT@5" (ranging from 0.00 to 1.00) - **Legend**: - **BL_I**: Light green - **ROAR_kp**: Light blue - **BL_II**: Dark green - **ROAR_co**: Dark blue - **Subplots**: - (a) Backdoor-Vulnerability - (b) Backdoor-Diagnosis - (c) Backdoor-Freebase - (d) Targeted-Vulnerability - (e) Targeted-Diagnosis - (f) Targeted-Freebase --- ### Detailed Analysis #### (a) Backdoor-Vulnerability - **0%**: - BL_I: 0.12 - ROAR_kp: 0.05 - BL_II: 0.04 - ROAR_co: 0.00 - **10%**: - BL_I: 0.00 - ROAR_kp: 0.00 - BL_II: 0.00 - ROAR_co: 0.55 - **30%**: - BL_I: 0.45 - ROAR_kp: 0.32 - BL_II: 0.71 - ROAR_co: 0.57 - **Note**: The 30% data point for ROAR_co is listed as 0.43 in the original text, but the bar height suggests 0.57. This discrepancy may indicate a typo or misalignment. #### (b) Backdoor-Diagnosis - **0%**: - BL_I: 0.22 - ROAR_kp: 0.13 - BL_II: 0.00 - ROAR_co: 0.00 - **10%**: - BL_I: 0.00 - ROAR_kp: 0.00 - BL_II: 0.00 - ROAR_co: 0.37 - **30%**: - BL_I: 0.30 - ROAR_kp: 0.20 - BL_II: 0.52 - ROAR_co: 0.44 - **Note**: The 30% data point for ROAR_co is listed as 0.39 in the original text, but the bar height suggests 0.44. #### (c) Backdoor-Freebase - **0%**: - BL_I: 0.12 - ROAR_kp: 0.09 - BL_II: 0.00 - ROAR_co: 0.00 - **10%**: - BL_I: 0.10 - ROAR_kp: 0.03 - BL_II: 0.00 - ROAR_co: 0.00 - **30%**: - BL_I: 0.04 - ROAR_kp: 0.00 - BL_II: 0.00 - ROAR_co: 0.00 #### (d) Targeted-Vulnerability - **0%**: - BL_I: 0.88 - ROAR_kp: 0.93 - BL_II: 0.90 - ROAR_co: 0.06 - **10%**: - BL_I: 0.96 - ROAR_kp: 0.80 - BL_II: 0.74 - ROAR_co: 0.13 - **30%**: - BL_I: 0.74 - ROAR_kp: 0.68 - BL_II: 0.39 - ROAR_co: 0.23 #### (e) Targeted-Diagnosis - **0%**: - BL_I: 0.62 - ROAR_kp: 0.65 - BL_II: 0.01 - ROAR_co: 0.00 - **10%**: - BL_I: 0.68 - ROAR_kp: 0.54 - BL_II: 0.10 - ROAR_co: 0.00 - **30%**: - BL_I: 0.66 - ROAR_kp: 0.55 - BL_II: 0.20 - ROAR_co: 0.00 #### (f) Targeted-Freebase - **0%**: - BL_I: 0.56 - ROAR_kp: 0.61 - BL_II: 0.62 - ROAR_co: 0.41 - **10%**: - BL_I: 0.56 - ROAR_kp: 0.41 - BL_II: 0.37 - ROAR_co: 0.40 - **30%**: - BL_I: 0.53 - ROAR_kp: 0.52 - BL_II: 0.40 - ROAR_co: 0.40 --- ### Key Observations 1. **Backdoor-Vulnerability (a)**: - BL_I and ROAR_kp show significant improvement at 30% (0.45 and 0.32, respectively), while BL_II and ROAR_co remain low. - ROAR_co's value at 30% (0.57) is higher than BL_II (0.71), suggesting ROAR_co may outperform BL_II in this scenario. 2. **Backdoor-Diagnosis (b)**: - BL_I and ROAR_kp show moderate gains at 30% (0.30 and 0.20), while BL_II and ROAR_co have higher values (0.52 and 0.44). 3. **Backdoor-Freebase (c)**: - All methods perform poorly at 30%, with BL_I and ROAR_kp dropping to 0.04 and 0.00, respectively. 4. **Targeted-Vulnerability (d)**: - BL_I and ROAR_kp dominate at 0% (0.88 and 0.93), while ROAR_co is the weakest (0.06). - At 30%, BL_II (0.71) outperforms ROAR_co (0.57). 5. **Targeted-Diagnosis (e)**: - BL_I and ROAR_kp maintain high performance (0.68 and 0.54 at 10%), while BL_II and ROAR_co are negligible. 6. **Targeted-Freebase (f)**: - All methods show similar performance at 30%, with BL_I and ROAR_kp slightly higher (0.53 and 0.52). --- ### Interpretation - **Method Effectiveness**: - **BL_I** and **ROAR_kp** consistently outperform other methods in most scenarios, particularly in **Targeted-Vulnerability** and **Targeted-Diagnosis**. - **ROAR_co** shows mixed results, excelling in **Backdoor-Vulnerability** (30%) but underperforming in others. - **BL_II** is the weakest in most cases, except in **Backdoor-Vulnerability** (30%) and **Targeted-Freebase** (30%). - **Attack Percentage Impact**: - Higher attack percentages (30%) generally reduce performance for all methods, except **ROAR_co** in **Backdoor-Vulnerability** (30%). - **Anomalies**: - Discrepancies in data points (e.g., ROAR_co's 30% value in (a) and (b)) suggest potential errors in the original data or visualization. - **ROAR_co's** performance in **Backdoor-Vulnerability** (30%) is unusually high compared to other methods, warranting further investigation. - **Implications**: - **BL_I** and **ROAR_kp** are the most robust methods across scenarios, suggesting they are better suited for handling vulnerabilities and diagnoses. - **ROAR_co's** inconsistent performance highlights the need for context-specific evaluation. This analysis underscores the importance of method selection based on the specific attack scenario and attack percentage. </details> Figure 10: Attack performance (HIT@ $5$ ) on target queries ${\mathcal{Q}}^{*}$ . The measures are the absolute HIT@ $5$ after the attacks. Filtering of poisoning facts. Intuitively, as they are artificially injected, poisoning facts tend to be misaligned with their neighboring entities/relations in KGs. Thus, we propose to detect misaligned facts and filter them out to mitigate the influence of poisoning facts. Specifically, we use Eq. 5 to measure the “fitness” of each fact $v\mathrel{\text{\scriptsize$\xrightarrow[]{r}$}}v^{\prime}$ and then remove $m\$ of the facts with the lowest fitness scores. <details> <summary>x11.png Details</summary>  ### Visual Description ## 3D Surface Plots: Defense/Attack Budget Impact on Backdoor and Targeted Scenarios ### Overview The image contains six 3D surface plots visualizing the relationship between defense budget, attack budget, and three metrics: Backdoor-Vulnerability, Backdoor-Diagnosis, Backdoor-Freebase, Targeted-Vulnerability, Targeted-Diagnosis, and Targeted-Freebase. Each plot uses a color gradient (blue to purple) to represent metric values, with numerical annotations at key points. --- ### Components/Axes **Common Axes Across All Plots:** - **X-axis**: Defense budget (0–4) - **Y-axis**: Attack budget (0–4) - **Z-axis**: Metric values (ranging from 0.00 to 0.90) - **Color gradient**: Blue (low values) to purple (high values) **Plot-Specific Labels:** 1. **(a) Backdoor-Vulnerability**: Z-axis values annotated as 0.55, 0.68, 0.80 2. **(b) Backdoor-Diagnosis**: Z-axis values annotated as 0.37, 0.38, 0.67 3. **(c) Backdoor-Freebase**: Z-axis values annotated as 0.51, 0.62, 0.84 4. **(d) Targeted-Vulnerability**: Z-axis values annotated as 0.13, 0.50, 0.70 5. **(e) Targeted-Diagnosis**: Z-axis values annotated as 0.00, 0.05, 0.40 6. **(f) Targeted-Freebase**: Z-axis values annotated as 0.14, 0.22, 0.35 --- ### Detailed Analysis #### (a) Backdoor-Vulnerability - **Trend**: Values increase with higher defense budgets (0.55 → 0.80) and decrease with higher attack budgets. - **Key Points**: - Max vulnerability (0.80) at defense=4, attack=0 - Min vulnerability (0.54) at defense=0, attack=4 #### (b) Backdoor-Diagnosis - **Trend**: Peaks at defense=4, attack=0 (0.67), then declines sharply with increasing attack budgets. - **Key Points**: - Max diagnosis (0.67) at defense=4, attack=0 - Min diagnosis (0.34) at defense=0, attack=4 #### (c) Backdoor-Freebase - **Trend**: High values (0.84) at defense=4, attack=0; drops to 0.51 at defense=0, attack=4. - **Key Points**: - Max freebase (0.84) at defense=4, attack=0 - Min freebase (0.51) at defense=0, attack=4 #### (d) Targeted-Vulnerability - **Trend**: High values (0.70) at defense=4, attack=0; drops to 0.13 at defense=0, attack=4. - **Key Points**: - Max vulnerability (0.70) at defense=4, attack=0 - Min vulnerability (0.13) at defense=0, attack=4 #### (e) Targeted-Diagnosis - **Trend**: Very low values (0.00–0.40), peaking at defense=4, attack=0 (0.40). - **Key Points**: - Max diagnosis (0.40) at defense=4, attack=0 - Min diagnosis (0.00) at defense=0, attack=4 #### (f) Targeted-Freebase - **Trend**: Moderate values (0.14–0.35), peaking at defense=4, attack=0 (0.35). - **Key Points**: - Max freebase (0.35) at defense=4, attack=0 - Min freebase (0.14) at defense=0, attack=4 --- ### Key Observations 1. **Defense Budget Impact**: Higher defense budgets consistently correlate with higher metric values across all scenarios. 2. **Attack Budget Impact**: Increased attack budgets reduce metric values, particularly in Backdoor and Targeted scenarios. 3. **Scenario Differences**: - **Backdoor scenarios** (a–c) show higher values than Targeted scenarios (d–f). - **Freebase metrics** (c, f) are consistently lower than Backdoor/Targeted metrics. 4. **Anomalies**: - Targeted-Diagnosis (e) shows near-zero values at defense=0, attack=4, suggesting ineffective diagnosis under high attack pressure. --- ### Interpretation The data demonstrates that: - **Defense strategies** significantly mitigate Backdoor and Targeted vulnerabilities/diagnosis, with the strongest effect at maximum defense budgets (4). - **Attack budgets** inversely correlate with metric values, indicating that higher attack resources degrade system resilience. - **Freebase metrics** (c, f) represent baseline performance, showing lower sensitivity to budget changes compared to Backdoor/Targeted scenarios. - **Targeted scenarios** (d–f) exhibit the most dramatic drops under high attack budgets, suggesting they are more vulnerable to resource-intensive attacks. This analysis implies that prioritizing defense budgets improves system robustness, particularly against Backdoor threats, while attack budgets pose a proportional risk. The Freebase metrics may reflect general system health, less influenced by specific attack/defense dynamics. </details> Figure 11: Performance of ROAR ${}_{\mathrm{co}}$ against adversarial training with respect to varying settings of attack $n_{\mathrm{q}}$ and defense $n_{\mathrm{q}}$ (note: in targeted attacks, the attack performance is measured by the HIT@ $5$ drop). Table 10 measures the KGR performance on non-target queries ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ and the Figure 10 measures attack performance on target queries ${\mathcal{Q}}^{*}$ as functions of $m$ . We have the following observations. (i) The filtering degrades the attack performance. For instance, the HIT@ $5$ of ROAR ${}_{\mathrm{kp}}$ drops by 0.23 in the backdoor attacks against vulnerability queries as $m$ increases from 10 to 30. (ii) Compared with ROAR ${}_{\mathrm{kp}}$ , ROAR ${}_{\mathrm{co}}$ is less sensitive to filtering, which is explained by its use of both knowledge poisoning and query misguiding, with one attack vector compensating for the other. (iii) The filtering also significantly impacts the KGR performance (e.g., its HIT@ $5$ drops by 0.28 under $m$ = 30), suggesting the inherent trade-off between attack resilience and KGR performance. | Query | Removal ratio ( $m\$ ) | | | | --- | --- | --- | --- | | 0% | 10% | 30% | | | vulnerability | 1.00 | 0.93 | 0.72 | | diagnosis | 0.87 | 0.84 | 0.67 | | Freebase | 0.70 | 0.66 | 0.48 | Table 10: KGR performance (HIT@ $5$ ) on non-target queries ${\mathcal{Q}}\setminus{\mathcal{Q}}^{*}$ . Training with adversarial queries. We further extend the adversarial training [48] strategy to defend against ROAR ${}_{\mathrm{co}}$ . Specifically, we generate an adversarial version $q^{*}$ for each query $q$ using ROAR ${}_{\mathrm{co}}$ and add $(q^{*},\llbracket q\rrbracket)$ to the training set, where $\llbracket q\rrbracket$ is $q$ ’s ground-truth answer. We measure the performance of ROAR ${}_{\mathrm{co}}$ under varying settings of $n_{\text{q}}$ used in ROAR ${}_{\mathrm{co}}$ and that used in adversarial training, with results shown in Figure 11. Observe that adversarial training degrades the attack performance against the backdoor attacks (Figure 11 a-c) especially when the defense $n_{\text{q}}$ is larger than the attack $n_{\text{q}}$ . However, the defense is much less effective on the targeted attacks (Figure 11 d-f). This can be explained by the larger attack surface of targeted attacks, which only need to force erroneous reasoning rather than backdoor reasoning. Further, it is inherently ineffective against ROAR ${}_{\mathrm{kp}}$ (when the attack $n_{\text{q}}=0$ in ROAR ${}_{\mathrm{co}}$ ), which does not rely on query misguiding. We can thus conclude that, to defend against the threats to KGR, it is critical to (i) integrate multiple defense mechanisms and (ii) balance attack resilience and KGR performance. ### 6.3 Limitations Other threat models and datasets. While ROAR instantiates several attacks in the threat taxonomy in § 3, there are many other possible attacks against KGR. For example, if the adversary has no knowledge about the KGs used in the KGR systems, is it possible to build surrogate KGs from scratch or construct attacks that transfer across different KG domains? Further, the properties of specific KGs (e.g., size, connectivity, and skewness) may potentially bias our findings. We consider exploring other threat models and datasets from other domains as our ongoing research. Alternative reasoning tasks. We mainly focus on reasoning tasks with one target entity. There exist other reasoning tasks (e.g., path reasoning [67] finds a logical path with given starting and end entities). Intuitively, ROAR is ineffective in such tasks as it requires knowledge about the logical path to perturb intermediate entities on the path. It is worth exploring the vulnerability of such alternative reasoning tasks. Input-space attacks. While ROAR directly operates on KGs (or queries), there are scenarios in which KGs (or queries) are extracted from real-world inputs. For instance, threat-hunting queries may be generated based on software testing and inspection. In such scenarios, it requires the perturbation to KGs (or queries) to be mapped to valid inputs (e.g., functional programs). ## 7 Related work Machine learning security. Machine learning models are becoming the targets of various attacks [20]: adversarial evasion crafts adversarial inputs to deceive target models [31, 24]; model poisoning modifies target models’ behavior by polluting training data [39]; backdoor injection creates trojan models such that trigger-embedded inputs are misclassified [46, 43]; functionality stealing constructs replicate models functionally similar to victim models [64]. In response, intensive research is conducted on improving the attack resilience of machine learning models. For instance, existing work explores new training strategies (e.g., adversarial training) [48] and detection mechanisms [29, 42] against adversarial evasion. Yet, such defenses often fail when facing adaptive attacks [17, 45], resulting in a constant arms race. Graph learning security. Besides general machine learning security, one line of work focuses on the vulnerability of graph learning [41, 65, 69], including adversarial [72, 66, 21], poisoning [73], and backdoor [68] attacks. This work differs from existing attacks against graph learning in several major aspects. (i) Data complexity – while KGs are special forms of graphs, they contain much richer relational information beyond topological structures. (ii) Attack objectives – we focus on attacking the logical reasoning task, whereas most existing attacks aim at the classification [72, 66, 73] or link prediction task [21]. (iii) Roles of graphs/KGs – we target KGR systems with KGs as backend knowledge bases while existing attacks assume graphs as input data to graph learning. (iv) Attack vectors – we generate plausible poisoning facts or bait evidence, which are specifically applicable to KGR; in contrast, previous attacks directly perturb graph structures [66, 21, 73] or node features [72, 68]. Knowledge graph security. The security risks of KGs are gaining growing attention [70, 19, 18, 54, 56]. Yet, most existing work focuses on the task of link prediction (KG completion) and the attack vector of directly modifying KGs. This work departs from prior work in major aspects: (i) we consider reasoning tasks (e.g., processing logical queries), which require vastly different processing from predictive tasks (details in Section § 2); (ii) existing attacks rely on directly modifying the topological structures of KGs (e.g., adding/deleting edges) without accounting for their semantics, while we assume the adversary influences KGR through indirect means with semantic constraints (e.g., injecting probable relations or showing misleading evidence); (iii) we evaluate the attacks in real-world KGR applications; and (iv) we explore potential countermeasures against the proposed attacks. ## 8 Conclusion This work represents a systematic study of the security risks of knowledge graph reasoning (KGR). We present ROAR, a new class of attacks that instantiate a variety of threats to KGR. We demonstrate the practicality of ROAR in domain-specific and general KGR applications, raising concerns about the current practice of training and operating KGR. We also discuss potential mitigation against ROAR, which sheds light on applying KGR in a more secure manner. ## References - [1] CVE Details. https://www.cvedetails.com. - [2] Cyscale Complete cloud visibility & control platform. https://cyscale.com. - [3] DRKG - Drug Repurposing Knowledge Graph for Covid-19. https://github.com/gnn4dr/DRKG/. - [4] DrugBank. https://go.drugbank.com. - [5] Freebase (database). https://en.wikipedia.org/wiki/Freebase_(database). - [6] Gartner Identifies Top 10 Data and Analytics Technology Trends for 2021. https://www.gartner.com/en/newsroom/press-releases/2021-03-16-gartner-identifies-top-10-data-and-analytics-technologies-trends-for-2021. - [7] Hetionet. https://het.io. - [8] Knowledge Graph Search API. https://developers.google.com/knowledge-graph. - [9] Logrhythm MITRE ATT&CK Module. https://docs.logrhythm.com/docs/kb/threat-detection. - [10] MITRE ATT&CK. https://attack.mitre.org. - [11] National Vulnerability Database. https://nvd.nist.gov. - [12] QIAGEN Clinical Analysis and Interpretation Services. https://digitalinsights.qiagen.com/services-overview/clinical-analysis-and-interpretation-services/. - [13] The QIAGEN Knowledge Base. https://resources.qiagenbioinformatics.com/flyers-and-brochures/QIAGEN_Knowledge_Base.pdf. - [14] YAGO: A High-Quality Knowledge Base. https://yago-knowledge.org/. - [15] Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. Understanding the Mirai Botnet. In Proceedings of USENIX Security Symposium (SEC), 2017. - [16] Erik Arakelyan, Daniel Daza, Pasquale Minervini, and Michael Cochez. Complex Query Answering with Neural Link Predictors. In Proceedings of International Conference on Learning Representations (ICLR), 2021. - [17] Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples. In Proceedings of IEEE Conference on Machine Learning (ICML), 2018. - [18] Peru Bhardwaj, John Kelleher, Luca Costabello, and Declan O’Sullivan. Adversarial Attacks on Knowledge Graph Embeddings via Instance Attribution Methods. Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2021. - [19] Peru Bhardwaj, John Kelleher, Luca Costabello, and Declan O’Sullivan. Poisoning Knowledge Graph Embeddings via Relation Inference Patterns. ArXiv e-prints, 2021. - [20] Battista Biggio and Fabio Roli. Wild Patterns: Ten Years after The Rise of Adversarial Machine Learning. Pattern Recognition, 84:317–331, 2018. - [21] Aleksandar Bojchevski and Stephan Günnemann. Adversarial Attacks on Node Embeddings via Graph Poisoning. In Proceedings of IEEE Conference on Machine Learning (ICML), 2019. - [22] Antoine Bordes, Nicolas Usunier, Alberto Garcia-Durán, Jason Weston, and Oksana Yakhnenko. Translating Embeddings for Modeling Multi-Relational Data. In Proceedings of Advances in Neural Information Processing Systems (NeurIPS), 2013. - [23] Nicholas Carlini, Matthew Jagielski, Christopher A Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, and Florian Tramèr. Poisoning Web-Scale Training Datasets is Practical. In ArXiv e-prints, 2023. - [24] Nicholas Carlini and David A. Wagner. Towards Evaluating the Robustness of Neural Networks. In Proceedings of IEEE Symposium on Security and Privacy (S&P), 2017. - [25] Antonio Emanuele Cinà, Kathrin Grosse, Ambra Demontis, Sebastiano Vascon, Werner Zellinger, Bernhard A Moser, Alina Oprea, Battista Biggio, Marcello Pelillo, and Fabio Roli. Wild Patterns Reloaded: A Survey of Machine Learning Security against Training Data Poisoning. In ArXiv e-prints, 2022. - [26] The Conversation. Study Shows AI-generated Fake Cybersecurity Reports Fool Experts. https://theconversation.com/study-shows-ai-generated-fake-reports-fool-experts-160909. - [27] Nilesh Dalvi and Dan Suciu. Efficient Query Evaluation on Probabilistic Databases. The VLDB Journal, 2007. - [28] Peng Gao, Fei Shao, Xiaoyuan Liu, Xusheng Xiao, Zheng Qin, Fengyuan Xu, Prateek Mittal, Sanjeev R Kulkarni, and Dawn Song. Enabling Efficient Cyber Threat Hunting with Cyber Threat Intelligence. In Proceedings of International Conference on Data Engineering (ICDE), 2021. - [29] Timon Gehr, Matthew Mirman, Dana Drachsler-Cohen, Petar Tsankov, Swarat Chaudhuri, and Martin Vechev. AI2: Safety and Robustness Certification of Neural Networks with Abstract Interpretation. In Proceedings of IEEE Symposium on Security and Privacy (S&P), 2018. - [30] Fan Gong, Meng Wang, Haofen Wang, Sen Wang, and Mengyue Liu. SMR: Medical Knowledge Graph Embedding for Safe Medicine Recommendation. Big Data Research, 2021. - [31] Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and Harnessing Adversarial Examples. In Proceedings of International Conference on Learning Representations (ICLR), 2015. - [32] Kelvin Guu, John Miller, and Percy Liang. Traversing Knowledge Graphs in Vector Space. In Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2015. - [33] William L. Hamilton, Payal Bajaj, Marinka Zitnik, Dan Jurafsky, and Jure Leskovec. Embedding Logical Queries on Knowledge Graphs. In Proceedings of Advances in Neural Information Processing Systems (NeurIPS), 2018. - [34] Wajih Ul Hassan, Adam Bates, and Daniel Marino. Tactical Provenance Analysis for Endpoint Detection and Response Systems. In Proceedings of IEEE Symposium on Security and Privacy (S&P), 2020. - [35] Shizhu He, Kang Liu, Guoliang Ji, and Jun Zhao. Learning to Represent Knowledge Graphs with Gaussian Embedding. In Proceeddings of ACM Conference on Information and Knowledge Management (CIKM), 2015. - [36] Erik Hemberg, Jonathan Kelly, Michal Shlapentokh-Rothman, Bryn Reinstadler, Katherine Xu, Nick Rutar, and Una-May O’Reilly. Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting. ArXiv e-prints, 2020. - [37] Keman Huang, Michael Siegel, and Stuart Madnick. Systematically Understanding the Cyber Attack Business: A Survey. ACM Computing Surveys (CSUR), 2018. - [38] Haozhe Ji, Pei Ke, Shaohan Huang, Furu Wei, Xiaoyan Zhu, and Minlie Huang. Language Generation with Multi-hop Reasoning on Commonsense Knowledge Graph. In Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2020. - [39] Yujie Ji, Xinyang Zhang, Shouling Ji, Xiapu Luo, and Ting Wang. Model-Reuse Attacks on Deep Learning Systems. In Proceedings of ACM Conference on Computer and Communications (CCS), 2018. - [40] Peter E Kaloroumakis and Michael J Smith. Toward a Knowledge Graph of Cybersecurity Countermeasures. The MITRE Corporation, 2021. - [41] Thomas N. Kipf and Max Welling. Semi-Supervised Classification with Graph Convolutional Networks. In Proceedings of International Conference on Learning Representations (ICLR), 2017. - [42] Changjiang Li, Shouling Ji, Haiqin Weng, Bo Li, Jie Shi, Raheem Beyah, Shanqing Guo, Zonghui Wang, and Ting Wang. Towards Certifying the Asymmetric Robustness for Neural Networks: Quantification and Applications. IEEE Transactions on Dependable and Secure Computing, 19(6):3987–4001, 2022. - [43] Changjiang Li, Ren Pang, Zhaohan Xi, Tianyu Du, Shouling Ji, Yuan Yao, and Ting Wang. Demystifying Self-supervised Trojan Attacks. 2022. - [44] Bill Yuchen Lin, Xinyue Chen, Jamin Chen, and Xiang Ren. Kagnet: Knowledge-aware Graph Networks for Commonsense Reasoning. In Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2019. - [45] Xiang Ling, Shouling Ji, Jiaxu Zou, Jiannan Wang, Chunming Wu, Bo Li, and Ting Wang. DEEPSEC: A Uniform Platform for Security Analysis of Deep Learning Model. In Proceedings of IEEE Symposium on Security and Privacy (S&P), 2019. - [46] Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. Trojaning Attack on Neural Networks. In Proceedings of Network and Distributed System Security Symposium (NDSS), 2018. - [47] Logrhythm. Using MITRE ATT&CK in Threat Hunting and Detection. https://logrhythm.com/uws-using-mitre-attack-in-threat-hunting-and-detection-white-paper/. - [48] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards Deep Learning Models Resistant to Adversarial Attacks. In Proceedings of International Conference on Learning Representations (ICLR), 2018. - [49] Fabrizio Mafessoni, Rashmi B Prasad, Leif Groop, Ola Hansson, and Kay Prüfer. Turning Vice into Virtue: Using Batch-effects to Detect Errors in Large Genomic Data Sets. Genome biology and evolution, 10(10):2697–2708, 2018. - [50] Sadegh M Milajerdi, Rigel Gjomemo, Birhanu Eshete, Ramachandran Sekar, and VN Venkatakrishnan. Holmes: Real-time APT Detection through Correlation of Suspicious Information Flows. In Proceedings of IEEE Symposium on Security and Privacy (S&P), 2019. - [51] Shaswata Mitra, Aritran Piplai, Sudip Mittal, and Anupam Joshi. Combating Fake Cyber Threat Intelligence Using Provenance in Cybersecurity Knowledge Graphs. In 2021 IEEE International Conference on Big Data (Big Data). IEEE, 2021. - [52] Sudip Mittal, Anupam Joshi, and Tim Finin. Cyber-all-intel: An AI for Security Related Threat Intelligence. In ArXiv e-prints, 2019. - [53] Bethany Percha and Russ B Altman. A Global Network of Biomedical Relationships Derived from Text. Bioinformatics, 2018. - [54] Pouya Pezeshkpour, Yifan Tian, and Sameer Singh. Investigating Robustness and Interpretability of Link Prediction via Adversarial Modifications. ArXiv e-prints, 2019. - [55] Radware. “BrickerBot” Results In Permanent Denial-of-Service. https://www.radware.com/security/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/. - [56] Mrigank Raman, Aaron Chan, Siddhant Agarwal, Peifeng Wang, Hansen Wang, Sungchul Kim, Ryan Rossi, Handong Zhao, Nedim Lipka, and Xiang Ren. Learning to Deceive Knowledge Graph Augmented Models via Targeted Perturbation. Proceedings of International Conference on Learning Representations (ICLR), 2021. - [57] Priyanka Ranade, Aritran Piplai, Sudip Mittal, Anupam Joshi, and Tim Finin. Generating Fake Cyber Threat Intelligence Using Transformer-based Models. In 2021 International Joint Conference on Neural Networks (IJCNN). IEEE, 2021. - [58] Hongyu Ren, Hanjun Dai, Bo Dai, Xinyun Chen, Michihiro Yasunaga, Haitian Sun, Dale Schuurmans, Jure Leskovec, and Denny Zhou. LEGO: Latent Execution-Guided Reasoning for Multi-Hop Question Answering on Knowledge Graphs. In Proceedings of IEEE Conference on Machine Learning (ICML), 2021. - [59] Hongyu Ren, Weihua Hu, and Jure Leskovec. Query2box: Reasoning over Knowledge Graphs in Vector Space using Box Embeddings. In Proceedings of International Conference on Learning Representations (ICLR), 2020. - [60] Hongyu Ren and Jure Leskovec. Beta Embeddings for Multi-Hop Logical Reasoning in Knowledge Graphs. In Proceedings of Advances in Neural Information Processing Systems (NeurIPS), 2020. - [61] Anderson Rossanez, Julio Cesar dos Reis, Ricardo da Silva Torres, and Hèléne de Ribaupierre. KGen: A Knowledge Graph Generator from Biomedical Scientific Literature. BMC Medical Informatics and Decision Making, 20(4):314, 2020. - [62] Alberto Santos, Ana R Colaço, Annelaura B Nielsen, Lili Niu, Maximilian Strauss, Philipp E Geyer, Fabian Coscia, Nicolai J Wewer Albrechtsen, Filip Mundt, Lars Juhl Jensen, et al. A Knowledge Graph to Interpret Clinical Proteomics Data. Nature Biotechnology, 2022. - [63] Komal Teru, Etienne Denis, and Will Hamilton. Inductive Relation Prediction by Subgraph Reasoning. In Proceedings of IEEE Conference on Machine Learning (ICML), 2020. - [64] Florian Tramèr, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. Stealing Machine Learning Models via Prediction APIs. In Proceedings of USENIX Security Symposium (SEC), 2016. - [65] Petar Veličković, Guillem Cucurull, Arantxa Casanova, Adriana Romero, Pietro Liò, and Yoshua Bengio. Graph Attention Networks. In Proceedings of International Conference on Learning Representations (ICLR), 2018. - [66] Binghui Wang and Neil Zhenqiang Gong. Attacking Graph-based Classification via Manipulating the Graph Structure. In Proceedings of ACM SAC Conference on Computer and Communications (CCS), 2019. - [67] Xiang Wang, Dingxian Wang, Canran Xu, Xiangnan He, Yixin Cao, and Tat-Seng Chua. Explainable Reasoning over Knowledge Graphs for Recommendation. In Proceedings of AAAI Conference on Artificial Intelligence (AAAI), 2019. - [68] Zhaohan Xi, Ren Pang, Shouling Ji, and Ting Wang. Graph backdoor. In Proceedings of USENIX Security Symposium (SEC), 2021. - [69] Kaidi Xu, Hongge Chen, Sijia Liu, Pin-Yu Chen, Tsui-Wei Weng, Mingyi Hong, and Xue Lin. Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective. In Proceedings of International Joint Conference on Artificial Intelligence (IJCAI), 2019. - [70] Hengtong Zhang, Tianhang Zheng, Jing Gao, Chenglin Miao, Lu Su, Yaliang Li, and Kui Ren. Data Poisoning Attack against Knowledge Graph Embedding. In Proceedings of International Joint Conference on Artificial Intelligence (IJCAI), 2019. - [71] Yongjun Zhu, Chao Che, Bo Jin, Ningrui Zhang, Chang Su, and Fei Wang. Knowledge-driven drug repurposing using a comprehensive drug knowledge graph. Health Informatics Journal, 2020. - [72] Daniel Zügner, Amir Akbarnejad, and Stephan Günnemann. Adversarial Attacks on Neural Networks for Graph Data. In Proceedings of ACM International Conference on Knowledge Discovery and Data Mining (KDD), 2018. - [73] Daniel Zügner and Stephan Günnemann. Adversarial Attacks on Graph Neural Networks via Meta Learning. In Proceedings of International Conference on Learning Representations (ICLR), 2019. ## Appendix A Notations Table 11 summarizes notations and definitions used through this paper. | Notation | Definition | | --- | --- | | Knowledge graph related | | | ${\mathcal{G}}$ | a knowledge graph (KG) | | ${\mathcal{G}}^{\prime}$ | a surrogate knowledge graph | | $\langle v,r,v^{\prime}\rangle$ | a KG fact from entity $v$ to $v^{\prime}$ with relation $r$ | | ${\mathcal{N}},{\mathcal{E}},{\mathcal{R}}$ | entity, edge, and relation set of ${\mathcal{G}}$ | | ${\mathcal{G}}^{+}$ | the poisoning facts on KG | | Query related | | | $q$ | a single query | | $\llbracket q\rrbracket$ | $q$ ’s ground-truth answer(s) | | $a^{*}$ | the targeted answer | | ${\mathcal{A}}_{q}$ | anchor entities of query $q$ | | $p^{*}$ | the trigger pattern | | ${\mathcal{Q}}$ | a query set | | ${\mathcal{Q}}^{*}$ | a query set of interest (each $q\in{\mathcal{Q}}^{*}$ contains $p^{*}$ ) | | $q^{+}$ | the generated bait evidence | | $q^{*}$ | the infected query, i.e. $q^{*}=q\wedge q^{+}$ | | Model or embedding related | | | $\phi$ | a general symbol to represent embeddings | | $\phi_{{\mathcal{G}}}$ | embeddings of all KG entities | | $\phi_{v}$ | entity $v$ ’s embedding | | $\phi_{q}$ | $q$ ’s embedding | | $\phi_{{\mathcal{G}}^{+}}$ | embeddings we aim to perturb | | $\phi_{q^{+}}$ | $q^{+}$ ’s embedding | | $\psi$ | the logical operator(s) | | $\psi_{r}$ | the relation ( $r$ )-specific operator | | $\psi_{\wedge}$ | the intersection operator | | Other parameters | | | $n_{\mathrm{g}}$ | knowledge poisoning budget | | $n_{\mathrm{q}}$ | query misguiding budget | Table 11: Notations, definitions, and categories. ## Appendix B Additonal details ### B.1 KGR training Following [59], we train KGR in an end-to-end manner. Specifically, given KG ${\mathcal{G}}$ and the randomly initialized embedding function $\phi$ and transformation function $\psi$ , we sample a set of query-answer pairs $(q,\llbracket q\rrbracket)$ from ${\mathcal{G}}$ to form the training set and optimize $\phi$ and $\psi$ to minimize the loss function, which is defined as the embedding distance between the prediction regarding each $q$ and $\llbracket q\rrbracket$ . ### B.2 Parameter setting Table 12 lists the default parameter setting used in § 5. | Type | Parameter | Setting | | --- | --- | --- | | KGR | $\phi$ dimension | 300 | | $\phi$ dimension (surrogate) | 200 | | | $\psi_{r}$ architecture | 4-layer FC | | | $\psi_{\wedge}$ architecture | 4-layer FC | | | $\psi_{r}$ architecture (surrogate) | 2-layer FC | | | $\psi_{\wedge}$ architecture (surrogate) | 2-layer FC | | | Training | Learning rate | 0.001 | | Batch size | 512 | | | KGR epochs | 50000 | | | ROAR optimization epochs | 10000 | | | Optimizer (KGR and ROAR) | Adam | | | Other | $n_{\mathrm{g}}$ | 100 | | $n_{\mathrm{q}}$ | 2 | | Table 12: Default parameter setting. ### B.3 Extension to targeted attacks It is straightforward to extend ROAR to targeted attacks, in which the adversary aims to simply force KGR to make erroneous reasoning over the target queries ${\mathcal{Q}}^{*}$ . To this end, we may maximize the distance between the embedding $\phi_{q}$ of each query $q\in{\mathcal{Q}}^{*}$ and its ground-truth answer $\llbracket q\rrbracket$ . Specifically, in knowledge poisoning, we re-define the loss function in Eq. 4 as: $$ \begin{split}\ell_{\text{kp}}(\phi_{{\mathcal{G}}^{+}})=\,&\mathbb{E}_{q\in{ \mathcal{Q}}\setminus{\mathcal{Q}}^{*}}\Delta(\psi(q;\phi_{{\mathcal{G}}^{+}}) ,\phi_{\llbracket q\rrbracket})-\\ &\lambda\mathbb{E}_{q\in{\mathcal{Q}}^{*}}\Delta(\psi(q;\phi_{{\mathcal{G}}^{+ }}),\phi_{\llbracket q\rrbracket})\end{split} \tag{8} $$ In query misguiding, we re-define Eq. 6 as: $$ \ell_{\text{qm}}(\phi_{q^{+}})=-\Delta(\psi_{\wedge}(\phi_{q},\phi_{q^{+}}),\, \phi_{\llbracket q\rrbracket}) \tag{9} $$ The remaining steps are the same as the backdoor attacks. ### B.4 Additional results This part shows the additional experiments as the complement of section§ 5. Additional query tasks under variant surrogate KGs. Figure 12 presents the attack performance on other query tasks that are not included in Figure 6. We can observe a similar trend as concluded in§ 5. MRR results. Figure 14 shows the MRR of ROAR ${}_{\mathrm{co}}$ with respect to different query structures, with observations similar to Figure 7. Figure 13 shows the MRR of ROAR with respect to attack budgets ( $n_{\mathrm{g}}$ , $n_{\mathrm{q}}$ ), with observations similar to Figure 9. <details> <summary>x12.png Details</summary>  ### Visual Description ## Line Graphs: HIT@5 Performance Across Mitigation/Treatment Scenarios ### Overview The image contains six line graphs arranged in two rows (three graphs per row) comparing the performance of different mitigation/treatment strategies across varying parameter thresholds (x-axis: 1.0 → 0.3). All graphs share the same y-axis (HIT@5, 0.0–1.0) and x-axis (parameter threshold, 1.0 → 0.3). Each graph tests a different scenario: Backdoor-Mitigation, Backdoor-Treatment, Backdoor-Commonsense (WordNet), Targeted-Mitigation, Targeted-Treatment, and Targeted-Commonsense (WordNet). --- ### Components/Axes - **Y-axis**: HIT@5 (0.0–1.0) – Likely measures task performance or accuracy. - **X-axis**: Parameter threshold (1.0 → 0.3) – Represents a tunable parameter. </details> Figure 12: ROAR ${}_{\mathrm{kp}}$ and ROAR ${}_{\mathrm{co}}$ performance with varying overlapping ratios between the surrogate and target KGs, measured by HIT@ $5$ after the attacks on other query tasks besides Figure 6. <details> <summary>x13.png Details</summary>  ### Visual Description ## 3D Surface Plots: Model Performance vs. Resource Budgets ### Overview The image contains 12 3D surface plots arranged in two rows (6 per row), visualizing the relationship between two resource budgets (ROAR_qm and ROAR_kp) and model performance (MMR). Each plot represents a different scenario (e.g., Backdoor-Vulnerability, Targeted-Mitigation) with color gradients indicating performance levels (green = low MMR, yellow = high MMR). Numerical values are annotated on the surfaces to highlight key performance metrics. --- ### Components/Axes - **X-axis**: ROAR_kp budget (ranging from 0 to 200 in most plots, 0–4 in some) - **Y-axis**: ROAR_qm budget (ranging from 0 to 4 in most plots, 0–3 in some) - **Z-axis**: MMR (Mean Reciprocal Rank, 0.00–1.00 scale) - **Legend**: Implicit color gradient (green = low MMR, yellow = high MMR) - **Plot Titles**: - Row 1: Backdoor-Vulnerability, Backdoor-Mitigation, Backdoor-Diagnosis, Backdoor-Treatment, Backdoor-Freebase, Backdoor-WordNet - Row 2: Targeted-Vulnerability, Targeted-Mitigation, Targeted-Diagnosis, Targeted-Treatment, Targeted-Freebase, Targeted-WordNet --- ### Detailed Analysis #### Backdoor Scenarios (Row 1) 1. **(a) Backdoor-Vulnerability** - Peaks at **0.56** (ROAR_kp=150, ROAR_qm=3) and **0.55** (ROAR_kp=50, ROAR_qm=0). - Lowest MMR (**0.04**) at ROAR_kp=0, ROAR_qm=0. - Gradual increase in MMR with higher budgets. 2. **(b) Backdoor-Mitigation** - Highest MMR (**0.73**) at ROAR_kp=150, ROAR_qm=3. - Sharp drop to **0.02** at ROAR_kp=0, ROAR_qm=0. - Mitigation strategies significantly improve performance. 3. **(c) Backdoor-Diagnosis** - Moderate peak (**0.40**) at ROAR_kp=150, ROAR_qm=3. - Minimal improvement at lower budgets (**0.02** at ROAR_kp=0, ROAR_qm=0). - Less effective than mitigation. 4. **(d) Backdoor-Treatment** - High MMR (**0.72**) at ROAR_kp=150, ROAR_qm=3. - Slightly lower than mitigation (**0.73**). - Consistent improvement across budgets. 5. **(e) Backdoor-Freebase** - Low MMR (**0.00** at ROAR_kp=0, ROAR_qm=0; **0.57** at ROAR_kp=150, ROAR_qm=3). - Freebase models underperform compared to other scenarios. 6. **(f) Backdoor-WordNet** - High MMR (**0.75**) at ROAR_kp=150, ROAR_qm=3. - Slight dip to **0.55** at ROAR_kp=50, ROAR_qm=0. - WordNet integration shows strong performance. #### Targeted Scenarios (Row 2) 7. **(g) Targeted-Vulnerability** - Extremely high MMR (**0.91**) at ROAR_kp=1, ROAR_qm=3. - Drops to **0.02** at ROAR_kp=3, ROAR_qm=0. - High vulnerability correlates with extreme performance swings. 8. **(h) Targeted-Mitigation** - Moderate MMR (**0.22** at ROAR_kp=1, ROAR_qm=3; **0.02** at ROAR_kp=3, ROAR_qm=0). - Mitigation reduces performance volatility but limits peak gains. 9. **(i) Targeted-Diagnosis** - Low MMR (**0.26** at ROAR_kp=1, ROAR_qm=3; **0.00** at ROAR_kp=3, ROAR_qm=0). - Diagnosis tools underperform in targeted scenarios. 10. **(j) Targeted-Treatment** - Moderate MMR (**0.55** at ROAR_kp=1, ROAR_qm=3; **0.37** at ROAR_kp=3, ROAR_qm=0). - Treatment improves performance but less than backdoor scenarios. 11. **(k) Targeted-Freebase** - Very low MMR (**0.03** at ROAR_kp=1, ROAR_qm=3; **0.04** at ROAR_kp=3, ROAR_qm=0). - Freebase models perform poorly in targeted settings. 12. **(l) Targeted-WordNet** - Moderate MMR (**0.71** at ROAR_kp=1, ROAR_qm=3; **0.11** at ROAR_kp=3, ROAR_qm=0). - WordNet integration shows resilience in targeted scenarios. --- ### Key Observations 1. **Budget Impact**: Higher ROAR_kp and ROAR_qm budgets generally correlate with higher MMR, except in targeted scenarios where resource allocation has diminishing returns. 2. **Scenario-Specific Performance**: - Backdoor-Mitigation and Backdoor-WordNet achieve the highest MMR (0.73–0.75). - Targeted-Freebase and Targeted-Diagnosis underperform (MMR < 0.3). 3. **Anomalies**: - Targeted-Vulnerability (g) shows extreme MMR (**0.91**) at low budgets, suggesting overfitting or data leakage. - Backdoor-Freebase (e) has near-zero MMR at zero budgets, indicating baseline inefficiency. --- ### Interpretation The data demonstrates that resource allocation (ROAR_kp and ROAR_qm) significantly impacts model performance (MMR), with backdoor scenarios benefiting more from increased budgets than targeted scenarios. Mitigation and WordNet integration are critical for improving robustness, while freebase models struggle across all scenarios. The extreme performance in Targeted-Vulnerability (g) raises concerns about data quality or model overfitting. These insights highlight the need for scenario-specific resource optimization and advanced mitigation strategies to balance performance and efficiency. </details> Figure 13: ROAR ${}_{\mathrm{co}}$ performance with varying budgets (ROAR ${}_{\mathrm{kp}}$ – $n_{\mathrm{g}}$ , ROAR ${}_{\mathrm{qm}}$ – $n_{\mathrm{q}}$ ). The measures are the absolute MRR after the attacks. <details> <summary>x14.png Details</summary>  ### Visual Description ## Heatmap: Query Path Effectiveness Across Backdoor and Targeted Scenarios ### Overview The image presents a comparative heatmap analysis of query path effectiveness in four scenarios: Backdoor-Vulnerability, Backdoor-Mitigation, Targeted-Vulnerability, and Targeted-Mitigation. The data is organized into 3x4 grids (rows = number of query paths [2, 3, 5]; columns = max query path length [1-hop to 4-hop]). Color intensity (green gradient) and numerical values indicate effectiveness, with arrows showing directional trends. --- ### Components/Axes - **Y-Axis (Left)**: "Number of Query Paths" (values: 2, 3, 5) - **X-Axis (Top)**: "Max Length of Query Path" (values: 1-hop, 2-hop, 3-hop, 4-hop) - **Legend (Right)**: Color scale from 0.2 (light yellow) to 1.0 (dark green), representing effectiveness magnitude. - **Sub-Figures**: - (a) Backdoor-Vulnerability - (b) Backdoor-Mitigation - (c) Targeted-Vulnerability - (d) Targeted-Mitigation --- ### Detailed Analysis #### (a) Backdoor-Vulnerability - **Trend**: Effectiveness increases with both query paths and hop length. - Example: 5-query paths, 4-hop = **0.55** (↑) - **Key Values**: - 2-query paths: 0.53 (1-hop), 0.70 (2-hop), 0.82 (3-hop), 0.64 (4-hop) - 3-query paths: 0.41 (1-hop), 0.61 (2-hop), 0.74 (3-hop), 0.53 (4-hop) - 5-query paths: 0.30 (1-hop), 0.48 (2-hop), 0.55 (3-hop), 0.38 (4-hop) #### (b) Backdoor-Mitigation - **Trend**: Effectiveness decreases with longer hop lengths but improves with more query paths. - Example: 5-query paths, 4-hop = **0.65** (↑) - **Key Values**: - 2-query paths: 0.64 (1-hop), 0.79 (2-hop), 0.86 (3-hop), 0.86 (4-hop) - 3-query paths: 0.53 (1-hop), 0.80 (2-hop), 0.85 (3-hop), 0.85 (4-hop) - 5-query paths: 0.38 (1-hop), 0.62 (2-hop), 0.65 (3-hop), 0.65 (4-hop) #### (c) Targeted-Vulnerability - **Trend**: Effectiveness decreases with longer hop lengths but stabilizes at higher query paths. - Example: 5-query paths, 4-hop = **0.68** (↓) - **Key Values**: - 2-query paths: 0.86 (1-hop), 0.89 (2-hop), 0.91 (3-hop), 0.69 (4-hop) - 3-query paths: 0.81 (1-hop), 0.90 (2-hop), 0.90 (3-hop), 0.62 (4-hop) - 5-query paths: 0.78 (1-hop), 0.84 (2-hop), 0.86 (3-hop), 0.60 (4-hop) #### (d) Targeted-Mitigation - **Trend**: Effectiveness decreases with longer hop lengths and fewer query paths. - Example: 2-query paths, 4-hop = **0.70** (↓) - **Key Values**: - 2-query paths: 0.86 (1-hop), 0.89 (2-hop), 0.91 (3-hop), 0.69 (4-hop) - 3-query paths: 0.81 (1-hop), 0.90 (2-hop), 0.90 (3-hop), 0.62 (4-hop) - 5-query paths: 0.78 (1-hop), 0.84 (2-hop), 0.86 (3-hop), 0.60 (4-hop) --- ### Key Observations 1. **Backdoor Scenarios**: - Vulnerability peaks at 3-hop for 2-query paths (0.82 in (a)). - Mitigation improves with more query paths (e.g., 5-query paths, 4-hop = 0.65 in (b)). 2. **Targeted Scenarios**: - Vulnerability remains high even at 4-hop (0.68–0.91 in (c)). - Mitigation effectiveness drops sharply at 4-hop (0.60–0.70 in (d)). 3. **Color Consistency**: - Darker greens (closer to 1.0) dominate Backdoor-Mitigation (b) and Targeted-Vulnerability (c). - Lighter greens (closer to 0.5) appear in Backdoor-Vulnerability (a) and Targeted-Mitigation (d). --- ### Interpretation - **Query Path Trade-offs**: Increasing query paths generally improves mitigation (e.g., 5-query paths in (b) vs. 2-query paths) but may reduce vulnerability in targeted scenarios (e.g., 5-query paths in (c) vs. 2-query paths). - **Hop Length Impact**: Longer hop lengths (4-hop) correlate with reduced mitigation effectiveness across all scenarios, suggesting complexity limits defensive strategies. - **Targeted vs. Backdoor**: Targeted scenarios show higher vulnerability (0.78–0.91 in (c)) but also stronger mitigation (0.60–0.91 in (d)) compared to backdoor cases, indicating tailored attacks exploit system weaknesses more effectively. The data underscores the importance of balancing query path complexity and length to optimize security outcomes, with targeted attacks demanding more nuanced mitigation strategies. </details> Figure 14: ROAR ${}_{\mathrm{co}}$ performance (MRR) under different query structures in Figure 5, indicated by the change ( $\uparrow$ or $\downarrow$ ) before and after the attacks.