Graph Neural Networks (GNNs) are vulnerable to fixed-pattern backdoor attacks; existing methods fail to adequately model graph topology and node characteristics, resulting in implausible and poorly concealed triggers. This paper proposes ABARC—the first backdoor attack framework jointly optimizing plausibility constraints and adaptivity—supporting both graph-level and node-level tasks. Its core contributions include: (i) a dynamic trigger generation mechanism grounded in graph/node similarity, feature-range constraints, and type-awareness; (ii) synergistic subgraph-trigger modeling and adaptive edge pruning to enhance both attack success rate (ASR) and stealth; and (iii) robustness-aware evaluation under randomized smoothing defenses. Experiments demonstrate that ABARC achieves an ASR of 94.2% while incurring less than 0.5% clean accuracy drop (CAD), outperforming the state-of-the-art by 7.3%—significantly alleviating the fundamental trade-off between effectiveness and stealth.

Recent studies show that graph neural networks (GNNs) are vulnerable to backdoor attacks. Existing backdoor attacks against GNNs use fixed-pattern triggers and lack reasonable trigger constraints, overlooking individual graph characteristics and rendering insufficient evasiveness. To tackle the above issues, we propose ABARC, the first Adaptive Backdoor Attack with Reasonable Constraints, applying to both graph-level and node-level tasks in GNNs. For graph-level tasks, we propose a subgraph backdoor attack independent of the graph's topology. It dynamically selects trigger nodes for each target graph and modifies node features with constraints based on graph similarity, feature range, and feature type. For node-level tasks, our attack begins with an analysis of node features, followed by selecting and modifying trigger features, which are then constrained by node similarity, feature range, and feature type. Furthermore, an adaptive edge-pruning mechanism is designed to reduce the impact of neighbors on target nodes, ensuring a high attack success rate (ASR). Experimental results show that even with reasonable constraints for attack evasiveness, our attack achieves a high ASR while incurring a marginal clean accuracy drop (CAD). When combined with the state-of-the-art defense randomized smoothing (RS) method, our attack maintains an ASR over 94%, surpassing existing attacks by more than 7%.