Heterogeneous graph neural networks (HGNNs) have achieved strong performance in many real-world applications, yet targeted backdoor poisoning on heterogeneous graphs remains less studied. We consider backdoor attacks for heterogeneous node classification, where an adversary injects a small set of trigger nodes and connections during training to force specific victim nodes to be misclassified into an attacker-chosen label at test time while preserving clean performance. We propose HeteroHBA, a generative backdoor framework that selects influential auxiliary neighbors for trigger attachment via saliency-based screening and synthesizes diverse trigger features and connection patterns to better match the local heterogeneous context. To improve stealthiness, we combine Adaptive Instance Normalization (AdaIN) with a Maximum Mean Discrepancy (MMD) loss to align the trigger feature distribution with benign statistics, thereby reducing detectability, and we optimize the attack with a bilevel objective that jointly promotes attack success and maintains clean accuracy. Experiments on multiple real-world heterogeneous graphs with representative HGNN architectures show that HeteroHBA consistently achieves higher attack success than prior backdoor baselines with comparable or smaller impact on clean accuracy; moreover, the attack remains effective under our heterogeneity-aware structural defense, CSD. These results highlight practical backdoor risks in heterogeneous graph learning and motivate the development of stronger defenses.

翻译：异质图神经网络（HGNNs）在众多实际应用中已展现出卓越性能，然而针对异质图的定向后门投毒攻击研究仍相对匮乏。本文研究异质图节点分类任务中的后门攻击，攻击者通过在训练阶段注入少量触发节点与连接，迫使特定受害节点在测试时被误分类至攻击者选定的目标类别，同时保持模型在干净样本上的性能。我们提出HeteroHBA——一种生成式后门攻击框架，该框架通过基于显著性的筛选机制为触发节点选择有影响力的辅助邻居进行连接，并合成多样化的触发特征与连接模式以更好地匹配局部异质图上下文。为提升隐蔽性，我们结合自适应实例归一化（AdaIN）与最大均值差异（MMD）损失，将触发特征分布与良性统计特征对齐以降低可检测性，并通过双层优化目标联合促进攻击成功率并维持干净准确率。在多个真实世界异质图数据集及代表性HGNN架构上的实验表明，HeteroHBA在保持对干净准确率相当或更小影响的前提下，持续取得比现有后门基线方法更高的攻击成功率；此外，该攻击在我们提出的异质图感知结构防御方法CSD下依然有效。这些结果揭示了异质图学习中实际存在的后门风险，并呼吁发展更强大的防御机制。