Lilas Alrahis,Satwik Patnaik,Muhammad Shafique,Ozgur Sinanoglu

DOI: https://doi.org/10.48550/arXiv.2208.08554

2022-08-18

Abstract:Graph neural networks (GNNs) have attracted increasing attention due to their superior performance in deep learning on graph-structured data. GNNs have succeeded across various domains such as social networks, chemistry, and electronic design automation (EDA). Electronic circuits have a long history of being represented as graphs, and to no surprise, GNNs have demonstrated state-of-the-art performance in solving various EDA tasks. More importantly, GNNs are now employed to address several hardware security problems, such as detecting intellectual property (IP) piracy and hardware Trojans (HTs), to name a few. In this survey, we first provide a comprehensive overview of the usage of GNNs in hardware security and propose the first taxonomy to divide the state-of-the-art GNN-based hardware security systems into four categories: (i) HT detection systems, (ii) IP piracy detection systems, (iii) reverse engineering platforms, and (iv) attacks on logic locking. We summarize the different architectures, graph types, node features, benchmark data sets, and model evaluation of the employed GNNs. Finally, we elaborate on the lessons learned and discuss future directions.

Cryptography and Security

Lilas Alrahis,Satwik Patnaik,Muhammad Abdullah Hanif,Muhammad Shafique,Ozgur Sinanoglu

2023-03-24

Abstract:Graph neural networks (GNNs) have shown great success in detecting intellectual property (IP) piracy and hardware Trojans (HTs). However, the machine learning community has demonstrated that GNNs are susceptible to data poisoning attacks, which result in GNNs performing abnormally on graphs with pre-defined backdoor triggers (realized using crafted subgraphs). Thus, it is imperative to ensure that the adoption of GNNs should not introduce security vulnerabilities in critical security frameworks. Existing backdoor attacks on GNNs generate random subgraphs with specific sizes/densities to act as backdoor triggers. However, for Boolean circuits, backdoor triggers cannot be randomized since the added structures should not affect the functionality of a design. We explore this threat and develop PoisonedGNN as the first backdoor attack on GNNs in the context of hardware design. We design and inject backdoor triggers into the register-transfer- or the gate-level representation of a given design without affecting the functionality to evade some GNN-based detection procedures. To demonstrate the effectiveness of PoisonedGNN, we consider two case studies: (i) Hiding HTs and (ii) IP piracy. Our experiments on TrustHub datasets demonstrate that PoisonedGNN can hide HTs and IP piracy from advanced GNN-based detection platforms with an attack success rate of up to 100%.

Cryptography and Security

Ann Jelyn TIEMPO,Yong-Jin JEONG

DOI: https://doi.org/10.1587/transinf.2024edl8057

2024-01-01

IEICE Transactions on Information and Systems

Abstract:Feature-based detection method has been widely used for hardware trojan detection where hardware trojan features are explicitly extracted and trained a classifier or build an algorithm that can differentiate hardware trojan signals from normal ones. This method shows a good performance in the available benchmark circuits. However, when tested on a randomly generated circuit, that contains different structural features of benchmark circuit, it started to fail detecting the stealthy signals, because of the constraints when the features are explicitly extracted. To overcome this situation, in this paper, the authors aim to explore the benefit of graph neural network (GNN) to enhance the hardware trojan detection performance in both benchmark circuits and randomly generated circuits. More specifically, finding the appropriate representation of the digital circuit that is suitable for the GNN model and that can learn hidden feature and relationship between the signals. Experiments show satisfactory result on benchmark circuit with an average accuracy of 95.34%. Further, tests done on randomly generated circuits gives positive result with an average accuracy of 90.82%.

computer science, information systems, software engineering

Jinfu Chen,Yemin Yin,Saihua Cai,Weijia Wang,Shengran Wang,Jiming Chen

DOI: https://doi.org/10.1016/j.scico.2024.103156

IF: 1.039

2024-01-01

Science of Computer Programming

Abstract:Software vulnerability detection is a challenging task in the security field, the boom of deep learning technology promotes the development of automatic vulnerability detection. Compared with sequence-based deep learning models, graph neural network (GNN) can learn the structural features of code, it performs well in the field of vulnerability detection for source code. However, different GNNs have different detection results for the same code, and using a single kind of GNN may lead to high false positive rate and false negative rate. In addition, the complex structure of source code causes single GNN model cannot effectively learn their depth feature, thereby leading to low detection accuracy. To solve these limitations, we propose a software vulnerability detection model called iGnnVD based on the integrated graph neural networks. In the proposed iGnnVD model, the base detectors including GCN, GAT and APPNP are first constructed to capture the bidirectional information in the code graph structure with bidirectional structure; And then, the residual connection is used to aggregate the features while retaining the features each time; Finally, the convolutional layer is used to perform the aggregated classification. In addition, an integration module that analyses the detection results of three detectors for final classification is designed using a voting strategy to solve the problem of high false positive rate and false negative rate caused by using a single kind of base detector. We perform extensive experiments on three datasets and experimental results show that the proposed iGnnVD model can improve the detection accuracy of vulnerabilities in source code as well as reduce the false positive rate and false negative rate compared with existing deep learning-based vulnerability detection models, it also has good stability.

Lingshuo Meng,Yijie Bai,Yanjiao Chen,Yutong Hu,Wenyuan Xu,Haiqin Weng

DOI: https://doi.org/10.1145/3576915.3623173

2023-01-01

Abstract:Graph neural networks (GNNs) have been developed to mine useful information from graph data of various applications, e.g., health-care, fraud detection, and social recommendation. However, GNNs open up new attack surfaces for privacy attacks on graph data. In this paper, we propose Infiltrator, a privacy attack that is able to pry node-level private information based on black-box access to GNNs. Different from existing works that require prior information of the victim node, we explore the possibility of conducting the attack without any information of the victim node. Our idea is to infiltrate the graph with attacker-created nodes to befriend the victim node. More specifically, we design infiltration schemes that enable the adversary to infer the label, neighboring links, and sensitive attributes of a victim node. We evaluate Infiltrator with extensive experiments on three representative GNN models and six real-world datasets. The results demonstrate that Infiltrator can achieve an attack performance of more than 98% in all three attacks, outperforming baseline approaches. We further evaluate the defense resistance of Infiltrator against the graph homophily defender and the differentially private model.

Han Zhang,Yinhao Zhou,Ying Li

DOI: https://doi.org/10.1109/ats59501.2023.10317998

2023-01-01

Abstract:Among all hardware security threats, the malicious circuits surreptitiously inserted into third-Party Intellectual Property (3PIP) cores, known as Hardware Trojans (HTs), is one of the main concerns. The early discovery of HTs is crucial because any countermeasure after the fabrication process would be expensive or unavailable. Graph Neural Networks (GNN), with the intuitive graph representation of a hardware design, has emerged as a powerful technique to solve this problem. However, most of these networks have two limitations, including the loss of dynamic structural features and the portability issue of using trained models in other designs. To this end, we address such limitations by proposing a new edge-featured Data Flow Graph (DFG) generation method that combines circuit structures with simulation data to establish HTs detection based on Graph Attention Networks (GAT). The solution is utilizing GAT to extract the HTs features from DFG, then identifying the known and unknown HTs hidden in different circuits. We evaluate this methodology on our dataset by expanding Trusthub HTs benchmarks. The results show that our approach can realize the HTs detection with high recall and precision in a short time. Compared with the previous method, our method has more scalable capability and excellent prospects in HTs detection.

Vasudev Gohil,Satwik Patnaik,Dileep Kalathil,Jeyavijayan Rajendran

2024-02-22

Abstract:Machine learning has shown great promise in addressing several critical hardware security problems. In particular, researchers have developed novel graph neural network (GNN)-based techniques for detecting intellectual property (IP) piracy, detecting hardware Trojans (HTs), and reverse engineering circuits, to name a few. These techniques have demonstrated outstanding accuracy and have received much attention in the community. However, since these techniques are used for security applications, it is imperative to evaluate them thoroughly and ensure they are robust and do not compromise the security of integrated circuits. In this work, we propose AttackGNN, the first red-team attack on GNN-based techniques in hardware security. To this end, we devise a novel reinforcement learning (RL) agent that generates adversarial examples, i.e., circuits, against the GNN-based techniques. We overcome three challenges related to effectiveness, scalability, and generality to devise a potent RL agent. We target five GNN-based techniques for four crucial classes of problems in hardware security: IP piracy, detecting/localizing HTs, reverse engineering, and hardware obfuscation. Through our approach, we craft circuits that fool all GNNs considered in this work. For instance, to evade IP piracy detection, we generate adversarial pirated circuits that fool the GNN-based defense into classifying our crafted circuits as not pirated. For attacking HT localization GNN, our attack generates HT-infested circuits that fool the defense on all tested circuits. We obtain a similar 100% success rate against GNNs for all classes of problems.

Machine Learning,Cryptography and Security

Weitao Pan,Meng Dong,Cong Wen,Hongjin Liu,Shaolin Zhang,Bo Shi,Zhixiong Di,Zhiliang Qiu,Yiming Gao,Ling Zheng

DOI: https://doi.org/10.1587/elex.20.20230204

2023-01-01

IEICE Electronics Express

Abstract:The globalization of the integrated circuit (IC) industry has raised concerns about hardware Trojans (HT), and there is an urgent need for efficient HT-detection methods of gate-level netlists. In this work, we propose an approach to detect Trojan-nodes at the gate level, based on graph learning. The proposed method does not require any golden model and can be easily integrated into the integrated circuits design flow. In addition, we further design a unioned GNN network to combine information from the input side, output side, and neighbor side of the directed graph to generate representative node embeddings. The experimental results show that it could achieve 93.4% in recall, 91.4% in F-measure, and 90.7% in precision on average across different designs, which outperforms the state-of-the-art HT detection methods.

engineering, electrical & electronic

Xiangyu Zhao,Hanzhou Wu,Xinpeng Zhang

DOI: https://doi.org/10.1109/jiot.2023.3332848

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:The susceptibility of Graph Neural Networks (GNNs) to backdoor attacks poses a significant potential threat to GNN-based Internet of Things (IoT) systems. In such attacks, GNNs are manipulated to behave abnormally when presented with maliciously crafted samples known as trigger samples, which can be exploited by attackers for their malicious intent. To address this issue, this paper studies the vulnerability of GNNs from the attacker’s angle by proposing a novel backdoor attack on GNNs. Our technincal motivation is that most existing backdoor attacks only treat GNNs as black box and define trigger samples in the spatial domain, which lack deeper insights and further exploitation of GNNs, limiting the attacking effectiveness. Inspired by frequency-based backdoor attacks in vision domain and spectral graph theory, we propose an effective graph backdoor attack based on the spectral domain of graph data, which injects trigger signals into the frequency spectrum of normal attributed graphs. By injecting subtle trigger signal into the important frequency band of important node features, the learning of backdoor and clean data are entangled. As a result, it becomes hard for the defender to remove the backdoor without degrading the model’s normal performance, improving the robustness of the attack. Experiments on both homophilic graphs and heterophilic graphs, with commonly used GNN architectures show that our proposed method achieves high attack success rate without significantly degrading the normal performance of the victim GNN. The attack is also shown to be robust against various processing towards graph data due to the entanglement strategy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Rozhin Yasaei,Shih-Yuan Yu,Emad Kasaeyan Naeini,Mohammad Abdullah Al Faruque

DOI: https://doi.org/10.1109/dac18074.2021.9586150

2021-12-05

Abstract:Aggressive time-to-market constraints and enormous hardware design and fabrication costs have pushed the semiconductor industry toward hardware Intellectual Properties (IP) core design. However, the globalization of the integrated circuits (IC) supply chain exposes IP providers to theft and illegal redistribution of IPs. Watermarking and fingerprinting are proposed to detect IP piracy. Nevertheless, they come with additional hardware overhead and cannot guarantee IP security as advanced attacks are reported to remove the watermark, forge, or bypass it. In this work, we propose a novel methodology, GNN4IP, to assess similarities between circuits and detect IP piracy. We model the hardware design as a graph and construct a graph neural network model to learn its behavior using the comprehensive dataset of register transfer level codes and gate-level netlists that we have gathered. GNN4IP detects IP piracy with 96% accuracy in our dataset and recognizes the original IP in its obfuscated version with 100% accuracy.

Enyan Dai,Minhua Lin,Xiang Zhang,Suhang Wang

DOI: https://doi.org/10.1145/3543507.3583392

2023-02-11

Abstract:Graph Neural Networks (GNNs) have achieved promising results in various tasks such as node classification and graph classification. Recent studies find that GNNs are vulnerable to adversarial attacks. However, effective backdoor attacks on graphs are still an open problem. In particular, backdoor attack poisons the graph by attaching triggers and the target class label to a set of nodes in the training graph. The backdoored GNNs trained on the poisoned graph will then be misled to predict test nodes to target class once attached with triggers. Though there are some initial efforts in graph backdoor attacks, our empirical analysis shows that they may require a large attack budget for effective backdoor attacks and the injected triggers can be easily detected and pruned. Therefore, in this paper, we study a novel problem of unnoticeable graph backdoor attacks with limited attack budget. To fully utilize the attack budget, we propose to deliberately select the nodes to inject triggers and target class labels in the poisoning phase. An adaptive trigger generator is deployed to obtain effective triggers that are difficult to be noticed. Extensive experiments on real-world datasets against various defense strategies demonstrate the effectiveness of our proposed method in conducting effective unnoticeable backdoor attacks.

Cryptography and Security,Machine Learning

Nikhil Muralidhar,Abdullah Zubair,Nathanael Weidler,Ryan Gerdes,Naren Ramakrishnan

DOI: https://doi.org/10.48550/arXiv.2203.02095

IF: 5.414

2022-03-04

Machine Learning

Abstract:The availability of wide-ranging third-party intellectual property (3PIP) cores enables integrated circuit (IC) designers to focus on designing high-level features in ASICs/SoCs. The massive proliferation of ICs brings with it an increased number of bad actors seeking to exploit those circuits for various nefarious reasons. This is not surprising as integrated circuits affect every aspect of society. Thus, malicious logic (Hardware Trojans, HT) being surreptitiously injected by untrusted vendors into 3PIP cores used in IC design is an ever present threat. In this paper, we explore methods for identification of trigger-based HT in designs containing synthesizable IP cores without a golden model. Specifically, we develop methods to detect hardware trojans by detecting triggers embedded in ICs purely based on netlists acquired from the vendor. We propose GATE-Net, a deep learning model based on graph-convolutional networks (GCN) trained using supervised contrastive learning, for flagging designs containing randomly-inserted triggers using only the corresponding netlist. Our proposed architecture achieves significant improvements over state-of-the-art learning models yielding an average 46.99% improvement in detection performance for combinatorial triggers and 21.91% improvement for sequential triggers across a variety of circuit types. Through rigorous experimentation, qualitative and quantitative performance evaluations, we demonstrate effectiveness of GATE-Net and the supervised contrastive training of GATE-Net for HT detection.

SHI Jiangyi,WEN Cong,LIU Hongjin,WANG Zekun,ZHANG Shaolin,MA Peijun,LI Kang

DOI: https://doi.org/10.11999/JEIT221201

2023-01-01

Abstract:The globalization of the Integrated Circuit(IC) supply chain has shifted most design, manufacturing, and testing processes from a single trusted entity to a variety of untrusted third-party entities in various parts of the world. The use of untrusted Third-Party Intellectual Property(3PIP) can expose a design to significant risk of having Hardware Trojans(HTs) implanted by adversaries. These hardware trojans may cause degradation of the original design, information leakage, or even irreversible damage at the physical level, seriously jeopardizing consumer privacy, security, and company reputation. Various hardware trojan detection approaches proposed in the existing literature have the following drawbacks: the reliance on golden reference model, the requirement for test vector coverage and even the need for manual code review. At the same time, with the increase of the scale of integrated circuits, the hardware trojans with low trigger rate are more difficult to be detected Therefore, to address the above problems, a graph neural network-based HT detection method is proposed that enables the detection of gate-level hardware trojans without the need for golden reference model as well as logic tests. Graph Sample and AGgrEgate(GraphSAGE) is used to learn the high-dimensional graph features in the gate-level netlist and the attributed node features. Then supervised learning is employed for the training of the detection model. The detection capability of models with different aggregation methods and data balancing methods are explored. An average recall of 92.9% and an average F1 score of 86.2% under the evaluation of the Synopsys 90 nm generic library(SAED) based benchmark in Trust-Hub are achieved by the model, which is an 8.4% improvement in F1 score compared to state of the art. When applied to the dataset with larger data volume based on 250 nm generic library(LEDA), the average recall and F1 of combined logic type are 83.6% and 70.8% respectively, and the average recall and F1 score of timing logic type are 95.0% and 92.8% respectively.

Shuiqiao Yang,Bao Gia Doan,Paul Montague,Olivier De Vel,Tamas Abraham,Seyit Camtepe,Damith C. Ranasinghe,Salil S. Kanhere

DOI: https://doi.org/10.1145/3545948.3545976

2022-07-05

Abstract:Graph Neural Networks (GNNs) have achieved tremendous success in many graph mining tasks benefitting from the message passing strategy that fuses the local structure and node features for better graph representation learning. Despite the success of GNNs, and similar to other types of deep neural networks, GNNs are found to be vulnerable to unnoticeable perturbations on both graph structure and node features. Many adversarial attacks have been proposed to disclose the fragility of GNNs under different perturbation strategies to create adversarial examples. However, vulnerability of GNNs to successful backdoor attacks was only shown recently. In this paper, we disclose the TRAP attack, a Transferable GRAPh backdoor attack. The core attack principle is to poison the training dataset with perturbation-based triggers that can lead to an effective and transferable backdoor attack. The perturbation trigger for a graph is generated by performing the perturbation actions on the graph structure via a gradient based score matrix from a surrogate model. Compared with prior works, TRAP attack is different in several ways: i) it exploits a surrogate Graph Convolutional Network (GCN) model to generate perturbation triggers for a blackbox based backdoor attack; ii) it generates sample-specific perturbation triggers which do not have a fixed pattern; and iii) the attack transfers, for the first time in the context of GNNs, to different GNN models when trained with the forged poisoned training dataset. Through extensive evaluations on four real-world datasets, we demonstrate the effectiveness of the TRAP attack to build transferable backdoors in four different popular GNNs using four real-world datasets.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xiao Yang,Gaolei Li,Jianhua Li

2024-06-15

Abstract:Graph Neural Networks (GNNs) have significantly advanced various downstream graph-relevant tasks, encompassing recommender systems, molecular structure prediction, social media analysis, etc. Despite the boosts of GNN, recent research has empirically demonstrated its potential vulnerability to backdoor attacks, wherein adversaries employ triggers to poison input samples, inducing GNN to adversary-premeditated malicious outputs. This is typically due to the controlled training process, or the deployment of untrusted models, such as delegating model training to third-party service, leveraging external training sets, and employing pre-trained models from online sources. Although there's an ongoing increase in research on GNN backdoors, comprehensive investigation into this field is lacking. To bridge this gap, we propose the first survey dedicated to GNN backdoors. We begin by outlining the fundamental definition of GNN, followed by the detailed summarization and categorization of current GNN backdoor attacks and defenses based on their technical characteristics and application scenarios. Subsequently, the analysis of the applicability and use cases of GNN backdoors is undertaken. Finally, the exploration of potential research directions of GNN backdoors is presented. This survey aims to explore the principles of graph backdoors, provide insights to defenders, and promote future security research.

Machine Learning,Artificial Intelligence,Cryptography and Security

Ben Finkelshtein,Chaim Baskin,Evgenii Zheltonozhskii,Uri Alon

DOI: https://doi.org/10.1016/j.neucom.2022.09.115

IF: 6

2022-11-07

Neurocomputing

Abstract:Graph neural networks (GNNs) have shown broad applicability in a variety of domains. These domains, e.g., social networks and product recommendations, are fertile ground for malicious users and behavior. In this paper, we show that GNNs are vulnerable to the extremely limited (and thus quite realistic) scenarios of a single-node adversarial attack, where the perturbed node cannot be chosen by the attacker. That is, an attacker can force the GNN to classify any target node to a chosen label, by only slightly perturbing the features or the neighbors list of another single arbitrary node in the graph, even when not being able to select that specific attacker node. When the adversary is allowed to select the attacker node, these attacks are even more effective. We demonstrate empirically that our attack is effective across various common GNN types (e.g., GCN, GraphSAGE, GAT, GIN) and robustly optimized GNNs (e.g., Robust GCN, SM GCN, GAL, LAT-GCN), outperforming previous attacks across different real-world datasets both in a targeted and non-targeted attacks. Our code is available anonymously at https://github.com/gnnattack/SINGLE.

computer science, artificial intelligence

Jiazhu Dai,Haoyu Sun

2024-01-05

Abstract:Graph Neural Networks (GNNs) are a class of deep learning models capable of processing graph-structured data, and they have demonstrated significant performance in a variety of real-world applications. Recent studies have found that GNN models are vulnerable to backdoor attacks. When specific patterns (called backdoor triggers, e.g., subgraphs, nodes, etc.) appear in the input data, the backdoor embedded in the GNN models is activated, which misclassifies the input data into the target class label specified by the attacker, whereas when there are no backdoor triggers in the input, the backdoor embedded in the GNN models is not activated, and the models work normally. Backdoor attacks are highly stealthy and expose GNN models to serious security risks. Currently, research on backdoor attacks against GNNs mainly focus on tasks such as graph classification and node classification, and backdoor attacks against link prediction tasks are rarely studied. In this paper, we propose a backdoor attack against the link prediction tasks based on GNNs and reveal the existence of such security vulnerability in GNN models, which make the backdoored GNN models to incorrectly predict unlinked two nodes as having a link relationship when a trigger appear. The method uses a single node as the trigger and poison selected node pairs in the training graph, and then the backdoor will be embedded in the GNN models through the training process. In the inference stage, the backdoor in the GNN models can be activated by simply linking the trigger node to the two end nodes of the unlinked node pairs in the input data, causing the GNN models to produce incorrect link prediction results for the target node pairs.

Machine Learning,Artificial Intelligence,Cryptography and Security

Ruixuan Wang,Fred Lin,Daniel Moore,Sriram Sankar,Xun Jiao

DOI: https://doi.org/10.48550/arXiv.2212.03475

2023-04-24

Abstract:Graph neural networks (GNNs) have recently emerged as a promising learning paradigm in learning graph-structured data and have demonstrated wide success across various domains such as recommendation systems, social networks, and electronic design automation (EDA). Like other deep learning (DL) methods, GNNs are being deployed in sophisticated modern hardware systems, as well as dedicated accelerators. However, despite the popularity of GNNs and the recent efforts of bringing GNNs to hardware, the fault tolerance and resilience of GNNs have generally been overlooked. Inspired by the inherent algorithmic resilience of DL methods, this paper conducts, for the first time, a large-scale and empirical study of GNN resilience, aiming to understand the relationship between hardware faults and GNN accuracy. By developing a customized fault injection tool on top of PyTorch, we perform extensive fault injection experiments on various GNN models and application datasets. We observe that the error resilience of GNN models varies by orders of magnitude with respect to different models and application datasets. Further, we explore a low-cost error mitigation mechanism for GNN to enhance its resilience. This GNN resilience study aims to open up new directions and opportunities for future GNN accelerator design and architectural optimization.

Machine Learning

Junyuan Fang,Haixian Wen,Jiajing Wu,Qi Xuan,Zibin Zheng,Chi K. Tse

DOI: https://doi.org/10.1109/tcss.2024.3361027

2024-01-01

IEEE Transactions on Computational Social Systems

Abstract:Graph neural networks (GNNs) have found successful applications in various graph-related tasks. However, recent studies have shown that many GNNs are vulnerable to adversarial attacks. In a vast majority of existing studies, adversarial attacks on GNNs are launched via direct modification of the original graph such as adding/removing links, which may not be applicable in practice. In this article, we focus on a realistic attack operation via injecting fake nodes. The proposed global attack strategy via node injection (GANI) is designed under the comprehensive consideration of an unnoticeable perturbation setting from both structure and feature domains. Specifically, to make the node injections as imperceptible and effective as possible, we propose a sampling operation to determine the degree of the newly injected nodes, and then generate features and select neighbors for these injected nodes based on the statistical information of features and evolutionary perturbations obtained from a genetic algorithm, respectively. In particular, the proposed feature generation mechanism is suitable for both binary and continuous node features. Extensive experimental results on benchmark datasets against both general and defended GNNs show strong attack performance of GANI. Moreover, the imperceptibility analyses also demonstrate that GANI achieves a relatively unnoticeable injection on benchmark datasets.

Kailai Li,Jiawei Sun,Ruoxin Chen,Wei Ding,Kexue Yu,Jie Li,Chentao Wu

DOI: https://doi.org/10.1109/icassp49357.2023.10096675

2023-01-01

Abstract:Graph Neural Networks (GNNs) have demonstrated superior performance in numerous real-world applications. Despite their success, recent studies have shown that GNNs are vulnerable under edge inference attacks aimed to infer the connectivity of a given pair of nodes. However, existing methods primarily focus on the scenario when properties of target nodes are revealed. In this paper, we propose an edge inference attack in a more realistic and practical setting. In our threat model, the adversary cannot obtain properties of target nodes but can inject a single probing node and query the target GNN for its prediction. By connecting the probing and target nodes, the adversary can infer the connectivity of the target node pair based on the prediction of the probing node. Extensive experiments show that our attack performs comparably to ones that require properties of target nodes. And when given such auxiliary knowledge, our attack outperforms state-of-the-art methods.