Intruding with Words: Towards Understanding Graph Injection Attacks at the Text Level

Runlin Lei, Yuwei Hu, Yuchen Ren, Zhewei Wei
2024-11-01
Abstract: Graph Neural Networks (GNNs) excel across various applications but remain vulnerable to adversarial attacks, particularly Graph Injection Attacks (GIAs), which inject malicious nodes into the original graph and pose realistic threats. Text-attributed graphs (TAGs), where nodes are associated with textual features, are crucial due to their prevalence in real-world applications and are commonly used to evaluate these vulnerabilities. However, existing research only focuses on embedding-level GIAs, which inject node embeddings rather than actual textual content, limiting their applicability and simplifying detection. In this paper, we pioneer the exploration of GIAs at the text level, presenting three novel attack designs that inject textual content into the graph. Through theoretical and empirical analysis, we demonstrate that text interpretability, a factor previously overlooked at the embedding level, plays a crucial role in attack strength. Among the designs we investigate, the Word-frequency-based Text-level GIA (WTGIA) is particularly notable for its balance between performance and interpretability. Despite the success of WTGIA, we discover that defenders can easily enhance their defenses with customized text embedding methods or large language model (LLM)-based predictors. These insights underscore the necessity for further research into the potential and practical significance of text-level GIAs.
Machine Learning, Artificial Intelligence
What problem does this paper attempt to address?
This paper attempts to address the vulnerability of Graph Neural Networks (GNNs) to Graph Injection Attacks (GIAs) in Text-Attributed Graphs (TAGs). Specifically, existing research mainly focuses on embedding-level GIAs, that is, attacks launched by injecting node embeddings rather than the actual text content. However, this setting has the following limitations in real-world applications:

1. **Unrealistic attack setting**: In real-world scenarios, such as social networks or citation networks, attackers are more likely to upload new nodes with original text (for example, forged papers) than to manipulate node embeddings directly.
2. **Lack of interpretability**: Small perturbations at the embedding level may lead to large semantic changes, making it difficult for the injected nodes to convey understandable semantic information.
3. **Ease of detection**: Since attackers usually can only access the original text and cannot obtain the processed embeddings used by the defender, the embeddings generated by the attackers have a different structure from those used by the defender and are therefore more easily detected.

To solve the above problems, the paper explores text-level GIAs and proposes three new attack designs:

- **Word-frequency-based Text-level GIA (WTGIA)**: This method uses the Bag-of-Words (BoW) model to generate binary embeddings and uses large language models (LLMs) to generate coherent and harmful text.
- **Inversion-based Text-level GIA (ITGIA)**: It attempts to convert embeddings back to text, but faces the problem of generating uninterpretable text.
- **Vanilla Text-level GIA (VTGIA)**: It guides LLMs to generate adversarial text through carefully designed prompts, but its effectiveness falls short of expectations.

Through theoretical and empirical analysis, the paper reveals the important role of text interpretability in attack strength and points out that WTGIA achieves a better balance between performance and interpretability.

Nevertheless, the research also finds that defenders can significantly enhance their defense capabilities through customized text embedding methods or predictors based on large language models, which emphasizes the necessity and challenges of further research on text-level GIAs.

In summary, the main contributions of the paper include:

- Revealing the dynamic mechanism of text-level GIAs, especially for GIAs against TAGs.
- Proposing three effective text-level GIAs and demonstrating the trade-off between attack performance and text interpretability from both theoretical and empirical perspectives.
- Reflecting on the challenges of text-level graph adversarial attacks and finding that simple text-level strategies can significantly enhance defense performance.