Abstract:The sensitivity of Graph Neural Networks (GNNs) to their input graph data has drawn increasing attention to adversarial graphs. Given the widespread application of GNNs in various graph tasks, it is particularly important to study the principles and implementation of graph adversarial attacks for understanding the robustness of GNNs. Previous studies have attempted to reduce the prediction accuracy of GNNs by adding small perturbations to the graph structure or node features. However, these methods typically limit the perturbation strength within a small budget and fix the perturbation budget to a constant value when perturbing the graph structure or node features. In downstream node classification tasks, the required perturbation strengths to misclassify different nodes vary. Therefore, it is important to take domain knowledge of nodes or edges into account when setting the perturbation vector. To address this issue, we propose a special adversarial graph called DK-AdvGraph, where we meticulously tailor the perturbation vector of adversarial graphs in a highly limited black-box setting. Additionally, to better confuse GNNs, we ensure a higher similarity between nodes after perturbation while setting the perturbation vector. Our extensive experimental results demonstrate that the proposed DK-AdvGraph has practical significance in promoting the progress of GNNs in considering graph domain knowledge.

Black-Box Adversarial Attack on Graph Neural Networks Based on Node Domain Knowledge.