Dayuan Chen,Jian Zhang,Yuqian Lv,Jinhuan Wang,Hongjie Ni,Shanqing Yu,Zhen Wang,Qi Xuan

DOI: https://doi.org/10.1109/tcss.2024.3377554

2024-01-01

Abstract:Graph neural networks (GNNs) have achieved remarkable success in various real-world applications. However, recent studies highlight the vulnerability of GNNs to malicious perturbations. Previous adversaries primarily focus on graph modifications or node injections to existing graphs, yielding promising results but with notable limitations. Graph modification attack (GMA) requires manipulation of the original graph, which is often impractical, while graph injection attack (GIA) necessitates training a surrogate model in the black-box setting, leading to significant performance degradation due to divergence between the surrogate architecture and the actual victim model. Furthermore, most methods concentrate on a single attack goal and lack a generalizable adversary to develop distinct attack strategies for diverse goals, thus limiting precise control over victim model behavior in real-world scenarios. To address these issues, we present a gradient-free generalizable adversary that injects a single malicious node to manipulate the classification result of a target node in the black-box evasion setting. We propose Gradient-free Generalizable Single Node Injection Attack, namely G^2-SNIA, a reinforcement learning framework employing Proximal Policy Optimization. By directly querying the victim model, G^2-SNIA learns patterns from exploration to achieve diverse attack goals with extremely limited attack budgets. Through comprehensive experiments over three acknowledged benchmark datasets and four prominent GNNs in the most challenging and realistic scenario, we demonstrate the superior performance of our proposed G^2-SNIA over the existing state-of-the-art baselines. Moreover, by comparing G^2-SNIA with multiple white-box evasion baselines, we confirm its capacity to generate solutions comparable to those of the best adversaries.

Yanan Jiang,Hui Xia

DOI: https://doi.org/10.1016/j.hcc.2023.100185

2024-01-01

High-Confidence Computing

Abstract:Dynamic graph neural networks (DGNNs) have demonstrated their extraordinary value in many practical applications. Nevertheless, the vulnerability of DNNs is a serious hidden danger as a small disturbance added to the model can markedly reduce its performance. At the same time, current adversarial attack schemes are implemented on static graphs, and the variability of attack models prevents these schemes from transferring to dynamic graphs. In this paper, we use the diffused attack of node injection to attack the DGNNs, and first propose the node injection attack based on structural fragility against DGNNs, named Structural Fragility-based Dynamic Graph Node Injection Attack (SFIA). SFIA firstly determines the target time based on the period weight. Then, it introduces a structural fragile edge selection strategy to establish the target nodes set and link them with the malicious node using serial inject. Finally, an optimization function is designed to generate adversarial features for malicious nodes. Experiments on datasets from four different fields show that SFIA is significantly superior to many comparative approaches. When the graph is injected with 1% of the original total number of nodes through SFIA, the link prediction Recall and MRR of the target DGNN link decrease by 17.4% and 14.3% respectively, and the accuracy of node classification decreases by 8.7%.

Junyuan Fang,Haixian Wen,Jiajing Wu,Qi Xuan,Zibin Zheng,Chi K. Tse

DOI: https://doi.org/10.1109/tcss.2024.3361027

2024-01-01

IEEE Transactions on Computational Social Systems

Abstract:Graph neural networks (GNNs) have found successful applications in various graph-related tasks. However, recent studies have shown that many GNNs are vulnerable to adversarial attacks. In a vast majority of existing studies, adversarial attacks on GNNs are launched via direct modification of the original graph such as adding/removing links, which may not be applicable in practice. In this article, we focus on a realistic attack operation via injecting fake nodes. The proposed global attack strategy via node injection (GANI) is designed under the comprehensive consideration of an unnoticeable perturbation setting from both structure and feature domains. Specifically, to make the node injections as imperceptible and effective as possible, we propose a sampling operation to determine the degree of the newly injected nodes, and then generate features and select neighbors for these injected nodes based on the statistical information of features and evolutionary perturbations obtained from a genetic algorithm, respectively. In particular, the proposed feature generation mechanism is suitable for both binary and continuous node features. Extensive experimental results on benchmark datasets against both general and defended GNNs show strong attack performance of GANI. Moreover, the imperceptibility analyses also demonstrate that GANI achieves a relatively unnoticeable injection on benchmark datasets.

Jihong Wang,Minnan Luo,Fnu Suya,Jundong Li,Zijiang Yang,Qinghua Zheng

DOI: https://doi.org/10.1007/s10618-020-00696-7

IF: 5.406

2020-06-17

Data Mining and Knowledge Discovery

Abstract:Recent studies have shown that graph convolution networks (GCNs) are vulnerable to carefully designed attacks, which aim to cause misclassification of a specific node on the graph with unnoticeable perturbations. However, a vast majority of existing works cannot handle large-scale graphs because of their high time complexity. Additionally, existing works mainly focus on manipulating existing nodes on the graph, while in practice, attackers usually do not have the privilege to modify information of existing nodes. In this paper, we develop a more scalable framework named Approximate Fast Gradient Sign Method which considers a more practical attack scenario where adversaries can only inject new vicious nodes to the graph while having no control over the original graph. Methodologically, we provide an approximation strategy to linearize the model we attack and then derive an approximate closed-from solution with a lower time cost. To have a fair comparison with existing attack methods that manipulate the original graph, we adapt them to the new attack scenario by injecting vicious nodes. Empirical experimental results show that our proposed attack method can significantly reduce the classification accuracy of GCNs and is much faster than existing methods without jeopardizing the attack performance. We have open-sourced the code of our method <a href="https://github.com/wangjhgithub/AFGSM">https://github.com/wangjhgithub/AFGSM</a>.

computer science, information systems, artificial intelligence

Xiao Zhang,Peng Bao,Shirui Pan

DOI: https://doi.org/10.1145/3616855.3635790

2024-01-01

Abstract:Graph neural networks (GNNs) have achieved impressive performance in various graph-related tasks. However, recent studies have found that GNNs are vulnerable to adversarial attacks. Node injection attacks (NIA) become an emerging scenario of graph adversarial attacks, where the attacks are performed by injecting malicious nodes into the original graph instead of directly modifying it. In this paper, we focus on a more realistic scenario of NIA, where the attacker is only allowed to inject a small number of nodes to degrade the performance of GNNs with very limited information. We analyze the susceptibility of nodes, and based on this we propose a global node injection attack framework, MaxiMal, to maximize malicious information under a strict black-box setting. MaxiMal first introduces a susceptible-reverse influence sampling strategy to select neighbor nodes that are able to spread malicious information widely. Then contrastive loss is introduced to optimize the objective by updating the edges and features of the injected nodes. Extensive experiments on three benchmark datasets demonstrate the superiority of our proposed MaxiMal over the state-of-the-art approaches.

Jintang Li,Tao Xie,Liang Chen,Fenfang Xie,Xiangnan He,Zibin Zheng

DOI: https://doi.org/10.1109/tkde.2021.3078755

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Recent studies have shown that graph neural networks (GNNs) are vulnerable against perturbations due to lack of robustness and can therefore be easily fooled. Currently, most works on attacking GNNs are mainly using gradient information to guide the attack and achieve outstanding performance. However, the high complexity of time and space makes them unmanageable for large scale graphs and becomes the major bottleneck that prevents the practical usage. We argue that the main reason is that they have to use the whole graph for attacks, resulting in the increasing time and space complexity as the data scale grows. In this work, we propose an efficient Simplified Gradient-based Attack (SGA) method to bridge this gap. SGA can cause the GNNs to misclassify specific target nodes through a multi-stage attack framework, which needs only a much smaller subgraph. In addition, we present a practical metric named Degree Assortativity Change (DAC) to measure the impacts of adversarial attacks on graph data. We evaluate our attack method on four real-world graph networks by attacking several commonly used GNNs. The experimental results demonstrate that SGA can achieve significant time and memory efficiency improvements while maintaining competitive attack performance compared to state-of-art attack techniques.

Yang Chen,Zhonglin Ye,Haixing Zhao,Lei Meng,Zhaoyang Wang,Yanlin Yang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys57074.2022.00052

2022-01-01

Abstract:In recent years, Graph Neural Networks (GNNs) have performed significantly in node classification tasks. Re-search on GNNs adversarial attacks has recently attracted attention. Many works have demonstrated that single node attacks can fool GNNs in extreme scenarios. Existing single node attacks can be divided into two main types: 1) attacking the node features; 2) injecting a single fake node. However, they have several major drawbacks: 1) they set the attack node features, which makes them not efficient; 2) they require higher privileges and don't have strict budget constraints, which makes them less concealable and easier to notice. In this paper, we propose an attack with lower privileges and strict budget constraints -Single Node Structure Attack (SNSA). Specifically, SNSA is set more efficient structure attacks and does not require higher privileges to change links. Compared to other attack models, the attack space of SNSA is small and not easily detected by GNNs. Furthermore, we study the influence of the attack node selection on SNSA and observe that it is optimal to use a gradient to select an attack node. Experiments on three common datasets demonstrate the effectiveness of our model.

Yiwei Sun,Suhang Wang,Xianfeng Tang,Tsung-Yu Hsieh,Vasant Honavar

DOI: https://doi.org/10.1145/3366423.3380149

2020-04-19

Abstract:Graph Neural Networks (GNN) offer the powerful approach to node classification in complex networks across many domains including social media, E-commerce, and FinTech. However, recent studies show that GNNs are vulnerable to attacks aimed at adversely impacting their node classification performance. Existing studies of adversarial attacks on GNN focus primarily on manipulating the connectivity between existing nodes, a task that requires greater effort on the part of the attacker in real-world applications. In contrast, it is much more expedient on the part of the attacker to inject adversarial nodes, e.g., fake profiles with forged links, into existing graphs so as to reduce the performance of the GNN in classifying existing nodes. Hence, we consider a novel form of node injection poisoning attacks on graph data. We model the key steps of a node injection attack, e.g., establishing links between the injected adversarial nodes and other nodes, choosing the label of an injected node, etc. by a Markov Decision Process. We propose a novel reinforcement learning method for Node Injection Poisoning Attacks (NIPA), to sequentially modify the labels and links of the injected nodes, without changing the connectivity between existing nodes. Specifically, we introduce a hierarchical Q-learning network to manipulate the labels of the adversarial nodes and their links with other nodes in the graph, and design an appropriate reward function to guide the reinforcement learning agent to reduce the node classification performance of GNN. The results of the experiments show that NIPA is consistently more effective than the baseline node injection attack methods for poisoning graph data on three benchmark datasets.

Mingda Ma,Hui Xia,Xin Li,Rui Zhang,Shuo Xu

DOI: https://doi.org/10.1016/j.knosys.2024.112323

IF: 8.139

2024-01-01

Knowledge-Based Systems

Abstract:While graph neural networks have achieved remarkable performance in various real-world applications, their inherent vulnerability makes them susceptible to adversarial attacks. Due to the unreliability of gradients on graph data and the lack of imperceptibility constraints on injected nodes, existing node injection attack methods have poor attack effectiveness and imperceptibility. To solve the above issues, we propose a novel untargeted node injection attack method called Classification Optimization Node Injection Attack (CONIA). CONIA performs attacks based on the classification strategy and adopts multiple measures during the attack to enhance its effectiveness and imperceptibility. For nodes of each class, CONIA first generates the initial features for injected nodes by optimizing the features of a randomly generated new node using gradients. Next, nodes are selected to connect with the injected nodes based on the gradient information and structural deficiency of this set of nodes. Finally, a feature generator is designed, and a numerical budget loss and a homophily constraint are added to optimize the features of the injected nodes. Ultimately, detailed experimental results confirm that CONIA can enhance attack effectiveness while maintaining imperceptibility. In the setting of four datasets, when injecting nodes accounting for only 3% of the total number of test set nodes into the original graph, CONIA reduces the classification accuracy of six victim models by an average of 11.24% while maintaining the imperceptibility of the injected nodes.

Peican Zhu,Zechen Pan,Keke Tang,Xiaodong Cui,Jinhuan Wang,Qi Xuan

DOI: https://doi.org/10.1109/TCSS.2024.3395794

2024-05-29

Abstract:Graph Neural Network (GNN) has achieved remarkable success in various graph learning tasks, such as node classification, link prediction and graph classification. The key to the success of GNN lies in its effective structure information representation through neighboring aggregation. However, the attacker can easily perturb the aggregation process through injecting fake nodes, which reveals that GNN is vulnerable to the graph injection attack. Existing graph injection attack methods primarily focus on damaging the classical feature aggregation process while overlooking the neighborhood aggregation process via label propagation. To bridge this gap, we propose the label-propagation-based global injection attack (LPGIA) which conducts the graph injection attack on the node classification task. Specifically, we analyze the aggregation process from the perspective of label propagation and transform the graph injection attack problem into a global injection label specificity attack problem. To solve this problem, LPGIA utilizes a label propagation-based strategy to optimize the combinations of the nodes connected to the injected node. Then, LPGIA leverages the feature mapping to generate malicious features for injected nodes. In extensive experiments against representative GNNs, LPGIA outperforms the previous best-performing injection attack method in various datasets, demonstrating its superiority and transferability.

Cryptography and Security

Zhiqiang Shan,Yuxin Ding

DOI: https://doi.org/10.1109/iaecst60924.2023.10502791

2023-01-01

Abstract:Graph neural networks have been widely used in various fields, but their security has always been of concern. Graph node injection attacks can efficiently attack and evaluate the robustness of graph neural networks. However, current node injection attack methods rarely consider the characteristic of graph data: nodes are mutually correlated rather than independent. This may reduce the success rate of single node attacks against black-box graph neural networks. To address this issue, we propose a single node injection attack method based on momentum gradient and neighbor suppression loss. Specifically, we further optimize neighboring nodes of the target node by utilizing the loss function to enhance the transferability of attacks against black-box models. Moreover, by integrating momentum update, we can stably optimize during iterations to improve the quality of adversarial example. Experimental results demonstrate that compared with the baseline method, the proposed method significantly improves the success rate of single node injection attacks against black-box graph neural networks. This research comes up with an effective approach to enhance the transferability of node injection attacks from the perspective of graph data structures.

Xiao Liu,Junjie Huang,Zihan Chen,Yi Pan,Maoyi Xiong,Wentao Zhao

DOI: https://doi.org/10.3390/app14209190

2024-01-01

Abstract:Adversarial attacks on Graph Neural Networks (GNNs) have emerged as a significant threat to the security of graph learning. Compared with Graph Modification Attacks (GMAs), Graph Injection Attacks (GIAs) are considered more realistic attacks, in which attackers perturb GNN models by injecting a small number of fake nodes. However, most existing black-box GIA methods either require comprehensive knowledge of the dataset and the ground-truth labels or a large number of queries to execute the attack, which is often unfeasible in many scenarios. In this paper, we propose an unsupervised method for leveraging the rich knowledge contained in the graph data themselves to enhance the success rate of graph injection attacks on the initial query. Specifically, we introduce GraphContrastive Learning-based Graph Injection Attack (GCIA), which consists of a node encoder, a reward predictor, and a fake node generator. The Graph Contrastive Learning (GCL)-based node encoder transforms nodes for low-dimensional continuous embedding, the reward predictor acts as a simplified surrogate for the target model, and the fake node generator produces fake nodes and edges based on several carefully designed loss functions, utilizing the node encoder and reward predictor. Extensive results demonstrate that the proposed GCIA method achieves a first query success rate of 91.2% on the Reddit dataset and improves the success rate to over 99.7% after 10 queries.

Shuchang Tao,Qi Cao,Huawei Shen,Yunfan Wu,Liang Hou,Fei Sun,Xueqi Cheng

2023-09-23

Abstract:Node injection attacks on Graph Neural Networks (GNNs) have received increasing attention recently, due to their ability to degrade GNN performance with high attack success rates. However, our study indicates that these attacks often fail in practical scenarios, since defense/detection methods can easily identify and remove the injected nodes. To address this, we devote to camouflage node injection attack, making injected nodes appear normal and imperceptible to defense/detection methods. Unfortunately, the non-Euclidean structure of graph data and the lack of intuitive prior present great challenges to the formalization, implementation, and evaluation of camouflage. In this paper, we first propose and define camouflage as distribution similarity between ego networks of injected nodes and normal nodes. Then for implementation, we propose an adversarial CAmouflage framework for Node injection Attack, namely CANA, to improve attack performance under defense/detection methods in practical scenarios. A novel camouflage metric is further designed under the guide of distribution similarity. Extensive experiments demonstrate that CANA can significantly improve the attack performance under defense/detection methods with higher camouflage or imperceptibility. This work urges us to raise awareness of the security vulnerabilities of GNNs in practical applications.

Machine Learning,Cryptography and Security

Yu Zhou,Zihao Dong,Guofeng Zhang,Jingchen Tang

2023-11-22

Abstract:While graph neural networks have achieved state-of-the-art performances in many real-world tasks including graph classification and node classification, recent works have demonstrated they are also extremely vulnerable to adversarial attacks. Most previous works have focused on attacking node classification networks under impractical white-box scenarios. In this work, we will propose a non-targeted Hard Label Black Box Node Injection Attack on Graph Neural Networks, which to the best of our knowledge, is the first of its kind. Under this setting, more real world tasks can be studied because our attack assumes no prior knowledge about (1): the model architecture of the GNN we are attacking; (2): the model's gradients; (3): the output logits of the target GNN model. Our attack is based on an existing edge perturbation attack, from which we restrict the optimization process to formulate a node injection attack. In the work, we will evaluate the performance of the attack using three datasets, COIL-DEL, IMDB-BINARY, and NCI1.

Machine Learning,Cryptography and Security,Social and Information Networks

Yang Chen,Zhonglin Ye,Zhaoyang Wang,Haixing Zhao

DOI: https://doi.org/10.1007/s40747-023-01200-6

IF: 6.7

2024-01-01

Complex & Intelligent Systems

Abstract:In recent years, Graph Neural Networks (GNNs) have achieved excellent applications in classification or prediction tasks. Recent studies have demonstrated that GNNs are vulnerable to adversarial attacks. Graph Modification Attack (GMA) and Graph Injection Attack (GIA) are commonly attack strategies. Most graph adversarial attack methods are based on GMA, which has a clear drawback: the attacker needs high privileges to modify the original graph, making it difficult to execute in practice. GIA can perform attacks without modifying the original graph. However, many GIA models fail to take care of attack invisibility, i.e., fake nodes can be easily distinguished from the original nodes. To solve the above issue, we propose an imperceptible graph injection attack, named IMGIA. Specifically, IMGIA uses the normal distribution sampling and mask learning to generate fake node features and links respectively, and then uses the homophily unnoticeability constraint to improve the camouflage of the attack. Our extensive experiments on three benchmark datasets demonstrate that IMGIA performs better than the existing state-of-the-art GIA methods. As an example, IMGIA shows an improvement in performance with an average increase in effectiveness of 2%.

Wenjiang Hu,Mingda Ma,Yanan Jiang,Hui Xia

DOI: https://doi.org/10.1007/978-981-97-5501-1_14

2024-01-01

Abstract:Recent research shows that graph neural networks (GNNs) are easily disrupted due to the lack of robustness, a phenomenon that poses a serious security threat. Currently, most efforts to attack GNNs mainly use gradient information to guide the attacks and achieve superior performance. However, gradient-based attacks often lead to suboptimal results due to the discrete structure of graph data. The high complexity of time and space for large-scale graphs also take away the advantage of gradient attacks. In this work, we propose an attack method based on Important Nodes Controllable Labels (INCLA), which finds the set of important nodes for each class in the graph that have a great influence on the network during the graph convolution process and connects the target nodes to the important nodes to achieve the attack effect. In addition, since the gradient optimization attacks in graph neural networks are all salience attacks, which lead to their poor unnoticeability. We construct more unnoticeable adversarial examples based on the association between target nodes and important nodes, and use the Degree Assortativity Change (DAC) metric and Homophily Ratio Change (HRC) metric for verification. Extensive experimental results show that INCLA can significantly improve the time efficiency while maintaining the attack performance compared to the state-of-the-art adversarial attacks with the same attack budget.

Hao Yu,Ke Liang,Dayu Hu,Wenxuan Tu,Chuan Ma,Sihang Zhou,Xinwang Liu

DOI: https://doi.org/10.1109/tkde.2024.3483274

IF: 9.235

2024-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:The ubiquity of Graph Neural Networks (GNNs) emphasizes the imperative to assess their resilience against node injection attacks, a type of evasion attacks that impact victim models by injecting nodes with fabricated attributes and structures. However, prevailing attacks face two primary limitations: (1) Sequential construction of attributes and structures results in suboptimal outcomes as structure information is overlooked during attribute construction and vice versa. (2) In black-box scenarios, where attackers lack access to victim model architecture and parameters, reliance on surrogate models degrades performance due to architectural discrepancies. To overcome these limitations, we introduce GZOO, a black-box node injection attack that leverages an adversarial graph generator, compromising both attribute and structure sub-generators. This integration crafts optimal attributes and structures by considering their mutual information, enhancing their influence when aggregating information from injected nodes. Furthermore, GZOO proposes a zeroth-order optimization algorithm leveraging prediction results from victim models to estimate gradients for updating generator parameters, eliminating the necessity to train surrogate models. Across sixteen datasets, GZOO significantly outperforms state-of-theart attacks, achieving remarkable effectiveness and robustness. Notably, on the Cora dataset with the GCN model, GZOO achieves an impressive 95.69% success rate, surpassing the maximum 66.01% achieved by baselines

Xu Zou,Qinkai Zheng,Yuxiao Dong,Xinyu Guan,Evgeny Kharlamov,Jialiang Lu,Jie Tang

DOI: https://doi.org/10.1145/3447548.3467314

2021-01-01

Abstract:ABSTRACTGraph Neural Networks (GNNs) have achieved promising performance in various real-world applications. However, recent studies have shown that GNNs are vulnerable to adversarial attacks. In this paper, we study a recently-introduced realistic attack scenario on graphs---graph injection attack (GIA). In the GIA scenario, the adversary is not able to modify the existing link structure and node attributes of the input graph, instead the attack is performed by injecting adversarial nodes into it. We present an analysis on the topological vulnerability of GNNs under GIA setting, based on which we propose the Topological Defective Graph Injection Attack (TDGIA) for effective injection attacks. TDGIA first introduces the topological defective edge selection strategy to choose the original nodes for connecting with the injected ones. It then designs the smooth feature optimization objective to generate the features for the injected nodes. Extensive experiments on large-scale datasets show that TDGIA can consistently and significantly outperform various attack baselines in attacking dozens of defense GNN models. Notably, the performance drop on target GNNs resultant from TDGIA is more than double the damage brought by the best attack solution among hundreds of submissions on KDD-CUP 2020.

Xiao Liu,Jun-Jie Huang,Wentao Zhao

DOI: https://doi.org/10.1109/ICASSP48485.2024.10446876

2024-01-01

Abstract:Adversarial attacks on Graph Neural Networks (GNNs) have become a significant security concern. Graph Injection Attack (GIA) enables an attacker to perturb GNN models by injecting a small number of fake nodes, however, existing GIA methods often require either extensive knowledge of the dataset and the target model or a large number of queries to execute the attack. To fully utilize the unsupervised knowledge, we propose a Graph Contrastive Learning (GCL) approach to extract essential information from graph data to improve the attacker’s success rate on the initial query and reduce the number of queries. Specifically, the proposed Graph Contrastive Learning based Graph Injection Attack (GCIA) consists of a node encoder, a reward predictor, and a fake node generator. The node encoder generates low-dimensional embedding for nodes by aggregating the neighborhood features. The reward predictor maps the node embedding to query results, while the fake node generator uses gradient optimization to produce fake nodes with attack capabilities based on the node encoder and reward predictor. Extensive results show that the proposed GCIA method achieves 91.2% first query success rate on the Reddit dataset, and improves the success rate to over 99.7% after 10 queries. Source code is publicly available at: https://github.com/Gmrider13/GCIA.