Jiarong Xu,Yizhou Sun,Xin Jiang,Yanhao Wang,Chunping Wang,Jiangang Lu,Yang Yang

DOI: https://doi.org/10.48550/arxiv.2012.06757

2022-01-01

Abstract:Adversarial attacks on graphs have attracted considerable research interests. Existing works assume the attacker is either (partly) aware of the victim model, or able to send queries to it. These assumptions are, however, unrealistic. To bridge the gap between theoretical graph attacks and real-world scenarios, in this work, we propose a novel and more realistic setting: strict black-box graph attack, in which the attacker has no knowledge about the victim model at all and is not allowed to send any queries. To design such an attack strategy, we first propose a generic graph filter to unify different families of graph-based models. The strength of attacks can then be quantified by the change in the graph filter before and after attack. By maximizing this change, we are able to find an effective attack strategy, regardless of the underlying model. To solve this optimization problem, we also propose a relaxation technique and approximation theories to reduce the difficulty as well as the computational expense. Experiments demonstrate that, even with no exposure to the model, the Macro-F1 drops 6.4% in node classification and 29.5% in graph classification, which is a significant result compared with existent works.

Jiaming Mu,Binghui Wang,Qi Li,Kun Sun,Mingwei Xu,Zhuotao Liu

DOI: https://doi.org/10.1145/3460120.3484796

2021-01-01

Abstract:Graph Neural Networks (GNNs) have achieved state-of-the-art performance in various graph structure related tasks such as node classification and graph classification. However, GNNs are vulnerable to adversarial attacks. Existing works mainly focus on attacking GNNs for node classification; nevertheless, the attacks against GNNs for graph classification have not been well explored. In this work, we conduct a systematic study on adversarial attacks against GNNs for graph classification via perturbing the graph structure. In particular, we focus on the most challenging attack, i.e., hard label black-box attack, where an attacker has no knowledge about the target GNN model and can only obtain predicted labels through querying the target model.To achieve this goal, we formulate our attack as an optimization problem, whose objective is to minimize the number of edges to be perturbed in a graph while maintaining the high attack success rate. The original optimization problem is intractable to solve, and we relax the optimization problem to be a tractable one, which is solved with theoretical convergence guarantee. We also design a coarse-grained searching algorithm and a query-efficient gradient computation algorithm to decrease the number of queries to the target GNN model. Our experimental results on three real-world datasets demonstrate that our attack can effectively attack representative GNNs for graph classification with less queries and perturbations. We also evaluate the effectiveness of our attack under two defenses: one is well-designed adversarial graph detector and the other is that the target GNN model itself is equipped with a defense to prevent adversarial graph generation. Our experimental results show that such defenses are not effective enough, which highlights more advanced defenses.

Jianfeng Li,Haoran Li,Jing He,Tianchen Dou

DOI: https://doi.org/10.1109/scset58950.2023.00016

2023-01-01

Abstract:In recent years, the robustness of graph neural networks (GNNs) adversarial attacks has been favored by researchers, and related research has intensified. However, existing graph adversarial attacks are mainly performed by modifying the topology of the graph and node feature vectors, and attacks from the labels of nodes are rarely considered, especially for multi-label graph adversarial attacks, where an attacker can manipulate an obscure portion of the training labels and flip the sample labels in the training data to other classes, resulting in incorrect predictions of the retrained GNNs model. In this work, we present graph adversarial attack against multi-label flipping. We propose an effective attack model-Lapa, based on an adaptive genetic algorithm that searches the solution space for suitable adversarial samples to obtain near-optimal solutions. The adaptive genetic algorithm performs crossover and mutation operations utilizing adaptive probabilities. We demonstrate the effectiveness of our proposed Lapa attack model on GNNs after extensive experiments on four real datasets.

Xiaodong Yang,Xiaoting Li,Huiyuan Chen,Yiwei Cai

2024-08-20

Abstract:Recent studies show that well-devised perturbations on graph structures or node features can mislead trained Graph Neural Network (GNN) models. However, these methods often overlook practical assumptions, over-rely on heuristics, or separate vital attack components. In response, we present GAIM, an integrated adversarial attack method conducted on a node feature basis while considering the strict black-box setting. Specifically, we define an adversarial influence function to theoretically assess the adversarial impact of node perturbations, thereby reframing the GNN attack problem into the adversarial influence maximization problem. In our approach, we unify the selection of the target node and the construction of feature perturbations into a single optimization problem, ensuring a unique and consistent feature perturbation for each target node. We leverage a surrogate model to transform this problem into a solvable linear programming task, streamlining the optimization process. Moreover, we extend our method to accommodate label-oriented attacks, broadening its applicability. Thorough evaluations on five benchmark datasets across three popular models underscore the effectiveness of our method in both untargeted and label-oriented targeted attacks. Through comprehensive analysis and ablation studies, we demonstrate the practical value and efficacy inherent to our design choices.

Machine Learning,Artificial Intelligence

Jintang Li,Tao Xie,Liang Chen,Fenfang Xie,Xiangnan He,Zibin Zheng

DOI: https://doi.org/10.1109/tkde.2021.3078755

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Recent studies have shown that graph neural networks (GNNs) are vulnerable against perturbations due to lack of robustness and can therefore be easily fooled. Currently, most works on attacking GNNs are mainly using gradient information to guide the attack and achieve outstanding performance. However, the high complexity of time and space makes them unmanageable for large scale graphs and becomes the major bottleneck that prevents the practical usage. We argue that the main reason is that they have to use the whole graph for attacks, resulting in the increasing time and space complexity as the data scale grows. In this work, we propose an efficient Simplified Gradient-based Attack (SGA) method to bridge this gap. SGA can cause the GNNs to misclassify specific target nodes through a multi-stage attack framework, which needs only a much smaller subgraph. In addition, we present a practical metric named Degree Assortativity Change (DAC) to measure the impacts of adversarial attacks on graph data. We evaluate our attack method on four real-world graph networks by attacking several commonly used GNNs. The experimental results demonstrate that SGA can achieve significant time and memory efficiency improvements while maintaining competitive attack performance compared to state-of-art attack techniques.

Jinyin Chen,Xiang Lin,Dunjie Zhang,Wenrong Jiang,Guohan Huang,Hui Xiong,Yun Xiang

DOI: https://doi.org/10.48550/arXiv.2102.12284

2021-02-24

Abstract:Deep learning is effective in graph analysis. It is widely applied in many related areas, such as link prediction, node classification, community detection, and graph classification etc. Graph embedding, which learns low-dimensional representations for vertices or edges in the graph, usually employs deep models to derive the embedding vector. However, these models are vulnerable. We envision that graph embedding methods based on deep models can be easily attacked using adversarial examples. Thus, in this paper, we propose Graphfool, a novel targeted label adversarial attack on graph embedding. It can generate adversarial graph to attack graph embedding methods via classifying boundary and gradient information in graph convolutional network (GCN). Specifically, we perform the following steps: 1),We first estimate the classification boundaries of different classes. 2), We calculate the minimal perturbation matrix to misclassify the attacked vertex according to the target classification boundary. 3), We modify the adjacency matrix according to the maximal absolute value of the disturbance matrix. This process is implemented iteratively. To the best of our knowledge, this is the first targeted label attack technique. The experiments on real-world graph networks demonstrate that Graphfool can derive better performance than state-of-art techniques. Compared with the second best algorithm, Graphfool can achieve an average improvement of 11.44% in attack success rate.

Machine Learning,Cryptography and Security

Enyan Dai,Minhua Lin,Xiang Zhang,Suhang Wang

DOI: https://doi.org/10.1145/3543507.3583392

2023-02-11

Abstract:Graph Neural Networks (GNNs) have achieved promising results in various tasks such as node classification and graph classification. Recent studies find that GNNs are vulnerable to adversarial attacks. However, effective backdoor attacks on graphs are still an open problem. In particular, backdoor attack poisons the graph by attaching triggers and the target class label to a set of nodes in the training graph. The backdoored GNNs trained on the poisoned graph will then be misled to predict test nodes to target class once attached with triggers. Though there are some initial efforts in graph backdoor attacks, our empirical analysis shows that they may require a large attack budget for effective backdoor attacks and the injected triggers can be easily detected and pruned. Therefore, in this paper, we study a novel problem of unnoticeable graph backdoor attacks with limited attack budget. To fully utilize the attack budget, we propose to deliberately select the nodes to inject triggers and target class labels in the poisoning phase. An adaptive trigger generator is deployed to obtain effective triggers that are difficult to be noticed. Extensive experiments on real-world datasets against various defense strategies demonstrate the effectiveness of our proposed method in conducting effective unnoticeable backdoor attacks.

Cryptography and Security,Machine Learning

Mengmei Zhang,Linmei Hu,Chuan Shi,Xiao Wang

DOI: https://doi.org/10.1109/icdm50108.2020.00088

2020-01-01

Abstract:With the great popularity of Graph Neural Networks (GNNs), the robustness of GNNs to adversarial attacks has received increasing attention. However, existing works neglect adversarial label-flipping attacks, where the attacker can manipulate an unnoticeable fraction of training labels. Exploring the robustness of GNNs to label-flipping attacks is highly critical, especially when labels are collected from external sources and false labels are easy to inject (e.g., recommendation systems). In this work, we introduce the first study of adversarial label-flipping attacks on GNNs. We propose an effective attack model LafAK based on approximated closed form of GNNs and continuous surrogate of non-differentiable objective, efficiently generating attacks via gradient-based optimizers. Furthermore, we show that one key reason for the vulnerability of GNNs to label-flipping attack is overfitting to flipped nodes. Based on this observation, we propose a defense framework which introduces a community-preserving self-supervised task as regularization to avoid overfitting. We demonstrate the effectiveness of our proposed attack model to GNNs on four real-world datasets. The effectiveness of our defense framework is also well validated by the substantial improvements of defense based GNN and its variants under label-flipping attacks.

Wenjiang Hu,Mingda Ma,Yanan Jiang,Hui Xia

DOI: https://doi.org/10.1007/978-981-97-5501-1_14

2024-01-01

Abstract:Recent research shows that graph neural networks (GNNs) are easily disrupted due to the lack of robustness, a phenomenon that poses a serious security threat. Currently, most efforts to attack GNNs mainly use gradient information to guide the attacks and achieve superior performance. However, gradient-based attacks often lead to suboptimal results due to the discrete structure of graph data. The high complexity of time and space for large-scale graphs also take away the advantage of gradient attacks. In this work, we propose an attack method based on Important Nodes Controllable Labels (INCLA), which finds the set of important nodes for each class in the graph that have a great influence on the network during the graph convolution process and connects the target nodes to the important nodes to achieve the attack effect. In addition, since the gradient optimization attacks in graph neural networks are all salience attacks, which lead to their poor unnoticeability. We construct more unnoticeable adversarial examples based on the association between target nodes and important nodes, and use the Degree Assortativity Change (DAC) metric and Homophily Ratio Change (HRC) metric for verification. Extensive experimental results show that INCLA can significantly improve the time efficiency while maintaining the attack performance compared to the state-of-the-art adversarial attacks with the same attack budget.

Kaiyang Wang,Huaxin Deng,Yijia Xu,Zhonglin Liu,Yong Fang

DOI: https://doi.org/10.1016/j.patcog.2024.110449

IF: 8

2024-03-26

Pattern Recognition

Abstract:Graph neural networks have been shown to have characteristics that make them susceptible to backdoor attacks, and many recent works have proposed feasible graph backdoor attack methods. However, existing graph backdoor attack methods only target one-to-one attack types and lack graph backdoor attack methods that can address one-to-many attack requirements. This paper is the first research work on one-to-many type graph backdoor attacks and proposes the backdoor attack method MLGB, which can achieve multi-target label attacks for GNN node classification tasks. We designed encoding mechanisms to allow MLGB to customize triggers for different target labels and ensure differentiation between triggers for different target labels through loss functions. Additionally, we designed an innovative poisoned node selection method to improve the efficiency of MLGB's attacks further. Extensive experiments were conducted to validate MLGB's effectiveness across multiple datasets and model architectures, demonstrating its robustness against graph backdoor attack defense mechanisms. Furthermore, ablation experiments and explainability analyses were conducted to provide deeper insights into MLGB. Our work reveals that graph neural networks are also vulnerable to one-to-many type backdoor attacks, which is important for practitioners to understand model risks comprehensively.

computer science, artificial intelligence,engineering, electrical & electronic

Mengmei Zhang,Xiao Wang,Chuan Shi,Lingjuan Lyu,Tianchi Yang,Junping Du

DOI: https://doi.org/10.1145/3543507.3583509

2024-03-05

Abstract:With the great popularity of Graph Neural Networks (GNNs), their robustness to adversarial topology attacks has received significant attention. Although many attack methods have been proposed, they mainly focus on fixed-budget attacks, aiming at finding the most adversarial perturbations within a fixed budget for target node. However, considering the varied robustness of each node, there is an inevitable dilemma caused by the fixed budget, i.e., no successful perturbation is found when the budget is relatively small, while if it is too large, the yielding redundant perturbations will hurt the invisibility. To break this dilemma, we propose a new type of topology attack, named minimum-budget topology attack, aiming to adaptively find the minimum perturbation sufficient for a successful attack on each node. To this end, we propose an attack model, named MiBTack, based on a dynamic projected gradient descent algorithm, which can effectively solve the involving non-convex constraint optimization on discrete topology. Extensive results on three GNNs and four real-world datasets show that MiBTack can successfully lead all target nodes misclassified with the minimum perturbation edges. Moreover, the obtained minimum budget can be used to measure node robustness, so we can explore the relationships of robustness, topology, and uncertainty for nodes, which is beyond what the current fixed-budget topology attacks can offer.

Artificial Intelligence

Yang Chen,Zhonglin Ye,Haixing Zhao,Lei Meng,Zhaoyang Wang,Yanlin Yang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys57074.2022.00052

2022-01-01

Abstract:In recent years, Graph Neural Networks (GNNs) have performed significantly in node classification tasks. Re-search on GNNs adversarial attacks has recently attracted attention. Many works have demonstrated that single node attacks can fool GNNs in extreme scenarios. Existing single node attacks can be divided into two main types: 1) attacking the node features; 2) injecting a single fake node. However, they have several major drawbacks: 1) they set the attack node features, which makes them not efficient; 2) they require higher privileges and don't have strict budget constraints, which makes them less concealable and easier to notice. In this paper, we propose an attack with lower privileges and strict budget constraints -Single Node Structure Attack (SNSA). Specifically, SNSA is set more efficient structure attacks and does not require higher privileges to change links. Compared to other attack models, the attack space of SNSA is small and not easily detected by GNNs. Furthermore, we study the influence of the attack node selection on SNSA and observe that it is optimal to use a gradient to select an attack node. Experiments on three common datasets demonstrate the effectiveness of our model.

Xin Wang,Heng Chang,Beini Xie,Tian Bian,Shiji Zhou,Daixin Wang,Zhiqiang Zhang,Wenwu Zhu

DOI: https://doi.org/10.48550/arXiv.2208.06651

2023-09-06

Abstract:Graph neural networks (GNNs) have achieved tremendous success in the task of graph classification and its diverse downstream real-world applications. Despite the huge success in learning graph representations, current GNN models have demonstrated their vulnerability to potentially existent adversarial examples on graph-structured data. Existing approaches are either limited to structure attacks or restricted to local information, urging for the design of a more general attack framework on graph classification, which faces significant challenges due to the complexity of generating local-node-level adversarial examples using the global-graph-level information. To address this "global-to-local" attack challenge, we present a novel and general framework to generate adversarial examples via manipulating graph structure and node features. Specifically, we make use of Graph Class Activation Mapping and its variant to produce node-level importance corresponding to the graph classification task. Then through a heuristic design of algorithms, we can perform both feature and structure attacks under unnoticeable perturbation budgets with the help of both node-level and subgraph-level importance. Experiments towards attacking four state-of-the-art graph classification models on six real-world benchmarks verify the flexibility and effectiveness of our framework.

Social and Information Networks,Cryptography and Security,Machine Learning

Zhengyi Wang,Zhongkai Hao,Hang Su,Jun Zhu

2021-01-01

Abstract:While deep neural networks have achieved great success on the graph analysis, recent works have shown that they are also vulnerable to adversarial attacks where fraudulent users can fool the model with a limited number of queries. Compared with adversarial attacks on image classification, performing adversarial attack on graphs is challenging because of the discrete and non-differential nature of a graph. To address these issues, we proposed Cluster Attack, a novel adversarial attack by introducing a set of fake nodes to the original graph which can mislead the classification on certain victim nodes. Specifically, we query the victim model for each victim node to acquire their most adversarial feature, which is related to how the fake node’s feature will affect the victim nodes. We further cluster the victim nodes into several subgroups according to their most adversarial features such that we can reduce the searching space. Moreover, our attack is performed in a practical and unnoticeable manner: (1) We protect the predicted labels of nodes which we are not aimed for from being changed during attack. (2) We attack by introducing fake nodes into the original graph without changing existing links and features. (3) We attack with only partial information about the attacked graph, i.e., by leveraging the information of victim nodes along with their neighbors within k-hop instead of the whole graph. (4) We perform attack with a limited number of queries about the predicted scores of the model in a blackbox manner, i.e., without model architecture and parameters. Extensive experiments demonstrate the effectiveness of our method in terms of the success rate of attack. Department of Computer Science and Technology, Tsinghua University, China. Correspondence to: Zhengyi Wang <wangzy21@mails.tsinghua.edu.cn>. x x x

Peican Zhu,Zechen Pan,Keke Tang,Xiaodong Cui,Jinhuan Wang,Qi Xuan

DOI: https://doi.org/10.1109/TCSS.2024.3395794

2024-05-29

Abstract:Graph Neural Network (GNN) has achieved remarkable success in various graph learning tasks, such as node classification, link prediction and graph classification. The key to the success of GNN lies in its effective structure information representation through neighboring aggregation. However, the attacker can easily perturb the aggregation process through injecting fake nodes, which reveals that GNN is vulnerable to the graph injection attack. Existing graph injection attack methods primarily focus on damaging the classical feature aggregation process while overlooking the neighborhood aggregation process via label propagation. To bridge this gap, we propose the label-propagation-based global injection attack (LPGIA) which conducts the graph injection attack on the node classification task. Specifically, we analyze the aggregation process from the perspective of label propagation and transform the graph injection attack problem into a global injection label specificity attack problem. To solve this problem, LPGIA utilizes a label propagation-based strategy to optimize the combinations of the nodes connected to the injected node. Then, LPGIA leverages the feature mapping to generate malicious features for injected nodes. In extensive experiments against representative GNNs, LPGIA outperforms the previous best-performing injection attack method in various datasets, demonstrating its superiority and transferability.

Cryptography and Security

Ben Finkelshtein,Chaim Baskin,Evgenii Zheltonozhskii,Uri Alon

DOI: https://doi.org/10.1016/j.neucom.2022.09.115

IF: 6

2022-11-07

Neurocomputing

Abstract:Graph neural networks (GNNs) have shown broad applicability in a variety of domains. These domains, e.g., social networks and product recommendations, are fertile ground for malicious users and behavior. In this paper, we show that GNNs are vulnerable to the extremely limited (and thus quite realistic) scenarios of a single-node adversarial attack, where the perturbed node cannot be chosen by the attacker. That is, an attacker can force the GNN to classify any target node to a chosen label, by only slightly perturbing the features or the neighbors list of another single arbitrary node in the graph, even when not being able to select that specific attacker node. When the adversary is allowed to select the attacker node, these attacks are even more effective. We demonstrate empirically that our attack is effective across various common GNN types (e.g., GCN, GraphSAGE, GAT, GIN) and robustly optimized GNNs (e.g., Robust GCN, SM GCN, GAL, LAT-GCN), outperforming previous attacks across different real-world datasets both in a targeted and non-targeted attacks. Our code is available anonymously at https://github.com/gnnattack/SINGLE.

computer science, artificial intelligence

Yu Zhou,Zihao Dong,Guofeng Zhang,Jingchen Tang

2023-11-22

Abstract:While graph neural networks have achieved state-of-the-art performances in many real-world tasks including graph classification and node classification, recent works have demonstrated they are also extremely vulnerable to adversarial attacks. Most previous works have focused on attacking node classification networks under impractical white-box scenarios. In this work, we will propose a non-targeted Hard Label Black Box Node Injection Attack on Graph Neural Networks, which to the best of our knowledge, is the first of its kind. Under this setting, more real world tasks can be studied because our attack assumes no prior knowledge about (1): the model architecture of the GNN we are attacking; (2): the model's gradients; (3): the output logits of the target GNN model. Our attack is based on an existing edge perturbation attack, from which we restrict the optimization process to formulate a node injection attack. In the work, we will evaluate the performance of the attack using three datasets, COIL-DEL, IMDB-BINARY, and NCI1.

Machine Learning,Cryptography and Security,Social and Information Networks

Huawei Wang,Yiwei Liu,Peng Yin,Hua Zhang,Xin Xu,Qiaoyan Wen

DOI: https://doi.org/10.1002/int.22902

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:Graph neural networks (GNN) have been widely used in many machine learning tasks, such as text classification, sequence labeling, protein interface prediction, and knowledge graph. With increasing security concerns, GNN have been proved to be vulnerable and unreliable. Recent years, inspired by adversarial model in computer vision, various attacks on graph data begin to emerge. However, the exist attacks mostly focus on security violation and attack specificity, and very few attacks concern error specificity. In this paper, we focus on dealing with this kind of attack on one node of the graph by slightly manipulating the graph structure. Our goal is to change the label of the node to what we want after attack. We formulate this case as label specificity attack problem. The biggest challenge in solving this problem is the lack of theoretical guidance to perform this attack. For this, we reinterpret structural entropy and define differential structural entropy (DS-entropy) to guide the manipulation. Based on DS-entropy, we propose the target-label principle and max-degree principle to execute our attack, and then design the corresponding algorithm DSEM. We compare our algorithm DSEM with two benchmarks on three classical graph data sets. Results show that our algorithm is effective in performing label specificity attacks.

Guanghui Zhu,Mengyu Chen,Chunfeng Yuan,Yihua Huang

DOI: https://doi.org/10.1109/tkde.2024.3364972

IF: 9.235

2024-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:As the study of graph neural networks becomes more intensive and comprehensive, their robustness and security have received great research interest. The existing global attack methods treat all nodes in the graph as their attack targets. Although existing methods have achieved excellent results, there is still considerable space for improvement. The key problem is that the current approaches rigidly follow the definition of global attacks. They ignore an important issue, i.e., different nodes have different robustness and are not equally resilient to attacks. From a global attacker&#x27;s view, we should arrange the attack budget wisely, rather than wasting them on highly robust nodes. To this end, we propose a totally new method named partial graph attack (PGA), which selects the vulnerable nodes as attack targets. First, to select the vulnerable items, we propose a hierarchical target selection policy, which allows attackers to only focus on easy-to-attack nodes. Then, we propose a cost-effective anchor-picking policy to pick the most promising anchors for adding or removing edges, and a more aggressive iterative greedy-based attack method to perform more efficient attacks. Extensive experimental results demonstrate that PGA can achieve significant improvements in both attack effect and attack efficiency compared to existing graph global attack methods.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Shu Zhao,Wenyu Wang,Ziwei Du,Jie Chen,Zhen Duan

DOI: https://doi.org/10.1109/tbdata.2023.3296936

2023-01-01

IEEE Transactions on Big Data

Abstract:Recent studies have shown that Graph Neural Networks (GNNs) are vulnerable to well-designed and imperceptible adversarial attack. Attacks utilizing gradient information are widely used in the field of attack due to their simplicity and efficiency. However, several challenges are faced by gradient-based attacks: 1) Generate perturbations use white-box attacks (i.e., requiring access to the full knowledge of the model), which is not practical in the real world; 2) It is easy to drop into local optima; and 3) The perturbation budget is not limited and might be detected even if the number of modified edges is small. Faced with the above challenges, this article proposes a black-box adversarial attack method, named NAG-R, which consists of two modules known as N esterov A ccelerated G radient attack module and R ewiring optimization module. Specifically, inspired by adversarial attacks on images, the first module generates perturbations by introducing Nesterov Accelerated Gradient (NAG) to avoid falling into local optima. The second module keeps the fundamental properties of the graph (e.g., the total degree of the graph) unchanged through a rewiring operation, thus ensuring that perturbations are imperceptible. Intensive experiments show that our method has significant attack success and transferability over existing state-of-the-art gradient-based attack methods.