1 GANI Global Attacks on Graph Neural Networks via Imperceptible Node Injections
2025-04-30
0
0
1.28MB
12 页
10玖币
侵权投诉
1
GANI: Global Attacks on Graph Neural
Networks via Imperceptible Node Injections
Junyuan Fang, Student Member, IEEE, Haixian Wen, Jiajing Wu, Senior Member, IEEE, Qi Xuan, Senior
Member, IEEE, Zibin Zheng, Senior Member, IEEE, and Chi K. Tse, Fellow, IEEE
Abstract—Graph neural networks (GNNs) have found successful applications in various graph-related tasks. However, recent studies
have shown that many GNNs are vulnerable to adversarial attacks. In a vast majority of existing studies, adversarial attacks on GNNs
are launched via direct modification of the original graph such as adding/removing links, which may not be applicable in practice. In this
paper, we focus on a realistic attack operation via injecting fake nodes. The proposed Global Attack strategy via Node Injection (GANI)
is designed under the comprehensive consideration of an unnoticeable perturbation setting from both structure and feature domains.
Specifically, to make the node injections as imperceptible and effective as possible, we propose a sampling operation to determine the
degree of the newly injected nodes, and then generate features and select neighbors for these injected nodes based on the statistical
information of features and evolutionary perturbations obtained from a genetic algorithm, respectively. In particular, the proposed
feature generation mechanism is suitable for both binary and continuous node features. Extensive experimental results on benchmark
datasets against both general and defended GNNs show strong attack performance of GANI. Moreover, the imperceptibility analyses
also demonstrate that GANI achieves a relatively unnoticeable injection on benchmark datasets.
Index Terms—Graph Neural Networks, Graph Adversarial Attacks, Robustness, Node Injections, Unnoticeable Perturbations
F
1 INTRODUCTION
GRAPHS, where nodes represent individuals and links
represent relationships between individuals, are ubiq-
uitous in real-world systems. With the remarkable success
of deep graph learning, various powerful graph neural
network (GNN) models have been proposed to deal with
graph data-based tasks, such as node/graph classification,
community detection, link prediction, and so on [1], [2], [3],
[4], [5], [6], [7].
Recently, Goodfellow et al. [8] found that current neural
networks are vulnerable to the unnoticeable adversarial
samples generated by the attackers. Similarly, though GNNs
have shown great potential on graph learning, researchers
are also curious about the robustness of current GNNs when
facing malicious attacks, namely, graph adversarial attacks
[9], [10], [11], [12]. Prior work has proposed to evaluate the
robustness of current GNNs against perturbations based
on the gradient of classifiers [13], meta-learning [14], re-
inforcement learning [15], etc. Specifically, corresponding
experiments have demonstrated the vulnerability of most
current GNNs, even under small perturbations.
For the vast majority of existing studies on graph adver-
sarial attacks [13], [14], [15], [16], [17], a common assumption
•Junyuan Fang and Chi K. Tse are with the Department of Electrical
Engineering, City University of Hong Kong, Hong Kong SAR, China.
(Email: junyufang2-c@my.cityu.edu.hk; chitse@cityu.edu.hk)
•Haixian Wen and Jiajing Wu are with the School of Computer Science and
Engineering, Sun Yat-sen University, Guangzhou 510006, China. (Email:
wenhx6@mail2.sysu.edu.cn; wujiajing@mail.sysu.edu.cn)
•Zibin Zheng is with the School of Software Engineering, Sun Yat-sen
University, Zhuhai 519082, China. (Email: zhzibing@mail.sysu.edu.cn)
•Q. Xuan is with the Institute of Cyberspace Security, College of Informa-
tion Engineering, Zhejiang University of Technology, Hangzhou 310023,
China. (E-mail: xuanqi@zjut.edu.cn)
•Corresponding Author: Jiajing Wu.
Digital Identifier: IEEE.xxx.xxx.xxxx.xxxxx.
is that the attacker has the privilege to modify the original
data, such as adding/removing links or modifying features
of the original graph data. However, this assumption may
not be valid in many realistic situations. Taking social net-
works as an example, it is rather difficult for an attacker
to tamper with the relationship or the personal information
of other users. Instead, an alternative strategy is to make
an adversarial attacker generate some vicious nodes (i.e.,
adversarial nodes) and associate them with the original
nodes to achieve the attacks. These kinds of adversarial
attacks can be referred to as node injection attacks (NIA).
In the NIA scenario, the attacker needs to solve two
major problems. The first problem is to generate the feature
of the adversarial nodes, while the other is to decide the
neighbors of these newly injected nodes. Although a few
NIA methods have been proposed, there still exist two
main limitations. (i) Feature Inconsistency: Ignoring the
diversity of feature spaces in different realistic networks,
current work usually assumes the attacker generates binary
features (0/1) to the new nodes. Other feature generation
mechanisms like averaging features or combining with
Gaussian distribution will also lead to inconsistent problems
on ranges or types. (ii) Budget Constraint: Current NIA
methods usually define the degree of each new node as
a constant value such as the average degree of original
nodes. Therefore, considering the above limitations, the
NIAs in most existing work may cause obvious disturbance
to the feature and topology domains of the original network,
making the attacks easy to be detected.
To address the above concerns and conduct effective and
unnoticeable NIA, we propose a new NIA strategy GANI to
achieve Global Attacks via Node Injections. We focus on
global attacks (i.e., decreasing the global performance) of
the node classification task via injecting some fake nodes
arXiv:2210.12598v1 [cs.LG] 23 Oct 2022
2
into the original graph. Specifically, the proposed GANI can
be divided into the following two parts. In the feature gen-
eration procedure, the statistical feature information of the
original nodes is utilized to make our new nodes similar to
the normal nodes. In the link generation procedure, we em-
ploy evolutionary algorithms to help find the optimal links
which can obtain the best attack performance. Moreover, we
utilize the decrease of node homophily [18], [19] to reduce
the randomness of the optimal neighbor selections. Finally,
we verify the superiority on both attack performance and
imperceptibility of the proposed attack strategy in datasets
with different feature types through extensive experiments.
Our major contributions are as follows:
•We present new insights on promoting the imper-
ceptibility of NIA from both topology and feature
domains which were seldom discussed in previous
studies.
•We propose a powerful NIA method by combining
the statistical information-based feature generation
step with evolutionary algorithm-based neighbor se-
lection step on the global poisoning attack scenario.
•We conduct extensive experiments on several
datasets with different types of features to verify the
effectiveness and imperceptibility of the proposed
method.
The remainder of this work is organized as follows.
Section 2 discusses the related work of current attack and
defense on graph neural networks. Some preliminaries
about graph neural networks, node injection attacks, and
the definition of homophily are given in Section 3. Then,
we introduce the setting of attack budgets, methods for
feature generation and neighbor selection of injected nodes
in Section 4. In Section 5, we present the corresponding ex-
periments and discussions on both attack performance and
the imperceptible effect of perturbations in detail. Finally,
we conclude our work in Section 6.
2 RELATED WORK
In this work, we aim at achieving global attacks, which is
to reduce the overall effectiveness of the models, rather than
focus on influencing some target nodes. Moreover, we con-
centrate on poisoning attacks on graphs, for which we will
apply our attack strategy on the retraining models, rather
than on the fixed models with the same parameters before
and after the attack (i.e., evasion attacks). Compared with
evasion attacks, poisoning attacks will be more realistic but
difficult due to the model retraining. In the following, we
will briefly introduce current efforts on typical adversarial
attacks and node injection attacks, respectively. Then we will
briefly introduce current (defended) methods on graphs.
2.1 Typical Adversarial Attacks on GNNs
In most existing studies, attacks are launched by modifying
the links or features of the original nodes. Z¨ugner et al. [13]
proposed the first graph adversarial attack method, Nettack,
to point out the security concern in current GNNs by
utilizing the classification margin of the nodes predicted in
different classes. Dai et al. [15] put forward a reinforcement
learning-based strategy, RL-S2V, to achieve the targeted
evasion attacks. In order to achieve global attacks, Z¨ugner
and G ¨
unnemann [14] further proposed Metattack (META
for short in this work) by utilizing the meta gradient of
loss functions. However, all of the above strategies are de-
signed based on the assumption that the attackers can easily
modify the original graphs, which is not realistic in the real
life. Moreover, we also find that directly extending current
methods to the node injection scenario can not achieve the
same performance, which will be shown in our experiments
later.
2.2 Node Injection Attacks on GNNs
To address the above concerns, some node injection attack
methods have been proposed recently. Sun et al. [20] intro-
duced a strong NIA strategy named NIPA which utilizes the
deep Q-learning method to achieve the global poisoning at-
tacks. Aiming at targeted poisoning attacks, Wang et al. [21]
proposed AFGSM by considering the gradient of loss func-
tion of targeted nodes. Zou et al. [22] introduced TDGIA,
a global evasion injection method combining topological
defective edge selection strategy and smooth feature genera-
tions. Moreover, Tao et al. [23] proposed G-NIA by modeling
the attack process via a parametric model to preserve the
learned patterns and further be utilized in the inferring
phase. Recently, Chen et al. [24] proposed HAO by utilizing
the homophily ratio of nodes as the unnoticeable constraint
to further improve the unnoticeability of adversarial attacks.
However, the two concerns (i.e., feature inconsistency
and budget constraint) still have not been well addressed
in prior work. Specifically, NIPA generates the adversarial
features through the average features of all nodes plus Gaus-
sian distribution. Since different datasets may have different
types of features (i.e., binary or continuous features), and the
features of each node usually will be an extremely sparse
vector, the Gaussian noise may dominate the feature of
new nodes, causing the situation that the features of newly
injected nodes will be very different from those original
nodes. Moreover, AFGSM simply generates binary features
for the new nodes, while TDGIA only generates continuous
features and fails to limit the feature-attack budget. Among
them, only G-NIA solves the feature consistent problem.
At the same time, none of the above work tackles the
degree problems of the new nodes. Though HAO retains the
homophily ratio of corresponding nodes during injections
in a local perspective, it may break other global network
properties or constraints such as degree distributions, the
range/type of node features which can be easily detected.
Therefore, current NIA methods may break the unno-
ticeable principle as the new nodes have a totally different
range distribution or belong to different types (i.e., binary
or continuous format) of features. They may also make the
injection more obvious by assuming that all new nodes have
the same degree. In order to make the NIA more realistic,
we aim to address the above issues that exist in current
strategies. Particularly, to make the adversarial attacks more
general, we focus on a more practical and difficult scenario,
namely global poisoning attacks.
2.3 Defense on GNNs
Standard GNNs usually utilize the neighborhood aggrega-
tion mechanism to help obtain a better representation of
3
(a) Original Graph (b) General Attacks (c) Node Injections
Fig. 1. Schematic diagram of general attacks and node injection attacks.
Colors represent labels; red solid and dashed lines indicate adding and
removing links, respectively.
TABLE 1
Frequently used notations in this paper and their corresponding
definitions or descriptions.
Notations Definitions or Descriptions
GGraph data
AAdjacency matrix of the graph
XFeature matrix of the graph
fθThe graph neural network model with parameter θ
WTrainable weight matrix
ZPrediction probability of all nodes.
G0Perturbed graph data
A0Perturbed adjacency matrix of the graph
X0Perturbed feature matrix of the graph
APAdjacency matrix between fake nodes and normal nodes
NH Node homophily
∆FFeature-attack budget
∆LLink-attack budget list for all injected nodes
nin Number of injected nodes
αCandidate rate
pcCrossover rate
pmMutation rate
DNH Decrease of node homophily
TDNH Total decrease of node homophily in an individual
PPopulation of genetic algorithm
IIndividual in population
L0Randomly given label for the injected node
the central node from its neighbors, such as classic graph
convolution network (GCN) [25], graph attention network
(GAT) [26] by giving different aggregation weights to differ-
ent neighbors via a masked self-attention mechanism, sim-
plifying graph convolution network (SGC) [27] by removing
the activation functions in the middle layers, etc.
Since current GNNs are vulnerable to adversarial at-
tacks, some other models are proposed to improve the
robustness of GNNs through the pre-processing of data,
re-designing the aggregation functions, etc. For example,
Wu et al. [28] came up with Jaccard by removing the links
with relatively lower feature similarity before employing the
GNNs. Zhu et al. [29] designed RGCN via modeling the low-
dimension representation of nodes as Gaussian distribution
and further employing a variance-based attention mecha-
nism as the aggregation function to reduce the influence of
adversarial samples. Jin et al. [30] introduced SimPGCN by
adaptively preserving both the feature similarity and struc-
tural similarity during the aggregation process. Moreover,
Chen et al. [31] proposed novel aggregators, TMean and
Median, based on the breakdown point to discard the possi-
ble outlier features during the neighborhood aggregation on
evasion attack scenario. In our experiments, we also further
verify the attack performance of the proposed method in
these defended GNNs.
3 PRELIMINARIES
In this section, we will give some preliminaries on graph
neural networks and node injection attacks, together with
the definition of node homophily. See Table 1 for frequently
used notations.
3.1 Graph Neural Networks
Generally, we use G= (A, X)to denote the graph, where
Aand Xare the adjacency matrix and feature matrix,
respectively. Assuming Ghas nnodes and each of them has
dfeatures, the adjacency matrix A∈ {0,1}n×nrepresents
the connection relationship between each node-pair, where
Aij = 1 means there is a link between node iand j,
and 0 otherwise. The feature matrix {X}n×ddenotes the
features of each node, and Xirepresents the feature vector
of node i. As mentioned before, the feature vector could
be either binary or continuous type. Following the classic
work on node classification [25], a general two-layer graph
convolution network can be represented by
Z=fθ(A, X) = softmax(ˆ
Aσ(ˆ
AXW (1))W(2)),(1)
where ˆ
A=˜
D−1
2(A+I)˜
D−1
2,˜
Dand Irepresent the
diagonal degree matrix and identity matrix, respectively.
σ(·)is the activation function like ReLU, and Wis the
weight matrix to be optimized. Specifically, Zv,c denotes the
probability that node vbelongs to class c. The optimization
goal of node classification is to assign the node a higher
probability to the true class, i.e.,
min
θL=−X
v∈Vtrain
ln Zv,cv,(2)
where cvindicates the ground truth label of node v,Vtrain
represents the nodes of training set, and θ={W(1), W (2)}
is the learning parameter to be optimized.
3.2 Node Injection Attacks
Instead of directly modifying the original adjacency matrix
Aand feature matrix X, NIA will inject some malicious
nodes into the original graph and generate the features of
these injected nodes, and then connect them to the original
graph to conduct the attack. The adversarial graph after
being injected nin fake nodes is given as
A
0=A AT
p
ApO,(3)
X
0=X
Xp,(4)
where matrices {Ap}nin ×nand {AT
p}n×nin represent the
adversarial matrices between the fake nodes and normal
nodes and corresponding transpose matrix, respectively.
{Xp}nin ×dis the new generated features of the new nodes.
Specifically, we focus on global poisoning attacks on
node classification, and the final goal of the attacker is to
decrease the overall classification accuracy of the targeted
GNNs, which can be represented as
摘要:
展开>>
收起<<
1GANI:GlobalAttacksonGraphNeuralNetworksviaImperceptibleNodeInjectionsJunyuanFang,StudentMember,IEEE,HaixianWen,JiajingWu,SeniorMember,IEEE,QiXuan,SeniorMember,IEEE,ZibinZheng,SeniorMember,IEEE,andChiK.Tse,Fellow,IEEEAbstractGraphneuralnetworks(GNNs)havefoundsuccessfulapplicationsinvariousgraph-rel...
声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!
相关推荐
-
【词汇变形总汇】2025高考词汇变形总汇 - 教师版VIP免费
2024-12-06 3 -
【超简37页】新课标高考英语考纲3500词汇VIP免费
2024-12-06 4 -
《高考英语3500词详解》(WORD版)VIP免费
2024-12-06 13 -
《高考英语3500词详解》VIP免费
2024-12-06 11 -
高中英语-[教师版]80天通关高考3500词汇VIP免费
2024-12-06 12 -
高中人教选修7课文逐句翻译VIP免费
2024-12-06 7 -
高中人教选修7课文原文及翻译VIP免费
2024-12-06 13 -
高中人教必修4课文逐句翻译VIP免费
2024-12-06 7 -
高中人教必修4课文原文及翻译VIP免费
2024-12-06 13 -
高考英语核心高频688词汇VIP免费
2024-12-06 10
分类:图书资源
价格:10玖币
属性:12 页
大小:1.28MB
格式:PDF
时间:2025-04-30
作者详情
-
Optimal Persistent Monitoring of Mobile Targets in One Dimension Jonas Hall1 Sean Andersson12 Christos G. Cassandras13 Abstract This work shows the existence of opti-10 玖币0人下载
-
Optimal metabolic strategies for microbial growth in stationary random environments Anna Paola Muntoni and Andrea De Martino10 玖币0人下载
相关内容
-
3-专题三 牛顿运动定律 2-教师专用试题
分类:中学教育
时间:2025-04-07
标签:无
格式:DOCX
价格:5.9 玖币
-
2-专题二 相互作用 2-教师专用试题
分类:中学教育
时间:2025-04-07
标签:无
格式:DOCX
价格:5.9 玖币
-
6-专题六 机械能 2-教师专用试题
分类:中学教育
时间:2025-04-07
标签:无
格式:DOCX
价格:5.9 玖币
-
4-专题四 曲线运动 2-教师专用试题
分类:中学教育
时间:2025-04-08
标签:无
格式:DOCX
价格:5.9 玖币
-
5-专题五 万有引力与航天 2-教师专用试题
分类:中学教育
时间:2025-04-08
标签:无
格式:DOCX
价格:5.9 玖币
渝公网安备50010702506394
