Simple and Efficient Partial Graph Adversarial Attack: A New Perspective

TL;DR

This work tackles the problem of graph adversarial attacks by recognizing that nodes differ in robustness and proposing PGA, a partial graph attack that concentrates perturbations on vulnerable nodes. The method combines a hierarchical target selection policy, a cost-efficient anchor-picking policy, and an iterative greedy attack guided by a surrogate model and a tailored attack loss, achieving superior effectiveness and efficiency over traditional global attacks. Extensive experiments across datasets and ten GNNs (including defenses) show PGA outperforms baselines in evasion and even transfers to poisoning settings, while perturbations remain visually stealthy. The approach offers a practical, scalable framework for evaluating and improving GNN robustness under budget-constrained, node-aware attack scenarios.

Abstract

As the study of graph neural networks becomes more intensive and comprehensive, their robustness and security have received great research interest. The existing global attack methods treat all nodes in the graph as their attack targets. Although existing methods have achieved excellent results, there is still considerable space for improvement. The key problem is that the current approaches rigidly follow the definition of global attacks. They ignore an important issue, i.e., different nodes have different robustness and are not equally resilient to attacks. From a global attacker's view, we should arrange the attack budget wisely, rather than wasting them on highly robust nodes. To this end, we propose a totally new method named partial graph attack (PGA), which selects the vulnerable nodes as attack targets. First, to select the vulnerable items, we propose a hierarchical target selection policy, which allows attackers to only focus on easy-to-attack nodes. Then, we propose a cost-effective anchor-picking policy to pick the most promising anchors for adding or removing edges, and a more aggressive iterative greedy-based attack method to perform more efficient attacks. Extensive experimental results demonstrate that PGA can achieve significant improvements in both attack effect and attack efficiency compared to other existing graph global attack methods.

Figures (11)

• Figure 1: We individually attack nodes with the targeted attack method SGA and record the corresponding attack budgets required for each node. The x-axis denotes the attack budget. The y-axis denotes the number of nodes that can be successfully attacked given the specific attack budget.
• Figure 2: A comparison between the proposed PGA and current global attack methods in terms of the hit rate of vulnerable nodes. We conduct a series of attacks using each method five times.
• Figure 3: Difference between PGA and existing global attack methods. Assume that the attacker can modify 9 edges, i.e., the attack budget is 9.
• Figure 4: An overview of the proposed PGA. PGA first needs a trained GNN model to generate prediction logits for all nodes. Then, given the logits, the hierarchical target selection policy selects partial nodes as attack targets (a). Then, according to attack targets selected by (a), the anchor-picking policy picks the most promising anchors for adding or removing edges between them and attack targets (b). After (a) and (b), the iterative attack module uses a surrogate model to calculate gradients for each fake edge, and then flips the edge with the largest gradient iteratively, until the attack budgets are exhausted (c). Finally, a polluted graph is generated as the adversarial input for an evasion attack.
• Figure 5: Results on statistics-robustness relationship analysis. Degree and classification margin are more correlated to the node robustness.