Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A General Black-box Adversarial Attack on Graph-based Fake News Detectors

Peican Zhu, Zechen Pan, Yang Liu, Jiwei Tian, Keke Tang, Zhen Wang

TL;DR

This work tackles the robustness of GNN-based fake news detectors under black-box attacks across diverse social-graph constructions. It introduces GAFSI, a two-module framework that simulates fraudulent social interactions by selecting influential fraudsters and injecting posts to perturb the social context, guided by gradients from surrogate models. Empirical results on Politifact and Gossipcop show that GAFSI achieves higher misclassification rates across multiple graph types than state-of-the-art baselines, with favorable efficiency and comprehensive ablations. The study highlights a practical vulnerability of graph-based fake news detectors to socially realistic adversarial perturbations and informs defense strategies against black-box social-context attacks.

Abstract

Graph Neural Network (GNN)-based fake news detectors apply various methods to construct graphs, aiming to learn distinctive news embeddings for classification. Since the construction details are unknown for attackers in a black-box scenario, it is unrealistic to conduct the classical adversarial attacks that require a specific adjacency matrix. In this paper, we propose the first general black-box adversarial attack framework, i.e., General Attack via Fake Social Interaction (GAFSI), against detectors based on different graph structures. Specifically, as sharing is an important social interaction for GNN-based fake news detectors to construct the graph, we simulate sharing behaviors to fool the detectors. Firstly, we propose a fraudster selection module to select engaged users leveraging local and global information. In addition, a post injection module guides the selected users to create shared relations by sending posts. The sharing records will be added to the social context, leading to a general attack against different detectors. Experimental results on empirical datasets demonstrate the effectiveness of GAFSI.

A General Black-box Adversarial Attack on Graph-based Fake News Detectors

TL;DR

This work tackles the robustness of GNN-based fake news detectors under black-box attacks across diverse social-graph constructions. It introduces GAFSI, a two-module framework that simulates fraudulent social interactions by selecting influential fraudsters and injecting posts to perturb the social context, guided by gradients from surrogate models. Empirical results on Politifact and Gossipcop show that GAFSI achieves higher misclassification rates across multiple graph types than state-of-the-art baselines, with favorable efficiency and comprehensive ablations. The study highlights a practical vulnerability of graph-based fake news detectors to socially realistic adversarial perturbations and informs defense strategies against black-box social-context attacks.

Abstract

Graph Neural Network (GNN)-based fake news detectors apply various methods to construct graphs, aiming to learn distinctive news embeddings for classification. Since the construction details are unknown for attackers in a black-box scenario, it is unrealistic to conduct the classical adversarial attacks that require a specific adjacency matrix. In this paper, we propose the first general black-box adversarial attack framework, i.e., General Attack via Fake Social Interaction (GAFSI), against detectors based on different graph structures. Specifically, as sharing is an important social interaction for GNN-based fake news detectors to construct the graph, we simulate sharing behaviors to fool the detectors. Firstly, we propose a fraudster selection module to select engaged users leveraging local and global information. In addition, a post injection module guides the selected users to create shared relations by sending posts. The sharing records will be added to the social context, leading to a general attack against different detectors. Experimental results on empirical datasets demonstrate the effectiveness of GAFSI.
Paper Structure (32 sections, 14 equations, 5 figures, 4 tables)

This paper contains 32 sections, 14 equations, 5 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. GNN-based Fake News Detection
  4. Adversarial Attack on GNN
  5. Preliminary and Problem Statement
  6. Social Context in News Dissemination.
  7. Graph Construction of $G$ for Fake News Detection.
  8. Adversarial Attack on Specific Graph.
  9. Our Attack on Social Context.
  10. Method
  11. Fraudster Selection Module
  12. Local Influence Estimation.
  13. Global Influence Estimation.
  14. Post Injection Module
  15. Post Initialization.
  16. ...and 17 more sections

Figures (5)

  • Figure 1: Social context in news dissemination can be constructed into (a) the user-news bipartite graph; (b) the news engagement graph; (c) the news-user propagation tree; and (d) the news-post propagation and dispersion tree, etc. The diversity in the graph types poses challenges for launching a general black-box adversarial attack on fake news detectors based on different graphs.
  • Figure 2: An illustration of GAFSI against GNN-based fake news detectors. The social context $G$ and corresponding representation $X$ serve as the input of GAFSI. The fraudster selection module selects influential fraudsters according to information from the local structure and global structure. Each selected fraudster will send a post and then the post injection module will optimize the connection and the content of the post. Finally, the records of sharing will be added into the social context and fool the GNN-based detector.
  • Figure 3: The success rate of GAFSI when adopting different trade-off parameters $\alpha$.
  • Figure 4: The average success rate of attacks with different budgets.
  • Figure 5: The success rate of GAFSI on target news within different degree ranges.