AGSOA:Graph Neural Network Targeted Attack Based on Average Gradient and Structure Optimization

TL;DR

This paper tackles the vulnerability of Graph Neural Networks to adversarial perturbations by addressing two key weaknesses of gradient-based attacks: getting stuck in local optima and poor invisibility. It introduces AGSOA, which combines an average gradient calculation over multiple moments with a structure-optimization module that uses node similarity and homogeneity to guide perturbations under an invisibility budget. The approach yields higher misclassification rates and better transferability across GNN architectures than several baselines, and demonstrates effectiveness under both targeted and untargeted settings. The work advances practical targeted graph attacks by improving both effectiveness and stealth, with potential implications for evaluating and improving GNN defenses.

Abstract

Graph Neural Networks(GNNs) are vulnerable to adversarial attack that cause performance degradation by adding small perturbations to the graph. Gradient-based attacks are one of the most commonly used methods and have achieved good performance in many attack scenarios. However, current gradient attacks face the problems of easy to fall into local optima and poor attack invisibility. Specifically, most gradient attacks use greedy strategies to generate perturbations, which tend to fall into local optima leading to underperformance of the attack. In addition, many attacks only consider the effectiveness of the attack and ignore the invisibility of the attack, making the attacks easily exposed leading to failure. To address the above problems, this paper proposes an attack on GNNs, called AGSOA, which consists of an average gradient calculation and a structre optimization module. In the average gradient calculation module, we compute the average of the gradient information over all moments to guide the attack to generate perturbed edges, which stabilizes the direction of the attack update and gets rid of undesirable local maxima. In the structure optimization module, we calculate the similarity and homogeneity of the target node's with other nodes to adjust the graph structure so as to improve the invisibility and transferability of the attack. Extensive experiments on three commonly used datasets show that AGSOA improves the misclassification rate by 2$\%$-8$\%$ compared to other state-of-the-art models.

Figures (7)

• Figure 1: Illustration of two gradient attack optimization paths. FGA attacks along the direction of the gradient of the previous iteration. AGSOA accumulates the average of the gradient of all previous moments of the iteration to attack. The more gradients that are accumulated, the easier it is for the attack to find a global optimum.
• Figure 2: AGSOA Overall Framework. AGSOA consists of two components: average gradient computation and structre optimization. At the $t$-th iteration, the average gradient ${\bar{B}^{(t)}}$ is obtained by accumulating the gradients of the previous $t$ moments, and the attack uses the gradient modification rule to add or delete edges. In the structure optimization component, we compute the feature similarity and node homogeneity between the target node and other nodes. AGSOA then use the TOP-K overlapping mechanism to select the perturbation edges to generate the perturbation graph $G^{\prime (t)}$. The final perturbation graph $G^{\prime}$ is classified to get the predicted label of the target node, if the predicted label of the target node is different from the real label means the attack is successful.
• Figure 3: Effectiveness of the average gradient component. (a) is a comparison of the MR of the two gradient attack models. Where NAG is an extended model of NAG-R and is attacked using only NAG accelerated gradients. AGSOA-AT is only using the average gradient to complete the attack. (b) is a comparison of the number of edges before and after the NAG and AG attacks. To make it easier to observe the change in the number of edges, we shrink the number of edges by a factor of 1000.
• Figure 4: MR of three graph optimization attacks.
• Figure 5: The attack performance under different the number of target nodes.