RIDA: A Robust Attack Framework on Incomplete Graphs
Jianke Yu, Hanchen Wang, Chen Chen, Xiaoyang Wang, Lu Qin, Wenjie Zhang, Ying Zhang, Xijuan Liu
TL;DR
GNNs face robustness challenges under poisoning, especially when vertex attributes are incomplete. The authors propose RIDA, a robust gray-box poisoning framework for incomplete graphs, built from three modules: Depth-plus GNN for long-range propagation, Local-global Aggregation for refined feature fusion, and Holistic Adversarial Attack to optimize perturbations on incomplete graphs. Extensive experiments on CORA, CORA-ML, and CITESEER against nine baselines, plus ablation and analysis, show that RIDA achieves superior attack performance and resilience to missing attributes, providing a realistic benchmark to guide defense strategies. The work has practical implications for designing robust GNNs in security-sensitive, data-incomplete settings.
Abstract
Graph Neural Networks (GNNs) are vital in data science but are increasingly susceptible to adversarial attacks. To help researchers develop more robust GNN models, it's essential to focus on designing strong attack models as foundational benchmarks and guiding references. Among adversarial attacks, gray-box poisoning attacks are noteworthy due to their effectiveness and fewer constraints. These attacks exploit GNNs' need for retraining on updated data, thereby impacting their performance by perturbing these datasets. However, current research overlooks the real-world scenario of incomplete graphs. To address this gap, we introduce the Robust Incomplete Deep Attack Framework (RIDA). It is the first algorithm for robust gray-box poisoning attacks on incomplete graphs. The approach innovatively aggregates distant vertex information and ensures powerful data utilization. Extensive tests against 9 SOTA baselines on 3 real-world datasets demonstrate that RIDA's superiority in handling incompleteness and high attack performance on the incomplete graph.