GAIM: Attacking Graph Neural Networks via Adversarial Influence Maximization

Xiaodong Yang, Xiaoting Li, Huiyuan Chen, Yiwei Cai

TL;DR

GAIM tackles the practical problem of attacking Graph Neural Networks under restricted black-box access by reframing node perturbations as adversarial influence maximization. It defines an influence function, uses a surrogate linear model to turn a nonlinear optimization into a solvable linear program, and unifies target node selection with per-node feature perturbations under budgets. The method supports untargeted and two types of label-oriented targeted attacks and demonstrates strong effectiveness and transferability across five datasets and three GNN models, with favorable scalability compared to existing approaches. This work highlights significant security implications for graph-based learning and points to future extensions to additional architectures such as transformers.

Abstract

Recent studies show that well-devised perturbations on graph structures or node features can mislead trained Graph Neural Network (GNN) models. However, these methods often overlook practical assumptions, over-rely on heuristics, or separate vital attack components. In response, we present GAIM, an integrated adversarial attack method conducted on a node feature basis while considering the strict black-box setting. Specifically, we define an adversarial influence function to theoretically assess the adversarial impact of node perturbations, thereby reframing the GNN attack problem into the adversarial influence maximization problem. In our approach, we unify the selection of the target node and the construction of feature perturbations into a single optimization problem, ensuring a unique and consistent feature perturbation for each target node. We leverage a surrogate model to transform this problem into a solvable linear programming task, streamlining the optimization process. Moreover, we extend our method to accommodate label-oriented attacks, broadening its applicability. Thorough evaluations on five benchmark datasets across three popular models underscore the effectiveness of our method in both untargeted and label-oriented targeted attacks. Through comprehensive analysis and ablation studies, we demonstrate the practical value and efficacy inherent to our design choices.

Paper Structure (22 sections, 21 equations, 4 figures, 4 tables)

This paper contains 22 sections, 21 equations, 4 figures, 4 tables.

Figures (4)

  • Figure 1: The framework of GAIM, which mainly consists of three steps: (1) Building a surrogate model; (2) Optimizing adversarial influence of candidate nodes; (3) Constructing feature perturbations and selecting target nodes
  • Figure 2: Type-I Label-orientated Attack. It aims to degrade the accuracy of target labels. Top 3 target labels are displayed.
  • Figure 3: Type-II Label-orientated Attack. It aims to increase the ratio of nodes being misclassified into target labels. M.R. stands for misclassification rate. Top 3 target labels are displayed.
  • Figure 4: Attacks with different perturbation budgets