Table of Contents
Fetching ...

Single-Edge Node Injection Threats to GNN-Based Security Monitoring in Industrial Graph Systems

Wenjie Liang, Ranhui Yan, Jia Cai, You-Gan Wang

TL;DR

This work addresses the security of GNN-driven industrial monitoring by formulating deployment-oriented node-injection threats under tight resource budgets. It introduces SEGIA, a single-edge injection attack that uses local neighborhood sampling, reverse graph convolution-based feature synthesis, and a pruning-aware surrogate with similarity regularization to preserve local homophily and evade edge-pruning defenses. Across diverse industrial-like datasets and defense mechanisms, SEGIA achieves at least 25% higher attack success than representative baselines while maintaining a minimal edge footprint, highlighting a system-level risk in real-world CPS/OT deployments. The findings argue for provenance-aware device/identity admission, neighborhood-consistency monitoring, and defense mechanisms that preserve accuracy without over-smoothing as essential to ensuring trustworthy industrial AI systems.

Abstract

Graph neural networks (GNNs) are increasingly adopted in industrial graph-based monitoring systems (e.g., Industrial internet of things (IIoT) device graphs, power-grid topology models, and manufacturing communication networks) to support anomaly detection, state estimation, and asset classification. In such settings, an adversary that compromises a small number of edge devices may inject counterfeit nodes (e.g., rogue sensors, virtualized endpoints, or spoofed substations) to bias downstream decisions while evading topology- and homophily-based sanitization. This paper formulates deployment-oriented node-injection attacks under constrained resources and proposes the \emph{Single-Edge Graph Injection Attack} (SEGIA), in which each injected node attaches to the operational graph through a single edge. SEGIA integrates a pruned SGC surrogate, multi-hop neighborhood sampling, and reverse graph convolution-based feature synthesis with a similarity-regularized objective to preserve local homophily and survive edge pruning. Theoretical analysis and extensive evaluations across datasets and defenses show at least $25\%$ higher attack success than representative baselines under substantially smaller edge budgets. These results indicate a system-level risk in industrial GNN deployments and motivate lightweight admission validation and neighborhood-consistency monitoring.

Single-Edge Node Injection Threats to GNN-Based Security Monitoring in Industrial Graph Systems

TL;DR

This work addresses the security of GNN-driven industrial monitoring by formulating deployment-oriented node-injection threats under tight resource budgets. It introduces SEGIA, a single-edge injection attack that uses local neighborhood sampling, reverse graph convolution-based feature synthesis, and a pruning-aware surrogate with similarity regularization to preserve local homophily and evade edge-pruning defenses. Across diverse industrial-like datasets and defense mechanisms, SEGIA achieves at least 25% higher attack success than representative baselines while maintaining a minimal edge footprint, highlighting a system-level risk in real-world CPS/OT deployments. The findings argue for provenance-aware device/identity admission, neighborhood-consistency monitoring, and defense mechanisms that preserve accuracy without over-smoothing as essential to ensuring trustworthy industrial AI systems.

Abstract

Graph neural networks (GNNs) are increasingly adopted in industrial graph-based monitoring systems (e.g., Industrial internet of things (IIoT) device graphs, power-grid topology models, and manufacturing communication networks) to support anomaly detection, state estimation, and asset classification. In such settings, an adversary that compromises a small number of edge devices may inject counterfeit nodes (e.g., rogue sensors, virtualized endpoints, or spoofed substations) to bias downstream decisions while evading topology- and homophily-based sanitization. This paper formulates deployment-oriented node-injection attacks under constrained resources and proposes the \emph{Single-Edge Graph Injection Attack} (SEGIA), in which each injected node attaches to the operational graph through a single edge. SEGIA integrates a pruned SGC surrogate, multi-hop neighborhood sampling, and reverse graph convolution-based feature synthesis with a similarity-regularized objective to preserve local homophily and survive edge pruning. Theoretical analysis and extensive evaluations across datasets and defenses show at least higher attack success than representative baselines under substantially smaller edge budgets. These results indicate a system-level risk in industrial GNN deployments and motivate lightweight admission validation and neighborhood-consistency monitoring.
Paper Structure (29 sections, 1 theorem, 29 equations, 6 figures, 8 tables, 1 algorithm)

This paper contains 29 sections, 1 theorem, 29 equations, 6 figures, 8 tables, 1 algorithm.

Key Result

Theorem 1

Let $G$ be an undirected connected graph without isolated nodes. Assume each class $c\in\{1,\dots,C\}$ has at least one labeled node. Let $f_{\theta}$ be a linearized GNN surrogate (e.g., PrSGC) trained on $G$, and let ${\@fontswitch\mathcal{L}}_{\mathrm{GIA}}$ denote the base injection loss. Let $G

Figures (6)

  • Figure 1: Workflow of the proposed SEGIA, interpreted as counterfeit-entity injection into industrial graph-based monitoring.
  • Figure 2: Two-layer neighborhood sampling around a target node (red) to approximate local industrial dependencies.
  • Figure 3: Comparison of our method with other approaches. (a) Original graph; (b) General injection (multiple edge budgets); (c) Our method (only one edge budget).
  • Figure 4: The influence of the hyperparameter $\alpha$ on the misclassification rate.
  • Figure 5: The effect of parameter $K$ on the misclassification rate for all the three datasets by using defense model GNNGuard.
  • ...and 1 more figures

Theorems & Definitions (3)

  • Definition 1: Node-centric homophily
  • Theorem 1
  • proof