Node injection for class-specific network poisoning.

Affiliations

Indraprastha Institute of Information Technology, Delhi, India.

Indian Institute of Technology, Delhi, India.

Publication information

Neural Netw. 2023 Sep;166:236-247. doi: 10.1016/j.neunet.2023.07.025. Epub 2023 Jul 22.

Abstract

Graph Neural Networks (GNNs) are powerful in learning rich network representations that aid the performance of downstream tasks. However, recent studies showed that GNNs are vulnerable to adversarial attacks involving node injection and network perturbation. Among these, node injection attacks are more practical as they do not require manipulation in the existing network and can be performed more realistically. In this paper, we propose a novel problem statement - a class-specific poison attack on graphs in which the attacker aims to misclassify specific nodes in the target class into a different class using node injection. Additionally, nodes are injected in such a way that they camouflage as benign nodes. We propose NICKI, a novel attacking strategy that utilizes an optimization-based approach to sabotage the performance of GNN-based node classifiers. NICKI works in two phases - it first learns the node representation and then generates the features and edges of the injected nodes. Extensive experiments and ablation studies on four benchmark networks show that NICKI is consistently better than four baseline attacking strategies for misclassifying nodes in the target class. We also show that the injected nodes are properly camouflaged as benign, thus making the poisoned graph indistinguishable from its clean version w.r.t. various topological properties.
