A Hard Label Black-box Adversarial Attack Against Graph Neural Networks

Mu, Jiaming; Wang, Binghui; Li, Qi; Sun, Kun; Xu, Mingwei; Liu, Zhuotao

doi:10.1145/3460120.3484796

Cited by 25 publications

(6 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, rather than utilising the gradients of the victim models directly, some black-box attacks [81] construct surrogate models and use the gradients obtained therefrom. Another study in black-box settings [103] uses adversarial graph search and query responses of the victim models to calculate the sign gradients. These approaches may require additional effort to determine the gradients (e.g., the time cost for the Topology attack using a surrogate model can be six to ten times that of a simple gradient-based approach [104]).…”

Section: )mentioning

confidence: 99%

Trustworthy Graph Neural Networks: Aspects, Methods and Trends

Zhang¹,

Wu²,

Yuan³

et al. 2022

Preprint

View full text Add to dashboard Cite

Graph neural networks (GNNs) have emerged as a series of competent graph learning methods for diverse real-world scenarios, ranging from daily applications like recommendation systems and question answering to cutting-edge technologies such as drug discovery in life sciences and n-body simulation in astrophysics. However, task performance is not the only requirement for GNNs. Performance-oriented GNNs have exhibited potential adverse effects like vulnerability to adversarial attacks, unexplainable discrimination against disadvantaged groups, or excessive resource consumption in edge computing environments. To avoid these unintentional harms, it is necessary to build competent GNNs characterised by trustworthiness. To this end, we propose a comprehensive roadmap to build trustworthy GNNs from the view of the various computing technologies involved. In this survey, we introduce basic concepts and comprehensively summarise existing efforts for trustworthy GNNs from six aspects, including robustness, explainability, privacy, fairness, accountability, and environmental well-being. Additionally, we highlight the intricate cross-aspect relations between the above six aspects of trustworthy GNNs. Finally, we present a thorough overview of trending directions for facilitating the research and industrialisation of trustworthy GNNs.

show abstract

Section: )mentioning

confidence: 99%

Trustworthy Graph Neural Networks: Aspects, Methods and Trends

Zhang¹,

Wu²,

Yuan³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Some other works [29,16] focus on attacking community detection and they are heuristic and orthogonal to our work. The work [21] most close to ours designed a black-box attacks to GNNs for graph classification, which is based on gradient-free ZOO [5]. However, it also does not have theoretical guaranteed attack performance.…”

Section: Related Workmentioning

confidence: 99%

Bandits for Structure Perturbation-based Black-box Attacks to Graph Neural Networks with Theoretical Guarantees

Wang¹,

Li²,

Zhou³

2022

Preprint

Self Cite

View full text Add to dashboard Cite

Graph neural networks (GNNs) have achieved state-ofthe-art performance in many graph-based tasks such as node classification and graph classification. However, many recent works have demonstrated that an attacker can mislead GNN models by slightly perturbing the graph structure. Existing attacks to GNNs are either under the less practical threat model where the attacker is assumed to access the GNN model parameters, or under the practical blackbox threat model but consider perturbing node features that are shown to be not enough effective. In this paper, we aim to bridge this gap and consider black-box attacks to GNNs with structure perturbation as well as with theoretical guarantees. We propose to address this challenge through bandit techniques. Specifically, we formulate our attack as an online optimization with bandit feedback. This original problem is essentially NP-hard due to the fact that perturbing the graph structure is a binary optimization problem. We then propose an online attack based on bandit optimization which is proven to be sublinear to the query number T , i.e., O( √ N T 3/4 ) where N is the number of nodes in the graph. Finally, we evaluate our proposed attack by conducting experiments over multiple datasets and GNN models. The experimental results on various citation graphs and image graphs show that our attack is both effective and efficient. Source code is available at https://github. com/Metaoblivion/Bandit_GNN_Attack

show abstract

“…Existing studies have shown that GNNs are vulnerable to adversarial attacks [8], [11], [16], [31], [35], [36], [38], [50], [55], [56], [65], which deceive GNN models to make wrong predictions for graph classification or node classification. Depending on the stages when these attacks occur, these adversarial attacks can be classified into training-time poisoning attacks [34], [50], [66] and testing time adversarial attacks [9], [10], [35].…”

Section: Adversarial Attacks On Gnnsmentioning

confidence: 99%

“…Depending on the stages when these attacks occur, these adversarial attacks can be classified into training-time poisoning attacks [34], [50], [66] and testing time adversarial attacks [9], [10], [35]. Based on the attacker's knowledge, adversarial attacks can also be categorized into white-box attacks [56], [65] and black-box attacks [8], [35], [38].…”

Section: Adversarial Attacks On Gnnsmentioning

confidence: 99%

Model Inversion Attacks against Graph Neural Networks

Zhang¹,

Liu²,

Huang³

et al. 2022

Preprint

View full text Add to dashboard Cite

Many data mining tasks rely on graphs to model relational structures among individuals (nodes). Since relational data are often sensitive, there is an urgent need to evaluate the privacy risks in graph data. One famous privacy attack against data analysis models is the model inversion attack, which aims to infer sensitive data in the training dataset and leads to great privacy concerns. Despite its success in grid-like domains, directly applying model inversion attacks on non-grid domains such as graph leads to poor attack performance. This is mainly due to the failure to consider the unique properties of graphs. To bridge this gap, we conduct a systematic study on model inversion attacks against Graph Neural Networks (GNNs), one of the state-of-the-art graph analysis tools in this paper. Firstly, in the white-box setting where the attacker has full access to the target GNN model, we present GraphMI to infer the private training graph data. Specifically in GraphMI, a projected gradient module is proposed to tackle the discreteness of graph edges and preserve the sparsity and smoothness of graph features; a graph auto-encoder module is used to efficiently exploit graph topology, node attributes, and target model parameters for edge inference; a random sampling module can finally sample discrete edges. Furthermore, in the hard-label black-box setting where the attacker can only query the GNN API and receive the classification results, we propose two methods based on gradient estimation and reinforcement learning (RL-GraphMI). With the proposed methods, we study the connection between model inversion risk and edge influence and show that edges with greater influence are more likely to be recovered. Extensive experiments over several public datasets demonstrate the effectiveness of our methods. We also evaluate our attacks under two defenses: one is the well-designed differential private training, and the other is graph preprocessing. Our experimental results show that such defenses are not sufficiently effective and call for more advanced defenses against privacy attacks.

show abstract

A Hard Label Black-box Adversarial Attack Against Graph Neural Networks

Cited by 25 publications

References 29 publications

Trustworthy Graph Neural Networks: Aspects, Methods and Trends

Trustworthy Graph Neural Networks: Aspects, Methods and Trends

Bandits for Structure Perturbation-based Black-box Attacks to Graph Neural Networks with Theoretical Guarantees

Model Inversion Attacks against Graph Neural Networks

Contact Info

Product

Resources

About