Adversarial attacks on graphs have attracted considerable research interests. Existing works assume the attacker is either (partly) aware of the victim model, or able to send queries to it. These assumptions are, however, unrealistic. To bridge the gap between theoretical graph attacks and real-world scenarios, in this work, we propose a novel and more realistic setting: strict black-box graph attack, in which the attacker has no knowledge about the victim model at all and is not allowed to send any queries. To design such an attack strategy, we first propose a generic graph filter to unify different families of graph-based models. The strength of attacks can then be quantified by the change in the graph filter before and after attack. By maximizing this change, we are able to find an effective attack strategy, regardless of the underlying model. To solve this optimization problem, we also propose a relaxation technique and approximation theories to reduce the difficulty as well as the computational expense. Experiments demonstrate that, even with no exposure to the model, the Macro-F1 drops 6.4% in node classification and 29.5% in graph classification, which is a significant result compared with existent works.
翻译:图表上的Aversarial攻击吸引了相当多的研究兴趣。 现有的工程假设攻击者要么( 部分)了解受害者模型, 要么( 部分) 能够向它发送查询。 但是, 这些假设是不现实的。 为了弥合理论图形攻击与现实世界情景之间的差距, 我们在这项工作中提出了一个新颖和更加现实的设置: 严格的黑盒图形攻击, 攻击者根本不了解受害者模型, 并且不允许发送任何查询。 为了设计这样的攻击战略, 我们首先提议一个通用图形过滤器, 以统一以图形为基础的模型的不同家族。 然后, 攻击的强度可以通过攻击前后的图形过滤器的变化来量化。 通过尽可能扩大这一变化, 我们能找到有效的攻击战略, 不论基本模型是什么。 为了解决这一优化问题, 我们还提议了一个放松技术和近似理论, 以减少困难和计算成本。 实验表明, 即便不接触模型, 宏观F1 也把6.4% 放在节点分类中, 29.5 % 的图表分类中, 与不存在的工程相比, 其结果是显著的。
相关内容
微信扫码咨询专知VIP会员