Graph neural networks (GNNs) are a class of effective deep learning models for node classification tasks; yet their predictive capability may be severely compromised under adversarially designed unnoticeable perturbations to the graph structure and/or node data. Most of the current work on graph adversarial attacks aims at lowering the overall prediction accuracy, but we argue that the resulting abnormal model performance may catch attention easily and invite quick counterattack. Moreover, attacks through modification of existing graph data may be hard to conduct if good security protocols are implemented. In this work, we consider an easier attack harder to be noticed, through adversarially patching the graph with new nodes and edges. The attack is universal: it targets a single node each time and flips its connection to the same set of patch nodes. The attack is unnoticeable: it does not modify the predictions of nodes other than the target. We develop an algorithm, named GUAP, that achieves high attack success rate but meanwhile preserves the prediction accuracy. GUAP is fast to train by employing a sampling strategy. We demonstrate that a 5% sampling in each epoch yields 20x speedup in training, with only a slight degradation in attack performance. Additionally, we show that the adversarial patch trained with the graph convolutional network transfers well to other GNNs, such as the graph attention network.
翻译:图形神经网络(GNNs)是一组有效的深层学习模型,用于节点分类任务;然而,它们的预测能力可能会在对抗性设计、无法察觉的图形结构和/或节点数据的干扰下受到严重损害。目前关于图形对抗性攻击的多数工作旨在降低总体预测准确性,但我们认为,由此产生的异常模型性能可能很容易引起注意,并引起快速反攻。此外,如果执行良好的安全协议,通过修改现有图表数据进行袭击可能很难进行。在这项工作中,我们认为通过对准用新的节点和边缘对图进行对抗性修补,其预测能力可能更加容易受到注意。攻击是普遍的:每次瞄准一个单节点,将其连接到相同的补节点组合。袭击是不可注意的:它不会改变目标之外节点的预测。我们开发了名为GUAP的算法,它达到攻击成功率高,但同时保持了预测的准确性。 GUP是快速的,通过使用取样策略来训练。我们展示了每部单一节点网络的5%的取样结果,我们只通过经过训练的平面图状图状图显示了20的变速度。