Recently, Graph Injection Attack (GIA) has emerged as a practical attack scenario on Graph Neural Networks (GNNs), where the adversary can merely inject a few malicious nodes instead of modifying existing nodes or edges, i.e., Graph Modification Attack (GMA). Although GIA has achieved promising results, little is known about why it is successful and whether there is any pitfall behind the success. To understand the power of GIA, we compare it with GMA and find that GIA can be provably more harmful than GMA due to its relatively high flexibility. However, the high flexibility also leads to great damage to the homophily distribution of the original graph, i.e., the similarity among neighbors. Consequently, the threats of GIA can be easily alleviated or even prevented by homophily-based defenses designed to recover the original homophily. To mitigate the issue, we introduce a novel constraint, homophily unnoticeability, that forces GIA to preserve the homophily, and propose the Harmonious Adversarial Objective (HAO) to instantiate it. Extensive experiments verify that GIA with HAO can break homophily-based defenses and outperform previous GIA attacks by a significant margin. We believe our methods can support a more reliable evaluation of the robustness of GNNs.
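A minimal sketch of the kind of homophily-based defense the abstract refers to, added here as an illustration and not taken from the paper: it scores each node by the cosine similarity between its features and the mean of its neighbors' features, then prunes edges whose endpoints are dissimilar. The cosine measure, the mean aggregation, the threshold and the five-node graph are all assumptions made for this example.

```python
import math

# Constructed sample graph: nodes 0-3 are original, node 4 is an injected node
# whose features differ sharply from those of the nodes it attaches to.
FEATURES = {
    0: [1.0, 0.9, 0.1],
    1: [0.9, 1.0, 0.2],
    2: [1.0, 1.0, 0.0],
    3: [0.8, 0.9, 0.1],
    4: [-1.0, -0.8, 0.9],
}
EDGES = [(0, 1), (1, 2), (2, 3), (0, 3), (4, 0), (4, 1), (4, 2)]
THRESHOLD = 0.1  # assumed similarity cut-off, not a value from the paper


def cosine(u, v):
    """Cosine similarity of two feature vectors (0.0 if either is all zeros)."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def neighbors(node, edges):
    """Neighbors of `node` in an undirected edge list."""
    return [b if a == node else a for a, b in edges if node in (a, b)]


def node_homophily(node, features, edges):
    """Similarity between a node and the mean of its neighbors; None if isolated."""
    nbrs = neighbors(node, edges)
    if not nbrs:
        return None
    dim = len(features[node])
    mean = [sum(features[n][i] for n in nbrs) / len(nbrs) for i in range(dim)]
    return cosine(features[node], mean)


def prune_edges(features, edges, threshold):
    """Keep only edges whose endpoints are at least `threshold` similar."""
    return [(a, b) for a, b in edges if cosine(features[a], features[b]) >= threshold]


if __name__ == "__main__":
    kept = prune_edges(FEATURES, EDGES, THRESHOLD)
    for n in sorted(FEATURES):
        print(n, node_homophily(n, FEATURES, EDGES), node_homophily(n, FEATURES, kept))
```

On this graph the injected node stands out because its homophily score is negative; a filter of this kind only sees injections that disturb the similarity among neighbors, which is the limitation the abstract's homophily unnoticeability constraint is about.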