Graph neural networks (GNNs) offer promising learning methods for graph-related tasks. However, GNNs are at risk of adversarial attacks. We highlight two primary limitations of current evasion attack methods: (1) GradArgmax ignores the "long-term" benefit of a perturbation and suffers from zero gradients and invalid benefit estimates in certain situations. (2) In reinforcement learning-based attack methods, the learned attack strategy may not transfer when the attack budget changes. To this end, we first formulate the perturbation space and propose an evaluation framework together with the projective ranking method. We aim to learn a powerful attack strategy and then adapt it as little as possible to generate adversarial samples under dynamic budget settings. In our method, we rank and assess the attack benefit of each perturbation based on mutual information, yielding an effective attack strategy. By projecting this strategy, our method dramatically reduces the cost of learning a new attack strategy when the attack budget changes. In a comparative assessment against GradArgmax and RL-S2V, the results show that our method achieves high attack performance and effective transferability. Visualizing our method also reveals various attack patterns in the generation of adversarial samples.
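To make the projective-ranking idea concrete, the sketch below illustrates the two-step scheme the abstract describes: rank all candidate perturbations once by an estimated attack benefit, then "project" that fixed ranking onto any budget by taking the top-k entries, so a changed budget only moves the cut-off rather than requiring a new strategy. This is a minimal illustration, not the paper's implementation: `score_fn` is a hypothetical stand-in for the learned mutual-information-based benefit estimate, and candidates are assumed to be single edge flips on an undirected adjacency matrix.

```python
import numpy as np

def rank_perturbations(adj: np.ndarray, score_fn) -> list:
    """Rank all candidate edge flips once by their estimated attack benefit."""
    n = adj.shape[0]
    candidates = [(i, j) for i in range(n) for j in range(i + 1, n)]
    # Higher score = larger estimated "long-term" benefit of flipping (i, j).
    return sorted(candidates, key=lambda e: score_fn(adj, e), reverse=True)

def attack_under_budget(adj: np.ndarray, ranking: list, budget: int) -> np.ndarray:
    """Project the fixed ranking onto a budget: apply only the top-`budget` flips.
    Changing the budget changes the cut-off, not the learned strategy."""
    perturbed = adj.copy()
    for i, j in ranking[:budget]:
        perturbed[i, j] = perturbed[j, i] = 1 - perturbed[i, j]  # flip the edge
    return perturbed

# Toy usage with a hypothetical benefit estimate (here: prefer flips that
# touch high-degree nodes, purely for illustration).
score_fn = lambda a, e: a[e[0]].sum() + a[e[1]].sum()
adj = np.triu((np.random.rand(6, 6) > 0.5).astype(int), 1)
adj += adj.T                                   # symmetric toy graph
ranking = rank_perturbations(adj, score_fn)    # learned/scored once
adv_small = attack_under_budget(adj, ranking, budget=2)
adv_large = attack_under_budget(adj, ranking, budget=5)  # ranking reused
```

The design point this mirrors is that the expensive step (scoring and ranking perturbations) is decoupled from the budget, which is what lets the strategy transfer across dynamic budget settings with little adaptation.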