Gray-box graph attacks aim at disrupting the performance of the victim model by using inconspicuous attacks with limited knowledge of the victim model. The parameters of the victim model and the labels of the test nodes are invisible to the attacker. To obtain the gradient on the node attributes or graph structure, the attacker constructs an imaginary surrogate model trained under supervision. However, there is a lack of discussion on the training of surrogate models and the robustness of provided gradient information. The general node classification model loses the topology of the nodes on the graph, which is, in fact, an exploitable prior for the attacker. This paper investigates the effect of representation learning of surrogate models on the transferability of gray-box graph adversarial attacks. To reserve the topology in the surrogate embedding, we propose Surrogate Representation Learning with Isometric Mapping (SRLIM). By using Isometric mapping method, our proposed SRLIM can constrain the topological structure of nodes from the input layer to the embedding space, that is, to maintain the similarity of nodes in the propagation process. Experiments prove the effectiveness of our approach through the improvement in the performance of the adversarial attacks generated by the gradient-based attacker in untargeted poisoning gray-box setups.
翻译:灰盒图形攻击的目的是通过使用对受害者模型了解有限且不明显的攻击破坏受害者模型的性能。 受害者模型的参数和测试节点的标签对攻击者是看不见的。 要获得节点属性或图形结构的梯度,攻击者将建立一个在监督下训练的假冒代孕模型。 但是,对于代位模型的训练以及所提供的梯度信息的稳健性缺乏讨论。 普通节点分类模型将失去图上节点的表层结构,而图上节点实际上是攻击者可以利用的先行。 本文调查代位模型的代位学习对灰盒图对对抗性攻击的可转移性的影响。 为了在代位模型嵌入中保留表层学,我们建议用测深绘图法进行苏洛门代表学习。 我们提议的SRLIM可以用测深的绘图方法限制从输入层到嵌入空间的节点的表层结构的表层结构结构,事实上,这是攻击者在攻击者之前可加以利用的图层。 本文研究了代位模型模型对代模式模型对灰盒式模型对灰盒形攻击性攻击性攻击过程的类似性效果。 实验证明, 以稳定性攻击性攻击的升级性攻击方法的升级性能。