Single-Node Attacks for Fooling Graph Neural Networks

TL;DR

This paper reveals that graph neural networks are vulnerable to highly realistic single-node adversarial attacks, where minimal perturbations to one node can mislead the GNN into misclassification, even without attacker node selection.

Contribution

It introduces the first effective single-node attack method for GNNs, demonstrating high success across multiple GNN architectures and datasets, surpassing previous attack techniques.

Findings

Single-node attacks can successfully fool GNNs in various settings.

Attacks are effective even when the attacker cannot choose the attack node.

The proposed method outperforms previous attacks across multiple datasets.

Abstract

Graph neural networks (GNNs) have shown broad applicability in a variety of domains. These domains, e.g., social networks and product recommendations, are fertile ground for malicious users and behavior. In this paper, we show that GNNs are vulnerable to the extremely limited (and thus quite realistic) scenarios of a single-node adversarial attack, where the perturbed node cannot be chosen by the attacker. That is, an attacker can force the GNN to classify any target node to a chosen label, by only slightly perturbing the features or the neighbor list of another single arbitrary node in the graph, even when not being able to select that specific attacker node. When the adversary is allowed to select the attacker node, these attacks are even more effective. We demonstrate empirically that our attack is effective across various common GNN types (e.g., GCN, GraphSAGE, GAT, GIN) and robustly optimized GNNs (e.g., Robust GCN, SM GCN, GAL, LAT-GCN), outperforming previous attacks across different real-world datasets both in a targeted and non-targeted attacks. Our code is available at https://github.com/benfinkelshtein/SINGLE .