Surrogate Representation Learning with Isometric Mapping for Gray-box Graph Adversarial Attacks

TL;DR

This paper introduces SRLIM, a novel surrogate representation learning method using isometric mapping to preserve graph topology, enhancing the transferability and effectiveness of gray-box adversarial attacks on graph models.

Contribution

It proposes SRLIM, a new approach that maintains graph topology in surrogate models, improving attack transferability in gray-box settings.

Findings

SRLIM improves attack success rates in experiments.

Preserves graph topology in surrogate embeddings.

Enhances transferability of gradient-based attacks.

Abstract

Gray-box graph attacks aim at disrupting the performance of the victim model by using inconspicuous attacks with limited knowledge of the victim model. The parameters of the victim model and the labels of the test nodes are invisible to the attacker. To obtain the gradient on the node attributes or graph structure, the attacker constructs an imaginary surrogate model trained under supervision. However, there is a lack of discussion on the training of surrogate models and the robustness of provided gradient information. The general node classification model loses the topology of the nodes on the graph, which is, in fact, an exploitable prior for the attacker. This paper investigates the effect of representation learning of surrogate models on the transferability of gray-box graph adversarial attacks. To reserve the topology in the surrogate embedding, we propose Surrogate Representation Learning with Isometric Mapping (SRLIM). By using Isometric mapping method, our proposed SRLIM can constrain the topological structure of nodes from the input layer to the embedding space, that is, to maintain the similarity of nodes in the propagation process. Experiments prove the effectiveness of our approach through the improvement in the performance of the adversarial attacks generated by the gradient-based attacker in untargeted poisoning gray-box setups.