Sparse Vicious Attacks on Graph Neural Networks

TL;DR

This paper introduces SAVAGE, a novel framework for executing sparse, white-box adversarial attacks on GNN-based link prediction models, demonstrating high success rates with minimal malicious resources and transferability to black-box models.

Contribution

SAVAGE formulates a new optimization-based method for sparse, white-box attacks on GNN link prediction, balancing attack effectiveness and resource sparsity.

Findings

High attack success rate with few malicious nodes

Effective transferability to black-box models

Validated on real-world and synthetic datasets

Abstract

Graph Neural Networks (GNNs) have proven to be successful in several predictive modeling tasks for graph-structured data. Amongst those tasks, link prediction is one of the fundamental problems for many real-world applications, such as recommender systems. However, GNNs are not immune to adversarial attacks, i.e., carefully crafted malicious examples that are designed to fool the predictive model. In this work, we focus on a specific, white-box attack to GNN-based link prediction models, where a malicious node aims to appear in the list of recommended nodes for a given target victim. To achieve this goal, the attacker node may also count on the cooperation of other existing peers that it directly controls, namely on the ability to inject a number of ``vicious'' nodes in the network. Specifically, all these malicious nodes can add new edges or remove existing ones, thereby perturbing the original graph. Thus, we propose SAVAGE, a novel framework and a method to mount this type of link prediction attacks. SAVAGE formulates the adversary's goal as an optimization task, striking the balance between the effectiveness of the attack and the sparsity of malicious resources required. Extensive experiments conducted on real-world and synthetic datasets demonstrate that adversarial attacks implemented through SAVAGE indeed achieve high attack success rate yet using a small amount of vicious nodes. Finally, despite those attacks require full knowledge of the target model, we show that they are successfully transferable to other black-box methods for link prediction.