Node Injection for Class-specific Network Poisoning

TL;DR

This paper introduces NICKI, a novel optimization-based node injection attack that effectively misclassifies specific nodes in GNNs while camouflaging injected nodes as benign, demonstrating superior performance over existing methods.

Contribution

It presents a new class-specific poisoning attack on graphs that uses an optimization approach to generate camouflaged injected nodes, enhancing attack effectiveness and stealth.

Findings

NICKI outperforms four baseline attack strategies in misclassification accuracy.

Injected nodes are effectively camouflaged, indistinguishable from benign nodes.

The attack maintains graph properties similar to the original, ensuring stealth.

Abstract

Graph Neural Networks (GNNs) are powerful in learning rich network representations that aid the performance of downstream tasks. However, recent studies showed that GNNs are vulnerable to adversarial attacks involving node injection and network perturbation. Among these, node injection attacks are more practical as they don't require manipulation in the existing network and can be performed more realistically. In this paper, we propose a novel problem statement - a class-specific poison attack on graphs in which the attacker aims to misclassify specific nodes in the target class into a different class using node injection. Additionally, nodes are injected in such a way that they camouflage as benign nodes. We propose NICKI, a novel attacking strategy that utilizes an optimization-based approach to sabotage the performance of GNN-based node classifiers. NICKI works in two phases - it first learns the node representation and then generates the features and edges of the injected nodes. Extensive experiments and ablation studies on four benchmark networks show that NICKI is consistently better than four baseline attacking strategies for misclassifying nodes in the target class. We also show that the injected nodes are properly camouflaged as benign, thus making the poisoned graph indistinguishable from its clean version w.r.t various topological properties.