Hard Label Black Box Node Injection Attack on Graph Neural Networks

TL;DR

This paper introduces the first non-targeted hard label black box node injection attack on graph neural networks, enabling realistic adversarial testing without prior knowledge of the model, and demonstrates its effectiveness on multiple datasets.

Contribution

It proposes a novel black box node injection attack method that does not require model details, expanding the scope of adversarial attacks on GNNs in practical scenarios.

Findings

Effective attack performance on COIL-DEL, IMDB-BINARY, and NCI1 datasets.

First attack of its kind under hard label black box setting.

Demonstrates vulnerability of GNNs without model knowledge.

Abstract

While graph neural networks have achieved state-of-the-art performances in many real-world tasks including graph classification and node classification, recent works have demonstrated they are also extremely vulnerable to adversarial attacks. Most previous works have focused on attacking node classification networks under impractical white-box scenarios. In this work, we will propose a non-targeted Hard Label Black Box Node Injection Attack on Graph Neural Networks, which to the best of our knowledge, is the first of its kind. Under this setting, more real world tasks can be studied because our attack assumes no prior knowledge about (1): the model architecture of the GNN we are attacking; (2): the model's gradients; (3): the output logits of the target GNN model. Our attack is based on an existing edge perturbation attack, from which we restrict the optimization process to formulate a node injection attack. In the work, we will evaluate the performance of the attack using three datasets, COIL-DEL, IMDB-BINARY, and NCI1.