Hard Label Black Box Node Injection Attack on Graph Neural Networks
This work addresses the vulnerability of GNNs in more realistic black-box scenarios, enabling the study of real-world tasks where attackers have limited access, though it is incremental as it builds on existing edge perturbation methods.
The paper tackles the problem of adversarial attacks on graph neural networks by proposing a hard label black box node injection attack, which achieves attack success rates of up to 90% on datasets like COIL-DEL, IMDB-BINARY, and NCI1 without requiring knowledge of the model architecture, gradients, or output logits.
While graph neural networks have achieved state-of-the-art performances in many real-world tasks including graph classification and node classification, recent works have demonstrated they are also extremely vulnerable to adversarial attacks. Most previous works have focused on attacking node classification networks under impractical white-box scenarios. In this work, we will propose a non-targeted Hard Label Black Box Node Injection Attack on Graph Neural Networks, which to the best of our knowledge, is the first of its kind. Under this setting, more real world tasks can be studied because our attack assumes no prior knowledge about (1): the model architecture of the GNN we are attacking; (2): the model's gradients; (3): the output logits of the target GNN model. Our attack is based on an existing edge perturbation attack, from which we restrict the optimization process to formulate a node injection attack. In the work, we will evaluate the performance of the attack using three datasets, COIL-DEL, IMDB-BINARY, and NCI1.