LiSA: Leveraging Link Recommender to Attack Graph Neural Networks via Subgraph Injection
This addresses security concerns for GNN systems in real-world applications, though it is incremental as it builds on existing adversarial attack research.
The paper tackles the vulnerability of Graph Neural Networks (GNNs) to adversarial attacks by introducing a novel scenario where an isolated subgraph is injected to deceive both link recommenders and node classifiers, resulting in degraded classification accuracy as demonstrated in experiments on real-world datasets.
Graph Neural Networks (GNNs) have demonstrated remarkable proficiency in modeling data with graph structures, yet recent research reveals their susceptibility to adversarial attacks. Traditional attack methodologies, which rely on manipulating the original graph or adding links to artificially created nodes, often prove impractical in real-world settings. This paper introduces a novel adversarial scenario involving the injection of an isolated subgraph to deceive both the link recommender and the node classifier within a GNN system. Specifically, the link recommender is mislead to propose links between targeted victim nodes and the subgraph, encouraging users to unintentionally establish connections and that would degrade the node classification accuracy, thereby facilitating a successful attack. To address this, we present the LiSA framework, which employs a dual surrogate model and bi-level optimization to simultaneously meet two adversarial objectives. Extensive experiments on real-world datasets demonstrate the effectiveness of our method.