基于随机游走的图神经网络黑盒对抗攻击

doi:10.3969/j.issn.1671-1122.2024.10.011

信息网络安全 ›› 2024, Vol. 24 ›› Issue (10): 1570-1577.doi: 10.3969/j.issn.1671-1122.2024.10.011

基于随机游走的图神经网络黑盒对抗攻击

芦效峰¹(), 程天泽¹, 龙承念²

1.北京邮电大学网络空间安全学院，北京 100876
2.上海交通大学电子信息与电气工程学院，上海 200240

收稿日期:2024-04-16 出版日期:2024-10-10 发布日期:2024-09-27
通讯作者: 芦效峰, luxf@bupt.edu.cn
作者简介:芦效峰（1976—），男，山西，副教授，博士，主要研究方向为网络空间安全|程天泽（1999—），男，安徽，硕士研究生，主要研究方向为网络空间安全|龙承念（1977—），男，江西，教授，博士，主要研究方向为网络空间安全
基金资助:
国家自然科学基金(62136006)

A Random Walk Based Black-Box Adversarial Attack against Graph Neural Network

LU Xiaofeng¹(), CHENG Tianze¹, LONG Chengnian²

1. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University, Shanghai 200240, China

Received:2024-04-16 Online:2024-10-10 Published:2024-09-27

摘要/Abstract

摘要：

图神经网络在许多图分析任务中取得了显著的成功。然而，最近的研究揭示了其对对抗性攻击的易感性。现有的关于黑盒攻击的研究通常要求攻击者知道目标模型的所有训练数据，并且不适用于攻击者难以获得图神经网络节点特征表示的场景。文章提出了一种更严格的黑盒攻击模型，其中攻击者只知道选定节点的图结构和标签，但不知道节点特征表示。在这种攻击模型下，文章提出了一种针对图神经网络的黑盒对抗攻击方法。该方法近似每个节点对模型输出的影响，并使用贪心算法识别最优扰动。实验表明，虽然可用信息较少，但该算法的攻击成功率接近最先进的算法，同时实现了更高的攻击速度。此外，该攻击方法还具有迁移和防御能力。

关键词: 人工智能安全, 图神经网络, 对抗攻击

Abstract:

Graph neural networks have achieved remarkable success on many graph analysis tasks. However, recent studies have unveiled their susceptibility to adversarial attacks.The existing research on black box attacks often requires attackers to know all the training data of the target model, and is not applicable in scenarios where attackers have difficulty obtaining feature representations of graph neural network nodes.This paper proposed a more strict black-box attack model, where the attacker only possessed knowledge of the graph structure and labels of select nodes, but remained unaware of node feature representations. Under this attack model, this paper proposed a black-box adversarial attack method against graph neural networks. The approach approximated the influence of each node on the model output and identified optimal perturbations with greedy strategy. Experiments show that though less information is available, the attack success rate of this algorithm is close to that of the state-of-the-art algorithms, while achieving a higher attack speed. In addition, the attack method in this article also has migration and anti-defense capabilities.

Key words: artificial intelligence security, graph neural network, adversarial attacks

中图分类号:

TP309

芦效峰, 程天泽, 龙承念. 基于随机游走的图神经网络黑盒对抗攻击[J]. 信息网络安全, 2024, 24(10): 1570-1577.

LU Xiaofeng, CHENG Tianze, LONG Chengnian. A Random Walk Based Black-Box Adversarial Attack against Graph Neural Network[J]. Netinfo Security, 2024, 24(10): 1570-1577.

图/表 7

图1

表1

图2

图3

图4

表2

表3

参考文献 19

[1]	YING Zhitao, HE Ruining, CHEN Kaifeng, et al. Graph Convolutional Neural Networks for Web-Scale Recommender Systems[C]// ACM. Proceedings of the 24th ACM SIGKDD Cnternational Conference on Knowledge Discovery & Data Mining. New York: ACM, 2018: 974-983.
[2]	LI Cheng, MA Jiaqi, GUO Qiaozhu, et al. Deepcas: An End-to-End Predictor of Information Cascades[C]// ACM. Proceedings of the 26th International Conference on World Wide Web. New York: ACM, 2017: 577-586.
[3]	WEBER M, DOMENICONI G, CHEN Jie, et al. Anti-Money Laundering in Bitcoin: Experimenting with Graph Convolutional Networks for Financial Forensics[EB/OL]. (2019-07-31)[2024-04-10]. https://arxiv.org/pdf/1908.02591.
[4]	ZUGNER D, AKBARNEJAD A, GUNNEMANN S. Adversarial Attacks on Neural Networks for Graph Data[C]// ACM. Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. New York: ACM, 2018: 2847-2856.
[5]	SUN Lichao, DOU Yingtong, YANG C, et al. Adversarial Attack and Defense on Graph Data: A Survey[J]. IEEE Transactions on Knowledge and Data Engineering, 2022, 35(8): 7693-7711.
[6]	MAHMOOD K, MAHMOOD R, RATHBUN E, et al. Back in Black: A Comparative Evaluation of Recent State-of-the-Art Black-Box Attacks[J]. IEEE Access, 2021, 10: 998-1019.
[7]	ZUGNER D, GUNNEMANN S. Adversarial Attacks on Graph Neural Networks via Meta Learning[EB/OL]. (2024-01-28)[2024-04-10]. https://arxiv.org/pdf/1902.08412.
[8]	DAI Hanjun, LI Hui, TIAN T, et al. Adversarial Attack on Graph Structured Data[C]// IEEE. International Conference on Machine Learning. New York: IEEE, 2018: 1115-1124.
[9]	MA Yao, WANG Suhang, DERR T, et al. Attacking Graph Convolutional Networks via Rewiring[EB/OL]. (2019-09-28)[2024-04-10]. https://arxiv.org/pdf/1906.03750.
[10]	CHANG Heng, RONG Yu, XU Tingyang, et al. A Restricted Black-Box Adversarial Framework towards Attacking Graph Embedding Models[C]// AAAI. Proceedings of the AAAI Conference on Artificial Intelligence. Menlo Park: AAAI, 2020, 34(4): 3389-3396.
[11]	MA Jiaqi, DING Shuangrui, MEI Qiaozhu. Towards More Practical Adversarial Attacks on Graph Neural Networks[J]. Advances in Neural Information Processing Systems, 2020, 33: 4756-4766.
[12]	KIPF T N, WELLING M. Semi-Supervised Classification with Graph Convolutional Networks[EB/OL]. (2017-02-22)[2024-04-10]. https://arxiv.org/pdf/1609.02907.
[13]	GASTEIGER J, BOJCHEVSKI A, GUNNEMANN S. Predict then Propagate: Graph Neural Networks Meet Personalized Pagerank[EB/OL]. (2022-04-05)[2024-04-10]. https://arxiv.org/pdf/1810.05997.
[14]	LOVASZ L. Random Walks on Graphs[J]. Combinatorics, Paul Erdos is Eighty, 1993, 2(1): 4-11.
[15]	WANIEK M, MICHALAK T P, WOOLDRIDGE M J, et al. Hiding Individuals and Communities in a Social Network[J]. Nature Human Behaviour, 2018, 2(2): 139-147.
[16]	CHEN Jinyin, WU Yangyang. Fast Gradient Attack on Network Embedding[EB/OL]. (2018-09-15)[2024-04-10]. https://arxiv.org/pdf/1809.02797.
[17]	WU Huijun, WANG Chen, TYSHETSKIY Y, et al. Adversarial Examples on Graph Data: Deep Insights into Attack and Defense[EB/OL]. (2019-05-22)[2024-04-10]. https://arxiv.org/pdf/1903.01610.
[18]	ENTEZARI N, Al-SAYOURI S A, DARVISHZADEH A, et al. All You Need is Low (Rank) Defending against Adversarial Attacks on Graphs[C]// ACM. Proceedings of the 13th International Conference on Web Search and Data Mining. New York: ACM, 2020: 169-177.
[19]	ZHU Dingyuan, ZHANG Ziwei, CUI Peng, et al. Robust Graph Convolutional Networks against Adversarial Attacks[C]// ACM. Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. New York: ACM, 2019: 1399-1407.

数据集	Nodes	Edges	Features	Classes	Degrees
Citeseer	2110	3668	3703	6	1.74
Cora	2485	5069	1433	7	2.04
Cora-ML	2810	7981	2879	7	2.84

数据集	GCN	Jaccard	SVD	RGCN
CiteSeer	71.80%	72.33%	67.77%	70.82%
Cora	83.20%	82.25%	69.20%	82.92%
Cora-ML	85.14%	84.79%	77.54%	85.05%

数据集	攻击	GCN	Jaccard	SVD	RGCN
CiteSeer	Myattack	88%	84%	6%	96%
	Nettack	88%	85%	10%	95%
	DICE	42%	20%	48%	28%
Cora	Myattack	86%	58%	18%	94%
	Nettack	92%	78%	24%	90%
	DICE	26%	12%	40%	20%
Cora-ML	Myattack	84%	80%	10%	88%
	Nettack	90%	44%	16%	58%
	DICE	22%	18%	42%	16%

基于随机游走的图神经网络黑盒对抗攻击

A Random Walk Based Black-Box Adversarial Attack against Graph Neural Network

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 19

相关文章 12

编辑推荐

Metrics

本文评价

[1]	陈晓静, 陶杨, 吴柏祺, 刁云峰. 面向骨骼动作识别的优化梯度感知对抗攻击方法[J]. 信息网络安全, 2024, 24(9): 1386-1395.
[2]	王健, 陈琳, 王凯崙, 刘吉强. 基于时空图神经网络的应用层DDoS攻击检测方法[J]. 信息网络安全, 2024, 24(4): 509-519.
[3]	张光华, 刘亦纯, 王鹤, 胡勃宁. 基于JSMA对抗攻击的去除深度神经网络后门防御方案[J]. 信息网络安全, 2024, 24(4): 545-554.
[4]	张新有, 孙峰, 冯力, 邢焕来. 基于多视图表征的虚假新闻检测[J]. 信息网络安全, 2024, 24(3): 438-448.
[5]	余尚戎, 肖景博, 殷琪林, 卢伟. 关注社交异配性的社交机器人检测框架[J]. 信息网络安全, 2024, 24(2): 319-327.
[6]	秦中元, 马楠, 余亚聪, 陈立全. 基于双重图神经网络和自编码器的网络异常检测[J]. 信息网络安全, 2023, 23(9): 1-11.
[7]	仝鑫, 金波, 王靖亚, 杨莹. 一种面向Android恶意软件的多视角多任务学习检测方法[J]. 信息网络安全, 2022, 22(10): 1-7.
[8]	朱丽娜, 马铭芮, 朱东昭. 基于图神经网络和通用漏洞分析框架的C类语言漏洞检测方法[J]. 信息网络安全, 2022, 22(10): 59-68.
[9]	秦中元, 胡宁, 方兰婷. 基于免疫仿生机理和图神经网络的网络异常检测方法[J]. 信息网络安全, 2021, 21(8): 10-16.
[10]	仝鑫, 王罗娜, 王润正, 王靖亚. 面向中文文本分类的词级对抗样本生成方法[J]. 信息网络安全, 2020, 20(9): 12-16.
[11]	张润滋, 刘文懋, 尤扬, 解烽. AISecOps自动化能力分级与技术趋势研究[J]. 信息网络安全, 2020, 20(9): 22-26.
[12]	王文华, 郝新, 刘焱, 王洋. AI系统的安全测评和防御加固方案[J]. 信息网络安全, 2020, 20(9): 87-91.