Surrogate Representation Learning with Isometric Mapping for Gray-box Graph Adversarial Attacks

Gray-box graph attacks aim at disrupting the performance of the victim model by using inconspicuous attacks with limited knowledge of the victim model. The parameters of the victim model and the labels of the test nodes are invisible to the attacker. To obtain the gradient on the node attributes or graph structure, the attacker constructs an imaginary surrogate model trained under supervision. However, there is a lack of discussion on the training of surrogate models and the robustness of provided gradient information. The general node classification model loses the topology of the nodes on the graph, which is, in fact, an exploitable prior for the attacker. This paper investigates the effect of representation learning of surrogate models on the transferability of gray-box graph adversarial attacks. To reserve the topology in the surrogate embedding, we propose Surrogate Representation Learning with Isometric Mapping (SRLIM). By using Isometric mapping method, our proposed SRLIM can constrain the topological structure of nodes from the input layer to the embedding space, that is, to maintain the similarity of nodes in the propagation process. Experiments prove the effectiveness of our approach through the improvement in the performance of the adversarial attacks generated by the gradient-based attacker in untargeted poisoning gray-box setups.

[1]  Binghui Wang,et al.  Attacking Graph-based Classification via Manipulating the Graph Structure , 2019, CCS.

[2]  Mukund Balasubramanian,et al.  The Isomap Algorithm and Topological Stability , 2002, Science.

[3]  Wenbing Huang,et al.  A Restricted Black-Box Adversarial Framework Towards Attacking Graph Embedding Models , 2019, AAAI.

[4]  Liming Zhu,et al.  Adversarial Examples on Graph Data: Deep Insights into Attack and Defense , 2019 .

[5]  Stephan Günnemann,et al.  Adversarial Attacks on Node Embeddings via Graph Poisoning , 2018, ICML.

[6]  Jure Leskovec,et al.  Inductive Representation Learning on Large Graphs , 2017, NIPS.

[7]  Stephan Günnemann,et al.  Adversarial Attacks on Neural Networks for Graph Data , 2018, KDD.

[8]  Xing Xie,et al.  Session-based Recommendation with Graph Neural Networks , 2018, AAAI.

[9]  Max Welling,et al.  Semi-Supervised Classification with Graph Convolutional Networks , 2016, ICLR.

[10]  Ting Zhong,et al.  Multiple-Aspect Attentional Graph Neural Networks for Online Social Network User Localization , 2020, IEEE Access.

[11]  Viresh Gupta,et al.  Adversarial Attack on Network Embeddings via Supervised Network Poisoning , 2021, PAKDD.

[12]  Talal Rahwan,et al.  Hiding individuals and communities in a social network , 2016, Nature Human Behaviour.

[13]  Suhang Wang,et al.  Adversarial Attacks on Graph Neural Networks via Node Injections: A Hierarchical Reinforcement Learning Approach , 2020, WWW.

[14]  Andrew McCallum,et al.  Automating the Construction of Internet Portals with Machine Learning , 2000, Information Retrieval.

[15]  Pan He,et al.  Adversarial Examples: Attacks and Defenses for Deep Learning , 2017, IEEE Transactions on Neural Networks and Learning Systems.

[16]  Bin Wang,et al.  Exploratory Adversarial Attacks on Graph Neural Networks , 2020, 2020 IEEE International Conference on Data Mining (ICDM).

[17]  Sijia Liu,et al.  Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective , 2019, IJCAI.

[18]  Suhang Wang,et al.  Attacking Graph Convolutional Networks via Rewiring , 2019, ArXiv.

[19]  Stephan Gunnemann,et al.  Adversarial Attacks on Graph Neural Networks via Meta Learning , 2019, ICLR.

[20]  Qiaozhu Mei,et al.  Towards More Practical Adversarial Attacks on Graph Neural Networks , 2020, NeurIPS.

[21]  Honglei Zhang,et al.  Adversarial Attack on Community Detection by Hiding Individuals , 2020, WWW.

[22]  Geoffrey E. Hinton,et al.  Visualizing Data using t-SNE , 2008 .

[23]  Zhiyuan Liu,et al.  Graph Neural Networks: A Review of Methods and Applications , 2018, AI Open.

[24]  Cho-Jui Hsieh,et al.  Attack Graph Convolutional Networks by Adding Fake Nodes , 2018, ArXiv.

[25]  Lise Getoor,et al.  Collective Classification in Network Data , 2008, AI Mag..

[26]  Leland McInnes,et al.  UMAP: Uniform Manifold Approximation and Projection , 2018, J. Open Source Softw..

[27]  Xavier Bresson,et al.  Convolutional Neural Networks on Graphs with Fast Localized Spectral Filtering , 2016, NIPS.

[28]  Baochun Li,et al.  Adversarial Attacks on Link Prediction Algorithms Based on Graph Neural Networks , 2020, AsiaCCS.

[29]  Le Song,et al.  Adversarial Attack on Graph Structured Data , 2018, ICML.

[30]  Xiaoyang Wang,et al.  Traffic Flow Prediction via Spatial Temporal Graph Neural Network , 2020, WWW.