Black-box Adversarial Attack and Defense on Graph Neural Networks

Li, Haoyang; Di, Shimin; Li, Zijian; Chen, Lei; Cao, Jiannong

doi:10.1109/icde53745.2022.00081

Cited by 19 publications

(9 citation statements)

References 65 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…First, heuristic attackers intuitively increase the co-occurrence of some selected items and the target item 𝑖 in 𝑫 𝑓 via some heuristic rules, enhancing the popularity of item 𝑖 [31]. However, such methods cannot directly optimize the attack objectives, leading to poor attack performance [19,30,32]. Besides, to maximize the attack objectives, gradient-based methods directly optimize the interactions of fake users [19,30,32] while neural attackers optimize neural networks to generate fake user interactions [26,34,35,51].…”

Section: Related Workmentioning

confidence: 99%

“…However, such methods cannot directly optimize the attack objectives, leading to poor attack performance [19,30,32]. Besides, to maximize the attack objectives, gradient-based methods directly optimize the interactions of fake users [19,30,32] while neural attackers optimize neural networks to generate fake user interactions [26,34,35,51]. Their optimization process typically utilizes the recommendations of the victim model or a surrogate model for gradient descent [44,63].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Uplift Modeling for Target User Attacks on Recommender Systems

Wang,

Feng

et al. 2024

Proceedings of the ACM Web Conference 2024

View full text Add to dashboard Cite

Recommender systems are vulnerable to injective attacks, which inject limited fake users into the platforms to manipulate the exposure of target items to all users. In this work, we identify that conventional injective attackers overlook the fact that each item has its unique potential audience, and meanwhile, the attack difficulty across different users varies. Blindly attacking all users will result in a waste of fake user budgets and inferior attack performance. To address these issues, we focus on an under-explored attack task called target user attacks, aiming at promoting target items to a particular user group. In addition, we formulate the varying attack difficulty as heterogeneous treatment effects through a causal lens and propose an Uplift-guided Budget Allocation (UBA) framework. UBA estimates the treatment effect on each target user and optimizes the allocation of fake user budgets to maximize the attack performance. Theoretical and empirical analysis demonstrates the rationality of treatment effect estimation methods of UBA. By instantiating UBA on multiple attackers, we conduct extensive experiments on three datasets under various settings with different target items, target users, fake user budgets, victim models, and defense models, validating the effectiveness and robustness of UBA. CCS CONCEPTS• Information systems → Recommender systems.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Uplift Modeling for Target User Attacks on Recommender Systems

Wang,

Feng

et al. 2024

Proceedings of the ACM Web Conference 2024

View full text Add to dashboard Cite

show abstract

“…Bandit [86] extended this gradient estimation by embedding both the spatial prior (neighboring pixels have similar gradients) and the temporal prior (the gradients between consecutive iterations are similar) to obtain more consistent gradients. N Attack [112] extended the NES attack by restricting the vectors sampled from the Gaussian distribution into the feasible space (i.e., the allowed search space of adversarial perturbation). The AdvFlow method [134] further extended N Attack by replacing the Gaussian distribution by a complex distribution which is captured by the normalizing flow model [175] pre-trained on benign data, such that the generated adversarial sample is more close to the benign sample.…”

Section: Score-based Attackmentioning

confidence: 99%

Adversarial Machine Learning: A Systematic Survey of Backdoor Attack, Weight Attack and Adversarial Example

Liu¹,

Zhu²,

Liu³

et al. 2023

Preprint

View full text Add to dashboard Cite

Adversarial machine learning (AML) studies the adversarial phenomenon of machine learning, which may make inconsistent or unexpected predictions with humans. Some paradigms have been recently developed to explore this adversarial phenomenon occurring at different stages of a machine learning system, such as training-time adversarial attack (i.e., backdoor attack), deployment-time adversarial attack (i.e., weight attack), and inference-time adversarial attack (i.e., adversarial example). However, although these paradigms share a common goal, their developments are almost independent, and there is still no big picture of AML. In this work, we aim to provide a unified perspective to the AML community to systematically review the overall progress of this field. We firstly provide a general definition about AML, and then propose a unified mathematical framework to covering existing attack paradigms. According to the proposed unified framework, we can not only clearly figure out the connections and differences among these paradigms, but also systematically categorize and review existing works in each paradigm.

show abstract

“…2) Preprocessing Filter: In the case where the attack budgets are constrained and fixed, to maximize the damage to the overall performance of the graph model, it is reasonable to focus on the nodes that can be correctly classified by the graph model [21]. Therefore, it is desirable to first find out items already classified correctly.…”

Section: ) Statistics-robustness Relationship Analysismentioning

confidence: 99%

Resisting Graph Adversarial Attack via Cooperative Homophilous Augmentation

Zhu

Zhou

et al. 2023

Machine Learning and Knowledge Discovery in Databases

View full text Add to dashboard Cite

As the study of graph neural networks becomes more intensive and comprehensive, their robustness and security have received great research interest. The existing global attack methods treat all nodes in the graph as their attack targets. Although existing methods have achieved excellent results, there is still considerable space for improvement. The key problem is that the current approaches rigidly follow the definition of global attacks. They ignore an important issue, i.e., different nodes have different robustness and are not equally resilient to attacks. From a global attacker's view, we should arrange the attack budget wisely, rather than wasting them on highly robust nodes. To this end, we propose a totally new method named partial graph attack (PGA), which selects the vulnerable nodes as attack targets. First, to select the vulnerable items, we propose a hierarchical target selection policy, which allows attackers to only focus on easy-to-attack nodes. Then, we propose a cost-effective anchor-picking policy to pick the most promising anchors for adding or removing edges, and a more aggressive iterative greedy-based attack method to perform more efficient attacks. Extensive experimental results demonstrate that PGA can achieve significant improvements in both attack effect and attack efficiency compared to other existing graph global attack methods.

show abstract

Black-box Adversarial Attack and Defense on Graph Neural Networks

Cited by 19 publications

References 65 publications

Uplift Modeling for Target User Attacks on Recommender Systems

Uplift Modeling for Target User Attacks on Recommender Systems

Adversarial Machine Learning: A Systematic Survey of Backdoor Attack, Weight Attack and Adversarial Example

Resisting Graph Adversarial Attack via Cooperative Homophilous Augmentation

Contact Info

Product

Resources

About