Adversarial Attacks on Graph Neural Networks
ACM Transactions on Knowledge Discovery from Data (IF 3.6), Pub Date: 2020-06-22, DOI: 10.1145/3394520
Daniel Zügner, Oliver Borchert, Amir Akbarnejad, Stephan Günnemann

Deep learning models for graphs have achieved strong performance for the task of node classification. Despite their proliferation, little is known about their robustness to adversarial attacks. Yet, in domains where they are likely to be used, e.g., the web, adversaries are common. Can deep learning models for graphs be easily fooled? In this work, we present a study of adversarial attacks on attributed graphs, specifically focusing on models exploiting ideas of graph convolutions. In addition to attacks at test time, we tackle the more challenging class of poisoning/causative attacks, which focus on the training phase of a machine learning model. We generate adversarial perturbations targeting the node’s features and the graph structure, thus taking the dependencies between instances into account. Moreover, we ensure that the perturbations remain unnoticeable by preserving important data characteristics. To cope with the underlying discrete domain, we propose an efficient algorithm, Nettack, exploiting incremental computations. Our experimental study shows that the accuracy of node classification significantly drops even when performing only a few perturbations. Even more, our attacks are transferable: the learned attacks generalize to other state-of-the-art node classification models and unsupervised approaches, and likewise are successful even when only limited knowledge about the graph is given. For the first time, we successfully identify important patterns of adversarial attacks on graph neural networks (GNNs) — a first step towards being able to detect adversarial attacks on GNNs.

Updated: 2020-06-22