基于特征拓扑融合的黑盒图对抗攻击

Black-box Graph Adversarial Attacks Based on Topology and Feature Fusion

在大数据时代,数据之间的紧密关联性是普遍存在的,图数据分析挖掘已经成为大数据技术的重要发展趋势。近几年,图神经网络作为一种新型的图表示学习工具引起了学术界和工业界的广泛关注。目前图神经网络已经在很多实际应用中取得了巨大的成功。最近人工智能的安全性和可信性成为了人们关注的重点,很多工作主要针对图像等规则数据的深度学习对抗攻击。文中主要聚焦于图数据这种典型非欧氏结构的黑盒对抗攻击问题,在图神经网络模型信息(结构、参数)未知的情况下,对图数据进行非随机微小扰动,从而实现对模型的对抗攻击,模型性能随之下降。基于节点选择的对抗攻击策略是一类重要的黑盒图对抗攻击方法,但现有方法在选择对抗攻击节点时主要依靠节点的拓扑结构信息(如度信息)而未充分考虑节点的特征信息,文中面向引文网络提出了一种基于特征拓扑融合的黑盒图对抗攻击方法。所提方法在选择重要性节点的过程中将图节点特征信息和拓扑结构信息进行融合,使得选出的节点在特征和拓扑两方面对于图数据都是重要的,攻击者对挑选出的重要节点施加不易察觉的扰动后对图数据产生了较大影响,进而实现对图神经网络模型的攻击。在3个基准数据集上进行实验,结果表明,所提出的攻击策略在模型参数未知的情况下能显著降低模型性能,且攻击效果优于现有的方法。

In the era of big data,the close relationship between data is widespread,graph data analysis and mining have become an important development trend of big data technology.In recent years,as a novel type of graph representation learning tool,graph neural networks(GNNs)have extensively attracted academic and industry attention.At present,GNNs have achieved great success in various real-world applications.Lately,many researchers believe that the security and confidence level of artificial intelligence is a vital point,a lot of work focuses on deep learning adversarial attacks on Euclidean structure data such as images now.This paper mainly focuses on the black-box adversarial attack problem of graph data,which is a typical non-European structure.When the graph neural network model information(structure and parameters)is unknown,the imperceptible non-random perturbation of graph data is carried out to realize the adversarial attack on the model,and the performance of the model decreases.Applying an imperceptible no-random perturbation to the graph structure or node attributes can easily fool GNNs.The method based on node-selected black-box adversarial attack is vital,but similar methods are only taking account of the topology information of nodes instead of fully considering the information of node features,so in this paper,we propose a black-box adversarial attack for graph neural network via topology and feature fusion on citation network.In the process of selecting important nodes,this method fuses the features information and topology information of graph nodes,so that the selected nodes are significant to the graph data in both features and topology.Attackers apply small perturbations on node attributes that nodes are selected by our method and this attack has a great impact on the model.Moreover,experiments on three classic datasets show that the proposed attack strategy can remarkably reduce the performance of the model without access to model parameters and is better than the baseline methods.