TY - JOUR
T1 - Fake Node Attacks on Graph Convolutional Networks
AU - Wang, Xiaoyun
AU - Cheng, Minhao
AU - Eaton, Joe
AU - Hsieh, Cho Jui
AU - Wu, S. Felix
N1 - Publisher Copyright:
© The Author(s) 2022. Published by BON VIEW PUBLISHING PTE. LTD.
PY - 2022/11/18
Y1 - 2022/11/18
N2 - In this paper, we study the robustness of graph convolutional networks (GCNs). Previous works have shown that GCNs are vulnerable to adversarial perturbation on adjacency or feature matrices of existing nodes; however, such attacks are usually unrealistic in real applications. For instance, in social network applications, the attacker will need to hack into either the client or server to change existing links or features. In this paper, we propose a new type of “fake node attacks” to attack GCNs by adding malicious fake nodes. This is much more realistic than previous attacks; in social network applications, the attacker only needs to register a set of fake accounts and link to existing ones. To conduct fake node attacks, a greedy algorithm is proposed to generate edges of malicious nodes and their corresponding features aiming to minimize the classification accuracy on the target nodes. In addition, we introduce a discriminator to classify malicious nodes from real nodes and propose a Greedy-generative adversarial network attack to simultaneously update the discriminator and the attacker, to make malicious nodes indistinguishable from the real ones. Our non-targeted attack decreases the accuracy of GCN down to 0.03, and our targeted attack reaches a success rate of 78% on a group of 100 nodes and 90% on average for attacking a single target node.
AB - In this paper, we study the robustness of graph convolutional networks (GCNs). Previous works have shown that GCNs are vulnerable to adversarial perturbation on adjacency or feature matrices of existing nodes; however, such attacks are usually unrealistic in real applications. For instance, in social network applications, the attacker will need to hack into either the client or server to change existing links or features. In this paper, we propose a new type of “fake node attacks” to attack GCNs by adding malicious fake nodes. This is much more realistic than previous attacks; in social network applications, the attacker only needs to register a set of fake accounts and link to existing ones. To conduct fake node attacks, a greedy algorithm is proposed to generate edges of malicious nodes and their corresponding features aiming to minimize the classification accuracy on the target nodes. In addition, we introduce a discriminator to classify malicious nodes from real nodes and propose a Greedy-generative adversarial network attack to simultaneously update the discriminator and the attacker, to make malicious nodes indistinguishable from the real ones. Our non-targeted attack decreases the accuracy of GCN down to 0.03, and our targeted attack reaches a success rate of 78% on a group of 100 nodes and 90% on average for attacking a single target node.
UR - http://www.scopus.com/inward/record.url?scp=85147369952&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85147369952&partnerID=8YFLogxK
U2 - 10.47852/bonviewJCCE2202321
DO - 10.47852/bonviewJCCE2202321
M3 - Article
AN - SCOPUS:85147369952
SN - 2810-9570
VL - 1
SP - 165
EP - 173
JO - Journal of Computational and Cognitive Engineering
JF - Journal of Computational and Cognitive Engineering
IS - 4
ER -