A Targeted Universal Attack on Graph Convolutional Network by Using Fake Nodes

摘要

Graph-structured data exist in numerous applications in real life. As a state-of-the-art graph neural network, the graph convolutional network (GCN) plays an important role in processing graph structured data. However, a recent study reported that GCNs are also vulnerable to adversarial attacks, which means that they may suffer malicious attacks delivering unnoticeable modifications of the data. Among all possible adversarial attacks on GCNs, there is a special method called the universal adversarial attack that generates a perturbation that can be applied to any sample and causes GCN models to output incorrect results. Although universal adversarial attacks in computer vision have been extensively researched, there are few works on universal adversarial attacks on graph structured data. In this paper, we propose a targeted universal attack (TUA) against GCNs. Our method employs a few nodes as the attack nodes. The attack capability of the attack nodes is enhanced through a small number of fake nodes connected to the attack nodes. During an attack, any victim node will be misclassified by the GCN as a member of the attack node class as long as it is linked to the attack nodes. Experiments on three popular datasets show that the average attack success rate of the proposed attack on any victim node in the graph reaches 83% when using only 3 attack nodes and 6 fake nodes. A comparison between the TUA and established baselines further proves its attack capability. We hope that our work will raise community awareness of the threat from TUA and increase the attention given to its future defense.