A Node Injection Attack Method and System Based on Maximizing Malicious Impact
By calculating node susceptibility and selecting influential nodes using a backpropagation sampling algorithm, and combining the contrastive loss function and backpropagation rules to update edges and features, an adversarial graph that maximizes malicious influence is generated. This solves the limitations and information dependence problems of existing node injection attack methods, and achieves global attack and low-cost attack effects.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING JIAOTONG UNIV
- Filing Date
- 2023-10-20
- Publication Date
- 2026-06-30
AI Technical Summary
Existing node injection attack methods are mainly limited to injecting a small number of nodes for local attacks, ignoring global attacks, and require access to the information of the attacked model or the label of the target node, making them difficult to implement effectively in real-world scenarios.
By calculating node susceptibility, filtering low-weight edges to generate a susceptibility subgraph, using the backpropagation sampling algorithm to select influential nodes, randomly connecting injected nodes with neighboring nodes, and using the contrastive loss function and backpropagation rules to update the edges and features of injected nodes, an adversarial graph that maximizes malicious influence is generated.
A global attack is achieved without modifying the original graph structure and features, reducing the accuracy of node classification, meeting the requirements of black-box environments, and exhibiting good interpretability and transferability at a low cost.
Smart Images

Figure CN117634583B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of artificial intelligence information security technology, specifically to a node injection attack method and system based on maximizing malicious impact. Background Technology
[0002] Graph Neural Networks (GNNs), as deep learning models operating on graph-structured data, have achieved remarkable success in various tasks such as node classification, graph classification, and recommender systems. Despite their widespread success, GNNs have proven vulnerable to adversarial attacks, where attackers can manipulate the graph data with small perturbations to trick the model into producing misleading outputs. This phenomenon has spurred the rise of research into graph adversarial attacks.
[0003] Initially, graph adversarial attacks were designed to influence the performance of GNNs by making minor modifications to the graph. However, in real-world scenarios, modifying the original graph requires high-level privileges, making it difficult to implement. Therefore, as research progressed, more attention shifted to a more practical setup: injecting malicious nodes into the original graph to launch the attack. This type of attack is called node injection attack (NIA).
[0004] Implementing effective NIA attacks presents numerous challenges. While some NIA methods have been proposed, problems remain to be solved. First, existing methods are primarily limited to injecting a small number of nodes to attack a small number of target nodes or multiple nodes for a global attack, neglecting to inject as few malicious nodes as possible to execute an effective global attack. This research direction can better simulate real-world threat scenarios while reducing the complexity of the attack, making it less detectable. Second, attack scenarios often lack necessary constraints; most methods still require access to information about the attacked model or the labels of the target nodes during the attack. Summary of the Invention
[0005] The purpose of this invention is to provide a node injection attack method and system based on maximizing malicious impact, so as to solve at least one of the technical problems existing in the above-mentioned background art.
[0006] To achieve the above objectives, the present invention adopts the following technical solution:
[0007] On one hand, this invention provides a node injection attack method based on maximizing malicious impact, comprising:
[0008] The original graph is preprocessed to calculate node susceptibility, and a weight matrix is defined on the original graph. Then, low-weight edges are filtered to obtain a susceptibility subgraph.
[0009] Perform the back-influence sampling algorithm on the susceptibility subgraph to select influential nodes and add them to the set of neighbor nodes of the injected node;
[0010] Randomly connect the injected node to its neighboring node to obtain the initial adversarial graph. An extended original graph G is generated by adding isolated injection nodes to the original graph. (0) ;
[0011] Initial adversarial graph With the extension of the original graph G (0) In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. Where t is the current iteration number; the updated adversarial graph replace Repeat the update until the perturbation threshold Δ is reached to obtain the final adversarial graph G′;
[0012] The final adversarial graph G′ is taken as input and downstream tasks are executed.
[0013] Furthermore, the original graph is preprocessed to calculate node susceptibility, define a weight matrix on the original graph, and then filter out low-weight edges to obtain a susceptibility subgraph. This includes: given the original graph G = (A, X), where A represents the adjacency matrix and X represents the feature matrix; defining the transition probability matrix M. ij :
[0014]
[0015] Where i and j are node indices, deg(i) represents the degree of node i, and M... ij This represents the probability of moving from node i to node j during a random walk;
[0016] Based on the L-step transition matrix M L Define a weight matrix on the graph, where a larger weight means that the relevant node is more susceptible to malicious influence from the injected node. By filtering out edges with lower weights, a susceptible subgraph is obtained.
[0017] Furthermore, a reverse influence sampling algorithm is executed on the susceptibility subgraph to select influential nodes and add them to the neighbor node set of the injected node. This includes: generating a series of reverse reachable sets on the susceptibility subgraph, where the reverse reachable set of node v is the set of nodes in subgraph g that can reach v; treating the reverse reachable set of node v as its first-order and second-order neighbor sets; based on the generation process of the reverse reachable set of node v, it can be seen that all nodes in the set will affect v after information aggregation; and using a greedy algorithm, the k nodes that can cover the most reverse reachable sets, i.e., the k neighbor nodes, are found.
[0018] Furthermore, the injected node is randomly connected to its neighboring nodes to obtain the initial adversarial graph. Add the same number of isolated injection nodes to the original graph as an extension of the original graph G. (0) The features of the injected nodes are initialized with the features of random original nodes.
[0019] Furthermore, referencing the framework of contrastive learning, we compare the extended original graph and the adversarial graph, and use contrastive loss to replace the traditional classification loss for unsupervised gradient attack. With only the adjacency matrix and feature matrix information of the original graph, we maximize the node representation distance between the original graph and the adversarial graph. We replace the two views G1 and G2 with the extended original graph and the adversarial graph, and then calculate the contrastive loss value.
[0020] Furthermore, with the goal of maximizing the contrastive loss, the gradient information is used to find the corresponding edges and features for updating according to the backpropagation rule, which is divided into gradient extraction and adversarial graph update.
[0021] In gradient extraction, since the injection attack can be viewed as injecting into the original graph G... in For g i The adjacency matrix has n nodes. i One injection node and k neighbor nodes, Let g be the feature matrix, and d be the feature dimension of the node. Therefore, according to the backpropagation rule, we can obtain g. i The gradients of the adjacency matrix and the characteristic matrix;
[0022] In adversarial graph update, g is updated using the obtained gradient information. i The structure and features of the graph maximize the loss, that is, increase the distance between the adversarial graph and the original graph, and maximize the influence of the malicious information injected into the nodes.
[0023] The updated Inject into adversarial graphs In the process, the updated adversarial map is obtained.
[0024] Secondly, the present invention provides a node injection attack system based on maximizing malicious impact, comprising:
[0025] The preprocessing module is used to preprocess the original graph, calculate the node susceptibility, define the weight matrix on the original graph, and then filter out low-weight edges to obtain a susceptibility subgraph.
[0026] The injection module is used to perform the back influence sampling algorithm on the susceptibility subgraph, select influential nodes, and add them to the set of neighbor nodes of the injected node.
[0027] The generation module is used to randomly connect the injected node with its neighboring nodes to obtain the initial adversarial graph. An extended original graph G is generated by adding isolated injection nodes to the original graph. (0) ;
[0028] The update module is used to update the initial adversarial graph. With the extension of the original graph G (0) In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. Where t is the current iteration number; the updated adversarial graph replace Repeat the update until the perturbation threshold Δ is reached to obtain the final adversarial graph G′;
[0029] The execution module is used to take the final adversarial graph G′ as input and perform downstream tasks.
[0030] Thirdly, the present invention provides a non-transitory computer-readable storage medium for storing computer instructions, which, when executed by a processor, implement the node injection attack method based on maximizing malicious influence as described above.
[0031] Fourthly, the present invention provides an electronic device, comprising: a processor, a memory, and a computer program; wherein the processor is connected to the memory, the computer program is stored in the memory, and when the electronic device is running, the processor executes the computer program stored in the memory to cause the electronic device to execute instructions for implementing the node injection attack method based on maximizing malicious influence as described above.
[0032] The beneficial effects of this invention are as follows: It attacks GNN models using a node injection method, which does not require modification of the original graph's structure and features, making it more consistent with real-world scenarios; it proposes utilizing node susceptibility information to sample a susceptibility subgraph from the original graph, and further uses a back-influence sampling algorithm to select neighboring nodes that maximize the malicious influence of the injected nodes; the unsupervised gradient attack used satisfies a black-box environment, meaning it does not require access to the victim model information or node label information; based on maximizing malicious influence, neighboring nodes are selected, and the edges and features of the injected nodes are updated and optimized; it significantly reduces the accuracy of node classification at extremely low cost, achieving excellent attack results.
[0033] The advantages of additional aspects of the invention will be set forth more clearly in the following description or will be learned by practice of the invention. Attached Figure Description
[0034] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0035] Figure 1 This is a schematic diagram of the node injection attack framework based on maximizing malicious impact as described in an embodiment of the present invention. Detailed Implementation
[0036] Embodiments of the present invention are described in detail below, examples of which are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain the present invention, and should not be construed as limiting the present invention.
[0037] It will be understood by those skilled in the art that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.
[0038] It should also be understood that terms such as those defined in general dictionaries should be understood to have meanings consistent with their meanings in the context of the prior art, and should not be interpreted in an idealized or overly formal sense unless defined as here.
[0039] Those skilled in the art will understand that, unless specifically stated otherwise, the singular forms “a,” “an,” “the,” and “the” used herein may also include the plural forms. It should be further understood that the term “comprising” as used in this specification means the presence of the stated features, integers, steps, operations, elements, and / or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, and / or groups thereof.
[0040] In the description of this specification, references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of those different embodiments or examples.
[0041] To facilitate understanding of the present invention, the present invention will be further explained and described below with reference to the accompanying drawings and specific embodiments. However, the specific embodiments do not constitute a limitation on the embodiments of the present invention.
[0042] Those skilled in the art should understand that the accompanying drawings are merely schematic diagrams of embodiments, and the components in the drawings are not necessarily essential for implementing the present invention.
[0043] Example 1
[0044] In this embodiment 1, a node injection attack system based on maximizing malicious influence is first provided, including: a preprocessing module, used to preprocess the original graph, calculate node susceptibility, define a weight matrix on the original graph, and then filter low-weight edges to obtain a susceptibility subgraph; an injection module, used to execute a back-influence sampling algorithm on the susceptibility subgraph, select influential nodes, and add them to the neighbor node set of the injected node; and a generation module, used to randomly connect the injected node with its neighbor nodes to obtain an initial adversarial graph. An extended original graph G is generated by adding isolated injection nodes to the original graph. (0) The update module is used to update the initial adversarial graph. With the extension of the original graph G (0) In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. Where t is the current iteration number; the updated adversarial graph replace Repeat the update until the perturbation threshold Δ is reached to obtain the final adversarial graph G′; the execution module is used to take the final adversarial graph G′ as input and execute downstream tasks.
[0045] In this embodiment 1, the above-described system is used to implement a node injection attack method based on maximizing malicious influence. The method includes: preprocessing the original graph, calculating node susceptibility, defining a weight matrix on the original graph, and then filtering low-weight edges to obtain a susceptibility subgraph; performing a back-influence sampling algorithm on the susceptibility subgraph, selecting influential nodes, and adding them to the neighbor node set of the injected node; and randomly connecting the injected node with its neighbor nodes to obtain an initial adversarial graph. An extended original graph G is generated by adding isolated injection nodes to the original graph. (0) ; Initial adversarial graph With the extension of the original graph G (0) In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. Where t is the current iteration number; the updated adversarial graph replace Repeat the update until the perturbation threshold Δ is reached to obtain the final adversarial graph G′; use the final adversarial graph G′ as input to perform downstream tasks.
[0046] The original graph is preprocessed to calculate node susceptibility. A weight matrix is defined on the original graph, and then low-weight edges are filtered to obtain a susceptibility subgraph. This includes: given the original graph G = (A, X), where A represents the adjacency matrix and X represents the feature matrix; defining the transition probability matrix M. ij :
[0047]
[0048] Where i and j are node indices, deg(i) represents the degree of node i, and M... ij This represents the probability of moving from node i to node j during a random walk;
[0049] Based on the L-step transition matrix M L Define a weight matrix on the graph, where a larger weight means that the relevant node is more susceptible to malicious influence from the injected node. By filtering out edges with lower weights, a susceptible subgraph is obtained.
[0050] The reverse influence sampling algorithm is performed on the susceptibility subgraph to select influential nodes and add them to the neighbor set of the injected node. This includes: generating a series of reverse reachable sets on the susceptibility subgraph, where the reverse reachable set of node v is the set of nodes in subgraph g that can reach v; treating the reverse reachable set of node v as its first-order and second-order neighbor sets; based on the generation process of the reverse reachable set of node v, it can be seen that all nodes in the set will affect v after information aggregation; and using a greedy algorithm, the k nodes that can cover the most reverse reachable sets, i.e., the k neighbor nodes, are found.
[0051] The initial adversarial graph is obtained by randomly connecting the injected node with its neighboring nodes. Add the same number of isolated injection nodes to the original graph as an extension of the original graph G. (0) The features of the injected nodes are initialized with the features of random original nodes.
[0052] Referring to the framework of contrastive learning, we compare the extended original graph and the adversarial graph, and use contrastive loss to replace the traditional classification loss for unsupervised gradient attack. With only the adjacency matrix and feature matrix information of the original graph, we maximize the node representation distance between the original graph and the adversarial graph. We replace the two views G1 and G2 with the extended original graph and the adversarial graph, and then calculate the contrastive loss value.
[0053] With the goal of maximizing the contrastive loss, the corresponding edges and features are found and updated according to the backpropagation rule using gradient information. This process is divided into gradient extraction and adversarial graph update.
[0054] In gradient extraction, since the injection attack can be viewed as injecting into the original graph G... in For g i The adjacency matrix has n nodes. i One injection node and k neighbor nodes, Let g be the feature matrix, and d be the feature dimension of the node. Therefore, according to the backpropagation rule, we can obtain g. i The gradients of the adjacency matrix and the characteristic matrix;
[0055] In adversarial graph update, g is updated using the obtained gradient information. i The structure and features of the graph maximize the loss, that is, increase the distance between the adversarial graph and the original graph, and maximize the influence of the malicious information injected into the nodes.
[0056] The updated Inject into adversarial graphs In the process, the updated adversarial map is obtained.
[0057] Example 2
[0058] This embodiment 2 proposes a node injection attack method based on maximizing malicious influence. First, neighboring nodes of the injected node are selected based on node susceptibility analysis and influence maximization. Second, the neighboring nodes and the injected node are randomly connected to obtain an initial adversarial graph. Then, the edges and features of the injected node are updated in a fine-grained manner by maximizing the contrastive loss. Finally, the node classification accuracy is significantly reduced when only a small number of nodes are injected. The node injection attack method based on maximizing malicious influence includes the following steps:
[0059] S1. Preprocess the original graph, calculate the node susceptibility, define the weight matrix on the original graph, and then filter out the low-weight edges to obtain the susceptibility subgraph.
[0060] S2. Perform the reverse influence sampling algorithm on the susceptibility subgraph, select influential nodes, and add them to the set of neighboring nodes of the injected node;
[0061] S3. Randomly connect the injected node to its neighboring nodes to obtain the initial adversarial graph. An extended original graph G is generated by adding isolated injection nodes to the original graph. (0) ;
[0062] S4, Initial adversarial graph With the extension of the original graph G (0)In contrast, using the contrastive loss function Calculate the loss value;
[0063] S5. Based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function to generate the updated adversarial graph. Where t is the current iteration number;
[0064] S6, Update the battle map replace Repeat steps S4 and S5 until the perturbation threshold Δ is reached to obtain the final adversarial graph G′.
[0065] S7. The victim model takes the final adversarial graph G′ as input and executes downstream tasks, thus completing the node injection attack.
[0066] The specific steps of step S1 are as follows: Given the original graph G = (A, X), where A represents the adjacency matrix and X represents the feature matrix. Define the transition probability matrix as shown in equation (1).
[0067]
[0068] Where i and j are node indices, deg(i) represents the degree of node i, and M... ij This represents the probability of moving from node i to node j in a random walk. This invention is based on the L-step transition matrix M. L A weight matrix is defined on the graph, where a larger weight indicates a greater likelihood of malicious influence from injected nodes on the relevant node. Therefore, a susceptible subgraph is obtained by filtering out edges with lower weights.
[0069] Step S2 involves generating a series of reverse reachable sets on the susceptibility subgraph, where the reverse reachable set of node v is the set of nodes in subgraph g that can reach v. Since a typical GNN is a two-layer neural network, this invention considers the reverse reachable set of node v as its first-order and second-order neighbor sets. Based on the generation process of the reverse reachable set of node v, it can be known that all nodes in the set will affect v after information aggregation. Therefore, the presence of the same node in multiple reverse reachable sets means that the node has a wide range of influence. This is considered a set covering problem, and a greedy algorithm is used to find the k nodes that can cover the maximum number of reverse reachable sets, i.e., the k neighbor nodes.
[0070] After step S2, nodes with similar influence can be selected as neighbor nodes based on their susceptibility to enhance the impact of malicious information.
[0071] The specific steps of step S3 are as follows: randomly connect the injected node with its neighboring nodes to obtain the initial adversarial graph. Add the same number of isolated injection nodes to the original graph as an extension of the original graph G. (0) The features of the injected nodes are initialized with the features of random original nodes.
[0072] Step S4 involves the following steps: Referring to the contrastive learning framework, an expanded original graph and an adversarial graph are compared. Then, contrastive loss is used to replace the traditional classification loss for unsupervised gradient attack. By maximizing the node representation distance between the original graph and the adversarial graph, and only acquiring the adjacency matrix and feature matrix information of the original graph, the attack performance is improved.
[0073] In graph contrastive learning, the loss function is typically defined as:
[0074]
[0075]
[0076] Here, G1 and G2 represent two views obtained from the original graph G through different enhancement methods. They are encoded using a shared encoder f(A, X), resulting in node embedding matrices for the two views, which can be represented as U = f(A1, X1) and V = f(A2, X2). The corresponding node pairs (u...) in the two views... i v i ) are considered positive sample pairs, where u i =U[i,:],v i =V[i,:], where all other node pairs are negative sample pairs. σ(u i v i ) is a vector u i and v i The cosine similarity, where τ is the temperature parameter. Neg(u i )={u j |j≠i}∪{v j |j≠i} is related to vector u i The set of vectors that form negative sample pairs.
[0077] Replace the two views, G1 and G2, with the expanded original graph and the adversarial graph, and then calculate the contrastive loss value.
[0078] The specific steps of step S5 are as follows: with the goal of maximizing the contrastive loss, the corresponding edges and features are found and updated according to the backpropagation rule using gradient information. This is divided into two steps: gradient extraction and adversarial graph update.
[0079] In the gradient extraction step, since the injection attack is considered as injecting into the original graph G... in For g i The adjacency matrix has n nodes.i One injection node and k neighbor nodes, Let g be the feature matrix, and d be the feature dimension of the node. Therefore, according to the backpropagation rule, we can obtain g. i The gradients of the adjacency matrix and the characteristic matrix:
[0080]
[0081]
[0082] Where t is the current iteration number.
[0083] In the adversarial graph update step, g is updated using the obtained gradient information. i The structure and features of g maximize the loss, i.e., increase the distance between the adversarial graph and the original graph, and maximize the influence of the injected malicious information. Specifically, for g i Given the structure, first find the edge with the maximum gradient value, determine its gradient direction, and update accordingly. Since a positive gradient value helps increase the objective function loss, if the edge does not exist and the gradient is positive, then add the edge; otherwise, add it. For g... i The characteristics, optimization methods, and structure are similar. This process can be described as:
[0084]
[0085]
[0086]
[0087]
[0088] Where i and j are g i The nodes in the array are at least one of the injected nodes. p is one of the injected nodes, and q is one of the dimensions in the node's features. sign(·) is used to determine whether the effect of the gradient is positive or negative. α is the feature modification rate, and α = 1 indicates that the node's features are of binary type. F(x) = ReLU(x) - ReLU(x-1), which guarantees that the final result is in the range [0, 1].
[0089] Then, the updated Inject into adversarial graphs In the process, the updated adversarial map is obtained. This process can be represented as:
[0090]
[0091] The specific steps of step S6 are as follows: In the next iteration, use the updated adversarial graph. Return to step S4 and replace the original adversarial graph. Retrain the contrast model, then proceed to step S5 to calculate the gradient and update g. i Repeat steps S4 and S5 until the perturbation threshold Δ is reached, resulting in the final adversarial graph G′.
[0092] To improve attack performance, this embodiment selects the edge and feature value with the largest gradient value each time, so that information-rich edges and feature values are found in each iteration. Furthermore, the number of model retraining iterations can be reduced by perturbing multiple edges and feature values based on gradient sorting in each iteration, thereby saving time.
[0093] In summary, to achieve more effective attacks at minimal cost, this embodiment proposes a node injection attack method based on maximizing malicious influence by integrating node vulnerability and influence information during graph adversarial attacks and utilizing loss function gradient information. This method offers the following advantages:
[0094] (1) Strong practical feasibility: The method of injecting nodes is used to attack the GNN model, which does not require modification of the structure and features of the original graph, making it more in line with real-world scenarios.
[0095] (2) High interpretability: The proposed method utilizes node susceptibility information to sample a susceptibility subgraph on the original graph, and further uses a reverse influence sampling algorithm to select neighboring nodes that can maximize the malicious influence of the injected node. This scheme has good interpretability.
[0096] (3) Strong transferability: The unsupervised gradient attack used satisfies the black-box environment, meaning it does not require access to the victim model information or the node label information. Therefore, the generated adversarial graph can deceive various GNN models and has strong transferability.
[0097] (4) Excellent attack performance: Based on maximizing malicious impact, neighboring nodes are selected, and the edges and features of the injected nodes are updated and optimized. Experiments have shown that this significantly reduces the accuracy of node classification at extremely low cost, achieving excellent attack results.
[0098] Example 3
[0099] This invention proposes a node injection attack method based on maximizing malicious impact (hereinafter referred to as the method), such as... Figure 1 As shown, the method first samples a susceptible subgraph from the original graph and obtains a set of neighbor nodes through a back-influence sampling algorithm. Second, it uses contrastive loss to maximize the difference between the original graph and the adversarial graph, and further expands the influence of malicious information through iterative updates. Finally, it inputs the updated adversarial graph into the victim model to affect the performance of downstream tasks and complete the node injection attack.
[0100] The specific technical solution is as follows:
[0101] (1) Neighbor node selection
[0102] like Figure 1 As shown, given an original graph G = (A, X), where A represents the adjacency matrix and X represents the feature matrix, this invention is inspired by the problem of maximizing influence in information propagation. It uses a reverse influence sampling algorithm and integrates node susceptibility information for neighbor selection, thereby enabling the neighbor nodes obtained to propagate the malicious influence of a small number of injected nodes to the maximum extent.
[0103] First, vulnerability is measured based on the distance between node embeddings before and after the attack, and a transition probability matrix is defined based on vulnerability analysis:
[0104]
[0105] Where i and j are node indices, deg(i) represents the degree of node i, and M... ij This represents the probability of moving from node i to j in a random walk. A higher probability means the node is more influenced by its neighbors. Therefore, this invention uses the L-step transition matrix M... L A weight matrix is defined on the graph, and a susceptible subgraph g is obtained by filtering out edges with lower weights. i .
[0106] Secondly, a series of reverse reachable sets are generated on the susceptibility subgraph. Traditional reverse influence sampling algorithms operate on directed graphs; taking node v as an example, its reverse reachable set refers to the set of nodes in the graph that can reach node v. This invention treats the undirected edges in the susceptibility subgraph as two directed edges and adds a self-loop to each node. Furthermore, since a typical GNN is a two-layer neural network, this invention considers the reverse reachable set of node v as its first-order and second-order neighbor sets.
[0107] Finally, based on the generation process of the reverse reachable set of node v, it can be seen that nodes in the set will have varying degrees of influence on v. Therefore, a node appearing in multiple reverse reachable sets indicates that the node can influence multiple nodes. This invention needs to find a certain number of neighboring nodes on the susceptibility subgraph to maximize the propagation of malicious information injected into the node. Therefore, this problem can be viewed as a set covering problem, selecting the set with the maximum covering capacity as the neighboring nodes. This invention employs a greedy algorithm, such as... Figure 1 As shown, the node that covers the largest set in all reverse reachable sets is found and added to the neighbor node set. Then, the reverse reachable set containing this node is deleted. This process is repeated until the neighbor node set reaches the target number. The resulting neighbor nodes are both easily influenced by injected nodes and have a strong influence.
[0108] (2) Optimization of contrastive loss
[0109] After determining the neighboring nodes, the injected node is first randomly connected to its neighbors and assigned the characteristics of the random original nodes, thereby generating a coarse-grained adversarial graph. The next step is to fine-grained update of the features and edges of the injected nodes within a threshold range to obtain an updated adversarial graph G′, thereby achieving better attack performance. In this step, to further maximize malicious impact, this invention references a contrastive learning framework to expand the original graph G. (0) In contrast to the adversarial graph G′, we use contrastive loss instead of classification loss for unsupervised gradient attacks. Therefore, the adversarial attack problem of graph G can be expressed as:
[0110]
[0111]
[0112] |A (0) -A′|≤Δ A ,|X (0) -X′|≤Δ X
[0113] Where f is the shared encoder, G (0) It is an extension of the original graph that introduces isolated injected nodes. To compare the losses, a higher loss indicates better attack performance. θ * This represents the optimal training parameters for the encoder when trained on the adversarial graph. Δ A and Δ X These are the maximum modification thresholds for edge and node features, respectively.
[0114] Specifically, this invention utilizes gradient information to find corresponding features and edges, and updates the graph with the goal of maximizing the loss. Therefore, the contrastive loss optimization consists of two steps: gradient extraction and adversarial graph update.
[0115] In the gradient extraction step, the injection attack can be viewed as injecting into the original graph G through neighbor selection. in For g i The adjacency matrix includes only the injected node and its neighbor nodes. Let g be the characteristic matrix. According to the backpropagation rule, g can be obtained. i The gradients of the adjacency matrix and the characteristic matrix:
[0116]
[0117]
[0118] Where t is the current iteration number, and the comparison loss is... Defined as:
[0119]
[0120]
[0121] like Figure 1 As shown, G1 and G2 obtain the node embedding matrices of the two views through the shared encoder f(A, X), which can be represented as U = f(A1, X1) and V = f(A2, X2). The corresponding node pairs (u...) in the two views... i v i ) are considered positive sample pairs, where u i =U[i,:],v i =V[i,:], where all other node pairs are negative sample pairs. σ(u i v i ) is a vector u i and v i The cosine similarity, where τ is the temperature parameter. Neg(u i )={u j |j≠i}∪{v j |j≠i} is related to vector u i The set of vectors that form negative sample pairs.
[0122] In the adversarial graph update step, g is updated using the obtained gradient information. i This increases the loss, that is, maximizes the impact of malicious information injected into the node. For g i For structural updates, first find the element with the maximum gradient value, determine its gradient direction, and then update it. For example, a positive gradient value helps increase the objective function loss value, so add this edge; conversely, add a negative gradient value. For g... i Its characteristics, update method, and structure are similar. The specific process is as follows:
[0123]
[0124]
[0125]
[0126]
[0127] Where i and j are g iThe nodes in the array are at least one of the injected nodes. p is one of the injected nodes, and q is one of the dimensions in the node's features. sign(·) is used to determine whether the effect of the gradient is positive or negative. α is the feature modification rate, and α = 1 indicates that the node's features are of binary type. F(x) = ReLU(x) - ReLU(x-1), which guarantees that the final result is in the range [0, 1].
[0128] Then, after one iteration Inject into adversarial graphs In the process, the updated adversarial map is obtained. This process can be represented as:
[0129]
[0130] get Then proceed to the next iteration, which involves retraining the encoder and using... replace Calculate the contrastive loss and then perform gradient extraction and update g again. i Since each update selects the edge and feature value with the largest gradient, it means that the edges and feature values containing more information are being changed, thus helping to improve attack performance. In addition, this embodiment can also save attack time by reducing the number of model retraining iterations by updating multiple edges and feature values according to gradient sorting in each iteration.
[0131] To ensure the stealth of the attack, this embodiment sets an attack threshold Δ, and after Δ iterations, the final adversarial graph G is obtained. adv The data is then input into the victim model for downstream tasks, such as node classification, to complete the node injection attack. Experiments show that the method described in this embodiment significantly reduces the accuracy of node classification with a small number of injected nodes, achieving excellent attack results.
[0132] Example 4
[0133] This embodiment 4 provides a non-transitory computer-readable storage medium for storing computer instructions. When these computer instructions are executed by a processor, they implement the node injection attack method based on maximizing malicious impact as described above. The method includes:
[0134] The original graph is preprocessed to calculate node susceptibility, and a weight matrix is defined on the original graph. Then, low-weight edges are filtered to obtain a susceptibility subgraph.
[0135] Perform the back-influence sampling algorithm on the susceptibility subgraph to select influential nodes and add them to the set of neighbor nodes of the injected node;
[0136] Randomly connect the injected node to its neighboring node to obtain the initial adversarial graph. An extended original graph G is generated by adding isolated injection nodes to the original graph. (0) ;
[0137] Initial adversarial graph With the extension of the original graph G (0) In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. Where t is the current iteration number; the updated adversarial graph replace Repeat the update until the perturbation threshold Δ is reached to obtain the final adversarial graph G′;
[0138] The final adversarial graph G′ is taken as input and downstream tasks are executed.
[0139] Example 5
[0140] This embodiment 5 provides an electronic device, including: a processor, a memory, and a computer program; wherein, the processor is connected to the memory, and the computer program is stored in the memory. When the electronic device is running, the processor executes the computer program stored in the memory to cause the electronic device to execute instructions implementing the node injection attack method based on maximizing malicious impact as described above. The method includes:
[0141] The original graph is preprocessed to calculate node susceptibility, and a weight matrix is defined on the original graph. Then, low-weight edges are filtered to obtain a susceptibility subgraph.
[0142] Perform the back-influence sampling algorithm on the susceptibility subgraph to select influential nodes and add them to the set of neighbor nodes of the injected node;
[0143] Randomly connect the injected node to its neighboring node to obtain the initial adversarial graph. An extended original graph G is generated by adding isolated injection nodes to the original graph. (0) ;
[0144] Initial adversarial graph With the extension of the original graph G (0) In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. Where t is the current iteration number; the updated adversarial graph replace Repeat the update until the perturbation threshold Δ is reached to obtain the final adversarial graph G′;
[0145] The final adversarial graph G′ is taken as input and downstream tasks are executed.
[0146] Example 6
[0147] This embodiment 6 provides a computer device, including a memory and a processor, wherein the processor and the memory communicate with each other, and the memory stores program instructions executable by the processor. The processor invokes the program instructions to execute the node injection attack method based on maximizing malicious impact as described above, the method including:
[0148] The original graph is preprocessed to calculate node susceptibility, and a weight matrix is defined on the original graph. Then, low-weight edges are filtered to obtain a susceptibility subgraph.
[0149] Perform the back-influence sampling algorithm on the susceptibility subgraph to select influential nodes and add them to the set of neighbor nodes of the injected node;
[0150] Randomly connect the injected node to its neighboring node to obtain the initial adversarial graph. An extended original graph G is generated by adding isolated injection nodes to the original graph. (0) ;
[0151] Initial adversarial graph With the extension of the original graph G (0) In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. Where t is the current iteration number; the updated adversarial graph replace Repeat the update until the perturbation threshold Δ is reached to obtain the final adversarial graph G′;
[0152] The final adversarial graph G′ is taken as input and downstream tasks are executed.
[0153] In summary, the node injection attack method based on maximizing malicious influence described in this invention proposes a global node injection attack framework (MaxiMal, Maximizing malicious influence). This framework achieves a global attack under a strict black-box setting by maximizing the influence of malicious information. A strict black-box setting means that the only known information during the attack process is the adjacency matrix and feature matrix of the input graph. Specifically, MaxiMal first selects neighboring nodes of the injected node based on node susceptibility analysis and maximizing influence. Such neighboring nodes help achieve a global attack effect with a small number of injected nodes. Secondly, this invention simultaneously considers the optimization of maximizing malicious influence and the strict black-box setting, replacing the traditional classification loss with a contrastive loss. Then, by maximizing the contrastive loss, fine-grained updates are performed on the edges and features of the injected node to obtain optimal attack performance.
[0154] This invention attacks the GNN model by injecting malicious nodes, deceiving the GNN model without modifying the structure and features of the original graph, which is more in line with real-world scenarios.
[0155] To address the issue of achieving a global attack effect with only a few injected nodes, this invention proposes a reverse influence sampling algorithm that integrates node susceptibility information to select neighboring nodes, making them more susceptible to the influence of injected nodes and the propagation of their malicious information. This scheme has good interpretability.
[0156] This invention employs contrastive loss and performs unsupervised gradient attacks based on backpropagation rules. It does not require access to the victim model information or node label information, satisfying a strict black-box environment. Therefore, it can generate adversarial graphs even when the victim model is unknown, exhibiting strong transferability.
[0157] This invention, based on maximizing the impact of malicious information, selects specific neighbor nodes and uses comparative loss as the target loss function to update the edge sums and features of the injected nodes. Experiments have shown that this invention can significantly reduce the accuracy of node classification with a small number of injected nodes, achieving excellent attack results.
[0158] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0159] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0160] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0161] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, whereby a series of operational steps are performed to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0162] While the specific embodiments of the present invention have been described above in conjunction with the accompanying drawings, this is not intended to limit the scope of protection of the present invention. Those skilled in the art should understand that, based on the technical solutions disclosed in the present invention, various modifications or variations that can be made by those skilled in the art without creative effort should be included within the scope of protection of the present invention.
Claims
1. A node injection attack method based on maximizing malicious impact, characterized in that, include: The original graph is preprocessed to calculate node susceptibility, define a weight matrix on the original graph, and then filter out low-weight edges to obtain a susceptibility subgraph; this includes: given the original graph ,in Represents the adjacency matrix. Represent the characteristic matrix; define the transition probability matrix. : ; in, It is the node sequence number. Represents a node The degree, This indicates starting from node [node name] during a random walk. Move to The probability of; according to Step transition matrix Define a weight matrix on the graph, where a larger weight means that the relevant node is more susceptible to malicious influence from the injected node. The susceptible subgraph is obtained by filtering out the edges with lower weights. Perform a back-influence sampling algorithm on the susceptibility subgraph to select influential nodes and add them to the neighbor set of the injected node; this includes generating a series of back-reachable sets on the susceptibility subgraph, where nodes... The reverse reachable set is a subgraph Zhongneng can reach A set of nodes; to make nodes The reverse reachable set can be considered as its first-order and second-order neighbor sets; based on the node The process of generating the reverse reachable set shows that all nodes in the set will affect the other nodes after information aggregation. Using a greedy algorithm, find the set that covers the most backward reachable sets. Each node, i.e. One neighboring node; Randomly connect the injected node to its neighboring node to obtain the initial adversarial graph. And add isolated injection nodes to the original graph to generate an expanded original graph. ; Initial adversarial graph With extended original image In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. ,in This represents the current iteration number; the updated adversarial graph will be used. replace Repeat the update until the perturbation threshold is reached. To obtain the final adversarial diagram ; The final confrontation diagram As input and to execute downstream tasks; Referring to the framework of contrastive learning, an expanded original graph and an adversarial graph are compared, and contrastive loss is used to replace the traditional classification loss for unsupervised gradient attack. With only the adjacency matrix and feature matrix information of the original graph, the node representation distance between the original graph and the adversarial graph is maximized. The two views are replaced with an expanded original graph and an adversarial graph, and then the contrastive loss value is calculated. With the goal of maximizing the contrastive loss, the corresponding edges and features are found and updated according to the backpropagation rule using gradient information. This is divided into gradient extraction and adversarial graph update. In gradient extraction, since injection attacks can be viewed as occurring in the original graph... Injection ,in for The adjacency matrix, the number of nodes includes One injection node and One neighboring node, For the characteristic matrix, Let be the feature dimension of the node; therefore, according to the backpropagation rule, we get... The gradients of the adjacency matrix and the characteristic matrix; In adversarial graph update, the obtained gradient information is used for updating. The structure and features of the graph maximize the loss, that is, increase the distance between the adversarial graph and the original graph, and maximize the influence of the malicious information injected into the nodes. The updated Inject into adversarial graphs In the process, the updated adversarial map is obtained. .
2. The node injection attack method based on maximizing malicious impact according to claim 1, characterized in that, The initial adversarial graph is obtained by randomly connecting the injected node with its neighboring nodes. Add the same number of isolated injection nodes to the original graph to expand the original graph. The features of the injected nodes are initialized with the features of random original nodes.
3. A node injection attack system based on maximizing malicious impact, according to the method described in claim 1 or 2, characterized in that, include: The preprocessing module is used to preprocess the original graph, calculate the node susceptibility, define the weight matrix on the original graph, and then filter out low-weight edges to obtain a susceptibility subgraph. The injection module is used to perform the back influence sampling algorithm on the susceptibility subgraph, select influential nodes, and add them to the set of neighbor nodes of the injected node. The generation module is used to randomly connect the injected node with its neighboring nodes to obtain the initial adversarial graph. And add isolated injection nodes to the original graph to generate an expanded original graph. ; The update module is used to update the initial adversarial graph. With extended original image In contrast, using the contrastive loss function Calculate the loss value; based on the backpropagation rule, update the edges and features of the injected nodes using the gradient information of the loss function, and generate the updated adversarial graph. ,in This represents the current iteration number; The updated adversarial map replace Repeat the update until the perturbation threshold is reached. To obtain the final adversarial diagram ; The execution module is used to generate the final adversarial graph. It serves as input and executes downstream tasks.
4. A non-transitory computer-readable storage medium, characterized in that, The non-transitory computer-readable storage medium is used to store computer instructions, which, when executed by a processor, implement the node injection attack method based on maximizing malicious impact as described in claim 1 or 2.
5. A computer device, comprising a memory and a processor, the processor and the memory communicating with each other, the memory storing program instructions executable by the processor, the processor invoking the program instructions to execute the node injection attack method based on maximizing malicious impact as described in claim 1 or 2.
6. An electronic device, characterized in that, include: The device includes a processor, a memory, and a computer program; wherein the processor is connected to the memory, the computer program is stored in the memory, and when the electronic device is running, the processor executes the computer program stored in the memory to cause the electronic device to execute instructions that implement the node injection attack method based on maximizing malicious influence as described in claim 1 or 2.