Black-box graph injection attack methods, devices, computer equipment, and storage media

By combining a node encoder and a reward predictor, the fake node generator is optimized to generate high-quality fake nodes in a black-box environment. This solves the problem of low success rate of black-box graph injection attacks in existing technologies and achieves efficient attack effects under black-box settings.

CN117952183B · Active · Publication Date: 2026-06-30 · NAT UNIV OF DEFENSE TECH

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: NAT UNIV OF DEFENSE TECH
Filing Date: 2023-12-11
Publication Date: 2026-06-30

AI Technical Summary

Technical Problem

Existing black-box graph injection attack methods are difficult to implement in practice. The initial fake node features are usually randomly initialized, requiring multiple queries to succeed. Furthermore, existing techniques cannot effectively utilize the limited data and query information under black-box settings.

Method used

Unsupervised knowledge is acquired through a node encoder, experience is gained from queries using a reward predictor, fake nodes are optimized using a fake node generator to generate fake nodes with malicious characteristics, and a gradient optimization method is used to iteratively update the fake nodes to improve the attack success rate.

Benefits of technology

In a black-box environment, it improves the initial query success rate of graph injection attacks and can generate high-quality fake nodes with limited knowledge, effectively interfering with the node classifier prediction output of the target model.

✦ Generated by Eureka AI based on patent content.

Abstract

This application relates to a method, apparatus, computer device, and storage medium for black-box graph injection attacks. The method includes: inputting the original and modified reference graphs into a pre-learned unsupervised node encoder to extract features from target nodes, obtaining an initial embedding vector and a modified embedding vector; obtaining a first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries; calculating a second loss function based on the query results predicted by a reward predictor corresponding to the modified embedding vectors and the query results obtained by the target model querying the target nodes after injecting fake nodes; calculating the gradient values of the first and second loss functions relative to the fake nodes using a pre-constructed fake node generator, iteratively updating the gradient values using a gradient optimization method, and outputting the fake nodes at the point where iteration stops. This method can improve the success rate of black-box graph injection attacks.

Description

Technical Field

[0001] This application relates to the field of deep learning technology, and in particular to a black-box graph injection attack method, apparatus, computer device, and storage medium.

Background Technology

[0002] Graph Neural Networks (GNNs) have achieved great success in various graph learning tasks, such as node classification, edge prediction, and graph classification. Compared to Euclidean data such as images, audio, or text, graph data contains flexible and rich structural information, making adversarial attacks on graph data more threatening. Graph Modification Attacks (GMAs) can significantly impact the performance of graph neural networks by adding adversarial perturbations (adding or deleting edges) to the graph structure. However, a common assumption in GMAs is that attackers have the right to modify the original data, which is unrealistic in most cases. Therefore, Graph Injection Attacks (GIAs), which inject fake nodes into the graph without modifying the existing graph structure, have attracted more attention. For example, on social media platforms, malicious users can manipulate graph neural network models by creating fake accounts and adding connections to target accounts, causing the model to misclassify the target account.

[0003] Compared to graph modification attacks, graph injection attacks are a more challenging approach because attackers must generate fake nodes with malicious characteristics that are difficult to detect. Furthermore, attackers must carefully orchestrate the connections between fake nodes and original nodes, as well as the internal connections within the fake nodes. Most graph injection attacks occur in white-box settings, where attackers have complete access to the target model and graph data. Graph injection attacks are highly effective in white-box settings, where attackers can significantly weaken the target model by injecting carefully crafted fake nodes. However, in the real world, attackers rarely obtain detailed information about the training data and the target model before training. Therefore, black-box settings are a more practical approach to graph injection attacks because they only allow attackers limited access to data and the ability to query the target model.

[0004] Existing white-box graph injection attack methods are more theoretical and impractical in real-world scenarios. Black-box attacks, on the other hand, are the closest to real-world attack settings. Current black-box graph injection attacks can optimize fake nodes using query results to achieve their attack objectives. However, the characteristics of the initial fake nodes are usually randomly initialized and then optimized through iterative queries, requiring multiple queries to successfully execute the attack.

Summary of the Invention

[0005] Therefore, it is necessary to provide a black-box graph injection attack method, apparatus, computer device, and storage medium to address the aforementioned technical problems.

[0006] A black-box graph injection attack method, the method comprising:

[0007] Obtain the original reference relationship graph and the modified reference relationship graph; the modified reference relationship graph is obtained by injecting fake nodes to modify the target nodes in the original reference relationship graph;

[0008] The original reference graph and the modified reference graph are respectively input into a node encoder that has undergone unsupervised learning to extract features from the target node, resulting in an initial embedding vector and a modified embedding vector.

[0009] The first loss function is obtained based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries;

[0010] The second loss function is calculated based on the query results corresponding to the modified embedding vector predicted by the reward predictor and the query results obtained by the target model querying the target node after injecting fake nodes; the reward predictor is used to predict the query results of the target node;

[0011] The gradient values of the first loss function and the second loss function with respect to the fake nodes are calculated using a pre-built fake node generator. The gradient values are iteratively updated using a gradient optimization method, and the fake nodes at the point where the iteration stops are output.

[0012] In one embodiment, the method further includes: a node encoder extracting features from the target node to obtain an embedding vector as follows:

[0013]

[0014] Where $W_0$ and $W_1$ are the parameters of the two graph convolutional layers in the node encoder, and $I_N$ is the identity matrix. It is a diagonal matrix. σ(·) is the activation function.

[0015] In one embodiment, the method further includes: using the embedding vector generated by the node encoder as input to the reward predictor, and using a multilayer perceptron to predict the query result of the target node.

[0016]

[0017] Where $F(z_t)$ represents the query result for the target node, $z_t$ is the embedding vector of the target node, $a_l$ and $b_l$ are the weight and bias of the l-th layer of the multilayer perceptron, and σ(·) is the activation function.

[0018] In one embodiment, the method further includes: obtaining a first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries.

[0019]

[0020] Where s(·,·) represents the cosine similarity. This represents the modified embedding vector after injecting a fake node in the q-th query. This represents the embedding vector of queries that failed up to the q-th query. This represents the first loss function.

[0021] In one embodiment, the method further includes: calculating a second loss function based on the query result corresponding to the modified embedding vector predicted by the reward predictor and the query result obtained by the target model querying the target node after injecting fake nodes.

[0022]

[0023] Where CE(·,·) represents the cross-entropy loss, and $y_t$ represents the query result obtained by the target model when querying the target node after injecting fake nodes. This represents the query result of the target node output by the reward predictor after injecting fake nodes. This represents the second loss function.

[0024] In one embodiment, the method further includes: calculating the gradient values of the first loss function and the second loss function relative to the fake node:

[0025]

[0026] in, The gradient value, To inject the feature matrix of the fake nodes in the q-th query, Denotes the first loss function. This represents the second loss function.

[0027] In one embodiment, the method further includes: during gradient optimization, using the Clamp function to limit the range of each feature in the feature matrix based on the maximum and minimum values in the feature matrix of the fake nodes.

[0028] A black-box graph injection attack apparatus, the apparatus comprising:

[0029] The data acquisition module is used to acquire the original reference relationship graph and the modified reference relationship graph; the modified reference relationship graph is obtained by injecting fake nodes to modify the target nodes in the original reference relationship graph;

[0030] The feature extraction module is used to input the original reference relationship graph and the modified reference relationship graph into a node encoder that has undergone unsupervised learning to extract features from the target node, so as to obtain the initial embedding vector and the modified embedding vector.

[0031] The first loss calculation module is used to obtain a first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries;

[0032] The second loss calculation module is used to calculate the second loss function based on the query result corresponding to the modified embedding vector predicted by the reward predictor and the query result obtained by the target model querying the target node after injecting fake nodes; the reward predictor is used to predict the query result of the target node;

[0033] The fake node generation module is used to calculate the gradient values of the first loss function and the second loss function with respect to the fake node using a pre-built fake node generator, iteratively update the gradient values using a gradient optimization method, and output the fake node when the iteration stops.

[0034] A computer device includes a memory and a processor, the memory storing a computer program, and the processor executing the computer program performing the following steps:

[0035] Obtain the original reference relationship graph and the modified reference relationship graph; the modified reference relationship graph is obtained by injecting fake nodes to modify the target nodes in the original reference relationship graph;

[0036] The original reference graph and the modified reference graph are respectively input into a node encoder that has undergone unsupervised learning to extract features from the target node, resulting in an initial embedding vector and a modified embedding vector.

[0037] The first loss function is obtained based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries;

[0038] The second loss function is calculated based on the query results corresponding to the modified embedding vector predicted by the reward predictor and the query results obtained by the target model querying the target node after injecting fake nodes; the reward predictor is used to predict the query results of the target node;

[0039] The gradient values of the first loss function and the second loss function with respect to the fake nodes are calculated using a pre-built fake node generator. The gradient values are iteratively updated using a gradient optimization method, and the fake nodes at the point where the iteration stops are output.

[0040] A computer-readable storage medium having a computer program stored thereon, the computer program performing the following steps when executed by a processor:

[0041] Obtain the original reference relationship graph and the modified reference relationship graph; the modified reference relationship graph is obtained by injecting fake nodes to modify the target nodes in the original reference relationship graph;

[0042] The original reference graph and the modified reference graph are respectively input into a node encoder that has undergone unsupervised learning to extract features from the target node, resulting in an initial embedding vector and a modified embedding vector.

[0043] The first loss function is obtained based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries;

[0044] The second loss function is calculated based on the query results corresponding to the modified embedding vector predicted by the reward predictor and the query results obtained by the target model querying the target node after injecting fake nodes; the reward predictor is used to predict the query results of the target node;

[0045] The gradient values of the first loss function and the second loss function with respect to the fake nodes are calculated using a pre-built fake node generator. The gradient values are iteratively updated using a gradient optimization method, and the fake nodes at the point where the iteration stops are output.

[0046] The aforementioned black-box graph injection attack method, apparatus, computer equipment, and storage medium acquire unsupervised knowledge through a node encoder, gain experience from queries through a reward predictor, and execute the attack through a fake node generator. By utilizing the unsupervised knowledge of the graph to optimize fake nodes, the attacker can learn high-quality target node embeddings with limited knowledge, thereby selectively generating fake nodes and interfering with the node classifier's prediction output for the target node. The proposed reward predictor and fake node generator can fully utilize query information to optimize fake nodes, gradually increasing the attack success rate and improving the initial query success rate in black-box attacks. This invention can improve the success rate of black-box graph injection attacks.

Attached Figure Description

[0047] Figure 1 is a flowchart illustrating a black-box graph injection attack method in one embodiment;

[0048] Figure 2 is a flowchart illustrating a graph injection attack method in a specific embodiment, where (a) is a flowchart illustrating the process before, during, and after the query, and (b) is a diagram illustrating the meaning of the legend;

[0049] Figure 3 is a visual comparison of the node embeddings of different methods in one embodiment, where (a) is a visualization of the node embeddings of the node encoder, and (b) is a visualization of the node embeddings of the SAGE node classification model;

[0050] Figure 4 is a structural block diagram of a black-box graph injection attack apparatus in one embodiment;

[0051] Figure 5 is an internal structural diagram of a computer device in one embodiment.

Detailed Implementation

[0052] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0053] In one embodiment, as shown in Figure 1, a black-box graph injection attack method is provided, including the following steps:

[0054] Step 102: Obtain the original reference relationship graph and the modified reference relationship graph.

[0055] The modified reference graph is obtained by injecting fake nodes to modify the target nodes in the original reference graph.

[0056] Step 104: Input the original reference graph and the modified reference graph into the node encoder that has undergone unsupervised learning to extract features from the target node, and obtain the initial embedding vector and the modified embedding vector.

[0057] Node encoders can be trained using any local-local contrastive learning method. By aggregating the features of the target node and its neighboring nodes, the node encoder maps the features of the target node $v_t$ to a low-dimensional embedding vector $z_t$.

[0058] Step 106: Based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries, obtain the first loss function.

[0059] Step 108: Calculate the second loss function based on the query results corresponding to the modified embedding vector predicted by the reward predictor and the query results obtained by the target model querying the target node after injecting fake nodes.

[0060] The reward predictor is used to predict the query results for the target node. After querying the target model, the attacker obtains the reward value $r_t$ of the target node. The reward value refers to the confidence level that the node is classified as the correct target. The reward predictor aims to learn the mapping from the embedding $z_t$ to the reward $r_t$, and is used as a substitute for the target model. The target model refers to the node classification model.

[0061] Let G = {A, X} denote a graph, where $A \in \{0, 1\}^{N \times N}$ and Let these represent the adjacency matrix and feature matrix of the graph, respectively. Specifically, It is the F-dimensional feature of node $v_i$; if $(v_i, v_j) \in \varepsilon$ then $A_{ij} = 1$, otherwise $A_{ij} = 0$. Definition It is a set containing N nodes. Represents an edge set. Given a subset of labeled nodes. The labels come from K classes. The goal of a node classification model is to learn a function that maps each node to one of the classes. To interfere with the node classification model, a graph injection attack (GIA) modifies graph G to G′=(A′,E′), resulting in:

[0062]

[0063]

[0064] Where X represents the adjacency matrix of the edges between the fake nodes and the nodes in the original graph G, B is the adjacency matrix of the interior of the fake nodes, $X_I$ is the feature matrix of the fake nodes, and $N_I$ is the number of fake nodes. By injecting fake nodes, the attacker's goal is to minimize the number of target nodes that the classifier classifies correctly.

[0065]

[0066] in, Represents the target node set. It is the label of the target node. An indicator function that returns the number of true conditions.

[0067] Step 110: Calculate the gradient values of the first loss function and the second loss function with respect to the fake nodes using a pre-built fake node generator, iteratively update the gradient values using a gradient optimization method, and output the fake nodes when the iteration stops.

[0068] The fake node generator employs a gradient optimization method to generate fake nodes based on information from the node encoder and reward predictor. Utilizing fake nodes for attacks allows for a thorough exploration of the performance changes of target node classification models when facing potential adversarial attacks, thereby promoting research on robust graph learning models and facilitating their widespread application in the future.

[0069] In the aforementioned black-box graph injection attack method, unsupervised knowledge is acquired through a node encoder, experience is gained from the query through a reward predictor, and the attack is carried out through a fake node generator. By utilizing the unsupervised knowledge of the graph to optimize the fake nodes, the attacker can learn a high-quality target node embedding representation with only limited knowledge, thereby selectively generating fake nodes and interfering with the node classifier's prediction output for the target node. The proposed reward predictor and fake node generator can fully utilize query information to optimize the fake nodes, gradually improving the attack success rate and increasing the initial query success rate in black-box attacks. This invention improves the success rate of black-box graph injection attacks.

[0070] In one embodiment, the node encoder extracts features from the target node to obtain an embedding vector, including: the node encoder extracts features from the target node to obtain an embedding vector as follows:

[0071]

[0072] Where $W_0$ and $W_1$ are the parameters of the two graph convolutional layers in the node encoder, and $I_N$ is the identity matrix. It is a diagonal matrix. σ(·) is the activation function.

[0073] In this embodiment, the node encoder E(G) uses two graph convolutional layers to aggregate node features and generate node embeddings. This invention employs a contrastive learning approach to learn the node encoder in an unsupervised environment. In a black-box environment, the available labeled data is limited, making it difficult to learn effective node features through supervised learning. Similar to the setup in GRACE (deep GRAph Contrastive rEpresentation learning, an unsupervised contrastive framework for graph representation learning), this invention uses edge removal and node feature masking to generate contrastive graph views. Embeddings of the same node in different graph views are considered positive sample pairs, while embeddings of different nodes are considered negative sample pairs. Model parameters are optimized by maximizing the similarity between positive sample pairs and minimizing the similarity between negative sample pairs.

[0074] In one specific embodiment, as shown in Figure 2, a flowchart illustrating a graph injection attack method is provided, where Figure 2(a) is a flowchart illustrating the processes before querying, during querying, and after querying, and Figure 2(b) is a schematic diagram illustrating the meaning of the legend. In Figure 2(a), "generate fake node" means to generate fake nodes, and "train reward predictor" means to train the reward predictor. In Figure 2(b), "Target node" is the target node, "Fake node" is the fake node, "Loss function" is the loss function, "Model" is the model, "Embedding of the target node $z_t$" is the embedding vector $z_t$ of the target node, "Prediction of the target node $r_t$" is the prediction result $r_t$ for the target node, and "Feature of the fake node $x_t$" is the feature vector $x_t$ corresponding to the fake node. The reward predictor is used to predict the query result of the target node. This involves taking the embedding vector generated by the node encoder as input and using a multilayer perceptron to predict the query result of the target node.

[0075]

[0076] Where $F(z_t)$ represents the query result for the target node, $z_t$ is the embedding vector of the target node, $a_l$ and $b_l$ are the weight and bias of the l-th layer of the multilayer perceptron, and σ(·) is the activation function.

[0077] In this embodiment, because graph contrastive learning extracts node features effectively, as shown in Figure 2, the reward predictor can take the node embeddings generated by the node encoder as input and predict the reward value using a multilayer perceptron (MLP). The l1 norm is used as the loss function to ensure that the output of the reward predictor matches the query result. In Figure 2, the loss function (L2 Loss) can be expressed as:

[0078] $L_r = |F(z_t) - r_t|$,

[0079] Where $r_t$ represents the query result of the target node $v_t$. After obtaining the query results for the target node, the reward predictor calculates the loss based on the loss function and uses the optimizer to optimize the model parameters.

[0080] In one embodiment, obtaining the first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries includes: obtaining the first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries as follows:

[0081]

[0082] Where s(·,·) represents the cosine similarity. This represents the modified embedding vector after injecting a fake node in the q-th query. This represents the embedding vector of queries that failed up to the q-th query. This represents the first loss function. In this embodiment, since the parameters of the target model cannot be obtained in a black-box attack, it is not possible to directly use $L_r$ to optimize the fake nodes. This invention therefore uses two accessible proxy tasks: maximizing the variation of the target node in the embedding space and minimizing the predictions of the reward predictor. In the q-th query, the attacker injects fake nodes to change the embedding of the target node from $z_t$ to the modified embedding. Intuitively, the modified embedding should differ from the initial embedding $z_t$ and from the embeddings of previously failed queries. Therefore, the first loss function is used to measure changes in embedding.
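The embedding shift measured with cosine similarity in this paragraph is also something a graph owner can compute when a new node attaches. The following is an added example, not code from the patent: a defender-side audit that reports, for each existing node, the drift 1 − s(before, after) of its encoder embedding. The symmetric-normalized two-layer graph convolution with ReLU, the identity weights standing in for a trained encoder, the toy graph, and the 0.02 threshold are all assumptions constructed for illustration.

```python
import math

def matmul(a, b):
    """Dense product of two small list-of-lists matrices."""
    cols = list(zip(*b))
    return [[sum(p * q for p, q in zip(row, col)) for col in cols] for row in a]

def normalized_adjacency(n, edges):
    """D^-1/2 (A + I_N) D^-1/2 for an undirected graph on n nodes."""
    a = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for u, v in edges:
        a[u][v] = a[v][u] = 1.0
    deg = [sum(row) for row in a]  # diagonal of D, self-loops included
    return [[a[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)]
            for i in range(n)]

def encode(n, edges, x, w0, w1):
    """Two graph-convolution layers (assumed form) with ReLU between them."""
    a_hat = normalized_adjacency(n, edges)
    hidden = [[max(0.0, v) for v in row] for row in matmul(matmul(a_hat, x), w0)]
    return matmul(matmul(a_hat, hidden), w1)

def cosine(u, v):
    """Cosine similarity s(u, v); all-zero vectors are handled explicitly."""
    nu = math.sqrt(sum(c * c for c in u))
    nv = math.sqrt(sum(c * c for c in v))
    if nu == 0.0 or nv == 0.0:
        return 1.0 if nu == nv else 0.0
    return sum(p * q for p, q in zip(u, v)) / (nu * nv)

def within_feature_range(x, feat):
    """Naive check: each feature lies inside the per-column min/max of x."""
    return all(min(col) <= f <= max(col) for col, f in zip(zip(*x), feat))

def audit_new_node(n, edges, x, new_feat, attach_to, w0, w1, threshold):
    """Compare every existing node's embedding before and after a node joins."""
    before = encode(n, edges, x, w0, w1)
    grown_edges = list(edges) + [(n, t) for t in attach_to]
    after = encode(n + 1, grown_edges, x + [list(new_feat)], w0, w1)
    drift = [1.0 - cosine(before[i], after[i]) for i in range(n)]
    return {
        "in_range": within_feature_range(x, new_feat),
        "drift": drift,
        "flagged": [i for i, d in enumerate(drift) if d > threshold],
    }

# Constructed toy graph: nodes 0-2 form one feature cluster, nodes 3-5 another.
N = 6
EDGES = [(0, 1), (0, 2), (1, 2), (2, 3), (3, 4), (4, 5)]
X = [[1.0, 0.0], [0.9, 0.1], [1.0, 0.1], [0.1, 0.9], [0.0, 1.0], [0.1, 1.0]]
W0 = [[1.0, 0.0], [0.0, 1.0]]  # constructed weights, not a trained encoder
W1 = [[1.0, 0.0], [0.0, 1.0]]
THRESHOLD = 0.02               # constructed alert threshold

if __name__ == "__main__":
    # Two constructed newcomers attach to node 0; both pass the range check.
    for label, feat in (("dissimilar", [0.0, 1.0]), ("similar", [1.0, 0.0])):
        report = audit_new_node(N, EDGES, X, feat, [0], W0, W1, THRESHOLD)
        print(label, report["in_range"], report["flagged"],
              [round(d, 4) for d in report["drift"]])
```

Both constructed newcomers stay inside the original feature range, so a range check alone does not separate them; only the drift of node 0 does. Nodes more than two hops from the attachment point show no drift, which bounds the set of nodes that need re-scoring.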

[0083] In one embodiment, calculating the second loss function based on the query result corresponding to the modified embedding vector predicted by the reward predictor and the query result obtained by the target model querying the target node after injecting fake nodes includes: calculating the second loss function, based on the query result corresponding to the modified embedding vector predicted by the reward predictor and the query result obtained by the target model querying the target node after injecting fake nodes, as follows:

[0084]

[0085] Where CE(·,·) represents the cross-entropy loss (CE Loss), and $y_t$ represents the query result obtained by the target model when querying the target node after injecting fake nodes. This represents the query result of the target node output by the reward predictor after injecting fake nodes. This represents the second loss function. In this embodiment, the reward predictor is considered a simpler alternative model to the target model because it is used to mimic the query results. Therefore, the impact of fake nodes on the target model can be approximated by the loss value of the reward predictor.

[0086] In one embodiment, calculating the gradient values of the first loss function and the second loss function with respect to the fake nodes includes: calculating the gradient values of the first loss function and the second loss function with respect to the fake nodes as follows:

[0087]

[0088] in, The gradient value, To inject the feature matrix of the fake nodes in the q-th query, Denotes the first loss function. This represents the second loss function. In this embodiment, the fake node generator calculates the gradient of the loss value with respect to the fake nodes based on the first loss function and the second loss function. After obtaining the gradient, the fake nodes can be updated using a gradient optimization strategy. Note that for datasets with continuous features, the gradient value is simply added directly to the features of the fake nodes.

[0089]

[0090] Where η represents the optimization step size.

[0091] In one embodiment, the method further includes: during gradient optimization, using the Clamp function to limit the range of each feature in the feature matrix based on the maximum and minimum values in the feature matrix of the fake nodes.

[0092] In this embodiment, the Clamp function is simply used to limit the range of features during the optimization process:

[0093]

[0094] Here, min and max represent the minimum and maximum values of the corresponding features in the feature matrix X, respectively. For datasets with discrete features, when a feature of a fake node is 0, that feature cannot be further reduced; it can only be increased to 1, and vice versa. Therefore, the update strategy needs to consider both the features of the fake node itself and the gradient to be updated. Specifically, it considers... Two positions to be updated, Δ+ and Δ-, are selected: the position with feature 0 and the position with feature 1:

[0095]

[0096] Subsequently, to make fake nodes less noticeable, we set the number of features for fake nodes to be equal to the average number of features for all other nodes in the dataset. When the number of features for a fake node is less than the average, Δ+ is used to optimize the fake nodes, i.e. When the number of features reaches the average, Δ+ and Δ- are used simultaneously to optimize the fake nodes while keeping the total number of features constant, i.e.

[0097] In one specific embodiment, the invention was evaluated on four well-known datasets. Cora and Citeseer are citation datasets with discrete features, PubMed is a citation dataset with continuous features, and Reddit is a social network dataset with continuous features. For Reddit, the invention uses the subgraphs and splits shared by G-NIA (Generalizable Node Injection Attack) for fair comparison. The invention compares its work with four black-box graph injection attack methods. The G²A2C (Gradient-free Graph Advantage Actor Critic) method is a query-based GIA approach that models node injection attacks as a Markov decision process. The TDGIA (Topological Defective Graph Injection Attack) and G-NIA methods are transfer-based black-box graph injection attacks with access to all data. They first train a surrogate model on the entire dataset, then optimize fake nodes with the surrogate model as the target, and finally transfer the attack to the target model. This invention also compares its method to a random attacker that randomly generates features of fake nodes and connects them to the target node.

[0098] In the experiments of this invention, attackers can only obtain a subgraph containing the target node and its two-hop neighbors, and query the classification probability of the target node in the target model. To make the attack less noticeable, this invention restricts the features of the fake nodes. For datasets with discrete features, this invention forces the average value of the features of the fake nodes to be equal to that of the original graph. For datasets with continuous features, this invention ensures that the injected features do not exceed the upper and lower limits of the original graph. Due to different experimental settings, this invention relaxes the knowledge restrictions of the benchmark methods. Specifically, for the transfer-based TDGIA and G-NIA, this invention allows attackers to access all data, as well as the labels of the training and validation sets. For the generative G²A2C method, this invention allows the feature metrics of fake nodes to exceed the average value of the dataset.

[0099] This invention compares the proposed GCIA (Graph Injection Attack Method Based on Graph Contrastive Learning) method with baseline methods in a single-node injection attack setting, and the results are listed in Tables 1 and 2. Single-node injection attack means injecting only one node for each target node. It can be seen that even when using randomly generated fake nodes, graph learning models are easily affected by graph injection attacks. Although nodes in the Reddit and PubMed datasets, which have continuous features, have higher degrees, they are more susceptible to fake nodes compared to datasets with discrete features. Among all attack methods, the proposed GCIA method achieves the highest misclassification rate in almost all cases. Compared with the state-of-the-art G²A2C method, GCIA improves the misclassification rate on Cora, Citeseer, Reddit, and PubMed by 7.9%, 10.3%, 11.4%, and 22.0%, respectively. Notably, the proposed GCIA method exhibits a significantly higher initial query success rate, indicating that graph contrastive learning models can extract rich graph information. By increasing variations in the target node embedding, the initial fake nodes generated by GCIA sometimes possess even stronger attack capabilities than those generated by the compared methods.

[0100] Table 1 shows the misclassification rates of different GCN models after launching single-node injection attacks using different attack methods on the Cora and Citeseer datasets.

[0101]

[0102] Table 2 shows the misclassification rates of different GCN models after launching single-node injection attacks using different attack methods on the Reddit and PubMed datasets.

[0103]

[0104] In one specific embodiment, as shown in Figure 3, a visual comparison of node embeddings from different methods is provided, wherein Figure 3(a) is a visualization of the node embeddings in the node encoder and Figure 3(b) is a visualization of the node embeddings of the SAGE node classification model. Circles represent nodes in the graph, squares represent target nodes (Original), triangles represent target nodes in the first query (Attacked1), and stars represent target nodes in the second query (Attacked2). Their colors represent the node labels. To further investigate how GCIA utilizes the embedding vectors output by the node encoder to optimize fake nodes, this invention uses a SAGE node classification model trained on the Cora dataset for visualization. In the attack shown in the case study, the first fake node attack generated by GCIA failed, but after optimization, the second attack succeeded. Figure 3 shows t-SNE (t-Distributed Stochastic Neighbor Embedding) visualizations of the node embeddings extracted from the node encoder and the hidden embeddings extracted from the SAGE model. It can be seen that different categories of target nodes are effectively distinguished in the embedding space generated by the node encoder. By optimizing the fake nodes, the embeddings of target nodes in the node encoder change significantly, thereby altering the embedding representation of target nodes in the hidden layer of the SAGE model.

[0105] It should be understood that, although the steps in the flowchart of Figure 1 are shown sequentially as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless otherwise specified herein, there is no strict order in which these steps are executed, and they can be performed in other orders. At least some of the steps in Figure 1 may include multiple sub-steps or multiple stages. These sub-steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these sub-steps or stages is not necessarily sequential; they can be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.

[0106] In one embodiment, as shown in Figure 4, a black-box graph injection attack device is provided, comprising: a data acquisition module 402, a feature extraction module 404, a first loss calculation module 406, a second loss calculation module 408, and a fake node generation module 410, wherein:

[0107] The data acquisition module 402 is used to acquire the original reference relationship graph and the modified reference relationship graph; the modified reference relationship graph is obtained by injecting fake nodes to modify the target nodes in the original reference relationship graph.

[0108] The feature extraction module 404 is used to input the original reference relationship graph and the modified reference relationship graph into a node encoder that has been pre-trained by unsupervised learning, to extract features from the target node and obtain the initial embedding vector and the modified embedding vector.

[0109] The first loss calculation module 406 is used to obtain the first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries.

[0110] The second loss calculation module 408 is used to calculate the second loss function based on the query results corresponding to the modified embedding vector predicted by the reward predictor and the query results obtained by the target model querying the target node after injecting fake nodes; the reward predictor is used to predict the query results of the target node;

[0111] The fake node generation module 410 is used to calculate the gradient values of the first loss function and the second loss function with respect to the fake nodes through a pre-built fake node generator, iteratively update the gradient values using a gradient optimization method, and output the fake nodes when the iteration stops.

[0112] In one embodiment, the node encoder is also used to extract features from the target node to obtain the embedding vector as follows:

[0113]

[0114] Where W_0 and W_1 are the parameters of the two graph convolutional layers in the node encoder, and I_N is the identity matrix. It is a diagonal matrix. σ(·) is the activation function.

[0115] In one embodiment, the embedding vector generated by the node encoder is further used as input to the reward predictor to predict the query result of the target node using a multilayer perceptron:

[0116]

[0117] Where F(z_t) represents the query result for the target node, z_t is the embedding vector of the target node, a_l and b_l are the weight and bias of the l-th layer of the multilayer perceptron, and σ(·) is the activation function.

[0118] In one embodiment, a first loss function is further obtained based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries:

[0119]

[0120] Where s(·,·) represents the cosine similarity. This represents the modified embedding vector after injecting a fake node in the q-th query. This represents the embedding vector of queries that failed up to the q-th query. This represents the first loss function.

[0121] In one embodiment, a second loss function is further calculated based on the query result corresponding to the modified embedding vector predicted by the reward predictor and the query result obtained by the target model querying the target node after injecting fake nodes:

[0122]

[0123] Where CE(·,·) represents the cross-entropy loss, and y_t represents the query result obtained by the target model when querying the target node after injecting fake nodes. This represents the query result of the target node output by the reward predictor after injecting fake nodes. This represents the second loss function.

[0124] In one embodiment, the gradient values of the first loss function and the second loss function with respect to the fake nodes are also calculated:

[0125]

[0126] in, The gradient value, To inject the feature matrix of the fake nodes in the q-th query, Denotes the first loss function. This represents the second loss function.

[0127] In one embodiment, the Clamp function is also used during gradient optimization to limit the range of each feature in the feature matrix based on the maximum and minimum values in the feature matrix of the fake nodes.
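A defender-side check built from the pieces described above (the two-layer node encoder, the cosine similarity s(·,·) and the per-feature range limit), as an added example that is not code from the patent. It shows that a new node can pass a range check and still move a neighbour's embedding. The propagation rule D^-1/2 (A + I_N) D^-1/2, ReLU as σ, the identity weights, the sample graph, the function names and the 0.01 threshold are all assumptions.

```python
import math

def normalized_adjacency(edges, n):
    """D^-1/2 (A + I_N) D^-1/2 as dense rows; D is the degree matrix of A + I_N (assumed rule)."""
    a = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for u, v in edges:
        a[u][v] = a[v][u] = 1.0
    deg = [sum(row) for row in a]
    return [[a[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]

def matmul(p, q):
    cols = list(zip(*q))
    return [[sum(x * y for x, y in zip(row, col)) for col in cols] for row in p]

def encode(edges, feats, w0, w1):
    """Two graph-convolution layers with ReLU as the activation (assumed form)."""
    a_hat = normalized_adjacency(edges, len(feats))
    hidden = [[max(0.0, v) for v in row] for row in matmul(matmul(a_hat, feats), w0)]
    return matmul(matmul(a_hat, hidden), w1)

def cosine(u, v):
    nu = math.sqrt(sum(x * x for x in u))
    nv = math.sqrt(sum(x * x for x in v))
    return sum(x * y for x, y in zip(u, v)) / (nu * nv) if nu and nv else 0.0

def within_original_bounds(feats, new_feat):
    """Per-feature min/max check against the existing graph's feature matrix."""
    return all(min(col) <= x <= max(col) for col, x in zip(zip(*feats), new_feat))

def embedding_drift(edges, feats, new_feat, attach_to, watched, w0, w1):
    """1 - cosine similarity of the watched node's embedding before/after the new node."""
    new_id = len(feats)  # the proposed node takes the next free index
    before = encode(edges, feats, w0, w1)[watched]
    after = encode(edges + [(new_id, v) for v in attach_to],
                   feats + [new_feat], w0, w1)[watched]
    return 1.0 - cosine(before, after)

def review_new_node(edges, feats, new_feat, attach_to, w0, w1, max_drift=0.01):
    """Admission check for one proposed node: range check plus drift on each neighbour."""
    drift = {v: embedding_drift(edges, feats, new_feat, attach_to, v, w0, w1)
             for v in attach_to}
    return {"in_bounds": within_original_bounds(feats, new_feat),
            "drift": drift,
            "flagged": any(d > max_drift for d in drift.values())}

# Constructed data: nodes 0-2 share one feature profile, nodes 3-4 the other.
EDGES = [(0, 1), (0, 2), (3, 4)]
FEATS = [[1.0, 0.0], [1.0, 0.0], [1.0, 0.0], [0.0, 1.0], [0.0, 1.0]]
W0 = W1 = [[1.0, 0.0], [0.0, 1.0]]  # identity stand-ins for trained encoder weights

if __name__ == "__main__":
    # New node with the other profile attached to node 0: inside the range, still flagged.
    print(review_new_node(EDGES, FEATS, [0.0, 1.0], [0], W0, W1))
    # New node with the same profile as its neighbour: inside the range, not flagged.
    print(review_new_node(EDGES, FEATS, [1.0, 0.0], [0], W0, W1))
```

In practice the weights would come from an encoder trained on the defender's own graph, and the drift threshold would be calibrated on the drift that legitimate node additions cause.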

[0128] Specific limitations regarding the black-box graph injection attack device can be found in the limitations of the black-box graph injection attack method described above, and will not be repeated here. Each module in the aforementioned black-box graph injection attack device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in hardware or independently of the processor in the computer device, or stored in software in the memory of the computer device, so that the processor can call and execute the operations corresponding to each module.

[0129] In one embodiment, a computer device is provided, which may be a terminal, and its internal structure may be as shown in Figure 5. The computer device includes a processor, memory, network interface, display screen, and input devices connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The network interface is used to communicate with external terminals via a network connection. When the computer program is executed by the processor, it implements a black-box graph injection attack method. The display screen can be an LCD screen or an e-ink display screen. The input devices can be a touch layer covering the display screen, buttons, a trackball, or a touchpad mounted on the computer device casing, or an external keyboard, touchpad, or mouse.

[0130] Those skilled in the art will understand that the structure shown in Figure 5 is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.

[0131] In one embodiment, a computer device is provided, including a memory and a processor, the memory storing a computer program, the processor executing the computer program to implement the steps of the method described above.

[0132] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the steps of the method described above.

[0133] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in various forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), etc.

[0134] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.

[0135] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of the invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this invention should be determined by the appended claims.

Claims

1. A black-box graph injection attack method, characterized in that the method includes: obtaining the original reference relationship graph and the modified reference relationship graph, the modified reference relationship graph being obtained by injecting fake nodes to modify the target nodes in the original reference relationship graph; inputting the original reference graph and the modified reference graph respectively into a node encoder that has undergone unsupervised learning to extract features from the target node, resulting in an initial embedding vector and a modified embedding vector; obtaining the first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries; calculating the second loss function based on the query results corresponding to the modified embedding vector predicted by the reward predictor and the query results obtained by the target model querying the target node after injecting fake nodes, the reward predictor being used to predict the query results of the target node; and calculating the gradient values of the first loss function and the second loss function with respect to the fake nodes using a pre-built fake node generator, iteratively updating the gradient values using a gradient optimization method, and outputting the fake nodes at the point where the iteration stops.

2. The method according to claim 1, characterized in that the node encoder extracting features from the target node to obtain the embedding vector includes: the node encoder extracts features from the target node to obtain the embedding vector: Where W_0 and W_1 are the parameters of the two graph convolutional layers in the node encoder, and I_N is the identity matrix. It is a diagonal matrix. σ(·) is the activation function.

3. The method according to claim 1, characterized in that the reward predictor being used to predict the query results for the target node includes: using the embedding vector generated by the node encoder as input to the reward predictor, the query result of the target node is predicted by a multilayer perceptron: Where F(z_t) represents the query result for the target node, z_t is the embedding vector of the target node, a_l and b_l are the weight and bias of the l-th layer of the multilayer perceptron, and σ(·) is the activation function.

4. The method according to any one of claims 1-3, characterized in that obtaining the first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries includes: based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries, the first loss function is obtained as follows: Where s(·,·) represents the cosine similarity. This represents the modified embedding vector after injecting a fake node in the q-th query. This represents the embedding vector of queries that failed up to the q-th query. This represents the first loss function.

5. The method according to any one of claims 1-3, characterized in that calculating the second loss function based on the query results corresponding to the modified embedding vector predicted by the reward predictor and the query results obtained by the target model querying the target node after injecting fake nodes includes: the second loss function is calculated based on the query results corresponding to the modified embedding vector predicted by the reward predictor and the query results obtained by the target model querying the target node after injecting fake nodes. Where CE(·,·) represents the cross-entropy loss, and y_t represents the query result obtained by the target model when querying the target node after injecting fake nodes. This represents the query result of the target node output by the reward predictor after injecting fake nodes. This represents the second loss function.

6. The method according to claim 1, characterized in that calculating the gradient values of the first loss function and the second loss function with respect to the fake nodes includes: calculating the gradient values of the first loss function and the second loss function with respect to the fake nodes: in, The gradient value, To inject the feature matrix of the fake nodes in the q-th query, Denotes the first loss function. This represents the second loss function.

7. The method according to claim 1, characterized in that the method further includes: during gradient optimization, the Clamp function is used to limit the range of each feature in the feature matrix based on the maximum and minimum values in the feature matrix of the fake nodes.

8. A black-box graph injection attack device, characterized in that the device includes: a data acquisition module, used to acquire the original reference relationship graph and the modified reference relationship graph, the modified reference relationship graph being obtained by injecting fake nodes to modify the target nodes in the original reference relationship graph; a feature extraction module, used to input the original reference relationship graph and the modified reference relationship graph into a node encoder that has undergone unsupervised learning to extract features from the target node, so as to obtain the initial embedding vector and the modified embedding vector; a first loss calculation module, used to obtain a first loss function based on the modified embedding vector, the initial embedding vector, and the embedding vectors of failed queries; a second loss calculation module, used to calculate the second loss function based on the query result corresponding to the modified embedding vector predicted by the reward predictor and the query result obtained by the target model querying the target node after injecting fake nodes, the reward predictor being used to predict the query result of the target node; and a fake node generation module, used to calculate the gradient values of the first loss function and the second loss function with respect to the fake node using a pre-built fake node generator, iteratively update the gradient values using a gradient optimization method, and output the fake node when the iteration stops.

9. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that when the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 7.