Alternating iterative based node injection graph neural network adversarial attack method and device

By optimizing the graph neural network adversarial attack through an alternating iterative node injection method, the performance degradation of the GNN model under malicious sample perturbation is solved, achieving low-cost and highly covert adversarial attack effects, which is suitable for graph data security assessment and protection.

CN122242568APending Publication Date: 2026-06-19NAT UNIV OF DEFENSE TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NAT UNIV OF DEFENSE TECH
Filing Date
2026-03-19
Publication Date
2026-06-19

Smart Images

  • Figure CN122242568A_ABST
    Figure CN122242568A_ABST
Patent Text Reader

Abstract

This application relates to the fields of intelligent graph data processing and model security technology, providing a method and apparatus for adversarial attacks on graph neural networks based on alternating iteration. By utilizing an auxiliary model to update the adversarial attack graph, gradient oscillations caused by direct optimization on the target model are avoided. The target model is trained on the updated adversarial attack graph, providing gradients more closely aligned with the real training scenario for the next round of attack. Through the alternating process of repeatedly updating the adversarial attack graph and training the target model on the updated adversarial attack graph, a closed-loop feedback is formed, significantly shortening the number of rounds required for attack convergence, achieving the preset attack target without numerous iterations. The alternating iteration process makes the attack more closely resemble the data contamination process in real-world scenarios, reducing the risk of detection. By projecting gradient ascent, the features of the injected nodes are restricted to a feasible region, ensuring that the adversarial perturbation conforms to the distribution law of the original features, avoiding attack detection or model failure due to feature out-of-bounds errors.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the fields of intelligent graph data processing and model security technology, and in particular to a method and apparatus for adversarial attacks on graph neural networks based on alternating iteration node injection. Background Technology

[0002] Graph Neural Networks (GNNs) have been widely used for tasks such as node classification, relationship prediction, recommendation, and risk control due to their ability to learn representations on graph-structured data. Existing GNNs are typically based on a message-passing mechanism: node representations are iteratively updated by aggregating neighbor information, leading to downstream predictions. However, during the training phase, if a small number of malicious samples or structural increments are introduced into the training data graph, the model training process may be continuously perturbed, resulting in a significant decrease in model performance or incorrect predictions on specific targets. Various graph adversarial attack methods have been proposed in existing technologies: one type of method directly modifies the edges or original node features of the original graph; another type of method forms an incremental graph by adding new nodes and edges, avoiding direct modification of the original graph.

[0003] However, existing technologies have the following shortcomings: directly modifying the edges or node features of the original graph usually requires combinatorial optimization or search in the discrete structure space, which has a high computational cost and is more sensitive to data integrity audits; in existing node injection schemes, the construction of the injection structure and injection features may rely on complex policy learning or multi-round feedback mechanisms, which limits engineering implementation and scalability; in terms of concealment, if the connection scale or local structure of the injected node is significantly abnormal, it can be easily identified by simple statistical detection or rule audits.

[0004] Therefore, there is an urgent need for a technical solution that does not directly tamper with the original image, has more natural structural statistics, and can construct adversarial attack increments at a lower cost, for the security assessment and protection capability verification of GNN systems. Summary of the Invention

[0005] Therefore, it is necessary to provide a method and apparatus for adversarial attacks on graph neural networks based on alternating iteration to address the aforementioned technical problems.

[0006] An adversarial attack method for graph neural networks based on alternating iteration node injection includes the following steps:

[0007] Includes the following steps: S1. Obtain the clean graph and the initial target model, and initialize the adversarial attack graph to a clean graph; S2. Train the current target model on a clean map for one round to obtain the auxiliary model corresponding to the current target model; S3. Based on the current adversarial attack graph, generate injection nodes and construct the corresponding set of injection edges; based on the current auxiliary model and injection nodes, use the features of the injection nodes as optimization variables, perform gradient ascent on the training set with the goal of maximizing the training loss, output the optimized features of the injection nodes, and update the adversarial attack graph based on the optimized features. S4. Train the current target model on the updated adversarial attack graph for one round, generate the updated target model, and return to S2 until the attack target is achieved, and output the final adversarial attack graph.

[0008] In one embodiment, the current target model is trained once on a clean map to obtain an auxiliary model corresponding to the current target model, including: Obtain the auxiliary model by copying parameters from the current target model:

[0009] in, For the target model The parameters, For the first t The target model for the next iteration , This represents the maximum number of iterations. For auxiliary models The parameters, For the first t The auxiliary model corresponding to the target model in the next iteration; Will Train once on a clean map to obtain the auxiliary model corresponding to the current target model. :

[0010] in, For auxiliary models Parameters; For a clean image; This is the set of training nodes.

[0011] In one embodiment, based on the clean graph, injection nodes are generated, and a corresponding set of injection edges is constructed, including: Generate injection nodes for the current adversarial attack graph. ; Calculate the average degree on the clean map:

[0012] in, The average degree of cleanliness; The number of edges in the clean graph; This represents the number of nodes in the clean graph. Integerization; Number of anchor points; The nodes in the clean map are sorted in descending order of average degree to obtain the sequence. , take the sequence Mid-back Each node constructs an anchor point set:

[0013] in, For the set of anchor points; For sequence The k One element; Construct a corresponding set of injection edges based on the set of anchor points, and then associate the injection edges with the injection nodes. connect:

[0014] in, For injection nodes The set of injected edges.

[0015] In one embodiment, based on the current auxiliary model and the injected nodes, using the features of the injected nodes as optimization variables, a projective gradient ascent is performed on the training set with the goal of maximizing the training loss, outputting the optimized features of the injected nodes, and updating the adversarial attack graph based on the optimized features, including: Construct the first s The temporary adversarial attack graph for the next iteration:

[0016] in, For the first s The temporary adversarial attack graph of the next iteration; For the first s The adversarial attack graph of the next iteration; For the first s Features of the injected nodes in the next iteration; Train the current auxiliary model on the set of training nodes and calculate the training loss. calculate The gradient of the loss; Update the features of the injected nodes along the gradient direction, iterate to the maximum number of iterations, output the optimized features of the injected nodes, and update the adversarial attack graph based on the optimized features.

[0017] In one embodiment, the training loss is calculated according to the following formula:

[0018] in, This is due to training losses.

[0019] In one embodiment, the gradient is calculated according to the following formula:

[0020] in, For gradient; Features of the injected node.

[0021] In one embodiment, updating the features of the injected node along the gradient direction includes: Update the features of the injected node along the gradient direction:

[0022] in, For the first s Features of the injected nodes in +1 iterations; For projection operators; This represents the maximum number of iterations. This is the learning rate.

[0023] In one embodiment, updating the adversarial attack graph based on optimized features includes: Update the adversarial attack graph based on optimized features:

[0024] in, For the first t The adversarial attack graph of the next iteration; Optimization features for injected nodes.

[0025] In one embodiment, the current target model is trained once on the updated adversarial attack graph to generate an updated target model, including: Train the current target model once on the updated adversarial attack graph:

[0026] in, For the target model Parameters; Generate updated target model .

[0027] An adversarial attack device for graph neural networks based on alternating iteration node injection, comprising: The initialization module is used to obtain a clean image and an initial target model, and to initialize the adversarial attack graph as a clean image. The auxiliary model acquisition module is used to train the current target model on a clean map once to obtain the auxiliary model corresponding to the current target model. The adversarial attack graph optimization module is used to generate injection nodes and construct corresponding injection edge sets based on the current adversarial attack graph. Based on the current auxiliary model and injection nodes, the module uses the features of the injection nodes as optimization variables and performs gradient ascent on the training set with the goal of maximizing the training loss. It outputs the optimized features of the injection nodes and updates the adversarial attack graph based on the optimized features. The iterative output module is used to train the current target model on the updated adversarial attack graph for one round, generate the updated target model, and return it to the auxiliary model acquisition module until the attack target is reached, and output the final adversarial attack graph.

[0028] The aforementioned adversarial attack method and apparatus based on alternating iteration of node injection graph neural networks avoids gradient oscillations caused by direct optimization on the target model by using an auxiliary model to update the adversarial attack graph. The target model is trained on the updated adversarial attack graph, providing gradients that better reflect the real training scenario for the next round of attack. This alternating process of updating the adversarial attack graph and training the target model on it creates a closed-loop feedback loop, significantly shortening the number of rounds required for attack convergence and achieving the preset attack target without numerous iterations. Simultaneously, the alternating iteration process makes the attack more closely resemble the data contamination process in real-world scenarios, reducing the risk of detection. By projecting gradient ascent, the features of the injected nodes are restricted to a feasible region, ensuring that the adversarial perturbation conforms to the distribution pattern of the original features and preventing the attack from being detected or failing due to feature out-of-bounds errors. Attached Figure Description

[0029] Figure 1 This is a flowchart illustrating an adversarial attack method for a node injection graph neural network based on alternating iteration in one embodiment. Figure 2 Here is a flowchart of the adversarial attack graph update process in one embodiment; Figure 3 This is a graph showing the model accuracy trained on different samples in one embodiment; Figure 4 This is a block diagram of a node injection graph neural network adversarial device based on alternating iteration in one embodiment. Detailed Implementation

[0030] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0031] The adversarial attack method for node injection graph neural networks based on alternating iteration provided in this application can be applied to the security assessment and protection capability verification of GNN systems.

[0032] In one embodiment, such as Figure 1 As shown, a method for adversarial attacks on graph neural networks based on alternating iteration is provided, including the following steps: S1. Obtain the clean graph and the initial target model, and initialize the adversarial attack graph to the clean graph.

[0033] S2. Train the current target model on a clean map once to obtain the auxiliary model corresponding to the current target model.

[0034] S3. Based on the current adversarial attack graph, generate injection nodes and construct the corresponding set of injection edges; based on the current auxiliary model and injection nodes, use the features of the injection nodes as optimization variables, perform gradient ascent on the training set with the goal of maximizing the training loss, output the optimized features of the injection nodes, and update the adversarial attack graph based on the optimized features.

[0035] S4. Train the current target model on the updated adversarial attack graph for one round, generate the updated target model, and return to S2 until the attack target is achieved, and output the final adversarial attack graph.

[0036] In the aforementioned adversarial attack method based on alternating iteration of node injection into graph neural networks, the auxiliary model is used to update the adversarial attack graph, thus avoiding gradient oscillations caused by direct optimization on the target model. The target model is trained on the updated adversarial attack graph, providing gradients that better reflect the real training scenario for the next round of attack. This alternating process of repeatedly updating the adversarial attack graph and training the target model on it creates a closed-loop feedback loop, significantly shortening the number of rounds required for attack convergence and achieving the preset attack target without numerous iterations. Simultaneously, the alternating iteration process makes the attack more closely resemble the data contamination process in real-world scenarios, reducing the risk of detection. By projecting gradient ascent, the features of the injected nodes are restricted to the feasible region, ensuring that the adversarial perturbation conforms to the distribution pattern of the original features, preventing the attack from being detected or failing due to feature out-of-bounds errors.

[0037] In one embodiment, the current target model is trained once on a clean map to obtain an auxiliary model corresponding to the current target model, including: Obtain the auxiliary model by copying parameters from the current target model:

[0038] in, For the target model The parameters, For the first t The target model for the next iteration , This represents the maximum number of iterations. For auxiliary models The parameters, For the first t The auxiliary model corresponding to the target model in the next iteration; Will Train once on a clean map to obtain the auxiliary model corresponding to the current target model. :

[0039] in, For auxiliary models Parameters; For a clean image; This is the set of training nodes.

[0040] It should be noted that the clean image ,in, These represent the nodes, edges, and node attributes of the clean graph.

[0041] In this embodiment, an auxiliary model is generated by copying the parameters of the target model and then trained on a clean graph. This retains the features of the target model while avoiding the interference of adversarial perturbations on the gradient, providing a stable gradient source for feature optimization of the injected nodes and making the optimization process more stable and controllable.

[0042] Reference Figure 2 In one embodiment, based on the clean graph, injection nodes are generated and a corresponding set of injection edges is constructed, including: Generate injection nodes for the current adversarial attack graph. ; Calculate the average degree on the clean map:

[0043] in, The average degree of cleanliness; The number of edges in the clean graph; This represents the number of nodes in the clean graph. Integerization; Number of anchor points; The nodes in the clean map are sorted in descending order of average degree to obtain the sequence. , take the sequence Mid-back Each node constructs an anchor point set:

[0044] in, For the set of anchor points; For sequence The k One element; Construct a corresponding set of injection edges based on the set of anchor points, and then associate the injection edges with the injection nodes. connect:

[0045] in, For injection nodes The set of injected edges.

[0046] It should be noted that the sequence obtained by arranging the nodes in the clean graph in descending order of average degree is... The elements within this graph are highly connected core nodes. The initial injection nodes in the currently generated adversarial attack graph are empty. When generated, it is simply a brand new, featureless, and unconnected empty node.

[0047] In this embodiment, the connection method of the injected nodes is dynamically generated based on the average degree of the clean graph and the core nodes, without relying on a fixed graph structure, and can adapt to graph data of different sizes and densities. Furthermore, since the injected nodes are connected to the highly connected core nodes of the original graph, adversarial perturbations can be diffused throughout the entire graph through the message passing mechanism of the GNN, amplifying the scope of the attack's impact.

[0048] Reference Figure 2 In one embodiment, based on the current auxiliary model and the injected node, using the features of the injected node as optimization variables, a projective gradient ascent is performed on the training set with the goal of maximizing the training loss, outputting the optimized features of the injected node, and updating the adversarial attack graph based on the optimized features, including: Construct the first s The temporary adversarial attack graph for the next iteration:

[0049] in, For the first s The temporary adversarial attack graph of the next iteration; For the first s The adversarial attack graph of the next iteration; For the first s Features of the injected nodes in the next iteration; Train the current auxiliary model on the set of training nodes and calculate the training loss. calculate The gradient of the loss; Update the features of the injected nodes along the gradient direction, iterate to the maximum number of iterations, output the optimized features of the injected nodes, and update the adversarial attack graph based on the optimized features.

[0050] In this embodiment, by fixing the auxiliary model parameters and updating the adversarial attack graph, the computational overhead is reduced through alternating iteration, enabling the method to be applied to adversarial attack scenarios involving large-scale graph data.

[0051] In one embodiment, the training loss is calculated according to the following formula:

[0052] in, This is due to training losses.

[0053] In one embodiment, the gradient is calculated according to the following formula:

[0054] in, For gradient; Features of the injected node.

[0055] In one embodiment, updating the features of the injected node along the gradient direction includes: Update the features of the injected node along the gradient direction:

[0056] in, For the first s Features of the injected nodes in +1 iterations; For projection operators; This represents the maximum number of iterations. This is the learning rate.

[0057] In this embodiment, the features of the injected node are restricted to the feasible region by the projection operator, ensuring that the adversarial perturbation conforms to the distribution law of the original features and avoiding the attack being detected or invalidated by the model due to feature out-of-bounds.

[0058] In one embodiment, updating the adversarial attack graph based on optimized features includes: Update the adversarial attack graph based on optimized features:

[0059] in, For the first t The adversarial attack graph of the next iteration; Optimization features for injected nodes.

[0060] In one embodiment, the current target model is trained once on the updated adversarial attack graph to generate an updated target model, including: Train the current target model once on the updated adversarial attack graph:

[0061] in, For the target model Parameters; Generate updated target model .

[0062] To verify the effectiveness of the method proposed in this invention, experiments were conducted. Let the training set node set be... The total injection budget is 5% of the number of nodes in the training set, i.e. An outer loop iteratively employs an alternating "injection-training" approach. In each round, the learning rate of the target model is fixed at one round of training on the adversarial attack graph. 0.01. The injection adopts a batch strategy, with the number of nodes injected in each round being 0.01% of the total budget. ,Right now After 100 rounds, the cumulative injection is approximately After injecting a structure with completion-guided features and an average number of connections, the newly injected node features are updated using projective gradient ascent on the training set loss, and the adversarial feature learning rate is set to... The inner layer update steps are .

[0063] GCN is the most basic and widely used model among all GNN variants. GCN is used as a proxy model for transfer attacks. The GCNs used have three hidden layers with dimensions of 256, 128, and 64, respectively. In a black-box setting, adversarial attacks are performed on the proxy GCN model, and the resulting adversarial examples are transferred to other target models for training and testing. Other target models include GCN, TAGCN, GraphSAGE, RobustGCN, GIN, and APPNP.

[0064] The proposed method was used to validate the performance of at least one target graph neural network model and several optional backbone models on multiple graph datasets. The validation results are shown in Table 1. Table 1. Validation results of different models on different datasets

[0065] Taking the performance metrics of node classification tasks as an example, the target model GCN decreased from 0.6338 to 0.5302 (an absolute decrease of 0.1036) on the KDD dataset before and after poisoning, from 0.9000 to 0.8362 (an absolute decrease of 0.0638) on the Reddit dataset, and from 0.6888 to 0.5702 (an absolute decrease of 0.1186) on the Arxiv dataset. On various selected backbone models (such as Rgcn, Sgcn, GraphSAGE, GCN_LM, TAGCN, APPNP, and GIN), an average performance degradation was observed before and after poisoning: the average performance on the KDD dataset decreased from 0.6682 to 0.5368 (an average decrease of 0.1314), the average performance on the Reddit dataset decreased from 0.9136 to 0.8389 (an average decrease of 0.0747), and the average performance on the Arxiv dataset decreased from 0.6999 to 0.5968 (an average decrease of 0.1031), indicating that the method of this invention can produce a consistent performance degradation effect on different models.

[0066] In terms of resource consumption, the peak GPU memory usage was approximately 4479.85MB for Reddit, 4293.28MB for KDD, and 1370.63MB for Arxiv; the average execution time was approximately 5×268.312s for Reddit, 6×214.983s for KDD, and 6×42.049s for Arxiv. Therefore, it can be seen that the method of this invention achieves the effect of adversarial attacks while its computational resource overhead is within an achievable engineering range. Specific results are shown in Table 2: Table 2 Resource Cost Table

[0067] Reference Figure 3 During the attack, the model Training was conducted using only toxic samples from each stage, while Then, by alternating between normal and toxic samples for training, and testing the accuracy of the two models on the test set at each stage, it can be found that adversarial samples can effectively reduce the accuracy of the model on the test machine.

[0068] It should be understood that although the steps in the flowchart are shown sequentially as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order requirement for the execution of these steps, and they can be executed in other orders. Furthermore, Figure 1At least some of the steps in the process may include multiple sub-steps or multiple stages. These sub-steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these sub-steps or stages is not necessarily sequential, but can be executed in turn or alternately with other steps or at least some of the sub-steps or stages of other steps.

[0069] In one embodiment, such as Figure 4 As shown, a node injection graph neural network adversarial attack device based on alternating iteration is provided, comprising: Initialization module 901 is used to obtain a clean graph and an initial target model, and to initialize the adversarial attack graph as a clean graph.

[0070] The auxiliary model acquisition module 902 is used to train the current target model on a clean map once to obtain the auxiliary model corresponding to the current target model.

[0071] The adversarial attack graph optimization module 903 is used to generate injection nodes and construct corresponding injection edge sets based on the current adversarial attack graph; based on the current auxiliary model and injection nodes, the module uses the features of the injection nodes as optimization variables, performs gradient ascent on the training set with the goal of maximizing the training loss, outputs the optimized features of the injection nodes, and updates the adversarial attack graph based on the optimized features.

[0072] The iterative output module 904 is used to train the current target model on the updated adversarial attack graph for one round, generate the updated target model, and return it to the auxiliary model acquisition module until the attack target is reached, and output the final adversarial attack graph.

[0073] Specific limitations regarding the adversarial attack device based on alternating iteration of node injection graph neural networks can be found in the limitations of the adversarial attack method based on alternating iteration of node injection graph neural networks mentioned above, and will not be repeated here. Each module in the aforementioned adversarial attack device based on alternating iteration of node injection graph neural networks can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device in hardware form, or stored in the memory of a computer device in software form, so that the processor can call and execute the operations corresponding to each module.

[0074] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.

[0075] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of the invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.

Claims

1. A method for adversarial attacks on graph neural networks based on alternating iteration of node injection, characterized in that, Includes the following steps: S1. Obtain the clean graph and the initial target model, and initialize the adversarial attack graph to a clean graph; S2. Train the current target model on a clean map for one round to obtain the auxiliary model corresponding to the current target model; S3. Based on the current adversarial attack graph, generate injection nodes and construct the corresponding set of injection edges; Based on the current auxiliary model and the injected nodes, the features of the injected nodes are used as optimization variables. The gradient ascent is performed on the training set with the goal of maximizing the training loss. The optimized features of the injected nodes are output, and the adversarial attack graph is updated based on the optimized features. S4. Train the current target model on the updated adversarial attack graph for one round, generate the updated target model, and return to S2 until the attack target is achieved, and output the final adversarial attack graph.

2. The adversarial attack method for node injection graph neural networks based on alternating iteration as described in claim 1, characterized in that, Train the current target model once on a clean map to obtain the corresponding auxiliary model, including: Obtain the auxiliary model by copying parameters from the current target model: in, For the target model The parameters, For the first t The target model for the next iteration , This represents the maximum number of iterations. For auxiliary models The parameters, For the first t The auxiliary model corresponding to the target model in the next iteration; Will Train once on a clean map to obtain the auxiliary model corresponding to the current target model. : in, For auxiliary models Parameters; For a clean image; This is the set of training nodes.

3. The adversarial attack method for node injection graph neural networks based on alternating iteration as described in claim 2, characterized in that, Based on the clean graph, injectable nodes are generated, and the corresponding set of injectable edges is constructed, including: Generate injection nodes for the current adversarial attack graph. ; Calculate the average degree on the clean map: in, The average degree of cleanliness; The number of edges in the clean graph; This represents the number of nodes in the clean graph. Integerization; Number of anchor points; The nodes in the clean map are sorted in descending order of average degree to obtain the sequence. , take the sequence Mid-back Each node constructs an anchor point set: in, For the set of anchor points; For sequence The k One element; Construct a corresponding set of injection edges based on the set of anchor points, and then associate the injection edges with the injection nodes. connect: in, For injection nodes The set of injected edges.

4. The adversarial attack method for node injection graph neural networks based on alternating iteration as described in claim 3, characterized in that, Based on the current auxiliary model and injected nodes, using the features of the injected nodes as optimization variables, and aiming to maximize the training loss, a gradient ascent is performed on the training set to output the optimized features of the injected nodes. The adversarial attack graph is then updated based on these optimized features, including: Construct the first s The temporary adversarial attack graph for the next iteration: in, For the first s The temporary adversarial attack graph of the next iteration; For the first s The adversarial attack graph of the next iteration; For the first s Features of the injected nodes in the next iteration; Train the current auxiliary model on the set of training nodes and calculate the training loss. calculate The gradient of the loss; Update the features of the injected nodes along the gradient direction, iterate to the maximum number of iterations, output the optimized features of the injected nodes, and update the adversarial attack graph based on the optimized features.

5. The adversarial attack method for node injection graph neural networks based on alternating iteration as described in claim 4, characterized in that, The training loss is calculated according to the following formula: in, This is due to training losses.

6. The adversarial attack method for node injection graph neural networks based on alternating iteration as described in claim 5, characterized in that, The gradient is calculated according to the following formula: in, For gradient; Features of the injected node.

7. The adversarial attack method for node injection graph neural networks based on alternating iteration as described in claim 6, characterized in that, Update the features of the injected node along the gradient direction, including: Update the features of the injected node along the gradient direction: in, For the first s Features of the injected nodes in +1 iterations; For projection operators; This represents the maximum number of iterations. This is the learning rate.

8. The adversarial attack method for node injection graph neural networks based on alternating iteration as described in claim 7, characterized in that, The adversarial attack graph is updated based on optimized features, including: Update the adversarial attack graph based on optimized features: in, For the first t The adversarial attack graph of the next iteration; Optimization features for injected nodes.

9. The adversarial attack method for node injection graph neural networks based on alternating iteration as described in claim 8, characterized in that, Train the current target model once on the updated adversarial attack graph to generate an updated target model, including: Train the current target model once on the updated adversarial attack graph: in, For the target model Parameters; Generate updated target model .

10. A device for adversarial attacks on graph neural networks based on alternating iteration of node injection, characterized in that, include: The initialization module is used to obtain a clean image and an initial target model, and to initialize the adversarial attack graph as a clean image. The auxiliary model acquisition module is used to train the current target model on a clean map once to obtain the auxiliary model corresponding to the current target model. The adversarial attack graph optimization module is used to generate injection nodes and construct the corresponding set of injection edges based on the current adversarial attack graph. Based on the current auxiliary model and the injected nodes, the features of the injected nodes are used as optimization variables. The gradient ascent is performed on the training set with the goal of maximizing the training loss. The optimized features of the injected nodes are output, and the adversarial attack graph is updated based on the optimized features. The iterative output module is used to train the current target model on the updated adversarial attack graph for one round, generate the updated target model, and return it to the auxiliary model acquisition module until the attack target is reached, and output the final adversarial attack graph.