Research On Graph Adversarial Attack Algorithm Based On Reinforcement Learning

Applying deep learning models to graph data has shown excellent performance in many graph-related tasks,such as social networks and knowledge graphs.However,studies have shown that,like other classical deep neural networks,the model performance of graph neural networks will significantly degrade when the input graph data contains carefully constructed adversarial perturbations.Such graph data containing malicious perturbations are called adversarial samples,and the process of constructing adversarial samples to attack graph neural networks is called graph adversarial attack.Existing graph adversarial attacks usually construct adversarial samples by directly modifying the global topology of the original graph,but such modification will change the important topological characteristics of the graph and are easily detected by the detection system,so it is not feasible in most practical applications.Meanwhile,many high-performance attack methods assume that the attacker can obtain complete information such as the architecture,gradients,and parameters of the target model.But in real scenarios,the detailed information about the target model is often unavailable to attackers.To address the above problems,the main research work includes the following two aspects:(1)In order to avoid the modification of the topology information in the original graph due to adversarial attacks,a single node injection attack(SNIA)algorithm based on reinforcement learning is proposed.SNIA constructs fake nodes with fake features and connects them to real nodes in the original graph.The attack strategy of injecting new nodes can achieve the purpose of attacking the graph neural network model without changing the existing topology structure in the graph.At the same time,in order to ensure that fake nodes can bypass the detection system and not be detected by the target model,the principle of generative adversarial network is used for reference.By introducing a discriminative network into the SNIA model,the generated fake nodes are encouraged to have similar features to the nodes in the original graph.SNIA models the process of adding fake nodes as a Markov Decision Process,where the current graph structure represents the state and the action is represented by selecting the node.Then each action is evaluated using a reinforcement learning algorithm to generate adversarial examples.Experiment results show that the adversarial samples obtained by SNIA can make the misclassification rate of the target graph convolutional network model reach about 80%,and can be used to attack different types of graph neural network models.(2)To further improve the imperceptibility of perturbation,we consider more limited practical attack scenarios,and proposes a single node adversarial attack(SNAA)based on reinforcement learning.SNAA only constructs perturbations by modifying the1-hop neighbor node feature vector of the target node in the graph.Firstly,SNAA models the process of modifying node features as a Markov Decision Process,using the current graph to represent the state and the action as modifying node features.Then we evaluate each action to generate perturbations using a reinforcement learning algorithm based on the Actor-Critic framework.And in order to further improve the efficiency of perturbation,types of different methods for selecting attacked nodes are studied.Through experiments on multiple datasets,it is shown that SNAA can implement effective attacks on various graph neural networks;comparisons of various baseline algorithms show that attacking the features of a single node is more effective than attacking a single edge.The two graph adversarial attack algorithms proposed in this research belong to indirect attacks,that is,they do not directly attack the target node.This attack strategy is more practical in the physical world,because attackers usually can only manipulate their own nodes.Using the adversarial samples obtained by the attack algorithm proposed in this research,the robust graph neural network model is trained based on adversarial training framework.The experimental results show that the model after adversarial training performs a certain extent of defense against adversarial perturbations.Through the study of adversarial attack algorithms on graph data,we can understand the robustness of graph neural networks when faced with malicious attacks,improve the interpretability of the model and promote the application of graph neural networks more widely used in real world.