Node injection attacks on Graph Neural Networks (GNNs) have received increasing attention recently, due to their ability to degrade GNN performance with high attack success rates. However, our study indicates that these attacks often fail in practical scenarios, since defense/detection methods can easily identify and remove the injected nodes. To address this, we devote to camouflage node injection attack, making injected nodes appear normal and imperceptible to defense/detection methods. Unfortunately, the non-Euclidean structure of graph data and the lack of intuitive prior present great challenges to the formalization, implementation, and evaluation of camouflage. In this paper, we first propose and define camouflage as distribution similarity between ego networks of injected nodes and normal nodes. Then for implementation, we propose an adversarial CAmouflage framework for Node injection Attack, namely CANA, to improve attack performance under defense/detection methods in practical scenarios. A novel camouflage metric is further designed under the guide of distribution similarity. Extensive experiments demonstrate that CANA can significantly improve the attack performance under defense/detection methods with higher camouflage or imperceptibility. This work urges us to raise awareness of the security vulnerabilities of GNNs in practical applications.

翻译：图神经网络上的节点注入攻击因其能以高攻击成功率降低GNN性能而受到广泛关注。然而，本研究表明，这些攻击在实际场景中往往失效，因为防御/检测方法可以轻松识别并移除注入节点。为解决此问题，我们致力于伪装节点注入攻击，使注入节点呈现正常状态，从而对防御/检测方法不可感知。然而，图数据的非欧几里得结构以及直观先验的缺乏为伪装的规范化、实现和评估带来了巨大挑战。本文首先提出并将伪装定义为注入节点自我网络与正常节点自我网络之间的分布相似性。随后在实现层面，我们提出了一种针对节点注入攻击的对抗性伪装框架CANA，以提升实际场景中面对防御/检测方法时的攻击性能。在分布相似性指导下，我们进一步设计了一种新型伪装度量指标。大量实验表明，CANA能够显著提升面对防御/检测方法时的攻击性能，并获得更高的伪装性或不可感知性。本工作促使我们警惕GNN在实际应用中的安全漏洞。