Graph Neural Networks (GNNs) excel across various applications but remain vulnerable to adversarial attacks, particularly Graph Injection Attacks (GIAs), which inject malicious nodes into the original graph and pose realistic threats. Text-attributed graphs (TAGs), where nodes are associated with textual features, are crucial due to their prevalence in real-world applications and are commonly used to evaluate these vulnerabilities. However, existing research focuses only on embedding-level GIAs, which inject node embeddings rather than actual textual content, limiting their applicability and simplifying detection. In this paper, we pioneer the exploration of GIAs at the text level, presenting three novel attack designs that inject textual content into the graph. Through theoretical and empirical analysis, we demonstrate that text interpretability, a factor previously overlooked at the embedding level, plays a crucial role in attack strength. Among the designs we investigate, the Word-frequency-based Text-level GIA (WTGIA) is particularly notable for its balance between performance and interpretability. Despite the success of WTGIA, we discover that defenders can easily enhance their defenses with customized text embedding methods or large language model (LLM)-based predictors. These insights underscore the necessity for further research into the potential and practical significance of text-level GIAs.