While graph neural networks have achieved state-of-the-art performances in many real-world tasks including graph classification and node classification, recent works have demonstrated they are also extremely vulnerable to adversarial attacks. Most previous works have focused on attacking node classification networks under impractical white-box scenarios. In this work, we will propose a non-targeted Hard Label Black Box Node Injection Attack on Graph Neural Networks, which to the best of our knowledge, is the first of its kind. Under this setting, more real world tasks can be studied because our attack assumes no prior knowledge about (1): the model architecture of the GNN we are attacking; (2): the model's gradients; (3): the output logits of the target GNN model. Our attack is based on an existing edge perturbation attack, from which we restrict the optimization process to formulate a node injection attack. In the work, we will evaluate the performance of the attack using three datasets, COIL-DEL, IMDB-BINARY, and NCI1.

翻译：尽管图神经网络在图分类和节点分类等许多实际任务中取得了最先进的性能，但近期研究表明它们也极易受到对抗攻击。以往的大多数工作聚焦于在非实际的白盒场景下攻击节点分类网络。在本工作中，我们将提出一种非定向的硬标签黑盒节点注入攻击方法（Hard Label Black Box Node Injection Attack on Graph Neural Networks），据我们所知，这是该领域的首次尝试。在此设定下，由于我们的攻击方法无需任何先验知识，可以研究更多实际任务：无需（1）目标图神经网络的模型架构；（2）模型的梯度信息；（3）目标图神经网络模型的输出logits。我们的攻击方法基于现有的边扰动攻击，通过限制优化过程来构建节点注入攻击。在本工作中，我们将使用三个数据集（COIL-DEL、IMDB-BINARY和NCI1）评估该攻击的性能。