Graph neural networks (GNNs) have achieved state-of-the-art performance in many graph learning tasks. However, recent studies show that GNNs are vulnerable to both test-time evasion and training-time poisoning attacks that perturb the graph structure. While existing attack methods have shown promising attack performance, we would like to design an attack framework that further enhances their performance. In particular, our attack framework is inspired by certified robustness, which was originally used by defenders to defend against adversarial attacks. We are the first, from the attacker perspective, to leverage its properties to better attack GNNs. Specifically, we first derive nodes' certified perturbation sizes against graph evasion and poisoning attacks, respectively, based on randomized smoothing. A larger certified perturbation size of a node indicates that the node is theoretically more robust to graph perturbations. This property motivates us to focus more on nodes with smaller certified perturbation sizes, as they are more easily attacked after graph perturbations. Accordingly, we design a certified robustness inspired attack loss which, when incorporated into (any) existing attack, produces our certified robustness inspired attack counterpart. We apply our framework to the existing attacks, and the results show that it can significantly enhance the existing base attacks' performance.