Prior attacks on graph neural networks have mostly focused on graph poisoning and evasion, neglecting the network's weights and biases. Traditional weight-based fault injection attacks, such as bit flip attacks used for convolutional neural networks, do not consider the unique properties of graph neural networks. We propose the Injectivity Bit Flip Attack, the first bit flip attack designed specifically for graph neural networks. Our attack targets the learnable neighborhood aggregation functions in quantized message passing neural networks, degrading their ability to distinguish graph structures and losing the expressivity of the Weisfeiler-Lehman test. Our findings suggest that exploiting mathematical properties specific to certain graph neural network architectures can significantly increase their vulnerability to bit flip attacks. Injectivity Bit Flip Attacks can degrade the maximal expressive Graph Isomorphism Networks trained on various graph property prediction datasets to random output by flipping only a small fraction of the network's bits, demonstrating its higher destructive power compared to a bit flip attack transferred from convolutional neural networks. Our attack is transparent and motivated by theoretical insights which are confirmed by extensive empirical results.

翻译：针对图神经网络的现有攻击主要集中于图数据投毒与逃避攻击，忽略了网络权值和偏置。传统基于权重的故障注入攻击（例如用于卷积神经网络的比特翻转攻击）未考虑图神经网络的独特特性。我们提出注入性比特翻转攻击，这是首个专门针对图神经网络的比特翻转攻击。该攻击瞄准量化消息传递神经网络中可学习的邻域聚合函数，削弱其区分图结构的能力，使其丧失韦斯费勒-莱曼测试的表达力。研究结果表明，利用特定图神经网络架构的数学特性可显著增强其对比特翻转攻击的脆弱性。注入性比特翻转攻击能仅通过翻转网络中极小比例的比特，便将各类图属性预测数据集上训练的最大表达能力图同构网络降级至随机输出，相比从卷积神经网络迁移的比特翻转攻击展现出更强的破坏力。本攻击具有透明性，其理论动机得到了广泛实证结果的支撑。