Recent research has revealed that Graph Neural Networks (GNNs) are susceptible to adversarial attacks targeting the graph structure. A malicious attacker can manipulate a limited number of edges, given the training labels, to impair the victim model's performance. Previous empirical studies indicate that gradient-based attackers tend to add edges rather than remove them. In this paper, we present a theoretical demonstration revealing that attackers tend to increase inter-class edges due to the message passing mechanism of GNNs, which explains some previous empirical observations. By connecting dissimilar nodes, attackers can more effectively corrupt node features, making such attacks more advantageous. However, we demonstrate that the inherent smoothness of GNN's message passing tends to blur node dissimilarity in the feature space, leading to the loss of crucial information during the forward process. To address this issue, we propose a novel surrogate model with multi-level propagation that preserves the node dissimilarity information. This model parallelizes the propagation of unaggregated raw features and multi-hop aggregated features, while introducing batch normalization to enhance the dissimilarity in node representations and counteract the smoothness resulting from topological aggregation. Our experiments show significant improvement with our approach.Furthermore, both theoretical and experimental evidence suggest that adding inter-class edges constitutes an easily observable attack pattern. We propose an innovative attack loss that balances attack effectiveness and imperceptibility, sacrificing some attack effectiveness to attain greater imperceptibility. We also provide experiments to validate the compromise performance achieved through this attack loss.

翻译：近期研究表明，图神经网络（GNN）易受到针对图结构的对抗性攻击。恶意攻击者可在获取训练标签后，通过操控有限数量的边来降低目标模型的性能。先前实证研究指出，基于梯度的攻击者倾向于增加边而非删除边。本文通过理论论证揭示了由于GNN的消息传递机制，攻击者倾向于增加类间边，这解释了部分以往实证观测现象。通过连接不同类别的节点，攻击者能更有效破坏节点特征，使此类攻击更具优势。然而，我们证明GNN消息传递的固有平滑性会模糊特征空间中的节点差异性，导致前向传播过程中关键信息的丢失。为解决此问题，我们提出一种具有多层次传播的新型替代模型，该模型可保留节点差异性信息。该模型并行传播未聚合的原始特征与多跳聚合特征，同时引入批归一化以增强节点表征的差异性，抵消拓扑聚合导致的平滑效应。实验结果验证了该方法带来的显著性能提升。此外，理论与实验证据均表明，增加类间边构成一种易于被观测的攻击模式。我们提出一种创新性的攻击损失函数，可在攻击有效性与隐蔽性之间取得平衡，通过牺牲部分攻击有效性来获得更高的隐蔽性。实验同样验证了该损失函数在折中性能上的有效性。