[Paper Review] Attack Graph Convolutional Networks by Adding Fake Nodes
The paper introduces fake node attacks to degrade GCN performance by inserting malicious nodes with optimized adjacency and features, and proposes Greedy and Greedy-GAN methods to craft such nodes.
In this paper, we study the robustness of graph convolutional networks (GCNs). Previous work have shown that GCNs are vulnerable to adversarial perturbation on adjacency or feature matrices of existing nodes; however, such attacks are usually unrealistic in real applications. For instance, in social network applications, the attacker will need to hack into either the client or server to change existing links or features. In this paper, we propose a new type of "fake node attacks" to attack GCNs by adding malicious fake nodes. This is much more realistic than previous attacks; in social network applications, the attacker only needs to register a set of fake accounts and link to existing ones. To conduct fake node attacks, a greedy algorithm is proposed to generate edges of malicious nodes and their corresponding features aiming to minimize the classification accuracy on the target nodes. In addition, we introduce a discriminator to classify malicious nodes from real nodes, and propose a Greedy-GAN attack to simultaneously update the discriminator and the attacker, to make malicious nodes indistinguishable from the real ones. Our non-targeted attack decreases the accuracy of GCN down to 0.03, and our targeted attack reaches a success rate of 78% on a group of 100 nodes, and 90% on average for attacking a single target node.
Motivation & Objective
- Motivate robustness assessment of GCNs in realistic attack scenarios where attackers add fake nodes rather than altering existing ones.
- Develop algorithms to design fake nodes with discrete adjacency and feature matrices that degrade GCN accuracy on target nodes.
- Ensure fake nodes remain undetected by distance-based and feature-based detectors via realism constraints.
- Evaluate attack effectiveness on standard graph benchmarks (Cora and Citeseer) under non-targeted and targeted settings.
Proposed method
- Introduce fake nodes by augmenting the adjacency and feature matrices with matrices B, C, and X_fake, starting from B=0, C=I.
- Propose Greedy attack that iteratively adds the most impactful edge or feature based on gradients of the attack objective J.
- Define a non-targeted attack objective that sums the margin between the top logit and the correct label across target nodes and maximize it under sparsity constraints.
- Extend to Greedy-GAN by adding a discriminator D to encourage fake node features to resemble real ones, optimizing J + c L(D(X'),Y) under adversarial training.
- Adapt to targeted attacks by replacing the objective to push target nodes toward chosen labels and evaluate with group and single-node scenarios.
- Provide data-poisoning experiments by retraining GCN after injecting fake nodes and assess robustness across normalizations.
Experimental results
Research questions
- RQ1Can inserting fake nodes degrade GCN performance on existing nodes without modifying the original node attributes?
- RQ2How effective are greedy strategies (Greedy and Greedy-GAN) at crafting fake nodes under discrete adjacency/feature constraints?
- RQ3Does a discriminator-guided (GAN-like) approach improve stealthiness of fake nodes while maintaining attack effectiveness?
- RQ4What is the impact of fake nodes on targeted vs. non-targeted node classification on standard benchmarks (Cora, Citeseer)?
- RQ5How do row-wise and symmetric normalizations influence robustness to fake node attacks and data poisoning?
Key findings
- Non-targeted attacks using Greedy reach near-champion degradation, reducing accuracy to as low as 0.03 on some setups for single-node targets.
- Group-targeted attacks on 100 nodes achieve substantial success, with higher efficacy when targeting common classes and using targeted labeling.
- Greedy-GAN can produce fake nodes that are harder to distinguish from real nodes, achieving competitive attack performance while improving detectability resistance.
- Data poisoning experiments show that both attacking and retraining under modified data can significantly reduce GCN accuracy, with symmetric normalization showing relative robustness.
- Attacks perturb graph structure only slightly, keeping changes within close bounds of network distributions, and degree-based analyses show low-degree nodes are more vulnerable.
Better researchstarts right now
From paper design to paper writing, dramatically reduce your research time.
No credit card · Free plan available
This review was created by AI and reviewed by human editors.