Article Preview
Top1. Introduction
All kinds of relationships can be represented by graphs, including social relationships (Gupta et al., 2018), paper citation relationships (Sen et al., 2008), and communication topologies (Leskovec et al., 2007). Compared with traditional machine learning methods, graph neural networks (GNNs) can better model complex relationships. For this reason, GNNs have attracted extensive attention. Many representative models have also been proposed, such as GCN (Kipf et al., 2017), GAT (Veličković et al., 2017) and GraphSAGE (Hamilton et al., 2017). Generally, GNNs realize information transfer between adjacent nodes through well-designed aggregation operation. The obtained graph representations can be applied to various downstream tasks, such as node classification (Wu et al., 2019; Xu et al., 2019), graph classification (Xie & Ying, 2021; Zhang et al., 2019) and community discovery (Chen et al., 2019; Zhang et al., 2020; Zhang et al., 2019). In addition, abstract contents, including images (Nhi et al., 2022) and documents (Stylianou et al., 2022; Ismail et al., 2022; Urkalan & Geetha, 2020), can be interpreted as nodes in the graph. The graph-based methods help discovering the relationship among contents.
However, GNNs inherit the vulnerability of deep neural networks (DNNs), which may be misguided by unnoticeable perturbation. The research of adversarial attacks on GNNs will clarify the vulnerability of GNNs and improve GNN models. In general, adversarial attacks on GNNs can be categorized into three types according to attack goals. The first type, the global attack on topology, includes CE-PGD (Xu et al., 2019) and Meta-Attack (Zugner et al., 2019). This type aims to degrade the overall performance of GNNs. The second type, the target-dependent attack, includes Nettack (Dai et al., 2018), FGA (Chen et al., 2018), and IG-Attack (Wu et al., 2019). This type attacks a single target node through direct or indirect ways. The third type, the universal attack on graph, aims to achieve the target-independent attack against all nodes. Graph universal attack (GUA) first defines the form of universal attack on the graph that any node can be attacked by flipping edges connected to anchor nodes (Zang et al., 2021). In this paper, we explore graph universal attack and defense on this basis.