Attacking Graph-based Classification via Manipulating the Graph Structure

03/01/2019, by Binghui Wang et al., Iowa State University of Science and Technology

Graph-based classification methods are widely used for security and privacy analytics. Roughly speaking, graph-based classification methods include collective classification and graph neural network. Evading a graph-based classification method enables an attacker to evade detection in security analytics and can be used as a privacy defense against inference attacks. Existing adversarial machine learning studies mainly focused on machine learning for non-graph data. Only a few recent studies have touched on adversarial graph-based classification methods. However, they focused on graph neural network methods, leaving adversarial collective classification largely unexplored. We aim to bridge this gap in this work. We first propose a threat model to characterize the attack surface of a collective classification method. Specifically, we characterize an attacker’s background knowledge along three dimensions: parameters of the method, training dataset, and the complete graph; an attacker’s goal is to evade detection via manipulating the graph structure. We formulate our attack as a graph-based optimization problem, solving which produces the edges that an attacker needs to manipulate to achieve its attack goal. Moreover, we propose several approximation techniques to solve the optimization problem. We evaluate our attacks and compare them with a recent attack designed for graph neural networks. Results show that our attacks 1) can effectively evade graph-based classification methods; 2) do not require access to the true parameters, true training dataset, and/or complete graph; and 3) outperform the existing attack for evading collective classification methods and some graph neural network methods. We also apply our attacks to evade Sybil detection using a large-scale Twitter dataset and apply our attacks as a defense against attribute inference attacks using a large-scale Google+ dataset.


1 Introduction

Graph-based classification methods have been widely applied to various security problems such as malware detection [14, 57], Sybil detection in social networks [71, 69, 10, 34, 23, 65], fake review detection [1, 63], auction fraud detection [45], and APT infection detection [44]. Moreover, they were also used as privacy attacks to infer private attributes of social network users [25, 24, 35]. Specifically, given 1) a graph and 2) a training dataset (some labeled positive nodes and labeled negative nodes), a graph-based classification method predicts the remaining unlabeled nodes in the graph to be either positive or negative. The semantics of the graph, positive, and negative are different in different security and privacy problems. For instance, in Sybil detection, the graph could be a friendship graph where nodes are users and edges represent friendship between users, while positive means Sybil and negative means normal user. In attribute inference on social networks, the graph is also a friendship graph, while positive means that a user has a certain attribute (e.g., lives in a certain city) and negative means that the user does not have the attribute.

Roughly speaking, there are two categories of graph-based classification methods, i.e., collective classification [29, 71, 10, 69, 39, 9, 34, 45, 14, 23, 57, 1, 22, 65, 62, 64, 63] and graph neural network [50, 66, 36, 6]. Collective classification defines a prior reputation score for each node based on the training dataset, assigns certain weights to edges, and propagates the prior reputation scores in the weighted graph to obtain a posterior reputation score for each node. The posterior reputation scores are used to classify nodes. For instance, certain state-of-the-art collective classification methods assign the same weight to all edges and use Linearized Loopy Belief Propagation (LinLBP) to propagate the reputation scores [65, 62, 64]. Graph neural network aims to generalize neural networks to graph data. These methods learn feature vectors for nodes based on the graph structure and use them to classify nodes. For certain security and privacy problems, collective classification outperforms graph neural network [63]. Moreover, collective classification methods were deployed in industry for malware detection [14, 57] and Sybil detection in social networks [10, 9].

As graph-based classification methods are adopted to enhance security, an attacker is motivated to evade them. Moreover, when an attacker uses graph-based classification methods as attribute inference attacks to compromise user privacy, evading them can be used as a privacy protection mechanism [33]. However, existing studies [43, 30, 7, 53, 56, 27, 37, 46, 68, 12, 51, 40, 8, 67, 38, 70, 31, 18, 19, 52, 49, 21, 60, 61] on adversarial machine learning mainly focused on machine learning for non-graph data, with only a few studies [59, 15, 16, 74] as exceptions. In particular, Chen et al. [15] proposed an attack against graph-based clustering, e.g., spectral clustering. Several recent works [16, 74, 55] proposed attacks against graph neural network methods via manipulating the graph structure, i.e., inserting fake edges into the graph or deleting existing edges. However, collective classification under adversarial settings is largely unexplored.

In this work, we study attacks to collective classification via manipulating the graph structure. We generate the fake edges and the deleted edges based on the collective classification method LinLBP, because 1) LinLBP achieves state-of-the-art performance, and 2) LinLBP uses the same weight for all edges, making our formulated optimization problem easier to solve. However, we will empirically show that our attacks based on LinLBP can also transfer to other collective classification methods and graph neural network methods, as they all leverage the graph structure.

We consider that an attacker has some positive nodes (e.g., malware, Sybils, fake reviews) and aims to spoof LinLBP to misclassify them as negative via manipulating the graph structure. In other words, the attacker aims to increase the False Negative Rate (FNR) of its positive nodes. We propose to characterize the attacker’s background knowledge along three dimensions: Parameter, Training dataset, and Graph, which characterize whether the attacker knows the parameters (i.e., prior reputation scores and edge weights) used by LinLBP, the training dataset, and the complete graph, respectively. Inserting/deleting different edges may incur different costs to the attacker. For instance, inserting an edge between the attacker’s positive nodes is less expensive than inserting an edge between two negative nodes that are not under the attacker’s control. Therefore, we associate a (different) cost with inserting or deleting each edge. The attacker’s goal is to achieve a high FNR (e.g., FNR=1) for its positive nodes with a minimal total cost of inserting/deleting edges.

We formulate our attack as an optimization problem, where the objective function is the total cost of modifying the graph structure and the constraint is FNR=1 for the attacker’s selected positive nodes. However, it is computationally challenging to solve such an optimization problem because 1) the constraint is highly nonlinear and 2) the optimization problem is a binary optimization problem (inserting or deleting an edge is a binary decision). We propose several techniques to approximately solve the optimization problem. For instance, we relax the binary variables in the optimization problem to be continuous variables and convert them to binary values after solving the optimization problem; we use posterior reputation scores as an alternative to FNR and translate the constraint FNR=1 into the objective function via Lagrangian multipliers; and we propose to alternately solve the optimization problem and compute the posterior reputation scores.

We first extensively evaluate our attacks using graphs with real-world negative nodes and synthetic positive nodes. Our attacks are effective, e.g., our attacks can increase the FNR from 0 to above 0.90 in many cases. Our attack is still effective even if the attacker does not have access to the parameters of LinLBP (our attack can use substitute parameters), the training dataset (our attack can use a substitute training dataset), and the complete graph (a 20% partial graph is sufficient). Moreover, our attacks can also transfer to other collective classification methods including random walk based methods [34], Loopy Belief Propagation based methods [23], and the recent Joint Weight Learning and Propagation method [63] that learns edge weights, as well as graph neural network methods including Graph Convolutional Network (GCN) [36], LINE [58], DeepWalk [48], and node2vec [28]. Second, we compare our attack with an attack called Nettack [74] that generates fake edges and deleted edges based on the graph neural network method GCN. We find that for GCN, Nettack outperforms our attack; for other graph neural network methods, i.e., LINE, DeepWalk, and node2vec, our method outperforms Nettack; and for collective classification methods, our attack substantially outperforms Nettack. Third, we apply our attacks to evade Sybil detection in social networks using a large-scale Twitter dataset with real Sybils. Our results show that our attacks can effectively evade collective classification based Sybil detection. Moreover, we apply our attacks as a privacy protection method to defend against attribute inference attacks using a real-world Google+ dataset. Our results show that our attacks can effectively protect users’ private attributes (i.e., cities lived) in the Google+ dataset.

Our contributions can be summarized as follows:

  • We perform the first systematic study on attacks to collective classification via manipulating the graph structure.

  • We propose a threat model of attacking collective classification, formulate our attack as an optimization problem, and propose techniques to approximately solve the problem.

  • We extensively evaluate our attacks and compare them with a recent attack using multiple datasets. Moreover, we apply our attacks to evade Sybil detection and as a privacy protection mechanism to defend against attribute inference attacks in social networks.

2 Related Work

2.1 Graph-based Classification Methods

Roughly speaking, there are two categories of graph-based classification methods, i.e., collective classification and graph neural network.

2.1.1 Collective Classification

Collective classification has been applied for graph-based security and privacy analytics for over a decade. Specifically, given a training dataset, collective classification first defines a prior reputation score for each node in the graph. Then, it assigns or learns weights for the edges in the graph and propagates the prior reputation scores among the graph to obtain a posterior reputation score for each node. The posterior reputation scores are used to classify unlabeled nodes. Different collective classification methods use different ways to define the prior reputation scores, assign/learn the edge weights, and propagate the prior reputation scores. In particular, state-of-the-art collective classification methods include Random Walk (RW) based methods [73, 29, 71, 10, 69, 39, 9, 34], Loopy Belief Propagation (LBP) based methods [45, 14, 23, 57, 1, 22], Linearized Loopy Belief Propagation (LinLBP) based methods [65, 35, 62, 64], and Joint Weight Learning and Propagation (JWP) method [63].

RW-based methods assign prior reputation scores 1, 0, and 0.5 to the labeled positive nodes, labeled negative nodes, and unlabeled nodes, respectively. Moreover, they assign the same weight (e.g., [73]) or weights learnt using node attributes (e.g., [9]) to edges. Finally, they leverage random walk to propagate the reputation scores in the weighted graph. In particular, they iteratively distribute a node’s current reputation score to its neighbors in proportion to the edge weights, and a node sums the reputation scores from its neighbors as its new reputation score. LBP-based methods often assign the same weight for all edges. Moreover, they model the graph as a pairwise Markov Random Field and leverage the standard LBP to perform inference, which obtains the posterior reputation scores. However, LBP has two well-known limitations: it is not guaranteed to converge for loopy graphs and it is not scalable (because it maintains messages on each edge). LinLBP linearizes LBP to address the two limitations. We will discuss details of LinLBP in Section 3.1. LinLBP and LBP based methods were shown to outperform RW-based methods [35, 64].
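For illustration, the following is a minimal NumPy sketch of the random-walk propagation described at the start of this paragraph, assuming equal edge weights; it is a generic sketch, not the implementation of any specific RW-based system.

```python
# A generic sketch of RW-based propagation with equal edge weights: each node
# distributes its current reputation score to its neighbors in proportion to
# the edge weights, and every node sums the scores received from its neighbors.
import numpy as np

def rw_propagate(adj, prior, iters=10):
    deg = adj.sum(axis=1, keepdims=True)
    deg[deg == 0] = 1.0                     # guard against isolated nodes
    transition = adj / deg                  # row-normalized transition matrix
    scores = prior.copy()
    for _ in range(iters):
        scores = transition.T @ scores      # sum of scores distributed by neighbors
    return scores

# Toy usage: priors are 1 (labeled positive), 0 (labeled negative), 0.5 (unlabeled).
A = np.array([[0, 1, 1],
              [1, 0, 0],
              [1, 0, 0]], dtype=float)
print(rw_propagate(A, np.array([1.0, 0.0, 0.5])))
```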

JWP [63] jointly learns edge weights and propagates reputation scores. Given the current posterior reputation scores, JWP learns edge weights such that 1) the labeled positive nodes and labeled negative nodes have large and small posterior reputation scores in the next iteration, respectively, and 2) an edge has a large weight if the two corresponding nodes are predicted to have the same label using its current posterior reputation scores, otherwise the edge has a small weight. Given the learnt edge weights, JWP computes the posterior reputation scores in the next iteration, e.g., using LinLBP-based propagation. JWP outperforms LinLBP [63]. However, attacking JWP directly is challenging because JWP learns edge weights. Specifically, when we insert fake edges to the graph or delete existing edges, the impact of these inserted/deleted edges on the classification of the attacker’s positive nodes relies on the edge weights that need to be re-learnt by JWP. Therefore, we will focus on attacking LinLBP and empirically show that our attacks also transfer to RW-based methods, LBP-based methods, and JWP.

2.1.2 Graph Neural Network

These methods aim to generalize neural networks to graph data. In particular, they learn feature vectors for nodes using neural networks and use them to classify nodes.

Some graph neural network methods [50, 66, 36, 6] learn the node feature vectors and classify nodes simultaneously. Roughly speaking, in these methods, neurons in the hidden layers of a neural network represent feature vectors of nodes, which are used to classify nodes in the last layer of the neural network. The architecture of the neural network is determined by the graph structure, e.g., a neuron in a layer that models a certain node is connected with the neurons in the previous layer that model the node’s neighbors. In other words, the neural network iteratively computes a feature vector of a node via aggregating the feature vectors of the node’s neighbors. The neural network parameters are learnt via minimizing a graph-based loss function on both labeled nodes in the training dataset and the remaining unlabeled nodes. In particular, the graph-based loss function is small if nodes sharing the same label have similar feature vectors and nodes having different labels have distinct feature vectors. For instance, Graph Convolutional Network (GCN) [36] leverages spectral graph convolutions [17] in a neural network to learn feature vectors, and adopts a logistic regression classifier in the last layer.

Some graph neural network methods [48, 58, 11, 28] first learn feature vectors for nodes in an unsupervised learning fashion (also known as graph embedding); then they use the feature vectors and the training dataset to learn a standard binary classifier (e.g., logistic regression); and finally they use the classifier to predict labels for the unlabeled nodes. Different methods learn the feature vectors using different techniques. For instance, DeepWalk [48] learns feature vectors via generalizing the word-to-vector technique developed for natural language processing to graph data. In particular, DeepWalk treats a node as a word in natural language, generates node sequences (like sentences in natural language) using truncated random walks, and leverages the skip-gram model [42] to learn a feature vector for each node. LINE [58] learns nodes’ feature vectors by preserving both first-order and second-order proximity, where the first-order proximity captures the links in the graph (e.g., the first-order proximity between two nodes is 0 if they are not connected) and the second-order proximity between two nodes captures the similarity between their neighborhoods.

2.2 Adversarial Graph-based Learning

Existing studies on adversarial machine learning mainly focused on machine learning for non-graph data. In particular, studies have demonstrated that machine learning is vulnerable to adversarial examples [43, 30, 7, 53, 56, 27, 37, 46, 68, 12, 51, 40], poisoning attacks [8, 67, 38, 70, 31, 18], privacy attacks against users (e.g., model inversion attacks [20, 19], membership inference attacks [52, 49], property inference attacks [3, 21]), as well as model parameter and hyperparameter stealing attacks [60, 61].

Graph-based machine learning under adversarial settings is much less explored. In particular, only a few studies have focused on adversarial graph-based machine learning. For instance, Chen et al. [15] proposed a practical attack against graph-based clustering, e.g., spectral clustering. Torkamani and Lowd [59] proposed an attack against associative Markov network-based classification methods. However, they considered an attacker who manipulates up to a fixed number of binary-valued node attributes instead of manipulating the graph structure. Several works [16, 74, 55] proposed attacks against graph neural network methods via inserting fake edges into the graph or deleting existing edges. For instance, Zügner et al. [74] proposed an attack called Nettack against GCN [36]. First, Nettack defines a graph-structure-preserving perturbation, which constrains that the node degree distributions of the graph before and after the attack should be similar. Then, Nettack learns a surrogate linear model of GCN. Finally, Nettack generates fake edges and deleted edges via maximizing a surrogate loss function with respect to the graph structure, where the optimization problem is subject to the node degree distribution constraint.

Our attack is designed for collective classification and is complementary to existing attacks that target graph neural network methods.

3 Background and Problem Formulation

3.1 Linearized Loopy Belief Propagation

Suppose we are given an undirected graph $G = (V, E)$ (our attacks can also be generalized to directed graphs), where $u \in V$ is a node and $(u, v) \in E$ is an edge. $|V|$ and $|E|$ are the number of nodes and edges, respectively. Moreover, we have a training dataset $L$, which consists of a set of labeled positive nodes $L_P$ and a set of labeled negative nodes $L_N$. Like many collective classification methods, Linearized Loopy Belief Propagation (LinLBP) assigns a prior reputation score to each node based on the training dataset. In particular, LinLBP assigns the prior reputation score $q_u$ for a node $u$ as follows:

$q_u = \theta$ if $u \in L_P$, $\;\; q_u = -\theta$ if $u \in L_N$, $\;\; q_u = 0$ otherwise,   (1)

where $\theta$ is a parameter of LinLBP. LinLBP assigns the same weight $w$ in the interval (0, 0.5] for all edges. A larger weight means that two linked nodes are more likely to have the same label. We denote by $\mathbf{A}$ the adjacency matrix of the graph, and by $\mathbf{W}$ a $|V| \times |V|$ matrix, every entry of which is the weight $w$. Then, the posterior reputation scores in LinLBP are a solution of the following system:

$\mathbf{p} = \mathbf{q} + \mathbf{A} \circ \mathbf{W} \, \mathbf{p},$   (2)

where $\mathbf{q}$ is the column vector of prior reputation scores of all nodes, $\mathbf{p}$ is the column vector of posterior reputation scores of all nodes, and $\circ$ means element-wise product of two matrices. We note that $\mathbf{A} \circ \mathbf{W}$ essentially is the weight matrix of the graph. However, as we will see in the next section, splitting the weight matrix into the element-wise product of $\mathbf{A}$ and $\mathbf{W}$ makes it easier to present our techniques to solve the optimization problem that models our attack. The posterior reputation scores are iteratively computed as follows:

$\mathbf{p}^{(t)} = \mathbf{q} + \mathbf{A} \circ \mathbf{W} \, \mathbf{p}^{(t-1)},$   (3)

where $\mathbf{p}^{(t)}$ is the column vector of posterior reputation scores in the $t$-th iteration. When the posterior reputation scores converge, a node $u$ is predicted to be negative if and only if its posterior reputation score is negative, i.e., $p_u < 0$. We note that LinLBP essentially has two parameters, i.e., the prior reputation score parameter $\theta$ and the edge weight parameter $w$.
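As a concrete illustration of Equations 1-3, here is a minimal NumPy sketch of LinLBP on a small dense graph. The parameter values and the toy graph are placeholders, and the authors' actual implementation is in C++ on large sparse graphs.

```python
# A minimal NumPy sketch of LinLBP (Equations 1-3) on a small dense graph.
import numpy as np

def linlbp(adj, labeled_pos, labeled_neg, theta=0.5, w=0.05, iters=10):
    n = adj.shape[0]
    # Equation 1: prior scores are theta / -theta / 0 for labeled positive,
    # labeled negative, and unlabeled nodes, respectively.
    q = np.zeros(n)
    q[list(labeled_pos)] = theta
    q[list(labeled_neg)] = -theta
    # Equation 3: p^(t) = q + (A o W) p^(t-1), with the same weight w on every edge.
    p = q.copy()
    for _ in range(iters):
        p = q + w * (adj @ p)
    return p

# Toy usage on a 4-node path graph; a node is predicted negative iff its score < 0.
A = np.array([[0, 1, 0, 0],
              [1, 0, 1, 0],
              [0, 1, 0, 1],
              [0, 0, 1, 0]], dtype=float)
print(linlbp(A, labeled_pos={0}, labeled_neg={3}))
```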

3.2 Threat Model

Attacker’s background knowledge:  A LinLBP system is characterized by three major components: the parameters of LinLBP, a training dataset $L$, and a graph $G$. Therefore, we characterize an attacker’s background knowledge along three dimensions:

  • Parameter. This dimension characterizes whether the attacker knows the parameters (i.e., $\theta$ and $w$) of LinLBP.

  • Training. This dimension characterizes whether the attacker knows the training dataset.

  • Graph. This dimension characterizes whether the attacker knows the complete graph.

For convenience, we denote an attacker’s background knowledge as a triple (Parameter, Training, Graph), where Parameter can be Yes or No, Training can be Yes or No, and Graph can be Complete or Partial. For instance, a triple (Yes, Yes, Complete) means that the attacker (e.g., an insider) knows the parameters, the training dataset, and the complete graph. An attacker knows its positive nodes and the edges between them. An attacker could also know a subgraph of the negative nodes. For instance, in social networks, an attacker can develop a web crawler to collect a partial social graph of the negative nodes (i.e., normal users). We will empirically show that our attack is still effective even if the attacker uses substitute parameters, a substitute training dataset, and a partial graph.

Attacker’s capability:  We consider that an attacker can change the graph structure, i.e., the attacker can insert fake edges into the graph or delete existing edges. For instance, in social networks, an attacker can create new edges among its created Sybils (positive nodes) or remove existing edges between its created Sybils. In addition, an attacker may also compromise normal users (negative nodes) and create edges between the compromised users and its Sybils. However, adding or removing different edges may incur different costs for the attacker. For instance, in the graph-based Sybil detection problem, adding an edge between two Sybils requires a smaller cost than adding an edge between a Sybil and a compromised normal user, as an attacker usually needs extra effort to compromise a normal user. Therefore, we associate a cost with inserting/deleting each edge, where the costs may depend on the security and privacy application. Moreover, in certain applications, the maximum number of edges that can be inserted/deleted for a node is bounded. For instance, in online social networks, the number of friends (i.e., edges) a user can have is often bounded. Therefore, we introduce a parameter $K$, which is the maximum number of edges that can be inserted/deleted for a node.

Attacker’s goal:  Suppose an attacker has some selected positive nodes (e.g., malware, Sybils, fake reviews), which we call target nodes. We consider that the attacker’s goal is to make the target nodes evade detection by LinLBP. Specifically, the attacker aims to manipulate the graph structure with a minimal total cost such that LinLBP misclassifies the target nodes as negative. In other words, the attacker’s goal is to achieve a high False Negative Rate (FNR) for its target nodes via manipulating the graph structure with a minimal total cost. We note that the target nodes may be a subset of the positive nodes under the attacker’s control.

3.3 Problem Definition

After describing our threat model, we can formally define our problem as follows:

Definition 1 (Attack to LinLBP)

Given some target nodes, the attacker’s background knowledge, the cost of inserting/deleting each edge, and the maximum number of inserted/deleted edges for each node, an attack to LinLBP is to manipulate the graph structure with a minimal total cost such that LinLBP achieves as high an FNR for the target nodes as possible.

4 Our Attacks

We first discuss our attacks under the threat model where the attacker knows the parameters of LinLBP, the training dataset, and the complete graph. Then, we adjust our attacks to the scenarios where the attacker does not have access to the parameters, the training dataset, and/or the complete graph.

4.1 Para.=Yes, Training=Yes, Graph=Comp.

Overview:  We first formulate our attack as an optimization problem. Specifically, we associate a binary variable with each pair of nodes, where a binary variable has a value of 1 if and only if our attack changes the connection state between the corresponding two nodes. The objective function of the optimization problem is the total cost of manipulating the graph structure and the constraints are 1) FNR=1 for the attacker’s target nodes and 2) the maximum number of inserted/deleted edges per node is bounded by $K$. However, it is computationally challenging to solve the optimization problem exactly because the problem is a binary optimization problem that has $|V|(|V|-1)/2$ binary variables and the constraint FNR=1 is highly nonlinear.

To address the challenges, we propose techniques to approximately solve the optimization problem. Specifically, we relax the binary variables to continuous variables whose values are in the interval [0, 1] and convert them to binary values after solving the optimization problem; and we reduce the optimization to the binary variables that are related to the attacker’s target nodes. Moreover, we translate the constraint FNR=1 into a constraint on the posterior reputation scores of the attacker’s target nodes and add the constraint to the objective function using Lagrangian multipliers. However, the converted optimization problem still faces a computational challenge because the posterior reputation scores depend on the graph structure (i.e., the continuous variables in the optimization problem) in a complex way, i.e., each variable could influence the posterior reputation score of each node. To address the challenge, we propose to alternately optimize the continuous variables in the optimization problem and compute the posterior reputation scores. Our key idea is that posterior reputation scores are computed iteratively. Instead of using the final posterior reputation scores, we use the intermediate posterior reputation scores to optimize the continuous variables in the optimization problem.

Formulating our attack as an optimization problem:  We associate a binary variable $B_{uv}$ with each pair of nodes $u$ and $v$. $B_{uv} = 1$ if our attack changes the connection state between $u$ and $v$, otherwise $B_{uv} = 0$. Specifically, if $u$ and $v$ are already connected in the original graph, then $B_{uv} = 1$ if our attack deletes the edge between $u$ and $v$; if $u$ and $v$ are not connected in the original graph, then $B_{uv} = 1$ if our attack inserts an edge between $u$ and $v$. As we discussed in our threat model in Section 3.2, inserting/deleting different edges may incur different costs for the attacker. Therefore, we associate a variable $C_{uv}$ with each pair of nodes $u$ and $v$ to represent the cost of modifying the connection state between $u$ and $v$. In particular, $B_{uv} = 1$ incurs a cost $C_{uv}$ for the attacker. Therefore, the total cost of an attack is $\sum_{u, v \in V,\, u < v} B_{uv} C_{uv}$, where $V$ is the set of nodes in the graph and the constraint $u < v$ essentially means that we count the cost once for each pair of nodes. We note that, for the same node pair, we could also associate a cost for inserting an edge between them and a different cost for deleting the existing edge between them. Our method is also applicable to such fine-grained costs. However, for simplicity, we focus on modeling the same cost for inserting/deleting an edge.

The attacker has a set of selected target nodes $T$ and aims to achieve a high FNR (i.e., FNR=1 in our formulation) for the target nodes with a minimal total cost. Formally, our attack aims to find the variables $B_{uv}$ via solving the following optimization problem:

$\min_{\mathbf{B}} \; \sum_{u, v \in V,\, u < v} B_{uv} C_{uv}$   (4)
subject to $\;\text{FNR} = 1,$   (5)
$B_{uv} \in \{0, 1\}, \; \forall u, v \in V,$   (6)
$\sum_{v \in V} B_{uv} \le K, \; \forall u \in V,$   (7)

where the matrix $\mathbf{B}$ includes all the binary variables for each pair of nodes, the objective function is the total cost, the first constraint means that all target nodes are misclassified as negative, the second constraint means that the variables in the optimization problem are binary, and the third constraint means that the maximum number of inserted/deleted edges for each node is bounded by $K$. For convenience, we call the matrix $\mathbf{B}$ the adversarial matrix.

Challenges for solving the optimization problem:  Solving the optimization problem in Equation 4 exactly faces several challenges. First, the variables are binary. Second, the optimization problem has $|V|(|V|-1)/2$ binary variables, one for each pair of nodes. Third, the constraint FNR=1 is highly nonlinear.

Our techniques for approximately solving the optimization problem:  We propose several approximation techniques to address the challenges. To address the first challenge, we relax the binary variable to a continuous variable whose value is in the interval [0, 1] and convert it to a binary value after solving the optimization problem.

In practice, it is often expensive to modify the connection states between negative nodes that are not under the attacker’s control. Therefore, to address the second challenge, we reduce the optimization space to the edges between the attacker’s target nodes and the remaining nodes as well as the edges between the target nodes. Specifically, we solve the optimization problem over the variables related to the attacker’s target nodes, i.e., the variables $B_{uv}$ where $u \in T$ and $v \in V \setminus T$ and the variables $B_{uv}$ where $u, v \in T$, where the first set of variables characterizes the connection states between the target nodes and the remaining nodes while the second set of variables characterizes the connection states between the target nodes.

Recall that a node is predicted to be negative if its posterior reputation score is negative. Therefore, to address the third challenge, we replace the constraint FNR=1 with the constraint $p_u < 0$ for each target node $u \in T$. Moreover, we convert the constraint on posterior reputation scores to the objective function via Lagrangian multipliers. Summarizing our approximation techniques, we aim to solve the following optimization problem:

$\min_{\mathbf{B}} \; \sum_{u, v \in V,\, u < v} \bar{B}_{uv} C_{uv} + \lambda \sum_{u \in T} p_u$   (8)
subject to $\; B_{uv} \in [0, 1],$   (9)
$\sum_{v \in V} B_{uv} \le K, \; \forall u,$   (10)

where $\lambda$ is a Lagrangian multiplier, $\bar{B}_{uv}$ is the binarized value of the continuous variable $B_{uv}$, and the posterior reputation scores are a solution of the following system:

$\mathbf{p} = \mathbf{q} + \left[ (\mathbf{A} + \bar{\mathbf{B}} - 2\mathbf{A} \circ \bar{\mathbf{B}}) \circ \mathbf{W} \right] \mathbf{p},$   (11)

where $\mathbf{A}$ is the adjacency matrix of the original graph, $\bar{\mathbf{B}}$ is the binarized adversarial matrix, and $\mathbf{W}$ is a matrix with every entry as the edge weight $w$. $\mathbf{A} + \bar{\mathbf{B}} - 2\mathbf{A} \circ \bar{\mathbf{B}}$ essentially is the adjacency matrix of the graph after our attack.
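To make Equation 11 concrete, here is a minimal NumPy sketch (dense matrices, assumed helper names; not the authors' C++ implementation) that iterates the linear system on the attacked graph:

```python
# A minimal NumPy sketch of Equation 11: the attacked adjacency matrix is
# A + B - 2*A*B (entrywise), i.e., the XOR of the original adjacency matrix A
# and the binarized adversarial matrix B.
import numpy as np

def posterior_after_attack(A, B_bar, q, w=0.05, iters=10):
    attacked_adj = A + B_bar - 2 * A * B_bar   # flip exactly the modified connection states
    p = q.copy()
    for _ in range(iters):
        p = q + w * (attacked_adj @ p)         # p = q + [(A xor B) o W] p with constant weight w
    return p
```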

A popular method to solve the above optimization problem is to use gradient descent. However, it is still computationally challenging because the posterior reputation scores depend on the variables in a complex way, i.e., every variable influences each posterior reputation score according to the system in Equation 11. To address the challenge, we propose to alternately optimize the variables in the optimization problem and compute the posterior reputation scores. Our key insight is that posterior reputation scores are iteratively computed. Instead of using the final posterior reputation scores, we use the intermediate posterior reputation scores to solve the optimization problem. Then, given the intermediate variables $\mathbf{B}$, we update the posterior reputation scores. Specifically, we repeat the following two steps.

Step I: updating posterior reputation scores. We update the posterior reputation scores $\mathbf{p}^{(t)}$ in the $t$-th iteration using the adversarial matrix $\bar{\mathbf{B}}^{(t-1)}$ in the $(t-1)$-th iteration as follows:

$\mathbf{p}^{(t)} = \mathbf{q} + \left[ (\mathbf{A} + \bar{\mathbf{B}}^{(t-1)} - 2\mathbf{A} \circ \bar{\mathbf{B}}^{(t-1)}) \circ \mathbf{W} \right] \mathbf{p}^{(t-1)}.$   (12)

Step II: updating adversarial matrix. In this step, we update the adversarial matrix $\bar{\mathbf{B}}^{(t)}$ in the $t$-th iteration while fixing the posterior reputation scores $\mathbf{p}^{(t)}$ in the $t$-th iteration. For convenience, we transform the optimization problem in Equation 8 to the following optimization problem:

$\min_{\{\mathbf{B}_u\}_{u \in T}} \; \sum_{u \in T} \left( \bar{\mathbf{B}}_u \tilde{\mathbf{c}}_u^{T} + \lambda\, p_u \right)$   (13)
subject to $\; B_{uv} \in [0, 1],$   (14)
$\sum_{v \in V} B_{uv} \le K, \; \forall u \in T,$   (15)

where $\mathbf{B}_u$ is the $u$-th row of the matrix $\mathbf{B}$ (i.e., the modified connection states between a node $u$ and the remaining nodes), $\tilde{\mathbf{c}}_u$ is the adjusted $u$-th row of the cost matrix $\mathbf{C}$, $^{T}$ is transpose of a vector, and $p_u$ is the posterior reputation score of target node $u$. Specifically, $\tilde{c}_{uv} = C_{uv}$ if $u \in T$ and $v \notin T$, while $\tilde{c}_{uv} = C_{uv}/2$ if $u, v \in T$ (because each pair of nodes between the target nodes in $T$ is counted twice in the objective function).

We use projected gradient descent to solve the optimization problem in Equation 13. Specifically, we iteratively apply the following steps for each target node $u \in T$:

$\mathbf{B}_u^{\text{new}} = \mathbf{B}_u - \eta\, \frac{\partial F(\mathbf{B}_u)}{\partial \mathbf{B}_u},$   (16)
$\mathbf{B}_u = \mathrm{proj}(\mathbf{B}_u^{\text{new}}),$   (17)

where $F(\mathbf{B}_u)$ is the objective function in Equation 13, $\eta$ is the learning rate, the first equation means we update the variables using gradient descent, and the second equation means that we project the variables to satisfy the two constraints in Equation 13. Note that the variables are initialized using the adversarial matrix in the $(t-1)$-th iteration, i.e., $\mathbf{B}_u = \bar{\mathbf{B}}_u^{(t-1)}$. Specifically, the gradient can be computed as follows:

$\frac{\partial F(\mathbf{B}_u)}{\partial \mathbf{B}_u} = \tilde{\mathbf{c}}_u \circ \mathrm{sign}(\mathbf{B}_u) + \lambda\, w\, (\mathbf{1} - 2\mathbf{a}_u)\, \mathrm{diag}(\mathbf{p}^{(t)}),$   (18)

where $\mathbf{a}_u$ is the $u$-th row of the adjacency matrix, the sign operator applies to every entry of the vector $\mathbf{B}_u$, and $\mathrm{diag}(\mathbf{p}^{(t)})$ is a diagonal matrix with the diagonal elements $p_1^{(t)}, p_2^{(t)}, \cdots, p_{|V|}^{(t)}$. Note that when computing the gradient, we approximate $\bar{\mathbf{B}}_u$ as $\mathbf{B}_u$ in the computation of $p_u$. Moreover, the operator proj is defined as follows:

$\mathrm{proj}(\mathbf{B}_u^{\text{new}}) = \operatorname{argmin}_{\mathbf{B}_u:\; B_{uv} \in [0, 1],\; \sum_{v} B_{uv} \le K} \; \|\mathbf{B}_u - \mathbf{B}_u^{\text{new}}\|_2^2,$   (19)

which means that the proj operator aims to find a vector that is the closest to the vector $\mathbf{B}_u^{\text{new}}$ in terms of Euclidean distance and that satisfies the constraint $B_{uv} \in [0, 1]$ and a relaxed constraint $\sum_v B_{uv} \le K$ on the maximum number of inserted/deleted edges for node $u$. The optimization problem in Equation 19 can be solved exactly by the break point search method [72]. We repeat Equations 16 and 17 for multiple iterations to solve $\mathbf{B}_u$. However, more iterations make our method less efficient. In our experiments, we repeat 4 iterations to solve $\mathbf{B}_u$, as we find that 4 iterations achieve a good trade-off between accuracy and efficiency.
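For illustration, the following is a minimal sketch of the projection in Equation 19 onto the set $\{\mathbf{x} : 0 \le x_v \le 1, \sum_v x_v \le K\}$. The paper solves the projection exactly with the break point search method of [72]; this sketch instead bisects on a shift parameter, which yields a numerically close solution under the same constraints.

```python
# Euclidean projection onto {x : 0 <= x_i <= 1, sum(x) <= K}, sketched with a
# bisection search; the paper uses the exact break point search method of [72].
import numpy as np

def project_capped_box(z, K, tol=1e-8):
    x = np.clip(z, 0.0, 1.0)
    if x.sum() <= K:                    # the plain box projection already meets the budget
        return x
    # Otherwise shift every entry down by mu >= 0 until the clipped sum equals K.
    lo, hi = 0.0, float(z.max())
    while hi - lo > tol:
        mu = 0.5 * (lo + hi)
        if np.clip(z - mu, 0.0, 1.0).sum() > K:
            lo = mu
        else:
            hi = mu
    return np.clip(z - hi, 0.0, 1.0)

# Example: project a gradient iterate with a budget of K = 2 modified edges.
print(project_capped_box(np.array([0.9, 0.8, 0.7, 0.1, -0.3]), K=2))
```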

After solving $\mathbf{B}_u$, we convert it to binary values. Specifically, we first convert each entry $B_{uv}$ to 1 if $B_{uv} > 0.5$ and 0 otherwise. Then, we further check whether the sum of the converted binary values is larger than the upper bound $K$ of the number of inserted/deleted edges per node. If yes, we select the $K$ largest entries in $\mathbf{B}_u$ and convert them to 1, while we convert the remaining entries in the vector to 0. Finally, we assign the converted binary vector as the corresponding row $\bar{\mathbf{B}}_u^{(t)}$ of the adversarial matrix in the $t$-th iteration. Note that such a converted adversarial matrix may not be symmetric for the target nodes. Specifically, we may have $\bar{B}_{uv}^{(t)} \neq \bar{B}_{vu}^{(t)}$ for a pair of target nodes $u$ and $v$. Therefore, we perform another postprocessing step for the edges between target nodes. Specifically, we set $\bar{B}_{uv}^{(t)} = \bar{B}_{vu}^{(t)} = \bar{B}_{uv}^{(t)} \wedge \bar{B}_{vu}^{(t)}$, i.e., we modify the connection state between $u$ and $v$ only if both $\bar{B}_{uv}^{(t)} = 1$ and $\bar{B}_{vu}^{(t)} = 1$.
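For illustration, the binarization and symmetrization post-processing described above can be sketched as follows; the helper names are ours and the rounding threshold follows the description above.

```python
# A sketch of the post-processing: round the relaxed row vector to binary
# values, enforce at most K modifications per target node, and keep a
# modification between two target nodes only if both directions agree.
import numpy as np

def binarize_row(b_row, K):
    binary = (b_row > 0.5).astype(int)
    if binary.sum() > K:
        binary = np.zeros_like(binary)
        binary[np.argsort(b_row)[-K:]] = 1   # keep only the K largest relaxed entries
    return binary

def symmetrize_target_pairs(B_bar, targets):
    for u in targets:
        for v in targets:
            if u < v:
                agree = B_bar[u, v] & B_bar[v, u]   # modify (u, v) only if both rows say so
                B_bar[u, v] = B_bar[v, u] = agree
    return B_bar
```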

Computational complexity:  We first analyze the time complexity in one iteration. In Step I, updating the posterior reputation scores traverses all edges in the graph and the time complexity is $O(|E|)$. In Step II, for each target node $u$, updating $\mathbf{B}_u$ in Equation 16 traverses all nodes and requires a time complexity of $O(|V|)$; and the proj operator requires a time complexity of $O(|V| \log |V|)$ [72]. Therefore, computing the adversarial matrix in the $t$-th iteration requires a time complexity of $O(r\,|T|\,|V| \log |V|)$, where $r$ is the number of iterations used to compute $\mathbf{B}_u$. Suppose we alternate between Step I and Step II for $n$ iterations, then the total time complexity is $O(n(|E| + r\,|T|\,|V| \log |V|))$.

4.2 Parameter=No

When the attacker does not know the parameters of LinLBP, i.e., the prior reputation score parameter $\theta$ and/or the edge weight $w$, the attacker can randomly select parameters from their corresponding domains (for instance, the edge weight is selected from the interval (0, 0.5]) as the substitute parameters. Then, the attacker uses our attack with the substitute parameters to generate the inserted fake edges and deleted existing edges.

4.3 Training=No

The attacker can sample a substitute training dataset when the attacker does not have access to the training dataset used by the LinLBP. Specifically, the attacker knows its positive nodes. Therefore, the attacker can sample some nodes from its positive nodes as labeled positive nodes in the substitute training dataset. Moreover, the attacker can sample some nodes from the nodes that are not its positive nodes as labeled negative nodes in the substitute training dataset. Then, the attacker applies our attack using the substitute training dataset to generate the inserted fake edges and deleted existing edges.

4.4 Graph=Partial

The attacker at least knows its positive nodes and edges between them. Suppose the attacker also knows a subgraph of the negative nodes. For instance, in online social networks, the attacker can develop a web crawler to collect at least a partial social graph of the negative nodes (i.e., normal users). Then, the attacker applies our attack on the partial graph, which includes the subgraph of the positive nodes and the subgraph of negative nodes, to generate inserted fake edges and deleted existing edges.

4.5 Para.=No, Training=No, Graph=Partial

In this scenario, the attacker has the least knowledge of a LinLBP system. The attacker uses the substitute parameters, samples a substitute training dataset, and leverages the partial graph to perform our attack.

5 Evaluation on Synthetic Datasets

We use three real-world graphs with synthesized positive nodes to evaluate our attacks and compare them with a recent attack [74] designed for graph neural network.

Dataset #Nodes #Edges Ave. Deg. Clus. Coef.
Facebook 4,039 88,234 44 0.606
Enron 33,696 180,811 11 0.509
Epinions 75,877 811,478 21 0.138
Table 1: Dataset statistics

5.1 Experimental Setup

Dataset description:  We use three real-world graphs that represent different security applications. Each graph includes negative nodes, and we synthesize positive nodes. The three graphs are Facebook (4,039 nodes and 88,234 edges), Enron (33,696 nodes and 180,811 edges), and Epinions (75,877 nodes and 811,478 edges), respectively. We obtained these graphs from SNAP (http://snap.stanford.edu/data/index.html). In the Facebook graph, a node represents a user; two users are connected if they are friends with each other; a node is negative if it is a normal user; and a node is positive if it is a malicious user (i.e., Sybil). In the Enron graph, a node represents an email address; an edge between two nodes indicates that at least one email was exchanged between the two corresponding email addresses; a node is negative if it is a normal email address; and a node is positive if it is a spamming email address. Epinions was a general review site that enabled users to specify which other users they trust. In the Epinions graph, a node represents a reviewer; an edge between two nodes indicates that they trust each other; negative means a normal reviewer; and positive means a fake reviewer.

In the graphs, we only have negative nodes. Therefore, we synthesize positive nodes. Different methods could be used to synthesize the positive nodes and edges between them. For instance, we could use a network generation model (e.g., Preferential Attachment [4]) developed by the network science community to synthesize the positive nodes and edges. However, existing network generation models often only capture certain characteristics of real graphs, e.g., Preferential Attachment only captures the degree distribution. As a result, the synthesized graph is still structurally different from real graphs. Therefore, to avoid the impact of structural differences between negative nodes and positive nodes, we replicate the negative nodes and their edges as positive nodes and edges in each of the three graph datasets, as prior studies (e.g., [2, 65]) on graph-based security analytics did. Moreover, we assume an attacker has already inserted some edges between positive nodes and negative nodes to make positive nodes connected with negative nodes. In particular, we add 10K edges between negative nodes and positive nodes uniformly at random in each graph. We add a relatively small number of edges so LinLBP can accurately detect the positive nodes, which can better illustrate the effectiveness of our attacks. Table 1 lists some basic statistics of the three graphs.
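For concreteness, here is a minimal sketch of this dataset construction; the function and variable names are placeholders, and duplicate random attack edges are not deduplicated in this simple version.

```python
# A sketch of the synthetic dataset construction: replicate the negative region
# as the positive region and add random attack edges between the two regions.
import random

def build_synthetic_graph(neg_edges, n_neg, n_attack_edges=10_000, seed=0):
    rng = random.Random(seed)
    edges = list(neg_edges)                                   # original negative nodes 0..n_neg-1
    edges += [(u + n_neg, v + n_neg) for u, v in neg_edges]   # replicated positive nodes and edges
    for _ in range(n_attack_edges):                           # random negative-positive attack edges
        u = rng.randrange(n_neg)
        v = n_neg + rng.randrange(n_neg)
        edges.append((u, v))
    labels = [0] * n_neg + [1] * n_neg                        # 0 = negative, 1 = positive
    return edges, labels
```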

Training dataset and testing dataset:  For each graph, we randomly select 100 positive nodes and 100 negative nodes to form a training dataset. The remaining nodes form the testing dataset.

Attacker’s target nodes:  An attacker aims to maintain some positive nodes (called target nodes) that evade detection. The target nodes could be a subset of the positive nodes, i.e., the attacker uses some other positive nodes to support the target nodes. The attacker could use different ways to select the target nodes. We consider the following three ways:

  • RAND: In this method, the attacker samples some positive nodes uniformly at random as the target nodes.

  • CC: The attacker selects a connected component of positive nodes as the target nodes. Specifically, the attacker first randomly picks a positive node as target node. Then, the attacker uses breadth first search to find other target nodes until finding the desired number of target nodes.

  • CLOSE: The attacker samples some positive nodes that are close to negative nodes. In particular, we adopt a variant of closeness centrality in network science to measure the closeness between a positive node and the negative nodes. Specifically, for a positive node, we compute the inverse of the sum of the distances between the positive node and all negative nodes as the closeness centrality of the positive node. Then, the attacker selects the positive nodes that have large closeness centrality as the target nodes.
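For illustration, the closeness-centrality variant used by CLOSE can be sketched with breadth-first search as follows; the graph is assumed to be given as an adjacency list, and the names are placeholders.

```python
# A BFS-based sketch of the closeness-centrality variant used by CLOSE: a
# positive node is scored by the inverse of the sum of its distances to all
# negative nodes, and the highest-scoring positive nodes become target nodes.
from collections import deque

def closeness_to_negatives(adj, node, negative_nodes):
    dist = {node: 0}
    queue = deque([node])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    total = sum(dist[v] for v in negative_nodes if v in dist)
    return 1.0 / total if total > 0 else 0.0

def select_close_targets(adj, positive_nodes, negative_nodes, num_targets):
    ranked = sorted(positive_nodes,
                    key=lambda u: closeness_to_negatives(adj, u, negative_nodes),
                    reverse=True)
    return ranked[:num_targets]
```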

The target nodes selected by CC are more structurally similar. If one of them evades detection, then others are also likely to evade. The target nodes selected by CLOSE could also evade detection, as they are close to negative nodes. Thus, we expect that our attacks are more effective when the target nodes are selected by CC and CLOSE than by RAND.

RAND
Dataset No attack Equal Uniform Categorical
FNR/FPR FNR/FPR #Edges #Add/#Del Cost FNR/FPR #Edges #Add/#Del Cost FNR/FPR #Edges #Add/#Del Cost
Facebook 0/0.01 0.78/0.09 1960 1855/105 1960 0.66/0.09 1988 1853/135 2082 0.60/0.09 1891 1884/7 19342
Enron 0/0.01 1.00/0.04 2000 2000/0 2000 0.96/0.03 1998 1993/5 2193 0.89/0.04 1884 1879/5 19257
Epinions 0/0 0.98/0.10 2000 1931/69 2000 0.94/0.09 2000 1995/5 2078 0.92/0.09 1971 1971/0 30010
CC
Dataset No attack Equal Uniform Categorical
FNR/FPR FNR/FPR #Edges #Add/#Del Cost FNR/FPR #Edges #Add/#Del Cost FNR/FPR #Edges #Add/#Del Cost
Facebook 0/0.01 0.94/0.11 1980 1747/233 1980 0.94/0.11 1996 1858/138 2184 0.68/0.09 1934 1540/394 25349
Enron 0/0.01 1.00/0.03 2000 2000/0 2000 0.99/0.03 2000 2000/0 2820 0.92/0.03 1764 1497/267 18237
Epinions 0/0 0.99/0.10 2000 1886/114 2000 0.94/0.10 2000 1993/7 2128 0.88/0.09 2000 1749/251 17741
CLOSE
Dataset No attack Equal Uniform Categorical
FNR/FPR FNR/FPR #Edges #Add/#Del Cost FNR/FPR #Edges #Add/#Del Cost FNR/FPR #Edges #Add/#Del Cost
Facebook 0/0.01 0.96/0.11 2000 1455/545 2000 0.93/0.11 1980 1385/595 2076 0.69/0.09 1983 1759/224 27124
Enron 0/0.01 1.00/0.03 2000 1828/172 2000 1.00/0.03 2000 1942/58 3781 0.90/0.03 1705 1705/0 21705
Epinions 0/0 1.00/0.10 2000 1960/40 2000 0.96/0.10 2000 1992/8 3854 0.86/0.09 1997 1651/346 21252
Table 2: Results of our attacks in different scenarios. The column “#Edges” shows the number of edges modified by our attack; the column “#Add/#Del” shows the respective numbers of inserted edges and deleted edges; and the column “Cost” shows the total cost of our attack. FPR is the fraction of negative nodes in the testing dataset misclassified as positive nodes. Our attacks can substantially increase the FNRs, while only slightly increasing the FPRs.

Simulating costs:  We associate a cost of modifying the connection state for each pair of nodes. While the costs are application-dependent, we simulate multiple scenarios in our experiments.

  • Equal cost: In this scenario, modifying the connection state for any pair of nodes has the same cost for the attacker. In particular, we assume the cost to be 1. We note that a recent attack called Nettack [74] for GCN essentially assumes the equal cost.

  • Uniform cost: We assume the costs for different node pairs are uniformly distributed over a certain interval. In particular, for each node pair, we sample a number from the interval uniformly at random as the cost of modifying the connection state between the node pair. In our experiments, we consider [1, 10] as the interval.

  • Categorical cost: In this scenario, we categorize node pairs into different groups and assign the same cost for each group. Specifically, it is easy for an attacker to insert edges between the positive nodes or remove existing edges between them. Therefore, we associate a small cost (i.e., 1 in our experiments) with modifying the connection state between two positive nodes. In practice, the attacker could have compromised some negative nodes, e.g., the attacker compromised some normal users in social networks via stealing their credentials through social engineering attacks. It is relatively easy for the attacker to modify the connection states between the compromised negative nodes and the positive nodes. However, it incurs costs for the attacker to compromise the negative nodes. Therefore, we associate a modest cost (i.e., 10) with modifying the connection state between a compromised negative node and a positive node. Finally, it is relatively hard for the attacker to modify the connection state between positive nodes and the remaining negative nodes that are not compromised. Therefore, we associate a large cost (i.e., 100) with modifying the connection state between a positive node and an uncompromised negative node. Note that our attack does not change the connection states between negative nodes, so the costs for them do not affect our attack. We randomly sample 100 negative nodes as the compromised negative nodes.
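For concreteness, the Categorical cost assignment can be written down as a cost matrix, e.g. as in the sketch below (node-set arguments are assumptions of this sketch; entries between two negative nodes are filled in but never used by our attack).

```python
# A sketch of the Categorical cost matrix: cost 1 between two positive nodes,
# 10 between a positive node and a compromised negative node, and 100 between a
# positive node and an uncompromised negative node.
import numpy as np

def categorical_costs(n_nodes, positive_nodes, compromised_negatives):
    pos = np.zeros(n_nodes, dtype=bool)
    pos[list(positive_nodes)] = True
    comp = np.zeros(n_nodes, dtype=bool)
    comp[list(compromised_negatives)] = True

    C = np.full((n_nodes, n_nodes), 100.0)   # positive <-> uncompromised negative (and unused entries)
    C[np.ix_(pos, comp)] = 10.0              # positive <-> compromised negative
    C[np.ix_(comp, pos)] = 10.0
    C[np.ix_(pos, pos)] = 1.0                # positive <-> positive
    return C
```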

Parameter setting:  We set the Lagrangian multiplier $\lambda$ to different values for Categorical cost and for the other two types of costs, considering their different magnitudes of cost values. We also set the learning rate $\eta$ in our attack. We explore the impact of $\lambda$ and $\eta$ and show the results in Figures 8 and 9 in Appendix A. Unless otherwise mentioned, we assume CC as the method of selecting target nodes, 100 target nodes, $K$=20 (i.e., the number of modified edges is bounded by 20 per node), and Equal cost (as previous attacks [16, 74, 55] used this cost). For LinLBP, we set the edge weight $w$=0.05 and fix the prior reputation score parameter $\theta$. We implement our attack against LinLBP [65] in C++. We obtained the publicly available C++ source code for LinLBP from the authors [65]. We perform all our experiments on a Linux machine with 512GB memory and 32 cores.

Our attack alternately performs Step I and Step II. In our experiments, we check the FNR of the target nodes in each iteration and stop the algorithm when it does not change in two consecutive iterations or when we reach the predefined maximum number of iterations (10 in our experiments). We found that the FNR converges within 10 iterations in our experiments.

5.2 Evaluation with Full Knowledge

We first evaluate our attacks in the threat model where the attacker knows the parameters of LinLBP, the training dataset, and the complete graph. There are six parameters that could affect our attack performance: the cost type (Equal cost, Uniform cost, and Categorical cost), the method used to select target nodes (RAND, CC, and CLOSE), the number of target nodes, the maximum number $K$ of modified edges per target node, the hyperparameter $\lambda$, and the hyperparameter $\eta$. When studying the impact of a specific parameter, we fix the remaining parameters to their default values. Next, we first show an overall result that demonstrates the effectiveness of our attacks. Then, we study the impact of each parameter.

Our attacks are effective:  Table 2 shows the results of our attacks on the three graphs for each method of selecting the target nodes and each type of cost. Our attacks are effective. Specifically, in most scenarios, our attacks increase the FNR from 0 to above 0.90. Our attacks use many more inserted edges than deleted edges. A possible reason is that the graphs are sparse, i.e., only a small fraction of node pairs are connected in the original graphs. Therefore, the space of inserting edges is much larger than the space of deleting edges, leading our attacks to generate many more inserted edges. Overall, our attacks are the least effective on Facebook, i.e., our attack achieves the lowest FNR on Facebook given the same method of selecting target nodes and the same cost type. The reason is that Facebook has the largest average degree (see Table 1). With the same maximum number (i.e., $K$) of modified edges per node, Facebook can better tolerate our attacks. Although our attacks are specially designed to increase the FNRs, we observe that our attacks also slightly increase the FPRs. We note that it is interesting future work to generalize our method to specifically increase FPRs.

More experiments:  Due to space limitations, we show more experimental results in Appendix A. Specifically, we study the impact of different types of costs, different target node selection methods, $K$, the number of target nodes, and the hyperparameters $\lambda$ and $\eta$. Our results show that 1) our attacks are more effective for Equal cost and Uniform cost than for Categorical cost; 2) our attacks are more effective when using CC and CLOSE than when using RAND to select the target nodes; 3) our attacks are more effective as $K$ increases; 4) our attacks are stable across different numbers of target nodes; and 5) our attacks achieve stable FNRs when $\lambda$ and $\eta$ are larger than certain thresholds.

Figure 1: FNRs of our attacks with different substitute parameters of LinLBP on Epinions.

5.3 Evaluation with Partial Knowledge

We consider multiple cases where the attacker does not have access to the parameters of LinLBP, the training dataset, and/or the complete graph. We only show results on the Epinions graph as we observe similar patterns on the other two graphs, and the results for the other two graphs are shown in Appendix B. Our results show that our attacks can still effectively increase the FNRs for the target nodes even if the attacker does not have access to the parameters of LinLBP, the training dataset, and/or the complete graph.

Parameter=No, Training=Yes, Graph=Complete (Case 1): In this case, the attacker does not know the parameters of LinLBP, i.e., the prior reputation score parameter $\theta$ and edge weight $w$. The attacker randomly samples numbers from their corresponding domains as the substitute parameters and applies our attacks with them. Figure 1 shows the FNRs of our attacks with different substitute parameters on Epinions, where Figure 1(a) explores different substitute values of $\theta$ and Figure 1(b) explores different substitute values of $w$. The FNRs of our attacks with different substitute parameters on Facebook and Enron are shown in Figure 10 and Figure 11 in Appendix B, respectively. We observe that our attacks are insensitive to the substitute value of $\theta$. Moreover, our attacks are more effective when the substitute weight parameter is closer to the true weight. Specifically, the true weight is 0.05. Our attacks achieve FNRs that are close to 1 when the substitute weight is smaller than 0.05, and the FNRs decrease as the substitute weight increases. However, even if the substitute weight is far from the true weight, our attacks are still effective. For instance, the FNR is still 0.88 when our attack uses 0.5 as the substitute weight.

Parameter=Yes, Training=No, Graph=Complete (Case 2): In this case, the attacker does not know the true training dataset used by LinLBP. However, the attacker knows its positive nodes, as they were created by itself, as well as the negative nodes. Therefore, the attacker can sample some positive nodes as labeled positive nodes and sample an equal number of negative nodes as labeled negative nodes, which are used as a substitute training dataset. Then, the attacker applies our attack using the substitute training dataset. Figure 2(a) shows the FNRs as a function of the size of the substitute training dataset on the Epinions graph. The FNRs vs. the size of the substitute training dataset on Facebook and Enron are displayed in Appendix B. We observe that as the size of the substitute training dataset increases, the FNRs of our attacks first increase dramatically and then increase slowly until reaching the FNRs in the full knowledge scenario.

Figure 2: (a) FNRs vs. size of the substitute training dataset on Epinions; (b) FNRs when the attacker knows a certain fraction of the negative nodes and the edges between them on Epinions.
Figure 3: FNRs of our attacks vs. (a) substitute edge weight; (b) size of the substitute training dataset; (c) fraction of known negative nodes on Epinions, when the attacker uses substitute parameters, a substitute training dataset, and a partial graph.

Parameter=Yes, Training=Yes, Graph=Partial (Case 3): In this scenario, the attacker knows the subgraph of positive nodes and their edges as well as a connected subgraph of some negative nodes and the edges between them. Specifically, we consider that the attacker knows a certain fraction of the negative nodes. In particular, we randomly select a negative node and span a connected component that includes this fraction of the negative nodes via breadth first search. Then, the attacker's partial graph consists of the connected component of negative nodes, the positive nodes, and the edges between them. The attacker applies our attacks using this partial graph to generate the inserted/deleted edges. Note that LinLBP still detects positive nodes using the original complete graph with the edges modified by our attacks. Figure 2(b) shows the FNRs of our attacks on Epinions as the attacker knows a larger subgraph of the negative nodes (i.e., a larger fraction). The FNRs vs. the fraction of known negative nodes on Facebook and Enron are shown in Appendix B. We observe that as the fraction increases, our attacks are more effective. Moreover, when the attacker only knows 20% of the negative nodes, our attacks can obtain FNRs close to those when the attacker knows the complete graph.

Parameter=No, Training=No, Graph=Partial (Case 4):  In this case, the attacker has the least knowledge along the three dimensions of a LinLBP system. To study our attacks in this case, we fix two dimensions and observe FNR vs. the third dimension. By default, we assume the attacker knows 20% of the negative nodes and the edges between them, samples a substitute training dataset with 400 nodes, and uses a substitute edge weight of 0.05. Figure 3 shows FNRs of our attacks on Epinions vs. each dimension. Figure 14 and Figure 15 in Appendix B show FNRs vs. each dimension on Facebook and Enron, respectively. We observe similar patterns as in Case 1, Case 2, and Case 3, shown in Figure 1, Figure 2(a), and Figure 2(b), respectively. The reason is that our attacks do not require the true training dataset and the complete graph.

5.4 Transferring to Other Graph-based Classification Methods

Our attacks generate inserted/deleted edges based on the LinLBP method. A natural question is: are our inserted/deleted edges also effective for other graph-based classification methods? To answer this question, we use our attacks to generate the modified edges based on LinLBP, modify the graph structure accordingly, and apply another graph-based classification method to detect the target nodes. Recall that graph-based classification methods can be roughly categorized as collective classification and graph neural network. We consider three representative collective classification methods, i.e., JWP [63], LBP [23], and RW [64], and four representative graph neural network methods, i.e., LINE [58], DeepWalk [48], node2vec [28], and GCN [36]. We obtained the source code of all these methods from their corresponding authors.

Table 3 shows the effectiveness of our attacks at attacking the considered graph-based classification methods on Facebook. The results on Enron and Epinions are shown in Table 8 and Table 9 in Appendix C, respectively. We make several observations. First, our attacks are the most effective when using LinLBP to detect the target nodes. Specifically, when using the same method to select the target nodes and the same cost type, our attacks achieve the largest FNR for the target nodes when the detector uses LinLBP. This is reasonable because our attacks generate the modified edges based on LinLBP. Second, our attacks can transfer to other graph-based classification methods, though the transferability varies among different graph-based classification methods. Third, our attacks can better transfer to other collective classification methods than to graph neural network methods in most cases. For instance, with Equal cost and CC, our attacks achieve FNRs of at least 0.92 for collective classification methods, while our attacks achieve FNRs of 0.85 and 0.54 for LINE and GCN, respectively. The reason is that collective classification methods and graph neural network methods use different mechanisms to leverage the graph structure. Fourth, our attacks have the least transferability to GCN, i.e., our attacks achieve the smallest FNRs for GCN. We speculate the reason is that GCN uses sophisticated graph convolution to exploit the higher-order correlations in the graph structure, and thus is more robust to the modified edges our attacks generate.

Table 3: Transferability of our attacks to other graph-based classification methods on Facebook.
RAND
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  0.78  0.66  0.60
JWP  0  0.76  0.63  0.59
LBP  0.07  0.70  0.65  0.60
RW  0.13  0.68  0.61  0.55
Graph Neural Network:
LINE  0.07  0.61  0.61  0.45
DeepWalk  0.25  0.55  0.52  0.52
node2vec  0.20  0.50  0.45  0.45
GCN  0.12  0.52  0.52  0.41
CC
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  0.94  0.94  0.68
JWP  0  0.93  0.93  0.63
LBP  0.01  0.92  0.92  0.64
RW  0.03  0.92  0.92  0.63
Graph Neural Network:
LINE  0.01  0.85  0.75  0.62
DeepWalk  0.04  0.71  0.65  0.45
node2vec  0.04  0.69  0.61  0.45
GCN  0.05  0.54  0.53  0.45
CLOSE
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  0.96  0.93  0.69
JWP  0  0.94  0.93  0.65
LBP  0.01  0.94  0.92  0.64
RW  0.04  0.93  0.92  0.63
Graph Neural Network:
LINE  0.01  0.86  0.77  0.59
DeepWalk  0.05  0.72  0.69  0.48
node2vec  0.05  0.77  0.69  0.50
GCN  0.05  0.54  0.53  0.42

5.5 Comparing with Existing Attacks

We compare our attacks with a random baseline attack and a recent attack called Nettack [74] that was designed for GCN.

Random attack:  In the random attack, we randomly modify the connection states between the target nodes and other nodes. Specifically, for each target node, we randomly select K other nodes (K is the per-node modification budget) and modify the connection state between the target node and each selected node: if the two nodes are connected in the original graph, we delete the edge between them; otherwise, we insert an edge between them.
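As a concrete illustration, the random baseline can be implemented in a few lines; the following is a minimal sketch assuming a networkx graph and a per-target budget of K modifications, matching the description above.

```python
# A minimal sketch of the random baseline attack: for each target node, pick K
# random other nodes and flip the connection state to each of them.
# G is assumed to be a networkx.Graph.
import random

def random_attack(G, target_nodes, K, seed=0):
    rng = random.Random(seed)
    G_attacked = G.copy()
    all_nodes = list(G.nodes())
    for t in target_nodes:
        others = [v for v in all_nodes if v != t]
        for v in rng.sample(others, K):
            if G_attacked.has_edge(t, v):
                G_attacked.remove_edge(t, v)   # connected -> delete the edge
            else:
                G_attacked.add_edge(t, v)      # not connected -> insert an edge
    return G_attacked
```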

Nettack [74]:  Nettack was designed to attack GCN [36]. It trains a surrogate linear model of GCN. Nettack then defines a graph-structure-preserving perturbation, which constrains the node degree distributions of the graph before and after the attack to be similar. Nettack has two versions: one version only modifies the graph structure, while the other also modifies node attributes when they are available. We adopt the first version, which modifies the graph structure. We obtained the publicly available source code of Nettack from its authors. Note that Nettack assumes Equal cost for modifying connection states between nodes.

Our attack:  It is designed based on LinLBP. We also assume Equal cost to provide a fair comparison with Nettack.

Table 4: Comparing FNRs of our attack and Nettack for different graph-based classification methods on Facebook.
Method GCN LINE RW LBP JWP LinLBP Time
No attack 0.05 0.01 0.03 0.01 0 0 0 sec
Random attack 0.1 0.07 0.09 0.05 0.02 0.02 1 sec
Nettack 0.64 0.58 0.33 0.28 0.13 0.22 9 hrs
Our attack 0.54 0.85 0.92 0.92 0.93 0.94 10 secs

Table 4 shows the FNRs and runtime of each attack for attacking/transferring to different graph-based classification methods, where the target nodes are selected by CC. Note that, as LINE outperforms DeepWalk and node2vec in the absence of attacks (see Table 3), we only show the transferability results of these attacks to LINE for conciseness. We only show results on Facebook, because Nettack does not scale to the other two graphs. We note that the compared attacks have the same costs, i.e., they all modify at most K edge states for each target node. We have several observations.

First, for attacking GCN, Nettack is the most effective, i.e., it achieves the highest FNR for attacking GCN. The reason is that Nettack is specifically designed for GCN. Our attack can still effectively transfer to GCN, though it is slightly less effective than Nettack at attacking GCN (0.54 vs. 0.64). Second, for attacking collective classification methods, i.e., RW, LBP, JWP, and LinLBP, our attack is much more effective than Nettack. Specifically, for all collective classification methods, our attack achieves FNRs above 0.90, whereas Nettack achieves FNRs no higher than 0.33. The reason is that our attack is specifically designed for LinLBP and transfers well to other collective classification methods. Third, for attacking LINE, our attack is more effective than Nettack: our attack achieves an FNR of 0.85, while Nettack achieves an FNR of 0.58. Fourth, our attack is orders of magnitude faster than Nettack.

6 Evaluation on Two Real-World Datasets

We evaluate our attacks on a security application (i.e., evading Sybil detection on Twitter) and a privacy application (i.e., defending against attribute inference attacks on Google+).

6.1 Evading Sybil Detection

Twitter dataset:  We use a large-scale Twitter dataset for Sybil detection. We obtained an undirected Twitter dataset with real Sybils from Wang et al. [65]. Specifically, the Twitter network has 21M users, 265M edges, and an average degree of 25. An undirected edge between two users means that they follow each other. A user suspended by Twitter is treated as a Sybil (positive node), while an active user is treated as benign (negative node). In total, 145,183 nodes are Sybils, 2,566,944 nodes are benign, and the remaining nodes are unlabeled.

Training dataset:  We sample 3,000 positive nodes and 3,000 negative nodes uniformly at random as the training dataset. Then, we apply LinLBP to detect Sybils.

Attacker’s target nodes:  We select 1,000 Sybils accurately detected by LinLBP as target nodes using the CC method.
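The experimental setup above can be summarized by the following sketch; detect_fn (LinLBP detection) and select_targets_fn (the CC target-selection method) are caller-supplied placeholders, and the sample sizes follow the description above.

```python
# A sketch of the Sybil-detection experiment setup on Twitter: sample a
# balanced training set, run the detector, and select target Sybils among
# those the detector catches. detect_fn and select_targets_fn are
# caller-supplied placeholders, not real library calls.
import random

def build_sybil_experiment(G, sybils, benign, detect_fn, select_targets_fn, seed=0):
    rng = random.Random(seed)
    train = {
        "positive": rng.sample(sorted(sybils), 3000),   # labeled Sybils
        "negative": rng.sample(sorted(benign), 3000),   # labeled benign users
    }
    detected = set(detect_fn(G, train))                 # nodes predicted as Sybil
    correctly_detected = detected & set(sybils)
    target_nodes = select_targets_fn(G, correctly_detected, n_targets=1000)
    return train, target_nodes
```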

Results:  Table 5 shows the FNRs for the target nodes achieved by our attacks for different values of the maximum number K of edges that can be modified for each target node and for different cost types. We assume the attacker knows the parameters of LinLBP, the training dataset, and the complete graph. FNRs are above 0.80 in all cases, showing that our attacks can effectively evade Sybil detection.

No attack Equal Uniform Categorical
K=20 0 0.84 0.82 0.82
K=30 0 0.88 0.87 0.84
K=40 0 0.92 0.9 0.88
Table 5: FNRs of our attack for evading Sybil detection on Twitter in different scenarios.

6.2 Defending Attribute Inference Attacks

Google+ dataset:  We use a Google+ dataset for attribute inference attacks. We obtained an undirected Google+ social network with public user attributes from [26, 35]. The dataset has around 5.7M users and 31M edges, with an average degree of 11. The user attribute is "cities lived", and the dataset contains 50 popular cities. 3.25% of the users revealed at least one of these cities as their cities lived. We treat each city as a binary attribute and perform attribute inference for each binary attribute separately. Specifically, given a city, a user is treated as positive if the user lives/lived in the city, and as negative otherwise.

Training dataset:  We select 50% of the users who have at least one of the 50 cities as a training dataset. In particular, when inferring one city, we treat the users in the training dataset that have the city as labeled positive nodes, and the users that do not have the city as labeled negative nodes.

Attacker’s target nodes:  When evaluating inference for a city, we select 100 nodes having the city that are correctly inferred by LinLBP as the target nodes. In other words, FNR of the target nodes is 0 before applying our attacks.

Figure 4: FNRs of inferring each city on Google+ after applying our attacks to modify the graph structure.

Results:  We apply our attack as a privacy protection mechanism to defend against attribute inference attacks on Google+. We consider each city independently. Specifically, for each city, we use our attacks to generate the inserted edges and deleted edges, modify the graph structure accordingly, and then apply LinLBP to infer the city. We fix the per-target-node modification budget K and assume Equal cost. Figure 4 shows the FNRs of inferring each city after our attacks. Our attacks can effectively defend against attribute inference attacks. We note that Jia and Gong [33] proposed to defend against attribute inference attacks using adversarial machine learning. However, they focused on attribute inference attacks that leverage users' public behavior data (e.g., rating scores, page likes) to infer users' private attributes, whereas we focus on attribute inference attacks that leverage users' social friends.
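A hedged sketch of this per-city defense loop is given below; attack_fn (our LinLBP-based attack), infer_fn (LinLBP inference), and the user_cities mapping are placeholders supplied by the caller.

```python
# A sketch of the per-city defense: for each city (a binary attribute),
# generate protective edge modifications, edit the graph, and re-run the
# inference attack to measure the FNR on the protected target users.
def defend_city_inference(G, cities, train_users, targets_per_city,
                          user_cities, attack_fn, infer_fn):
    fnr_per_city = {}
    for city in cities:
        # Labeled nodes for this binary attribute.
        train = {
            "positive": [u for u in train_users if city in user_cities[u]],
            "negative": [u for u in train_users if city not in user_cities[u]],
        }
        targets = targets_per_city[city]

        # Generate the protective insertions/deletions and edit the graph.
        inserted, deleted = attack_fn(G, train, targets)
        G_protected = G.copy()
        G_protected.add_edges_from(inserted)
        G_protected.remove_edges_from(deleted)

        # Re-run the inference attack on the protected graph.
        predicted_positive = set(infer_fn(G_protected, train))
        missed = [u for u in targets if u not in predicted_positive]
        fnr_per_city[city] = len(missed) / len(targets)
    return fnr_per_city
```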

7 Discussion and Limitation

Attacks to other graph-based classification methods:  In this paper, we focus on designing attacks against LinLBP. The reason is that LinLBP assigns the same weight to all edges, which makes our formulated optimization problem easier to solve. In RW-based methods and JWP, the edge weights or the propagation depend on the graph structure. Therefore, it is harder to optimize the adversarial matrix, because the gradient of the adversarial matrix also depends on the edge weights, which are themselves implicit functions of the adversarial matrix. Nevertheless, it is an interesting future work to study specialized attacks against RW-based methods and JWP.

Unavailability attacks:  In this paper, we focus on evasion attacks that aim to increase the FNR of an attacker's target nodes. It is an interesting future work to adapt our attacks into unavailability attacks, in which the attacker manipulates the graph structure to achieve a high False Positive Rate (FPR). A high FPR means that a large number of negative nodes are falsely classified as positive, which may eventually cause the system to be abandoned and become unavailable.

Poisoning training dataset:  Our work focuses on manipulating the graph structure to attack graph-based classification methods. An attacker could also poison the training dataset. Specifically, in some applications, the training dataset is dynamically updated and obtained via crowdsourcing. For instance, in Sybil detection on social networks, a user can report other users as Sybils. Therefore, an attacker could flag normal users as Sybils, which poisons the training dataset. It is an interesting future work to poison the training dataset and compare the robustness of different graph-based classification methods with respect to such poisoning attacks.

Dataset  RAND (before/after)  CC (before/after)  CLOSE (before/after)
Facebook 0.492/0.464 0.540/0.492 0.591/0.573
Enron 0.567/0.549 0.634/0.632 0.559/0.554
Epinions 0.433/0.417 0.511/0.497 0.473/0.472
Table 6: Average clustering coefficients of target nodes before and after our attacks on the three graphs with Equal cost.

Countermeasures:  Our work focuses on attacks to graph-based classification methods. We discuss two possible directions for defenses, and leave detailed exploration of these defenses as future work. These defense ideas are inspired by existing defenses against adversarial examples (e.g., [27, 47, 13, 41]) and data poisoning attacks (e.g., [5, 32, 54]). Generally speaking, we could prevent and/or detect our attacks. In the prevention direction, we could explore new graph-based classification methods that are more robust to graph structure manipulation by design. In the detection direction, we could design methods to detect the inserted fake edges and deleted edges. For instance, we could extract features for each node pair and train a binary classifier, which predicts whether the connection state between the node pair was modified or not. However, when designing such a detection method, we should also consider an adaptive attacker who strategically adjusts its attacks to evade both a graph-based classification method and the detector.
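As one possible (unevaluated) instantiation of this detection idea, the sketch below extracts simple structural features for node pairs and trains a binary classifier to predict whether a pair's connection state was modified; the feature set and classifier choice are assumptions, not the paper's design.

```python
# A sketch of the edge-modification detector idea: structural features for a
# node pair plus an off-the-shelf binary classifier. Features and model are
# illustrative assumptions; G is assumed to be a networkx.Graph.
import numpy as np
from sklearn.ensemble import RandomForestClassifier

def pair_features(G, u, v):
    nu, nv = set(G.neighbors(u)), set(G.neighbors(v))
    common = len(nu & nv)
    union = len(nu | nv) or 1
    return [
        G.degree(u), G.degree(v),   # endpoint degrees
        common,                     # number of common neighbors
        common / union,             # Jaccard similarity of neighborhoods
    ]

def train_modification_detector(G, modified_pairs, unmodified_pairs):
    X = np.array([pair_features(G, u, v) for u, v in modified_pairs + unmodified_pairs])
    y = np.array([1] * len(modified_pairs) + [0] * len(unmodified_pairs))
    clf = RandomForestClassifier(n_estimators=100, random_state=0)
    clf.fit(X, y)
    # clf.predict([pair_features(G, a, b)]) then flags suspected modified pairs.
    return clf
```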

Moreover, a defender could also analyze the local structure of nodes to detect positive nodes. In particular, our attacks may change the local structure of positive nodes after inserting/deleting edges for them. For example, Table 6 shows the average clustering coefficients of the target nodes before and after our attacks on the three graphs with Equal cost. We observe that the clustering coefficients slightly decrease after our attacks. This is because our attacks add neighbors to a target node, but these new neighbors may not be connected to each other. It is an interesting future work to explore the feasibility of using such local structural features to detect positive nodes and our attacks.
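For reference, the quantity reported in Table 6 can be computed with a few lines of networkx; this is a minimal sketch assuming the original and attacked graphs are available as networkx graphs.

```python
# A sketch of computing the average clustering coefficient of the target
# nodes before and after the attack (the quantity shown in Table 6).
import networkx as nx

def avg_target_clustering(G_original, G_attacked, target_nodes):
    before = nx.clustering(G_original, nodes=target_nodes)
    after = nx.clustering(G_attacked, nodes=target_nodes)
    n = len(target_nodes)
    return sum(before.values()) / n, sum(after.values()) / n
```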

8 Conclusion and Future Work

We perform the first systematic study on attacks to collective classification methods via manipulating the graph structure. We propose a threat model to characterize the attack surface of collective classification methods, i.e., an attacker's background knowledge is characterized along the Parameter, Training dataset, and Graph dimensions. We show that our attack can be formulated as an optimization problem, which can be solved approximately using the techniques we propose. Our empirical evaluation on three graphs with real negative nodes and synthesized positive nodes shows that our attacks can make collective classification methods misclassify an attacker's target nodes; our attacks can transfer to graph neural network methods; our attacks do not require access to the true parameters of LinLBP, the true training dataset, and/or the complete graph; and our attacks outperform existing attacks at attacking collective classification methods and certain graph neural network methods. Moreover, our results on two real-world graphs show that our attacks can evade Sybil detection in social networks and defend against graph-based attribute inference attacks.

Interesting future work includes 1) designing specialized attacks to other graph-based classification methods, 2) adjusting our attacks as unavailability attacks, 3) designing data poisoning attacks to graph-based classification methods, and 4) enhancing robustness of graph-based classification methods.

References

  • [1] Leman Akoglu, Rishi Chandy, and Christos Faloutsos. Opinion fraud detection in online reviews by network effects. In ICWSM, 2013.
  • [2] Lorenzo Alvisi, Allen Clement, Alessandro Epasto, Silvio Lattanzi, and Alessandro Panconesi. Sok: The evolution of sybil defense via social networks. In IEEE S & P, 2013.
  • [3] Giuseppe Ateniese, Luigi V Mancini, Angelo Spognardi, Antonio Villani, Domenico Vitali, and Giovanni Felici. Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers. IJSN, 2015.
  • [4] Albert-László Barabási and Réka Albert. Emergence of scaling in random networks. Science, 1999.
  • [5] Marco Barreno, Blaine Nelson, Anthony D Joseph, and JD Tygar. The security of machine learning. Machine Learning, 2010.
  • [6] Peter W Battaglia, Jessica B Hamrick, Victor Bapst, Alvaro Sanchez-Gonzalez, Vinicius Zambaldi, Mateusz Malinowski, Andrea Tacchetti, David Raposo, Adam Santoro, Ryan Faulkner, et al. Relational inductive biases, deep learning, and graph networks. arXiv, 2018.
  • [7] Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nelson, Nedim Šrndić, Pavel Laskov, Giorgio Giacinto, and Fabio Roli. Evasion attacks against machine learning at test time. In ECML-PKDD. Springer, 2013.
  • [8] Battista Biggio, Blaine Nelson, and Pavel Laskov. Poisoning attacks against support vector machines. In ICML, 2012.
  • [9] Yazan Boshmaf, Dionysios Logothetis, Georgos Siganos, Jorge Leria, Jose Lorenzo, Matei Ripeanu, and Konstantin Beznosov. Integro: Leveraging victim prediction for robust fake account detection in osns. In NDSS, 2015.
  • [10] Qiang Cao, Michael Sirivianos, Xiaowei Yang, and Tiago Pregueiro. Aiding the detection of fake accounts in large scale social online services. In NSDI, 2012.
  • [11] Shaosheng Cao, Wei Lu, and Qiongkai Xu. Grarep: Learning graph representations with global structural information. In ACM CIKM, 2015.
  • [12] Nicholas Carlini, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner, and Wenchao Zhou. Hidden voice commands. In USENIX Security Symposium, 2016.
  • [13] Nicholas Carlini and David Wagner. Adversarial examples are not easily detected: Bypassing ten detection methods. In AISec, 2017.
  • [14] Duen Horng “Polo” Chau, Carey Nachenberg, Jeffrey Wilhelm, Adam Wright, and Christos Faloutsos. Polonium: Tera-scale graph mining and inference for malware detection. In SIAM SDM, 2011.
  • [15] Yizheng Chen, Yacin Nadji, Athanasios Kountouras, Fabian Monrose, Roberto Perdisci, Manos Antonakakis, and Nikolaos Vasiloglou. Practical attacks against graph-based clustering. In ACM CCS, 2017.
  • [16] Hanjun Dai, Hui Li, Tian Tian, Xin Huang, Lin Wang, Jun Zhu, and Le Song. Adversarial attack on graph structured data. In ICML, 2018.
  • [17] Michaël Defferrard, Xavier Bresson, and Pierre Vandergheynst. Convolutional neural networks on graphs with fast localized spectral filtering. In NIPS, 2016.
  • [18] Minghong Fang, Guolei Yang, Neil Zhenqiang Gong, and Jia Liu. Poisoning attacks to graph-based recommender systems. In ACSAC, 2018.
  • [19] Matt Fredrikson, Somesh Jha, and Thomas Ristenpart. Model inversion attacks that exploit confidence information and basic countermeasures. In ACM CCS, 2015.
  • [20] Matthew Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing. In USENIX Security Symposium, 2014.
  • [21] Karan Ganju, Qi Wang, Wei Yang, Carl A Gunter, and Nikita Borisov. Property inference attacks on fully connected neural networks using permutation invariant representations. In CCS, 2018.
  • [22] Peng Gao, Binghui Wang, Neil Zhenqiang Gong, Sanjeev R Kulkarni, Kurt Thomas, and Prateek Mittal. Sybilfuse: Combining local attributes with global structure to perform robust sybil detection. In IEEE CNS, 2018.
  • [23] Neil Zhenqiang Gong, Mario Frank, and Prateek Mittal. Sybilbelief: A semi-supervised learning approach for structure-based sybil detection. IEEE TIFS, 2014.
  • [24] Neil Zhenqiang Gong and Bin Liu. You are who you know and how you behave: Attribute inference attacks via users’ social friends and behaviors. In USENIX Security Symposium, 2016.
  • [25] Neil Zhenqiang Gong, Ameet Talwalkar, Lester Mackey, Ling Huang, Eui Chul Richard Shin, Emil Stefanov, Elaine Runting Shi, and Dawn Song. Joint link prediction and attribute inference using a social-attribute network. ACM TIST, 2014.
  • [26] Neil Zhenqiang Gong, Wenchang Xu, Ling Huang, Prateek Mittal, Emil Stefanov, Vyas Sekar, and Dawn Song. Evolution of social-attribute networks: Measurements, modeling, and implications using google+. In IMC, 2012.
  • [27] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv, 2014.
  • [28] Aditya Grover and Jure Leskovec. node2vec: Scalable feature learning for networks. In ACM KDD, 2016.
  • [29] Zoltán Gyöngyi, Hector Garcia-Molina, and Jan Pedersen. Combating web spam with trustrank. In VLDB, 2004.
  • [30] Ling Huang, Anthony D Joseph, Blaine Nelson, Benjamin IP Rubinstein, and JD Tygar. Adversarial machine learning. In ACM AISec, 2011.
  • [31] Matthew Jagielski, Alina Oprea, Battista Biggio, Chang Liu, Cristina Nita-Rotaru, and Bo Li. Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In IEEE S & P, 2018.
  • [32] Matthew Jagielski, Alina Oprea, Battista Biggio, Chang Liu, Cristina Nita-Rotaru, and Bo Li. Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In IEEE S & P, 2018.
  • [33] Jinyuan Jia and Neil Zhenqiang Gong. Attriguard: A practical defense against attribute inference attacks via adversarial machine learning. USENIX Security Symposium, 2018.
  • [34] Jinyuan Jia, Binghui Wang, and Neil Zhenqiang Gong. Random walk based fake account detection in online social networks. In IEEE DSN, 2017.
  • [35] Jinyuan Jia, Binghui Wang, Le Zhang, and Neil Zhenqiang Gong. Attriinfer: Inferring user attributes in online social networks using markov random fields. In WWW, 2017.
  • [36] Thomas N Kipf and Max Welling. Semi-supervised classification with graph convolutional networks. ICLR, 2017.
  • [37] Bo Li and Yevgeniy Vorobeychik. Feature cross-substitution in adversarial classification. In NIPS, 2014.
  • [38] Bo Li, Yining Wang, Aarti Singh, and Yevgeniy Vorobeychik. Data poisoning attacks on factorization-based collaborative filtering. In NIPS, 2016.
  • [39] Zhou Li, Sumayah Alrwais, Yinglian Xie, Fang Yu, and XiaoFeng Wang. Finding the linchpins of the dark web: a study on topologically dedicated hosts on malicious web infrastructures. In IEEE S & P, 2013.
  • [40] Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. Delving into transferable adversarial examples and black-box attacks. In ICLR, 2017.
  • [41] Dongyu Meng and Hao Chen. Magnet: a two-pronged defense against adversarial examples. In CCS, 2017.
  • [42] Tomas Mikolov, Ilya Sutskever, Kai Chen, Greg S Corrado, and Jeff Dean. Distributed representations of words and phrases and their compositionality. In NIPS, 2013.
  • [43] Blaine Nelson, Benjamin IP Rubinstein, Ling Huang, Anthony D Joseph, Shing-hon Lau, Steven J Lee, Satish Rao, Anthony Tran, and J Doug Tygar. Near-optimal evasion of convex-inducing classifiers. In AISTATS, 2010.
  • [44] Alina Oprea, Zhou Li, Ting-Fang Yen, Sang H Chin, and Sumayah Alrwais. Detection of early-stage enterprise infection by mining large-scale log data. In DSN, 2015.
  • [45] Shashank Pandit, Duen Horng Chau, Samuel Wang, and Christos Faloutsos. Netprobe: a fast and scalable system for fraud detection in online auction networks. In WWW, 2007.
  • [46] Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. The limitations of deep learning in adversarial settings. In EuroS&P, 2016.
  • [47] Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. Distillation as a defense to adversarial perturbations against deep neural networks. In IEEE S & P, 2016.
  • [48] Bryan Perozzi, Rami Al-Rfou, and Steven Skiena. Deepwalk: Online learning of social representations. In ACM KDD, 2014.
  • [49] Apostolos Pyrgelis, Carmela Troncoso, and Emiliano De Cristofaro. Knock knock, who’s there? membership inference on aggregate location data. In NDSS, 2018.
  • [50] Franco Scarselli, Marco Gori, Ah Chung Tsoi, Markus Hagenbuchner, and Gabriele Monfardini. The graph neural network model. IEEE TNN, 2009.
  • [51] Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K Reiter. Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In ACM CCS, 2016.
  • [52] Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. Membership inference attacks against machine learning models. In IEEE S & P, 2017.
  • [53] Nedim Srndic and Pavel Laskov. Practical evasion of a learning-based classifier: A case study. In IEEE S & P, 2014.
  • [54] Octavian Suciu, Radu Marginean, Yigitcan Kaya, Hal Daume III, and Tudor Dumitras. When does machine learning fail? generalized transferability for evasion and poisoning attacks. In Usenix Security Symposium, 2018.
  • [55] Mingjie Sun, Jian Tang, Huichen Li, Bo Li, Chaowei Xiao, Yao Chen, and Dawn Song. Data poisoning attack against unsupervised node embedding methods. In Arxiv, 2018.
  • [56] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. arXiv, 2013.
  • [57] Acar Tamersoy, Kevin Roundy, and Duen Horng Chau. Guilt by association: large scale malware detection by mining file-relation graphs. In ACM KDD, 2014.
  • [58] Jian Tang, Meng Qu, Mingzhe Wang, Ming Zhang, Jun Yan, and Qiaozhu Mei. Line: Large-scale information network embedding. In WWW, 2015.
  • [59] MohamadAli Torkamani and Daniel Lowd. Convex adversarial collective classification. In ICML, pages 642–650, 2013.
  • [60] Florian Tramèr, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. Stealing machine learning models via prediction apis. In USENIX Security Symposium, 2016.
  • [61] Binghui Wang and Neil Zhenqiang Gong. Stealing hyperparameters in machine learning. In IEEE S & P, 2018.
  • [62] Binghui Wang, Neil Zhenqiang Gong, and Hao Fu. GANG: Detecting fraudulent users in online social networks via guilt-by-association on directed graphs. In IEEE ICDM, 2017.
  • [63] Binghui Wang, Jinyuan Jia, and Neil Zhenqiang Gong. Graph-based security and privacy analytics via collective classification with joint weight learning and propagation. In NDSS, 2019.
  • [64] Binghui Wang, Jinyuan Jia, Le Zhang, and Neil Zhenqiang Gong. Structure-based sybil detection in social networks via local rule-based propagation. IEEE TNSE, 2018.
  • [65] Binghui Wang, Le Zhang, and Neil Zhenqiang Gong. Sybilscar: Sybil detection in online social networks via local rule based propagation. In IEEE INFOCOM, 2017.
  • [66] Jason Weston, Frédéric Ratle, Hossein Mobahi, and Ronan Collobert. Deep learning via semi-supervised embedding. In Neural Networks: Tricks of the Trade, pages 639–655. Springer, 2012.
  • [67] Huang Xiao, Battista Biggio, Gavin Brown, Giorgio Fumera, Claudia Eckert, and Fabio Roli. Is feature selection secure against training data poisoning? In ICML, 2015.
  • [68] Weilin Xu, Yanjun Qi, and David Evans. Automatically evading classifiers: A case study on pdf malware classifiers. In NDSS, 2016.
  • [69] Chao Yang, Robert Harkreader, Jialong Zhang, Seungwon Shin, and Guofei Gu. Analyzing spammer’s social networks for fun and profit. In WWW, 2012.
  • [70] Guolei Yang, Neil Zhenqiang Gong, and Ying Cai. Fake co-visitation injection attacks to recommender systems. In NDSS, 2017.
  • [71] H. Yu, P. B. Gibbons, M. Kaminsky, and F. Xiao. SybilLimit: A near-optimal social network defense against Sybil attacks. In IEEE S & P, 2008.
  • [72] Ganzhao Yuan and Bernard Ghanem. An exact penalty method for binary optimization based on mpec formulation. In AAAI, 2017.
  • [73] Xiaojin Zhu, Zoubin Ghahramani, John Lafferty, et al. Semi-supervised learning using gaussian fields and harmonic functions. In ICML, 2003.
  • [74] Daniel Zügner, Amir Akbarnejad, and Stephan Günnemann. Adversarial attacks on neural networks for graph data. In ACM KDD, 2018.

Appendix A More Results with Full Knowledge

Impact of different types of costs:  The results in Table 2 allow us to compare the different types of costs. We observe that our attacks are the most effective for Equal cost and the least effective for Categorical cost. The reason is that Equal cost gives our attack the most flexibility in generating the inserted and deleted edges. For the Categorical cost, however, it is much more expensive to modify edges between target nodes and compromised negative nodes, and even more expensive to modify edges between target nodes and uncompromised negative nodes. These cost constraints essentially restrict the search space of our attacks, making them less effective for Categorical cost. We stress, however, that our attacks are still effective for Categorical cost, e.g., on the Enron and Epinions graphs, our attacks still increase the FNR to around 0.90. Furthermore, Table 7 shows the number of overlapping modified edges between each pair of the three types of costs. We observe that the number of overlapping modified edges is much smaller than the number of modified edges shown in Table 2, which indicates that our attacks indeed explore different search spaces for different types of costs.
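The overlap counts in Table 7 can be computed by intersecting the sets of modified node pairs produced under two cost types; a minimal sketch (treating edges as unordered pairs) is shown below.

```python
# A sketch of the overlap computation behind Table 7: count the modified
# (unordered) node pairs shared by the attacks under two different cost types.
def overlap_count(modified_edges_a, modified_edges_b):
    as_pairs = lambda edges: {frozenset(e) for e in edges}   # ignore edge direction
    return len(as_pairs(modified_edges_a) & as_pairs(modified_edges_b))
```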

Impact of different target node selection methods:  The results in Table 2 also compare RAND, CC, and CLOSE for selecting target nodes. We observe that our attacks are more effective when using CC and CLOSE than when using RAND to select the target nodes, and that CC and CLOSE have similar attack performance. Specifically, given the same graph and cost type, our attack achieves a higher FNR for CC and CLOSE than for RAND. For instance, with the Facebook graph and Equal cost, our attacks achieve FNRs of 0.78, 0.94, and 0.96 for RAND, CC, and CLOSE, respectively. The reason is that the target nodes selected by CC are structurally close and similar; therefore, it is more likely for our attacks to make them evade detection "collectively". Moreover, the target nodes selected by CLOSE are close to negative nodes, and thus it is relatively easy for them to bypass detection. In contrast, the target nodes selected by RAND are more structurally dissimilar; different target nodes require different efforts (inserting or deleting different edges) to evade detection, and thus it is harder for our attacks to make the target nodes evade.

Figure 5: (a) Impact of the number of target nodes on the three datasets with Equal cost. (b) Costs with respect to the number of target nodes.
Figure 6: Impact of the number of target nodes on the three graphs with CC as the method of selecting target nodes. (a) Uniform cost and (b) Categorical cost.

Impact of the number of target nodes:  Figure 5(a) shows FNRs vs. the number of target nodes on the three graphs, while Figure 5(b) shows the total cost vs. the number of target nodes, where Equal cost and CC are used. Figure 6 shows FNRs vs. the number of target nodes with Uniform cost and Categorical cost. On the one hand, we observe that the FNRs are stable across different numbers of target nodes. This is because our attack iteratively computes the modified edges for each target node. On the other hand, our attacks require a larger total cost when the attacker uses more target nodes. These results indicate that our attacks can make more positive nodes evade detection when the attacker can tolerate a larger cost.

Figure 7: Impact of K on the three graphs (Facebook, Enron, and Epinions) with CC as the method of selecting target nodes. We observe that our attacks are more effective as K increases. Moreover, our attack is more effective for sparser graphs.

Impact of K:  Figure 7 shows FNRs vs. K on the three graphs with CC as the method of selecting target nodes. Considering that the three graphs have different average degrees, we set different ranges of K for the three graphs. We observe that as K increases, the FNR also increases on all three graphs. This is because a larger K allows an attacker to modify more edges per node, and thus our attacks can increase FNRs more. Note that the total cost increases linearly in K, and thus we omit the results on the total cost for simplicity. Moreover, our attack is more effective for sparser graphs.

Figure 8: Impact of the first hyperparameter on our attacks with (a) Equal cost, (b) Uniform cost, and (c) Categorical cost. We observe that our attacks achieve stable FNRs once the hyperparameter is larger than a certain threshold.
Figure 9: Impact of the second hyperparameter on our attacks with (a) Equal cost, (b) Uniform cost, and (c) Categorical cost. We observe that our attacks achieve stable FNRs once the hyperparameter is larger than a certain threshold.
Table 7: Number of overlapped modified edges among different types of costs and different target node selection methods.
RAND
Equal vs. Uniform Equal vs. Categorical Uniform vs. Categorical
Facebook 28 0 11
Enron 94 0 12
Epinions 67 0 2
CC
Equal vs. Uniform Equal vs. Categorical Uniform vs. Categorical
Facebook 156 72 46
Enron 176 0 9
Epinions 191 67 10
CLOSE
Equal vs. Uniform Equal vs. Categorical Uniform vs. Categorical
Facebook 190 5 13
Enron 416 24 21
Epinions 428 260 147

Impact of hyperparameters:  Figure 8 and Figure 9 show the impact of the two hyperparameters on our attacks on the three graphs with the three types of costs. We observe a phase-transition phenomenon for both hyperparameters. Specifically, when they are larger than certain thresholds (e.g., 100 and 0.01, respectively, on Facebook with Equal cost), our attacks become effective; when they are smaller than the thresholds, our attacks are less effective or ineffective. Moreover, once the hyperparameters exceed the thresholds, our attacks are insensitive to them, e.g., the FNRs are stable. Facebook has smaller thresholds; we speculate the reason is that Facebook is much denser than the other two graphs.

Appendix B More Results with Partial Knowledge

Parameter=No, Training=Yes, Graph=Complete (Case 1): Figure 10 and Figure 11 show FNRs on Facebook and Enron when the attacker does not know the true parameters used by LinLBP and instead uses substitute parameters. We observe that our attacks are insensitive to one of the two parameters. Moreover, our attacks are more effective when the substitute edge weight is closer to the true weight 0.05, and less effective when it is far from the true weight.

Figure 10: FNRs of our attacks with different substitute parameters of LinLBP on Facebook with Equal cost.
Figure 11: FNRs of our attacks with different substitute parameters of LinLBP on Enron with Equal cost.

Parameter=Yes, Training=No, Graph=Complete (Case 2): Figure 12(a) and Figure 12(b) show FNRs on Facebook and Enron when the attacker does not know the true training dataset used by LinLBP and instead uses a substitute training dataset. We observe that, as the size of the substitute training dataset increases, the FNRs of our attacks first increase dramatically and then increase slowly until reaching the FNRs of the full-knowledge scenario.

Figure 12: FNRs of our attacks vs. the size of the substitute training dataset on (a) Facebook and (b) Enron with Equal cost.

Parameter=Yes, Training=Yes, Graph=Partial (Case 3): Figure 13(a) and Figure 13(b) show FNRs on Facebook and Enron when the attacker knows a fraction of the negative nodes and the edges between them. We observe that our attacks are more effective as this fraction increases, and once the fraction is large enough, our attacks obtain FNRs close to those when the attacker knows the complete graph.

Figure 13: FNRs of our attacks on (a) Facebook and (b) Enron with Equal cost when the attacker knows a fraction of the negative nodes and the edges between them.

Parameter=No, Training=No, Graph=Partial (Case 4): Figure 14 and Figure 15 show FNRs on Facebook and Enron when the attacker has the least knowledge of a LinLBP system. We observe patterns similar to the results on Epinions. The reason is that our attacks do not require the true parameters, the true training dataset, or the complete graph.

Figure 14: FNRs of our attacks vs. (a) the substitute edge weight; (b) the size of the substitute training dataset; (c) the fraction of known negative nodes on Facebook when the attacker uses substitute parameters, a substitute training dataset, and a partial graph.
Figure 15: FNRs of our attacks vs. (a) the substitute edge weight; (b) the size of the substitute training dataset; (c) the fraction of known negative nodes on Enron when the attacker uses substitute parameters, a substitute training dataset, and a partial graph.

Appendix C More Results on Transferability

Table 8 and Table 9 show the transferability results of our attacks to other graph-based classification methods on Enron and Epinions, respectively. Similar to the results on Facebook, our attacks are the most effective when the detector uses LinLBP; our attacks can transfer to other graph-based classification methods; and our attacks transfer better to other collective classification methods than to graph neural network methods.

Table 8: Transferability of our attacks to other graph-based classification methods on Enron.
RAND
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  1.00  0.96  0.89
JWP  0  0.97  0.96  0.86
LBP  0.02  0.96  0.96  0.89
RW  0.05  0.95  0.95  0.89
Graph Neural Network:
LINE  0.06  0.94  0.92  0.85
DeepWalk  0.25  0.60  0.58  0.50
node2vec  0.23  0.60  0.59  0.50
GCN  0.22  0.49  0.49  0.45
CC
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  1.00  0.99  0.92
JWP  0  1.00  0.98  0.89
LBP  0  1.00  0.91  0.85
RW  0.04  1.00  0.97  0.81
Graph Neural Network:
LINE  0.04  0.98  0.95  0.63
DeepWalk  0.23  0.70  0.65  0.45
node2vec  0.25  0.68  0.60  0.50
GCN  0.28  0.58  0.58  0.52
CLOSE
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  1.00  1.00  0.90
JWP  0  1.00  0.99  0.90
LBP  0  1.00  0.99  0.84
RW  0  0.98  0.97  0.81
Graph Neural Network:
LINE  0.13  1.00  0.95  0.60
DeepWalk  0.30  1.00  0.93  0.48
node2vec  0.30  0.95  0.89  0.50
GCN  0.30  0.65  0.65  0.45
Table 9: Transferability of our attacks to other graph-based classification methods on Epinions.
RAND
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  0.98  0.94  0.92
JWP  0  0.96  0.94  0.83
LBP  0.07  0.96  0.94  0.92
RW  0.08  0.95  0.87  0.90
Graph Neural Network:
LINE  0.33  0.96  0.95  0.92
DeepWalk  0.50  0.65  0.85  0.68
node2vec  0.48  0.65  0.82  0.65
GCN
CC
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  0.99  0.94  0.88
JWP  0  0.96  0.94  0.78
LBP  0  0.95  0.91  0.86
RW  0  0.94  0.87  0.76
Graph Neural Network:
LINE  0.31  0.96  0.90  0.86
DeepWalk  0.45  0.75  0.78  0.68
node2vec  0.42  0.75  0.75  0.70
GCN
CLOSE
Method  No attack  Equal  Uniform  Categorical
Collective Classification:
LinLBP  0  1.00  0.96  0.86
JWP  0  1.00  0.96  0.86
LBP  0  1.00  0.94  0.85
RW  0  1.00  0.95  0.80
Graph Neural Network:
LINE  0.39  0.96  0.69  0.76
DeepWalk  0.45  0.58  0.55  0.46
node2vec  0.42  0.59  0.59  0.49
GCN