Introduction

In real life, complex relationships can be represented by graphs. For example, in social networks, we abstract individuals as nodes and relationships between individuals as edges [1, 2]. In citation networks, nodes represent papers and edges represent citation relations between papers [3]. Graphs are extensively utilized in diverse tasks, including node-level classification [4,5,6], graph-level classification [7, 8], and molecular prediction [9].

In recent years, Graph Neural Networks (GNNs) have achieved outstanding results in various tasks [10,11,12]. GNNs overcome the problem that traditional deep learning models can’t migrate to non-Euclidean distance data. However, recent studies have shown that GNNs are vulnerable to adversarial attacks leading to performance degradation [13,14,15]. The traditional Cyber [16] and DoS [17] attacks, they verify the stability of the model by theoretical analysis to get the system’s steady state. The graph adversarial attack is a biased execution attack that degrades the performance of GNNS by modifying the node’s self-attributes (including links and features) or injecting fake nodes. Various graph adversarial attack models are proposed based on training gradients, reinforcement learning and federation learning [18,19,20,21,22].

Graph Modification Attack (GMA) ignore an essential premise that the adversary has insufficient privileges in the real attack [18, 23,24,25]. In GMA models, the adversary has the privilege to modify the original data arbitrarily, which are difficult to implement and can be easily detected by defense models [19, 26]. For example, in some attacks on large online social or commercial networks (Facebook or Amazon), the adversary first attacks administrator accounts and then changes users’ social connections (e.g., deleting or adding friends) or user’ information (e.g., deleting or adding preferences or postings). When the adversary performs the attack, the defense system can detect that the administrator accounts are executing abnormal commands, which leads to an alert to other administrators or security departments. FSP-GCN [27] and GraphNS [28] are two classical graph defense models, which detect anomalous nodes by measuring perturbed graph node similarity or node label differences. Therefore, it is challenging to implement in real attacks.

To lift the above limitation, researchers have proposed the Graph Injection Attack (GIA). Figure 1 shows the comparison of GMA and GIA strategies. Specifically, GMA degrades the performance of GNNs by generating perturbed edges or features, and GIA performs attacks by generating fake nodes with malicious information. Wang et al. [29] proposed the first GIA model that uses a greedy strategy to generate fake nodes. The literature [30] proposed AFGSM, which is a white-box attack using a fast gradient sign method to generate fake nodes. Sun et al. [31] proposed a global poisoning attack for NIPA based on a Q-learning strategy. The literature [32] presented NICKI based on an optimization policy that implements the misclassification of a specific node into a different class. Dai et al. [33] proposed the targeted universal attack (TUA), where TUA enhances the attackability of nodes by connecting the fake node, and the victim nodes connected to the attack nodes will be misclassified as the attacker-specified label. Though the above GIA models solve some problems, there are still two significant limitations. (1) Features poorly invisible. The camouflage features of the fake nodes are not considered. For example, a pair of fake node features never co-occurred in the original nodes and detectors can easily filter these anomalous nodes [34]. (2) Structure poorly embedded. Previous studies have shown that GIA lead to a significant decrease in the homophily of the graph structure (the homophily can reflect the reliability of the graph structure) [35,36,37]. Therefore, focusing only on changes in graph topological properties (i.e., node degree or betweenness) fails to guarantee the camouflage of fake nodes.

Fig. 1
figure 1

Illustrative comparison of GMA (left) and GIA (right)

Full size image

In this paper, we consider the invisibility of the structure and features and propose an IMperceptible Graph Injection Attack (IMGIA), which can maintain the effectiveness and camouflage of the attack. Specifically, IMGIA can be divided into the following three processes: (1) Feature generation. IMGIA uses a normal distribution sampling to generate the fake node’s initial features. This mechanism not only has low time consumption but also makes the feature distribution of the fake nodes the same as the original nodes. (2) Link generation. IMGIA obtains the best attack links between fake and original nodes using the mask learning method. Note that IMGIA does not need to manipulate the links between the original nodes but only needs to modify the links between the fake and original nodes. (3) Graph optimization. Homophily unnoticeability constraint is used to improve the camouflage of IMGIA, which can adjust the perturbation graph structure and features.

The main contributions of this paper are summarized as follows.

  • We present a new graph injection attack: IMGIA. IMGIA performs without modifying the original graph.

  • We promote the imperceptibility of GIA from the topological structure and features perspective, rarely discussed in previous studies.

  • We have demonstrated empirically that IMGIA can achieve better performance and higher robustness than the previous GIA models.

The rest of this work is organized as follows. “Related work” section discusses the related work on graph modification and graph injection attacks. “Preliminary” section presents the knowledge about graph neural networks and graph injection attack. In “Methodology” section, each component of IMGIA is described in detail, including feature generation, link generation, and graph optimization. In “Experiments” section, we give the corresponding experiments, which mainly discuss the performance of IMGIA in detail. Finally, we conclude our work in “Conclusion” section.

Related work

Existing attack methods are classified into two main categories: GMA and GIA. In this section, we review works with GMA and then present some works on GIA.

Adversarial attack on GMA

GMA degrades the performance of GNNs in downstream tasks by perturbing the graph structure or node features [38].

The literature [19] proposed the classical graph adversarial attack, namely Nettack, which adds some unnoticeable perturbations (perturbed edges or features) into the graph to degrade the performance of GNNs. To ensure the unnoticeability of the perturbations, the feature co-occurrence and node degree distribution of the perturbed graph are similar to the original graph. The literature [23] proposed Metattack based on meta-learning, Metattack treats the graph structure matrix as hyperparameters manipulating the graph structure by the trained attack loss. Lin et al. [39] proposed a maximizing spectral distance attack SPAC, the core idea is to destroy the graph filter to achieve the attack. In addition, SPAC uses an approximation method to reduce the feature decomposition time. Liu et al. [40] proposed AtkSE, which uses edge discrete sampling to select the set of perturbation candidates and reduce the error of structural gradients. The literature [41] found that the node topology is lost using the surrogate attack model, so the surrogate representation learning attack with isometric mapping (SRLIM) is proposed. To maintain node similarity during propagation, the node topology from the input layer to the embeddings is constrained by SRLIM using isometric mapping. Lin et al. [24] proposed EpoAtk, which uses gradient information to guide the adversary to modify the links. Specifically, EpoAtk uses three phases (generation, evaluation, and reorganization) to address the problem that gradient-based attacks will not get optimal solutions.

Although GMA can degrade the performance of GNNs by perturbing the graph structure and node features. Unfortunately, the implementation of GMA assumes that the adversary possesses elevated privileges, which is often difficult to attain during real-world attacks. Thus, our work focuses on practical GIA rather than GMA.

Adversarial attack on GIA

In the GIA scenario, the adversary cannot modify the structure or node features of the original graph. As a result, GIA more closely aligns with realistic attacks.

The literature [42] proposed a single node injection attack G-NIA, the experiment showed that injecting a single node can achieve efficient attacks in evasion attacks. Wang et al. [43] proposed a cluster attack (CLA). CLA calculates similarity metrics among victim nodes and injects perturbation nodes into the victim nodes of the same cluster to cause the GNNs to misclassify the targeted nodes. Zou et al. [44] analyzed the topological vulnerability of GNNs in GIA scenario and proposed the topological defective graph injection attack (TDGIA). TDGIA introduces a vulnerable topological edge selection strategy and designs a smooth feature optimization objective to generate the fake node edges amd features, respectively. Tao et al. [45] proposed the CANA framework in terms of both fidelity and diversity of self-networks centered on injection nodes, and the experimental results show that CANA significantly improves the attack performance. Ju et al. [21] studied the black-box graph injection attack and proposed GA2C, where GA2C queries the agent model based on the idea of reinforcement learning with a potential behavioral critic algorithm. The experimental results showed that GA2C can efficiently execute the attack with a low budget.

However, most previous works focus on the effectiveness of the attack and neglected attack invisibility. The literature [35] demonstrated that GIA models can damage the homophily distribution of the original graph, which is easily detected by graph defense models. Therefore, a primary focus of graph adversarial attack research is designing effective and unnoticeable attacks.

Preliminary

In this section, we introduce some knowledge about GNNs and GIA. Table 1 gives the frequently used notations.

Table 1 Notations frequently used in this paper and their corresponding descriptions
Full size table

Graph neural networks

Let \(\mathcal {G}\) be an attribute graph that can be represented formally as \(\mathcal {G}=(V,E,X)\). where \(V=\{v_{1},v_{2},..,v_{n}\}\) represents the set of nodes, n represents the number of nodes, \(E \subseteq V \times V\) represents the set of edges, \(X \in { \mathbb {R} ^{n \times d}}\) denotes the d-dimensional feature matrix. The adjacency relationship of nodes can be expressed as \(A \in {\{ 0,1\} ^{n \times n}}\), \({A_{i,j}} = 1\) means there is a link between node i and j, and 0 otherwise.

In our work, we focus on the node-level classification task, where GNNs use known label nodes to predict the class of unlabeled nodes. We take the classical Graph Convolutional Network (GCN) [10] as an example, the two-layer GCN can be represented as

$$\begin{aligned} f(\mathcal {G}) = {f_\theta }(A,X) = softmax ({\widehat{A}}\sigma ({\widehat{A}}X{W^{(0)}}){W^{(1)}}). \end{aligned}$$
(1)

where \(\hat{A}=\tilde{D}^{-\frac{1}{2}}(A+I) \tilde{D}^{-\frac{1}{2}}\) is the normalized adjacency matrix, \(\tilde{D}\) is the diagonal degree matrix, and I is the identity matrix. \(\sigma ( \cdot )\) is the activation function, usually using ReLU. W denotes the weight parameter, and \({f_\theta }( \cdot )\) is the node classifier. \(f(\mathcal {G}) \in { \mathbb {R}^{n \times k}}\), where \(k = |Y |\) is denoted as the number of labels, and Y represents the set of node labels.

Graph injection attack model

The utility of IMGIA is that the adversary does not need to modify the original graph structure or node features, and the performance degradation of GNNs can be achieved by manipulating fake nodes. Specifically, the graph attack is divided into untargeted and targeted attacks. In this study, we mainly focused on untargeted attacks. Furthermore, we extended our model to targeted attacks. Formally, the objective function of the untargeted and the targeted attacks can be respectively expressed as

$$\begin{aligned}{} & {} \begin{aligned}&\max _{A^{\prime } \in \Phi \left( A^{\prime }\right) , X^{\prime } \in \Phi \left( X^{\prime }\right) } \sum _{t \in V_{\text{ test } }} \mathbb {I}\left( f_{\theta ^*}\left( A^{\prime }, X^{\prime }\right) \ne y_t\right) . \\&\text{ s.t. } \theta ^*=\underset{\theta }{\arg \min } {\mathcal {L}}_{\text{ train } }\left( f_\theta \left( A^{\prime }, X^{\prime }\right) \right) , \mathcal {G}^{\prime }-\mathcal {G} \le \Delta \end{aligned} \end{aligned}$$
(2)
$$\begin{aligned}{} & {} \begin{aligned}&\max _{A^{\prime } \in \Phi \left( A^{\prime }\right) , X^{\prime } \in \Phi \left( X^{\prime }\right) } \sum _{t \in V_{tar}, y_t \ne \widehat{y_t}} \mathbb {I}\left( f_{\theta ^*}\left( A^{\prime }, X^{\prime }\right) =\widehat{y_t}\right) . \\&\text{ s.t. } \theta ^*=\underset{\theta }{\arg \min } {\mathcal {L}}_{\text{ train } }\left( f_\theta \left( A^{\prime }, X^{\prime }\right) \right) , \mathcal {G}^{\prime }-\mathcal {G} \le \Delta \end{aligned} \end{aligned}$$
(3)

where \(y_{t}\) represents the label of node t. \(\widehat{y_t}\) is the attacker-specified label. \(\Delta \) is the attack budget. \( {\mathcal {L}}_{\text{ train } }\) usually uses the cross-entropy function, i.e., \(\mathcal {L}_{\text{ train } }\left( f_\theta \left( A^{\prime }, X^{\prime }\right) \right) =\sum _{v \in V_{\text{ train } }}-y_v \log \tilde{y}_v\), \(\tilde{y}_v\) is the prediction label. \(\mathbb {I}( \cdot )\) is an indicator function that returns 1 when the parameter is true and 0 otherwise. \(\Phi (A^{\prime })\) and \(\Phi (X^{\prime })\) are the feasible domains of the adjacency matrix \(A^{'}\) and the feature matrix \(X^{'}\), respectively. Poisoned graph \(\mathcal {G}^{'}\) can be expressed as \({\mathcal {G}^{'}} = ({V^{'}},{E^{'}},{X^{'}})\), where \({V^{\prime }} = \{ {v_{1}},{v_{2}},\ldots ,{v_{n}},\ldots ,{v_{{n^{'}}}}\} \) is the set of poisoned graph nodes, \(n^{\prime }(n^{\prime }=n+m)\) is the number of perturbed graph nodes, m is the number of fake nodes. \(X' = \left[ {\begin{array}{*{20}{c}} X\\ {{X_m}} \end{array}} \right] \) is set of the poisoned graph feature. \(X_{m} \in { \mathbb {R} ^{m \times d}}\) is the set of features of the fake node. \(A' = \left[ {\begin{array}{*{20}{c}} \mathrm{{A}}&{}{{A_m}}\\ {\mathrm{{A}}_m^T}&{}{{B_m}} \end{array}} \right] \) is the adjacency matrix of the poisoned graph. \(B_m \in { \mathbb {R} ^{m \times m}} \) is the unit matrix, \(A_m \in { \mathbb {R} ^{n \times m}} \) represents the adjacency matrix of the fake nodes and the original nodes.

Equations 2 and 3 show that the victim nodes of the untargeted attack are all the nodes in the test set, and GNNs misclassify the nodes indicating that the attack is successful. In the targeted attack, the victim nodes are the specified nodes in the test set, and GNNs need to not only misclassify the nodes but also classify them to the attacker-specified labels. Furthermore, the aim of the untargeted attack is to decrease the classification accuracy of GNNs, and the targeted attack focuses on maximizing the accuracy of classifying victim nodes to the attacker-specified label.

Methodology

In this section, we describe the building blocks of IMGIA in detail, and the pipeline is shown in Fig. 2. Specifically, we use a normal distribution sampling to generate the fake node features. This method has a low time and space cost, and we will describe this item in detail in “Feature generation” section. Fake node links are obtained using the mask learning mechanism, which is described in detail in “Link generation” section. GIA is known to harm the homophily of the graph, which can lead to the destruction of imperceptibility. Database administrators or homology defenders can easily detect and remove fake nodes. We use homophily unnoticeability constraint to improve attack imperceptibility, and we will describe this item in detail in “Graph optimization” section.

Fig. 2
figure 2

Illustration of IMGIA. We first generate fake node features and links using the normal distribution sampling and mask learning mechanisms respectively, and then use the homophily unnoticeability constraint to adjust both the graph structure and fake node features

Full size image

Feature generation

In previous GIA models, fake node features are often generated using Generative Adversarial Networks (GAN) [29] and Graph Autoencoders (GA) [32] mechanisms. However, these models usually use GNNs to optimize model performance, which significantly improves model complexity and runtime. Taking GAN as an example, the generator and discriminator components require constant feedback during feature generation. If the number of feedback is low, the generated features are more different from the original features. GAN has been successful in modeling continuously distributed data. It is less effective in discrete graph data due to the difficulty in optimizing the model distribution to match the target data distribution. Moreover, they are not suitable for high-dimensional and small training datasets.

To address the above issues, we chose a simple and robust feature generation method, named normal distribution sampling. Specifically, the original features are first fitted to a normal distribution, and then the fake node features are sampled from it. No other operations are required for continuous features. For binary features, we need to binarize the sampled feature values, which are 0 when the Gaussian sample is less than 0.5 and 1 otherwise. The above operations are mathematically expressed as

$$\begin{aligned} \text {X}^{\prime }(x)= & {} \text {Sample}(x). \quad \text{ s.t. } x \sim U, \left\| {{\mathrm{{{X}}}^\prime } - \mathrm{{{X}}}} \right\| \le \Delta _{X}. \end{aligned}$$
(4)
$$\begin{aligned} \textrm{X}^{\prime }(x)= & {} \left\{ \begin{array}{ll} 1, &{} \text {Sample}(x)>0.5. \\ 0, &{} \text {Sample}(x) \le 0.5. \end{array} \quad \text{ s.t. } x \sim U, \Vert X^{\prime }-X \Vert \le \Delta _X.\right. \end{aligned}$$
(5)

where U represents the fitted normal distribution, \(\Delta _X\) represents the feature budget. If the training set contains 1 with probability p and 0 with probability \(1-p\), the fitted normal distribution with mean p and variance \(p(1-p)\). The probability of IMGIA sampling to 1 is \(\frac{1}{2}[1 - erf (\frac{{\frac{1}{2} - p}}{{\sqrt{2p(1 - p)} }})]\).

After the above feature generation process, the feature distribution of the poisoned graph has a high similarity to the original graph. Therefore, the use of normal distribution sampling can improve the camouflage of the fake node feature.

Link generation

For link generation, many works utilize gradient learning or meta-learning methods. These methods are typically less efficient, as they tend to generate only one perturbed edge per iteration. Besides, the literature [23] found that meta-learning is expensive in terms of both computation and storage.

IMGIA uses a mask learning mechanism to generate links for fake nodes. This mechanism sets the mask as a hyper-parameter and iteratively optimizes it to obtain the final link mask. The mask learning mechanism not only improves the effectiveness of the attack but also has the advantage of low complexity and memory. In graph adversarial learning tasks, fake node generation can be represented as a two-layer optimization problem.

$$\begin{aligned}{} & {} \max \mathcal {L}_{a t k}\left( y_{t},f_{\theta ^*}\left( S, X^{\prime }\right) \right) \nonumber \\{} & {} \quad \text{ s.t. } \quad \theta ^*=\underset{\theta }{\arg \min }\ \mathcal {L}_{\text{ train } }\left( f_\theta \left( A, X\right) \right) . \end{aligned}$$
(6)

where \(y_{t}\) represents the real label of node t. \(\mathcal {L}_{a t k}( \cdot )\) represents the train loss, which usually uses a cross-entropy function. \(S \in { \mathbb {R} ^{n^{\prime } \times n^{\prime }}}\) represents the link mask. Specifically, \(S = \left[ {\begin{array}{*{20}{c}} \mathrm{{A}}&{}{{A_1}}\\ {\mathrm{{A}}_1^T}&{}{{B_m}} \end{array}} \right] \), \(A_1 \in { \mathbb {R} ^{n \times m}}\) denoted as an all-1 matrix, A represents the original graph adjacency matrix. \(X^{\prime }\) is considered a constant and not modified in this section. Note that IMGIA does not modify the structure and features of the original graph.

When the mask learning is complete, we sort \(A_1\) and filter to get the final links. First, sorting \(A_1\) is sorted from largest to smallest to get \(A_1^{sort}\), then the top \({\Delta _S}\) node pairs are selected, and finally the value of \({\Delta _S}\) node pairs in \(A_{m}\) is set to 1. The above procedure can be expressed formally as

$$\begin{aligned} {A_{m,(i,j)}} = 1 \quad s.t. \quad {S_{1,(i,j)}} \in S_{1,{\Delta _S}}^{sort}. \end{aligned}$$
(7)

where \(\Delta _S\) denotes the budget of the modified link.

Graph optimization

The high flexibility of GIA can result in the destruction of the original graph’s homophily distribution and significantly damage the similarity of neighboring nodes, consequently negatively impacting its invisibility. How can the effect of GIA on homology be reduced? To answer this question, we use the homophily unnoticeability constraint to optimize the graph (including graph structure and node features). By achieving homophily unnoticeability, IMGIA can mitigate the damage of GIA on graph homogeneity. Here, we give the definition of node homophily,

$$\begin{aligned} h_u={\text {sim}}\left( r_u, X_u^{\prime }\right) , \quad r_u=\sum _{j \in \mathcal {N}_u} \frac{1}{\sqrt{d_j} \sqrt{d_u}} X_j. \end{aligned}$$
(8)

where \(sim( \cdot )\) is the cosine similarity, \(d_{u}\) is the degree of node u, and \(\mathcal {N}_u\) denotes the set of neighbors of node u. Equation 8 shows that the homophily of node u is expressed the similarity between the features of node u and the aggregated features of its neighbors.

Intuitively, we can derive the definition of homophily of all fake nodes by the node homophily definition.

$$\begin{aligned} H\left( \mathcal {G}, \mathcal {G}^{\prime }\right) =\frac{1}{m} \sum _{u \in V^{\prime } / V} h_u. \end{aligned}$$
(9)

Our goal is to maximize the homophily of the perturbed graph, so the overall goal of homophily unnoticeability is set as

$$\begin{aligned} \min {\mathrm{{{{\mathcal {L}}}}}_{Hom\mathrm{{ }}}}(\mathrm{{{{\mathcal {G}}}}},{\mathrm{{{{\mathcal {G}}}}}^\prime }) = - H(\mathrm{{{{\mathcal {G}}}}},{\mathrm{{{{\mathcal {G}}}}}^\prime })+\Omega (\left\| \mathcal {G}^{\prime } \right\| ) \nonumber \\ \quad s.t.\mathrm{{ }}\left\| {{\mathrm{{{{\mathcal {G}}}}}^\prime } - \mathrm{{{{\mathcal {G}}}}}} \right\| \le \Delta . \end{aligned}$$
(10)

where \(\Omega (\cdot )\) is L1 norm used to coordinate the number of modified structures and features. \(\Delta \) is the total budget, i.e., \(\Delta =\Delta _S+\Delta _F\).

Overall objective and algorithm

Combining the adversarial attack and homophily unnoticeability constraint objectives, the overall objective function of IMGIA is as follows:

$$\begin{aligned} \min _{\mathcal {G} \in \Phi (\mathcal {G})} \mathcal {L}_{atk}\left( f_{\theta ^*}\left( \mathcal {G}^{\prime }\right) \right) +\lambda \mathcal {L}_{\text{ Hom } }\left( \mathcal {G}, \mathcal {G}^{\prime }\right) \nonumber \\ \text{ s.t. } \left\| \mathcal {G}^{\prime }-\mathcal {G}\right\| \le \Delta . \end{aligned}$$
(11)

where \({\mathrm{{{{\mathcal {L}}}}}_{atk}}\left( y_{t},f_{\theta ^*}\left( S, X^{\prime }\right) \right) = - {\mathrm{{{{\mathcal {L}}}}}_{atk}}\left( {{f_{{\theta ^*}}}\left( {{\mathrm{{{{\mathcal {G}}}}}^\prime }} \right) } \right) \), \(\Phi (\mathcal {G})\) denotes the set of permissible perturbation graphs and \( \lambda (\lambda \ge 0)\) is the homophily parameter controlling the scale of homophily unnoticeability.

Algorithm 1 shows the attack process of IMGIA.

Algorithm 1
figure a

IMGIA

Full size image

Time complexity

In this section, we analyze the time complexity of IMGIA, and the pre-training model is taken as an example of GCN. Specifically, IMGIA contains three modules: feature generation, link generation and graph optimization. (1) In the feature generation module, we use the normal distribution sampling to generate fake node features which does not use the GCN pre-trained model, so the time complexity is low. The cost of the fake node generation module is \({\mathcal {O}}(md)\). (2) In the link generation module, the masked learning mechanism with GCN pre-training is used to generate fake node features. The GCN pre-trained model includes forward and backward propagations, the cost is \({\mathcal {O}}({n_{epo}}d \left\| X^\prime \right\| )\). Where d represents the matrix dimension, \({n_{epo}}\) represents the number of training. Moreover, the cost of iteratively updating the link mask is \({\mathcal {O}}(T(n^{\prime })^2)\), T is the iteration number. Therefore, the cost of the fake node generation module is \({\mathcal {O}}({n_{epo}}d \left\| X^\prime \right\| +T(n^{\prime })^2)\). (3) The graph optimization module is to adjust the features and links of the fake nodes, so the time complexity can be expressed as \({\mathcal {O}}(T(md+mn))\).

Thus, the overall time complexity of IMGIA is \({\mathcal {O}}(md+{n_{epo}}d \left\| X^\prime \right\| +T((n^{\prime })^2+md+mn))\).

Experiments

In this section, we will first introduce the corresponding settings, including statistics of the datasets, baselines, and GNNs and IGMIA parameter settings. Finally, the corresponding experimental results and analysis are shown to validate the performance of IGMIA.

Datasets

Our work focuses on the node-level classification task. To illustrate the adaptability of IMGIA, we conducted node-level classification experiments on three different types of datasets (Cora, Citeseer, Cora-ML). The statistics of the datasets are summarized in Table 2.

Table 2 Statistics of three datasets
Full size table

Baselines

We have verified the performance of IMGIA using several state-of-the-art GIA models as the baselines. The baseline details are as follows.

  • GNIA [42]. G-NIA demonstrated the effectiveness of injecting a single fake node, and we use a generalized version of GNIA with multiple fake node attacks injected.

  • NIPA [31]. NIPA uses hierarchical Q-learning to generate adversarial edges, and adds some Gaussian noise to the original node features to obtain the fake node features.

  • TDGIA [44]. TDGIA uses heuristics to select fake node perturbed edges and uses optimization methods to smooth the features of the fake nodes.

  • AFGSM [30]. AFGSM uses an approximate greedy strategy to generate fake node edges and features. Since AFGSM is a targeted attack, here we perform the attack using its untargeted attack version.

  • GAFNC [46]. GAFNC uses GAN to generate fake node features and uses edge mask learning to generate fake node links.

  • IMGIA-E1 and IMGIA-E2. IMGIA-E1 and IMGIA-E2 are extended models based on IMGIA. In the IMGIA-E1 version, the fake node features are obtained by mask learning and the links are randomly generated. In the IMGIA-E2 version, the fake node features and links are obtained by mask learning. Note that IMGIA-E1 and IMGIA-E2 still use the homophily unnoticeability constraint to adjust the graph structure and node features.

Parameter settings and evaluation metric

Parameter settings In this section, we introduce some experimental parameters. In our experiments, we use two types of GNNs, including normal GNNs (GCN [10], SGC [47] and GraphSAGE [12]) and robust GNNs (RobustGCN [48], RGAT [35]). The number of layers of GNNs is set to 2, the hidden layer dimension is set to 64, and RELU is used as the activation function. To ensure the fairness and validity of the comparison, we fixed the maximum number of training epochs as 500 and the learning rate is 0.005. In all experiments. the datasets are split with a training/validation/testing ratio of 0.1:0.1:0.8. In all experiments, the weight parameter \(\lambda \) is set to 1 by default. The number of fake nodes m is set to \(m = \varepsilon \mathrm{{n}}\), and \(\varepsilon \) is set to 0.01. We use \(\Delta _S\) and \(\Delta _F\) to limit the number of modified links and features, respectively. Specifically, \(\Delta _S=md_{avg}\), where \(d_{avg}\) is the average degree of original nodes. The feature budget can be expressed as \(\Delta _F=mx_{avg}\), \({x_{avg}} = \left\| X \right\| /n\) is the average number of original node features for discrete datasets, \({x_{avg}} = (X! = 0)/n\) is the average of the original node features that are not zero for continuous datasets. The \(d_{avg}\) and \(x_{avg}\) information of the datasets are summarized in Table 2.

Evaluation metric We use the classification rate as a measure of IMGIA performance. Specifically, the classification accuracy of GNNs on perturbation graphs, i.e., the number of correctly classified nodes/total number of classified nodes. The node classification accuracy metric reflects the effectiveness of IMGIA. Lower numbers indicate better results, and bolded numbers indicate optimal results. We also use the homophily distribution to measure the invisibility of the attack. A more similar homophily distribution before and after the attack indicates a good invisibility of the attack.

Experiment results

In “Attack performance under normal GNNs” section, we evaluate the attack performance of IMGIA. In “Attack performance under robust GNNs”–“Homophily distribution” sections, we demonstrate the imperceptible of IMGIA. In “Number of fake nodes”–“AMGIA on targeted attack” sections, we investigate the performance of IMGIA under different parameters. Note that in “Attack performance under normal GNNs”–“Homophily parameter” sections, the attack is set to untargeted attack, and “AMGIA on targeted attack” section to targeted attack.

Attack performance under normal GNNs

To evaluate the effectiveness and transferability of IMGIA, we perform attack experiments on three benchmark datasets under normal GNNs, and the results are shown in Table 3. For each dataset, we bold the best attack results. The specific experimental results are as follows.

Attack effectiveness Table 3 shows that the IMGIA and IMGIA-E2 achieve the lowest classification accuracy at all results. In our experiment using GCN as the victim model in Citeseer dataset, NIPA achieves the highest performance among baseline models, i.e., the classification accuracy of NIPA is 67.81%. In our models, the classification accuracy of IMGIA and IMGIA-E2 are 65.40%, 66.55% respectively. This indicates that our models achieve superior performance over the state-of-the-art models.

Comparing IMGIA with the two extension models reveals that in most cases IMGIA-E2 achieves the best attack. For example, the classification accuracies of IMGIA, IMGIA-E1 and IMGIA-E2 are 84.64%, 78.45%, 78.64% for Cora-ML, respectively. IMGIA-E2 uses a mask learning mechanism when generating features, and this approach focuses more on the harmfulness of the feature than on its invisibility (this observation will be verified later). The node link has a greater effect on the performance of GNNs than node features with the same budget, which shows that over-optimizing features does not significantly impact the model. Thus, IMGIA-E2 demonstrates marginally superior performance compared to IMGIA. IMGIA-E1 generates features in the same way as IMGIA-E2, but the random link generation is inefficient, so IMGIA-E1 can reduce the accuracy of GNNs but not significantly.

Attack transferability In addition to effectiveness, transferability is an important metric to judge the performance of a model. Table 3 shows the attack performance of our models in SGC and GraphSAGE. The results show that IMGIA-E2 achieves the best attack performance in most cases. For SGC, IMGIA-E2 shows significant improvement in attack performance under three datasets. For SCG, GNIA, NIPA, TDGIA, AFGSM, and GAFNC reduce the accuracy by 4.25%, 4.31%, 3.15%, 2.81%, and 5.02% in the case of Cora, respectively. IMGIA-E2 and IMGIA reduce the accuracy by 7.40% and 6.47%, respectively. In other cases, the results are the same. Overall, our attacks can be effectively transferred to other normal GNNs.

Table 3 Classification accuracy (%) of GIA models under normal GNNs
Full size table

Attack performance under robust GNNs

In this section, we conduct the experiment to further validate the effectiveness and robustness of our models under two classes of robust GNNs, and the results are shown in Table 4. The performance of all attack models is reduced under RobustGCN and RGAT. Comparing our models with other benchmark models reveals that IMGIA and IMGIA-E2 still manage to maintain the lowest classification accuracy. For example, the classification accuracy of GNIA, NIPA, TDGIA, AFGSM, and GAFNC are 84.62%, 83.41%, 84.25%, 85.21%, and 83.13% in RGAT with Cora, respectively. The classification accuracy of IMGIA and IMGIA-E2 are 81.67% and 81.59%, respectively. In summary, our models achieve the best attacks under different robust GNNs. In other words, the robustness of our model is better than other attack models.

Table 4 Classification accuracy (%) of GIA models under normal GNNs
Full size table

Attack performance under defense mothods

In this section, we investigate the attack performance of IMGIA under the defense model. Note that the default setting of the victim model is GCN in this and subsequent sections.

Since randomly sampled links can reduce the propagation of malicious information than randomly sampled features, so here we use a Randomly Droped Link Fusion (RDLF) defense model. Specifically, we first generate multiple sampled perturbation graphs by deleting links (the number of sampled graphs is set to 5, and the number of deleted links is set to \(0.01\left\| E^{\prime }\right\| \)), then we use GCN to train the perturbation graph to obtain the node representations, and finally the node representations are summed and fused to obtain the prediction label of the nodes. Although RDLF is a simpler defense model, which can reduce the attack performance, so we use it here to verify the effectiveness and robustness of IMGIA.

Figure 3 shows GIA models classification accuracy results with and without defense. It is observed that RDLF effectively reduces the attack performance in all three datasets. Comparing the baseline models, IMGIA and IMGIA-E2 with defense obtained satisfactory results in the defense case. Fortunately, the difference between IMGIA and IMGIA-E2 with defense accuracy is small under Cora and Cora-ML datasets. All in all, IMGIA and its variants remain efficiently attacking under the defense model.

Fig. 3
figure 3

Accuracy of different GIA models with and without defense

Full size image

Perturbation graph visualization

To visualize the invisibility of IMGIA, we use T-SNE visualization to investigate the fake node feature in this section.

In Fig. 4, we find that GNIA and NIPA generate fake node features with poor invisibility, i.e., the fake node feature distribution is different from the original node feature distribution. AFGSM is extended from a targeted attack to an untargeted attack, and the distribution of fake node features is usually concentrated around the target node, which is easily detected by the defense model. Figure 4(f, g) show the distribution of IMGIA-E1 and IMGIA-E2 fake node features. Unfortunately, there are many outlier nodes, so we think that the mask learning focuses on attack efficiency rather than invisibility.

Since TDGIA and GAFNC use smoothed feature optimization and GAN to obtain the features of the fake nodes, respectively. Their fake node features are more hidden as shown in Fig. 4(c, e). Figure 4(h) shows that the fake node features of IMGIA can be well distributed and not concentrated. Table 5 shows the time complexity of generating fake node features for TDGIA, GAFNC and IMGIA. The fake nodes generated by TDGIA and GAFNC are well invisible, but they are time costly. Normal distribution sampling can generate invisible fake node features with low time complexity. Comparing the time complexity of TDGIA, GNFNC and IMGIA, we observe that IMGIA: \({\mathcal {O}}(md)<\) TDGIA: \({\mathcal {O}}(\left\| X \right\| md)<\) GAFNC: \({\mathcal {O}} (T{n_{epo}}\left\| X \right\| md)\). In short, the above results demonstrate IMGIA can generate node features with good camouflage at the cost of low complexity.

Fig. 4
figure 4

T-SNE visualization of GIA models in Citeseer

Full size image
Table 5 The time complexity of generating nodes for TDGIA, GAFNC and IMGIA
Full size table

Homophily distribution

In the existing GIA models, many researchers have noticed the distribution of the fake node in T-SNE visualization. Intuitively, this is a preliminary exploration of the attack’s invisibility. We further investigate the impact of our models on homophily. Figure 5 visualizes the homophily distribution of the GIA models before and after the attack. The blue and orange colors indicate the homophily distributions of the original and perturbed graphs, respectively.

Figure 5(a–e) show that both baseline models damage the homophily of the original graph, making a large difference in the homophily distribution before and after the attack. From Fig. 5(f–h), we find that our models are able to recover the damage of GIA on graph homogeneity, especially in IMGIA and IMGIA-E2. Homophily distribution is an important characteristic to ensure the invisibility of attacks. The experiment shows that IMGIA solves the GIA vulnerability problem in homophily detection.

Fig. 5
figure 5

The distribution of homology before and after the attack in Citeseer

Full size image

Number of fake nodes

This section investigates the impact of the number of fake nodes on the performance of GIA models, and the results are shown in Fig. 6. The number of fake nodes is positively related to the performance of the GIA models, i.e., the more fake nodes, the lower the accuracy rate. Figure 6 shows that the performance of IMGIA and IMGIA-E2 is always. Specifically, taking Cora as an example, the classification accuracy of IMGIA and IMGIA-E2 are \(\{82.99\%, 79.14\%, 77.78\%\}\), \(\{83.12\%, 79.08\%, 77.10\%\}\) when the number of fake nodes are \(\{\)10, 30, 50\(\}\), respectively.

Fig. 6
figure 6

The classification accuracy under the different number of fake nodes

Full size image

Homophily parameter

In this section, we performed an ablation study to analyze the effect of homophily parameters on our models, and the results are shown in Fig. 7. We find that the homophily parameter does not significantly affect the IMGIA performance. For example, in Cora, the classification accuracy of IMGIA-E1, IMGIA-E2 and IMGIA are \(\{85.41\%, 85.14\%, 84.12\%\}\), \(\{80.64\%, 79.63\%, 79.11\%\}\) and \(\{80.20\%, 79.14\%, 79.05\%\}\) when \(\lambda \) are \(\{\)0.2, 0.6, 1.2\(\}\), respectively. Also, similar results are obtained on other datasets. In short, the homophily parameter does not affect the overall performance of our models.

Fig. 7
figure 7

The influence of the homophily parameter on the performance of our models

Full size image

AMGIA on targeted attack

In this section, we extend IMGIA and its variants from the untargeted to targeted attack to demonstrate the attack’s generalizability. The untargeted attack aims at misclassifying nodes without other label requirements. The targeted attack aims to misclassify specified nodes as a pre-specified label. Table 6 investigates the performance of our model under the targeted attack.

Overall, IMGIA and IMGIA-E2 have superior attack effectiveness under targeted attack. Specifically, when the pre-specified label is 1, the attack success rates of IMGIA-E1, IMGIA-E2 and IMGIA are 12.02%, 73.13% and 70.63% in Citeseer, respectively. Moreover, we observe that our models have the lowest attack performance in Cora-ML. For example, the average classification accuracies of IMGIA are 70.73%, 71.41%, and 67.04% in Cora, Citeseer, and Cora-ML, respectively. Intuitively, Cora-ML is a continuous feature, IMGIA is more difficult to generate continuous features than discrete features, so the number of victim nodes misclassified to the target label is lower.

Table 6 Classification accuracy (%) of IMGIA and extended models under the targeted attack
Full size table

Conclusion

In previous graph injection attacks, many attacks focus only on the attack’s effectiveness but neglect the attack’s invisibility, which makes the attack easily vulnerable. Therefore, in this paper, we design an effective and imperceptible graph injection attack model, namely IMGIA. IMGIA considers the imperceptibility of attacks in terms of features and structure, which has been rarely discussed in previous work. The experiments demonstrate that IMGIA achieves the lowest GNNs classification accuracy compared to some of the advanced GIA models. Besides, IMGIA shows good invisibility in various defense experiments.

In future work, we plan to explore efficient and stealthy attacks in directed graphs or hypergraphs. In addition, our work reflects the problem of GNNs’ vulnerability, which will inspire us to design more robust GNNs.