Everything Perturbed All at Once: Enabling Differentiable Graph Attacks

As powerful tools for representation learning on graphs, graph neural networks (GNNs) have played an important role in applications including social networks, recommendation systems, and online web services. However, GNNs have been shown to be vulnerable to adversarial attacks, which can significantly degrade their effectiveness. Recent state-of-the-art approaches to adversarial attacks rely on gradient-based meta-learning to selectively perturb the single edge with the highest attack score until the budget constraint is reached. While effective in identifying vulnerable links, these methods are plagued by high computational costs. By leveraging continuous relaxation and parameterization of the graph structure, we propose a novel attack method called Differentiable Graph Attack (DGA) that efficiently generates effective attacks while eliminating the need for costly retraining. Compared to the state-of-the-art, DGA achieves nearly equivalent attack performance with 6 times less training time and an 11 times smaller GPU memory footprint on different benchmark datasets. Additionally, we provide extensive experimental analyses of the transferability of DGA among different graph models, as well as its robustness against widely-used defense mechanisms.


INTRODUCTION
Graph Neural Networks (GNNs) [17,24] are powerful in modeling graph-structured data and show remarkable performance on many real-world applications such as social networks [11,39,46], recommendation systems [5,36,52,58,61], and drug discovery [19,41]. Given the successful applications of GNNs, there are also growing concerns about their robustness under adversarial attacks [3,7,33,51,67]. For example, toxic behavior detectors with GNN backbones could be vulnerable to adversarial attacks, leading to undetected instances of harassment, extremism, or radicalization targeting innocent individuals on social media [8,18]. To ensure the reliability and safety of GNN-based systems in practice, it is paramount to understand their vulnerabilities to adversarial attacks as a foundation for robust deployment. In a nutshell, developing more effective adversarial attack methods on GNNs not only aids in assessing the robustness and defense strategies of GNNs [14,20,45,59,60,63] but also enhances the understanding of the underlying properties of current GNN models.
Presently, adversarial attacks on GNNs can be categorized based on the attacker's capacity, goal, level of knowledge, and perturbation type [21,42,56]. One of the most practical setups among these is the gray-box attack, in which attackers have complete knowledge of the training data but no information about the victim model. Following this setup as in previous works [29,30,67], we seek, within the budget limit, attack strategies that perform topology attacks (i.e., adding or removing edges) to poison the training data and compromise the overall node classification performance of the victim model.
Despite the effectiveness of gradient-based "learn to attack" approaches in identifying vulnerable edges, the state-of-the-art methods [30,67] in graph adversarial attacks face two major bottlenecks. (i) Non-convexity and discrete structure: meta-learning approaches usually formulate the attack as a bi-level optimization problem, which is challenging to solve due to the non-convexity of both levels, making it difficult to derive a closed-form solution. Additionally, the discrete nature of the graph structure prevents directly applying widely-used gradient-based techniques such as FGSM [16] and PGD [34], which are typically employed on image data. (ii) Computational and resource costs: existing methods selectively perturb a single edge with the highest attack score and require retraining the surrogate model from scratch, incurring high computational costs. Moreover, it is unrealistic to scale these techniques to large datasets.
To tackle the above-mentioned bottlenecks, we propose the Differentiable Graph Attack (DGA) with continuous relaxation on the graph structure. It offers several advantages with its novel train-then-sample attack scheme. During the training process, instead of searching over a discrete set of candidate perturbations, we relax the search space to a continuous space, so that the graph structure can be optimized with respect to the attack objective through gradient descent, allowing for fine-grained adjustments and improved attack effectiveness. Then, we simulate the lower-level optimization process with one-step fine-tuning of the surrogate model to avoid accumulating meta-gradients and to further reduce computational complexity. This offers more control over the attack process compared to methods with fixed attack epochs. Essentially, DGA utilizes a single-step adaptation approach to simulate the poisoning process, offering a trade-off between the fidelity of the poisoning simulation and training time. For the sampling stage, our sampling scheme enables DGA to generate poisoned graphs with varying budgets while being trained only once, further streamlining the attack process. Theoretically, we show that the estimation error in the forward/backward passes of our algorithm, as well as the convergence of the method, depends on the error of edge sampling. These benefits collectively make DGA a powerful and efficient method for generating adversarial attacks on graph structures, as shown in Figure 1. (Figure 1: Comparison of computation and resource complexity between MetAttack [67], GraD [30], and two variants of our DGA method on CiteSeer with a 5% perturbation rate. "FOA" and "FDA" refer to first-order approximation and finite-difference approximation, respectively; see Section 3.1 for details.)
We conduct empirical analysis of DGA on common benchmark datasets. Our main contributions are summarized as follows:

• Effectiveness. DGA outperforms or performs comparably to the SOTA methods on widely-used datasets. Notably, our method is effective even when the perturbation budget is low, which is more aligned with real-world scenarios and maintains the unnoticeability of the attack.

• Time and Resource Efficiency. DGA is more than 6 times faster and requires approximately 11 times less GPU memory than SOTA methods. Importantly, the attack time of DGA remains constant even as the perturbation budget increases. Additionally, DGA can be easily adapted to large-scale graphs, making it a practical choice for real-world scenarios.

• Transferability and Imperceptibility. DGA exhibits excellent transferability to a variety of GNN models and demonstrates imperceptibility toward commonly-used defense methods. These findings highlight the valuable role of DGA in assessing the robustness of existing GNN methods and providing insights for the development of novel defense strategies against adversarial attacks.

BACKGROUND
We consider the task of semi-supervised node classification, in which a model is trained to predict the labels of nodes in a graph, using both labeled and unlabeled data. We denote an undirected graph as G = (V, E), where V = {v_i | i = 1, . . . , N} is the set of N nodes, and E ⊆ V × V is the edge set with cardinality |E| = M.

In the semi-supervised setting, we are given a subset V_L ⊆ V of labeled nodes, in which the nodes are associated with class labels from C = {c_1, . . . , c_K}.

Problem Setting
We follow [67] and focus on the combination of node-level, untargeted, gray-box poisoning attacks on the graph structure. Formally, this specific graph attack setting can be formulated as a bi-level optimization problem

min_{A' ∈ A_Δ} ℓ_atk(f_{θ*}(A', X))  s.t.  θ* = argmin_θ ℓ_train(f_θ(A', X)),  (1)

where A_Δ = {A' ∈ {0, 1}^{N×N} : ∥A' − A∥_0 ≤ 2Δ} denotes the search space containing all possible adjacency matrices within the given modification budget Δ. Here, the upper-level optimization aims to find the optimal edge perturbations, resulting in a new adjacency matrix A' that maximizes the attack success. The attack objective ℓ_atk could be the inverse of either the training loss ℓ_train or the self-training loss ℓ_self. Specifically, ℓ_train is the cross-entropy loss on the training set, and ℓ_self is computed with pseudo labels for the unlabeled nodes. The pseudo labels are predicted by a well-trained surrogate model given the clean graph; in a sense, ℓ_self can be used to estimate the generalization loss after the attack. As for the nested inner problem, the lower-level optimization targets finding the optimal GNN parameters θ* through an optimization process of training the GNN on the perturbed graph from scratch. Essentially, finding a good attack method for GNNs involves solving this bi-level optimization problem in an effective and efficient manner.
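The budget constraint above can be made concrete in a few lines. The following is a minimal pure-Python sketch (the helper names `within_budget` and `flip_edge` are ours, not from the paper): it checks membership in the search space A_Δ, where each undirected edge flip toggles two symmetric entries of the adjacency matrix, hence the factor of 2 in the ℓ0 bound.

```python
# Sketch of the budget constraint ||A' - A||_0 <= 2 * Delta.
# Each undirected edge flip changes two symmetric entries, hence the 2.

def within_budget(A, A_prime, delta):
    """Return True if A_prime differs from A in at most 2*delta entries."""
    n = len(A)
    diff = sum(A[i][j] != A_prime[i][j] for i in range(n) for j in range(n))
    return diff <= 2 * delta

def flip_edge(A, i, j):
    """Flip the undirected edge (i, j): add it if absent, remove if present."""
    A[i][j] ^= 1
    A[j][i] ^= 1

# Toy 3-node graph with a single edge (0, 1).
A = [[0, 1, 0], [1, 0, 0], [0, 0, 0]]
A_prime = [row[:] for row in A]
flip_edge(A_prime, 1, 2)          # one flip -> 2 changed entries
assert within_budget(A, A_prime, delta=1)
flip_edge(A_prime, 0, 2)          # a second flip exceeds a budget of 1
assert not within_budget(A, A_prime, delta=1)
```

In a real implementation this check would run on sparse matrices, but the counting logic is the same.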

DIFFERENTIABLE GRAPH ATTACK
In light of the non-convex and combinatorial characteristics of the optimization problem in Equation (1), it is infeasible to obtain a closed-form solution or to employ the gradient-based iterative algorithms commonly used in deep learning. To address this challenge, we propose a novel approach that is both effective and efficient, continuously relaxing and parameterizing the graph structure as a continuous edge probability map. An illustration of the DGA framework is shown in Figure 2.

Continuous Relaxation on Graph Structure
We model each edge with a Bernoulli random variable and transform the discrete graph adjacency matrix A into an unnormalized probability matrix B, where the (i, j)-th element B_ij indicates the (unnormalized) edge probability between node v_i and node v_j under the attack setting. The search space for the modified adjacency matrix is thus relaxed from {0, 1}^{N×N} to the positive orthant R^{N×N}_{++}. As shown in Figure 2, there is no need to enforce the perturbation budget constraint during the DGA training process; the technique outlined in Section 3.3 ensures that the generated poisoned graph always adheres to the budget. We consider the following continuous relaxation of (1):

min_B ℓ_atk(f_{θ*}(B, X))  s.t.  θ* = argmin_θ ℓ_train(f_θ(B, X)).  (2)

Instead of exactly solving the lower-level problem, we approximate the optimal surrogate model θ* by a single-step adaptation with step size α, following the techniques in Finn et al. [13] and Liu et al. [27]. By the change of variables Θ = log B, the optimization problem in (2) becomes unconstrained w.r.t. the unnormalized log-probabilities Θ. We define q = vec(Θ), L_atk(θ, q) = ℓ_atk(f_θ(A(q), X)), L_train(θ, q) = ℓ_train(f_θ(A(q), X)), and let ∇_1 L(·, ·), ∇_2 L(·, ·) denote the gradients of L with respect to its first and second arguments, respectively. Then, the bi-level optimization in (2) becomes a simpler compositional optimization problem:

min_q L_atk(θ̃, q),  where  θ̃ = θ − α ∇_1 L_train(θ, q).  (3)

The hyper-gradient with respect to the log-probabilities q can be computed as

∇Φ(q) = ∇_2 L_atk(θ̃, q) − α ∇²_{21} L_train(θ, q) ∇_1 L_atk(θ̃, q).  (4)

Based on the hyper-gradient, we can update the log-probability matrix Θ by a gradient descent step. It is worth noting that the Hessian computation in (4) can be costly when the number of nodes is large. To this end, we can either set α = 0 in the hyper-gradient ("first-order approximation") or use a finite-difference approximation similar to Liu et al. [27]. To be specific, with θ± = θ ± ε ∇_1 L_atk(θ̃, q), we can approximate the last term in (4) as

∇²_{21} L_train(θ, q) ∇_1 L_atk(θ̃, q) ≈ (∇_2 L_train(θ+, q) − ∇_2 L_train(θ−, q)) / (2ε).  (5)

In the rest of the paper, we refer to the variant of our algorithm using the first-order approximation (α = 0 in Eq. (4)) as DGA-FOA, and the variant using the finite-difference approximation as DGA-FDA.
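The one-step adaptation and the two hyper-gradient variants can be illustrated on a scalar toy problem. The losses below are hypothetical stand-ins (L_train = (θ − q)²/2 and L_atk = θ·q), not the paper's GNN losses; the sketch only shows how a first-order variant drops the second-order term while a finite-difference variant recovers it:

```python
# Toy scalar sketch of the DGA hyper-gradient (losses are ours, not the paper's).
# One-step adaptation: theta_tilde = theta - alpha * dL_train/dtheta.
# "FOA" ignores the Hessian term; "FDA" approximates it by finite differences.

alpha, eps = 0.1, 1e-3

def g_train_theta(theta, q):  # dL_train/dtheta for L_train = (theta - q)^2 / 2
    return theta - q

def g_train_q(theta, q):      # dL_train/dq
    return q - theta

def g_atk_theta(theta, q):    # dL_atk/dtheta for L_atk = theta * q
    return q

def g_atk_q(theta, q):        # dL_atk/dq
    return theta

def hypergrad(theta, q, mode):
    theta_t = theta - alpha * g_train_theta(theta, q)   # one-step adaptation
    if mode == "FOA":                                   # drop second-order term
        return g_atk_q(theta_t, q)
    # FDA: finite-difference estimate of the Hessian-vector product
    v = g_atk_theta(theta_t, q)
    plus = g_train_q(theta + eps * v, q)
    minus = g_train_q(theta - eps * v, q)
    return g_atk_q(theta_t, q) - alpha * (plus - minus) / (2 * eps)

theta, q = 1.0, 2.0
# For this quadratic toy, the exact hyper-gradient has a closed form.
exact = (theta - alpha * (theta - q)) + alpha * q
assert abs(hypergrad(theta, q, "FDA") - exact) < 1e-6
```

Because the toy training loss is quadratic, the finite-difference estimate matches the exact hyper-gradient here; for neural losses it is only an approximation.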

Edge Sampling for Expressiveness and Efficiency
Note that the gradient-based continuous optimization of (3) results in a dense probability matrix B. Utilizing this matrix as input may lead to over-smoothing [17,62] or over-squashing [9] of the surrogate graph neural network f_θ. Moreover, message passing on a dense graph exacerbates the issue of "neighborhood explosion", which significantly increases computational costs. To improve both expressiveness and efficiency, we use the Gumbel-Top-k trick [25,55] to sample a sparser graph Ã from the unnormalized log-probabilities Θ. Formally, for the i-th node v_i, we construct k edges between v_i and each of the first k elements of argsort_j(Θ_ij + g_ij), where g_i is a vector of Gumbel noise generated from uniform random samples. The top-k operation can be replaced by the differentiable relaxed top-k operation in Xie and Ermon [55]. Intuitively, such sampling can be regarded as a stochastic relaxation of the k-nearest-neighbors rule.
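A minimal sketch of the per-node sampling step (function name is ours): each score is perturbed with Gumbel noise g = −log(−log u), u ~ Uniform(0, 1), and the k highest-scoring neighbor indices are kept.

```python
# Sketch of per-node Gumbel-Top-k edge sampling from unnormalized
# log-probabilities. Keeping the k largest (score + Gumbel noise) values is
# equivalent to sampling k items without replacement from the softmax of the row.
import math
import random

def gumbel_topk_row(theta_row, k, rng):
    """Return k neighbor indices for one node, sampled via Gumbel-Top-k."""
    scored = [(s - math.log(-math.log(rng.random())), j)
              for j, s in enumerate(theta_row)]
    scored.sort(reverse=True)                 # highest perturbed score first
    return sorted(j for _, j in scored[:k])

rng = random.Random(0)
theta_row = [5.0, -5.0, 4.0, -4.0, 3.0]       # one row of Theta
picked = gumbel_topk_row(theta_row, k=2, rng=rng)
assert len(picked) == 2 and all(0 <= j < 5 for j in picked)
```

High-scoring entries are picked with high probability, but the noise keeps the sampling stochastic, which is what makes the relaxed top-k version differentiable in expectation.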

Obtaining the Poisoned Graph
Utilizing the learned edge probability map B (output of Alg. 1), we generate perturbations by sampling from the discrepancy between the final and initial edge probability maps. This process serves to test the performance of the DGA attack, as illustrated in the blue box in Figure 2. To prepare for the attack, DGA first symmetrizes the edge probability matrix B for undirected graphs as P̄ = (1/2)(B + B^⊤). Next, we compute the difference score matrix S = (P̄ − A) ⊙ (1 − 2A), where ⊙ denotes element-wise multiplication. Here we flip the sign of the difference score for every connected edge in the original graph A, which allows us to identify the existing edges with the most significant negative impact, as well as the non-existent edges with the most potent positive influence on the attack objective. The resulting difference score matrix S is employed to construct a categorical distribution, from which we sample perturbations to obtain the poisoned graph.
Taking into account the allocated attack budget, we sample Δ edges from the categorical distribution without replacement and flip them, thereby generating a poisoned graph. Subsequently, we train models from scratch on this poisoned graph, allowing us to assess the attack's performance on a specific model.
In practice, we repeat this sampling process multiple times and select the instance that yields the best ℓ_atk (attack loss) value.
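The train-then-sample stage described above can be sketched as follows (pure Python; the helper name `poison` is ours, and a real implementation would operate on sparse tensors):

```python
# Sketch of the sampling stage: symmetrize the learned probability map,
# score every candidate flip with S = (P_bar - A) * (1 - 2A), then draw
# delta flips without replacement from a categorical over the positive scores.
import random

def poison(P, A, delta, rng):
    n = len(A)
    # Symmetrize: P_bar = (P + P^T) / 2
    Pb = [[(P[i][j] + P[j][i]) / 2 for j in range(n)] for i in range(n)]
    # Sign flip for existing edges: a high score marks either an influential
    # edge addition (A_ij = 0) or an influential edge removal (A_ij = 1).
    scores = {(i, j): (Pb[i][j] - A[i][j]) * (1 - 2 * A[i][j])
              for i in range(n) for j in range(i + 1, n)}
    flips = []
    for _ in range(delta):                        # sample without replacement
        cands = [e for e in scores if e not in flips and scores[e] > 0]
        total = sum(scores[e] for e in cands)
        r, acc = rng.random() * total, 0.0
        for e in cands:
            acc += scores[e]
            if acc >= r:
                flips.append(e)
                break
    poisoned = [row[:] for row in A]
    for i, j in flips:                            # flip the sampled edges
        poisoned[i][j] = poisoned[j][i] = 1 - poisoned[i][j]
    return poisoned, flips
```

Repeating this routine with different random seeds and keeping the poisoned graph with the best attack loss reproduces the multi-sample selection described above.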

CONVERGENCE ANALYSIS
Before the t-th iteration, our algorithm samples edges for each node i via the Gumbel-Top-k trick, which is equivalent to sampling k edges without replacement [25] from p_i^t = softmax(Θ^t_{i,1}, . . . , Θ^t_{i,N}), the normalized probabilities corresponding to the i-th row of Θ^t. This results in the sparsified log-probabilities q̃_t = Diag(s_t) q_t, where s_t ∈ {0, 1}^{N²} is a binary vector that stores the sampled edges for each node, i.e., (s_t)_e = 1 if edge e is sampled and 0 otherwise. Note that the sampled adjacency matrix Ã_t is just the binarized copy of q̃_t. For brevity, we define Φ(q) = L_atk(θ̃, q) with θ̃ = θ − α ∇_θ L_train(θ, q). We make some regularity assumptions on the loss functions.
Assumption 1. Suppose that the loss function L_atk is Lipschitz continuous with a Lipschitz-continuous gradient, while L_train has a Lipschitz-continuous gradient and Hessian.
The proof of Lemma 1 can be found in Appendix A. With the sparsified q̃_t, we approximate the objective function Φ(q_t) by Φ(q̃_t), and the approximation error satisfies

|Φ(q_t) − Φ(q̃_t)| ≤ O(∥q̃_t − q_t∥_2),

where ∥q̃_t − q_t∥_2 is the estimation error caused by the edge sampling per iteration. Besides, the hyper-gradient ∇Φ(q) in (4) can be estimated by ∇Φ(q̃), where ∇Φ(q̃) is the vectorized ∇Θ in Alg. 1. Next, we present the main theorem on convergence.

Theorem 2. Under the assumptions above, our algorithm with a proper step size η satisfies

E[∥∇Φ(q_τ)∥²] ≤ O(1/T) + Avg.Err.,

where τ is sampled from {0, 1, . . . , T − 1} uniformly at random and Avg.Err. is the average error due to edge sampling across the T iterations, i.e., a term proportional to the average of ∥q̃_t − q_t∥_2 over t = 0, . . . , T − 1.
The proof of Theorem 2 can be found in Appendix A. Theorem 2 demonstrates that our algorithm exhibits an O(1/T) non-asymptotic convergence rate with an appropriately chosen constant step size η, the same as that of gradient descent. While opting for a larger value of k can be advantageous from the estimation/optimization perspective, it results in worse expressiveness and efficiency, as explained in Section 3.2. Therefore, we can manage the trade-off between estimation/optimization error and expressiveness/efficiency by adjusting the hyper-parameter k. Fortunately, the estimation error ∥q̃_t − q_t∥_2 can be negligible even with a small k when the distribution constructed by p_i concentrates its mass on a few edges (e.g., follows a power law), thanks to the Gumbel-Top-k sampling.

EXPERIMENTS
Our proposed attack method, DGA (Differentiable Graph Attack), is evaluated through a series of experiments aimed at demonstrating its effectiveness and efficiency. The experimental settings are introduced in Section 5.1. The attack performance and the generalizability and transferability of DGA are analyzed in Section 5.2.
We also report the computational complexity of DGA in Section 5.3. Furthermore, we conduct experiments with defense methods in Section 5.4 to demonstrate the robustness of our approach. Additionally, we present a study on the Gumbel-k hyper-parameter in Section 5.5 and provide a visualization of the distribution of the generated poisoned graph in Section 5.6.

Experimental Settings
Dataset. The experiments are conducted on three widely-used datasets: two citation network datasets, namely CiteSeer [40] and Cora [35], and one social network dataset, PolBlogs [1]. All experiments are performed on the largest connected component (LCC) of the graphs, ensuring that only the main connected portion of each graph is considered for analysis and evaluation. Following previous works [20,66], we randomly split the datasets into train, validation, and test sets using a 10%, 10%, and 80% ratio, respectively. For each experiment, we report the average performance over 10 runs. The statistics for the LCC of these datasets are summarized in Table 1.
Victim Models. Following previous methods, we first take the widely-used GCN [24] as our victim model. Moreover, as we adopt a gray-box setting, in which the model architecture is considered unknown, we further conduct experiments with Graph Attention Network (GAT) [48] and DeepWalk [38] to measure the transferability of DGA. Additionally, to assess the effectiveness of our proposed DGA attack method, we evaluate its robustness against existing defense methods, namely GCN-Jaccard and GCN-SVD.

Perturbation Budgets. To be closer to real-world scenarios and to demonstrate the imperceptibility of the attack method, we set 1%, 3%, and 5% as the perturbation budgets in our experiments; each method is allowed to modify 1%, 3%, and 5% of the number of edges in the original graph, respectively.

Baselines. To assess the effectiveness and applicability of DGA, we conduct a comprehensive comparison with six representative baselines: the heuristic-based method DICE [53] and the learning-based methods Meta-Self, Meta-Train, A-Meta-Self, A-Meta-Train [67], and GraD [30].
Additional information about the experimental setup, implementation, and baselines can be found in Appendix B. (The code will be made publicly available once accepted.)

Attack Performance
Table 2 presents the test accuracy results of the proposed DGA method compared to the baselines. The accuracy values for the original clean graphs are reported under the 0% perturbation rate column. Remarkably, DGA outperforms or closely approximates the best performance on 8 out of 9 metrics, while requiring significantly less training time (over 6 times faster) and GPU memory (over 11 times less) than the previous SOTA Meta-Self and Meta-Train methods. Additionally, DGA demonstrates strong attack performance even at low perturbation rates, causing a 3% to 4% drop in test accuracy with only a 1% budget. Notably, the DGA-FOA method consistently achieves better results than its counterpart, DGA-FDA, on 7 out of 9 metrics. This observation suggests that the first-order approximation exhibits greater robustness and efficacy in practical applications. Detailed descriptions and reproduction information for these baselines can be found in Appendix B.4. Note that the GraD paper [30] evaluates performance on the overall graph, distinct from the commonly used LCC setting. Standard deviations of these experiments are provided in Appendix C.1.

Generalizability and Transferability. To be consistent with the gray-box attack setting, in which attackers have no information on the victim model, we evaluate the generalizability and transferability of DGA with two different graph models. We conduct experiments with both the supervised attention-based method GAT [48] and the unsupervised random-walk-based method DeepWalk [38], trained on the DGA-poisoned graphs. These graphs are derived using GCN as the surrogate model. Detailed descriptions of these base models are provided in Appendix B.3. The results, shown in the GAT and DeepWalk sections of Table 4, demonstrate that our method transfers well to both GAT and DeepWalk, achieving the best or second-best performance on 11 out of 18 metrics. Note that since the graph poisoned by DICE contains isolated nodes, we do not evaluate DeepWalk with this method.

Training Time and Memory Usage.
Table 3 presents a comparison of training time and maximum GPU memory usage between the proposed DGA method and the baselines at a 5% perturbation rate. Regarding training time, our DGA methods demonstrate significant efficiency: compared to the previous SOTA methods, DGA achieves training time reductions of over 5, 6, and 16 times on the CiteSeer, Cora, and PolBlogs datasets, respectively. Our DGA methods are also far more economical in GPU memory, with reductions of over 11, 12, and 15 times on the CiteSeer, Cora, and PolBlogs datasets, respectively. Additional comparisons with other budgets can be found in Appendix C.2. It is worth noting that DICE is a random perturbation method that runs quickly and does not utilize GPU resources. These findings highlight the computational advantages of DGA, making it a highly efficient and scalable solution for adversarial attacks on graph structures. The substantial reductions in training time and GPU memory usage signify the potential of DGA for practical deployment.

Robustness against Existing Defense Methods
To evaluate the effectiveness of our proposed DGA attack method, we conduct experiments to test its robustness against existing defense methods. By doing so, we aim to assess whether our attack method can overcome these defenses and reveal previously undiscovered vulnerabilities. We test DGA against two popular defense methods, namely GCN-Jaccard [57] and GCN-SVD [10]; detailed descriptions of these defense models are provided in Appendix B.3. In these experiments, the poisoned graphs are first vaccinated with the defense models, and then a GCN model is trained from scratch on the vaccinated graph. We report the classification accuracy of the resulting GCN model. Results are shown in the Low-rank SVD and Jaccard sections of Table 4. Note that we cannot apply Jaccard on the PolBlogs dataset, as this dataset does not contain node features. Our method achieves the best or second-best performance compared with the baselines on 11 out of 15 metrics. These results demonstrate the effectiveness of our DGA attack method in overcoming existing defense methods and exposing potential vulnerabilities of GNN models.

Impact of Gumbel-𝑘
In this section, we conduct ablation studies on the hyper-parameter k of the Gumbel-Top-k trick in DGA-FOA using the Cora dataset. As shown in Table 5, the performance of DGA remains relatively stable across different perturbation rates for varying values of k. However, we observe that performance first improves and then declines as k increases: beyond a certain threshold, the graph becomes dense and closely resembles a fully-connected graph, leading to overfitting and over-squashing of the GNNs and hence reduced generalization. Notably, the average degree of the dataset is around 2, as indicated in Table 1, and the ablation study shows that the best-performing DGA configurations are achieved when k is set around the average degree of the dataset. While higher k values may improve DGA's ability to exploit complex structures, they come at the cost of increased computational resources. Hence, we suggest choosing k near the average degree of the graph to achieve a good balance between performance and computational efficiency.
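The heuristic above is easy to apply in practice. A minimal sketch (assuming an undirected edge list; the helper name is ours):

```python
# Sketch: pick the Gumbel-k hyper-parameter near the average degree of the
# clean graph, as suggested by the ablation study.

def average_degree(num_nodes, edges):
    # Each undirected edge contributes to the degree of both endpoints.
    return 2 * len(edges) / num_nodes

edges = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]   # toy undirected graph
k = max(1, round(average_degree(4, edges)))         # 2 * 5 / 4 = 2.5
assert k == 2
```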

Visualization and Analysis of DGA Attacked Graphs
To elucidate the impact of the attack on the graph structure and its implications for the performance and behavior of the targeted model, we visualize three properties of the clean and poisoned graphs on the CiteSeer dataset, as shown in Figure 3. Additional visualizations on other datasets are provided in Appendix C.3. First, the node degree distributions of the clean and perturbed graphs are shown in Figure 3a. Notably, the degree distributions of the two graphs are highly similar, which provides evidence for the imperceptibility of our proposed DGA attack. Furthermore, we present the feature similarity and label equality analysis for different types of edges in the graphs, as shown in Figure 3b and Figure 3c, respectively. We observe that DGA tends to connect nodes that possess dissimilar features and different labels, while removing edges that link nodes sharing similar features and the same label. These observations align with the homophily assumption underlying GNNs, as perturbations that violate homophily are known to be particularly damaging.

RELATED WORK
Adversarial Attacks on Graphs aim to interfere with the performance of graph neural networks by introducing subtle perturbations to graph data. Following the taxonomy in recent surveys [21,42], adversarial attacks on GNNs can be classified based on several factors, including the level of the task being performed (e.g., node-level tasks [4,10,54,66] or graph-level tasks [7,44]), the goal of the attack (e.g., targeted [57,66] or untargeted/global attack [67]), the phase of the attack (e.g., poisoning attack [6,28,43] or evasion attack [4,50]), the level of knowledge that the attacker has about the model (e.g., white-box [49,54], black-box [7,32,33], or gray-box [3,43,67]), and the perturbation type of the attack (e.g., perturbing node features [32,66], perturbing graph structure [29,67], or injecting new nodes [43,47,65]). Different combinations of these scenarios present unique challenges and require different approaches to design effective attacks and defenses.
In this paper, we focus on the practical problem setting of a node-level, untargeted, gray-box poisoning attack on graph structure [21,29,30,54,57,67]. Previous works formulate this setting as a bi-level optimization problem and try to solve it on the discrete graph structure. MetAttack [67] first employs a meta-learning approach and treats the input data as a hyper-parameter to learn. It adopts a greedy algorithm to obtain the discrete graph structure by selecting one bit to flip at a time, iteratively for each bit in the perturbation budget. Building on the meta-learning framework, AtkSE [29] approximates the continuous distribution of hyper-gradients using discrete edge-flipping intervals. GraD [30] introduces a novel attack objective to address the gradient bias. However, as illustrated in Figure 1, the meta-gradient calculation of these approaches requires computing the Hessian matrix and accumulating trained-from-scratch inner-loop iterations, resulting in time- and resource-intensive operations that are repeated until the perturbation budget is filled. To achieve effective attacks while minimizing time and resource costs, we propose a novel approach that relaxes the graph structure and learns a continuous edge probability map with attack gradients. By simultaneously updating the graph structure and surrogate model parameters, we can efficiently sample optimal perturbation sets from the learned probability map, enabling continuous budget-constrained search.

Continuous Relaxation on Graph Structure was first explored in graph structure learning [64]. For instance, LDS [2] incorporates a probabilistic map as a graph generator to model the adjacency matrix of the graph. DGM [22] augments the graph structure through continuous updates with a differentiable graph module and a diffusion module. NeuralSparse [15] learns k-neighbor subgraphs for robust graph representation learning by selecting at most k edges for each node. PTDNet [31] introduces a denoising map drawn from a Bernoulli distribution and learns to drop task-irrelevant edges. In contrast to these previous works, our proposed DGA, taking an adversarial learning perspective, is the first to employ continuous relaxation on graph structure and utilize learnable probabilities for attacking GNNs. Notably, Xu et al. [57] proposed a white-box graph attack with continuous relaxation on the perturbation map, using projected gradient descent to update the perturbations. In contrast, DGA adopts stochastic gradient descent to directly update the graph structure, enabling better flexibility, transferability, and interpretability.

CONCLUSIONS, LIMITATIONS AND SOCIAL IMPACT
This paper proposes a poisoning attack model on graph-structured data. Our approach, DGA, leverages continuous relaxation and parameterization of the graph structure to generate effective and efficient attacks. DGA outperforms or approximates the state-of-the-art performance on a variety of benchmark datasets, with significantly less training time and GPU memory usage than existing methods. We also provide extensive analysis of the transferability of our approach to other graph models, as well as its robustness against widely-used defense mechanisms. These results can help assess the robustness of existing GNN methods and guide the development of new defense strategies against adversarial attacks. Additionally, DGA can be extended to large-scale graphs simply with neighbor-sampling training mechanisms, which remains a direction for future exploration.

ETHICAL CONSIDERATIONS
It is worth noting the potential negative social impact of this work.
The proposed poisoning attack model, if misused, can significantly impact the robustness and integrity of GNNs.This is a reminder of the importance of protecting the privacy of data, including attributes of nodes, training labels, and graph structure, to prevent malicious exploitation and unauthorized attacks.

A PROOF OF THEOREM 2
First, we formally state the assumptions of Theorem 2.
Proof. First, for any q, q′, we define θ′ = θ − α ∇_θ L_train(θ, q′). We further bound the resulting terms, where E_t[·] refers to the expectation conditioned on the randomness before iteration t, and Young's inequality leads to (8). Plug (8) into (7) and re-arrange the terms.
Set the corresponding coefficient to 1/4 and use the tower property of expectation.
Apply a telescoping sum from t = 0 to T − 1 and divide both sides by T.

□

B EXPERIMENTAL SETUP

B.1 Dataset Description
CiteSeer [40] is a citation network containing 3,312 scientific publications classified into 6 classes. The network consists of 4,732 links, and each publication is represented by a binary word vector indicating the presence or absence of words from a dictionary of 3,703 unique words.

Cora [35] is another citation network comprising 2,708 scientific publications classified into seven classes. The network includes 5,429 links, and each publication is represented by a binary word vector indicating the presence or absence of words from a dictionary of 1,433 unique words.

PolBlogs [1] is a graph with 1,490 vertices representing political blogs and 19,025 edges representing links between blogs. The links are automatically extracted from the front pages of the blogs. Each vertex is labeled as either liberal or conservative, indicating the political leaning of the blog.

B.2 Implementation Details.
Our method is implemented using the PyTorch [37] and PyTorch Geometric [12] frameworks, with training conducted using the Adam optimizer [23]. The experiments are carried out on a single NVIDIA RTX A5000 24GB GPU. The search space for model and training hyperparameters can be found in Table 6. Note that the number of fine-tuning iterations is applicable to DGA-FOA only, whereas for DGA-FDA it is set to 1, indicating one-step optimization. For all experiments, optimal hyperparameters are selected based on performance on the validation set.

B.3 Base Model Description
Graph Attention Network (GAT) [48] is a neural network architecture that performs graph convolutions using attention mechanisms to selectively aggregate information from neighboring nodes. It is frequently employed as a foundational layer of defenses against adversarial attacks.
DeepWalk [38] is an unsupervised learning method that aims to learn low-dimensional representations of nodes in a graph. It generates random walks within the graph and applies the skip-gram model to learn node embeddings. As DeepWalk is trained in an unsupervised manner without node features or graph convolutions, this transfer setting is more challenging.
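As a concrete illustration of DeepWalk's corpus-generation step, the sketch below produces truncated random walks over a toy adjacency list; the subsequent skip-gram training is omitted, and the function name and toy graph are illustrative assumptions, not DeepWalk's reference implementation.

```python
import random

def random_walks(adj, num_walks, walk_length, seed=0):
    """Generate truncated random walks over an adjacency list
    (node -> list of neighbors). This is only the corpus step;
    skip-gram training on the walks would follow."""
    rng = random.Random(seed)
    walks = []
    for _ in range(num_walks):
        for start in adj:
            walk = [start]
            while len(walk) < walk_length:
                neighbors = adj[walk[-1]]
                if not neighbors:
                    break  # dead end: truncate the walk
                walk.append(rng.choice(neighbors))
            walks.append(walk)
    return walks

# Toy graph: a triangle (0, 1, 2) with a pendant node 3.
adj = {0: [1, 2], 1: [0, 2], 2: [0, 1, 3], 3: [2]}
walks = random_walks(adj, num_walks=2, walk_length=5)
```

Each walk is a node sequence in which consecutive nodes are connected, so the skip-gram context windows over these sequences capture graph proximity.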
GCN-Jaccard [54] is a defense method that preprocesses the graph before training. It computes the Jaccard similarity between the feature vectors of the two endpoint nodes of each edge and removes edges whose similarity falls below a threshold, based on the observation that adversarial edges tend to connect dissimilar nodes. By pruning such edges, GCN-Jaccard aims to improve the robustness of graph models against adversarial attacks.
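The edge-pruning rule behind GCN-Jaccard can be sketched as follows; `prune_edges`, the toy features, and the threshold value are illustrative assumptions, not the reference implementation.

```python
def jaccard(x, y):
    """Jaccard similarity between two binary feature vectors."""
    inter = sum(1 for a, b in zip(x, y) if a and b)
    union = sum(1 for a, b in zip(x, y) if a or b)
    return inter / union if union else 0.0

def prune_edges(edges, features, threshold=0.01):
    """Keep only edges whose endpoint features are similar enough
    (a sketch of the GCN-Jaccard preprocessing step)."""
    return [(u, v) for u, v in edges
            if jaccard(features[u], features[v]) >= threshold]

features = {0: [1, 1, 0], 1: [1, 0, 0], 2: [0, 0, 1]}
edges = [(0, 1), (0, 2)]
# Edge (0, 2) connects nodes with no shared features (similarity 0)
# and is pruned; edge (0, 1) has similarity 0.5 and is kept.
kept = prune_edges(edges, features, threshold=0.3)
```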
GCN-SVD [10] is a defense method that mitigates adversarial attacks by replacing the adjacency matrix with its low-rank SVD reconstruction. By discarding the smaller singular components, GCN-SVD aims to preserve the essential structural information while suppressing the influence of potential adversarial perturbations.
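The low-rank preprocessing step can be sketched with NumPy's truncated SVD; `low_rank_adjacency` and the toy matrix are illustrative, and the rank would be a tuned hyperparameter in practice.

```python
import numpy as np

def low_rank_adjacency(A, rank):
    """Rank-r reconstruction of the adjacency matrix via truncated SVD
    (a sketch of the GCN-SVD preprocessing step)."""
    U, s, Vt = np.linalg.svd(A, full_matrices=False)
    return U[:, :rank] @ np.diag(s[:rank]) @ Vt[:rank, :]

# Toy adjacency matrix of a 3-node star graph.
A = np.array([[0., 1., 1.],
              [1., 0., 0.],
              [1., 0., 0.]])
A_low = low_rank_adjacency(A, rank=1)
```

The rank-r result is generally dense and real-valued; it is fed to the GCN in place of the original adjacency matrix.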

B.4 Baseline Reproduction Detail
DICE [53] (Delete Internally, Connect Externally) is an attack method that modifies the graph structure to undermine the performance of targeted models. It achieves this by randomly removing edges between nodes with the same label and inserting edges between nodes with different labels. This manipulation of the graph aims to disrupt the original connectivity patterns and induce misclassification errors in the targeted model. For our implementation of the DICE attack, we use the code provided in the DeepRobust package [26].
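A minimal sketch of the DICE perturbation loop (our own simplification, not the DeepRobust implementation) looks like this:

```python
import random

def dice_attack(edges, labels, budget, seed=0):
    """Sketch of DICE: with equal probability, delete an internal edge
    (same-label endpoints) or connect an external pair (different-label
    endpoints), until `budget` perturbations are spent."""
    rng = random.Random(seed)
    edges = set(edges)
    nodes = list(labels)
    for _ in range(budget):
        internal = [e for e in edges if labels[e[0]] == labels[e[1]]]
        if internal and rng.random() < 0.5:
            edges.remove(rng.choice(internal))  # delete internally
            continue
        while True:  # connect externally: sample a cross-label non-edge
            u, v = rng.sample(nodes, 2)
            if labels[u] != labels[v] and (u, v) not in edges \
                    and (v, u) not in edges:
                edges.add((u, v))
                break
    return edges

labels = {0: 0, 1: 0, 2: 1, 3: 1}
clean = {(0, 1), (2, 3)}  # one internal edge per class
poisoned = dice_attack(clean, labels, budget=2)
```

Since deletions only touch same-label edges and additions only create cross-label edges, no perturbation can be undone, so the attack spends exactly `budget` edge flips.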
MetAttack [67] is an attack method that utilizes meta-learning to solve a bi-level optimization problem. It employs a greedy approach, selectively perturbing one edge at a time to maximize the adversarial impact on the targeted model. The method includes four variants, each employing a different loss function and optionally incorporating a first-order approximation: Meta-Train, Meta-Self, A-Meta-Train, and A-Meta-Self. Note that the "Train" variants use cross-entropy loss on the training set, while the "Self" variants use a self-training loss with pseudo-labels; the "A-" variants use first-order approximations during the optimization process. For reproduction, we rely on the code available in the DeepRobust package [26] with its default hyperparameters.
GraD [30] is a recent attack method that leverages the meta-learning framework and introduces a novel attack objective to mitigate gradient bias. Its authors report that it outperforms MetAttack in terms of overall graph performance across the datasets, rather than focusing only on the largest connected component. For reproduction, we use the official code and the default hyperparameters provided at https://github.com/Zihan-Liu-00/GraD--NeurIPS22.

C ADDITIONAL EXPERIMENTAL RESULTS
C.1 Results with Standard Deviation
The standard deviations of the experiments conducted on GCN, GAT, DeepWalk, and the GCN models vaccinated with low-rank SVD approximation (GCN-SVD) and Jaccard similarity (GCN-Jaccard), as described in Section 5, are presented in Tables 7 to 11, respectively. The standard deviations are calculated over 10 runs, providing a reliable estimate of the variation in the experimental results. The consistently low variability across runs highlights the effectiveness, stability, and reliability of our proposed method.

C.2 Computation Complexity with 1% and 3% Perturbation Rates
Table 12 and Table 13 compare the training time and peak GPU memory usage of the proposed DGA method and the baselines at perturbation rates of 1% and 3%, respectively. Our approach demonstrates notable advantages over the baselines, including significantly reduced training time and lower memory usage, and it maintains consistent computational efficiency as the perturbation rate increases. These results highlight the computational benefits of DGA, making it an efficient and scalable solution for adversarial attacks on graph structures, with promising potential for real-world applications involving large-scale graphs.

C.3 Visualization for the Cora and PolBlogs Datasets
We present a visual comparison of statistics between the poisoned graph generated by DGA and the original clean graph. Specifically, we analyze the node degree distribution, node feature similarity, and label equality on the Cora and PolBlogs datasets, as shown in Figure 4. To improve visualization, we scale the x-axis of the node degree distribution plot. Notably, we consistently observe similar trends and patterns in these statistics across the Cora and PolBlogs datasets, reaffirming our previous observations on the CiteSeer dataset outlined in Sec. 5.2. This visual comparison offers a better understanding of the attack's influence on the graph structure and its implications for the performance and behavior of the targeted model, contributing to our overall assessment of the effectiveness and impact of the proposed DGA method.

(1) gray-box, in which the attackers have access to complete information about the training data but zero knowledge about the specifics of the underlying model; to overcome this challenge, surrogate models are utilized to approximate and simulate the behavior of the target model; (2) poisoning, in which the attacker's goal is to increase the classification error (i.e., one minus accuracy) of a model trained on the modified (i.e., poisoned) data; (3) graph structure attack, in which the attacker's perturbation type is adding/removing edges; to ensure the attack remains undetected, a maximum perturbation budget Δ restricts the difference between the perturbed graph structure A′ and the original structure A such that ∥A′ − A∥₀ ≤ 2Δ; (4) untargeted/global, in which the attacker's goal is to compromise the overall node classification performance of the model instead of targeting individual nodes.
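The budget constraint can be checked directly by counting differing adjacency entries; since the adjacency matrix is symmetric, each flipped edge changes two entries, hence the factor of 2. `within_budget` below is an illustrative helper, not part of DGA:

```python
def within_budget(A, A_pert, delta):
    """Check the L0 constraint ||A' - A||_0 <= 2 * delta on symmetric
    adjacency matrices (each flipped edge changes two entries)."""
    diff = sum(1 for row_a, row_b in zip(A, A_pert)
               for a, b in zip(row_a, row_b) if a != b)
    return diff <= 2 * delta

A      = [[0, 1, 0], [1, 0, 0], [0, 0, 0]]
A_pert = [[0, 1, 1], [1, 0, 0], [1, 0, 0]]  # edge (0, 2) added: 2 entries flip
```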

Figure 2: Illustration of the DGA framework. Node colors indicate different classification labels.

Figure 3: Visualization of statistics of the poisoned graph compared to the original clean graph. Here we provide a comparison of (a) the node degree distribution, (b) the node feature similarity, and (c) the label equality between clean and DGA-poisoned graphs on the CiteSeer dataset. Note that the x-axis of the node degree distribution plot is scaled for better visualization.

Let the labeled node set be V_L = {v_1, v_2, · · · }. The goal is to learn a function f to infer the labels of nodes in the unlabeled node set V_U = V \ V_L. Without loss of generality, we collectively use X ∈ R^{N×d} to denote the node features of all nodes in the graph, where d is the dimension of the feature vectors. Additionally, we denote the adjacency matrix associated with this graph as A ∈ {0, 1}^{N×N}. For each entry (i, j) in A, A_{i,j} = 1 if (i, j) ∈ E and 0 otherwise. In this context, the neighborhood of node i is denoted as N(i) = {j ∈ V : (i, j) ∈ E}.
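The adjacency and neighborhood definitions can be made concrete with a small helper (illustrative only) that builds a dense adjacency matrix from an edge list and reads off a node's neighborhood:

```python
def build_adjacency(num_nodes, edge_list):
    """Dense adjacency matrix A with A[i][j] = 1 iff (i, j) is an edge."""
    A = [[0] * num_nodes for _ in range(num_nodes)]
    for i, j in edge_list:
        A[i][j] = 1
        A[j][i] = 1  # undirected graph: A is symmetric
    return A

def neighborhood(A, i):
    """N(i) = {j : (i, j) in E}, read from row i of A."""
    return {j for j, a in enumerate(A[i]) if a}

# A 4-node path graph: 0 - 1 - 2 - 3.
A = build_adjacency(4, [(0, 1), (1, 2), (2, 3)])
```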
Given a graph G, the node embeddings are obtained by using a GNN model f_θ(X, A), parameterized by θ. Particularly, the GNN model takes the node features X and the adjacency matrix A as input and outputs the logits of each node.

Table 2: Test accuracy (%) of the GCN model after training with clean and poisoned graphs. The average performance is calculated over 10 runs. The top-two results are highlighted as 1st (bold) and 2nd (underlined). The standard deviations are provided in Appendix C.

Table 4: Evaluation of DGA in generalizability, transferability, and robustness against existing defense methods. The first two sections show the test accuracy (%) of GAT [48] and DeepWalk [38] models trained with both clean and poisoned graphs, where the surrogate model is GCN. The last two sections show the test accuracy (%) of GCN models trained with clean and poisoned graphs and subsequently vaccinated with two commonly-used defense mechanisms, namely low-rank SVD approximation [10] (GCN-SVD) and Jaccard similarity [57] (GCN-Jaccard). To ensure comprehensive evaluation, we conduct 10 runs and report the average performance. The top-two results are highlighted as 1st (bold) and 2nd (underlined). The standard deviations are provided in Appendix C. Note that we cannot apply Jaccard on PolBlogs, as this dataset does not contain node features.

Table 5: Test accuracy (%) of the GCN model after training with clean and DGA-poisoned graphs optimized with different k values in the Gumbel top-k trick on the Cora dataset. The best results are highlighted in bold.
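For reference, the Gumbel top-k trick draws k distinct indices by perturbing each (log-)score with independent Gumbel(0, 1) noise and keeping the k largest keys; the sketch below is a generic illustration of the sampling step, not DGA's implementation:

```python
import math
import random

def gumbel_top_k(scores, k, seed=0):
    """Sample k distinct indices with probability proportional to
    exp(scores): add i.i.d. Gumbel(0, 1) noise (g = -log(-log U))
    to each score and take the indices of the k largest keys."""
    rng = random.Random(seed)
    keys = [s - math.log(-math.log(rng.random())) for s in scores]
    return sorted(range(len(scores)), key=keys.__getitem__, reverse=True)[:k]

picked = gumbel_top_k([2.0, 0.5, 1.0, 3.0], k=2)
```

In a differentiable attack the hard top-k would be relaxed (e.g., with a softmax over the perturbed keys) so that gradients can flow to the scores; here we only show the discrete sampler.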

Table 12: Comparison of training time (in seconds) and GPU memory occupancy (in MB) after the attack between DGA and the baselines with a 1% perturbation rate. For a fair comparison, all experiments are conducted on a single 24GB NVIDIA RTX A5000 GPU.

Table 13: Comparison of training time (in seconds) and GPU memory occupancy (in MB) after the attack between DGA and the baselines with a 3% perturbation rate. For a fair comparison, all experiments are conducted on a single 24GB NVIDIA RTX A5000 GPU.