Title: Sparse Vicious Attacks on Graph Neural Networks

Abstract: Graph Neural Networks (GNNs) have proven to be successful in several predictive modeling tasks for graph-structured data.
Amongst those tasks, link prediction is one of the fundamental problems for many real-world applications, such as recommender systems.
However, GNNs are not immune to adversarial attacks, i.e., carefully crafted malicious examples that are designed to fool the predictive model.
In this work, we focus on a specific, white-box attack to GNN-based link prediction models, where a malicious node aims to appear in the list of recommended nodes for a given target victim.
To achieve this goal, the attacker node may also count on the cooperation of other existing peers that it directly controls, namely on the ability to inject a number of ``vicious'' nodes in the network.
Specifically, all these malicious nodes can add new edges or remove existing ones, thereby perturbing the original graph.
Thus, we propose SAVAGE, a novel framework and a method to mount this type of link prediction attacks.
SAVAGE formulates the adversary's goal as an optimization task, striking the balance between the effectiveness of the attack and the sparsity of malicious resources required.
Extensive experiments conducted on real-world and synthetic datasets demonstrate that adversarial attacks implemented through SAVAGE indeed achieve high attack success rate yet using a small amount of vicious nodes.
Finally, despite those attacks require full knowledge of the target model, we show that they are successfully transferable to other black-box methods for link prediction.