T-Attack: Toward Black-Box Adversarial Attacks on GNN-Based Trust Prediction in OSNs

Abstract

The remarkably developed graph neural networks (GNNs) are extensively applied to specific tasks in online social networks (OSNs), especially in the vital domain of social trust. Meanwhile, the vulnerability of GNN applied in trust assessment can be exposed leveraging the deployment of subtly designed adversarial attacks. However, the predominant adversarial attack strategies targeting GNN are manipulating graph structure, which is not well-suited for social trust prediction tasks. In this article, we craft a novel black-box attack strategy, T-Attack, aimed at trust evaluation tasks, without tampering with the network structure of the specific trust prediction models. Specifically, a surrogate model is initially established to replicate trust prediction models based on GNN. The attack strategy on the surrogate model is formulated by adding unnoticed perturbations to user features related to network structure and manipulating the existing trust rating based on prior knowledge of social trust propagation, thereby avoiding a traditional attack against the GNN-based trust prediction model via modifying graph structure. By leveraging transferable attacks, our attack strategy can also distort the predictions of GNN-based trust prediction models. Through implementing extensive experiments in untargeted attack scenarios, we demonstrate the predictive performance of our crafted surrogate model and verify the effectiveness of the attack strategy on various GNN-based trust prediction models.

1. Introduction

Serving as a platform for information dissemination and communication, OSNs have significantly enhanced the convenience of daily life and social interactions [1,2,3]. Despite offering myriad benefits, social networks inevitably give rise to numerous issues related to information security, such as abnormal accounts, online rumors, privacy leaks and financial fraud [4,5,6]. Therefore, establishing a precise and reliable social trust evaluation model in OSNs is crucial in tackling the widespread information security challenges prevalent in these platforms [7].

Social trust represents the extent of trust between two individuals, functioning as the cornerstone for establishing new interactions among users in OSNs. Over the past decades, the academic research community has increasingly focused its attention on social trust prediction, including MoleTrust [8], TrustRank [9], TidalTrust [10], AssessTrust [4] and OpinionWalk [11]. Unfortunately, considering the complex nature of OSNs, these methodologies are insufficient to accurately determine trust ratings of pairwise users. In recent years, concomitant with the rapid growth and extensive applications of deep learning methodologies, graph neural networks (GNNs) [12,13] have emerged as a powerful tool to address the challenge of trust assessment in OSNs, yielding commendable empirical outcomes [14,15,16]. These approaches take advantage of multilayer GNN  [17,18] to model social trust aggregation and propagation, which are crucial for trust assessment.

Nevertheless, the inherent vulnerability of GNN makes GNN-based social trust evaluation models susceptible to adversarial attacks, which mislead the results of trust prediction. Specifically, OSNs that incorporate trust relationships can be treated as a complex graph. Adversarial attacks can degrade the performance of the GNN-based social trust evaluation model by attacking the complex graph. In recent years, the mainstream attack strategies for graphs concentrate on manipulating graph structure (i.e., adding or removing edges or nodes from the graph). NETTACK [19] is a typical example, which creates adversarial graphs iteratively, based on changes in confidence scores after adding perturbations in the graph. By making full use of the gradient of the victim model to manipulate graph structure, BinarizedAttack [20] can utilize data poisoning to attack graph anomaly detection models. NAG-R [21] leverages Nesterov Accelerated Gradient (NAG) to generate node perturbations while simultaneously executing a rewiring process to preserve key graph properties, such as total degree, thereby ensuring the perturbations remain imperceptible. TGA [22] is the first adversarial attack method for dynamic network link prediction. It modifies a selected number of edges in the time-varying graph by leveraging gradients computed from deep dynamic network embeddings across various snapshots.

However, most of the aforementioned attack solutions fall into manipulating graph structure (e.g., add or remove edge in the graph), while overlooking the underlying mechanism of trust propagation. In addition, existing research on attack trust prediction tools focuses mainly on the Non-GNN-based model [23,24]. Correspondingly, the majority of research endeavors focusing on graph defense or detection are specifically tailored to address this type of graph structure manipulation [25,26,27]. Consequently, this narrow concentration on graph structure manipulation creates a significant security blind spot, rendering existing trust assessment approaches ineffective against attacks crafted through other methodologies. To address this issue, it is crucial to explore innovative attack methodologies that can bypass these limitations, especially those that operate under the black-box conditions common in real-world OSNs where service providers protect their models.

In this paper, we present a novel and effective black-box attack strategy named T-Attack for misleading the results of GNN-based trust assessment models in OSNs, without manipulating graph structure. Our attack strategy establishes a surrogate model to predict trust scores for user pairs in OSNs. Instead of directly attacking the GNN-based trust prediction model, we treat the surrogate model as the attack target to design our strategy. We then transfer this strategy to victim GNN-based trust prediction models, corrupting their prediction results. In particular, we first design a GNN-based surrogate model that learns the law of social trust aggregation and propagation for trust assessment. Aimed at the surrogate model, we design our solution to implement the untargeted attack. We select the trust level with the lowest probability in the prediction results of the surrogate model as the target label to formulate the loss function of an adversarial attack model. Additionally, we employ Euclidean distance and Cosine similarity as the penalty terms of the loss function. Using the loss function, we design a neural network-based model to generate adversarial samples, which introduces unnoticed perturbations to user features related to graph network structure. Subsequently, leveraging the pre-existing understanding of social trust propagation, we manipulate the trust rating between users to disrupt the crucial social trust chain between users in OSNs, thereby enhancing the effectiveness of transferring attacks on GNN-based social trust evaluation models. Next, the attack strategy derived from the surrogate model is transferred to the target GNN-based trust prediction model to perform an untargeted attack. Evaluations on two real-world datasets show that our proposed untargeted attack is highly effective against the victim model, significantly outperforming baseline methods. The principal contributions of this paper can be summarized in the following aspects:

(1)

We present an improved loss function where the target class is the trust level with the minimum probability in the prediction result of the surrogate model. Our proposed attack strategy manipulates user features related to network topology using neural networks. To ensure unnoticeable perturbations in user features, Euclidean distance and Cosine similarity are integrated as constraint terms in the loss function.

(2)

By introducing the prior knowledge of social trust propagation, the solution alters the trust rating of pairwise users to disrupt social trust chains, thereby amplifying the impact of attacks on social trust assessment models.

(3)

By combining user feature attacks with social trust relationship manipulation based on trust propagation, we design a black-box untargeted attack strategy, T-Attack, which undermines the performance of the target trust prediction model through transferable attack.

(4)

We evaluate the performance of our proposed attack strategy on both benchmark datasets, Pretty Good Privacy (PGP) and Advogato, through comprehensive experiments. Experimental results prove that our proposed attack strategy significantly worsens the result of trust assessment by migration attack, compared with other baselines.

The remainder of this article is organized as follows. In Section 3, we define the problem and outline the existing challenges for adversarial attacks on social trust prediction, in addition to providing the necessary background on social trust propagation and GNN-based trust prediction. Section 4 details our proposed attack strategy. In Section 5, we present extensive experiments that evaluate the performance of our strategy and demonstrate its superiority over SOTA models. Section 2 analyzes the related work and Section 6 summarizes our conclusions.

2. Related Work

This section briefly reviews two pertinent research areas: adversarial attacks on GNNs and GNN-based trust prediction.

2.1. Adversarial Attacks on GNN

Recently, significant advancements have been made in the domain of adversarial attacks on GNNs, which have been widely applied across numerous fields, including node classification [28], link prediction [29], community detection [30], and graph anomaly detection [20]. The primary approaches for adversarial attacks on GNN involve adding or removing edges and nodes in graph to mislead the output of GNN-based models. Specifically, Nettack [19] is a representative research work, which adds node embedding perturbation and manipulates graph structures to distort the results of node classification tasks. Meta [28] adopts meta-gradients to address the bilevel optimization challenge inherent in the sophisticated category of poisoning adversarial attacks. The author in [29] presents a novel adversarial attack strategy on link prediction, which extracts the gradient in the trained graph autoencoder model and calculates the partial derivative of the target link with respect to the input of the graph autoencoder model to mislead the result of link prediction. In one work [30], the author extended adversarial attacks on GNN-based community detection models by hiding nodes in the graph. In the domain of Graph Anomaly Detection (GAD), a novel targeted structural poisoning attack, BinarizedAttack, enables some target nodes to evade detection via manipulating inter-node relationships (i.e., the graph structure) [20]. In [31], the author concentrates on the issue of budget distribution for untargeted gray-box attacks involving edge perturbations in the graph. In the literature [21], the approach NAG-R constructs the adversarial network through a Nesterov accelerated gradient attack against the surrogate model and subsequently refines the network via rewiring to maintain fundamental graph properties, such as the total degree.

In addition, time and space complexity presents challenges in the practical application of adversarial attacks on large-scale graph. For addressing these challenges, Jintang, L. et al. craft an Simplified Gradient-based Attack (SGA) focusing on a large-scale graph, which employ a multi-stage attack approach on a subgraph to attack the classification of specific target nodes [32]. In a nutshell, significant progress has been achieved in the study of adversarial attacks on GNN in some task-specific domains. Nevertheless, the exploration of adversarial attacks in task-specific domains remains insufficient, especially in the domain of social trust evaluation.

2.2. Trust Prediction Based on GNN

In the domain of trust prediction, there has been notable advancement in recent years, particularly with the application of GNN to trust assessment in OSNs. Notably, the most representative approach, Guardian, proposed by Wanyu L. et al. [14], pioneers the application of GCN to the social trust evaluation problem, treating it as a classification task. In  [15], the approach by Wang et al. begins by integrating multi-aspect trust-aware features in OSNs using GAT. In  [16], the proposed model TrustGNN introduces the concept of trust chains to capture the propagation pattern of social trust, while extended KGE methods are utilized to handle interactions among trust chains and users. To discern the varying impacts of different propagation processes, an attention mechanism is implemented to learn the specific weights associated with each chain type. Then, the approach utilizes a GNN layer combining GAT and GCN to capture the pattern of trust propagation and aggregation, which concurrently extracts trust popularity and enthusiasm for social trust evaluation. Considering the dynamic nature of social trust, Medley [33] adopts the functional time encoding to extract the time embedding for trust assessment in time-ware OSNs. Subsequently, the proposed solution allocates influence weights to evolving social interactions and models the dynamic latent factors of uses in time-varying OSNs. Meanwhile, the author in [34] designs a novel solution named DTrust, which uses a dynamic GCN to fully capture spatio-temporal trust dependencies among users for assessing pairwise trustworthiness in dynamic OSNs. In addition, the existing trust prediction models ignore the negative effects of trust-related attacks and fail to offer a satisfactory explanation for the evaluation results. One work [35] proposes a GNN-based trust evaluation model, TrustGuard, which can predict trust relationships and offers explanations via visualization in time-varying OSNs.

Nevertheless, the aforementioned GNN-based trust assessment models are particularly vulnerable to adversarial attacks, due to the inherent weaknesses of GNN, and this susceptibility is exacerbated when confronted with non-graph structure attack. It is essential to research the attack strategy for GNN-based trust prediction models. Research on attack strategies provides a cornerstone for formulating corresponding defense strategies and enhancing the robustness of the GNN-based trust prediction model.

3. Background Knowledge and Problem Scope

This section begins by introducing the background of social trust chains and representative GNN-based trust prediction models, followed by the problem definition and the notation used throughout this paper.

3.1. Background Knowledge

3.1.1. Guardian

Guardian [14] serves as a model for evaluating social trust by incorporating the aggregation of trust popularity and enthusiasm into the learned hidden representations of users. The principal contribution of Guardian is the introduction of the convolutional layer, capable of simultaneously encoding the graph structure and the corresponding trust relationships through a graph convolution network (GCN). We formulate this layer as follows:

$$T_I\left(x\right)={\displaystyle \frac{1}{\mid N_I\left(x\right)\mid }}·\sum _{y\in N_I\left(x\right)}u\left(y\right)\otimes e_{x\leftarrow y}$$

(1)

$$T_O\left(x\right)={\displaystyle \frac{1}{\mid N_O\left(x\right)\mid }}·\sum _{y\in N_O\left(x\right)}u\left(y\right)\otimes e_{x\to y}$$

(2)

$$T\left(x\right)=\sigma (W·(T_I\left(x\right)\otimes T_O\left(x\right))+b)$$

(3)

Let $u\left(x\right)$ represent the graph embedding of user $x.$ Guardian denotes by $e_{x\leftarrow y}$ the trust score assigned by user y and user $x.$ Utilizing the aforementioned formula, Guardian aggregates information from graph networks and their associated trust links, thereby capturing trust-aware user embeddings that incorporate features from both in-neighbors and out-neighbors, respectively. Subsequently, Guardian integrates these user embeddings, using a layer with full connectivity (FC). Specifically, $T_I\left(x\right)$ and $T_O\left(x\right)$ are concatenated Through an iterative process of stacking multiple graph convolution layers, the model progressively refines the trust-aware embedding of user x to be more comprehensive. To forecast social trust, we first merge the trust-aware embeddings of user x and user $y,$ then pass the merged vector through an FC layer and a Softmax layer. The overall process can be summarized as follows:

$$\widehat{T}(x\to y)=Softmax(W_{fc}·(T\left(x\right)\otimes T\left(y\right)))$$

(4)

3.1.2. GATrust

GATrust [15] utilizes GNN to propose a novel solution for assessing pairwise trust scores in OSNs. The solution integrates the multi-dimensional features within OSNs, including situation-specific user features, graph structure information, and pre-existing trust links. By designing a GNN layer that integrates both GAT [17] and GCN, the solution can model trust propagation and aggregation to jointly extract trust popularity and trust enthusiasm for trust evaluation. In contrast to Guardian, GATrust distinguishes itself by adopting GAT to assign distinct relevance weights to the multi-dimensional features of users in OSNs. Then, the model incorporates them through a weighted summation to obtain the trust-aware embedding of one-hop users. Taking trust popularity aggregation as an example, the specific details of the key component can be described as follows:

$$T_{f_I\left[x\right]}=\sum _{y\in Ad{j}_I\left(x\right)}{\alpha }_{x\leftarrow y}^{F}f\left[y\right]$$

(5)

$$T_{u_I\left[x\right]}=\sum _{y\in Ad{j}_I\left(x\right)}{\alpha }_{x\leftarrow y}^{U}u\left[y\right]$$

(6)

$$T_{g_I\left[x\right]}=\sum _{y\in Ad{j}_I\left(x\right)}{\alpha }_{x\leftarrow y}^S{T}_{w_{x\leftarrow y}}$$

(7)

Among them, $f\left[x\right]$ and $T_{w_{x\leftarrow y}}$ represent the embedding information of $f\left[x\right]$ and $T_{w_{x\leftarrow y}},$ respectively. Let $u\left[x\right]$ be the embedding information related to the network structures. The distinctive relevance weights can be expressed by ${\alpha }_{x\leftarrow y}^F,$${\alpha }_{x\leftarrow y}^U,$ and ${\alpha }_{x\leftarrow y}^S$, respectively. Using this aforementioned equation, GATrust enables a more comprehensive extraction of the latent factors associated with social trust, thereby promoting the effectiveness of social trust assessment.

3.1.3. TrustGNN

TrustGNN [16] explicitly models the propagative and composable properties within GNNs to derive comprehensive embeddings, significantly improving trust evaluation performance. The model introduces the concept of trust chains to capture the propagation nature of social trust and adapts Knowledge Graph Embedding (KGE) techniques to characterize the interactions between nodes and relationships within these chains. Specifically, for a given trust chain $P_{uv}$ with length k formulated as $u\stackrel{r_1}{\to }\dots \stackrel{r_k}{\to }v$, the node v is required to capture information from the source node u as well as the intermediate edges $\{r_1,r_2,\cdots ,r_k\}.$ To integrate the attributes of node u with the edges $\{r_1,r_2\cdots r_k\}$ in the trust chain, TrustGNN adopts a RotatE-like approach [36].

$$h_v^P=h_u\circ r_1\circ r_2\cdots \circ r_k$$

(8)

where $h_v^P$ represents the hidden factors of user v and $r_k$ is the representation of the trust relationship. Let ∘ be an Elementwise (Hadamard) product. Then, graphs are often characterized by the presence of various trust chain types that interact to facilitate the inference of new trust relationships. Consequently, TrustGNN enables nodes to aggregate information from a multiplicity of social trust chain categories. Before calculating the aggregated information from different trust chains, the information from the same type of trust chain can first be merged. The entire process can be formulated as follows:

$$h_v^{p_j}=W_{p_j}(h_v+\sum _{P\in p_j}{h}_v^P)$$

(9)

Let j be the type of social trust chain and $W_{p_j}$ be the learned weight matrix. Ultimately, an attention mechanism is employed to aggregate information from diverse social trust chains, thereby capturing the composable nature of social trust. In particular, initially, the chain-type-specific representation $h_v^{p_j}$ undergoes a nonlinear transformation. Then, a score is assigned to this representation based on its similarity with a chain-type-level attention vector $q.$

$${\omega }_{p_j}=\sum _{v\in \nu }{q}^T·tanh(W_{attn}{h}_v^{p_j}+b)$$

(10)

where $W_{attn}$ represents the weight of the linear transformation. Here, b is bias and $tanh$ is the activation function. Subsequently, a Softmax function is applied to normalize the scores ${\omega }_{p_j}$ to obtain the importance coefficients ${\alpha }_{p_j}$ of each type of chain. Based on ${\alpha }_{p_j}$ TrustGNN is capable of performing a weighted aggregation of these chain-type-specific representations to acquire the final node embeddings. The whole process can be expressed as follows:

$$Z_v={\displaystyle \sum _{j=1}^k}{\alpha }_{p_j}{h}_v^{p_j}$$

(11)

3.1.4. Trust Propagation and Aggregation

Trust propagation and aggregation are essential for assessing the trustworthiness between users without direct interaction. Among them, trust propagation signifies that trust information can be transferred from one individual to another within OSNs, thereby constructing a trust chain. In other words, the trust relationship among users is influenced by the trust connection between their friends and themselves in OSNs. As shown in Figure 1a, a specific social trust chain formed by users $A,$B and C can be used to determine the trust score from A to $C.$ Specifically, based on the trust ratings of 2 (for $A\to B$) and 3 (for $B\to C$), the resulting trust rating between A and C can be calculated. However, there always exist multiple social trust chains between users without direct connections. Consequently, relying solely on a single social trust chain is insufficient to accurately estimate the trust relationship. A representative illustration is provided in Figure 1b. Two social trust chains exist from user A to user D. The former is $A\to C\to D,$ and the latter is $A\to B\to D.$ Therefore, aggregating the trust scores from these trust chains is crucial for accurately assessing user A’s trust in user $E.$

3.2. Problem Statement and Definition

Establishing an unobserved trust relationship between two users is a fundamental for ensuring the security of numerous online services and has drawn significant interest from researchers, particularly following the introduction of GNN into this domain. However, reliable and robust modeling of trust relationships among users using GNN presents a significant and unresolved challenge. In this article, our goal is to develop an innovative attack strategy that targets the GNN-based social trust prediction model, thereby enhancing the robustness of the social trust model. Without loss of generality, we employ a graph $G=(N,\epsilon ,\kappa ,U)$ to represent social networks with trust relationships, where a node $x\in N$ represents a user in OSNs, $e_{xy}\in \epsilon$ represents the observed social connection $x\to y.$ N represents the set of users in the graph. Let $\kappa =\left\{T_{xy}\right|e_{xy}\in \epsilon \}$ be the set of pre-existing trust levels, which is non-zero in the graph. Among them, $T_{xy}$ represents the trust level of user pairs $x\to y.$ The user x’s feature related to structure information can be represented as $u\left(x\right)$, which belongs to the set of user feature $U.$ As social trust levels vary in representation across different domains, we will conceptualize them as either a scalar or a vector. We treat $C=\{c_1,c_2,···\}$ as the set of trust ratings. In this paper, we adopt datasets Advogato and Pretty-Good-Privacy (PGP) for our study. These datasets employ 4 types of trust ratings to express a specific trust relationship $T_{xy}$, which are classified into $C=\{Observer,Apprentice,Journeyer,Master\}$. In addition, every user can assume distinct roles, including trustor or trustee in trust relationships, given the inherent asymmetry of social trust in OSNs. In OSNs, trust links can be categorized into trust popularity and trust enthusiasm, which correspond to the ingoing and outgoing of user x, respectively.

Thus, to mine the patterns of trust propagation and aggregation, we define two sets. $Ad{j}_I\left(x\right)$ denotes the set of users who trust user x (i.e., the in-neighbors of x). $Ad{j}_O\left(x\right)$ denotes the set of users that user x trusts (i.e., the out-neighbors of x). The task of establishing the trust relationship between users can be treated as a label classification problem. According to GNN-driven trust prediction, we can assess the label of trustor–trustee pair ${\tilde{T}}_{xy},$ which represents the trust score of user pairs without a direct trust link in OSNs.

Starting with the original graph $G=(N,\epsilon ,\kappa ,U),$ the adversarial graph $\widehat{G}=(N,\epsilon ,\widehat{\kappa },\tilde{\kappa },\widehat{U})$ can be established through unnoticeable perturbations, which degrade the performance of the GNN-based trust prediction. Specifically, ${\widehat{T}}_{xy}\in \widehat{\kappa }$ denotes the manipulated trust level of user pairs with direct trust link, which belong to the set of the manipulated trust scores $\widehat{\kappa }$. $\tilde{\kappa }$ is the collection of clean trust relationships. $\widehat{u}\left(x\right)\in \widehat{U}$ is the perturbed user feature, which is constructed by adding an imperceptible perturbation to the original feature.

Table 1. Summary of key notations.

Notation	Description
$T_{xy}$	the trust score of pairwise users $x\to y$
$\kappa \left(t\right)$	the collection of pre-existing trust links
$Ad{j}_I\left(x\right)$	the collection of in-neighbors of user x
$Ad{j}_O\left(x\right)$	the collection of out-neighbors user x
$T_{yx}^w$	the dense embeddings information related to the observed trust relationship
$u\left(x\right)$	low-dimensional user embedding related to network structure
$l_I\left(x\right)$	trust popularity
$l_O\left(x\right)$	trust enthusiasm
$l\left(x\right)$	the learned latent embedding of users
W	the weight matrix
b	the trainable bias
$\sigma$	a nonlinear activation function
$\tilde{l}\left(xy\right)$	the embedding of the trust relationship $x\to y$
∘	the Hadamard product
⊗	the concatenation operator
$\tilde{T}{\left(xy\right)}_{min}$	the predicted trust level with the lowest probability in the surrogate model
$\widehat{u}\left(x\right)$	user features after attacks
$cos(\widehat{u}\left(x\right),u\left(x\right))$	the Cosine similarity of user features before and after attacks
L	the loss function valve

illustrates the definition utilized throughout this paper.

Despite advances in state-of-the-art methods, the research of attack strategies on trust prediction still confronts two key challenges: (1) how to design a surrogate model to estimate the trust level among users by GNN for untargeted attacks, and (2) how to subtly introduce unnoticeable perturbations on graph leveraging network structure information and the prior knowledge of trust propagation, in order to attack the GNN-based trust prediction model without altering graph structure.

To tackle these challenges, we initially utilize GNN to combine the information on the network structure with observed trust relationships, thereby establishing a surrogate model capable of evaluating the trust rating between two users. Focusing on attacking the surrogate model, we craft a neural network-based perturbation generator to create user feature perturbations. Furthermore, we formulate the loss function to maximize the attack’s effectiveness, treating the lowest probability trust level in prediction results of the surrogate model as the target label. Then, we adopt an existing trust relationship to discover the crucial social trust chain between users and combine the changes in the gradient from the loss function to adjust the trust levels between users within the crucial trust chain, thereby hindering the propagation of social trust. Leveraging perturbed user features and manipulated trust scores of user pairs, the goal of adversarial attack is to generate the adversarial graph $\widehat{G}$ to replace the original graph G as the input of the trust prediction model. To evade detection and defense by the GNN-based trust prediction model, modifications of trust relationships are limited to fewer than m alterations; i.e., $\left|\widehat{\kappa }\right|<m.$ Therefore, in the untargeted attack scenario, the attack strategy is designed to make GNN-based trust prediction methodologies fail to accurately assess the trustworthiness of arbitrary pairwise users in OSNs, yielding

$$\begin{array}{cc}\hfill max& \left(sum(f\left(G\right)\ne f\left(\widehat{G}\right))\right)\hfill \\ \hfill & S.T.|\widehat{\kappa }|<mandmin{\left(\widehat{U}\right)}_{alter})\hfill \end{array}$$

(12)

where f represents the GNN-driven trust prediction model. m denotes the maximum number of manipulated trust levels of pairwise users in OSNs. ${(·)}_{alter}$ indicates changes in the perturbed user feature, compared to user features. We employ $sum$ to illustrate the total number of misleading predictions produced by the trust model following adversarial attacks. Finally, the integration of these strategies enables us to execute untargeted attacks on the surrogate model and distort the prediction results of GNN-based trust prediction models via transfer attacks.

4. Methodology

This section focuses on developing effective methods to execute black-box attacks against GNN-based trust prediction models in OSNs.

4.1. Sketch of Our Attack Strategy

Before describing the details of the attack strategy, we present the overview of our attack strategy. Owing to the limited insight into the architecture of the GNN-based trust prediction model, we initially crafted a surrogate model based on GNN. The surrogate model learns the law of trust propagation and aggregation from real-world datasets for approximating the victim model’s behavior in assessing trust relationships within OSNs Then, we devise strategies for user feature attacks and manipulating trust relationships against the surrogate model, utilizing neural networks and prior knowledge of trust propagation. Through attack transferability, the attack strategy can also distort the predictions of victim GNN-based trust prediction models.

4.2. Surrogate Model

To generate high-quality adversarial examples (e.g., the manipulated trust ratings and the perturbed user feature related to network structure), we first design a surrogate model based on GNN. In detail, we employ a novel GNN: DTNN inspired by [37,38], which encodes the network structure information and the pre-existing trust scores between pairwise users, integrating this information to construct the surrogate model. The overall architecture of the surrogate model is described in Figure 2. The surrogate model is composed of two key components: (1) multiple GNN layers and (2) a prediction layer.

In particular, the inputs of the surrogate model come from the network topology and observed trust relationships. The network topology information is captured by the graph embedding technique Node2vec [39], which mines network structure information and converts it into a low-dimensional user embedding $u\left(x\right).$ Simultaneously, we take advantage of one-hot encoding $T_{yx}$ to represent the observed trust relationship, thereby obtaining the dense embeddings $T_{yx}^w$ related to the observed trust relationship using a linear transformation, as follows:

$$T_{yx}^w=W_{yx}{T}_{yx}$$

(13)

Then, the specific detailed of both components are presented as follows.

4.2.1. GNN Layer

To better model the patterns in trust propagation and aggregation, we aim to capture the latent embeddings corresponding to social trust by incorporating network topology representations $u\left(x\right)$ and trust relationship embeddings of pairwise users $T_{yx}^w$ in this layer. Specifically, the latent embedding is defined by $l\left(x\right).$ Acknowledging the inherent asymmetry of social trust, the latent embedding $l\left(x\right)$ is divided into two parts: the latent embedding of trust popularity $l_I\left(x\right)$ and the latent embedding of trust enthusiasm $l_O\left(x\right).$ Subsequently, we adopt DTNN to combine the ingoing observed social trust relationships and the the corresponding network structure embeddings of the corresponding for discovering the latent embedding of trust popularity $l_I\left(x\right).$ Likewise, to derive the trust enthusiasm embedding $l_O\left(x\right)$, we apply a similar process for the outgoing trust relationships and the associated network topology embedding. The calculation detail of trust enthusiasm and trust popularity is defined as follows:

$$l_I\left(x\right)={\displaystyle \frac{1}{|Ad{j}_I\left(x\right)|}}\sum _{y\in Ad{j}_I\left(x\right)}{T}_{yx}^w\circ u\left(y\right)$$

(14)

$$l_O\left(x\right)={\displaystyle \frac{1}{|Ad{j}_O\left(x\right)|}}\sum _{y\in Ad{j}_O\left(x\right)}{T}_{xy}^w\circ u\left(y\right)$$

(15)

As shown in Formulas (14) and (15), DTNN use the Hadamard product to fuse the network structure embeddings and the pre-existing trust relationships, where ∘ represents the Hadamard product. Finally, to capture the latent factors of social trust, we integrate trust popularity $l_I\left(x\right)$ and trust enthusiasm $l_O\left(x\right)$ by first concatenating them and then passing the result through a FC layer. The specific process can be expressed as follows:

$$l\left(x\right)=\sigma (W(l_I\left(x\right)\otimes l_O\left(x\right))+b)$$

(16)

where we denote W as the weight matrix. Let b be the bias. $\sigma$ represents the nonlinearity of the activation function. In the surrogate model, we employ tanh as the activation function $\sigma .$

To analyse the pattern of trust propagation and aggregation, we stack n DTNN layers to extract the high-order latent factors of user $x,$ thereby capturing a richer latent embedding that corresponds to social trust. The computation process of the higher-order latent embedding can be recursively formulated as follows:

$$l_I^n\left(x\right)={\displaystyle \frac{1}{|Ad{j}_I\left(x\right)|}}\sum _{y\in Ad{j}_I\left(x\right)}{T}_{yx}^w\circ l^{n-1}\left(y\right)$$

(17)

$$l_O^n\left(x\right)={\displaystyle \frac{1}{|Ad{j}_O\left(x\right)|}}\sum _{y\in Ad{j}_O\left(x\right)}{T}_{xy}^w\circ l^{n-1}\left(y\right)$$

(18)

$$l^n\left(x\right)=\sigma (W^h(l_I^n\left(x\right)\otimes l_O^n\left(x\right))+b^n)$$

(19)

where $l_I^n\left(x\right)$ and $l_O^n\left(x\right)$ denote the high-order latent embedding of trust popularity and trust enthusiasm at the layer $n,$ respectively. When the layer $n=0,$ $l^0\left(x\right)$ is an user embedding related to topological relationships $u\left(x\right)$; i.e., $l^0\left(x\right)=u\left(x\right).$

4.2.2. Prediction Layer

After the aforementioned steps, we use a concatenation operator to combine the latent embedding of user x and user y in OSNs. Then, we apply an FC layer to derive the latent embedding of the unobserved user pair $x\to y$, as follows:

$$\tilde{l}\left(xy\right)=\theta \left(W_{FC1}(l^n\left(x\right)\otimes l^n\left(y\right))\right)$$

(20)

where $W_{FC1}$ is the trained parameter matrix. Let $\theta$ be $Softmax.$ The latent embedding $\tilde{l}\left(xy\right)$ is used to predict the probability distribution of possible trust levels for a pairwise user without a direct trust link $x\to y$. Subsequently, we determine the trust score of the unobserved user pair $x\to y$ by applying function $argmax$, which selects the predicted trust level with the highest probability in $\tilde{l}\left(xy\right).$

For training the weights of the surrogate model, we adopt the cross-entropy loss, which measures the discrepancy between the predicted probability distribution and the ground-truth labels.

4.3. Attack Strategy

Upon completing the training of the surrogate model, we design a novel attack strategy, T-Attack, by introducing unnoticeable user feature perturbations and manipulated trust ratings for misleading the surrogate model.

4.3.1. Feature Perturbation Attacks

Since one of the key inputs of GNN-based trust prediction models comprises user features associated with network topology, we perform the attack by injecting feature perturbations in an untargeted adversarial attack scenario. The impact of the adversarial attack is contingent upon the extent of deviation in trust prediction. Therefore, the goal of user feature attacks is to maximize this distortion. To quantify this, we assess the prediction discrepancy between the pre-attack and post-attack states. Formally, this can be expressed as maximizing the number of trust links whose predictions are altered, i.e., $max(\sum \Vert \left((f\left(G\right)\ne f\left(\widehat{G}\right))\right)),$ where $\Vert (·)$ is the indicator function that equals 1 if the condition is true and 0 otherwise. In black-box adversarial attack scenarios, we target the surrogate model to craft an attack strategy that can be leveraged for subsequent applications, rather than directly attacking the common GNN-based trust prediction model. More precisely, we define $f^{\prime }(·)$ as the surrogate model. The denoted $f^{\prime }\left(G\right)$ and $f^{\prime }\left(\widehat{G}\right)$ represent the result of trust prediction before and after the attack, respectively. To quantify the discrepancy in trust predictions before and after the attack, we employ the cross-entropy loss. For this loss function, we define an adversarial target: we select the trustworthiness with the lowest predicted probability (as derived from the surrogate model) to serve as the target label. To maximize the probability of the target label, we employ the cross-entropy loss, which is formulated as

$$\gamma =-{\displaystyle \frac{1}{\left|\kappa \right|}}\sum _{(<x\to y>,T_{xy}\in \kappa )}\tilde{T}{\left(xy\right)}_{min}log\widehat{l}\left(xy\right)+\lambda \cdot {\Vert \Theta \Vert }_2^2$$

(21)

The predicted trust rating with the lowest probability can be represented by $\tilde{T}{\left(xy\right)}_{min}$. Denote $\widehat{l}\left(xy\right)$ as the latent embeddings of the unobserved pairwise user following the attack. The parameter $\lambda$ controls the strength of the $L_2$ regularization, which can alleviate over-fitting in the loss function. Minimizing this loss function allows us to markedly amplify the discrepancy between the prediction outcomes of the surrogate model pre-attack and post-attack, which approximates $max(\sum (f\left(G\right)\ne f\left(\widehat{G}\right))).$

In addition, the feature attack strategy must modify the user features related to the network structure to guaranty the performance of adversarial attacks against the GNN-based trust prediction model in an unnoticeable manner. Therefore, some constraints must be taken into account to ensure that feature attacks are unnoticeable. Firstly, we must strive to narrow the distance in user features pre-attack and post-attack on the premise of distorting the trust prediction outcome. In this paper, we have $\widehat{u}\left(x\right)=u\left(x\right)+▵u\left(x\right),$ where $\widehat{u}\left(x\right)\in \widehat{U},$$u\left(x\right)\in U,$ as depicted in Figure 3.

To avoid noticeable feature perturbations, we incorporate the Euclidean distance ${\parallel \widehat{u}-u\parallel }_2^2$ as a constrained term in the loss function. To further ensure user feature perturbations remain unnoticeable, we also introduce the Cosine similarity metric as an additional constraint in the loss function. The details of the calculation process can be described as follows:

$$cos(\widehat{u}\left(x\right),u\left(x\right))={\displaystyle \frac{\widehat{u}\left(x\right)·u\left(x\right)}{{\parallel \widehat{u}\left(x\right)\parallel }_2{\parallel u\left(x\right)\parallel }_2}}$$

(22)

The lower the discrepancy between topology-aware user features before and after the attack, the closer the Cosine similarity is to 1, i.e., $cos(\widehat{u}\left(x\right),u\left(x\right))\approx 1$. Therefore, we use ${\displaystyle \frac{1}{cos(\widehat{u}\left(x\right),u\left(x\right))}}$ to minimize the constraint metric of Cosine similarity in the loss function. Taking these constraints into account, the Lagrange multiplier method [40] is used to formulate the loss function for our designed user feature perturbations, as follows:

$$\begin{array}{cc}\hfill OPTA& =-{\displaystyle \frac{1}{\left|\kappa \right|}}\sum _{(<x\to y>,T_{xy}\in \kappa )}\tilde{T}{\left(xy\right)}_{min}log\widehat{l}\left(xy\right)+\lambda \cdot {\Vert \Theta \Vert }_2^2\hfill \\ \hfill & +\alpha {\displaystyle \frac{1}{N}}\sum {\parallel \widehat{u}-u\parallel }_2^2+\beta {\displaystyle \frac{1}{N}}\sum {\displaystyle \frac{1}{cos(\widehat{u},u)}}\hfill \end{array}$$

(23)

where $\alpha$ and $\beta$ are the penalty coefficient of the Euclidean distance metric and the Cosine similarity metric, respectively. We utilize the Adam optimizer [41] to minimize the loss function. Finally, we design a feature perturbation generator adopting a multilayer perception (MLP). The feature perturbation generator consists of a two-layer FC. The details of the generator can be formulated as

$$\widehat{u}\left(x\right)={\sigma }_2\left(W_2\left({\sigma }_1\left(W_{1}u\left(x\right)\right)\right)\right)$$

(24)

where ${\sigma }_1$ and ${\sigma }_2$ are activation functions. In the generator, we employ $ReLU$ as the activation function for both ${\sigma }_1$ and ${\sigma }_2$. By minimizing $OPTA,$ we can optimize the weight of the feature perturbation generator to add unnoticeable perturbations on user features. In GNN-based trust prediction models, the similarity in the network structure information of users serves as a crucial foundation for assessing the trust relationship among users in OSNs. Therefore, leveraging the feature perturbation generator, we can inject unnoticeable perturbations into user features associated with network information to disrupt their proximity, thereby biasing the prediction result of social trust in OSNs.

4.3.2. Trust Relationship Attacks

Apart from user features related to network structures, the inputs of the GNN-based trust prediction model also encompass graph topology data and existing trust relationships. While conventional adversarial attacks on GNNs primarily focus on modifying graph structures (adding or removing edge from a graph), we propose a different approach: by manipulating the observed trust ratings between user pairs, we corrupt the mechanisms of trust propagation and aggregation to distort social trust evaluations.

As stated in the literature [10], disrupting trust propagation in a trust chain between unconnected users can distort their trust assessment, particularly along the shortest trust chain. Compared to directly adding or removing trust relationships in OSNs, manipulating existing trust relationships in critical shortest trust chains can subtly undermine the performance of GNN-based trust prediction models in an imperceptible way. More precisely, to attack the trust relationship between unobserved trustor–trustee pairs, we modify the trust relationship closest to trustee along their existing shortest trust chain.

As shown in Figure 4, we manipulate the trust rating related to trustee $u_4$ from 2 to 3 in the shortest trust chain $u_2\to u_3\to u_4$ to attack the unobserved trust relationship $u_2\to u_4$. Moreover, given the existence of numerous shortest trust chains among an unobserved trustor–trustee pair, it is necessary to modify the trust level within a specific trust chain in accordance with the gradient information of the surrogate model, thereby guaranteeing that manipulating the trust relationship remains unnoticeable.

Thus, the specific procedure of trust relationship attacks is as follows: we first identify the shortest trust chain between unobserved trustor–trustee pairs. In general, the majority of these shortest trust chains contain only the trustor’s first-order or second-order neighbors, excluding the trustor and the trustee themselves. Therefore, we use the Breadth First Search (BFS) algorithm to extract the shortest trust chain between the trustor and the trustee. The BFS algorithm initially seeks out the first-order neighboring users, which are the users reachable via the out-degree edges of the trustor. If the trustee is not found, the algorithm proceeds to search higher-order neighbors until the trustee is located. For example, Figure 5 shows that the first-order neighboring users related to the out-degree of trustor $u_1$ are $u_3$ and $u_5.$

Then, we utilize the BFS algorithm to search trustee $u_7$ which belongs to the second-order neighboring users of the trustor. Owing to the existence of several shortest trust chains among an unobserved trustor–trustee pair, our attack strategy is to select the crucial social trust chain to disrupt trust propagation by manipulating the trust relationship closest to the trustee. To discover the key social trust chain, we achieve this by sequentially perturbing the trust relationships leading to the trustee within each trust chain and calculating the resulting gradient from the surrogate model. The specific trust chain that corresponds to the maximum gradient is chosen as the attack target, i.e.,

$$L=-{\displaystyle \frac{1}{\left|\kappa \right|}}\sum _{(<x\to y>,T_{xy}\in \kappa )}{T}_{xy}log\widehat{l}\left(xy\right)$$

(25)

$$OPTB=max\left(\mathcal{G}\right(\Theta \left)\right)$$

(26)

where L is the loss valve of the surrogate model after adding a manipulated trust rating adjacent to a trustee in a specific shortest trust chain. $\Theta$ is the set of loss values $L_1,L_2,L_3,···L_n$, calculated for each of the multiple shortest trust chains that exist between an unobserved trustor–trustee pair. $\mathcal{G}$ represents the set of all gradients corresponding to the loss values in $\Theta .$ Then, we select the trust chain with the maximum gradient in $\mathcal{G}$ as the target trust chain. Finally, the perturbed trust link adjacent to the trustee in the trust chain is used to obtain the predicted trustworthiness with the lowest probability from the surrogate model.

4.4. Attack Strategy Implementation

Subsequently, the pseudocode for the overall attack strategy of T-Attack can be described as shown in Algorithm 1.

Algorithm 1 The overall attack strategy of T-Attack.

Require:  We take the graph-structured data G as the input of the surrogate model. 1: The initial user embeddings are generated by Node2vec. 2: train the surrogate model 3: initialize $\widehat{u}\left(x\right)={\sigma }_2\left(W_2\left({\sigma }_1\left(W_{1}u\left(x\right)\right)\right)\right)$ 4: while For each pairwise users $<x,y>$ in the training dataset do 5:     $\widehat{u}\left(x\right)={\sigma }_2\left(W_2\left({\sigma }_1\left(W_{1}u\left(x\right)\right)\right)\right)$ 6:     the output of the generator is the input of the surrogate model 7:     calculate the loss function $OPTA$ 8:     update the weight of $\widehat{u}\left(x\right)={\sigma }_2\left(W_2\left({\sigma }_1\left(W_{1}u\left(x\right)\right)\right)\right)$ 9: end while 10: use the generator to provide the perturbation 11: use BFS algorithm to discover all shortest trust chain in pairwise users 12: while each shortest trust chain in any user pairs in the training dataset do 13:     $L=-{\displaystyle \frac{1}{\left|\kappa \right|}}{\sum }_{(<x\to y>,T_{xy}\in \kappa )}{T}_{xy}log\widehat{l}\left(xy\right)$ 14: end while 15: $OPTB=max\left(\mathcal{G}\right(\Theta \left)\right)$ 16: Based on the $OPTB,$ we choose the disrupted trust chain. 17: choose the trust level with minimum prediction confidence in the surrogate model as the manipulated trust rating connected to trustee in the key trust chain. 18: return $\widehat{G}$

According to the pseudocode, we represent the details of our attack strategy implementation, which injects unnoticeable perturbations into GNN-based trust prediction models leveraging feature attacks and trust relationship attacks.

1:

Training the surrogate model: We treat OSNs with trust relationships as a signed graph. Then, we adopt the graph embedding technique to capture user features associated with network structure. The surrogate model is trained and used to assess the trust scores of between unobserved trust links by using user features and pre-existing trust relationships as inputs, as described in Section 4.2.

2:

Feature perturbations attacks: We discover all trust ratings with the lowest probability from the surrogate model’s prediction outcome and regard it as the target label in the loss function. Subsequently, we design a user feature perturbation generator which is composed of a two-layer fully connected network. To generate unnoticeable perturbations, we use Euclidean distance and Cosine similarity as the constraint in the loss function. Using the loss function, we optimize the user feature perturbation generator to implement feature perturbation attacks in a subtle way.

3:

Trust relationship attacks: We find all shortest trust chains between trustor–trustee pairs in the signed graph, using the BFS algorithm. Then, we manipulate the trust rating connected to the trustee in all shortest trust chains, where the manipulated trust ratings choose the trust classification label with the smallest probability in the prediction result of the surrogate model. Considering the existence of multiple shortest trust chains in a trustor–trustee pair, we compute the gradient of the surrogate model’s loss function when disrupting any trust chain in the trustor–trustee pair, as shown in Equation (25). We select the trust chain exhibiting the largest gradient as the crucial target for the attack.

4:

Craft attack strategy: Finally, we train a user feature perturbation generator to produce adversarial samples using the training datasets. Targeted toward each trustor–trustee pair in the training set, we depend on gradient information to modify the trust ratings that are part of a shortest trust chain between a trustor–trustee pair. We utilize the user feature perturbation and the manipulated trust rating to modify the input of GNN-based trust prediction models, performing transfer attacks.

5. Experimental Results and Discussion

In this section, we evaluate the black-box attack strategy T-Attack on GNN-based trust prediction models through extensive experiments, comparing it with several existing attack methods. More precisely, we first benchmark the surrogate model against the mainstream trust prediction methods based on GNN, namely Guardian [14] and GATrust [15]. Building on this, we then apply our designed attack strategy to this GNN-based trust prediction to evaluate its effectiveness in the untargeted attack scenario.

5.1. Experimental Set up

5.1.1. Datasets

To verify the performance of our crafted attack strategy, we conduct a series of experiment on two widely utilized benchmark datasets, Advogato and PGP, from the real world [42].

• Advogato [14]: The dataset comes from an online community for software development. In this community, through a trust metric mechanism, evaluate the reputation and contribution of free software contributors and help users understand the experience and skills of developers. Furthermore, mutual evaluations of users’ software development capabilities essentially constitute social trust relationships on the network. The dataset consists of four types of trustworthiness.
• Pretty-Good-Privacy (PGP) [14]: The dataset is sourced from a public key authentication network based on the web-of-trust mechanism. This network is primarily used to secure the confidentiality of emails and documents. Consequently, an edge between users represents the act of one user authenticating the trustworthiness of another user in PGP. The trust ratings are classified into four specific levels just as in Advogato.

  Table 2. Statistics Information of the Advogato and PGP datasets.

  Datasets	Users	Edges	Avg Deg
  Advogato	6541	51,127	19.2
  PGP	38,546	317,979	16.5

  summarizes the statistics of both datasets. The aforementioned datasets are divided into two sections: the training set and the test set. To conduct an untargeted attack, we randomly sample $80\%$ of the pre-existing trust links and their associated users from this dataset to form the training set. We use the remaining $20\%$ of this dataset as the test set. Furthermore, we hypothesize that there are no social relationships among users in the test set to verify the untargeted attack performance of all attack strategies.

5.1.2. Victim Models

We adopt two common GNN-based trust prediction models as the baseline and target model to assess the performance of the surrogate model and our proposed attack strategies, as detailed below:

• Guardian is an innovative end-to-end framework that leverages Graph Convolutional Networks (GCNs) to learn latent factors in a trust relationship. The framework is subtly designed to integrate social network architectures and trust relationships, enabling the estimation of social trust in pairwise users.
• GATrust fuses heterogeneous information from multiple sources: user situation-aware information, network topology, and pre-existing trust links. Through the integration of graph attention networks and graph convolution networks, the framework is capable of learning multiple latent factors originating from heterogeneous information of users for pairwise users in OSNs, thereby constructing a social trust evaluation model.
• TrustGNN extracts trust-related embeddings along trust chains to explicitly model the propagative nature of social trust. Subsequently, the model leverages an attention mechanism to capture the composable nature of social trust for evaluating trust relationships between users.

In our experiment, Guardian and TrustGNN employ the same parameter configurations as documented in the respective research works [14,16]. For ease of comparison, GATrust overlooks the influence of user situation-aware information on social trust. Consequently, the input of the model is limited to pre-existing trust links and user features associated with network structure. Specifically, the user features are identical to those of the surrogate model. The remaining parameters and configurations of GATrust adopt the default settings from those outlined in the literature [15].

5.1.3. Baseline Solutions for Comparison

For the untargeted attack, in the absence of prior research work for comparison, we consider the following adversarial attacks on GNN as baselines:

• ${\mathbf{Random}}_T$: An attacker randomly manipulates the trust rating between users in OSNs.
• $\mathbf{Meta}$ [28]: An attacker utilizes meta-gradients to regard the graph structure as a hyperparameter and inject unnoticeable perturbation into the graph by adding or removing edges. To adapt to the trust prediction domain, attackers randomly assign trust levels to the edges added by Meta-Train.
• $\mathbf{Grab}$ [31]: An attacker uses Gradient Debias to design a loss function for untargeted attacks on graphs, where unweighted gradients are generated for manipulating graph structures. In particular, these unweighted gradients are unaffected by the node confidence. Therefore, trust levels are also randomly assigned while the attacker adds edges in GNN-based trust prediction models.
• $\mathbf{NAG}-\mathbf{R}$ [21]: The attack strategy includes a node perturbation generator based on Nesterov Accelerated Gradient and leverages an edge rewiring operation (e.g., rewire trust relationship) to manipulate the graph structure to evade detection. Meanwhile, the trust rating of the rewiring edge is also set randomly.

In our experimental setup, the weight configurations for Meta, Grab and NAG-R follow the settings described in the existing literature [21,28,31].

5.1.4. Metrics and Parameter Setting

Given that GNN-based trust assessment models utilize F1-score as a metric for performance evaluation, we adopt the same metric to quantify our attack performance. Specifically, a lower F1-score signifies a more effective attack, since it reflects the diminished predictive accuracy of the surrogate model.

To conduct the experiment, we choose a computing platform equipped with E5-2686v4 CPU, 24 GB GeForce RTX 3090GPU, and 64 GB RAM. Both the surrogate model and the attack strategy are built upon PyTorch 2.8.0 and its GNN extension, PyTorch Geometric. We employ Node2vec [39] to derive initial user embeddings associated with the network structure. For the two real-world datasets, the embedding dimensions for both users and trust relationships are set to $128.$ The GNN layers of the surrogate model comprise a three-layer DTNN network. Following extensive experimentation, the hidden embedding dimensions of each layer were determined to be $[32,64,32]$, respectively. We use the Xavier initializer [43] to ensure training stability for the surrogate model by properly initializing its parameters. Throughout extensive training, we find that the optimal batch size is 32. The dropout rate is set to $0.0$ for achieving the best experimental outcomes. The user feature perturbation generator consists of a two-layer FC network whose hidden dimension is empirically set to 128 through extensive experiments. The dropout rate of the user feature perturbation generator is $0.2.$ The penalty coefficient of the Euclidean distance metric $\alpha$ and the Cosine similarity metric $\beta$ are 2 in the loss function of the user feature perturbations generator. To reduce the search complexity of the BFS algorithm, we restrict its search scope to the first-order or the second-order neighbor of trustor for discovering the shortest trust chain in a trustor–trustee pair. To guarantee the performance of our proposed attack strategy, all experimental runs will be conducted in 100 epochs when training the user feature perturbation generator. If the loss function of the user feature perturbation generator exhibits a increase for a consecutive period of 5 epochs, the training process will be terminated. All experimental procedures are repeated 5 times to ensure statistical significance. The average outcomes from these 5 experiments are used for comparative analysis. To maintain an unnoticeable attack on GNN-based trust prediction models, the manipulated trust relationship is set to constitute only $5\%$ of the total observed trust relationship in OSNs; i.e., the perturbations rate is $5\%.$ To ensure the absolute fairness of the experiment, all attack strategies targeting the graph structure are also limited to manipulating $5\%$ of the total observed edges in the graph. For brevity and readability, we use the per rate in the following tables and figures to denote the perturbation rate.

5.2. The Performance of the Surrogate Model for Comparison

We initially implemented experiments on the datasets Advogato and PGP to demonstrate the performance of our crafted surrogate model, which is not inferior to common GNN-based trust prediction models, including GATrust, Guardian and TrustGNN.

Table 3. Performance of all trust prediction models.

Dataset	Advogato	PGP
Guardian	0.733	0.864
GATrust	0.746	0.873
TrustGNN	0.739	0.878
Surrogate model	0.719	0.841

describes the performance of the surrogate model in both datasets. As shown in the table, our surrogate model achieves an F1-score of $0.719,$ reaching $96\%$ of the performance of the best baseline, GATrust on Advogato. For the dataset PGP, the F1-score of the surrogate model reaches $95.7\%$ of TrustGNN, which is the best-performing model. Specifically, the F1-score of the surrogate model is $0.719$ on Advogato, underperforming compared to Guardian and TrustGNN by $2\%$ and $2.8\%$, respectively. In PGP, the performance of the surrogate model achieves an F1-score as high as $0.841$, which is also worse than Guardian and TrustGNN. However, the performance of the surrogate model on PGP still outperforms that on Advogato in terms of F1-score. The primary reason for this difference is that the PGP network has a lower average degree, which yields fewer social trust chains among users, thereby reducing the complexity of the trust prediction task and leading to a higher F1-score. Based on the aforementioned analysis, the performance of the surrogate model nearly reaches the level of the victim models, successfully emulating the predictive outcomes of GNN-based trust prediction models.

5.3. Attack Performance for Comparisons

Our designed experiments aim to compare our proposed attack strategy with other baselines developed for adversarial attacks on GNN. The experiments are classified into weak transfer scenarios and strong transfer scenarios, depending on the disparities between the surrogate and victim models. In a weak transfer scenario, both the target approach Guardian and the surrogate model are designed by graph convolution networks (GCN). Although they differ in the integration of user features related to network structure and observed trust relationships, the commonality in their process of understanding the rules of trust propagation and aggregation makes the attack in this scenario less challenging. In a strong transfer scenario, the victim models GATrust and TrustGNN use GAT to combine user features with observed trust relationships or integrate different types of social trust chains, in contrast to the surrogate model. The model shows unique interpretations of the principles of trust propagation and aggregation, rendering attacks in this context more challenging. In addition, the control group Clean denotes the performance of the victim model on the original unmodified graph.

5.3.1. Weak Transfer Scenario

As shown in

Table 4. Attack performance in weak transfer scenario.

Dataset	Advogato	PGP
Victim	Guardian	Guardian
Per rate	5%	5%
Clean	0.733	0.864
Random	0.694	0.821
Meta	0.642	0.794
Grab	0.628	0.773
NAG-R	0.632	0.770
T-Attack	0.586	0.736

, when the perturbation rate is set to $5\%,$ we can observe the experiment results in a weak transfer scenario when both the victim and the surrogate model employ a GCN-like architecture to extract the mechanisms of trust propagation and aggregation. In this scenario, the representation learning process for the surrogate and victim models is similar, which makes the attack transfer less challenging. According to Table 4, our proposed attack strategy T-Attack outperforms other baselines in untargeted attack experiments. More precisely, the attack performance of T-Attack is superior to the performance of the second-best attack strategy Grab on the Advogato dataset by $6.7\%$. Meanwhile, in the PGP dataset, the proposed attack strategy also outperforms the second-best attack strategy NAG-R by $4.4\%$. Additionally, T-Attack achieves performance $7.3\%$ and $8.8\%$ higher than those of NAG-R and Meta in Advogato. In the PGP dataset, T-Attack surpasses Grab by $4.8\%$, whereas the F1-score of Guardian under T-Attack is $7.4\%$ lower than that of Meta attack. In addition, $Rando{m}_T$ is the worst attack strategy in terms of F1-score in both datasets, compared to other attack strategies. According to the above analysis, the experimental outcomes demonstrate that our attack strategy significantly enhances the attack performance on GNN-based trust prediction models.

5.3.2. Strong Transfer Scenario

Table 5. Attack performance in strong transfer scenario.

Dataset	Advogato	PGP	Advogato	PGP
Victim	GATrust	GATrust	TrustGNN	TrustGNN
Per rate	5%	5%	5%	5%
Clean	0.746	0.873	0.739	0.878
Random	0.712	0.843	0.714	0.840
Meta	0.698	0.821	0.703	0.818
Grab	0.675	0.808	0.672	0.813
NAG-R	0.678	0.818	0.678	0.815
T-Attack	0.644	0.773	0.649	0.769

illustrates the experimental results where the surrogate model is established using GCN, whereas the victim models employ GAT (such as GATrust and TrustGNN). The perturbation rate remains constant at $5\%.$ As shown by comparing Table 5 and Table 4, although both are black-box attacks, the transfer performance of our strategy suffers when there is an architectural mismatch between the victim and surrogate models. Under the strong transfer scenario, T-Attack reduces the F1-score of GATrust by $4.6\%$ and $4.4\%$ compared to Grab on both datasets, respectively. Furthermore, T-Attack outperforms NAG-R by $5.1\%$ and $5.6\%$ in terms of attack performance on these datasets. Similarly, T-Attack consistently achieves better performance than Grab and NAG-R when targeting TrustGNN on the two datasets. In addition, T-Attack also outperforms Meta when attacking GATrust and TrustGNN. Ultimately, $Rando{m}_T$ continued to exhibit the poorest performance in the strong transfer scenario. The experimental results reveal that the transferability of the attack is degraded by architectural discrepancies in the strong transfer scenario, particularly the gap between the GAT employed in the victim models and the GCN used in the surrogate. In essence, the aforementioned experiments have validated the effectiveness of our proposed attack strategy on GNN-based trust prediction in both transfer attack scenarios.

5.4. Attack Results with Various Perturbation Rate

We evaluate how our proposed attack strategy performs against the Guardian and GATrust models across different perturbation rates. Furthermore, TrustGNN is not evaluated as a target in this experiment due to its adoption of GAT, which makes it architecturally similar to GATrust. The adjustment range of the perturbation rate is $3\%, 5\%, 10\%, 15\%, 20\%.$ In Figure 6a,b, we can observe the decline in the F1-score of Guardian and GATrust as the perturbation rate increases following the application of our proposed attack strategy. Specifically, in Advogato, the performance of T-Attack on Guardian is $0.613,$ when the perturbation rate is $3\%.$ Due to the differences in model architecture between GATrust and the surrogate model, the performance of T-Attack on GATrust is $7.3\%$ lower than T-Attack on Guardian when the perturbation rate is set to $3\%.$ Furthermore, the F1-score of Guardian and GATrust under our proposed attack strategy decreases as the perturbation rate escalates in Advogato. The performance of T-Attack on Guardian and GATrust (with a $20\%$ perturbation rate) is up to $28.1\%$ and is $23.5\%$ higher, respectively, than that on Advogato (with a $3\%$ perturbation rate). Similarly, T-Attack is capable of diminishing the prediction accuracy of Guardian and GATrust, and this degradation intensifies as the perturbation rate increases in PGP. In summary, the performance of T-Attack is inherently tied to the perturbation rate. An increase in the perturbation rate corresponds to a more potent attack effectiveness. Moreover, owing to the existence of user feature perturbation, even at a very low perturbation rate, our crafted attack strategy against GNN-based trust prediction models remains notably effective.

5.5. Sensitivity to User Feature Perturbation Hyperparameters

In the user feature perturbation generator, the hyperparameters $\alpha$ and $\beta$ govern the magnitude of the perturbation and the balance between different feature modalities, respectively. Therefore, to evaluate the sensitivity of our attack strategy to the hyperparameters $\alpha$ and $\beta$ in the user feature perturbation generator, we configure $\alpha$ and $\beta$ with values from the set $0.5, 1.0, 1.5, 2.0$, rather than fine-tuning them specifically for each dataset.

As shown in tab

Table 6. The sensitivity analysis of $\alpha$ and $\beta$.

Datasets	Advogato		PGP
Victim	Guardian	GATrust	Guardian	GATrust
Per rate	5%	5%	5%	5%
$\alpha =0.5$ and $\beta =0.5$	0.601	0.666	0.751	0.778
$\alpha =0.5$ and $\beta =1.0$	0.608	0.663	0.754	0.781
$\alpha =0.5$ and $\beta =1.5$	0.603	0.659	0.760	0.779
$\alpha =1$ and $\beta =1$	0.589	0.653	0.746	0.786
$\alpha =1$ and $\beta =0.5$	0.592	0.660	0.749	0.788
$\alpha =1$ and $\beta =1.5$	0.595	0.657	0.741	0.782
$\alpha =1.5$ and $\beta =1.5$	0.593	0.656	0.742	0.780
$\alpha =1.5$ and $\beta =0.5$	0.596	0.661	0.748	0.783
$\alpha =1.5$ and $\beta =1.0$	0.592	0.663	0.744	0.787
$\alpha =2$ and $\beta =2$	0.586	0.644	0.736	0.773

, the results demonstrate that our T-Attack is highly robust to the choice of $\alpha$ and $\beta$ in a wide range (e.g., from 0.5 to 2.0). The attack performance remains consistently superior without significant fluctuations. This indicates that the success of our method stems from the core attack mechanism rather than delicate hyper-parameter tuning.

5.6. Effect of the Feature Perturbation Generator Network Depth on Attack Performance

The feature perturbation generator is built upon a multilayer fully connected network, whose depth significantly impacts the attack performance. To assess this effect, the F1-score is adopted as the primary metric, with the perturbation rate set to $5\%$. Specifically, when the feature perturbation generator from our proposed attack strategy consists of a single-layer fully connected network, it is denoted as T-Attack(one-layer). Similarly, the three-layer counterpart is treated as T-Attack(three-layer). T-Attack represents its two-layer counterpart.

Table 7. The analysis of the influence of feature perturbation and the manipulated trust relationship.

Datasets	Advogato		PGP
Victim	Guardian	GATrust	Guardian	GATrust
Per rate	5%	5%	5%	5%
T-Attack(one-layer)	0.665	0.683	0.805	0.831
T-Attack(three-layer)	0.623	0.659	0.782	0.811
T-Attack	0.586	0.644	0.736	0.773

illustrates the attack performance of T-Attack with different network depths on common GNN-based social trust evaluation models, such as Guardian and GATrust. It is worth noting that the effect of T-Attack on Guardian and GATrust is superior to that of T-Attack with a one-layer or two-layer fully connected network on the Advogato dataset. In particular, the attack performance of T-Attack is $6\%$ and $3.3\%$ higher than that of T-Attack(three-layer), respectively. Notably, the performance gap between T-Attack and T-Attack(three-layer) is smaller on GATrust. This is because the structural discrepancy between GATrust and the surrogate model significantly degrades the overall effectiveness of T-Attack. Additionally, T-Attack(three-layer) significantly outperforms T-Attack(one-layer). A possible reason is that a single-layer network lacks the representational power to generate user feature perturbations under the imperceptibility constraint. In terms of PGP, T-Attack also achieves superior attack performance compared to T-Attack(three-layer) and T-Attack(one-layer). Therefore, a two-layer fully connected network proves to be the optimal architecture for the feature perturbation generator in T-Attack.

5.7. Influence Analysis of Feature Perturbation and Manipulated Trust Relationship

Recalling that in our proposed attack strategy, T-Attack is composed of a user feature perturbation attack and manipulated trust relationship attack. We also evaluate the importance of the user feature perturbation attack and manipulated trust relationship attack in T-Attack in terms of F1-score, specifically at a perturbation rate of $5\%$.

Table 8. The analysis of the influence of feature perturbation and manipulated trust relationship.

Datasets	Advogato		PGP
Victim	Guardian	GATrust	Guardian	GATrust
Per rate	5%	5%	5%	5%
T-Attack(UP)	0.617	0.658	0.776	0.792
T-Attack(TP)	0.642	0.692	0.813	0.846
T-Attack	0.586	0.644	0.736	0.773

describes the attack performance of each component of our proposed attack strategy, where T-Attack(UP) and T-Attack(TP) represent the performance of user feature perturbation and manipulated trust relationship attack, respectively, on GNN-based trust prediction models, including Guardian and GATrust. Notably, T-Attack(UP) outperforms T-Attack(TP). More precisely, on the Advogato dataset, the performance of T-Attack(UP) on Guardian and GATrust is $3.9\%$ and $5\%$ higher than that of T-Attack(TP) in terms of F1-score, respectively. Regarding PGP, the F1-score of T-Attack(UP) on Guardian and GATrust has dropped to $0.776$ and $0.792,$ which demonstrates considerably superior attack performance compared to T-Attack(TP). Moreover, T-Attack(UP) remains unaffected by the change in perturbation rate. Hence, despite the relatively low perturbation rate, T-Attack still maintains a considerable level of attack performance on GNN-based trust prediction models.

6. Conclusions

This article addresses the adversarial attacks problem of GNN-based trust prediction in untargeted attack scenarios.

Without prior knowledge of the target GNN-based trust prediction models, we design a surrogate model to learn the mechanisms of trust propagation and aggregation, thereby simulating their behavior in OSNs. Subsequently, we utilize user feature perturbations and manipulated trust ratings to attack the surrogate model, with the aim of executing transfer attacks on GNN-based trust prediction models. Extensive experiments demonstrate that the designed attack strategy effectively degrades the prediction accuracy of the prevalent GNN-based trust evaluation models, achieving superior performance over existing methods.

For future work, it is necessary to construct larger-scale dynamic trust-related datasets to validate our proposed adversarial attack strategy, given that trust assessment in the real world is more complex. Meanwhile, it is worth investigating how to further enhance the effect of the attack strategy. Moreover, delving into attacks and defense strategies in trust relationship prediction within large-scale and dynamic social networks represents another significant and promising research domain.