ML Security PapersOptimal Transport-Guided Adversarial Attacks on Graph Neural Network-Based Bot Detection
Kunal Mukherjee 1, Zulfikar Alom 2, Tran Gia Bao Ngo 3, Cuneyt Gurcan Akcora 4, Murat Kantarcioglu 1
Published on arXiv
2602.00318
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
BOCLOAK achieves up to 80.13% higher attack success rates against five state-of-the-art GNN-based bot detectors while using 99.80% less GPU memory under realistic real-world constraints.
BOCLOAK
Novel technique introduced
The rise of bot accounts on social media poses significant risks to public discourse. To address this threat, modern bot detectors increasingly rely on Graph Neural Networks (GNNs). However, the effectiveness of these GNN-based detectors in real-world settings remains poorly understood. In practice, attackers continuously adapt their strategies as well as must operate under domain-specific and temporal constraints, which can fundamentally limit the applicability of existing attack methods. As a result, there is a critical need for robust GNN-based bot detection methods under realistic, constraint-aware attack scenarios. To address this gap, we introduce BOCLOAK to systematically evaluate the robustness of GNN-based social bot detection via both edge editing and node injection adversarial attacks under realistic constraints. BOCLOAK constructs a probability measure over spatio-temporal neighbor features and learns an optimal transport geometry that separates human and bot behaviors. It then decodes transport plans into sparse, plausible edge edits that evade detection while obeying real-world constraints. We evaluate BOCLOAK across three social bot datasets, five state-of-the-art bot detectors, three adversarial defenses, and compare it against four leading graph adversarial attack baselines. BOCLOAK achieves up to 80.13% higher attack success rates while using 99.80% less GPU memory under realistic real-world constraints. Most importantly, BOCLOAK shows that optimal transport provides a lightweight, principled framework for bridging the gap between adversarial attacks and real-world bot detection.
Key Contributions
- BOCLOAK: an optimal transport-guided adversarial attack framework for GNN-based bot detection that constructs probability measures over spatio-temporal neighbor features and decodes OT plans into sparse, plausible edge edits
- Constraint-aware attack formulation that enforces real-world limits (partial observability, behavioral plausibility, limited connectivity) absent in prior graph adversarial attack methods
- Achieves up to 80.13% higher attack success rates while using 99.80% less GPU memory than four SOTA graph adversarial attack baselines across three datasets and five bot detectors
🛡️ Threat Analysis
BOCLOAK crafts adversarial graph structures (edge editing and node injection) to cause GNN classifiers to misclassify bot accounts as humans at inference time — a canonical evasion/input manipulation attack. The OT framework provides a novel method for generating sparse, plausible adversarial perturbations against GNN-based classifiers under domain-specific constraints.