Transferable Hypergraph Attack via Injecting Nodes into Pivotal Hyperedges
- Conference: AAAI 2026
- arXiv: 2511.10698
- Code: None
- Area: AI Safety
- Keywords: Hypergraph Neural Networks, Adversarial Attack, Node Injection, Hyperedge Pivotality, Transferable Attack
TL;DR
This paper proposes TH-Attack, a transferable node injection attack framework targeting Hypergraph Neural Networks (HGNNs). By identifying pivotal hyperedges in information aggregation pathways and injecting semantically inverted malicious nodes, TH-Attack effectively attacks diverse HGNN architectures in a black-box setting, reducing accuracy from 80%+ to below 30%.
Background & Motivation
Hypergraphs allow a hyperedge to connect two or more nodes, which enables the modeling of higher-order relationships more complex than those of ordinary graphs; they have demonstrated superior performance in recommendation systems, biological networks, and 3D vision. HGNNs capture high-order features through a two-stage "node→hyperedge→node" aggregation mechanism.
As HGNNs are deployed in critical domains such as medical diagnosis and financial risk control, their adversarial robustness becomes an urgent concern. However, existing hypergraph attack methods exhibit notable limitations:
Limitations of Prior Work:
- Hypergraph modification attacks (e.g., HyperAttack, MGHGA): rely on gradient information from the target model, requiring white-box/gray-box assumptions.
- Hypergraph injection attacks (e.g., IE-Attack, H3NI): IE-Attack selects "elite hyperedges" to inject KDE-generated homogeneous nodes; H3NI uses genetic algorithms for hyperedge selection. Both depend on the information mechanisms of specific HGNNs.
Core Insight: All existing methods overlook a universal vulnerability in HGNNs — the significant variation in hyperedge pivotality within the information aggregation pathway.
As illustrated in Figure 1: node \(v_1\) acquires high-order features only through hyperedge \(e_1\), while node \(v_3\) has two aggregation paths (\(e_2, e_3\)). Attacking \(e_1\) directly disrupts information propagation for \(v_1\), preventing correct HGNN prediction; attacking \(e_3\) has limited impact on \(v_3\) since \(e_2\) serves as a backup path.
Consequently, \(e_1\) exhibits higher pivotality than \(e_2\) and \(e_3\). This universal vulnerability exists across all HGNNs based on the "node-hyperedge-node" aggregation mechanism, and attacking pivotal hyperedges enables cross-architecture transferability.
Method
Overall Architecture
TH-Attack comprises three key modules:
- Hyperedge Recognizer (HR): Identifies critical hyperedges via pivotality assessment.
- Feature Inverter (FI): Generates semantically inverted malicious nodes based on critical hyperedge features.
- Injection Attack: Injects malicious nodes into critical hyperedges to disrupt information propagation.
Key Designs
1. Hyperedge Pivotality Assessment and Recognizer
Starting from the HGNN aggregation process:
Node→Hyperedge aggregation: \(\mathbf{z}_j^{(l)} = \frac{1}{|e_j|} \sum_{v_i \in e_j} \frac{1}{\sqrt{d_{v_i}}} \mathbf{x}_i^{(l)} \Theta^{(l)}\)
Hyperedge→Node aggregation: \(\mathbf{x}_i^{(l+1)} = \frac{1}{\sqrt{d_{v_i}}} \sum_{e_j \ni v_i} w_{e_j} \mathbf{z}_j^{(l)}\)
For node \(v_i\), its isolation degree is defined as its hyperdegree (number of hyperedges it belongs to):
If \(d_h(v_i) \leq \tau\) (pivotality level threshold), the hyperedges containing \(v_i\) are identified as critical.
Theoretical Support:
Theorem 1 (Perturbation Amplification via High-Pivotality Hyperedges): When node \(v_i\) aggregates information through high-pivotality hyperedges, the lower bound of feature perturbation is:
Theorem 2 (Perturbation Attenuation via Low-Pivotality Hyperedges): When node \(v_k\) aggregates through low-pivotality hyperedges, perturbation is dispersed across multiple paths:
Design Motivation: High-pivotality hyperedges serve as the sole or scarce channels for information propagation; attacking them induces a perturbation amplification effect. Low-pivotality hyperedges possess redundant paths that dissipate perturbation energy. This constitutes a structural vulnerability independent of the specific HGNN architecture, enabling transferable attacks.
The final set of critical hyperedges selected:
2. Feature Inverter Based on Critical Hyperedges
Objective: Generate malicious node features that maximally deviate semantically from the features of the target hyperedge, thereby injecting "poison" during aggregation.
Initial Confusion Feature Generation:
where \(\mathbf{x}_{pro}^{(j)} = \prod_{v_i \in e_j} \mathbf{x}_i\) is the element-wise product of node features within the hyperedge, preserving statistical correlations while introducing Gaussian noise to enhance diversity.
MLP Enhancement: Multi-layer MLP with LeakyReLU activation enhances the confusion effect, with Softmax producing the final malicious features.
Loss Function — maximizing semantic deviation while constraining deviation magnitude:
where \(\mathcal{L}_{reg} = \max(\cos(\mathbf{x}_{mal}^{(j)}, \mathbf{z}_{e_j}) - t, 0)\), and \(t\) is the similarity threshold.
Design Motivation:
- Minimizing cosine similarity orients malicious node features in the opposite direction to hyperedge features, inducing maximal interference during aggregation.
- The regularization term constrains the deviation magnitude to preserve attack stealthiness.
- The hyperedge feature \(\mathbf{z}_{e_j} = H^\top \cdot \mathcal{X}\) depends only on the hypergraph structure, requiring no model parameters, which enables black-box attacks.
3. Injection Attack and Cross-Model Transferability
The generated malicious nodes are injected into critical hyperedges: \(e_j = \{v_1, v_2\} \to \{v_1, v_2, v_{mal}^{(j)}\}\)
The updated incidence matrix \(\hat{H}\) increases the node dimension by \(m\), while the hyperedge dimension remains unchanged. The attacked hypergraph \(\hat{\mathcal{G}} = (\hat{\mathcal{V}}, \hat{\mathcal{E}})\) can be directly fed into any HGNN without knowledge of the target model's parameters or architectural details.
Sources of Transferability:
- Critical hyperedge identification relies solely on hypergraph structure, not on any specific HGNN.
- Feature inversion relies only on hyperedge feature aggregation (\(H^\top \mathcal{X}\)), not on model parameters.
- All HGNNs based on "node-hyperedge-node" aggregation share this structural vulnerability.
Loss & Training
- The Feature Inverter is optimized via backpropagation on \(\mathcal{L}_{cos\_dis}\).
- The attack budget \(\Phi\) is determined by the perturbation rate \(\eta\) and node count \(N\), typically not exceeding 5% of total nodes.
- Optimal hyperparameter combination: \(\lambda=0.1, t=0.9\) (low regularization + high similarity threshold = maximum attack strength).
Key Experimental Results
Main Results
6 Datasets × 5 HGNNs × 6 Attack Methods, Accuracy Comparison (%)
| Dataset/Model | Clean | Random | DICE | FGA | IGA | IE-Attack | TH-Attack |
|---|---|---|---|---|---|---|---|
| Cora/HGNN | 76.41 | 74.71 | 74.45 | 74.41 | 73.84 | 73.20 | 36.08 |
| Cora/HyperGCN | 75.95 | 73.14 | 73.93 | 72.62 | 71.09 | 68.37 | 31.55 |
| Cora/UniGCNII | 80.08 | 75.82 | 77.23 | 76.65 | 76.01 | 76.57 | 39.42 |
| Cora-CA/UniGCNII | 84.68 | 79.53 | 80.15 | 80.57 | 79.07 | 83.95 | 32.72 |
| Pubmed/HGNN | 84.28 | 80.99 | 81.29 | 81.99 | 81.60 | 84.53 | 40.96 |
| DBLP/HyperGCN | 89.54 | 83.84 | 81.72 | 85.85 | 81.83 | 82.64 | 46.23 |
| ModelNet40/UniGCNII | 97.86 | 93.45 | 93.51 | 93.36 | 93.48 | 96.65 | 53.50 |
TH-Attack substantially outperforms all baselines, typically degrading accuracy by 30–50 percentage points, whereas baselines typically achieve only 2–10 percentage points of degradation.
Ablation Study
| Variant | Cora | Cora-CA | Citeseer | Pubmed |
|---|---|---|---|---|
| w/o Hyperedge Recognizer (HR) | 41.19 / 34.87 / 43.48 | 38.30 / 24.51 / 40.00 | 28.69 / 21.43 / 34.05 | 45.16 / 36.47 / 47.14 |
| w/o Feature Inverter (FI) | 61.80 / 38.65 / 73.85 | 58.40 / 26.57 / 77.72 | 54.26 / 43.93 / 66.94 | 44.25 / 38.97 / 47.95 |
| w/o Cosine Distance Loss (CDL) | 61.05 / 59.42 / 59.80 | 59.31 / 54.66 / 60.34 | 54.45 / 52.64 / 66.06 | 55.85 / 52.76 / 46.40 |
| Full TH-Attack | 36.08 / 31.55 / 39.42 | 32.03 / 17.02 / 32.72 | 24.17 / 20.59 / 27.00 | 40.96 / 35.14 / 44.13 |
(Each group of three values corresponds to HGNN / HyperGCN / UniGCNII)
- CDL removal has the largest impact: Removing the cosine distance loss causes a substantial drop in attack effectiveness, confirming that maximizing semantic deviation is the core driver of the attack.
- HR and FI each contribute significantly: Validating the complementary roles of critical hyperedge selection and malicious feature generation.
Key Findings
- Extreme attack effectiveness: On Cora, HGNN accuracy drops from 76.41% to 36.08%, a decline of 40+ percentage points; on Cora-CA, HyperGCN drops from 76.32% to 17.72%.
- High efficiency under extremely low budget: At \(\eta=1\%\), injecting only 23 nodes (Cora) reduces HGNN accuracy by 17.17%, while baselines achieve at most 5%.
- Strong cross-architecture transferability: The same attacked data is effective against 5 different HGNN architectures; baselines (especially IE-Attack) are typically effective only against specific architectures.
- Effect of pivotality level \(\tau\): Attack strength is highest at \(\tau=1,2\) and decreases for \(\tau \geq 3\), validating the pivotality hypothesis.
- Greater advantage on complex datasets: On complex datasets such as ModelNet40, baselines are nearly ineffective (accuracy drop of 2–4%), while TH-Attack still substantially degrades performance.
Highlights & Insights
- Depth of problem formulation: This work is the first to shift the attack perspective from "which nodes/edges to attack" to "structural bottlenecks in the information aggregation pathway," reflecting a deep understanding of HGNN architectural vulnerabilities.
- Theoretical-empirical coherence: Theorems 1 and 2 formally characterize the concept of pivotality from aggregation formulas, with experimental results validating the theoretical predictions.
- Simplicity and efficiency of the attack: No gradient information, no surrogate model, and no knowledge of the target architecture are required — a purely black-box attack based on hypergraph structure and node features.
- Remarkable attack effectiveness: Under a 5% injection budget, classification accuracy of state-of-the-art HGNNs is reduced to near-random-guess levels.
Limitations & Future Work
- Limited to node classification: The effectiveness on other tasks such as hypergraph link prediction and community detection has not been validated.
- Absence of a defense perspective: No discussion of potential defense strategies, such as detecting injected nodes with anomalous degrees or downweighting pivotal hyperedges during aggregation.
- Stealthiness of the Feature Inverter: Although regularization is applied, the paper does not quantitatively evaluate the anomaly degree of injected nodes in feature space — whether they can be readily identified by anomaly detectors remains open.
- Dynamic hypergraphs not considered: The authors note that future work includes attacks on dynamic HGNNs.
- Poisoning setting used in experiments: IE-Attack was originally designed as an evasion attack; converting it to a poisoning setting may render the comparison not entirely fair.
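A defender-side audit built on the hyperdegree pivotality rule (\(d_h(v_i) \leq \tau\)) from the Method section, in the direction of the missing defense perspective noted above: it lists pivotal hyperedges and queues for review any member whose features disagree with the rest of its hyperedge. This is an added example, not code from the paper, and the paper does not evaluate whether such a check catches injected nodes. The leave-one-out cosine test, the `min_sim` cutoff, the function names and the sample hypergraph are assumptions constructed for illustration.

```python
import math

# Constructed sample: H[i][j] == 1 when node i belongs to hyperedge j.
# Node 5 is a recently added member with off-distribution features.
H = [[1, 0, 0], [1, 1, 0], [0, 1, 1], [0, 1, 1], [1, 0, 1], [1, 0, 0]]
X = [[0.9, 0.8, 0.0, 0.1], [0.8, 0.9, 0.1, 0.0], [0.7, 0.9, 0.1, 0.1],
     [0.9, 0.7, 0.0, 0.1], [0.8, 0.8, 0.1, 0.1], [0.0, 0.1, 0.9, 0.8]]

def hyperdegrees(H):
    """d_h(v_i): number of hyperedges each node belongs to."""
    return [sum(row) for row in H]

def pivotal_hyperedges(H, tau):
    """Hyperedges containing at least one node with d_h <= tau."""
    deg = hyperdegrees(H)
    return sorted({j for i, row in enumerate(H) if deg[i] <= tau
                   for j, member in enumerate(row) if member})

def cosine(a, b):
    """Cosine similarity; 0.0 when either vector is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def flag_outliers(H, X, tau=1, min_sim=0.5):
    """Return (node, hyperedge, similarity) for members of pivotal hyperedges
    whose features disagree with the mean of the other members."""
    flagged = []
    for j in pivotal_hyperedges(H, tau):
        members = [i for i, row in enumerate(H) if row[j]]
        if len(members) < 3:  # leave-one-out mean needs at least two peers
            continue
        for i in members:
            peers = [X[k] for k in members if k != i]
            mean = [sum(col) / len(peers) for col in zip(*peers)]
            sim = cosine(X[i], mean)
            if sim < min_sim:
                flagged.append((i, j, round(sim, 3)))
    return flagged

if __name__ == "__main__":
    print("hyperdegrees:", hyperdegrees(H))
    print("pivotal (tau=1):", pivotal_hyperedges(H, 1))
    print("review queue:", flag_outliers(H, X))
```

Flagged entries are candidates for manual review rather than verdicts, since a legitimate but atypical member of a small hyperedge will also score low.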
Related Work & Insights
- The concept of pivotality can be generalized to attacks targeting "bridge edges" or "articulation points" in ordinary GNNs.
- The Feature Inverter paradigm can be applied to generate high-quality adversarial examples in other settings.
- This work reveals the universal vulnerability of structural bottlenecks in message-passing mechanisms, serving as an important warning for HGNN robustness research.
- Inspiring defense directions include: redundant aggregation path design and adaptive protection of pivotal hyperedges.
Rating
- Novelty: ⭐⭐⭐⭐⭐ — The pivotality concept is novel and theoretically grounded; the attack perspective from structural bottlenecks is highly original.
- Experimental Thoroughness: ⭐⭐⭐⭐⭐ — 6 datasets × 5 models × 6 baselines × multiple perturbation rates, with comprehensive ablation and parameter analysis.
- Writing Quality: ⭐⭐⭐⭐ — Clear structure with intuitive motivation figures, though some formula derivations could be more concise.
- Value: ⭐⭐⭐⭐⭐ — Makes an important contribution to HGNN security research by revealing a universal structural vulnerability.