Table: Attack Success Rates of FCGHUNTER and Baselines.

Note: BagAmmo operates in a white-box setting. And BagAmmo_M is a supplementary setting.

In our evaluation (the above Table), the performance of HRAT (the second row) differed significantly from the claims made in the paper, prompting us to conduct a detailed analysis. Indeed, its replicability was also proven challenging in another survey article[1].

In HRAT, the process of conducting adversarial attacks on graph structures is defined as a reinforcement learning process. Specifically, the researchers have defined four types of graph modification rules that maintain semantic consistency. Utilizing a DQN, these four operations are considered as potential actions to determine which one to execute. In each action, given that the graph can be represented as an adjacency matrix, a gradient calculation is performed across the entire graph to select the position with the highest gradient for the operation. If the operation successfully reverses the sample's label, a positive reward is obtained; otherwise, a negative reward is received, the magnitude of which correlates with the changes in the number of edges and nodes in the graph.

We summary the limitation about HRAT in four aspects:

(1) Memory-Intensive: HRAT cannot run in Malscan (Average and Concentrate) due to their memory requirements, which are four times greater than those of Malscan (Degree). When running Malscan (Degree) with KNN-1, the GPU memory (i.e., 46GB memory of L40) is exhausted approximately 30GB because the entire training set needs to be loaded into memory, along with the large adjacency matrix of the graph.

(2) Gradient-Dependent: tree-based classifiers such as AdaBoost and Random Forest are non-differentiable, rendering the gradient search technique used by the authors ineffective.

(3) Coarse Gradient Information: In addition to using gradient information from the model to guide the direction of optimization, the authors also calculate gradients on the adjacency matrix to estimate the position of perturbations. However, due to the enormous perturbation space, estimating the position of perturbations on the graph is coarse. This is because the values in the matrix are binary, making it difficult to treat the gradient of a value of 0 as the optimal result when the value is 1. This leads to the continuous accumulation of erroneous optimizations.

(4) Ineffective Reward Mechanism: The authors used the amount of perturbation (changes in the number of edges and nodes) as a reward to guide reinforcement learning. However, fewer perturbations do not necessarily indicate proximity to the decision boundary, which can also lead to the accumulation of errors.

[1] Olszewski, Daniel, et al. "" Get in Researchers; We're Measuring Reproducibility": A Reproducibility Study of Machine Learning Papers in Tier 1 Security Conferences." Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023.

To replicate another white-box setting of BagAmmo, we use an MLP as the surrogate model, consistent with our experimental setup. We still use the scores from both the surrogate model and the target model to select perturbations.