MEMFREEZING: TOWARDS PRACTICAL ADVERSARIAL ATTACKS ON TEMPORAL GRAPH NEURAL NETWORKS

Q2. What if the memory updater in TGNNs uses LSTM?

Thank you for the thoughtful question. It is valuable to understand how nodes’ memory is frozen under a memory updater with different RNN-variant.

To evaluate the effectiveness of MemFreezing when using LSTM as the memory updater, we replaced the GRU and RNN components in TGN with LSTM. We then assessed the performance of MemFreezing and baseline attacks under this new configuration. It is worth mentioning that since LSTM has two memories (i.e., long and short terms), they are different from GRU and RNN used in existing TGNNs. To adapt these two memories into one node memory under existing TGNN frameworks, we concatenate the two memories of a node together as its memory and freeze them altogether.

We first investigate the resulting accumulated accuracies in TGN. As shown in Table R.6, the LSTM-based TGN shows better robustness against MemFreezing. However, MemFreezing still effectively compromises predictions of LSTM-based TGN, leading to an average of 8% accuracy drops at $t_{100}$. In contrast, the baseline (i.e., TDGIA) still fails to disturb the predictions under limited-knowledge setups.

Table R.6. The Accumulated accuracy(accumulated) of LSTM-based TGNN w/o attack (i.e., vanilla), under TDGIA attack and under MemFreezing attack. | | | $t_0$ | $t_{10}$ | $t_{20}$ | $t_{30}$ | $t_{40}$ | $t_{50}$ | $t_{60}$ | $t_{70}$ | $t_{80}$ | $t_{90}$ | $t_{100}$ | |--------|---------|------|------|------|------|------|------|------|------|------|------|------| | Wiki | Vanilla | 0.92 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | | | TDGIA | 0.85 | 0.91 | 0.92 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | | | Ours | 0.9 | 0.89 | 0.91 | 0.9 | 0.9 | 0.89 | 0.87 | 0.86 | 0.85 | 0.85 | 0.85 | | Reddit | Vanilla | 0.92 | 0.92 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | | | TDGIA | 0.81 | 0.89 | 0.9 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | | | Ours | 0.88 | 0.89 | 0.88 | 0.87 | 0.86 | 0.86 | 0.84 | 0.84 | 0.83 | 0.83 | 0.83 |

The LSTM-based TGN makes it more challenging since the attack has to freeze both long-term and short-term memories. To understand the phenomenon, we further investigate the similarities between the victim nodes’ initial memory and its subsequent and 1-hop neighbors’ memories. As shown in Table R.7, the similarities between the victim nodes and their 1-hop neighbors are as low as around 0.6, which is not as high as the cases with GRU/RNNs (e.g., over 0.8).

Table R.7. The similarities between victim nodes’ initial noisy memories (at the time of the attack) and themselves’/their subsequent neighbors’ memories in LSTM-based TGN on the Wikipedia dataset. | | | $t_1$ | $t_2$ | $t_3$ | $t_4$ | $t_5$ | $t_6$ | $t_7$ | $t_8$ | $t_9$ | $t_{10}$ | $t_{11}$ | $t_{12}$ | $t_{13}$ | $t_{14}$ | $t_{15}$ | |--------|-------|-------|-------|------|------|------|------|------|------|------|------|------|------|------|------|------| | Wiki | Root | 0.95 | 0.95 | 0.94 | 0.94 | 0.94 | 0.93 | 0.93 | 0.93 | 0.93 | 0.92 | 0.91 | 0.91 | 0.90 | 0.91 | 0.90 | | | Hop-1 | 0.02 | 0.14 | 0.26 | 0.33 | 0.39 | 0.45 | 0.52 | 0.54 | 0.57 | 0.59 | 0.60 | 0.59 | 0.61 | 0.63 | 0.63 | | Reddit | Root | 0.96 | 0.95 | 0.95 | 0.95 | 0.95 | 0.95 | 0.95 | 0.95 | 0.95 | 0.94 | 0.94 | 0.94 | 0.94 | 0.94 | 0.94 | | | Hop-1 | -0.02 | -0.03 | 0.00 | 0.02 | 0.08 | 0.19 | 0.29 | 0.37 | 0.43 | 0.46 | 0.48 | 0.51 | 0.52 | 0.54 | 0.57 |

We also added the above analysis to Appendix C.16. in our revised paper.

Q3. Notation consistency and Typos.

We appreciate the suggestions from the reviewer and carefully revised our paper, including the following changes:

• As for the $node_u$ and $u$, we consistently used its index $u$ to represent a node.
• For $x(t_1)$ in equation(1), it also represents a single event, as we used in the following equations. The description is included in our original submitted paper and highlighted in teal color. To address the confusion, we change $x(t)$ in the following statements to $x(t_i)
• We correct the typos in line 480 and the legends in Figures 12 and 13.

We sincerely thank the reviewer for the positive feedback and valuable comments. In response, we analyze the time complexity of our attack and add results on LSTM-based TGNNs. We also revise our paper following the suggestions from the reviewer. We hope our response can help clarify the reviewer's questions.

Q1. What is the time complexity of MemFreezing?

Thank you for the valuable question. Studying the time complexity of an attack is crucial for understanding its practicality. The time complexity of MemFreezing is approximately $O(V + VD)$, where $V$ is the number of victim nodes being attacked and $D$ is their average degree.

The computation can be divided into three main parts:

1. Finding the Stable State: For each victim node in a total of $V$ nodes, we iteratively update its state using its two support neighbors until reaching the ideal stable state. Assuming a constant number of iterations for convergence, this step incurs a time complexity of $\mathcal{O}(V)$.

2. Solving the Target Memory Using SGD: For each victim node, we optimize the target memory state using stochastic gradient descent (SGD), considering (a) the node itself, (b) its two support neighbors, and (3) its augmented neighbor, with the total set of size less than $D + 20$ (current neighbors + those simulated neighbors), where $D$ approximate the amount of node’s current neighbors. This optimization incurs an $\mathcal{O}(D)$ cost per node, leading to a total time complexity of $\mathcal{O}(VD)$ across V victim nodes with D average degree.

3. Introducing Fake Neighbors: For each victim node, we compute and inject a fake neighbor to introduce noise. This step has a cost of O(1) per node, resulting in overall $\mathcal{O}(V)$ time complexity.

In summary, the overall time complexity of MemFreezing is dominated by the SGD optimization step for getting noisy memory, resulting in $\mathcal{O}(V + VD)$ time complexity. Under the worst cases, in which $D=V$ (e.g., fully connected graph), the complexity is $\mathcal{O}(V^2)$. We also added the above analysis to our revised paper as Appendix E.

Q5. How is "Cross-freezing" achieved if attacking at multiple points in time?

Thank you for the question. To achieve 'cross-freezing' when attacking at multiple points in time, we ensure that a victim node and its two supporting neighbors (i.e., three connected victim nodes) are attacked in close temporal proximity. Specifically, for each group of victim nodes (i.e., mutually connected three nodes), the MemFreezing either attacks them in a single injection or within consecutive attack rounds. By minimizing the time between attacks on these nodes, their memories are less likely to diverge before mutual support is established, enabling them to reinforce each other and remain in stable states after the attack.

To evaluate the effectiveness of cross-freezing under multiple-time attack cases, we investigate the similarities between victim nodes' initial noisy memories (at the time of the attack) and themselves'/their subsequent neighbors' memories in MemFreezing under one-time attack setup and multiple-times attack setup (following the setup in Figure 7 in our paper).

As shown in Table R.2, even when attacks occur at multiple points in time, the victim nodes still exhibit high similarity in their memory states during subsequent updates as the one-time attack, demonstrating that the cross-freezing mechanism is still effective under multiple-attack cases. We have added these results to Appendix C.6 in our revised paper to clarify this mechanism.

Table R.2. The similarities between victim nodes' initial noisy memories (at the time of the attack) and themselves'/their subsequent neighbors' memories in MemFreezing under one-time attack setup and multiple-times attack setup. | | | t1 | t2 | t3 | t4 | t5 | t6 | t7 | t8 | t9 | t10 | t11 | t12 | t13 | t14 | t15 | |--------|------------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------| | Wiki | Multi-time | 0.98 | 0.95 | 0.94 | 0.93 | 0.97 | 0.94 | 0.93 | 0.93 | 0.92 | 0.96 | 0.95 | 0.93 | 0.91 | 0.91 | 0.90 | | | One-Time | 0.99 | 0.97 | 0.97 | 0.96 | 0.95 | 0.94 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.92 | 0.92 | | Reddit | Multi-time | 0.95 | 0.94 | 0.93 | 0.92 | 0.94 | 0.93 | 0.92 | 0.91 | 0.91 | 0.93 | 0.93 | 0.92 | 0.91 | 0.89 | 0.89 | | | One-Time | 0.98 | 0.96 | 0.94 | 0.94 | 0.94 | 0.94 | 0.93 | 0.92 | 0.91 | 0.91 | 0.92 | 0.91 | 0.90 | 0.91 | 0.90 |

Q6. Comments on the presentation.

Thanks for the valuable suggestion. We made the following changes in our revised paper:

• We change “sample” in Section 4.3 to “select”.
• We revise Section 4.1 to explain how we get nodes’ ideal frozen state more clearly.
• We apply \text on loss subscripts as suggested, in terms of node indices, we keep their math format to distinguish them from the other texts.

• Multiple timestamp attack

We include more results about multiple-time injection in Table R.1 following our setup in Appendix C6, including TGNN performances under TDGIA and our attacks. The attacks are injected right before $t_0, t_5, t_{10}, t_{15}$ with 1% attack budget (i.e., 1% of all nodes) at each time. As shown, under multiple timestamp attack setups, our attack leads to greater performance degradation in TGNN models against TIGIA. We also add these results to Section C.6 of the revised paper.

Table R.1. The Accumulated accuracy(accumulated) and batch accuracy(current) across different timestamps in multiple-time TIGIA and MemFreezing Attacks. | | | | $t_1$ | $t_2$ | $t_3$ | $t_4$ | $t_5$ | $t_6$ | $t_7$ | $t_8$ | $t_9$ | $t_{10}$ | $t_{11}$ | $t_{12}$ | $t_{13}$ | $t_{14}$ | $t_{15}$ | $t_{16}$ | $t_{17}$ | $t_{18}$ | $t_{19}$ | $t_{20}$ | |--------|-------|-------------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------| | WiKi | TDGIA | Current | 0.86 | 0.88 | 0.92 | 0.87 | 0.92 | 0.91 | 0.94 | 0.95 | 0.89 | 0.93 | 0.87 | 0.95 | 0.82 | 0.87 | 0.87 | 0.94 | 0.89 | 0.95 | 0.90 | 0.82 | | | | Accumulated | 0.86 | 0.87 | 0.89 | 0.89 | 0.90 | 0.90 | 0.90 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.90 | 0.90 | 0.90 | 0.90 | 0.90 | 0.90 | 0.90 | | | MemFreezing | Current | 0.90 | 0.87 | 0.90 | 0.92 | 0.86 | 0.89 | 0.88 | 0.93 | 0.96 | 0.89 | 0.76 | 0.85 | 0.82 | 0.85 | 0.79 | 0.88 | 0.87 | 0.82 | 0.87 | 0.88 | | | | Accumulated | 0.90 | 0.88 | 0.89 | 0.90 | 0.89 | 0.89 | 0.89 | 0.90 | 0.90 | 0.90 | 0.89 | 0.88 | 0.88 | 0.88 | 0.87 | 0.87 | 0.87 | 0.87 | 0.87 | 0.87 | | Reddit | TDGIA | Current | 0.89 | 0.95 | 0.95 | 0.94 | 0.89 | 0.90 | 0.89 | 0.93 | 0.92 | 0.92 | 0.89 | 0.93 | 0.87 | 0.88 | 0.89 | 0.94 | 0.89 | 0.90 | 0.88 | 0.88 | | | | Accumulated | 0.89 | 0.91 | 0.92 | 0.92 | 0.92 | 0.92 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.90 | 0.90 | | | MemFreezing | Current | 0.93 | 0.92 | 0.92 | 0.90 | 0.90 | 0.89 | 0.91 | 0.86 | 0.92 | 0.93 | 0.85 | 0.85 | 0.80 | 0.83 | 0.87 | 0.83 | 0.84 | 0.79 | 0.83 | 0.82 | | | | Accumulated | 0.93 | 0.92 | 0.92 | 0.92 | 0.91 | 0.91 | 0.91 | 0.90 | 0.90 | 0.91 | 0.90 | 0.90 | 0.89 | 0.89 | 0.89 | 0.88 | 0.88 | 0.88 | 0.87 | 0.87 |

It is also worth mentioning that we prioritize one-shot attacks because, without knowing future knowledge, it is challenging to determine when to inject attacks and how much of the attack budget should be used.

Q4. Do benchmarked attacks result in low-degree nodes while MemFreezing results in highest-degree nodes?

Thank you for the question. We would like to clarify that the baseline attacks and MemFreezing are compared using the same attack capabilities. First, to ensure a fair comparison, all attacks target the same set of victim nodes. Second, all benchmarked attacks, including MemFreezing, inject either one-degree nodes or edges into the graph and affect the same number of victim nodes at the time of the attack.

Regarding the second point, MemFreezing specifically targets high-degree nodes by introducing a temporary fake node for each target and creating an event (i.e., an edge) between the fake node and the target. In this way, MemFreezing, like FakeNode, injects nodes with a degree of one into the graph. However, unlike FakeNode, which retains the injected fake nodes and can potentially cause stronger adversarial effects, MemFreezing removes these fake nodes after the attack, minimizing structural changes while inducing long-lasting adversarial effects.

Thus, while MemFreezing targets high-degree nodes, it leverages low-degree nodes through the temporary introduction of fake nodes, offering an effective yet lightweight attack strategy. In contrast, all baseline attacks target the same high-degree nodes while introducing more changes.

We also clarify this in Appendix C.2 (detailed attack setups) in our revised paper and clarify that our attack injects one event per target node in Section 4.3.

Q3. Choices of Attacker’s Capabilities.

Thank you for your detailed and thoughtful comments. We greatly appreciate your insights, as they help us clarify and improve our work. Below, we respond to each of the points in detail and explain how they are considered in our revised paper.

• Is white-box attack and up-to-attack knowledge practical?

It is practical to assume knowledge of the model and all graph data up to $t_0$​ in many dynamic graph applications, as these graph information is often publicly accessible. For instance, platforms like Wikipedia, Reddit, Meta, or X maintain dynamic graphs that can be crawled from official or related tracing websites, enabling adversaries to reconstruct input graph data with reasonable accuracy.

In terms of model parameters, many TGNN architectures and pre-trained models are open-sourced, making them readily available to adversaries. Furthermore, methods such as insider threats or model extracting [1][2] can be employed to extract model parameters when the model itself is not publicly available. These factors collectively make the white-box attack setup relatively more practical and realistic in many real-world scenarios.

However, future knowledge (e.g., data or updates occurring after $t_0$​) is inherently harder to access due to its temporal and evolving nature. Current methods offer no feasible way to reliably predict future changes in graph structure or labels. As such, we focus on the more challenging constraint of using only past knowledge for attacks while adhering to the white-box setup for model parameters.

We clarify this point further in Section 3.1 of the revised paper to address this concern explicitly.

[1] Oliynyk, Daryna, Rudolf Mayer, and Andreas Rauber. "I know what you trained last summer: A survey on stealing machine learning models and defences." ACM Computing Surveys 55.14s (2023): 1-41.

[2] Yao, Yifan, et al. "A survey on large language model (llm) security and privacy: The good, the bad, and the ugly." High-Confidence Computing (2024): 100211.

• How do we access to the highest-degree nodes?

We do not directly access the highest-degree nodes; instead, for each high degree node, we induce their memory into noisy states by injecting an noisy event from a noisy node to it. The noisy node can be removed after the attack.

For instance, in Reddit, we could conduct the attack in the following steps: (1) First, we recognize those most-viewed/most-commented Reddit posts (i.e., highest-degree nodes); (2) Second, we create a new user node (with noisy memory features) and use it to make a comment on those Reddit posts (i.e., injecting a noisy event ). And the user can be removed (e.g., unregister) after attack.

• Why do we limit the noisy message range between -1/+1?

As detailed in Appendix C.2., we limit the message range between -1/+1 since -1 and 1 are the theoretical minimum and maximum values of the clean messages. The messages in TGNNs are usually memories of the nodes updated from previous timestamps. The memory updater in these TGNNs are usually GRUCells or RNNCells, which have tanh activation functions right before the outputs. Therefore, all features of these messages (i.e., memories) should be within the range of -1 and 1 as the minimum and maximum values of the activation functions (i.e., tanh). Hence, using -1 and 1 produces noisy memories and, consequently, noisy messages similar to those of the clean messages in the graph.

We sincerely appreciate the valuable comments and insights from the reviewer. In response, we carefully respond to the reviewer’s questions and revise the paper accordingly, including a more detailed discussion and clarification on the definition and value of the practical attack setup, a clearer explanation of the attacker’s capabilities, additional results and discussions on multiple-time attacks, and adjustments to certain overclaiming statements. We hope our response and revisions can help alleviate the reviewer's concern.

Q1. What is the practicality of the proposed MemFreezing Attack, and why is it valuable to explore TGNN attacks under a more practical setting?

Thank you very much for the thoughtful comment! We agree that it is crucial to clarify the value of studying adversarial attacks under practical constraints and to define what 'practicality' entails in our paper.

Regarding 'practicality', our MemFreezing attack is not intended as a ready-to-use attack for real-world adversaries, which would require additional capabilities, such as crawling online data (e.g., input graph and victim model) and forging fake users or behaviors (e.g., injecting adversarial noise). Instead, compared to prior works that assume oracle-like capabilities, our attack adopts a more realistic setup by operating under limited knowledge. This limited-knowledge setup makes MemFreezing relatively more practical and closer to scenarios that could occur in real-world applications.

While studying worst-case scenarios with oracle-like knowledge is valuable for understanding the upper bounds of vulnerability, attacks under real-world constraints can reveal distinct flaws in TGNNs that might remain hidden in idealized settings. For instance, while all-knowing attacks can demonstrate the most harmful perturbations, they do not necessarily expose how fragile the memory mechanism is under more feasible constraints. By exploring attacks with limited knowledge, our work aims to uncover potential threats that are more relevant to real-world deployments and encourage the community to address these practical challenges.

To address the confusion and better highlight the relevance of practicality, we also add the above discussion in Section 1 to make these points clearer.

Q2. More clarification on Cross-Freezing.

Thank you for the valuable comments. We agree that the frozen nodes (i.e., nodes affected by the attack) are not completely static or unchanging. Rather, these nodes exhibit significantly higher memory similarity before and after updates at subsequent timestamps, which compromises their responsiveness to surrounding changes. We have revised the related statements in the paper to better reflect this observation.

Our conclusion is supported by Figure 7 in the original submission. As shown in Figure 7 (left), under the MemFreezing attack, the memories of frozen nodes maintain high similarity, averaging over 0.92 cosine similarity. In contrast, without the attack, memory similarities among unfrozen nodes decrease significantly over time, with less than 0.20 on average. This demonstrates that MemFreezing induces nodes to remain stable (highly similar) over future updates, limiting their ability to adapt to changes in the graph.

Additionally, we clarify that our attack leverages heuristics like 'cross-freezing' in Section 1 in our revised paper to explicitly mention this feature.

Q3. What is the related attack budget on edges?

Thank you for the question. We would like to clarify that the baseline attacks and MemFreezing are compared using the same attack capabilities. First, to ensure a fair comparison, all attacks target the same set of victim nodes (with high degrees). Second, all benchmarked attacks, including MemFreezing, either inject one-degree nodes or edges into the graph and affect the same number of victim nodes at the time of the attack.

Regarding the second point, MemFreezing specifically targets high-degree nodes by introducing a temporary fake node for each target and creating an event (i.e., an edge) between the fake node and the target. In this way, MemFreezing, like FakeNode, injects nodes with a degree of one into the graph. However, unlike FakeNode, which retains the injected fake nodes and can potentially cause stronger adversarial effects, MemFreezing removes these fake nodes after the attack, minimizing structural changes while inducing long-lasting adversarial effects. Therefore, given a graph with $V$ nodes and $E$ edges and targeting $N = 0.05V$ victim nodes (i.e., 5% budget), MemFreezing adds $N$ fake edges. Since nodes typically have a degree greater than one, $K = 0.05E > 0.05V = N$, the edge changes are less than 5% edges.

We also clarify this in Appendix C.2 (detailed attack setups) in our revised paper and clarify that our attack injects one event per target node in Section 4.3.

Q4. Insufficient notations were used.

We appreciate the reviewer’s feedback regarding the clarity of Sections 3 and 4. To address the concern, we have revised these sections in our updated manuscript to include more consistent notations and formal formulations.

Q2. Why do we use single-time attacks?

Thank you for the valuable comments. While it is indeed possible to attack TGNNs at multiple timestamps, practical scenarios often impose the limitation of lacking future knowledge about graph evolution. Specifically, without future knowledge, it is challenging for attackers to determine optimal injection timestamps or how much the attack budget should be used. As a result, a one-shot attack reflects a more constrained and realistic setup, aligning with the practical challenges faced by adversaries in dynamic graphs.

In our experiments, each attack uses all available knowledge up to the attack timestamp to generate a 'currently optimized' noise. However, as discussed in Section 3 and demonstrated in Section 5, this noise is often nullified quickly due to subsequent changes in the graph.

To evaluate attacks under multiple-time attack setup, we include more results about multiple-time injection in Table R.5 following our setup in Appendix C6, including TGNN performances under TDGIA and our attacks. The attacks are injected right before $t_0, t_5, t_{10}, t_{15}$ with 1% attack budget (i.e., 1% of all nodes) at each time. These results have been added to Section C.6 of the revised paper. As shown, under multiple timestamp attack setups, our attack leads to greater performance degradation in TGNN models against TIGIA.

Table R.5. The Accumulated accuracy(accumulated) and batch accuracy(current) across different timestamps in multiple-time TIGIA and MemFreezing Attacks. | | | | $t_1$ | $t_2$ | $t_3$ | $t_4$ | $t_5$ | $t_6$ | $t_7$ | $t_8$ | $t_9$ | $t_{10}$ | $t_{11}$ | $t_{12}$ | $t_{13}$ | $t_{14}$ | $t_{15}$ | $t_{16}$ | $t_{17}$ | $t_{18}$ | $t_{19}$ | $t_{20}$ | |--------|-------|-------------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------| | WiKi | TDGIA | Current | 0.86 | 0.88 | 0.92 | 0.87 | 0.92 | 0.91 | 0.94 | 0.95 | 0.89 | 0.93 | 0.87 | 0.95 | 0.82 | 0.87 | 0.87 | 0.94 | 0.89 | 0.95 | 0.90 | 0.82 | | | | Accumulated | 0.86 | 0.87 | 0.89 | 0.89 | 0.90 | 0.90 | 0.90 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.90 | 0.90 | 0.90 | 0.90 | 0.90 | 0.90 | 0.90 | | | MemFreezing | Current | 0.90 | 0.87 | 0.90 | 0.92 | 0.86 | 0.89 | 0.88 | 0.93 | 0.96 | 0.89 | 0.76 | 0.85 | 0.82 | 0.85 | 0.79 | 0.88 | 0.87 | 0.82 | 0.87 | 0.88 | | | | Accumulated | 0.90 | 0.88 | 0.89 | 0.90 | 0.89 | 0.89 | 0.89 | 0.90 | 0.90 | 0.90 | 0.89 | 0.88 | 0.88 | 0.88 | 0.87 | 0.87 | 0.87 | 0.87 | 0.87 | 0.87 | | Reddit | TDGIA | Current | 0.89 | 0.95 | 0.95 | 0.94 | 0.89 | 0.90 | 0.89 | 0.93 | 0.92 | 0.92 | 0.89 | 0.93 | 0.87 | 0.88 | 0.89 | 0.94 | 0.89 | 0.90 | 0.88 | 0.88 | | | | Accumulated | 0.89 | 0.91 | 0.92 | 0.92 | 0.92 | 0.92 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.91 | 0.90 | 0.90 | | | MemFreezing | Current | 0.93 | 0.92 | 0.92 | 0.90 | 0.90 | 0.89 | 0.91 | 0.86 | 0.92 | 0.93 | 0.85 | 0.85 | 0.80 | 0.83 | 0.87 | 0.83 | 0.84 | 0.79 | 0.83 | 0.82 | | | | Accumulated | 0.93 | 0.92 | 0.92 | 0.92 | 0.91 | 0.91 | 0.91 | 0.90 | 0.90 | 0.91 | 0.90 | 0.90 | 0.89 | 0.89 | 0.89 | 0.88 | 0.88 | 0.88 | 0.87 | 0.87 |

These results show that MemFreezing attack consistently achieves greater performance degradation on TGNN models than baseline methods. In contrast, other attacks, whether one-time or multiple-time, suffer from the effects of future changes and result in limited performance degradation.

We sincerely appreciate the valuable comments and insights from the reviewer. In response, we answer the reviewer’s questions and revised the paper accordingly, including clarifying the rationale of using a white-box setup, providing more results on the multiple-time attacks, clarifying the edge changes in the attacks, and revising the paper for better presentation. We hope our response and revisions can help alleviate the reviewer's concern.

Q1.Will the white-box setup limit the practicality of MemFreezing?

Thank you for the thoughtful question. We recognize the concern regarding the practicality of white-box attacks.

In terms of model parameters, many TGNN architectures and pre-trained models are open-sourced, making them readily available to adversaries. Furthermore, methods such as insider threats or model extracting [1][2] can be employed to extract model parameters when the model itself is not publicly available. These factors collectively make the white-box attack setup relatively more practical and realistic in many real-world scenarios.

However, future knowledge (e.g., data or updates occurring after $t_0$​) is inherently harder to access due to its temporal and evolving nature. Current methods offer no feasible way to reliably predict future changes in graph structure or labels. As such, we focus on the more challenging constraint of using only past knowledge for attacks while adhering to the white-box setup for model parameters. We clarify this point further in Section 3.1 of the revised paper to address this concern explicitly.

[1] Oliynyk, Daryna, Rudolf Mayer, and Andreas Rauber. "I know what you trained last summer: A survey on stealing machine learning models and defences." ACM Computing Surveys 55.14s (2023): 1-41.

[2] Yao, Yifan, et al. "A survey on large language model (llm) security and privacy: The good, the bad, and the ugly." High-Confidence Computing (2024): 100211.

Dear Reviewer YKJ1,

Thank you again for your time and valuable feedback. We hope that our responses have addressed your concerns.

We noticed that the confidence score was updated from 3 to 5, but the overall rating remained unchanged. Could we kindly ask if any concerns remain, or if our responses have raised any new questions?

We sincerely look forward to your comments and would be glad to address any additional feedback or questions you may have.

Best,

Authors

Q2. How does using current neighbors to surrogate future neighbors deal with highly irregular and random graphs? (2/2)

As shown in Table R.4, although resulting in lower similarities, MemFreezing effectively freezes these random neighbors. This demonstrates that our future simulation schemes (i.e., Current Simulation) are effective in irregular setups. The reason behind this is that, in addition to using current neighbors, we also simulate "new future neighbors" with all-zero memories, which further enhance the noise's capability to freeze unseen nodes.

Although the alternative scheme (i.e., Random Simulation) performs better under random neighbor cases (i.e., Noise Future), it shows worse performances in the real cases (i.e., Normal Future). These findings collectively suggest that using current neighbors as surrogates is both practical and effective, even in challenging dynamic graph scenarios.

We also add this discussion in Appendix C.15 in our revised paper and add a pointer to it in Section 4.2.

Table R.4. The similarities between victim nodes’ initial noisy memories (at the time of the attack) and themselves’/their subsequent neighbors’ memories in Wikipedia dataset (Normal Future) and its randomized version (Noise Future) under (a) no-attack (i.e., Vanilla), (b) MemFreezing using current neighbor for simulation (i.e., Current Simulation), and MemFreezing using random memory neighbor for simulation (i.e., Random Simulation). | | | | $t_1$ | $t_2$ | $t_3$ | $t_4$ | $t_5$ | $t_6$ | $t_7$ | $t_8$ | $t_9$ | $t_{10}$ | $t_{11}$ | $t_{12}$ | $t_{13}$ | $t_{14}$ | $t_{15}$ | |--------------------|---------------|-------|-------|------|------|------|------|------|------|------|------|------|------|------|------|------|------| | Vanilla | Noise Future | Root | 0.90 | 0.80 | 0.73 | 0.67 | 0.63 | 0.59 | 0.56 | 0.54 | 0.52 | 0.50 | 0.48 | 0.47 | 0.46 | 0.44 | 0.43 | | | | 1-Hop | 0.17 | 0.15 | 0.14 | 0.13 | 0.12 | 0.12 | 0.11 | 0.11 | 0.11 | 0.10 | 0.10 | 0.10 | 0.10 | 0.10 | 0.10 | | | | 2-Hop | 0.04 | 0.04 | 0.03 | 0.03 | 0.03 | 0.03 | 0.03 | 0.03 | 0.03 | 0.02 | 0.03 | 0.03 | 0.03 | 0.03 | 0.03 | | | Normal Future | Root | 0.90 | 0.84 | 0.81 | 0.78 | 0.76 | 0.74 | 0.72 | 0.72 | 0.71 | 0.69 | 0.67 | 0.68 | 0.67 | 0.67 | 0.66 | | | | 1-Hop | 0.22 | 0.26 | 0.28 | 0.28 | 0.28 | 0.27 | 0.26 | 0.25 | 0.24 | 0.23 | 0.22 | 0.21 | 0.20 | 0.19 | 0.18 | | | | 2-Hop | 0.07 | 0.07 | 0.06 | 0.06 | 0.06 | 0.06 | 0.06 | 0.06 | 0.05 | 0.05 | 0.05 | 0.06 | 0.06 | 0.06 | 0.06 | | Current Simulation| Noise Future | Root | 0.96 | 0.94 | 0.91 | 0.89 | 0.89 | 0.87 | 0.86 | 0.85 | 0.84 | 0.83 | 0.82 | 0.82 | 0.81 | 0.81 | 0.80 | | | | 1-Hop | 0.24 | 0.38 | 0.47 | 0.54 | 0.58 | 0.62 | 0.64 | 0.67 | 0.69 | 0.70 | 0.72 | 0.73 | 0.74 | 0.75 | 0.75 | | | | 2-Hop | -0.03 | 0.10 | 0.22 | 0.31 | 0.37 | 0.41 | 0.47 | 0.49 | 0.50 | 0.54 | 0.57 | 0.58 | 0.60 | 0.62 | 0.64 | | | Normal Future | Root | 0.99 | 0.97 | 0.97 | 0.96 | 0.95 | 0.94 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.93 | 0.92 | 0.92 | | | | 1-Hop | 0.51 | 0.57 | 0.64 | 0.67 | 0.71 | 0.75 | 0.78 | 0.80 | 0.82 | 0.84 | 0.86 | 0.87 | 0.88 | 0.89 | 0.90 | | | | 2-Hop | 0.06 | 0.21 | 0.34 | 0.44 | 0.51 | 0.58 | 0.64 | 0.67 | 0.71 | 0.74 | 0.77 | 0.79 | 0.81 | 0.82 | 0.84 | | Random Simulation | Noise Future | Root | 0.98 | 0.96 | 0.95 | 0.93 | 0.92 | 0.91 | 0.91 | 0.90 | 0.91 | 0.90 | 0.89 | 0.89 | 0.88 | 0.89 | 0.88 | | | | 1-Hop | 0.33 | 0.45 | 0.51 | 0.56 | 0.57 | 0.61 | 0.65 | 0.68 | 0.71 | 0.73 | 0.74 | 0.76 | 0.78 | 0.79 | 0.81 | | | | 2-Hop | -0.05 | 0.08 | 0.21 | 0.31 | 0.39 | 0.45 | 0.51 | 0.55 | 0.59 | 0.62 | 0.65 | 0.68 | 0.70 | 0.73 | 0.75 | | | Normal Future | Root | 0.98 | 0.97 | 0.95 | 0.93 | 0.93 | 0.93 | 0.92 | 0.91 | 0.88 | 0.89 | 0.89 | 0.88 | 0.87 | 0.88 | 0.88 | | | | 1-Hop | 0.38 | 0.50 | 0.54 | 0.53 | 0.60 | 0.65 | 0.69 | 0.72 | 0.74 | 0.76 | 0.78 | 0.80 | 0.81 | 0.82 | 0.83 | | | | 2-Hop | -0.03 | 0.14 | 0.28 | 0.38 | 0.45 | 0.52 | 0.58 | 0.62 | 0.65 | 0.67 | 0.70 | 0.72 | 0.74 | 0.76 | 0.77 |

We sincerely thank the reviewer for the positive feedback and valuable comments. In response, we clarify the question regarding the propagation of noise in dynamic graphs and provide a quantitative investigation of whether our neighbor simulation scheme remains effective or can be further enhanced under significantly irregular and random cases. We hope our response can help clarify the reviewer's questions.

Q1. Will the propagation of the noises be limited by the changing graph?

Thank you for the insightful question. We agree that changes in graph structure and heterogeneity among nodes and edges could potentially limit the propagation of attack effects. However, as shown in Figure 8 and Appendix C.13 of our paper, the number of affected victim nodes significantly increases over time, with many nodes becoming frozen. This is achieved through two key mechanisms:

Targeting High-Degree Nodes: Noisy events are designed to perturb high-degree nodes at first hand, which act as hubs and influence a large number of neighbors, even as the graph evolves. As shown in Figure 8 and Appendix C.13, targeting high-degree nodes results in nearly twice the number of affected nodes compared to targeting low-degree nodes, making them more effective in real-world scenarios.

Propagation Through Stable States: Once a node enters a stable (frozen) state, it continues to affect its future neighbors. This ensures that, even with changes in structure, edge types, or node types, the attack can propagate through alternate routes. The figures and section cited demonstrate that the number of affected nodes grows consistently over time despite the dynamic nature of the graph.

We also add the abovementioned discussion in Section 5.2 in our revised paper.

Q2. How does using current neighbors to surrogate future neighbors deal with highly irregular and random graphs? (1/2)

Thank you for the insightful question. Yes, using the current neighbor cannot ensure that the noise is perfectly solved for considerably irregular and random neighbors. We opt to use current neighbors to surrogate future neighbors since, as observed across most datasets, a node tends to retain highly similar neighbors over time.

To investigate the generalizability of this observation, we further investigate the similarity distribution across diverse datasets (Table R.3) following the same setup as Figure 4(d) in the paper. These results indicate that, generally, nodes tend to have similar neighbors across diverse datasets. Hence, using current neighbors provides a reasonable approximation of future graph changes in practice.

The distribution of cosine similarities among the ideal frozen states in different nodes in Reddit and Reddit-body datasets. | Cosine Similarity | 0.0-0.1 | 0.1-0.2 | 0.2-0.3 | 0.3-0.4 | 0.4-0.5 | 0.5-0.6 | 0.6-0.7 | 0.7-0.8 | 0.8-0.9 | 0.9-1.0 | |-------------|---------|---------|---------|---------|---------|---------|---------|---------|---------|---------| | Reddit | 0.0130 | 0.0120 | 0.0120 | 0.0680 | 0.2450 | 0.4170 | 0.1800 | 0.0440 | 0.0060 | 0.0030 | | Reddit-Body | 0.0170 | 0.0010 | 0.0140 | 0.0250 | 0.0820 | 0.2630 | 0.4230 | 0.1540 | 0.0820 | 0.0070 |

To investigate if our future neighbor simulation scheme is sufficient to freeze neighbors under irregular or highly random dynamic graphs, we simulate an irregular and random graph on top of the Wikipedia dataset. Specifically, we have victim nodes in the graph connected to nodes with random memories in the future timestamps. We also explored an alternative scheme to investigate whether the heuristic could be further enhanced. Specifically, in this alternative, we simulate nodes' future neighbors using nodes with random memories.