arxiv: 2602.00318 · v2 · submitted 2026-01-30 · 💻 cs.LG · cs.AI· cs.CR

Recognition: 2 theorem links

· Lean Theorem

Optimal Transport-Guided Adversarial Attacks on Graph Neural Network-Based Bot Detection

Kunal Mukherjee , Zulfikar Alom , Tran Gia Bao Ngo , Cuneyt Gurcan Akcora , Murat Kantarcioglu

Authors on Pith no claims yet

Pith reviewed 2026-05-16 08:58 UTC · model grok-4.3

classification 💻 cs.LG cs.AIcs.CR

keywords adversarial attacksgraph neural networksbot detectionoptimal transportsocial networksedge editingrobustness

0 comments

The pith

Optimal transport geometry generates realistic adversarial edits that significantly improve success against GNN bot detectors under real constraints.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents BOCLOAK as a way to test the robustness of GNN-based social bot detectors through adversarial attacks that respect real-world limits on edits and timing. It builds a probability measure on neighbor features over time and space, then finds an optimal transport map that moves bot-like features toward human-like ones or vice versa. This map is decoded into actual sparse changes to the graph, such as adding or removing edges, that fool the detectors. Experiments show these attacks succeed much more often than previous approaches while using almost no extra memory on the GPU. The core idea is that optimal transport supplies a natural, efficient way to create believable perturbations for graph attacks.

Core claim

BOCLOAK constructs a probability measure over spatio-temporal neighbor features and learns an optimal transport geometry that separates human and bot behaviors. It decodes transport plans into sparse, plausible edge edits that evade detection while obeying real-world constraints. On three social bot datasets and five detectors, it reaches up to 80.13 percent higher attack success rates using 99.80 percent less GPU memory than baselines.

What carries the argument

Optimal transport geometry over spatio-temporal neighbor features that separates human and bot behavior distributions and decodes into constraint-satisfying adversarial graph edits.

If this is right

Existing GNN bot detectors are vulnerable to constraint-aware attacks that prior methods overlook.
Adversarial attacks on graphs can be made more realistic and efficient using transport plans instead of gradient-based searches.
Defenses for bot detection must be evaluated against optimal transport perturbations to be reliable in practice.
Node injection attacks can be integrated with edge editing through the same geometric framework.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

This method could extend to testing robustness in other graph anomaly tasks such as fraud detection.
The memory efficiency opens the door to running many attack simulations in parallel on standard hardware.
Bot detectors might be improved by adding terms that penalize deviations measured by optimal transport distances.

Load-bearing premise

The decoded transport plans produce edits that are genuinely plausible under unmodeled real-world social constraints and evade detection by any unaccounted features.

What would settle it

Running the generated adversarial graphs through independent human review or a separate set of bot features and finding that many still appear obviously bot-like or violate platform rules.

Figures

Figures reproduced from arXiv: 2602.00318 by Cuneyt Gurcan Akcora, Kunal Mukherjee, Murat Kantarcioglu, Tran Gia Bao Ngo, Zulfikar Alom.

**Figure 1.** Figure 1: Relationship counts for classified bots in TwiBot-22 by BotRGCN. Counts are computed from the perspective of bot accounts. Each category indicates whether a bot has at least one outgoing or incoming relationship of the specified type. Categories are not mutually exclusive: a single bot may contribute to multiple bars. Misclassified bots are more likely to have edges incident to humans, especially incoming … view at source ↗

**Figure 2.** Figure 2: Overview of BOCLOAK. The method learns an optimal transport geometry over k-hop neighborhood distributions and uses transport plans to guide sparse, plausible local edge edits for evasion. Victim Models. We consider two categories of victim models (Bacciu et al., 2020): vanilla detectors, which are trained without explicit adversarial robustness objectives, and defended detectors, which integrate adversa… view at source ↗

**Figure 3.** Figure 3: BOCLOAK pipeline for node injection and node editing. It operates on local neighborhoods rather than individual edges. Boundary bot cloaks are identified in the learned optimal transport geometry and used to guide sparse, plausible edge edits. (a) Injection constructs a new bot with a human-like neighborhood. (b) Editing transforms an existing bot’s neighborhood to induce misclassification. 4.5. Approximat… view at source ↗

**Figure 5.** Figure 5: Sensitivity Analysis of OT regularizer (ε) and margin threshold (τbdry) Misclassification rate (↑, in %) for flipping fifty existing correctly classified bots as ε and τbdry is varied. Extended results in App. 20. most effective at intermediate OT regularization and margin threshold. With very small ε (e.g., 0.01), transport plans become sharp and unstable, leading to higher variance and moderate flips (ab… view at source ↗

**Figure 4.** Figure 4: Node Injection Attack: Misclassification rate (↑, in %) for fifty target nodes by BOCLOAK against best SOTA bot detector, BotRGCN. Extended results in App [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗

**Figure 6.** Figure 6: Overview of bot detector detection pipeline. Dataset Victim Vanilla (↑) GNN Defense +GNNGuard (↑) +GRAND (↑) +RobustGCN (↑) Cresci-15 GCN 0.93±0.01 0.93±0.05 0.93±0.01 0.92±0.06 GAT 0.97±0.03 0.97±0.05 0.98±0.01 0.97±0.07 BotRGCN 0.98±0.08 0.98±0.05 0.98±0.03 0.98±0.02 S-HGN 0.97±0.02 0.98±0.06 0.96±0.02 0.97±0.07 RGT 0.97±0.02 0.97±0.01 0.97±0.03 0.98±0.04 TwiBot-22 GCN 0.52±0.05 0.50±0.05 0.48±0.03 0.51±… view at source ↗

**Figure 7.** Figure 7: BOCLOAK induced edits in practice (Twibot-22). Bars compare (i) the distribution of candidate cloaks across structural categories and (ii) the normalized sampling mass assigned to those categories (Sampling weight). (Left) Outgoing follow categories (target bot → others). (Right) Incoming follower categories (others → target bot). Outgoing edges (to humans vs. bots). Using the structural categories [PITH_… view at source ↗

**Figure 8.** Figure 8: Temporal distribution of neighbor accounts for TwiBot-22. Top row shows followers; bottom row shows following. Shaded histograms represent human neighbors and outlined curves represent bot neighbors. 0 200 400 Node degree (in + out) 0.00 0.05 0.10 0.15 0.20 Density Humans followers 0 200 400 Node degree (in + out) 0.00 0.05 0.10 0.15 0.20 Density Bots followers 0 200 400 Node degree (in + out) 0.00 0.05 0.… view at source ↗

**Figure 9.** Figure 9: Degree distribution of neighbor accounts for TwiBot-22. Top row shows followers; bottom row shows following. Shaded histograms represent human neighbors and outlined curves represent bot neighbors. BOCLOAK degree alignment for cloak selection [PITH_FULL_IMAGE:figures/full_fig_p040_9.png] view at source ↗

**Figure 10.** Figure 10: Cloaking target bot (node id=81779) with misclassified boundary bot cloak (node id=41575) in TwiBot-22 dataset. Target bot (T) is yellow; pre-existing neighbors are orange; new neighbors introduced by BOCLOAK are light blue. Red dotted arrows denote deleted incident edges; blue arrows denote newly added edges. U. BOCLOAK Case Study Target bot 81779 and (cloak 41575). Case study in [PITH_FULL_IMAGE:figure… view at source ↗

read the original abstract

The rise of bot accounts on social media poses significant risks to public discourse. To address this threat, modern bot detectors increasingly rely on Graph Neural Networks (GNNs). However, the effectiveness of these GNN-based detectors in real-world settings remains poorly understood. In practice, attackers continuously adapt their strategies as well as must operate under domain-specific and temporal constraints, which can fundamentally limit the applicability of existing attack methods. As a result, there is a critical need for robust GNN-based bot detection methods under realistic, constraint-aware attack scenarios. To address this gap, we introduce BOCLOAK to systematically evaluate the robustness of GNN-based social bot detection via both edge editing and node injection adversarial attacks under realistic constraints. BOCLOAK constructs a probability measure over spatio-temporal neighbor features and learns an optimal transport geometry that separates human and bot behaviors. It then decodes transport plans into sparse, plausible edge edits that evade detection while obeying real-world constraints. We evaluate BOCLOAK across three social bot datasets, five state-of-the-art bot detectors, three adversarial defenses, and compare it against four leading graph adversarial attack baselines. BOCLOAK achieves up to 80.13% higher attack success rates while using 99.80% less GPU memory under realistic real-world constraints. Most importantly, BOCLOAK shows that optimal transport provides a lightweight, principled framework for bridging the gap between adversarial attacks and real-world bot detection.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

BOCLOAK applies optimal transport to generate sparse, constraint-aware adversarial edits for GNN bot detectors and reports large gains in success rate plus memory savings, but the decoding step needs explicit checks to confirm edits stay valid.

read the letter

The core of this paper is a method called BOCLOAK that uses optimal transport on spatio-temporal neighbor features to produce adversarial edge edits and node injections for GNN-based bot detectors. It claims up to 80% higher attack success than baselines while cutting GPU memory by 99.8%, all while trying to respect domain and temporal constraints that real attackers face. That framing is the main new piece: treating OT as a lightweight way to decode transport plans into plausible graph changes instead of relying on gradient-based or random perturbations that often ignore constraints.

Referee Report

2 major / 2 minor

Summary. The paper introduces BOCLOAK, a framework that constructs probability measures over spatio-temporal neighbor features, learns an optimal transport geometry separating human and bot behaviors, and decodes the resulting transport plans into sparse edge edits and node injections for adversarial attacks on GNN-based bot detectors. The attacks are claimed to respect real-world domain and temporal constraints while achieving up to 80.13% higher attack success rates and 99.80% lower GPU memory usage than four baselines, evaluated on three social bot datasets and five detectors plus three defenses.

Significance. If the decoding step reliably yields constraint-compliant edits, the work supplies a lightweight, memory-efficient, and theoretically grounded approach to stress-testing GNN bot detectors under realistic conditions. This could help close the gap between theoretical adversarial robustness and practical deployment in social media, with the OT formulation offering a reusable template for constrained graph attacks.

major comments (2)

[Abstract] Abstract: The headline results (80.13% ASR gain, 99.80% memory reduction) are stated without error bars, statistical tests, or ablations isolating the effect of constraint handling; post-hoc enforcement could inflate the reported improvements and must be quantified.
[Method (Decoding)] Decoding step (Method section): No separate metric or verification is provided for the fraction of decoded edits that violate stated constraints (future timestamps, duplicate edges, non-neighbor injections). Because attack success is only meaningful for valid edits, this omission is load-bearing for the central claim that the OT plans produce genuinely plausible attacks.

minor comments (2)

[Experiments] Experimental section: Clarify exactly how the four baseline attack methods were adapted to obey the same domain/temporal constraints to ensure the comparison is fair.
[Preliminaries] Notation: Explicitly define the construction of the input probability measures on spatio-temporal features and the precise decoding map from transport plan to graph edit.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive feedback. The comments highlight important aspects of result presentation and constraint verification that we will address to strengthen the manuscript. We respond to each major comment below.

read point-by-point responses

Referee: [Abstract] Abstract: The headline results (80.13% ASR gain, 99.80% memory reduction) are stated without error bars, statistical tests, or ablations isolating the effect of constraint handling; post-hoc enforcement could inflate the reported improvements and must be quantified.

Authors: We agree that the headline results would be more robust with error bars, statistical tests, and an ablation isolating constraint handling. In the revised version we will report standard deviations over multiple random seeds, include paired statistical significance tests against baselines, and add an ablation comparing the full constraint-aware OT decoding against a post-hoc enforcement variant. This will directly quantify any inflation in the reported gains. revision: yes
Referee: [Method (Decoding)] Decoding step (Method section): No separate metric or verification is provided for the fraction of decoded edits that violate stated constraints (future timestamps, duplicate edges, non-neighbor injections). Because attack success is only meaningful for valid edits, this omission is load-bearing for the central claim that the OT plans produce genuinely plausible attacks.

Authors: We acknowledge that a quantitative verification of constraint compliance is necessary to substantiate that reported attack success rates reflect only valid edits. Although the OT geometry and decoding are constructed to operate exclusively on valid spatio-temporal features and to avoid duplicates by design, we did not report the empirical fraction of violations. In revision we will add a dedicated table (or subsection) reporting the percentage of constraint-compliant edits for every dataset and attack type, together with any minimal post-processing required. revision: yes

Circularity Check

0 steps flagged

No significant circularity in derivation chain

full rationale

The paper presents BOCLOAK as an empirical framework that constructs probability measures on spatio-temporal features, applies standard optimal transport to separate human/bot behaviors, and decodes resulting plans into constraint-aware edits whose success is measured directly against external GNN detectors. No equation or step reduces the reported attack success rates or memory savings to a fitted parameter by construction, nor does any load-bearing claim rest on a self-citation chain whose validity is presupposed. The central results are obtained from independent evaluation on three datasets, five detectors, and four baselines, making the derivation self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides insufficient detail to enumerate specific free parameters or axioms; the separation of behaviors rests on a learned probability measure whose construction details are not given.

pith-pipeline@v0.9.0 · 5584 in / 994 out tokens · 29209 ms · 2026-05-16T08:58:34.312194+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

BOCLOAK constructs a probability measure over spatio-temporal neighbor features and learns an optimal transport geometry that separates human and bot behaviors. It then decodes transport plans into sparse, plausible edge edits... cθ(z,z′)=∥hθ(z)−hθ(z′)∥²_M ... entropic OT ... Sinkhorn iterations
IndisputableMonolith/Foundation/AbsoluteFloorClosure.lean absolute_floor_iff_bare_distinguishability unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

We define the OT distance between nodes v and ξ as the transport cost induced by the optimal plan: Dθ(v,ξ)≜⟨P⋆vξ,Cvξ⟩

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

21 extracted references · 21 canonical work pages · 1 internal anchor

[1]

Fast Gradient Attack on Network Embedding

arXiv:1809.02797. Cresci, S., Di Pietro, R., Petrocchi, M., Spognardi, A., and Tesconi, M. Fame for sale: Efficient detection of fake twitter followers.Decision Support Systems, 80:56–71,

work page internal anchor Pith review Pith/arXiv arXiv
[2]

Cuturi, M

doi: 10.5210/fm.v26i7.11474. Cuturi, M. Sinkhorn distances: Lightspeed computation of optimal transport.Advances in neural information processing systems, 26,

work page doi:10.5210/fm.v26i7.11474
[3]

Twibot-20: A comprehensive twitter bot detection benchmark

Feng, S., Wan, H., Wang, N., Li, J., and Luo, M. Twibot-20: A comprehensive twitter bot detection benchmark. In Proceedings of the 30th ACM International Conference on Information and Knowledge Management (CIKM), pp. 4485–4494, 2021a. doi: 10.1145/3459637.3482019. Feng, S., Wan, H., Wang, N., and Luo, M. Botrgcn: Twit- ter bot detection with relational gr...

work page doi:10.1145/3459637.3482019
[4]

Flamary, R., Courty, N., Gramfort, A., Alaya, M

doi: 10.1145/2818717. Flamary, R., Courty, N., Gramfort, A., Alaya, M. Z., Bois- bunon, A., Chambon, S., Chapel, L., Corenflos, A., Fa- tras, K., Fournier, N., et al. Pot: Python optimal trans- port.Journal of Machine Learning Research, 22(78):1–8,

work page doi:10.1145/2818717
[5]

and Ferrara, E

Kudugunta, S. and Ferrara, E. Deep neural networks for bot detection. InProceedings of the 2018 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), pp. 551–558,

work page 2018
[6]

Liu, A., Xie, Y ., Wang, L., Jin, G., Guo, J., and Li, J

doi: 10.1109/ASONAM.2018.8508764. Liu, A., Xie, Y ., Wang, L., Jin, G., Guo, J., and Li, J. So- cial bot detection on Twitter: Robustness evaluation and improvement.Multimedia Systems, 30(3),

work page doi:10.1109/asonam.2018.8508764 2018
[7]

Liu, Y ., Xu, S., Li, Y ., and Yu, S

doi: 10.1007/s00530-024-01364-2. Liu, Y ., Xu, S., Li, Y ., and Yu, S. Evolution of malicious social bot detection: From individual profiling to group analysis and beyond.Journal of Social Computing, 6 (3):258–284, September

work page doi:10.1007/s00530-024-01364-2
[8]

doi: 10.23919/JSC.2025

work page doi:10.23919/jsc.2025 2025
[9]

Z-rex: human-interpretable gnn explanations for real estate rec- ommendations.arXiv preprint arXiv:2503.18001,

Mukherjee, K., Harrison, Z., and Balaneshin, S. Z-rex: human-interpretable gnn explanations for real estate rec- ommendations.arXiv preprint arXiv:2503.18001,

work page arXiv
[10]

Zhang, C., He, Y ., Cen, Y ., Hou, Z., Feng, W., Dong, Y ., Cheng, X., Cai, H., He, F., and Tang, J

doi: 10.1109/TCSS.2025.3599730. Zhang, C., He, Y ., Cen, Y ., Hou, Z., Feng, W., Dong, Y ., Cheng, X., Cai, H., He, F., and Tang, J. Scr: Training graph neural networks with consistency reg- ularization.arXiv preprint arXiv:2112.04319,

work page doi:10.1109/tcss.2025.3599730 2025
[11]

URL https://arxiv

doi: 10.48550/arXiv.2112.04319. URL https://arxiv. org/abs/2112.04319. Zhang, X. and Zitnik, M. Gnnguard: Defending graph neural networks against adversarial attacks. InAdvances in Neural Information Processing Systems (NeurIPS),

work page doi:10.48550/arxiv.2112.04319
[12]

10 Table 5.Summary of notations used in this paper

doi: 10.1145/3219819.3220078. 10 Table 5.Summary of notations used in this paper. Symbol Description Graph and Nodes G= (V,E,X)Directed social graph with node setV, edge setE, and node featuresX vGeneric nodevt Target bot node ξGeneric comparison/anchor node (e.g., template or human) Vbot,V hum Sets of bot and human nodes N(v)k-hop ego neighborhood of nod...

work page doi:10.1145/3219819.3220078 2011
[13]

X i,j PijCij +ε X i,j Pij logP ij −1 # LetP ⋆ vw denote an optimal entropic transport plan, i.e., P ⋆ vw ∈arg min P∈U(a,b)

applied in a learned embedding space. It is expressive enough to reweight and correlate features, while remaining smooth, differentiable, and computationally efficient for entropic OT and Sinkhorn solvers (Flamary et al., 2021; Peyr´e & Cuturi, 2019). C.4. Step 4: Entropic OT Between Neighborhoods Given two neighborhoods µv =Pm i=1 aiδzi and µw =Pn j=1 bj...

work page 2021
[14]

• BotRGCN(Feng et al., 2021b), a heterogeneous GNN where a standard GCN is enhanced using relation-aware message propagation for bot detection

an attention-based model for heterogeneous graphs that operate on the social graph with node features. • BotRGCN(Feng et al., 2021b), a heterogeneous GNN where a standard GCN is enhanced using relation-aware message propagation for bot detection. • Simple-HGNN (S-HGN)(Lv et al., 2021), a heterogeneous GNN similar to BotRGCN, but complex relation-specific ...

work page 2021
[15]

This creates an important constraint: the two layers must see afixededge set so that the attention tensor dimensions match. Therefore, weguard 1https://github.com/LuoUndergradXJTU/TwiBot-22 2https://github.com/danielzuegner/nettack, https://deeprobust.readthedocs.io/en/latest/_modules/ deeprobust/graph/targeted_attack/fga.html, https://github.com/sigeisle...

work page 2020
[16]

and train to convergence with large epochs (typically 1000 epochs), so robustness comparisons are not driven by under-training. Architectural differences then reflect model capacity rather than tuning artifacts (e.g., GAT uses 4 layers with 2 heads; RGT increases hidden size to 256 and batch size to 512 while using fewer epochs, 500, to balance compute). ...

work page 2015
[17]

Consistent with this realism, the degree gap between bots and humans is present (Avg Deg

TwiBot-22 is by far the largest benchmark in our study (1M nodes and170M edges), and its scale comes with heterogeneous social signals (multiple relation types and rich user metadata) that more closely resemble real-world detection settings. Consistent with this realism, the degree gap between bots and humans is present (Avg Deg. 3.56 vs. 7.00), which red...

work page 2015
[18]

also, is that absolute F1 scores on TwiBot-22 are lower for all models than on Cresci-15 and BotSim-24, reflecting the larger scale and higher ambiguity of TwiBot-22 where graph size, diverse behaviors, and heterogeneous relations makes behavioral modeling challenging. Defense variants exhibit mixed behaviors such as on Cresci-15, defenses largely preserv...

work page 2052
[19]

human manifold

We demonstrate that BOCLOAKis (to our knowledge) the first framework to explicitly evaluate and succeed atdomain-constrained node injectionon social bot detectors, rather than restricting attention to perturbing existing nodes. Injection here is constrained toonlyadd edges for a new bot, without forcing human follow-backs, so success depends on constructi...

work page 2096
[20]

fingerprint

The best performance is shown in bold, and the second best is underlined. DatasetAttack BotRGCN Vanilla(↑)+GNNGuard(↑)+GRAND(↑)+RobustGCN(↑) ∆ =1 Cresci-15 Nettack 4.32±2.10 3.78±1.95 3.21±1.88 2.67±1.72 FGA 3.95±2.443.40±2.122.98±1.762.15±1.60 PR-BCD 4.10±3.053.60±2.802.85±2.201.90±1.45 GOttack 3.55±2.343.41±2.522.28±1.222.66±1.67 BOCLOAK100.00±0.00100.0...

work page 2010
[21]

bot cloak

The best performance is shown in bold, and the second best is underlined. Because the reused template is intentionally chosen from the most human-like region of the detector’s decision boundary, it acts as a highly transferable cloak: once we decode its neighborhood structure into a feasible set of edits, the resulting perturbations repeatedly push many d...

work page 2068