A Qualitative Survey on Community Detection Attack Algorithms

Abstract

Community detection enables the discovery of more connected segments of complex networks. This capability is essential for effective network analysis. But, it raises a growing concern about the disclosure of user privacy since sensitive information may be over-mined by community detection algorithms. To address this issue, the problem of community detection attacks has emerged to subtly perturb the network structure so that the performance of community detection algorithms deteriorates. Three scales of this problem have been identified in the literature to achieve different levels of concealment, such as target node, target community, or global attack. A broad range of community detection attack algorithms has been proposed, utilizing various approaches to tackle the distinct requirements associated with each attack scale. However, existing surveys of the field usually concentrate on studies focusing on target community attacks. To be self-contained, this survey starts with an overview of community detection algorithms used on the other side, along with the performance measures employed to evaluate the effectiveness of the community detection attacks. The core of the survey is a systematic analysis of the algorithms proposed across all three scales of community detection attacks to provide a comprehensive overview. The survey wraps up with a detailed discussion related to the research opportunities of the field. Overall, the main objective of the survey is to provide a starting and diving point for scientists.

1. Introduction

Complex networks exist in almost every aspect of our daily lives, including social networks to understand human interactions like friendships, professional connections, and shared interests, transportation networks of cities and countries to provide better service, population networks to track and manage the spread of disease, and biological networks revealing gene and protein interactions to provide advances in genomics. Such complex networks are modeled by graph structures consisting of a set of nodes and edges. Nodes refer to entities in the network, and edges refer to the connections between them.

A community is a group of members who are closely connected, whereas they are loosely connected to other members in the network. Community detection aims to identify community structures, hence providing insights into the dynamics and organization in the network. Various algorithms have been developed from diverse disciplines for community detection. Some of its applications are given in [1]; these include identifying groups of users with similar political views and activities on social media, detecting terrorist groups with the analysis of friend-of-a-friend connections within social networks, improving retail strategies, generating customer segments and providing personalized recommendations in shopping behavior data, discovering hidden connections between research papers, and predicting financial activities in the stock market.

As community detection algorithms have been improved, a new challenge has emerged, namely over-mining of knowledge [2]. People have become increasingly aware that these social network analysis tools can over-mine even their personal information, being meticulously recorded and stored through various internet platforms, such as identities, social circles, interests, and business relationships. Even if an individual prefers to keep such information private, it may still be revealed if details about other members of the same community are disclosed. This underscores a remedy to protect sensitive information, and the symmetrical concept of a community detection attack on the other side has become a crucial area of research [3]. A community detection attack is devised to intentionally modify the structure of a network, which in turn makes the performance of these detection algorithms worse and reduces the accuracy of their results.

A community detection attack is a privacy-preserving task that involves concealing or obfuscating communities by imperceptibly altering connections. Hence, it is also known as ‘community hiding’. It offers individuals or organizations a guideline for strategically managing their social relationships or adjusting their communication methods. For example, if some members of the community work for the same organization, it is likely that other community members are also affiliated with this organization. Such a data breach could cause consequences such as targeted advertising [4]. Another example is that some groups, including activists or police forces, may collaborate on social networks like Twitter or Facebook but do not want to be detected by detection tools, so they strategically manage their connections to avoid detection. Community detection attack techniques can be used maliciously, such as by terrorists seeking to communicate covertly. Thus, at the same time, it highlights the need for new community detection algorithms that can effectively counter (i.e., that are robust to) deception [5,6].

The problem of community detection attacks is categorized into three distinct scales, i.e., target node attack, target community attack, and global attack [7]. Specifically, they try to achieve different objectives by manipulating the structure of the graph through the modification of a minimal number of edges. A target node attack focuses on concealing or obscuring the community membership of individual node(s) within the network; a target community attack aims to hide a target community. A global attack seeks to alter the overall community structure of the network.

The field of community detection attacks is rapidly advancing and increasingly crucial for solving a variety of problems mentioned above. Numerous studies have been devoted to exploring different methods for these attacks. Existing surveys [8,9] have examined community detection attack algorithms at a particular scale, focusing on target community attacks. There has been a lack of comprehensive reviews that address community detection attacks across all three scales. This paper aims to bridge this gap by conducting a thorough examination of community detection attack algorithms, encompassing target node, target community, and global attacks, thereby providing a more complete understanding of this evolving domain for researchers.

1.1. Scope and Contributions of the Survey

To find the relevant literature on the algorithms proposed for community detection attacks, an exhaustive search has been performed using the keywords ‘community detection attack’ and ‘community hiding’. Following this, relevant papers that are aligned with the inclusion criteria of trustworthy sources have been carefully selected. The key contributions of this survey are outlined as follows.

• The survey provides an overview of the community detection algorithms specially used by community detection attack algorithms.
• Another overview is related to the evaluation measures of community detection attack algorithms.
• An objective-based categorization of the community detection attack problem is introduced by Chen et al. [7], which classifies attacks into three distinct scales: target node, target community, and global attacks. While some surveys have addressed the target community attack scale, this survey is the first to examine all three scales comprehensively.
• Existing surveys often overlook various paradigms, such as genetic algorithms. In contrast, this survey encompasses various methodologies, including genetic algorithms, heuristic approaches, and objective-based strategies. This expanded coverage provides a broader view of the techniques employed in community detection attacks.
• The survey incorporates the recent algorithms for community detection attacks to present an up-to-date overview.
• The survey tries to show future directions for the researchers of the field.

1.2. Outline of the Survey

The remainder of the survey is organized as follows. Section 2 gives the necessary preliminary information on community detection, community detection attacks, and measures employed in evaluating the performance of community detection attack algorithms. Section 3 presents the problem formulation and the existing attack algorithms for each attack scale. Section 4 provides a discussion and future directions. The final section concludes the survey.

2. Preliminaries

This section introduces the preliminaries required to understand the literature in the scope of the review. It starts by introducing the concept of community detection, types of community detection algorithms, and outstanding algorithms of each type in the first subsection. It then continues to explain the concept of the community detection attack, which is the other side of the coin. The last subsection gives the measures used in the performance evaluation of community detection attacks.

2.1. Community Detection

Complex networks intrinsically possess a community structure as one of their characteristics. A community (i.e., a group) within such a network is defined as a subset of nodes that exhibit strong connections among themselves, whereas they maintain relatively sparse connections with nodes outside this group. Community detection is the task of uncovering and identifying these coherent substructures within the network, thus being critical for understanding the underlying organization and structural patterns of interaction and gaining insights into the functional dynamics that emerge from these structures.

Definition 1 

(Community Detection). Let a network $G=(V,E)$ be a graph with V as the set of nodes (vertices) and E as the set of edges. The problem of community detection is to find the community structure, denoted by $\overline{C}$, that is, to divide the nodes in the set V into K communities $\overline{C}=\{C_1,\dots ,C_K\}$, with $C_i\subseteq V$.

Networks can be conceptualized as static or dynamic, depending on whether their structure remains constant or evolves. In static networks, community detection focuses on identifying the community structure; however, when dealing with dynamic networks, they must consider the temporal evolution of communities to effectively capture and manage the dynamicity inherent in such networks. Since there is no attack specifically designed for community detection methods applied to dynamic networks, this study concentrates on static methods. Various community detection methods have been offered for static networks, which can be mainly categorized as traditional methods, spectral methods, optimization methods, statistical methods, and dynamics-driven methods [10,11].

Traditional methods encompass early approaches to community detection, such as partitional clustering, graph partitioning, hierarchical clustering, etc. Partitional clustering splits the network vertices into a predefined number of clusters (i.e., K) by optimizing a specific cost function based on the distances. The most renowned algorithms within this category are k-means and its numerous extensions [12,13]. Graph partitioning involves separating the vertices into g groups with a predetermined size, aiming to minimize the number of edges that connect distinct groups. The Kernighan–Lin algorithm [14] is a popular example of this category. The network may exhibit a hierarchical organization, characterized by multiple levels of clusters. Hierarchical clustering is broadly divided into two categories: agglomerative and divisive approaches. Girvan and Newman [15] offer a divisive algorithm that progressively removes the edge with the highest (shortest path) betweenness. Spectral methods leverage spectral properties of matrices associated with the graph (such as adjacency matrix or Laplacian matrix) to determine the community structure. The works referenced in [16,17,18,19] provide examples of spectral methods.

Optimization methods seek to maximize or minimize a specific function that represents the quality of a partitioning. The most widely used quality function is modularity. Maximizing modularity is proved to be NP-hard [20], leading to the development of various approximation algorithms, including greedy algorithms, genetic algorithms, or simulated annealing [21]. Newman [22] introduces a hierarchical agglomeration algorithm that maximizes modularity through a greedy approach. Clauset et al. [23] significantly enhance its efficiency by applying strategic optimizations and advanced data structures. Newman [24] offers refinement procedures aimed at enhancing the effectiveness of spectral optimization for modularity. The study [20] delves into the use of integer programming for community detection problems. Moreover, Blondel et al. [25] propose the prominent Louvain method based on modularity optimization. It consists of two phases that are repeated iteratively. The Leiden [26] and Combo [27] algorithms are also proposed in this category.

Statistical methods in community detection typically employ a probabilistic framework to fit the observed network data into a generative model. The stochastic block model (SBM) is the most common generative model for graphs with communities. Dynamics-driven methods utilize the behavior of dynamical processes, like random walks, spin dynamics, and synchronization, occurring on the network to detect communities. The idea of random walk-based methods is that vertices with similar properties are highly likely to be grouped within the same partition. Pons and Latapy [28] present the Walktrap method using a distance matrix constructed according to random walks between nodes. Rosvall and Bergstrom [29] introduce the Infomap algorithm that minimizes the description length for a random walk. The work [30] utilizes spin glass models from statistical mechanics by optimizing a Hamiltonian function. Furthermore, Raghavan et al. [31] offer a label propagation algorithm in which at the beginning each node is given a different label, and at every iteration, each node takes the label that most of its neighbors keep. The main advantages are its simplicity and time efficiency.

Communities can be either overlapping or disjoint (non-overlapping) communities. Overlapping communities allow nodes to be assigned to more than one community, reflecting the nature of the real world, where entities often join various groups simultaneously. Non-overlapping communities, on the other hand, are strictly divided, with each node being assigned to only one community. The Clique Percolation Method (CPM) [32] is a well-known example of uncovering overlapping communities with the concept of overlapping cliques, where each clique is a complete subgraph.

Up to this point, the focus has been on exploring conventional techniques for community detection since community detection attack algorithms try to deceive them. However, the field has seen notable progress, particularly in the parallelization of these conventional techniques to improve their practical applicability [33,34]. Additionally, deep learning has gained prominence, demonstrating significant success in this field [35].

2.2. Community Detection Attack

Community detection algorithms can be considerably disrupted by altering only a small percentage of links, with each link having a different role in maintaining the community structure. A community detection attack aims to mislead community detection algorithms and can be considered as a symmetrical operation on the other side of the wall. It involves strategically manipulating the network structure, such as adding new edges and/or removing the existing ones. The goal is to fool the detection algorithms into inaccurately identifying the community structure of the network, effectively obscuring the true community affiliations and interactions within the network. Hence, the attack algorithms seek to achieve obfuscation at the desired scale by rearranging the minimum number of connections.

Definition 2 

(Budget). It refers to the maximum number of edge modifications that an attack algorithm is allowed to perform within the network. This constraint limits the extent of adversarial modifications that can be applied to the graph structure so as to ensure the attack remains imperceptible. Budget is denoted by β.

Definition 3 

(Rewiring). It describes a particular edge operation in which an edge connected to a node is deleted and another edge is added to it, leaving the total degree of the node unchanged. It strategically changes the relationships of the node to other nodes while preserving its overall connectivity, making the attack not so obvious.

Figure 1 illustrates an overview of community detection attack. The community structure of an original graph is identified using a community detection algorithm. Subsequently, a community detection attack algorithm is applied to the graph that makes some update operations (e.g., edge deletions and/or edge additions). The graph is then re-analyzed using the community detection algorithm. There may be significant changes in the community structure. For instance, members from one community may move to different communities, or the total number of communities in the graph may change significantly. This figure is intended to provide an overview only; different attack algorithms may utilize different knowledge and take some additional knowledge as input. The knowledge each algorithm exploits is explained in Section 3.

2.3. Evaluation Measures for Community Detection Attacks

In this section, the prominent performance evaluation measures used to highlight the effectiveness of the community detection attacks are explained. Performance measures listed below are used to indicate the different aspects of the attack algorithms like the quality of a division, similarity of two partitions, hiding success, etc.

• Modularity: To measure the quality of a division of a network, modularity, which was first introduced by [36], is defined as $Q={\sum }_i(e_{ii}-a_i^2)$, where $e_{ii}$ is the fraction of edges in the network that are internal in community $C_i$ and $a_i={\sum }_j{e}_{ij}$ is the fraction of edges in the network which connect to nodes in community $C_i$. That means it measures the difference between the number of intra-community edges and the expected number of such edges with random connections. Higher values of modularity indicate better community structure. It is particularly used for networks whose community structure is unknown. For weighted networks, the formulation of the modularity is given in [37].
• Normalized mutual information (NMI): It is a measure of similarity between two community partitions (X and Y) based on information theory. $H\left(X\right)$ is the entropy associated with the partition X, and $I(X,Y)$ is the mutual information between two partitions, that is, the information that one partition has about the other. It is defined as $NMI={\displaystyle \frac{2I(X,Y)}{H\left(X\right)+H\left(Y\right)}}$. It can be written for the community structures ($\widehat{C}$ and $\widehat{C}$) detected before and after the attack as follows:

  $$NMI={\displaystyle \frac{-2{\sum }_{i=1}^{\left|\overline{C}\right|}{\sum }_{j=1}^{|\widehat{C}|}{m}_{ij}log\left({\displaystyle \frac{m_{ij}n}{M_i{M}_j}}\right)}{{\sum }_{i=1}^{\left|\overline{C}\right|}{M}_{i}log\left({\displaystyle \frac{M_i}{n}}\right)+{\sum }_{j=1}^{|\widehat{C}|}{M}_{j}log\left({\displaystyle \frac{M_j}{n}}\right)}},$$

  (1)

  where m is the confusion matrix containing the ‘real’ communities in the rows and the ‘found’ communities in the columns, $m_{ij}$ is the number of shared nodes between the real community i and the found community j, $M_i$ is the sum over row i, $M_j$ is the sum over column j, and n is the sum of all elements in the matrix (or the number of nodes in the network). A larger NMI value means the partitions are more similar [38].
• Adjusted Rand Index (ARI): It measures the similarity between two partitions. It is based on pair counting and defined as [39]:

  $$ARI={\displaystyle \frac{{\sum }_{ij}\left(\genfrac{}{}{0pt}{}{m_{ij}}{2}\right)-\left[{\sum }_i\left(\genfrac{}{}{0pt}{}{M_i}{2}\right){\sum }_j\left(\genfrac{}{}{0pt}{}{M_j}{2}\right)\right]/\left(\genfrac{}{}{0pt}{}{n}{2}\right)}{{\displaystyle \frac{1}{2}}\left[{\sum }_i\left(\genfrac{}{}{0pt}{}{M_i}{2}\right)+{\sum }_j\left(\genfrac{}{}{0pt}{}{M_j}{2}\right)\right]-\left[{\sum }_i\left(\genfrac{}{}{0pt}{}{M_i}{2}\right){\sum }_j\left(\genfrac{}{}{0pt}{}{M_j}{2}\right)\right]/\left(\genfrac{}{}{0pt}{}{n}{2}\right)}}.$$

  (2)
  Its value is in the range $[-1,1]$. The larger the ARI value, the closer the two partitions are to each other.
• Success rate: It quantifies the ratio of incorrectly clustered target nodes out of all the target nodes [40], or the percentage of times the target node does not belong to its original community when the process is repeated several times [41].
• AML: The average quantity of link alterations to successfully attack a target node [40].
• Percentage degree increase: It is the percentage increase in the degree of the target node due to the attack [7].
• Community retention probability: It is the probability that the target nodes are found within their original communities after the attack [42].
• Miss ratio: It is defined as $FN/|V-C|$, where C is the target community and $FN$ is the fraction of the target community nodes being associated with another community. It demonstrates the fraction of the target community in the part of the network where the nodes of the target community attempt to hide [43].
• Concealment measure (M): It assesses the effectiveness of concealing a target community C within a community structure $\overline{C}$. Two measures (namely M^′ and M^′′) are introduced to evaluate different dimensions. M^′ assesses how well the C members are distributed across communities in $\overline{C}$, while M^″ measures the degree to which C is concealed within the crowd [5].

  $$M=\alpha M^{\prime }+(1-\alpha )M^{″}$$

  (3)

  $$M^{\prime }={\displaystyle \frac{\left|\right\{C_i\in \overline{C}:C_i\cap C\ne \varnothing \left\}\right|-1}{max\left(\right|\overline{C}|-1,1)\underset{C_i\in \overline{C}}{max}\left(\right|C_i\cap C\left|\right)}}$$

  (4)

  $$M^{″}=\sum _{C_i\in \overline{C}}{\displaystyle \frac{|C_i\setminus C|}{max(n-|C|,1)}}$$

  (5)

  where $\alpha \in [0,1]$ and n is the number of nodes in the graph.
• Community deception score (H): Fionda and Pirro [6] establish three indicators of good hiding of a target community C: (i) reachability preservation, the members of the community C should reach each other, that is, modifications should not break its connectivity; (ii) community spread, the C’s members should be spread over as many communities in the network as possible; and (iii) community hiding, the C’s members should be distributed in the largest communities. The deception score H that captures all of them is defined. Given a target community C and a community structure $\overline{C}=\{C_1,C_2,\dots ,C_k\}$, the score H is defined as:

  $$\begin{array}{c}H(C, \overline{C})=\left(1-{\displaystyle \frac{\left|S\right(C\left)\right|-1}{\left|C\right|-1}}\right)\hfill \\ \times \left({\displaystyle \frac{1}{2}}\left(1-\underset{C_i\in \overline{C}}{max}\left\{R(C_i,C)\right\}\right)+{\displaystyle \frac{1}{2}}\left(1-{\displaystyle \frac{{\sum }_{C_i\cap C\ne \varnothing }P(C_i,C)}{|C_i\cap C\ne \varnothing |}}\right)\right),\hfill \end{array}$$

  (6)

  where $\left|S\right(C\left)\right|$ is the number of connected components within the subgraph formed by the members of C, and recall and precision of a community detection algorithm $A_D$ with regard to the C are defined as follows:

  $$R(C_i,C)={\displaystyle \frac{\#C\mathrm{members}\mathrm{in}{C}_i}{\left|C\right|}}\forall C_i\in \overline{C}.$$

  (7)

  $$P(C_i,C)={\displaystyle \frac{\#C\mathrm{members}\mathrm{in}{C}_i}{|C_i|}}\forall C_i\cap C\ne \varnothing .$$

  (8)
  The goals (i), (ii), and (iii) stated above are fulfilled by the left multiplicative factor, the first term in the right factor, and the second term in the right factor, respectively. Let us think whether the deception score H can be directly used (by maximizing it) to approach a target community hiding problem. It includes the knowledge of the community structure $\overline{C}$ and would need to have the knowledge of the community detection algorithm $A_D$, which produced $\overline{C}$. That means, the deception would depend on $A_D$.
• Community splits (CommS): It captures the number of communities in the updated network containing the members of the target community [44].
• Community uniformity (CommU): It captures how members of the target community are distributed among the communities in the updated network using entropy [44].
• Modified NMI (MNMI): In large networks, concealing a target community might not significantly impact the communities that are not directly connected to it. Therefore, this measure evaluates NMI between the community memberships of target community nodes and their directly connected neighbors prior to and following the attack. It has the same range as NMI [44].
• Fitness: The proposed fitness function can be used to assess the attack effect [7].
• Variation of information (VI): It is a measure used for comparing two partitions (X and Y) based on information theory. It is defined as $VI=\left(H\right(X)-I(X,Y\left)\right)+\left(H\right(Y)-I(X,Y\left)\right)$ in [45]. The lower VI value implies that the partitions are more similar.
• Split–join distance (SJD): It calculates the distance between two community partitions (X and Y), proposed in [46]. It is given by $SJ(X,Y)=P{D}_Y\left(X\right)+P{D}_X\left(Y\right)$. The $P{D}_Y\left(X\right)$ is the projection distance of Y from X and found as follows: for each community in Y, determine the community in X with which it has the maximum overlap, then add up the maximal overlap sizes and subtract the sum from the number of elements in Y. A lower value of the split join indicates that the partitions are more similar.
• Jaccard index: It is used to compare two community partitions (X and Y) [47]. It is defined as $J(X,Y)=|X\cap Y|/|X\cup Y|$.
• Recall: Given two community partitions (X and Y), for any distinct vertices i and j, it is defined as [47]:

  $$R(X,Y)={\displaystyle \frac{\left|\right\{(i,j)\in X\mid i\ne j,(i,j)\in Y\left\}\right|}{\left|\right\{(i,j)\in X\mid i\ne j\left\}\right|}}.$$

  (9)
  The numerator is the number of pairs $(i,j)$ that are in the same community in both partitions X and Y. The denominator is the total number of pairs $(i,j)$ that are in the same community in partition X. So, recall measures the proportion of relevant vertex pairs in the same community in partition X that are also found in the same community in partition Y.
• Precision: It is used to compare two community partitions (X and Y) [48]. It is defined as $P(X,Y)=|X\cap Y|/\left|Y\right|$.
• Node-centric measures: It encompasses the gain in the graph safeness and the loss in the graph persistence [49]. The equations for node safeness and persistence (which closely resemble the permanence formula) are provided in Section 3.2, allowing graph-wide computation by summing the values of all nodes in the graph.
• Constant community (CC) measures: Constant communities refer to groups of nodes that consistently belong to the same community across various community detection algorithms. The measures derived from CCs involve the number of nodes within CCs, the average density of such communities, and the average hub dominance [49].
• Attack efficiency: It measures the effectiveness of an attack. It is the number of incorrectly clustered nodes with a limited number of edge modifications ($\beta$). It is defined as [50]:

  $$AE={\displaystyle \frac{\mathrm{Number}\mathrm{of}\mathrm{altered}\mathrm{nodes}}{\beta }}.$$

  (10)
• BN ($\beta$ * NMI): It represents the attack cost. It measures the number of edge modifications required to decrease the NMI value. A lower BN value signifies a more effective attack [3].

3. Community Detection Attacks

Community detection attacks try to deteriorate the performance of community detection algorithms. In this section, the problem of community detection attacks is given in three scales; target node, target community, and global attacks. The available attack algorithms in the literature for each scale are explained. Some algorithms are designed for multi-scale problems like EPA [7] or CH-SNMF [42]; the algorithm explanation is given in the subsection where it first appears in these cases.

3.1. Target Node Attack

In certain cases, a specific node within a network may prefer to avoid detection as part of any particular community. This node may have affiliation with sensitive or private groups, such as political or religious groups, or may not want its group to be known due to personal preferences. The main goal of a target node attack is to obscure the community membership of a target node within a network, ensuring that the community it belongs to cannot easily be detected. This can be executed by altering the connections around the target node, making it harder to accurately place the node within its original community.

Definition 4 

(Target Node Attack). Given a target node u, suppose it is a member of community $C_i$ in the original graph $G=(V,E)$. The target node attack problem is to avoid the target node u from being identified as part of its initial community $C_i$ by altering the connections around it. After the attack, suppose that it is included in $C_j$ in the adversarial graph $G^{\prime }$, which is as different as possible from $C_i$. That means the target node is clustered into the wrong community.

Figure 2 illustrates an example of a target node attack on Zachary’s Karate network [51]. The community structure, comprising four distinct communities, is found using the Louvain algorithm [25]. Node 19 is chosen as the target node, with its border highlighted in red. Initially, it belongs to the blue community indicated by the circle. Given an attack budget of 2, the target node removes its connection with node 1, which is in the same community, and establishes a new connection with node 29 from a different community. That means edge $(19,1)$ is deleted within the community of the target node and edge $(19,29)$ is added between communities. After the attack, when the Louvain is re-applied to the modified network, as shown on the right, the target node is assigned to a different community, marked with plum color and hexagon shape. The goal here is to determine the optimal structural modification to the neighborhood of the target node. This modification should ensure that the target node remains hidden. It is considered successful when the original community and the new community involving the target node are different.

Chen et al. [40] put forward fast gradient attack (FGA) on network embedding to avoid target nodes from being identified (i.e., wrongly clustered in community detection). FGA comprises two parts: (i) generation of the adversarial network based on the graph convolutional network (GCN) gradient and (ii) using the adversarial network to attack the GCN or other network embedding methods. In the first stage, for a target node, a target loss function is computed. The partial derivative of it concerning each element of the adjacency matrix is calculated. Then, the link with the maximum absolute gradient is chosen to add/delete since it affects the result of the target node more. In the experiments, the K-means algorithm is used to obtain the community detection results from the embedding vectors.

The problem of community detection attacks is formalized in three scales, global, target community, and target node attacks, by the study [7]. Each attack problem is modeled as an optimization algorithm, and a genetic algorithm-based EPA method is proposed. The index (ID) of a link (added or deleted link) is used as a gene. Each chromosome represents an attack. For a target node attack, the fitness function is based on only the degree change $f=\mathrm{\Psi }\left(d^{\prime }\right)$, where $\mathrm{\Psi }\left(d^{\prime }\right)=exp(c\times d^{\prime })$, c is a constant to control decay speed, $d^{\prime }=d/\left|E\right|$, $d={\displaystyle \frac{1}{4}}{\sum }_{i=1}^n|d_i-{\widehat{d}}_i|$, n is the number of nodes in the graph, and $d_i$ and ${\widehat{d}}_i$ are the degrees of node i before and after the attack. Unequal crossover is adopted so that the chromosome length can be changeable. In the mutation process, network structural properties (i.e., between pairs of two nodes, betweenness for deletion, and the shortest path lengths for addition) are used.

Bernini et al. [41] address the problem of community membership hiding. The goal of the node deception task is to disassociate a target node u from its original community $C_i$. The objective is defined by setting a threshold for the similarity between the target node’s original community $C_i$ and new community $C_i^{\prime }$ by excluding it, that is, $sim(C_i-\left\{u\right\},C_i^{\prime }-\left\{u\right\})\le \tau$, where $\tau \in [0,1]$. The loss function is formulated as $loss=l_{decept}+\lambda l_{dist}$. The first part evaluates to 1 if node u remains in the community $C_i$ or 0 otherwise (the goal is achieved). The second part assesses the distance between two graphs (G and $G^{\prime }$) and their corresponding community structures ($\overline{C}$ and $\widehat{C}$). The target node can delete edges within its community and add new edges to nodes outside its community. The hiding problem is solved using deep reinforcement learning, and the advantage actor-critic framework is used [52].

A unified framework (CH-SNMF) is introduced for the three scales of community hiding [42]. It utilizes the clustering properties of symmetric non-negative matrix factorization (SNMF). Rather than constructing the feature matrix, the adjacency matrix A is used. Matrix U $=U_{ij}$ (community indicator) specifies the probability of a node $v_i$ being part of community $C_j$. $min\left|\right|$A − UU^T${\left|\right|}_F^2$ is obtained such that U $\ge 0$. At each iteration, nodes having a high membership are chosen when updating the matrix U. For rewiring, it removes the edges between nodes with high membership in a community and creates edges to nodes with high membership that belong to other communities.

Table 1. Summary of target node attacks.

Ref.	Community Detection Attack	Update	Intra/ Inter	Knowledge Needed	Measure	Comparison	Community Detection Algorithm (**)
[40]	FGA	EDel, EAdd	✗	Network	Success rate, AML	Random, Nettack, DICE	emb + km
[7]	EPA	EAdd	✗	Network	Percent. degree increase	Random	gre, inf, lou, wal, eig, spi
[41]	DRL-Agent	EDel, EAdd	✓	Network, CS	Success rate, NMI	Random, Degree, ROAM	opt, lou, wal
[42]	CH-SNMF	EDel, EAdd (Rewire)	✓	Network, community number	Comm. retention prob.	ROAM	gre, inf, lou, lab

(**): Greedy [22] (gre), Infomap [29] (inf), Louvain [25] (lou), Walktrap [28] (wal), Eigenvectors [16] (eig), SpinGlass [30] (spi), Label Propagation [31] (lab), Optimal [20] (opt), Embedding (emb), K-means [12] (km).

summarizes and compares target node attack algorithms. For each study, reference of the study, target node attack algorithm name(s), update operation, whether intra-/inter-commmunity edges are used or not, knowledge needed (if any prior information required), and measures used to compare the attack algorithms with the algorithms in the comparison column are specified in the table. The last column shows the short names of the community detection algorithms used in the study. When the table is examined, it can be seen that the EPA algorithm employs only edge addition, while other methods incorporate both edge addition and removal to modify the network’s structure. Rewiring is only applied in CH-SNMF. Considering the community of the target node and the external communities, the algorithms that delete the intra-community edges and add inter-community edges are DRL-Agent and CH-SNMF. The aim is concealing a specific node in target node attacks, but all attack algorithms utilize the entire network. Some algorithms, such as DRL-Agent and CH-SNMF, even rely on prior knowledge of communities. Although success rate is used as a performance measure in two studies, different measures are also preferred. Comparisons of the algorithms are typically made against random baselines.

3.2. Target Community Attack

There may be scenarios where a group, such as police enforcement or activists, needs to interact and cooperate in a network without disclosing their community membership. A target community attack, also known as community deception, involves disguising a specific community that may be private or sensitive. This attack aims to conceal the existence of a target community within the network. For this, the connections of members of the target community are altered, which complicates the detection. Changing the connections of the target community may spread its members to other communities, causing the target community to become obscure.

Definition 5 

(Target Community Attack). Given a target community $C\subseteq \overline{C}$, identified by a community detection algorithm f on the original graph $G=(V,E)$, the target community attack problem is to hide the target community C by altering the connections of its members within a specified budget β. After the attack, C is no longer detectable by the community detection algorithm f. That is, in the adversarial graph $G^{\prime }$, the nodes in C are distributed among a set of new communities, denoted by $\widehat{C}=\{C_1^{\prime },C_2^{\prime },\dots ,C_L^{\prime }\}$.

An illustrative example for a target community attack on the Karate network [51] is depicted in Figure 3. The community structure identified with the Louvain algorithm on the original network consists of four communities. Assume that the community whose members are shown as octagons and bordered in red is targeted, that is, target community members are $\{23,24,25,27,28,31\}$. Considering that the update budget is 4 and the following updates are applied to the graph (deleting edges $(23,27)$ and $(24,31)$, and adding edges $(24,4)$ and $(25,4)$), the community detection result on the updated network is obtained, as shown on the right, pointing out [6] (i) its members are evenly distributed in two communities, (ii) its members are better ‘hidden’ within the larger communities, and (iii) all its members are reachable from one another.

Nagaraja [43] first introduced the concept of hiding a community to counter community detection algorithms by allowing the community to alter its structure. The study considers only two communities where the nodes of the hidden community try to enter the main network (i.e., the other community). Their strategies are only based on link additions to the nodes with high centrality values, chosen from each of the two communities.

Waniek et al. [5] also focus on how a community can disguise itself to reduce the likelihood of being discovered through community detection. A heuristic algorithm named disconnect internally and connect externally (DICE) is proposed, which works by randomly deleting the links between members of the target community (intra-community edges) and adding the links between members and non-members of the target community (inter-community edges). The DICE algorithm is inspired by modularity. It does not require knowing the entire network topology and can be applied by any group of people.

Fionda and Pirro [6] model community deception as an optimization problem and propose “community safeness”. Before giving it, firstly node safeness $\sigma (\mu ,C)$ of node $\mu$ in G is defined to measure hiding of it in the community C as follows:

$$\sigma (\mu ,C)={\displaystyle \frac{1}{2}}{\displaystyle \frac{|V_C^u|-|E(u,C)|}{\left|C\right|-1}}+{\displaystyle \frac{1}{2}}{\displaystyle \frac{|\tilde{E}(u,C)|}{deg\left(u\right)}},$$

(11)

where $V_C^u\subseteq C$ is the set of nodes of C reachable from u by passing only via nodes in C, $E(u,C)$ is the set of internal edges of node $u\in C$, $\tilde{E}(u,C)$ is the set of external edges of node $u\in C$, and $deg\left(u\right)$ is the degree of node u. Node safeness of u considers two factors related to the indirect connections of the node u with the nodes in the community C and the external connections of the node u. That is, the first factor explains how well u transmits information in C. The second factor explains how u is concealed in the network with respect to its degree. The second one is used to confuse detection because it leads to a better community deception if u is diverse in terms of its edges. Moreover, the community safeness $\sigma \left(C\right)$ is defined as $\sigma \left(C\right)={\sum }_{u\in C}\sigma (u,C)/\left|C\right|$. Higher community safeness means finding the correct set of updates. Based on the community safeness, the Ds algorithm is proposed to deceive a detection algorithm by changing (adding/deleting) a certain number of links of the target community. Let $\mathrm{\Delta }\left(C\right)=\sigma \left(C^{\prime }\right)-\sigma \left(C\right)$ be the safeness gain, where $C^{\prime }$ is the community after one or more link updates. The Ds is a greedy algorithm which selects the edge update that gives the highest $\mathrm{\Delta }\left(C\right)$ at each step. The Ds algorithm only considers inter-community edge additions and intra-community edge deletions. Additionally, in the study [6], the Dm algorithm that is based on the modularity loss is presented for community deception. However, it needs the knowledge of the community structure. Later, Fionda and Pirro [53] offer the SECRETORUM algorithm, in which node safeness is re-defined to work with weighted networks. Further, the same author group explores community deception for directed and/or weighted graphs in the studies [54,55,56].

In the EPA method [7], for target community and global attacks, the fitness function is calculated using entropy and degree change. Entropy is employed to assess the attack effect using the community detection results before and after the attack. Therefore, the EPA method requires the knowledge of the community structure discovered by a particular detection algorithm. The fitness function for a global attack is designed as follows:

$$f=\mathrm{\Psi }\left(d^{\prime }\right)\times (En{t}_A/{log}_2|\widehat{C}|+En{t}_B/{log}_2\left|\overline{C}\right|),$$

(12)

$En{t}_A$ and $En{t}_B$ are the entropy for new communities and original communities, respectively, m is the confusion matrix of two community distributions, $m_{ij}$ is the number of common nodes between the original community $C_i$ and the new community $C_j^{\prime }$, n is the number of nodes in the graph, and

$$En{t}_A=-\sum _{i=1}^{\left|\overline{C}\right|}\sum _{j=1}^{|\widehat{C}|}{\displaystyle \frac{M_i}{n}}\left({\displaystyle \frac{m_{ij}}{M_i}}{log}_2{\displaystyle \frac{m_{ij}}{M_i}}\right).$$

(13)

The maximum value of $En{t}_A$ (resp., $En{t}_B$) is obtained if the values of each row (resp., column) are equal. For a target community attack, the fitness function given in Equation (12) can be adapted to limit the search space [7].

Chen et al. [57] give a new definition for community safeness that considers the total shortest path for every pair of nodes in the target community C. For this, the degree of dispersion of the community C is defined as $\rho \left(C\right)={\sum }_u{\sum }_{v}sp(u,v)$, where $u,v\in C$, $u\ne v$ and $sp(u,v)$ is the length of the shortest path between node u and node v. The higher $\rho \left(C\right)$ is, the better the community hiding. The $\rho \left(C\right)$ is normalized to maintain it in the range $[0,1]$, that is, $\psi \left(C\right)=(\rho \left(C\right)-\rho {\left(C\right)}_{min})/(\rho {\left(C\right)}_{max}-\rho {\left(C\right)}_{min})$. Then, the community safeness is defined as $\sigma \left(C\right)={\displaystyle \frac{1}{2}}\psi \left(C\right)+{\displaystyle \frac{1}{2}}\phi \left(C\right)$, where $\phi \left(C\right)={\sum }_{u\in C}{\displaystyle \frac{|\tilde{E}(u,C)|}{deg\left(u\right)}}$. The Ds algorithm is improved, and the Hs algorithm, which is based on the new safeness definition, is proposed.

Mittal et al. [44] use permanence for community deception. Permanence is a node-based metric which quantifies the belongingness of a node v to its community C [58]:

$$Perm\left(v\right)={\displaystyle \frac{I\left(v\right)}{E_{max}\left(v\right)}}\times {\displaystyle \frac{1}{deg\left(v\right)}}-(1-c_{in}\left(v\right)),$$

(14)

which is based on three factors: (1) internal pull $I\left(v\right)$, the internal connections of v inside its own community; (2) maximum external pull $E_{max}\left(v\right)$, the maximum connections of v to its neighboring communities; and (3) v’s internal clustering coefficient $c_{in}\left(v\right)$, the fraction of the actual and possible number of links among the internal neighbors of v. The permanence of a node increases if its internal pull is greater than its external pull or its internal neighbors are densely connected. Figure 4 illustrates a toy example of the calculation of the permanence of two nodes. The permanence of a network G is calculated as $Perm\left(G\right)={\sum }_{u\in V}Perm\left(v\right)/\left|V\right|$. Mittal et al. propose NEURAL, a permanence-based deception method that aims to reduce the network permanence to hide a target community C. NEURAL is a greedy strategy that maximizes the permanence loss $P_l=Perm\left(G\right)-Perm\left(G^{\prime }\right)$ by choosing the edge update giving the highest $P_l$ at every iteration. NEURAL also allows only intra-community edge deletions and inter-community edge additions. The work [59] then adapts the permanence formula to operate on weighted networks and offers the PERMDEC algorithm using the permanence loss.

The Matthew effect caused by traditional quality function (i.e., modularity)-based methods is identified, where earlier edge perturbation influences the placement of subsequent perturbations at the community level [48]. To address this issue, a probabilistic framework, ProHiCo, is designed to hide a set of target communities. The core concept behind it is to initially allocate the resource of perturbations randomly and sequentially, followed by selecting the suitable edges for perturbation through likelihood minimization. By integrating the stochastic block model and its degree-corrected version into the ProHiCo framework, two scalable algorithms, SBM and DCSBM, employing sampling and pruning techniques, are proposed. Then, the scalable ComDeceptor method [60], leveraging the Laplacian spectrum, also hides an arbitrary set of target communities. It first allocates the resources of perturbations fairly, giving either a pair of communities for edge addition or a community for edge deletion in each round. The method performs inter-community edge additions by maximizing the second smallest Laplacian eigenvalue while performing intra-community edge deletions by minimizing the largest Laplacian eigenvalue. It incorporates heuristics for approximately solving them.

A node-centric approach [61] is introduced for community deception by allowing node updates, where each node operation (node addition or node deletion) results in several edge updates. It relies on node safeness defined in Equation (11). A greedy algorithm, nSAF, is proposed that selects the node operation (between a node addition candidate and a node deletion candidate) that yields the best safeness gain for each step, along with the respective edges. For deletion, the node with the least safeness is chosen among the target community nodes, and its edges are determined as the edges to be deleted. For the addition of a new node (natural or bot), the edges to be added are determined as follows: first, only one edge is established with a node in the target community to form a single component, and then, the remaining edges are established with nodes outside the target community. Another greedy algorithm with a node-centric approach, nDec [62], is based on modularity and considers three node operations (addition, deletion, and moving). Node addition is essential when new members join the network. While moving nodes between communities is generally preferable, node deletion may be necessary in cases where the complete concealment of the target community is critical. A deleted node can be re-added with carefully chosen edge additions.

Chang et al. [63] offer three genetic algorithms for hiding a target community using escape score, dispersion score (deception score H in [6]), and hiding score as the fitness functions. The escape score quantifies the number of nodes in the target community that are concealed. The hiding score formula is obtained from the first two scores.

A swarm intelligence-based method, SCP, is introduced for target community attacks [64]. The edge pool is initialized according to permanence, as in [4] (explained in Section 3.3), but only the edges related to the target community are considered. The search space is tailored for each particle. A self-adaptive mechanism is implemented to balance global and local search resources. The fitness function is derived from the structural entropy given in Equation (16).

Table 2. Summary of target community attacks.

Ref.	Community Detection Attack	Update	Intra/ Inter	Knowledge Needed	Measure	Comparison	Community Detection Algorithm (**)
[43]	Naga.	EAdd	✓	C’s members links, Vertex centralities	Miss ratio	No	smo
[5]	DICE	EDel, EAdd	✓	C’s members links	M	No	cnm, inf, lou, wal, eig, spi, btw
[6]	Ds, Dm	EDel, EAdd	✓	C’s members links for Ds, CS for Dm	H, NMI	DICE	cnm, inf, lou, wal, eig, spi, btw, lab, opt, scd
[7]	EPA	EDel, EAdd (Rewire)	✗	Network, A part of CS	Fitness, H	DICE, Ds	gre, inf, lou, wal, eig, spi
[53]	SECRETORUM	EDel, EAdd	✓	C’s members links	H, NMI	Random, DICE, Ds, NEURAL	cnm, inf, lou, wal, lab
[57]	Hs	EDel, EAdd	✓	C’s members links	H	Ds, Dm	inf, lou, eig, spi, lab
[44]	NEURAL	EDel, EAdd	✓	Node info for a subset of nodes	NMI, MNMI, CommS, CommU	Random, Naga., DICE, Ds	cnm, inf, lou, wal, eig, lab
[48]	ProHiCo (SBM, DCSBM)	EDel, EAdd	✓	Network, CS	Jaccard, Recall, Precision, NMI	Ds, REM	cnm, inf, wal, lab, lei
[60]	ComDeceptor	EDel, EAdd	✓	Network, CS	Jaccard, Recall, Precision, NMI	Ds, REM, DCSBM	cnm, inf, lou, eig, lei, danmf
[41]	DRL-Agent	EDel, EAdd	✓	Network, CS	H, NMI	Ds, Dm	opt, lou, walk
[61]	nSAF	EDel, EAdd, NDel, NAdd	✗	C’s members links	H, NMI	Random, DICE, Ds, Dm, NEURAL	cnm, inf, lou, eig, lab, scd, lei, cmb, spec, kcut
[62]	nDec	EDel, EAdd, NDel, NAdd, NMov	✗	Network, CS	H, MNMI, NMI	Random, DICE, Ds, Dm, NEURAL	cnm, inf, lou, eig, lab, scd, lei, cmb, spec, kcut
[42]	CH-SNMF	EDel, EAdd (Rewire)	✓	Network, Community number	H, M	DICE, Ds	gre, inf, lou, lab
[63]	CEHA, CDHA, CCHA	EDel, EAdd	✓	Network, CS	NMI, Q, M	Random, DICE, Ds, NEURAL	cnm, inf, lou, lab
[64]	SCP	EDel, EAdd	✓	Network, CS	NMI, VI, SJD, Local	Random, DICE, Ds, NEURAL, MOD	cnm, inf, lou, wal, eig, btw

(**): Spectral Modularity Opt. [24] (smo), Greedy [22] (gre), Clauset–Newman–Moore [23] (cnm), Infomap [29] (inf), Louvain [25] (lou), Walktrap [28] (wal), Eigenvectors [16] (eig), SpinGlass [30] (spi), Edge-Betweeness [15] (btw), Label Propagation [31] (lab), Optimal [20] (opt), Scalable Community Detection [33] (scd), Leiden [26] (lei), Combo [27] (cmb), Spectral [18] (spec), Knowledge cut [19] (kcut), Deep Autoencoder-like NMF [65] (danmf).

summarizes and compares target community attack algorithms. For each study, reference of the study, target community attack algorithm name(s), update operation, whether intra-/inter-commmunity edges are used or not, knowledge needed (if any prior information required), and measures used to compare the attack algorithms with the algorithms in the comparison column are specified in the table. The last column shows the short names of the community detection algorithms used in the study. The table indicates that manipulation of the network structure exclusively through the addition of edges is achieved only in the study [43]. The other algorithms modify the network by both adding and removing edges. Additionally, nSAF and nDec algorithms also perform node updates. Notably, edge rewiring is implemented only in the EPA and CH-SNMF algorithms. Rewiring is not applied in greedy optimization-based methods (i.e., Ds, Dm, SECRETORUM, Hs, NEURAL, nSAF, and nDec). Except for EPA, nSAF, and nDec, all of them perform inter-community link addition and intra-community link deletion since the target community to be concealed is known and other communities can be treated as external communities. Some algorithms may need additional prior information to hide a target community. For example, information about neighboring communities is needed to calculate the permanence value in the NEURAL algorithm. Certain algorithms even demand a community structure extracted from the network by a community detection algorithm, implying the necessity of knowing the entire network. This requirement may potentially restrict the practical applicability of these methods in real-world scenarios. When evaluation measures are analyzed, it is observed that the community deception score H, which captures all three desiderata of effective community hiding, and NMI are predominantly preferred. Following them, the measure M is preferred. In the comparative analysis of the attack algorithms, the Ds algorithm emerges as the most frequently utilized, indicating its widespread acceptance and effectiveness in the context of target community attacks.

3.3. Global Attack

In a global attack, all communities within the network are regarded as sensitive. This attack focuses on modifying the least number of connections to significantly alter the overall community structure, thereby ensuring privacy.

Definition 6 

(Global Attack). Let $G=(V,E)$ be a graph. f is a community detection algorithm that discovers the community structure $\overline{C}=\{C_1,\dots ,C_K\}$ on G. The global attack problem aims to maximize the change in the community structure by allowing a certain number (β) of edge modifications (addition or deletion) in the network, where β is the budget. After the attack, the adversarial graph $G^{\prime }$ is obtained. The community structure discovered from $G^{\prime }$ is $\widehat{C}=\{C_1^{\prime },\dots ,C_L^{\prime }\}$ through the community detection algorithm f. The community structure $\widehat{C}$ is as different as possible from the original community structure $\overline{C}$.

Figure 5 presents a visualization of a global attack on the Karate network [51]. The implementation of the Louvain algorithm divides the nodes in the original network into four communities, each represented by a different shape to indicate the membership of the individuals. Performing a global attack, consisting of four strategically selected edge rewirings, produces the adversarial network; the resulting community structure on it by the same detection algorithm is illustrated in Figure 5b [2], revealing the change in the number of communities and exhibiting disorganization at a broader scale by modifications across the network.

The attack strategies for global attacks are designed to disrupt the community structure. Figure 6 shows an ideal case for community obfuscation.

Chen et al. [2] tackle the problem of global community structure deception and develop strategies to attack community detection algorithms by rewiring the minimal number of links. Two heuristic attack strategies, community detection attack (CDA) and degree-based attack (DBA), as baselines, and a genetic algorithm-based strategy, Q-Attack, are given to fool the detection algorithms. These strategies rely on rewiring, that is, adding an edge to a node while deleting one from it. The CDA strategy uses knowledge of the community structure found by a specific detection algorithm. Since there is no target community, it randomly selects a certain number of nodes from the network. In every iteration, for a chosen node, an existent intracommunity edge is deleted and a non-existent inter-community edge is added. The DBA heuristic strategy is also similar to CDA but chooses the nodes of larger degree from the network.

The genetic algorithm is used to search for the optimal set of rewiring links [2]. The Q-Attack algorithm is mainly composed of three parts: encoding, fitness function, and design of genetic operators. For encoding, an attack is represented by a chromosome and a rewiring (a deleted edge and an added edge) is represented by a gene. An example individual consisting of four rewirings is demonstrated in

Table 3. An individual representation.

$(19,38)$	$(29,21)$	$(25,33)$	$(20,15)$
$(19,13)$	$(29,14)$	$(25,28)$	$(20,5)$

. The fitness function used is $f=e^{-Q}$, which indicates that individuals with lower modularity will have larger fitness. The probability of selecting an individual is proportional to its fitness, represented as $p_i=f\left(i\right)/{\sum }_{j=1}^{n}f\left(j\right)$. A single-point crossover between two individuals is adopted with the probability $p_c$, and to promote the diversity, three types of mutation operators, such as link deletion, link addition, and link reconnection, are proposed with probability $p_m$.

In the study [47], structural entropy for a graph $G=(V,E)$ is expressed as follows:

$$\mathcal{H}\left(G\right)=-\sum _{i=1}^{\left|V\right|}{\displaystyle \frac{d\left(i\right)}{2\left|E\right|}}{log}_2{\displaystyle \frac{d\left(i\right)}{2\left|E\right|}},$$

(15)

where $d\left(i\right)$ is the degree of node i. Then, the structural entropy for the graph with respect to the community structure $\overline{C}=\{C_1,C_2,$$\dots ,$$C_k\}$ is defined, in which $v\left(j\right)$ is the sum of degrees in community $C_j$ and $g\left(j\right)$ is the number of external edges from community $C_j$.

$${\mathcal{H}}_C\left(G\right)=-\sum _{j=1}^k\left[{\displaystyle \frac{v\left(j\right)}{2\left|E\right|}}\left(-\sum _{i\in C_j}{\displaystyle \frac{d\left(i\right)}{v\left(j\right)}}{log}_2{\displaystyle \frac{d\left(i\right)}{v\left(j\right)}}\right)-{\displaystyle \frac{g\left(j\right)}{2\left|E\right|}}{log}_2{\displaystyle \frac{v\left(j\right)}{2\left|E\right|}}\right].$$

(16)

To disrupt the community structure, their REM method minimizes $\rho =(\mathcal{H}\left(G\right)-{\mathcal{H}}_C\left(G\right))/\mathcal{H}\left(G\right)$. It only performs edge additions between communities by considering nodes with a low degree.

Network embedding algorithms map the nodes of a network into the vectors in a Euclidean space. These vectors then can be used by downstream network tasks, such as node classification, community detection, and link prediction. Yu et al. [66] focus on attacking the network embedding process. An attack method, namely EDA, is proposed for disturbing the distances between the embedding vectors through minimal changes of the network structure. For embedding, the DeepWalk method is used. To obtain the optimal set of modified links, a genetic algorithm is used. The EDA method iteratively calls DeepWalk and the genetic algorithm and returns the adversarial network at the end. This attack method disturbs the global network structure. Moreover, to observe the effectiveness of the attack on community detection, nodes are converted into vectors using DeepWalk and the embedding vectors are clustered via the K-means algorithm. As an unsupervised attack, EDA does not need any knowledge of communities.

Persistence, which includes the same three factors and is too similar to permanence, is defined in the study [49]. However, persistence is used for global attacks. Two attack strategies, maximization of persistence loss (MPL) and a rewiring strategy, are offered. The MPL strategy aims to maximize the persistence loss of the network. A node is moved to a neighboring community if its persistence score decreases. All the nodes in the network are checked. In MPL, the structure is not altered. A rewiring strategy can be applied after MPL to change the structure of the network. For every shifted node, an edge from the old community is deleted and a new edge is added to a node in the new community.

Modularity vitality reflects the role of a node (i.e., bridge or hub) within a given community structure [67]. This measure can be utilized to execute global attacks, with a greedy approach by removing community hub nodes—those with high modularity vitality. Even an approximation is offered with the calculation of the values only once. Experiments on a network reveal that a specific level of attack effect can be achieved by removing a few nodes or by removing a large number of edges. The suggestion is that users seeking to safeguard their community identity break their connections with community leaders.

Graph neural networks (GNNs) have been widely preferred in graph-related tasks. Liu et al. [50] apply a graph auto-encoder [68] to handle the community hiding problem and propose a method called GCH. A graph auto-encoder is used to reconstruct the probability adjacency matrix. The GCH method takes the community structure discovered by a detection algorithm to generate the adversarial network. The original network is perturbed by deleting the edges with the highest probability within communities and adding the edges with the lowest probability between communities. In this manner, the global community structure is disturbed, which leads the structure to be very different.

Liu et al. [3] propose a community hiding algorithm based on genetic algorithms using normalized mutual information (NMI), called CGN. This algorithm realizes global community structure hiding. It mainly consists of four parts: creating a gene pool with prior information, encoding, fitness function, and genetic operators. A gene pool is established according to preliminary information about the community structure of the original graph found by a community detection algorithm. That means rather than considering all existent graph edges for deletion and all non-existent graph edges for addition, the gene pool includes existent edges within the communities (intra-community edges) for deletion and non-existent edges between the communities (inter-community edges) for addition. In encoding, a chromosome corresponds to an attack and an edge randomly chosen from the gene pool corresponds to a gene. The fitness function is designed as $f=1-NMI$, which indicates the chromosome with a lower NMI value will have larger fitness and produce a better attack. The benefit of employing NMI as a fitness function is that the minimum value of NMI shows that the community structure of the network has changed significantly after the attack. The roulette wheel selection is used. The chromosomes in a population are mapped to a wheel, where those with higher fitness values have a higher probability of being selected. A single-point crossover is applied between two chromosomes with the probability $p_c$, and mutation is performed with probability $p_m$.

Zhao et al. [4] develop SAEP (a self-adaptive evolutionary deception) framework. It offers a permanence-based edge pool initialization mechanism. The permanence of a node is a measure of loyalty to the community it belongs to. A permanence value is in $(-1,1]$. A value close to 1 means a loyal node, while close to −1 means a tendency to leave. For the edge deletion, intra-community edges are sorted by the product of their nodes’ permanence in increasing order. This implies that in a community, the nodes with low loyalty are more likely to leave because they lose the attraction from the ones with high loyalty. For the edge addition, it focuses on the non-existent inter-community edges that are sorted by the product of the nodes’ permanence in increasing order. It means that a node with low permanence in community A receives an invitation from a node loyal to an external community B. Further, a penalty for adding edges to the node from unrelated communities is defined by multiplying the result by 0.5. Then, edges are sampled from the pool with a probability $prob\left(i\right)={\displaystyle \frac{x_i^{-\theta }}{{\Sigma }_{k=1}^{\left|P\right|}{x}_i^{-\theta }}}$, where $x_i$ is the ith element in the sorted pool, $\left|P\right|$ is the pool size, and $\theta$ is empirically assigned to 0.3.

A fitness function is proposed to capture local and global community change [4]. It consists of multiple components ($f=f_1\ast f_2\ast f_3$). To capture local change, the assumption is that if an edge is modified (added/deleted), its two nodes should be affected first. The aim is to observe if the nodes of the modified edge join the other communities. A set of nodes $\mathrm{\Delta }\left(V^{\prime }\right)$ related to the modified edges $\mathrm{\Delta }\left(E^{\prime }\right)$, which includes nodes whose community is not the same as that of its most loyal neighbor after the attack, are identified. $f_1$ is designed as $f_1={\sum }_{v\in \mathrm{\Delta }\left(V^{\prime }\right)}{log}_{2}d\left(v\right)$. To capture global change, two functions are defined based on the confusion matrix. $f_2$ is $En{t}_A$ defined in the study [7]. This will force nodes to leave their initial community. $f_1$ cannot capture local obfuscation if the entire community (the affected node and its most loyal neighbor) combines with another community after the attack. To solve the issues, a variant of the confusion matrix $m^{\prime }$, is introduced as $m_{ij}^{\prime }={\displaystyle \frac{m_{ij}}{|C_j^{\prime }|}}\ast {log}_2\left|C_j^{\prime }\right|$. The first part ${\displaystyle \frac{m_{ij}}{|C_j^{\prime }|}}$ is the proportion of nodes of the original community $C_i$ that form the new community $C_j^{\prime }$. The log part is to prevent a situation like a community with one node. $f_3$ is defined as $f_3=e^{-max\left(m^{\prime }\right)}$ and tries to make the maximum value as small as possible.

In the SAEP [4], each chromosome is assigned a strength vector to evaluate the strength or weakness of its genes. The vector for the jth chromosome is $W^j=[W_1^j,\dots ,W_{\beta }^j]$. An edge distance is introduced to ensure that the edges in the solution are close to each other. The penalty Q of a modified edge is $Q\left(e\right)={\Sigma }_{i=1}^k{\sigma }^i$, where $\sigma$ is set in $[0,1]$ and k indicates there are no modified edges at k-hop distance. The strength of the ith edge (gene) in its chromosome is updated as $W_i=W_i\ast {\displaystyle \frac{1}{1+exp\left(Q\right(e\left)\right)}}$ if $k>1$. Moreover, adaptive crossover and mutation operations are designed according to the strength vectors. To exchange only the inferior genes, a uniform crossover operation is used; exchanging of two genes is performed if a random number is greater than the maximum of the $W_i^m$ and $W_i^f$ that represent the ith gene of the mother chromosome and father chromosome, respectively. Then, the weights of the changed genes are updated according to the fitness gain. In mutation, the weaker a gene is, the more likely it is to mutate. Also, the weight of the changed gene is updated.

A heuristic algorithm, degree first deception (DFP), is proposed [4]. It assumes that nodes with a large degree have a greater impact on the community structure. Therefore, it prioritizes the deletion of intra-community edges between large-degree and small-degree nodes and the addition of inter-community edges with large-degree nodes. That is, it sorts the edges using the following rule:

$$S(u,v)=\left\{\begin{array}{cc}{\displaystyle \frac{min(d_u,d_v)}{max(d_u,d_v)}},\hfill & (u,v)\in E,C_u=C_v\hfill \\ d_u+d_v,\hfill & (u,v)\in \overline{E},C_u\ne C_v.\hfill \end{array}\right.$$

(17)

where E and $\overline{E}$ are all edges and non-existent edges in the graph, $d_x$ is the degree of node x, and $C_x$ is the community that x belongs to. The study [69] later proposes a modified version called DFP-R, which uses the same metric for the addition and removal of edges, but the created edge is chosen to have a vertex in common with the removed edge.

A coevolutionary method [70], called CoeCo, to obfuscate the community structure is offered to also apply on large-scale datasets. It divides the graph into multiple similar-sized subgraphs, and each is optimized separately. In the method, to reduce the search space, initialization is performed. Edges are sorted according to permanence multiplication as in the SAEP [4] for addition and motif weights (the number of triangles containing the edge) for deletion. Two fitness functions are adapted, namely the fitness function for the ith subgraph $f_i=\mathcal{H}\left(sub{G}_i\right)$ defined in Equation (16) [47] and the fitness function for the global graph $f_{glob}=f_1\ast f_2\ast f_3$ introduced in [4]. In the coevolution part, they support each other to identify the optimal set of edges.

Another genetic algorithm-based method for global attack is EPCG [71], which employs two different fitness functions (based on NMI and the difference between an individual and the best one to preserve the population diversity). For better concealment of attack, the number of edge additions and deletions is kept equal. It adopts a co-evolution mechanism with two elite populations to improve evolution.

The study by [72] combines a graph auto-encoder (GAE) and genetic algorithm to deceive community detection algorithms. Initially, small subnetworks are sampled and reconstructed using the GAE with an added community hiding constraint in the loss function. Subsequently, a genetic algorithm is applied to improve the hiding effects through the network, treating each reconstructed subnetwork as an individual. The genetic algorithm fitness function and operators utilized follow those in Chen et al. [2], with elitism retaining the top 15% of individuals.

A heuristic approach based on local structures, namely LSHA, is proposed [69]. It does not depend on the community structure produced by a particular community detection algorithm. Instead, local structures are detected using the local information of nodes. A community can contain multiple local structures. LSHA chooses two local structures (a low degree one and a high degree one) using the modularity concept for attack. Then, to choose the edge in the low-degree structure, an edge vulnerability metric is proposed, which measures the significance of the edge in preserving the structure. It is defined as

$$Vul\left(e\right)={\displaystyle \frac{|N\left(v_i\right)|-|N\left(v_i\right)\cap N_{LS}\left(v_i\right)|+|N\left(v_j\right)|-|N\left(v_j\right)\cap N_{LS}\left(v_j\right)|}{|N\left(v_i\right)|+|N\left(v_j\right)|}}$$

(18)

where e is an edge $(v_i,v_j)$, $N\left(v_x\right)$ is the set of neighbors of $v_x$, and $N_{LS}\left(v_x\right)$ is the set of nodes within the local structure to which $v_x$ belongs. For deletion, the edge with the high vulnerability is chosen, and its lower degree node is chosen for rewiring around it. For addition, the other node is selected from the high degree structure according to the node entropy metric that quantifies the perplexity level of a node for the partition. For a node v, it is defined as

$$Ent\left(v\right)=-\sum _i^M{\displaystyle \frac{|L{S}_i\cap N\left(v\right)|}{\left|N\right(v\left)\right|}}log\left({\displaystyle \frac{|L{S}_i\cap N\left(v\right)|}{\left|N\right(v\left)\right|}}\right)$$

(19)

where $L{S}_i$ is the local structure that has connections with node v and M is the number of such structures. The entropy increase is calculated for each node, and the node with the most increase is selected to connect with.

Table 4. Summary of global attacks.

Ref.	Community Detection Attack	Update	Intra/ Inter	Knowledge Needed	Measure	Comparison	Community Detection Algorithm (**)
[2]	DBA, CDA	EDel, EAdd (Rewire)	✓	Network, CS	Q, NMI	Random-R	gre, inf, lou, eig, lab, n2v, km
	Q-Attack		✗	Network, CS, Q
[47]	REM	EAdd	✓	Network, CS	Jaccard, NMI, Recall	Modularity Min. (MOM), Random-Add	cnm, inf, lou, wal, spi, btw
[7]	EPA	EDel, EAdd (Rewire)	✗	Network, CS	NMI, ARI	Q-Attack, EPA with H, two heuristics	gre, inf, lou, wal, eig, spi
[66]	EDA	EDel, EAdd	✗	Network	NMI	Random, DICE, RLS, DBA	dpw + km
[49]	MPL, Custom Rewiring	EDel, EAdd (Rewire)	✓	Network, CS	Node-centric, NMI, CCs	Ds	gre, cnm, lou, lab, cpm, bis
[67]	Modularity Vitality	EDel, NDel	✗	Network, CS	Modularity Minimization	No	lei
[50]	GCH	EDel, EAdd	✓	Network, CS	NMI, Attack Effic.	Random, DICE, Ds	cnm, inf, lou, wal, eig, spi, btw, lab
[3]	CGN	EDel, EAdd	✓	Network, CS	Q, NMI, BN ($\beta$ * NMI)	Random, DICE, Ds, Q-Attack, NEURAL	cnm, inf, lou, lab
[4]	SAEP, DFP	EDel, EAdd	✓	Network, CS	NMI, VI, SJD	Random, REM, Q-Attack, DFP	cnm, inf, lou, wal, eig, btw
[70]	CoeCo	EDel, EAdd	✓	Network, CS	NMI, ARI	Random, REM, Q-Attack, DFP	cnm, inf, lou, wal, eig, btw
[71]	EPCG	EDel, EAdd $|E^{+}|=|E^{-}|$	✗	Network, CS	NMI, ARI, Purity	Random, CDA, Q-Attack	cnm, lou, wal
[72]	GAE + Genetic alg	EDel, EAdd	✗	Network	NMI, ARI	Random, Barabasi and Albert, CDA, Q-Attack	lou, lab, cpm
[69]	LSHA	EDel, EAdd (Rewire)	✓	Network	NMI, ARI	Random-R, CDA, DBA, DFP-R	cnm, inf, lou, wal, lab
[42]	CH-SNMF	EDel, EAdd (Rewire)	✓	Network, Community number	NMI, ARI	Random, Q-Attack	gre, inf, lou, lab

(**): Greedy [22] (gre), Clauset–Newman–Moore [23] (cnm), Infomap [29] (inf), Louvain [25] (lou), Walktrap [28] (wal), Eigenvectors [16] (eig), SpinGlass [30] (spi), Edge-Betweeness [15] (btw), Label Propagation [31] (lab), Optimal [20] (opt), Node2vec [73] (n2v), K-means [12] (km), DeepWalk [74] (dpw), Clique Percolation Method [32] (cpm), Bisection [14] (bis), Leiden [26] (lei).

summarizes and compares global attack algorithms. For each study, reference of the study, global attack algorithm name(s), update operation, whether intra-/inter-commmunity edges are used or not, knowledge needed (if any prior information is required), and measures used to compare the attack algorithms with the algorithms in the comparison column are specified in the table. The last column shows the short names of the community detection algorithms used in the study. The table shows that in the REM algorithm, modification is performed solely through the addition of edges, while other algorithms, except for the study [67], employ both edge addition and removal to alter the network structure. Rewiring is applied in heuristic approaches, such as DBA, CDA, LSHA, DFP-R, and Custom Rewiring [49]. Although some genetic algorithm-based methods (Q-Attack and EPA) incorporate rewiring, some of them (EDA, CGN, SAEP, CoeCo, EPCG, and GAE+Genetic alg [72]) do not, with the assumption that the genetic algorithm might not achieve its full potential efficiency [3]. Heuristic methods, with the exception of [67], leverage intra-community and inter-community information (intra-community edge deletion and inter-community edge addition) to guide their structural adjustments. While some genetic algorithm-based methods (Q-Attack, EPA, EDA, EPCG, and GAE+Genetic alg) do not utilize intra/inter-community information, recent methods like CGN, SAEP, and CoeCo have integrated it to enhance their effectiveness. Moreover, most global attack methods rely on a community structure, though some methods (EDA, GAE+Genetic alg, and LSHA) are designed to function without prior knowledge of the communities, broadening their applicability in various scenarios. When evaluating the performance of the attack algorithms, NMI emerges as the most frequently used measure, with ARI being the second most commonly employed measure.

4. Discussion and Future Directions

Community detection provides many benefits by uncovering structural insights within networks, but it also presents privacy concerns. Hence, the community detection attack problem has gained prominence, which is investigated across three distinct scales. When the applicability of the attack at each scale is considered, the following conclusions can be drawn:

A target node attack aims to prevent a target node within a network from being identified as part of a specific community. This is achieved by allowing the node to strategically alter its connections to other nodes in the network. Hence, an attack tool can be designed to provide personalized recommendations to escape community detection. For example, the tool might suggest to a user of a social network, “If you remove your connections with users X and Y, your membership in community Z will no longer be detectable [41]”. Nevertheless, concealing a specific target node may be challenging for an individual due to the limitations of resources and the lack of influence over other participants. Moreover, if an attack method depends on knowing about the entire network, its practical application becomes significantly limited in real-world scenarios.

A specific community can act collaboratively to hide its collective existence. In social media platforms like Facebook or Twitter, target community attacks can be implemented through specific actions [6] offered by an attack tool. On Facebook, intra-community edge deletions can be achieved by ‘unfriending’ some members of the target community, whereas inter-community deletions involve breaking ties with individuals outside the community. On Twitter, these actions can be achieved by ‘unfollowing’ the appropriate members inside or outside the community. When it comes to adding connections, intra-community edge additions are straightforward on Facebook, requiring only sending and accepting friend requests. Conversely, adding inter-community edges, which involves identifying new members, can be performed by connecting with individuals from colleagues, classmates, or even random people. On Twitter, this process is performed through the act of ‘following’ other users. However, an attack algorithm might not only require knowledge of the community members and their connections but could also necessitate the community structure discovered from the entire network. Using network-wide knowledge could impose some constraints on the practical applicability of the algorithm.

Attacking at a global scale might be difficult due to the structural changes required throughout the network. Assuming that all nodes within a network can collaborate to manipulate edges—either by deleting or adding them—to avoid detection appears to be less realistic [61]. On the other hand, some systems depend on community detection results, such as recommender systems, and these systems are affected when a general perturbation is made in the network. Therefore, the development of robust detection algorithms is important for such dependent systems. Furthermore, community detection attacks can serve as a robust evaluation index for assessing and comparing the resilience of community detection algorithms against adversarial perturbations [50]. The work [75], which investigates robust community detection, provides examples showing some experiments conducted on networks with adversarial noise produced by certain attacks.

A generic attack algorithm capable of deceiving all community detection methods may be quite challenging since there is no universally accepted or standardized definition of the community. As illustrated in Table 1, Table 2, and Table 4 in Section 3, most attack algorithms are tailored to mislead multiple detection algorithms (e.g., modularity optimization-based, spectral-based, random walk-based, label propagation, etc.). Typically, attacks are designed to target disjoint community detection algorithms, though the study [72] indicates the efficacy of the proposed method against an overlapping algorithm [32] as well. At this point, it is important to mention the transferability of attack algorithms. Since some attack methods rely on the community structure generated by a specific community detection algorithm from a network, their success in deceiving different detection algorithms can be assessed. Thus, this indicates that the use of attack methods with high transferability can effectively protect individuals’ privacy against community detection in practical scenarios.

Different methods, such as genetic algorithms, heuristic approaches, greedy algorithms, reinforcement learning, etc., have been proposed to provide solutions to the problem. Genetic algorithms are promising because of achieving good attack effects. However, the computational requirements may limit their applicability in large graphs. Heuristic algorithms may need less computation but often sacrifice optimality for efficiency. Reinforcement learning methods can yield effective results, whereas applying to large graphs may become a concern.

There are still many unresolved issues in this area. Some potential research directions are explained below:

• Incorporating additional knowledge: Community detection algorithms used in the domain of community detection attacks are mainly restricted to network topology. Nevertheless, real-world networks frequently involve attribute data. Attribute networks combine user attributes with topological data. Future research can explore attack techniques against detection algorithms that consider attribute networks.
• Overlapping communities: Most studies have concentrated mainly on disjoint community detection algorithms in the research of community detection attacks. However, overlapping community detection allows for more flexible and realistic modeling of systems. Although few techniques [76,77] have been introduced to hide target nodes in overlapping areas, attacks at the global scale or target community scale against overlapping community detection algorithms have not yet been investigated. Even target nodes that are not in overlapping areas can be attacked. Exploring such attacks is an important research direction.
• Balancing efficiency and quality: The trade-off between efficiency and solution quality poses a significant limitation for attack algorithms. Achieving the balance between efficiency and solution quality continues to be a critical challenge in progressing this field. Future research should focus on designing new advanced algorithms that offer higher-quality solutions.
• Deception-aware detection: Since community detection algorithms can be misled by strategic manipulation, such as the removal of real links or the introduction of fake ones, deception-aware algorithms can be developed to predict missing links and identify deceptively added links. This can be accomplished by utilizing the network history (containing different snapshots of the network). For instance, analyzing modification of the community structure or detecting anomalies (like a tightly connected community becoming loosely connected after a while) can reveal significant insights.
• Large graphs: Attack algorithms may struggle with scalability issues when applied to large graphs. Among the attack algorithms proposed in the literature, only a limited number have been tested on moderate/large graphs [6,44,47,72]. Implementing global attacks on these graphs, in particular, may be more challenging. Future work in this area will likely involve designing scalable algorithms to handle the large-scale graphs.
• Different network types: An intriguing direction for future exploration lies in applying community detection attack algorithms to different network types like heterogeneous networks, dynamic networks, and multilayer networks.
• Real applications: Adapting attack algorithms to real-life problems is likely to inspire further research, as it may lead to additional problems.

5. Conclusions

Community detection attacks are adversarial attacks that impair the performance of community detection algorithms by imperceptibly modifying the network structure. They have different applications, such as in preventing the detection of community membership information when it is confidential or sensitive or developing more robust community detection algorithms. These attacks operate at three scales: target node, target community, and global, with each scale having a different level of concealment objective. A diverse range of community detection attack algorithms has been offered to achieve network perturbation at these scales. Existing reviews limit their scope to target community attacks, but this survey extends the analysis to encompass community detection attacks across all three scales, offering a more integrated perspective. Additionally, it presents a thorough overview of the performance measures utilized to assess attack algorithms at these three scales, providing valuable guidance for selecting appropriate measures when comparing different algorithms. Moreover, analyzing the community detection algorithms targeted by attacks is crucial for understanding the ones that are commonly employed in this field. This study concludes with a compilation of suggestions for future research opportunities. Ultimately, this study serves as an important resource for researchers to quickly grasp community detection attacks.