Provable Robustness of (Graph) Neural Networks Against Data Poisoning and Backdoor Attacks

Lukas Gosch, Mahalakshmi Sabanayagam, Debarghya Ghoshdastidar, Stephan Günnemann
2024-10-14
Abstract: Generalization of machine learning models can be severely compromised by data poisoning, where adversarial changes are applied to the training data. This vulnerability has led to interest in certifying (i.e., proving) that such changes up to a certain magnitude do not affect test predictions. We, for the first time, certify Graph Neural Networks (GNNs) against poisoning attacks, including backdoors, targeting the node features of a given graph. Our certificates are white-box and based upon $(i)$ the neural tangent kernel, which characterizes the training dynamics of sufficiently wide networks; and $(ii)$ a novel reformulation of the bilevel optimization problem describing poisoning as a mixed-integer linear program. Consequently, we leverage our framework to provide fundamental insights into the role of graph structure and its connectivity on the worst-case robustness behavior of convolution-based and PageRank-based GNNs. We note that our framework is more general and constitutes the first approach to derive white-box poisoning certificates for NNs, which can be of independent interest beyond graph-related tasks.
Machine Learning, Cryptography and Security
What problem does this paper attempt to address?
The paper addresses the robustness of machine learning models against data poisoning and backdoor attacks, i.e., adversarial modifications of the training data. Specifically, the authors propose the first white-box certification method for poisoning and backdoor attacks that perturb the node features of a graph processed by a Graph Neural Network (GNN); the same framework applies to general neural networks (NNs). The method rests on the Neural Tangent Kernel (NTK), which characterizes the training dynamics of sufficiently wide networks, and on reformulating the bilevel optimization problem that describes poisoning as a Mixed-Integer Linear Program (MILP). The main contributions are:

1. **A new certification framework** (called QPCert) that proves the robustness of GNNs against data poisoning and backdoor attacks in node classification. It uses the NTK to capture the training dynamics of the network and is applicable to general neural networks, with the caveat that the certificates are derived in the NTK (wide-network) regime.
2. **An analysis of how graph data and architecture choices affect robustness.** Using the white-box certificates, the authors systematically analyze, for the first time, the worst-case robustness of different architectures (convolution-based and PageRank-based GNNs) under data poisoning and backdoor attacks.
3. **A new reformulation of the bilevel optimization problem** as an MILP, which also yields white-box certificates for kernel-based learners such as Support Vector Machines (SVMs). Although the paper focuses on the NTK as the kernel, the reformulation extends to other kernel choices.

The experimental section demonstrates the effectiveness of QPCert on several datasets (Cora-ML, WikiCS, and graphs generated from Contextual Stochastic Block Models), evaluating the robustness of different GNN models (GCN, SGC, (A)PPNP, GIN, GraphSAGE, etc.) against several types of attacks. Through these experiments, the paper not only validates the proposed method but also shows that graph structure and connectivity have a significant effect on worst-case robustness.