Grimm: A Plug-and-Play Perturbation Rectifier for Graph Neural Networks Defending against Poisoning Attacks

Ao Liu, Wenshan Li, Beibei Li, Wengang Ma, Tao Li, Pan Zhou
2024-12-12
Abstract: End-to-end training with global optimization has popularized graph neural networks (GNNs) for node classification, yet inadvertently introduced vulnerabilities to adversarial edge-perturbing attacks. Adversaries can exploit the inherent open interfaces of GNNs' input and output, perturbing critical edges and thus manipulating the classification results. Current defenses, due to their persistent utilization of global-optimization-based end-to-end training schemes, inherently encapsulate the vulnerabilities of GNNs. This is specifically evidenced in their inability to defend against targeted secondary attacks. In this paper, we propose the Graph Agent Network (GAgN) to address the aforementioned vulnerabilities of GNNs. GAgN is a graph-structured agent network in which each node is designed as a 1-hop-view agent. Through the decentralized interactions between agents, they can learn to infer global perceptions to perform tasks including inferring embeddings, degrees and neighbor relationships for given nodes. This empowers nodes to filter adversarial edges while carrying out classification tasks. Furthermore, agents' limited view prevents malicious messages from propagating globally in GAgN, thereby resisting global-optimization-based secondary attacks. We prove that single-hidden-layer multilayer perceptrons (MLPs) are theoretically sufficient to achieve these functionalities. Experimental results show that GAgN effectively implements all its intended capabilities and, compared to state-of-the-art defenses, achieves optimal classification accuracy on the perturbed datasets.
Machine Learning
### What problem does this paper attempt to solve?

This paper aims to solve the vulnerability of Graph Neural Networks (GNNs) to adversarial poisoning attacks in node classification tasks. Specifically, existing defense methods usually need to replace the original GNN model with a specialized defense model, which not only leads to the loss of the original model's characteristics and performance, but also limits the universality and portability of these defense methods.

#### Main problems:

1. **Limitations of existing defense methods**: Most current defense methods require replacing the original GNN with a specific defense model, regardless of the type of the original GNN. Although this approach improves adversarial robustness, it sacrifices the efforts made in previous research to improve the practical performance of GNNs.
2. **Need for non-invasive, plug-and-play defense mechanisms**: In order not to interfere with the functions and characteristics of the original GNN and to maintain its performance, there is an urgent need for a non-invasive, plug-and-play defense mechanism to resist adversarial attacks.

#### Solutions proposed in the paper:

The paper introduces a new plug-and-play defense model named GRIMM (Graph Rectifier for Immunizing Message-passing Mechanism). GRIMM solves the above problems in the following ways:

- **Feature Trajectories (FTs) analysis**: It uses the feature trajectories generated by the GNN during the training process to reflect the training state of the network. It is theoretically proven that the feature trajectories of attacked nodes will show obvious abnormal patterns.
- **Biologically-inspired immune system simulation**: It draws on the natural parallelism of biological nervous systems and immune systems to construct a comprehensive artificial immune system. GRIMM not only detects abnormal feature trajectories but can also correct adversarial edges in real time, and it runs in parallel with the GNN training process.
- **Four major advantages**:
  1. **Harmlessness**: It does not actively interfere with the GNN training process.
  2. **Parallelism**: It ensures that the monitoring, detection, and correction functions are independent of the GNN training process.
  3. **Generalizability**: It is compatible with mainstream GNN models, such as GCN, GAT, and GraphSAGE.
  4. **Transferability**: The abnormal feature trajectory detector can be efficiently transferred between different systems to achieve one-step correction.

#### Formula representation:

Feature Trajectories (FTs) are described as follows:

\[ T_{i,\ell} = [z^{(0)}_{i,\ell}, z^{(1)}_{i,\ell}, \ldots] \]

where \( z^{(t)}_{i,\ell} \) represents the feature vector of the \( i \)-th node at the \( \ell \)-th layer in the \( t \)-th epoch.

Edge Feature Trajectories (Edge FTs) are described as follows:

\[ T_{(i,j),\ell} = [z^{(0)}_{(i,j),\ell}, z^{(1)}_{(i,j),\ell}, \ldots] \]

Through these formulas, GRIMM can monitor and correct adversarial perturbations in the graph structure in real time, thereby improving the robustness and security of GNNs.

In summary, by introducing the GRIMM model, this paper provides a new, non-invasive, plug-and-play defense mechanism, which effectively solves the limitations of existing GNN defense methods and significantly improves the robustness and practicality of GNNs in an adversarial environment.
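The node feature trajectory defined above can be collected by a read-only observer that sits beside the training loop; the sketch below is an added illustration, not code from the paper or from GRIMM. The toy graph, the one-layer GCN and the names `train` and `TrajectoryRecorder` are assumptions made for the example, and edge trajectories and the anomaly detector are left out because the page does not define how they are computed.

```python
import math

# Constructed toy graph: two triangles joined by the edge (2, 3).
EDGES = [(0, 1), (0, 2), (1, 2), (3, 4), (3, 5), (4, 5), (2, 3)]
X = [[1.0, 0.1], [0.9, 0.2], [0.8, 0.0], [0.1, 1.0], [0.0, 0.9], [0.2, 0.8]]
Y = [0, 0, 0, 1, 1, 1]

def norm_adj(n, edges):
    """Symmetric-normalised adjacency with self-loops: D^-1/2 (A + I) D^-1/2."""
    a = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for i, j in edges:
        a[i][j] = a[j][i] = 1.0
    d = [sum(row) for row in a]
    return [[a[i][j] / math.sqrt(d[i] * d[j]) for j in range(n)] for i in range(n)]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def train(edges, epochs=20, lr=0.5, monitor=None):
    """One-layer GCN Z = A_hat X W, gradient descent on softmax cross-entropy."""
    h = matmul(norm_adj(len(X), edges), X)   # A_hat X is fixed for a given graph
    w = [[0.1, -0.1], [-0.1, 0.1]]
    for t in range(epochs):
        z = matmul(h, w)                     # layer output z^(t) for all nodes
        if monitor is not None:
            monitor(t, z)                    # observation only, no feedback
        grad = [[0.0, 0.0], [0.0, 0.0]]
        for i, zi in enumerate(z):
            m = max(zi)
            e = [math.exp(v - m) for v in zi]
            p = [v / sum(e) for v in e]
            for c in range(2):
                g = p[c] - (1.0 if Y[i] == c else 0.0)
                for k in range(2):
                    grad[k][c] += h[i][k] * g / len(z)
        w = [[w[k][c] - lr * grad[k][c] for c in range(2)] for k in range(2)]
    return w

class TrajectoryRecorder:
    """Stores T_i = [z_i^(0), z_i^(1), ...] for every node i (single layer)."""
    def __init__(self):
        self.T = {}
    def __call__(self, t, z):
        for i, zi in enumerate(z):
            self.T.setdefault(i, []).append(list(zi))  # copy, never a reference
```

Passing `monitor=TrajectoryRecorder()` to `train` fills `T` with one vector per node per epoch, and the learned weights are identical to a run without the monitor, which is the harmlessness property in miniature.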