Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Jiaming Mu,Binghui Wang,Qi Li,Kun Sun,Mingwei Xu,Zhuotao Liu

DOI: https://doi.org/10.1145/3460120.3484796

2021-01-01

Abstract:Graph Neural Networks (GNNs) have achieved state-of-the-art performance in various graph structure related tasks such as node classification and graph classification. However, GNNs are vulnerable to adversarial attacks. Existing works mainly focus on attacking GNNs for node classification; nevertheless, the attacks against GNNs for graph classification have not been well explored. In this work, we conduct a systematic study on adversarial attacks against GNNs for graph classification via perturbing the graph structure. In particular, we focus on the most challenging attack, i.e., hard label black-box attack, where an attacker has no knowledge about the target GNN model and can only obtain predicted labels through querying the target model.To achieve this goal, we formulate our attack as an optimization problem, whose objective is to minimize the number of edges to be perturbed in a graph while maintaining the high attack success rate. The original optimization problem is intractable to solve, and we relax the optimization problem to be a tractable one, which is solved with theoretical convergence guarantee. We also design a coarse-grained searching algorithm and a query-efficient gradient computation algorithm to decrease the number of queries to the target GNN model. Our experimental results on three real-world datasets demonstrate that our attack can effectively attack representative GNNs for graph classification with less queries and perturbations. We also evaluate the effectiveness of our attack under two defenses: one is well-designed adversarial graph detector and the other is that the target GNN model itself is equipped with a defense to prevent adversarial graph generation. Our experimental results show that such defenses are not effective enough, which highlights more advanced defenses.

Shen Wang,Zhengzhang Chen,Jingchao Ni,Xiao Yu,Zhichun Li,Haifeng Chen,Philip S. Yu

DOI: https://doi.org/10.48550/arXiv.1905.03679

2019-05-11

Abstract:Graph neural network (GNN), as a powerful representation learning model on graph data, attracts much attention across various disciplines. However, recent studies show that GNN is vulnerable to adversarial attacks. How to make GNN more robust? What are the key vulnerabilities in GNN? How to address the vulnerabilities and defense GNN against the adversarial attacks? In this paper, we propose DefNet, an effective adversarial defense framework for GNNs. In particular, we first investigate the latent vulnerabilities in every layer of GNNs and propose corresponding strategies including dual-stage aggregation and bottleneck perceptron. Then, to cope with the scarcity of training data, we propose an adversarial contrastive learning method to train the GNN in a conditional GAN manner by leveraging the high-level graph representation. Extensive experiments on three public datasets demonstrate the effectiveness of DefNet in improving the robustness of popular GNN variants, such as Graph Convolutional Network and GraphSAGE, under various types of adversarial attacks.

Machine Learning,Cryptography and Security

Xinglong Chang,Gillian Dobbie,Jörg Wicker

2023-10-17

Abstract:Machine learning models are increasingly used in fields that require high reliability such as cybersecurity. However, these models remain vulnerable to various attacks, among which the adversarial label-flipping attack poses significant threats. In label-flipping attacks, the adversary maliciously flips a portion of training labels to compromise the machine learning model. This paper raises significant concerns as these attacks can camouflage a highly skewed dataset as an easily solvable classification problem, often misleading machine learning practitioners into lower defenses and miscalculations of potential risks. This concern amplifies in tabular data settings, where identifying true labels requires expertise, allowing malicious label-flipping attacks to easily slip under the radar. To demonstrate this risk is inherited in the adversary's objective, we propose FALFA (Fast Adversarial Label-Flipping Attack), a novel efficient attack for crafting adversarial labels. FALFA is based on transforming the adversary's objective and employs linear programming to reduce computational complexity. Using ten real-world tabular datasets, we demonstrate FALFA's superior attack potential, highlighting the need for robust defenses against such threats.

Machine Learning

Jintang Li,Tao Xie,Liang Chen,Fenfang Xie,Xiangnan He,Zibin Zheng

DOI: https://doi.org/10.1109/tkde.2021.3078755

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Recent studies have shown that graph neural networks (GNNs) are vulnerable against perturbations due to lack of robustness and can therefore be easily fooled. Currently, most works on attacking GNNs are mainly using gradient information to guide the attack and achieve outstanding performance. However, the high complexity of time and space makes them unmanageable for large scale graphs and becomes the major bottleneck that prevents the practical usage. We argue that the main reason is that they have to use the whole graph for attacks, resulting in the increasing time and space complexity as the data scale grows. In this work, we propose an efficient Simplified Gradient-based Attack (SGA) method to bridge this gap. SGA can cause the GNNs to misclassify specific target nodes through a multi-stage attack framework, which needs only a much smaller subgraph. In addition, we present a practical metric named Degree Assortativity Change (DAC) to measure the impacts of adversarial attacks on graph data. We evaluate our attack method on four real-world graph networks by attacking several commonly used GNNs. The experimental results demonstrate that SGA can achieve significant time and memory efficiency improvements while maintaining competitive attack performance compared to state-of-art attack techniques.

Jinyin Chen,Yangyang Wu,Xiang Lin,Qi Xuan

DOI: https://doi.org/10.48550/arXiv.1903.05994

2019-03-11

Abstract:Machine learning has been successfully applied to complex network analysis in various areas, and graph neural networks (GNNs) based methods outperform others. Recently, adversarial attack on networks has attracted special attention since carefully crafted adversarial networks with slight perturbations on clean network may invalid lots of network applications, such as node classification, link prediction, and community detection etc. Such attacks are easily constructed with serious security threat to various analyze methods, including traditional methods and deep models. To the best of our knowledge, it is the first time that defense method against network adversarial attack is discussed. In this paper, we are interested in the possibility of defense against adversarial attack on network, and propose defense strategies for GNNs against attacks. First, we propose novel adversarial training strategies to improve GNNs' defensibility against attacks. Then, we analytically investigate the robustness properties for GNNs granted by the use of smooth defense, and propose two special smooth defense strategies: smoothing distillation and smoothing cross-entropy loss function. Both of them are capable of smoothing gradient of GNNs, and consequently reduce the amplitude of adversarial gradients, which benefits gradient masking from attackers. The comprehensive experiments show that our proposed strategies have great defensibility against different adversarial attacks on four real-world networks in different network analyze tasks.

Social and Information Networks,Physics and Society

Jinyin Chen,Xiang Lin,Dunjie Zhang,Wenrong Jiang,Guohan Huang,Hui Xiong,Yun Xiang

DOI: https://doi.org/10.48550/arXiv.2102.12284

2021-02-24

Abstract:Deep learning is effective in graph analysis. It is widely applied in many related areas, such as link prediction, node classification, community detection, and graph classification etc. Graph embedding, which learns low-dimensional representations for vertices or edges in the graph, usually employs deep models to derive the embedding vector. However, these models are vulnerable. We envision that graph embedding methods based on deep models can be easily attacked using adversarial examples. Thus, in this paper, we propose Graphfool, a novel targeted label adversarial attack on graph embedding. It can generate adversarial graph to attack graph embedding methods via classifying boundary and gradient information in graph convolutional network (GCN). Specifically, we perform the following steps: 1),We first estimate the classification boundaries of different classes. 2), We calculate the minimal perturbation matrix to misclassify the attacked vertex according to the target classification boundary. 3), We modify the adjacency matrix according to the maximal absolute value of the disturbance matrix. This process is implemented iteratively. To the best of our knowledge, this is the first targeted label attack technique. The experiments on real-world graph networks demonstrate that Graphfool can derive better performance than state-of-art techniques. Compared with the second best algorithm, Graphfool can achieve an average improvement of 11.44% in attack success rate.

Machine Learning,Cryptography and Security

Jinyin Chen,Huiling Xu,Jinhuan Wang,Qi Xuan,Xuhong Zhang

DOI: https://doi.org/10.1145/3411501.3419424

2020-01-01

Abstract:Graph Neural Networks (GNNs) has achieved tremendous development on perceptual tasks in recent years, such as node classification, graph classification, link prediction, etc. However, recent studies show that deep learning models of GNNs are incredibly vulnerable to adversarial attacks, so enhancing the robustness of such models remains a significant challenge. In this paper, we propose a subgraph based adversarial sample detection against adversarial perturbations. To the best of our knowledge, this is the first work on the adversarial detection in the deep-learning graph classification models, using the Subgraph Networks (SGN) to restructure the graph's features. Moreover, we develop the joint adversarial detector to cope with the more complicated and unknown attacks. Specifically, we first explain how adversarial attacks can easily fool the models and then show that the SGN can facilitate the distinction of adversarial examples generated by state-of-the-art attacks. We experiment on five real-world graph datasets using three different kinds of attack strategies on graph classification. Our empirical results show the effectiveness of our detection method and further explain the SGN's capacity to tell apart malicious graphs.

Marco Arazzi,Mauro Conti,Stefanos Koffas,Marina Krcek,Antonino Nocera,Stjepan Picek,Jing Xu

2024-04-18

Abstract:Federated learning enables collaborative training of machine learning models by keeping the raw data of the involved workers private. Three of its main objectives are to improve the models' privacy, security, and scalability. Vertical Federated Learning (VFL) offers an efficient cross-silo setting where a few parties collaboratively train a model without sharing the same features. In such a scenario, classification labels are commonly considered sensitive information held exclusively by one (active) party, while other (passive) parties use only their local information. Recent works have uncovered important flaws of VFL, leading to possible label inference attacks under the assumption that the attacker has some, even limited, background knowledge on the relation between labels and data. In this work, we are the first (to the best of our knowledge) to investigate label inference attacks on VFL using a zero-background knowledge strategy. To formulate our proposal, we focus on Graph Neural Networks (GNNs) as a target model for the underlying VFL. In particular, we refer to node classification tasks, which are widely studied, and GNNs have shown promising results. Our proposed attack, BlindSage, provides impressive results in the experiments, achieving nearly 100% accuracy in most cases. Even when the attacker has no information about the used architecture or the number of classes, the accuracy remains above 90% in most instances. Finally, we observe that well-known defenses cannot mitigate our attack without affecting the model's performance on the main classification task.

Machine Learning,Cryptography and Security

Xin Wang,Heng Chang,Beini Xie,Tian Bian,Shiji Zhou,Daixin Wang,Zhiqiang Zhang,Wenwu Zhu

DOI: https://doi.org/10.48550/arXiv.2208.06651

2023-09-06

Abstract:Graph neural networks (GNNs) have achieved tremendous success in the task of graph classification and its diverse downstream real-world applications. Despite the huge success in learning graph representations, current GNN models have demonstrated their vulnerability to potentially existent adversarial examples on graph-structured data. Existing approaches are either limited to structure attacks or restricted to local information, urging for the design of a more general attack framework on graph classification, which faces significant challenges due to the complexity of generating local-node-level adversarial examples using the global-graph-level information. To address this "global-to-local" attack challenge, we present a novel and general framework to generate adversarial examples via manipulating graph structure and node features. Specifically, we make use of Graph Class Activation Mapping and its variant to produce node-level importance corresponding to the graph classification task. Then through a heuristic design of algorithms, we can perform both feature and structure attacks under unnoticeable perturbation budgets with the help of both node-level and subgraph-level importance. Experiments towards attacking four state-of-the-art graph classification models on six real-world benchmarks verify the flexibility and effectiveness of our framework.

Social and Information Networks,Cryptography and Security,Machine Learning

Jinyin Chen,Xiang Lin,Hui Xiong,Yangyang Wu,Haibin Zheng,Qi Xuan

DOI: https://doi.org/10.1109/tcss.2020.3042628

2020-01-01

IEEE Transactions on Computational Social Systems

Abstract:Recently, a graph neural network (GNN) was proposed to analyze various graphs/networks, which has been proven to outperform many other network analysis methods. However, it is also shown that such state-of-the-art methods suffer from adversarial attacks, i.e., carefully crafted adversarial networks with slight perturbation on clean one may invalid these methods on lots of applications, such as network embedding, node classification, link prediction, and community detection. Adversarial training has been testified as an efficient defense strategy against adversarial attacks in computer vision and graph mining. However, almost all the algorithms based on adversarial training focus on global defense through overall adversarial training. In a more practical scene, certain users would be targeted to attack, i.e., specific labeled users. It is still a challenge to defend against target node attack by existing adversarial training methods. Therefore, we propose smoothing adversarial training (SAT) to improve the robustness of GNNs. In particular, we analytically investigate the robustness of graph convolutional network (GCN), one of the classic GNNs, and propose two smooth defensive strategies: smoothing distillation and smoothing cross-entropy loss function. Both of them smooth the gradients of GCN and, consequently, reduce the amplitude of adversarial gradients, benefiting gradient masking from attackers in both global attack and target label node attack. The comprehensive experiments on five real-world networks testify that the proposed SAT method shows state-of-the-art defensibility against different adversarial attacks on node classification and community detection. Especially, the average attack success rate of different attack methods can be decreased by about 40% by SAT at the cost of tolerable embedding performance decline of the original network.

Jinyin Chen,Wenbo Mu,Luxin Zhang,Guohan Huang,Haibin Zheng,Yao Cheng

2024-11-05

Abstract:Graph neural network (GNN) has captured wide attention due to its capability of graph representation learning for graph-structured data. However, the distributed data silos limit the performance of GNN. Vertical federated learning (VFL), an emerging technique to process distributed data, successfully makes GNN possible to handle the distributed graph-structured data. Despite the prosperous development of vertical federated graph learning (VFGL), the robustness of VFGL against the adversarial attack has not been explored yet. Although numerous adversarial attacks against centralized GNNs are proposed, their attack performance is challenged in the VFGL scenario. To the best of our knowledge, this is the first work to explore the adversarial attack against VFGL. A query-efficient hybrid adversarial attack framework is proposed to significantly improve the centralized adversarial attacks against VFGL, denoted as NA2, short for Neuron-based Adversarial Attack. Specifically, a malicious client manipulates its local training data to improve its contribution in a stealthy fashion. Then a shadow model is established based on the manipulated data to simulate the behavior of the server model in VFGL. As a result, the shadow model can improve the attack success rate of various centralized attacks with a few queries. Extensive experiments on five real-world benchmarks demonstrate that NA2 improves the performance of the centralized adversarial attacks against VFGL, achieving state-of-the-art performance even under potential adaptive defense where the defender knows the attack method. Additionally, we provide interpretable experiments of the effectiveness of NA2 via sensitive neurons identification and visualization of t-SNE.

Machine Learning

Feilong Cao,Qiyang Chen,Hailiang Ye

DOI: https://doi.org/10.1016/j.knosys.2024.111689

IF: 8.139

2024-03-30

Knowledge-Based Systems

Abstract:Although graph neural networks (GNNs) have been extensively employed in various research fields, they are susceptible to adversarial attacks, as revealed in previous studies. Targeted label attacks, in which the victim node is anticipated to fall into a desired category, are more consistent with practical circumstances than untargeted label attacks. However, there has been relatively little research on them, and existing attackers require access to the target model and do not consider the budget allocation; the budget refers to the maximum number of perturbations permitted. Furthermore, the performance of untargeted label attacks is weakened when they are converted into targeted label attacks. From the perspective of budget allocation, we devise an effective targeted label attack (ETLA). The prior knowledge includes training labels, node features, and the graph structure. The main concept is based on the strategical allocation of a given budget from the search space and optimisation objective. For the search space, a stratified node selection strategy and an adaptive edge choice strategy are developed to capture insertable and removable candidates. The former exploits unlabelled node information through massive pseudo-labels, whereas the latter capitalises on the similarity of node features. Regarding the optimisation objective, a temperature factor is introduced into the attack loss to better direct the flipping of the candidates. After a finite number of perturbations, the final disturbed graph is fed into various target models to evaluate attack performance. Generous trials indicate that our ETLA has excellent attack capability compared with other attack techniques with the same budget.

computer science, artificial intelligence

Felix Mujkanovic,Simon Geisler,Stephan Günnemann,Aleksandar Bojchevski

DOI: https://doi.org/10.48550/arXiv.2301.13694

IF: 5.414

2023-01-31

Machine Learning

Abstract:A cursory reading of the literature suggests that we have made a lot of progress in designing effective adversarial defenses for Graph Neural Networks (GNNs). Yet, the standard methodology has a serious flaw - virtually all of the defenses are evaluated against non-adaptive attacks leading to overly optimistic robustness estimates. We perform a thorough robustness analysis of 7 of the most popular defenses spanning the entire spectrum of strategies, i.e., aimed at improving the graph, the architecture, or the training. The results are sobering - most defenses show no or only marginal improvement compared to an undefended baseline. We advocate using custom adaptive attacks as a gold standard and we outline the lessons we learned from successfully designing such attacks. Moreover, our diverse collection of perturbed graphs forms a (black-box) unit test offering a first glance at a model's robustness.

Haibo Wang,Chuan Zhou,Xin Chen,Jia Wu,Shirui Pan,Zhao Li,Jilong Wang,Philip S. Yu

DOI: https://doi.org/10.1109/tkde.2024.3403925

2024-01-01

Abstract:Graph Neural Networks (GNNs) have achieved impressive performance in many tasks on graph data. Recent studies show that they are vulnerable to adversarial attacks. Deliberate and unnoticeable perturbations on topology structure could render them near-useless in applications. How to design effective methods to improve the robustness of GNNs is a crucial problem. To solve this problem, some works attempt to design more robust GNN models, while others attempt to remove perturbations from the poisoned graph. Different from the previous works, this paper proposes a general framework termed as GraphReshape to enhance the robustness of GNNs via directly correcting the shifted classification boundary of GNN models in the presence of adversarial attacks. GraphReshape consists of two modules: locating tractive nodes that could correct GNNs and reshaping local structure to improve their representations in the latent space. Extensive experiments on four real-world datasets show that GraphReshape achieves significant performance gain compared with state-of-the-art baselines against different adversarial attacks.

Jianfu Zhang,Yan Hong,Dawei Cheng,Liqing Zhang,Qibin Zhao

DOI: https://doi.org/10.1016/j.patcog.2024.110954

IF: 8

2025-01-01

Pattern Recognition

Abstract:Graph Neural Networks (GNNs) have demonstrated remarkable success across diverse fields, yet remain susceptible to subtle adversarial perturbations that significantly degrade performance. Addressing this vulnerability remains a formidable challenge. Current defense strategies focus on edge-specific regularization within adversarial graphs, often overlooking the inter-edge structural dependencies and the interplay of various robustness attributes. This paper introduces a novel tensor-based framework for GNNs, aimed at reinforcing graph robustness against adversarial influences. By employing tensor approximation, our method systematically aggregates and compresses diverse predefined robustness features of adversarial graphs into a low-rank representation. This approach harmoniously combines the integrity of graph structure and robustness characteristics. Comprehensive experiments on real-world graph datasets demonstrate that our framework not only effectively counters diverse types of adversarial attacks but also surpasses existing leading defense mechanisms in performance.

Xiaoyun Wang,Xuanqing Liu,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.1911.04429

IF: 5.414

2019-11-11

Machine Learning

Abstract:In this paper, we study the robustness of graph convolutional networks (GCNs). Despite the good performance of GCNs on graph semi-supervised learning tasks, previous works have shown that the original GCNs are very unstable to adversarial perturbations. In particular, we can observe a severe performance degradation by slightly changing the graph adjacency matrix or the features of a few nodes, making it unsuitable for security-critical applications. Inspired by the previous works on adversarial defense for deep neural networks, and especially adversarial training algorithm, we propose a method called GraphDefense to defend against the adversarial perturbations. In addition, for our defense method, we could still maintain semi-supervised learning settings, without a large label rate. We also show that adversarial training in features is equivalent to adversarial training for edges with a small perturbation. Our experiments show that the proposed defense methods successfully increase the robustness of Graph Convolutional Networks. Furthermore, we show that with careful design, our proposed algorithm can scale to large graphs, such as Reddit dataset.

Xiaodong Yang,Xiaoting Li,Huiyuan Chen,Yiwei Cai

2024-08-20

Abstract:Recent studies show that well-devised perturbations on graph structures or node features can mislead trained Graph Neural Network (GNN) models. However, these methods often overlook practical assumptions, over-rely on heuristics, or separate vital attack components. In response, we present GAIM, an integrated adversarial attack method conducted on a node feature basis while considering the strict black-box setting. Specifically, we define an adversarial influence function to theoretically assess the adversarial impact of node perturbations, thereby reframing the GNN attack problem into the adversarial influence maximization problem. In our approach, we unify the selection of the target node and the construction of feature perturbations into a single optimization problem, ensuring a unique and consistent feature perturbation for each target node. We leverage a surrogate model to transform this problem into a solvable linear programming task, streamlining the optimization process. Moreover, we extend our method to accommodate label-oriented attacks, broadening its applicability. Thorough evaluations on five benchmark datasets across three popular models underscore the effectiveness of our method in both untargeted and label-oriented targeted attacks. Through comprehensive analysis and ablation studies, we demonstrate the practical value and efficacy inherent to our design choices.

Machine Learning,Artificial Intelligence

J. Bolton,H. K. Roud,C. Redekopp,J. Livesey,M. Nicholls,R. Donald

DOI: https://doi.org/10.1055/s-2007-1018802

1983-12-01

Abstract:The hormonal secretory effects of intravenously and intracerebroventricularly administered DAMME have been studied in the sheep. Serum prolactin and growth hormone levels were significantly elevated after i.v. injection of DAMME (14 micrograms kg-1) while a significant and considerably more prolonged increase occurred following i.c.v. administration of 20 micrograms of the analogue. The responses to i.c.v. but not to i.v. injected DAMME were attenuated by prior i.v. injection of naloxone. Administration of DAMME i.c.v. resulted in a detectable concentration in the peripheral circulation within two minutes and maximal levels at 120-150 minutes. No significant changes occurred in circulating concentrations of the pancreatic hormones investigated although there was a trend to somatostatin and pancreatic polypeptide levels being elevated after systemic injection of the analogue.

Hanjun Dai,Hui Li,Tian Tian,Xin Huang,Lin Wang,Jun Zhu,Le Song

DOI: https://doi.org/10.48550/arXiv.1806.02371

IF: 5.414

2018-06-06

Machine Learning

Abstract:Deep learning on graph structures has shown exciting results in various applications. However, few attentions have been paid to the robustness of such models, in contrast to numerous research work for image or text adversarial attack and defense. In this paper, we focus on the adversarial attacks that fool the model by modifying the combinatorial structure of data. We first propose a reinforcement learning based attack method that learns the generalizable attack policy, while only requiring prediction labels from the target classifier. Also, variants of genetic algorithms and gradient methods are presented in the scenario where prediction confidence or gradients are available. We use both synthetic and real-world data to show that, a family of Graph Neural Network models are vulnerable to these attacks, in both graph-level and node-level classification tasks. We also show such attacks can be used to diagnose the learned classifiers.