Heng Chang,Yu Rong,Tingyang Xu,Wenbing Huang,Honglei Zhang,Peng Cui,Wenwu Zhu,Junzhou Huang

DOI: https://doi.org/10.1609/aaai.v34i04.5741

2020-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:With the great success of graph embedding model on both academic and industry area, the robustness of graph embedding against adversarial attack inevitably becomes a central problem in graph learning domain. Regardless of the fruitful progress, most of the current works perform the attack in a white-box fashion: they need to access the model predictions and labels to construct their adversarial loss. However, the inaccessibility of model predictions in real systems makes the white-box attack impractical to real graph learning system. This paper promotes current frameworks in a more general and flexible sense – we demand to attack various kinds of graph embedding model with black-box driven. To this end, we begin by investigating the theoretical connections between graph signal processing and graph embedding models in a principled way and formulate the graph embedding model as a general graph signal process with corresponding graph filter. As such, a generalized adversarial attacker: GF-Attack is constructed by the graph filter and feature matrix. Instead of accessing any knowledge of the target classifiers used in graph embedding, GF-Attack performs the attack only on the graph filter in a black-box attack fashion. To validate the generalization of GF-Attack, we construct the attacker on four popular graph embedding models. Extensive experimental results validate the effectiveness of our attacker on several benchmark datasets. Particularly by using our attack, even small graph perturbations like one-edge flip is able to consistently make a strong attack in performance to different graph embedding models.

Jiarong Xu,Yizhou Sun,Xin Jiang,Yanhao Wang,Chunping Wang,Jiangang Lu,Yang Yang

DOI: https://doi.org/10.48550/arxiv.2012.06757

2022-01-01

Abstract:Adversarial attacks on graphs have attracted considerable research interests. Existing works assume the attacker is either (partly) aware of the victim model, or able to send queries to it. These assumptions are, however, unrealistic. To bridge the gap between theoretical graph attacks and real-world scenarios, in this work, we propose a novel and more realistic setting: strict black-box graph attack, in which the attacker has no knowledge about the victim model at all and is not allowed to send any queries. To design such an attack strategy, we first propose a generic graph filter to unify different families of graph-based models. The strength of attacks can then be quantified by the change in the graph filter before and after attack. By maximizing this change, we are able to find an effective attack strategy, regardless of the underlying model. To solve this optimization problem, we also propose a relaxation technique and approximation theories to reduce the difficulty as well as the computational expense. Experiments demonstrate that, even with no exposure to the model, the Macro-F1 drops 6.4% in node classification and 29.5% in graph classification, which is a significant result compared with existent works.

Jiarong Xu,Yang,Junru Chen,Xin Jiang,Chunping Wang,Jiangang Lu,Yizhou Sun

DOI: https://doi.org/10.1609/aaai.v36i4.20349

2020-01-01

Abstract:Unsupervised/self-supervised pre-training methods for graph representation learning have recently attracted increasing research interests, and they are shown to be able to generalize to various downstream applications. Yet, the adversarial robustness of such pre-trained graph learning models remains largely unexplored. More importantly, most existing defense techniques designed for end-to-end graph representation learning methods require pre-specified label definitions, and thus cannot be directly applied to the pre-training methods. In this paper, we propose an unsupervised defense technique to robustify pre-trained deep graph models, so that the perturbations on the input graph can be successfully identified and blocked before the model is applied to different downstream tasks. Specifically, we introduce a mutual information-based measure, graph representation vulnerability (GRV), to quantify the robustness of graph encoders on the representation space. We then formulate an optimization problem to learn the graph representation by carefully balancing the trade-off between the expressive power and the robustness (i.e., GRV) of the graph encoder. The discrete nature of graph topology and the joint space of graph data make the optimization problem intractable to solve. To handle the above difficulty and to reduce computational expense, we further relax the problem and thus provide an approximate solution. Additionally, we explore a provable connection between the robustness of the unsupervised graph encoder and that of models on downstream tasks. Extensive experiments demonstrate that even without access to labels and tasks, our model is still able to enhance robustness against adversarial attacks on three downstream tasks (node classification, link prediction, and community detection) by an average of +16.5% compared with existing methods.

Jiarong Xu,Yizhou Sun,Xin Jiang,Yanhao Wang,Yang Yang,Chunping Wang,Jiangang Lu

DOI: https://doi.org/10.1609/aaai.v36i4.20350

2021-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract: Many graph-based machine learning models are known to be vulnerable to adversarial attacks, where even limited perturbations on input data can result in dramatic performance deterioration. Most existing works focus on moderate settings in which the attacker is either aware of the model structure and parameters (white-box), or able to send queries to fetch model information. In this paper, we propose a query-free black-box adversarial attack on graphs, in which the attacker has no knowledge of the target model and no query access to the model. With the mere observation of the graph topology, the proposed attack strategy flips a limited number of links to mislead the graph models. We prove that the impact of the flipped links on the target model can be quantified by spectral changes, and thus be approximated using the eigenvalue perturbation theory. Accordingly, we model the proposed attack strategy as an optimization problem, and adopt a greedy algorithm to select the links to be flipped. Due to its simplicity and scalability, the proposed model is not only generic in various graph-based models, but can be easily extended when different knowledge levels are accessible as well. Extensive experiments demonstrate the effectiveness and efficiency of the proposed model on various downstream tasks, as well as several different graph-based learning models.

Jinyin Chen,Xiang Lin,Dunjie Zhang,Wenrong Jiang,Guohan Huang,Hui Xiong,Yun Xiang

DOI: https://doi.org/10.48550/arXiv.2102.12284

2021-02-24

Abstract:Deep learning is effective in graph analysis. It is widely applied in many related areas, such as link prediction, node classification, community detection, and graph classification etc. Graph embedding, which learns low-dimensional representations for vertices or edges in the graph, usually employs deep models to derive the embedding vector. However, these models are vulnerable. We envision that graph embedding methods based on deep models can be easily attacked using adversarial examples. Thus, in this paper, we propose Graphfool, a novel targeted label adversarial attack on graph embedding. It can generate adversarial graph to attack graph embedding methods via classifying boundary and gradient information in graph convolutional network (GCN). Specifically, we perform the following steps: 1),We first estimate the classification boundaries of different classes. 2), We calculate the minimal perturbation matrix to misclassify the attacked vertex according to the target classification boundary. 3), We modify the adjacency matrix according to the maximal absolute value of the disturbance matrix. This process is implemented iteratively. To the best of our knowledge, this is the first targeted label attack technique. The experiments on real-world graph networks demonstrate that Graphfool can derive better performance than state-of-art techniques. Compared with the second best algorithm, Graphfool can achieve an average improvement of 11.44% in attack success rate.

Machine Learning,Cryptography and Security

Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Hanjun Dai,Hui Li,Tian Tian,Xin Huang,Lin Wang,Jun Zhu,Le Song

DOI: https://doi.org/10.48550/arXiv.1806.02371

IF: 5.414

2018-06-06

Machine Learning

Abstract:Deep learning on graph structures has shown exciting results in various applications. However, few attentions have been paid to the robustness of such models, in contrast to numerous research work for image or text adversarial attack and defense. In this paper, we focus on the adversarial attacks that fool the model by modifying the combinatorial structure of data. We first propose a reinforcement learning based attack method that learns the generalizable attack policy, while only requiring prediction labels from the target classifier. Also, variants of genetic algorithms and gradient methods are presented in the scenario where prediction confidence or gradients are available. We use both synthetic and real-world data to show that, a family of Graph Neural Network models are vulnerable to these attacks, in both graph-level and node-level classification tasks. We also show such attacks can be used to diagnose the learned classifiers.

Jinyin Chen,Dunjie Zhang,Xiang Lin

DOI: https://doi.org/10.1007/978-981-15-9031-3_7

2020-01-01

Abstract:Graph embedding method learns the low-dimensional representation of graph data, which facilitates downstream graph analysis tasks, such as node classification, graph classification, link prediction and community detection. With the in-depth study of graph analysis tasks, the issues of excessive data mining by graph embedding methods have become increasingly prominent, a number of graph embedding attack methods have been put forward. Inspired by promising performance of generative adversarial network, this paper proposes an adaptive graph adversarial attack framework based on generative adversarial network (AGA-GAN). We use the game between a generator and two discriminators with different functions to iteratively generate the adversarial graph. Specifically, AGA-GAN generates the adversarial subgraph according to different attack strategies to rewire the corresponding parts in the original graph, and finally form the whole adversarial graph. To address the scalability problem of existing graph embedding attack methods, we consider the adaptively selected K-hop neighbor subgraph as the attack target instead of the original graph. Experimental study on real graph datasets verifies that the AGA-GAN can achieve state-of-the-art attack performance in most node classifications.

Zhengyi Wang,Zhongkai Hao,Hang Su,Jun Zhu

2021-01-01

Abstract:While deep neural networks have achieved great success on the graph analysis, recent works have shown that they are also vulnerable to adversarial attacks where fraudulent users can fool the model with a limited number of queries. Compared with adversarial attacks on image classification, performing adversarial attack on graphs is challenging because of the discrete and non-differential nature of a graph. To address these issues, we proposed Cluster Attack, a novel adversarial attack by introducing a set of fake nodes to the original graph which can mislead the classification on certain victim nodes. Specifically, we query the victim model for each victim node to acquire their most adversarial feature, which is related to how the fake node’s feature will affect the victim nodes. We further cluster the victim nodes into several subgroups according to their most adversarial features such that we can reduce the searching space. Moreover, our attack is performed in a practical and unnoticeable manner: (1) We protect the predicted labels of nodes which we are not aimed for from being changed during attack. (2) We attack by introducing fake nodes into the original graph without changing existing links and features. (3) We attack with only partial information about the attacked graph, i.e., by leveraging the information of victim nodes along with their neighbors within k-hop instead of the whole graph. (4) We perform attack with a limited number of queries about the predicted scores of the model in a blackbox manner, i.e., without model architecture and parameters. Extensive experiments demonstrate the effectiveness of our method in terms of the success rate of attack. Department of Computer Science and Technology, Tsinghua University, China. Correspondence to: Zhengyi Wang <wangzy21@mails.tsinghua.edu.cn>. x x x

Jianxin Li,Xingcheng Fu,Hao Peng,Senzhang Wang,Shijie Zhu,Qingyun Sun,Philip S. Yu,Lifang He

DOI: https://doi.org/10.48550/arXiv.2105.10651

2021-05-22

Abstract:Graph embedding is essential for graph mining tasks. With the prevalence of graph data in real-world applications, many methods have been proposed in recent years to learn high-quality graph embedding vectors various types of graphs. However, most existing methods usually randomly select the negative samples from the original graph to enhance the training data without considering the noise. In addition, most of these methods only focus on the explicit graph structures and cannot fully capture complex semantics of edges such as various relationships or asymmetry. In order to address these issues, we propose a robust and generalized framework for adversarial graph embedding based on generative adversarial networks. Inspired by generative adversarial network, we propose a robust and generalized framework for adversarial graph embedding, named AGE. AGE generates the fake neighbor nodes as the enhanced negative samples from the implicit distribution, and enables the discriminator and generator to jointly learn each node's robust and generalized representation. Based on this framework, we propose three models to handle three types of graph data and derive the corresponding optimization algorithms, i.e., UG-AGE and DG-AGE for undirected and directed homogeneous graphs, respectively, and HIN-AGE for heterogeneous information networks. Extensive experiments show that our methods consistently and significantly outperform existing state-of-the-art methods across multiple graph mining tasks, including link prediction, node classification, and graph reconstruction.

Machine Learning,Social and Information Networks

Jinyin Chen,Yangyang Wu,Xuanheng Xu,Yixian Chen,Haibin Zheng,Qi Xuan

2018-01-01

Abstract:Network embedding maps a network into a low-dimensional Euclidean space, and thus facilitate many network analysis tasks, such as node classification, link prediction and community detection etc, by utilizing machine learning methods. In social networks, we may pay special attention to user privacy, and would like to prevent some target nodes from being identified by such network analysis methods in certain cases. Inspired by successful adversarial attack on deep learning models, we propose a framework to generate adversarial networks based on the gradient information in Graph Convolutional Network (GCN). In particular, we extract the gradient of pairwise nodes based on the adversarial network, and select the pair of nodes with maximum absolute gradient to realize the Fast Gradient Attack (FGA) and update the adversarial network. This process is implemented iteratively and terminated until certain condition is satisfied, i.e., the number of modified links reaches certain predefined value. Comprehensive attacks, including unlimited attack, direct attack and indirect attack, are performed on six well-known network embedding methods. The experiments on real-world networks suggest that our proposed FGA behaves better than some baseline methods, i.e., the network embedding can be easily disturbed using FGA by only rewiring few links, achieving state-of-the-art attack performance.

Xin Wang,Heng Chang,Beini Xie,Tian Bian,Shiji Zhou,Daixin Wang,Zhiqiang Zhang,Wenwu Zhu

DOI: https://doi.org/10.48550/arXiv.2208.06651

2023-09-06

Abstract:Graph neural networks (GNNs) have achieved tremendous success in the task of graph classification and its diverse downstream real-world applications. Despite the huge success in learning graph representations, current GNN models have demonstrated their vulnerability to potentially existent adversarial examples on graph-structured data. Existing approaches are either limited to structure attacks or restricted to local information, urging for the design of a more general attack framework on graph classification, which faces significant challenges due to the complexity of generating local-node-level adversarial examples using the global-graph-level information. To address this "global-to-local" attack challenge, we present a novel and general framework to generate adversarial examples via manipulating graph structure and node features. Specifically, we make use of Graph Class Activation Mapping and its variant to produce node-level importance corresponding to the graph classification task. Then through a heuristic design of algorithms, we can perform both feature and structure attacks under unnoticeable perturbation budgets with the help of both node-level and subgraph-level importance. Experiments towards attacking four state-of-the-art graph classification models on six real-world benchmarks verify the flexibility and effectiveness of our framework.

Social and Information Networks,Cryptography and Security,Machine Learning

Heng Chang,Yu Rong,Tingyang Xu,Yatao Bian,Shiji Zhou,Xin Wang,Junzhou Huang,Wenwu Zhu

2021-01-01

Abstract:Graph Convolutional Networks (GCNs) are promising deep learning approaches in learning representations for graph-structured data. Despite the proliferation of such methods, it is well known that they are vulnerable to carefully crafted adversarial attacks on the graph structure. In this paper, we first conduct an adversarial vulnerability analysis based on matrix perturbation theory. We prove that the low-frequency components of the symmetric normalized Laplacian, which is usually used as the convolutional filter in GCNs, could be more robust against structural perturbations when their eigenvalues fall into a certain robust interval. Our results indicate that not all low-frequency components are robust to adversarial attacks and provide a deeper understanding of the relationship between graph spectrum and robustness of GCNs. Motivated by the theory, we present GCN-LFR3, a general robust co-training paradigm for GCN-based models, that encourages transferring the robustness of low-frequency components with an auxiliary neural network. To this end, GCN-LFR could enhance the robustness of various kinds of GCN-based models against poisoning structural attacks in a plug-and-play manner. Extensive experiments across five benchmark datasets and five GCN-based models also confirm that GCN-LFR is resistant to the adversarial attacks without compromising on performance in the benign situation.

Dunjie Zhang

DOI: https://doi.org/10.1109/tnse.2021.3127557

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Graph neural networks (GNNs) have been successfully exploited in graph analysis tasks in many real-world applications. The competition between attack and defense methods also enhances the robustness of GNNs. In this competition, the development of adversarial training methods put forward higher requirement for the diversity of attack examples. By contrast, most attack methods with specific attack strategies are difficult to satisfy such a requirement. To address this problem, we propose GraphAttacker, a novel generic graph attack framework that can flexibly adjust the structures and the attack strategies according to the graph analysis tasks. GraphAttacker generates adversarial examples through alternate training on three key components: the multi-strategy attack generator (MAG), the similarity discriminator (SD), and the attack discriminator (AD), based on the generative adversarial network (GAN). Furthermore, we introduce a novel similarity modification rate SMR to conduct a stealthier attack considering the change of node similarity distribution. Experiments on various benchmark datasets demonstrate that GraphAttacker can achieve state-of-the-art attack performance on graph analysis tasks of node classification, graph classification, and link prediction, no matter the adversarial training is conducted or not. Moreover, we also analyze the unique characteristics of each task and their specific response in the unified attack framework. The project code is available at https://github.com/honoluluuuu/GraphAttacker.

Zhili Qin,Han Wang,Zhongjing Yu,Qinli Yang,Junming Shao

DOI: https://doi.org/10.1016/j.ins.2024.120942

IF: 8.1

2024-06-23

Information Sciences

Abstract:The quality of graphs directly affects the result of graph embedding since most existing models are vulnerable and highly sensitive to harmful/missing edges and imperceptible attacks. In this study, we propose a new robust graph embedding approach from a different point of view: Attack-aid Graph Denoising (AGD). AGD mitigates the impact of harmful and missing edges by leveraging adversarial attacks. Initially, AGD generates some auxiliary attacks on the topology by investigating their harm to classification accuracy. Subsequently, we derive a denoised adjacency matrix by removing these similar harmful edges and supplementing missing edges with flipping operations. Finally, we further extract the knowledge of topology to eliminate the influence of remaining harmful edges on the final embedding with Kullback-Leibler divergence. Extensive experiments have demonstrated that AGD not only shows its superiority over many state-of-the-art algorithms on the classification tasks but is also robust to various attacks.

computer science, information systems

Jintang Li,Tao Xie,Liang Chen,Fenfang Xie,Xiangnan He,Zibin Zheng

DOI: https://doi.org/10.1109/tkde.2021.3078755

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Recent studies have shown that graph neural networks (GNNs) are vulnerable against perturbations due to lack of robustness and can therefore be easily fooled. Currently, most works on attacking GNNs are mainly using gradient information to guide the attack and achieve outstanding performance. However, the high complexity of time and space makes them unmanageable for large scale graphs and becomes the major bottleneck that prevents the practical usage. We argue that the main reason is that they have to use the whole graph for attacks, resulting in the increasing time and space complexity as the data scale grows. In this work, we propose an efficient Simplified Gradient-based Attack (SGA) method to bridge this gap. SGA can cause the GNNs to misclassify specific target nodes through a multi-stage attack framework, which needs only a much smaller subgraph. In addition, we present a practical metric named Degree Assortativity Change (DAC) to measure the impacts of adversarial attacks on graph data. We evaluate our attack method on four real-world graph networks by attacking several commonly used GNNs. The experimental results demonstrate that SGA can achieve significant time and memory efficiency improvements while maintaining competitive attack performance compared to state-of-art attack techniques.

Yu Chen,Zhiling Luo,Sha Zhao,Ying Li,Jianwei Yin

2020-01-01

Abstract:Deep neural network models for graph structures have achieved great performance on many tasks, e.g. node classification and link prediction. Despite the success on performance, deep neural network models’ robustness has attracted much attention in recent years. Previous researches have shown that these models can be attacked by manipulating existing edges and features. Changing the edges and features, however, is hard in practice due to the restrict security policies. We witness that adding fake nodes is a more accessible way to attack the models. In this work, we study the adversarial attacks on graph structures by adding fake nodes to change the classification result on the target node. We propose a reinforcement learning method, g-Faker, for black-box attack, and a gradient-based greedy method, GradAtt, for white-box attack, both of which are designed to add fake nodes to graphs. The experimental results on multiple datasets demonstrate the effectiveness and the transferability of our methods.

He Zhao,Zhiwei Zeng,Yongwei Wang,Deheng Ye,Chunyan Miao

2024-01-18

Abstract:Heterogeneous Graph Neural Networks (HGNNs) are increasingly recognized for their performance in areas like the web and e-commerce, where resilience against adversarial attacks is crucial. However, existing adversarial attack methods, which are primarily designed for homogeneous graphs, fall short when applied to HGNNs due to their limited ability to address the structural and semantic complexity of HGNNs. This paper introduces HGAttack, the first dedicated gray box evasion attack method for heterogeneous graphs. We design a novel surrogate model to closely resemble the behaviors of the target HGNN and utilize gradient-based methods for perturbation generation. Specifically, the proposed surrogate model effectively leverages heterogeneous information by extracting meta-path induced subgraphs and applying GNNs to learn node embeddings with distinct semantics from each subgraph. This approach improves the transferability of generated attacks on the target HGNN and significantly reduces memory costs. For perturbation generation, we introduce a semantics-aware mechanism that leverages subgraph gradient information to autonomously identify vulnerable edges across a wide range of relations within a constrained perturbation budget. We validate HGAttack's efficacy with comprehensive experiments on three datasets, providing empirical analyses of its generated perturbations. Outperforming baseline methods, HGAttack demonstrated significant efficacy in diminishing the performance of target HGNN models, affirming the effectiveness of our approach in evaluating the robustness of HGNNs against adversarial attacks.

Machine Learning,Cryptography and Security,Information Retrieval

Jiaming Mu,Binghui Wang,Qi Li,Kun Sun,Mingwei Xu,Zhuotao Liu

DOI: https://doi.org/10.1145/3460120.3484796

2021-01-01

Abstract:Graph Neural Networks (GNNs) have achieved state-of-the-art performance in various graph structure related tasks such as node classification and graph classification. However, GNNs are vulnerable to adversarial attacks. Existing works mainly focus on attacking GNNs for node classification; nevertheless, the attacks against GNNs for graph classification have not been well explored. In this work, we conduct a systematic study on adversarial attacks against GNNs for graph classification via perturbing the graph structure. In particular, we focus on the most challenging attack, i.e., hard label black-box attack, where an attacker has no knowledge about the target GNN model and can only obtain predicted labels through querying the target model.To achieve this goal, we formulate our attack as an optimization problem, whose objective is to minimize the number of edges to be perturbed in a graph while maintaining the high attack success rate. The original optimization problem is intractable to solve, and we relax the optimization problem to be a tractable one, which is solved with theoretical convergence guarantee. We also design a coarse-grained searching algorithm and a query-efficient gradient computation algorithm to decrease the number of queries to the target GNN model. Our experimental results on three real-world datasets demonstrate that our attack can effectively attack representative GNNs for graph classification with less queries and perturbations. We also evaluate the effectiveness of our attack under two defenses: one is well-designed adversarial graph detector and the other is that the target GNN model itself is equipped with a defense to prevent adversarial graph generation. Our experimental results show that such defenses are not effective enough, which highlights more advanced defenses.

Shen Wang,Zhengzhang Chen,Jingchao Ni,Xiao Yu,Zhichun Li,Haifeng Chen,Philip S. Yu

DOI: https://doi.org/10.48550/arXiv.1905.03679

2019-05-11

Abstract:Graph neural network (GNN), as a powerful representation learning model on graph data, attracts much attention across various disciplines. However, recent studies show that GNN is vulnerable to adversarial attacks. How to make GNN more robust? What are the key vulnerabilities in GNN? How to address the vulnerabilities and defense GNN against the adversarial attacks? In this paper, we propose DefNet, an effective adversarial defense framework for GNNs. In particular, we first investigate the latent vulnerabilities in every layer of GNNs and propose corresponding strategies including dual-stage aggregation and bottleneck perceptron. Then, to cope with the scarcity of training data, we propose an adversarial contrastive learning method to train the GNN in a conditional GAN manner by leveraging the high-level graph representation. Extensive experiments on three public datasets demonstrate the effectiveness of DefNet in improving the robustness of popular GNN variants, such as Graph Convolutional Network and GraphSAGE, under various types of adversarial attacks.

Machine Learning,Cryptography and Security