Tao Wu,Nan Yang,Long Chen,Xiaokui Xiao,Shaojie Qiao,Jun Liu,Xingping Xian

DOI: https://doi.org/10.2139/ssrn.4157770

2022-01-01

SSRN Electronic Journal

Abstract:With recent advancements, graph neural networks (GNNs) have shown great potential in various graph-related tasks and their applications have gained considerable attention. However, the adversarial attacks can significantly degrade the performance of GNN models, hindering the adoption of GNNs in real-world critical tasks. GNNs must be robust against adversarial attacks wherein imperceptible adversarial perturbations are introduced to produce erroneous results. To achieve this goal, we propose a robust graph convolutional network for node classification via data enhancement (ERGCN), able to withstand adversarial attacks. ERGCN simultaneously utilizes properties from the ``data domain'' and ``model space'' as guidance. Based on the feature smoothness assumption, a graph structure enhancement (GSE) mechanism is proposed to detect inconsistencies between node features and graph structure, which enhances the structural reliability of the input graphs. Moreover, according to the distance of input samples to the decision boundary of GNNs, a practical metric, the model boundary distance (MBD), is defined for reliable node selection to enhance the training set of node classification models. Finally, a self-training based robust graph convolutional network is proposed for node classification. Experimental results demonstrate the superiority of our model over existing state-of-the-art methods.

Dingyuan Zhu,Ziwei Zhang,Peng Cui,Wenwu Zhu

DOI: https://doi.org/10.1145/3292500.3330851

2019-01-01

Abstract:Graph Convolutional Networks (GCNs) are an emerging type of neural network model on graphs which have achieved state-of-the-art performance in the task of node classification. However, recent studies show that GCNs are vulnerable to adversarial attacks, i.e. small deliberate perturbations in graph structures and node attributes, which poses great challenges for applying GCNs to real world applications. How to enhance the robustness of GCNs remains a critical open problem. To address this problem, we propose Robust GCN (RGCN), a novel model that "fortifies'' GCNs against adversarial attacks. Specifically, instead of representing nodes as vectors, our method adopts Gaussian distributions as the hidden representations of nodes in each convolutional layer. In this way, when the graph is attacked, our model can automatically absorb the effects of adversarial changes in the variances of the Gaussian distributions. Moreover, to remedy the propagation of adversarial attacks in GCNs, we propose a variance-based attention mechanism, i.e. assigning different weights to node neighborhoods according to their variances when performing convolutions. Extensive experimental results demonstrate that our proposed method can effectively improve the robustness of GCNs. On three benchmark graphs, our RGCN consistently shows a substantial gain in node classification accuracy compared with state-of-the-art GCNs against various adversarial attack strategies.

Qian Tao,Jianpeng Liao,Enze Zhang,Lusi Li

DOI: https://doi.org/10.1016/j.neunet.2024.106276

IF: 7.8

2024-01-01

Neural Networks

Abstract:Graph Neural Networks (GNNs) have gained widespread usage and achieved remarkable success in various real-world applications. Nevertheless, recent studies reveal the vulnerability of GNNs to graph adversarial attacks that fool them by modifying graph structure. This vulnerability undermines the robustness of GNNs and poses significant security and privacy risks across various applications. Hence, it is crucial to develop robust GNN models that can effectively defend against such attacks. One simple approach is to remodel the graph. However, most existing methods cannot fully preserve the similarity relationship among the original nodes while learning the node representation required for reweighting the edges. Furthermore, they lack supervision information regarding adversarial perturbations, hampering their ability to recognize adversarial edges. To address these limitations, we propose a novel Dual Robust Graph Neural Network (DualRGNN) against graph adversarial attacks. DualRGNN first incorporates a node-similarity-preserving graph refining (SPGR) module to prune and refine the graph based on the learned node representations, which contain the original nodes’ similarity relationships, weakening the poisoning of graph adversarial attacks on graph data. DualRGNN then employs an adversarial-supervised graph attention (ASGAT) network to enhance the model’s capability in identifying adversarial edges by treating these edges as supervised signals. Through extensive experiments conducted on four benchmark datasets, DualRGNN has demonstrated remarkable robustness against various graph adversarial attacks.

Hu Weibo,Chen Chuan,Chang Yaomin,Zheng Zibin,Du Yunfei

DOI: https://doi.org/10.1007/s10489-021-02272-y

IF: 5.3

2021-01-01

Applied Intelligence

Abstract:Graph convolutional networks (GCNs), an emerging type of neural network model on graphs, have presented state-of-the-art performance on the node classification task. However, recent studies show that neural networks are vulnerable to the small but deliberate perturbations on input features. And GCNs could be more sensitive to the perturbations since the perturbations from neighbor nodes exacerbate the impact on a target node through the convolution. Adversarial training (AT) is a regularization technique that has been shown capable of improving the robustness of the model against perturbations on image classification. However, directly adopting AT on GCNs is less effective since AT regards examples as independent of each other and does not consider the impact from connected examples. In this work, we explore AT on graph and propose a graph-specific AT method, Directional Graph Adversarial Training (DGAT), which incorporates the graph structure into the adversarial process and automatically identifies the impact of perturbations from neighbor nodes. Concretely, we consider the impact from the connected nodes to define the neighbor perturbation which restricts the perturbation direction on node features towards their neighbor nodes, and additionally introduce an adversarial regularizer to defend the worst-case perturbations. In this way, DGAT can resist the impact of worst-case adversarial perturbations and reduce the impact of perturbations from neighbor nodes. Extensive experiments demonstrate that DGAT can effectively improve the robustness and generalization performance of GCNs. Specially, GCNs with DGAT can provide better performance when there are rare few labels available for training.

Xiaoyun Wang,Xuanqing Liu,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.1911.04429

IF: 5.414

2019-11-11

Machine Learning

Abstract:In this paper, we study the robustness of graph convolutional networks (GCNs). Despite the good performance of GCNs on graph semi-supervised learning tasks, previous works have shown that the original GCNs are very unstable to adversarial perturbations. In particular, we can observe a severe performance degradation by slightly changing the graph adjacency matrix or the features of a few nodes, making it unsuitable for security-critical applications. Inspired by the previous works on adversarial defense for deep neural networks, and especially adversarial training algorithm, we propose a method called GraphDefense to defend against the adversarial perturbations. In addition, for our defense method, we could still maintain semi-supervised learning settings, without a large label rate. We also show that adversarial training in features is equivalent to adversarial training for edges with a small perturbation. Our experiments show that the proposed defense methods successfully increase the robustness of Graph Convolutional Networks. Furthermore, we show that with careful design, our proposed algorithm can scale to large graphs, such as Reddit dataset.

Binghui Wang,Jinyuan Jia,Xiaoyu Cao,Neil Zhenqiang Gong

DOI: https://doi.org/10.1145/3447548.3467295

2021-08-14

Abstract:Graph neural networks (GNNs) have recently gained much attention for node and graph classification tasks on graph-structured data. However, multiple recent works showed that an attacker can easily make GNNs predict incorrectly via perturbing the graph structure, i.e., adding or deleting edges in the graph. We aim to defend against such attacks via developing certifiably robust GNNs. Specifically, we prove the first certified robustness guarantee of any GNN for both node and graph classifications against structural perturbation. Moreover, we show that our certified robustness guarantee is tight. Our results are based on a recently proposed technique called randomized smoothing, which we extend to graph data. We also empirically evaluate our method for both node and graph classifications on multiple GNNs and multiple benchmark datasets. For instance, on the Cora dataset, Graph Convolutional Network with our randomized smoothing can achieve a certified accuracy of 0.49 when the attacker can arbitrarily add/delete at most 15 edges in the graph.

Yingying Wan,Changan Yuan,Mengmeng Zhan,Long Chen

DOI: https://doi.org/10.1016/j.ipm.2022.102916

2022-05-01

Abstract:Graph convolutional network (GCN) is a powerful tool to process the graph data and has achieved satisfactory performance in the task of node classification. In general, GCN uses a fixed graph to guide the graph convolutional operation. However, the fixed graph from the original feature space may contain noises or outliers, which may degrade the effectiveness of GCN. To address this issue, in this paper, we propose a robust graph learning convolutional network (RGLCN). Specifically, we design a robust graph learning model based on the sparse constraint and strong connectivity constraint to achieve the smoothness of the graph learning. In addition, we introduce graph learning model into GCN to explore the representative information, aiming to learning a high-quality graph for the downstream task. Experiments on citation network datasets show that the proposed RGLCN outperforms the existing comparison methods with respect to the task of node classification.

computer science, information systems,information science & library science

Yassine Abbahaddou,Sofiane Ennadir,Johannes F. Lutzeyer,Michalis Vazirgiannis,Henrik Boström

2024-04-27

Abstract:Graph Neural Networks (GNNs) have demonstrated state-of-the-art performance in various graph representation learning tasks. Recently, studies revealed their vulnerability to adversarial attacks. In this work, we theoretically define the concept of expected robustness in the context of attributed graphs and relate it to the classical definition of adversarial robustness in the graph representation learning literature. Our definition allows us to derive an upper bound of the expected robustness of Graph Convolutional Networks (GCNs) and Graph Isomorphism Networks subject to node feature attacks. Building on these findings, we connect the expected robustness of GNNs to the orthonormality of their weight matrices and consequently propose an attack-independent, more robust variant of the GCN, called the Graph Convolutional Orthonormal Robust Networks (GCORNs). We further introduce a probabilistic method to estimate the expected robustness, which allows us to evaluate the effectiveness of GCORN on several real-world datasets. Experimental experiments showed that GCORN outperforms available defense methods. Our code is publicly available at: \href{

Machine Learning,Artificial Intelligence,Cryptography and Security

Yu Zhengfei,Yang Hao,Wang Lin,Sun Lijian,Zhou Yun

DOI: https://doi.org/10.1007/978-3-031-09726-3_15

2022-01-01

Abstract:Graph Neural Networks (GNNs for short), a generalization of neural networks to graph-structured data, performance good in closed setting with perfect data for variety tasks, including node classification, link prediction and graph classification. However, GNNs are vulnerable to adversarial attacks, i.e., a small perturbation to the graph structure and node features in wild setting can lead to non-trivial performance degradation. Non-robustness is one of the main obstacle to applying GNNs in the wild. In this work, we focus on one of the most popular GNNs, Graph Convolutional Networks (GCN for short), and propose Stochastic Activation GCN (SA-GCN for short) to improve the robustness of GCN models. More specifically, we propose building a roust model by directly introducing a regularization term to the objective function and maximizing the feature distribution variance. Extensive experiments show that this simple design makes SA-GCN achieving significantly improved robustness against adversarial attacks. Moreover, our approach generalizes well and can be equipped with various models. Conducted empirical experiments demonstrate the effectiveness of SA-GCN.

Ming Jin,Heng Chang,Wenwu Zhu,Somayeh Sojoudi

DOI: https://doi.org/10.1609/aaai.v35i9.16976

2021-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Graph convolutional networks (GCNs) are powerful tools for graph-structured data. However, they have been recently shown to be vulnerable to topological attacks. To enhance adversarial robustness, we go beyond spectral graph theory to robust graph theory. By challenging the classical graph Laplacian, we propose a new convolution operator that is provably robust in the spectral domain and is incorporated in the GCN architecture to improve expressivity and interpretability. By extending the original graph to a sequence of graphs, we also propose a robust training paradigm that encourages transferability across graphs that span a range of spatial and spectral characteristics. The proposed approaches are demonstrated in extensive experiments to simultaneously improve performance in both benign and adversarial situations.

Xiaobing Pei,Haoran Yang,Gang Shen

DOI: https://doi.org/10.48550/arXiv.2312.04879

2023-12-08

Abstract:Recent studies have shown that attackers can catastrophically reduce the performance of GNNs by maliciously modifying the graph structure or node features on the graph. Adversarial training, which has been shown to be one of the most effective defense mechanisms against adversarial attacks in computer vision, holds great promise for enhancing the robustness of GNNs. There is limited research on defending against attacks by performing adversarial training on graphs, and it is crucial to delve deeper into this approach to optimize its effectiveness. Therefore, based on robust adversarial training on graphs, we propose a hierarchical constraint refinement framework (HC-Ref) that enhances the anti-perturbation capabilities of GNNs and downstream classifiers separately, ultimately leading to improved robustness. We propose corresponding adversarial regularization terms that are conducive to adaptively narrowing the domain gap between the normal part and the perturbation part according to the characteristics of different layers, promoting the smoothness of the predicted distribution of both parts. Moreover, existing research on graph robust adversarial training primarily concentrates on training from the standpoint of node feature perturbations and seldom takes into account alterations in the graph structure. This limitation makes it challenging to prevent attacks based on topological changes in the graph. This paper generates adversarial examples by utilizing graph structure perturbations, offering an effective approach to defend against attack methods that are based on topological changes. Extensive experiments on two real-world graph benchmarks show that HC-Ref successfully resists various attacks and has better node classification performance compared to several baseline methods.

Machine Learning

Chenhui Deng,Xiuyu Li,Zhuo Feng,Zhiru Zhang

DOI: https://doi.org/10.48550/arXiv.2201.12741

2023-01-08

Abstract:Graph neural networks (GNNs) have been increasingly deployed in various applications that involve learning on non-Euclidean data. However, recent studies show that GNNs are vulnerable to graph adversarial attacks. Although there are several defense methods to improve GNN robustness by eliminating adversarial components, they may also impair the underlying clean graph structure that contributes to GNN training. In addition, few of those defense models can scale to large graphs due to their high computational complexity and memory usage. In this paper, we propose GARNET, a scalable spectral method to boost the adversarial robustness of GNN models. GARNET first leverages weighted spectral embedding to construct a base graph, which is not only resistant to adversarial attacks but also contains critical (clean) graph structure for GNN training. Next, GARNET further refines the base graph by pruning additional uncritical edges based on probabilistic graphical model. GARNET has been evaluated on various datasets, including a large graph with millions of nodes. Our extensive experiment results show that GARNET achieves adversarial accuracy improvement and runtime speedup over state-of-the-art GNN (defense) models by up to 13.27% and 14.7x, respectively.

Machine Learning

Mengmei Zhang,Xiao Wang,Meiqi Zhu,Chuan Shi,Zhiqiang Zhang,Jun Zhou

DOI: https://doi.org/10.1609/aaai.v36i4.20357

2022-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Heterogeneous Graph Neural Networks (HGNNs) have drawn increasing attention in recent years and achieved outstanding performance in many tasks. However, despite their wide use, there is currently no understanding of their robustness to adversarial attacks. In this work, we first systematically study the robustness of HGNNs and show that they can be easily fooled by adding the adversarial edge between the target node and large-degree node (i.e., hub). Furthermore, we show two key reasons for such vulnerability of HGNNs: one is perturbation enlargement effect, i.e., HGNNs, failing to encode transiting probability, will enlarge the effect of the adversarial hub in comparison of GCNs, and the other is soft attention mechanism, i.e., such mechanism assigns positive attention values to obviously unreliable neighbors. Based on the two facts, we propose a novel robust HGNN framework RoHe against topology adversarial attacks by equipping an attention purifier, which can prune malicious neighbors based on topology and feature. Specifically, to eliminate the perturbation enlargement, we introduce the metapath-based transiting probability as the prior criterion of the purifier, restraining the confidence of malicious neighbors from the adversarial hub. Then the purifier learns to mask out neighbors with low confidence, thus can effectively alleviate the negative effect of malicious neighbors in the soft attention mechanism. Extensive experiments on different benchmark datasets for multiple HGNNs are conducted, where the considerable improvement of HGNNs under adversarial attacks will demonstrate the effectiveness and generalization ability of our defense framework.

Fuli Feng,Xiangnan He,Jie Tang,Tat-Seng Chua

DOI: https://doi.org/10.1109/tkde.2019.2957786

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Recent efforts show that neural networks are vulnerable to small but intentional perturbations on input features in visual classification tasks. Due to the additional consideration of connections between examples (e.g., articles with citation link tend to be in the same class), graph neural networks could be more sensitive to the perturbations, since the perturbations from connected examples exacerbate the impact on a target example. Adversarial Training (AT), a dynamic regularization technique, can resist the worst-case perturbations on input features and is a promising choice to improve model robustness and generalization. However, existing AT methods focus on standard classification, being less effective when training models on graph since it does not model the impact from connected examples. In this work, we explore adversarial training on graph, aiming to improve the robustness and generalization of models learned on graph. We propose Graph Adversarial Training (GraphAT), which takes the impact from connected examples into account when learning to construct and resist perturbations. We give a general formulation of GraphAT, which can be seen as a dynamic regularization scheme based on the graph structure. To demonstrate the utility of GraphAT, we employ it on a state-of-the-art graph neural network model - Graph Convolutional Network (GCN). We conduct experiments on two citation graphs (Citeseer and Cora) and a knowledge graph (NELL), verifying the effectiveness of GraphAT which outperforms normal training on GCN by 4.51 percent in node classification accuracy. Codes are available via: https://github.com/fulifeng/GraphAT.

Ao Liu,Beibei Li,Tao Li,Pan Zhou,Rui Wang

DOI: https://doi.org/10.1109/tnnls.2022.3172296

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Recent studies have revealed the vulnerability of graph convolutional networks (GCNs) to edge-perturbing attacks, such as maliciously inserting or deleting graph edges. However, theoretical proof of such vulnerability remains a big challenge, and effective defense schemes are still open issues. In this article, we first generalize the formulation of edge-perturbing attacks and strictly prove the vulnerability of GCNs to such attacks in node classification tasks. Following this, an anonymous GCN, named AN-GCN, is proposed to defend against edge-perturbing attacks. In particular, we present a node localization theorem to demonstrate how GCNs locate nodes during their training phase. In addition, we design a staggered Gaussian noise-based node position generator and a spectral graph convolution-based discriminator (in detecting the generated node positions). Furthermore, we provide an optimization method for the designed generator and discriminator. It is demonstrated that the AN-GCN is secure against edge-perturbing attacks in node classification tasks, as AN-GCN is developed to classify nodes without the edge information (making it impossible for attackers to perturb edges anymore). Extensive evaluations verify the effectiveness of the general edge-perturbing attack (G-EPA) model in manipulating the classification results of the target nodes. More importantly, the proposed AN-GCN can achieve 82.7% in node classification accuracy without the edge-reading permission, which outperforms the state-of-the-art GCN.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Zhebin Wu,Lin Shu,Ziyue Xu,Yaomin Chang,Chuan Chen,Zibin Zheng

DOI: https://doi.org/10.1145/3534678.3539436

2022-01-01

Abstract:Graph Neural Networks (GNNs) have exhibited their powerful ability of tackling nontrivial problems on graphs. However, as an extension of deep learning models to graphs, GNNs are vulnerable to noise or adversarial attacks due to the underlying perturbations propagating in message passing scheme, which can affect the ultimate performances dramatically. Thus, it's vital to study a robust GNN framework to defend against various perturbations. In this paper, we propose a Robust Tensor Graph Convolutional Network (RT-GCN) model to improve the robustness. On the one hand, we utilize multi-view augmentation to reduce the augmentation variance and organize them as a third-order tensor, followed by the truncated T-SVD to capture the low-rankness of the multi-view augmented graph, which improves the robustness from the perspective of graph preprocessing. On the other hand, to effectively capture the inter-view and intra-view information on the multi-view augmented graph, we propose tensor GCN (TGCN) framework and analyze the mathematical relationship between TGCN and vanilla GCN, which improves the robustness from the perspective of model architecture. Extensive experimental results have verified the effectiveness of RT-GCN on various datasets, demonstrating the superiority to the state-of-the-art models on diverse adversarial attacks for graphs.

Jianfu Zhang,Yan Hong,Dawei Cheng,Liqing Zhang,Qibin Zhao

DOI: https://doi.org/10.1016/j.patcog.2024.110954

IF: 8

2025-01-01

Pattern Recognition

Abstract:Graph Neural Networks (GNNs) have demonstrated remarkable success across diverse fields, yet remain susceptible to subtle adversarial perturbations that significantly degrade performance. Addressing this vulnerability remains a formidable challenge. Current defense strategies focus on edge-specific regularization within adversarial graphs, often overlooking the inter-edge structural dependencies and the interplay of various robustness attributes. This paper introduces a novel tensor-based framework for GNNs, aimed at reinforcing graph robustness against adversarial influences. By employing tensor approximation, our method systematically aggregates and compresses diverse predefined robustness features of adversarial graphs into a low-rank representation. This approach harmoniously combines the integrity of graph structure and robustness characteristics. Comprehensive experiments on real-world graph datasets demonstrate that our framework not only effectively counters diverse types of adversarial attacks but also surpasses existing leading defense mechanisms in performance.

Xiaodong Wei,Yong Li,Xiaowei Qin,Xiaodong Xu,Ximin Li,Mengjie Liu

DOI: https://doi.org/10.1109/wcsp49889.2020.9299720

2020-01-01

Abstract:Graph neural networks (GNNs) are criticized for poor robustness; their performance will decline seriously even with unnoticeable edge perturbations in node classification tasks. To against topology attacks, recent works punish edges based on data and attack characteristics (such as node similarity or SVD), or utilize the graph data distribution to absorb attacks (such as BayesianGCN or RGCN). We propose a robust GNN model based on topology reconstruction, which does not explicitly assume data or attack distributions. Our proposed method decouples graph data into attribute subgraph and topology subgraph and makes classifier cooperate with topology generator to label nodes. The classifier starts training from the attribute subgraph and labels some high-confidence nodes to join the trainset. Meanwhile, the generator reconstructs topology based on classification loss, topology subgraph, and link prediction, providing the classifier with new information. Extensive node classification experiments show that under the same attack conditions, our model has higher classification accuracy and stronger robustness compared with other latest robust GNN models.

Binghui Wang,Meng Pang,Yun Dong

DOI: https://doi.org/10.48550/arXiv.2303.06199

2023-03-11

Abstract:Graph neural networks (GNNs) have achieved state-of-the-art performance in many graph learning tasks. However, recent studies show that GNNs are vulnerable to both test-time evasion and training-time poisoning attacks that perturb the graph structure. While existing attack methods have shown promising attack performance, we would like to design an attack framework to further enhance the performance. In particular, our attack framework is inspired by certified robustness, which was originally used by defenders to defend against adversarial attacks. We are the first, from the attacker perspective, to leverage its properties to better attack GNNs. Specifically, we first derive nodes' certified perturbation sizes against graph evasion and poisoning attacks based on randomized smoothing, respectively. A larger certified perturbation size of a node indicates this node is theoretically more robust to graph perturbations. Such a property motivates us to focus more on nodes with smaller certified perturbation sizes, as they are easier to be attacked after graph perturbations. Accordingly, we design a certified robustness inspired attack loss, when incorporated into (any) existing attacks, produces our certified robustness inspired attack counterpart. We apply our framework to the existing attacks and results show it can significantly enhance the existing base attacks' performance.

Cryptography and Security

Jiayan Guo,Shangyang Li,Yue Zhao,Yan Zhang

DOI: https://doi.org/10.1007/978-3-031-00123-9_54

2022-01-31

Abstract:Existing studies show that node representations generated by graph neural networks (GNNs) are vulnerable to adversarial attacks, such as unnoticeable perturbations of adjacent matrix and node features. Thus, it is requisite to learn robust representations in graph neural networks. To improve the robustness of graph representation learning, we propose a novel Graph Adversarial Contrastive Learning framework (GraphACL) by introducing adversarial augmentations into graph self-supervised learning. In this framework, we maximize the mutual information between local and global representations of a perturbed graph and its adversarial augmentations, where the adversarial graphs can be generated in either supervised or unsupervised approaches. Based on the Information Bottleneck Principle, we theoretically prove that our method could obtain a much tighter bound, thus improving the robustness of graph representation learning. Empirically, we evaluate several methods on a range of node classification benchmarks and the results demonstrate GraphACL could achieve comparable accuracy over previous supervised methods.

Machine Learning