Towards More Practical Adversarial Attacks on Graph Neural Networks

NeurIPS 2020.


Abstract:

We study black-box attacks on graph neural networks (GNNs) under a novel and realistic constraint: attackers have access to only a subset of nodes in the network, and they can only attack a small number of them. A node selection step is essential under this setup. We demonstrate that the structural inductive biases of GNN models can be exploited as an effective information source for such black-box adversarial attacks.

Introduction
  • Graph neural networks (GNNs) [20], the family of deep learning models on graphs, have shown promising empirical performance on various applications of machine learning to graph data, such as recommender systems [25], social network analysis [11], and drug discovery [15].
  • Like other deep learning models, GNNs have been shown to be vulnerable under adversarial attacks [28], which has recently attracted increasing research interest [8].
  • As graph data have more complex structures than image or text data, researchers have come up with diverse adversarial attack setups.
  • In a real-world social network, the attackers usually only have access to a few bot accounts, and they are unlikely to be among the top nodes in the network; it is difficult for the attackers to perturb more than a small number of nodes, and the most influential (e.g., celebrity) nodes are effectively out of reach.
Highlights
  • We propose a novel setup of black-box attacks for GNNs with a constraint of limited node access, which is by far the most restricted and realistic compared to existing work
  • We demonstrate that the structural inductive biases of GNNs can be exploited as an effective information source of black-box adversarial attacks
  • Our experimental results show that the proposed strategy significantly outperforms competing attack strategies under the same setup
  • We propose a principled attack strategy, GC-RWCS, based on our theoretical analysis of the connection between the Graph Convolutional Network (GCN) model and random walks, which corrects for the diminishing-return effect in the mis-classification rate (a sketch of the random-walk importance score follows this list)
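To make the random-walk connection concrete, below is a minimal sketch of an RWCS-style importance score. It is an illustration under assumptions (an unweighted graph, integer node labels 0..n-1, and the column sums of the L-step random-walk transition matrix as the score), not the authors' exact formulation; `rwcs_importance` and `select_nodes` are hypothetical helper names.

```python
import numpy as np
import networkx as nx

def rwcs_importance(G, L=4):
    """Random-walk-based importance score (illustrative sketch).

    Treats the L-step random-walk transition matrix M^L, with M = D^{-1} A,
    as a black-box surrogate for how strongly a feature perturbation on a
    node propagates through L rounds of GNN aggregation.
    """
    A = nx.to_numpy_array(G)                 # adjacency matrix, nodes 0..n-1
    deg = A.sum(axis=1, keepdims=True)
    M = A / np.clip(deg, 1.0, None)          # row-stochastic transition matrix
    M_L = np.linalg.matrix_power(M, L)       # L-step transition probabilities
    return M_L.sum(axis=0)                   # column sum: influence of each node

def select_nodes(scores, candidates, r):
    """Pick the r highest-scoring nodes from the allowed candidate set."""
    return sorted(candidates, key=lambda v: scores[v], reverse=True)[:r]
```

Under the limited-node-access constraint, `candidates` would exclude the high-degree (e.g., celebrity) nodes that the attacker cannot touch.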
Methods
  • Baseline methods for comparison

    As the authors summarized in Section 2.1, the proposed black-box adversarial attack setup is by far the most restricted, and none of the existing attack strategies for GNNs can be applied.
  • The authors compare the proposed attack strategies with baseline strategies that select the nodes with the highest centrality scores.
  • In the classical network analysis literature [14], real-world networks are shown to be fragile under attacks on high-centrality nodes.
  • The authors believe these centrality metrics serve as reasonable baselines under the restricted black-box setup.
  • As a sanity check, the authors also include a trivial baseline, Random, which selects the attacked nodes uniformly at random (a sketch of these baseline selectors follows this list)
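As a rough illustration of these baselines, the sketch below ranks an allowed candidate set by a classical centrality metric using networkx. The candidate-set construction (excluding the highest-degree nodes to respect the limited-node-access constraint), the metric names, and the helper functions are assumptions for illustration, not the paper's exact experimental configuration.

```python
import random
import networkx as nx

def candidate_set(G, exclude_top_frac=0.1):
    """Nodes the attacker may touch: drop a top fraction by degree,
    since high-profile nodes are assumed to be out of reach."""
    by_degree = sorted(G.nodes(), key=G.degree, reverse=True)
    n_excluded = int(exclude_top_frac * G.number_of_nodes())
    return set(by_degree[n_excluded:])

def baseline_select(G, r, metric="degree", seed=0):
    """Select r attack nodes from the candidate set by a centrality baseline."""
    cand = candidate_set(G)
    if metric == "random":                   # trivial sanity-check baseline
        return random.Random(seed).sample(sorted(cand), r)
    centrality = {
        "degree": nx.degree_centrality,
        "betweenness": nx.betweenness_centrality,
        "pagerank": nx.pagerank,
    }[metric](G)
    return sorted(cand, key=centrality.get, reverse=True)[:r]
```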
Results
  • Verifying the discrepancy between the loss and the mis-classification rate: the authors first provide empirical evidence for the discrepancy between the classification loss (cross-entropy) and the mis-classification rate.
  • RWCS performs much better than other centrality metrics in increasing the classification loss, showing the effectiveness of Proposition 1.
  • However, the decrease in classification accuracy under RWCS attacks quickly saturates as λ increases.
  • The GC-RWCS strategy, proposed to correct the importance scores, decreases the classification accuracy the most as λ becomes larger, even though it increases the classification loss the least (a schematic of the correction follows this list)
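The greedy correction can be pictured roughly as below. This is a schematic under assumptions, not the authors' exact GC-RWCS procedure: after each selection, the scores of candidates within k hops of the chosen node are zeroed out, so that later picks cover nodes that earlier picks are unlikely to mis-classify already, counteracting the diminishing return.

```python
import networkx as nx

def greedy_corrected_select(G, scores, candidates, r, k=1):
    """Greedy node selection with a neighborhood-overlap correction (schematic).

    Repeatedly picks the highest-score candidate, then zeroes out the scores
    of nodes within k hops of it, so later selections target parts of the
    graph not already covered by earlier picks.
    """
    scores = dict(scores)                    # work on a copy
    remaining = set(candidates)
    selected = []
    for _ in range(r):
        if not remaining:
            break
        v = max(remaining, key=lambda u: scores.get(u, 0.0))
        selected.append(v)
        remaining.discard(v)
        covered = nx.single_source_shortest_path_length(G, v, cutoff=k)
        for u in covered:                    # discount nodes already influenced by v
            scores[u] = 0.0
    return selected
```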
Conclusion
  • The authors propose a novel black-box adversarial attack setup for GNN models with a constraint of limited node access, which they believe is by far the most restricted and realistic black-box attack setup
  • Through both theoretical analyses and empirical experiments, the authors demonstrate that the strong and explicit structural inductive biases of GNN models leave them vulnerable to this type of adversarial attack.
  • Even without access to any information about the model or its training, the graph structure alone can be exploited to damage a deep learning framework with a readily executable strategy
Summary
  • Objectives:

    As the goal is to study the node selection strategy under the black-box setup, the authors set τ as a pre-determined function.
Tables
  • Table 1: Summary of the attack performance. The lower the accuracy (in %), the better the attack
  • Table 2: Summary statistics of datasets
  • Table 3: Summary of the accuracy (in %) when L = {3, 4, 5, 6, 7}. The bold number and the asterisk
  • Table 4: Accuracy decrease (in %) compared with the clean dataset
Related work
  • 2.1 Adversarial Attack on GNNs

    The study of adversarial attacks on graph neural networks has surged recently. A taxonomy of existing work has been summarized by Jin et al. [8], and we give a brief introduction here. First, there are two types of machine learning tasks on graphs that are commonly studied: node-level classification and graph-level classification. We focus on node-level classification in this paper.

    Next, there are several choices of attack form. For example, the attack can happen either during model training (poisoning) or during model testing (evasion); the attacker may aim to mislead the prediction on specific nodes (targeted attack) [28] or to damage the overall task performance (untargeted attack) [27]; and the adversarial perturbation can be carried out by modifying node features, adding or deleting edges, or injecting new nodes [16]. Our work belongs to untargeted evasion attacks. For the adversarial perturbation, most existing works on untargeted attacks apply global constraints on the proportion of node features or the number of edges to be altered. Our work sets a novel local constraint on node access, which is more realistic in practice: perturbation of top (e.g., celebrity) nodes is prohibited and only a small number of nodes can be perturbed.

    Finally, depending on the attacker’s knowledge about the GNN model, existing work can be split into three categories: white-box attacks [21, 4, 19] have access to full information about the model, including model parameters, input data, and labels; grey-box attacks [27, 28, 16] have partial information about the model, and the exact setups vary in a range; in the most challenging setting, black-box attacks [5, 1, 3] can only access the input data and sometimes the black-box predictions of the model. In this work, we consider an even stricter black-box attack setup, where model predictions are invisible to the attackers. As far as we know, the only existing works that conduct untargeted black-box attacks without access to model predictions are those by Bojchevski and Günnemann [1] and Chang et al. [3]. However, both of them require access to node embeddings, which is also prohibited in our setup.
Funding
  • It is also worth noting that the proposed GC-RWCS strategy is able to decrease node classification accuracy by up to 33.5%, and it achieves a 70% larger accuracy decrease than the Random baseline in most cases (see Table 4 in Appendix A.5)
  • Our experimental results show that the proposed strategy significantly outperforms competing attack strategies under the same setup
Study subjects and analysis
real-world benchmark datasets: 3
We further propose a greedy correction procedure for calculating the importance scores. Experiments on three real-world benchmark datasets and popular GNN models show that the proposed attack strategy significantly outperforms baseline methods.

benchmark datasets with popular GNN models: 3
We empirically verify the effectiveness of the proposed method on three benchmark datasets with popular GNN models.

datasets: 3
Full experiment results. We then provide the full experiment results of attacking GCN, JKNetConcat, and JKNetMaxpool on all three datasets in Table 1. The perturbation strength is set as λ = 1; a minimal evaluation sketch follows.
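For context, the sketch below shows how such an attack would typically be evaluated: a fixed perturbation vector of strength λ is added to the features of the selected nodes, and test accuracy is compared against the clean graph. The forward signature `model(x, adj)`, the helper name `evaluate_attack`, and the construction of `perturb_vec` are assumptions for illustration; the paper's exact perturbation design is not reproduced here.

```python
import torch

@torch.no_grad()
def evaluate_attack(model, features, adj, labels, test_mask,
                    target_nodes, perturb_vec, lam=1.0):
    """Apply a fixed feature perturbation of strength lam to the selected
    nodes and report clean vs. attacked test accuracy (illustrative only)."""
    def accuracy(x):
        logits = model(x, adj)                # assumed forward signature
        pred = logits.argmax(dim=-1)
        return (pred[test_mask] == labels[test_mask]).float().mean().item()

    clean_acc = accuracy(features)
    x_adv = features.clone()
    x_adv[target_nodes] += lam * perturb_vec  # black-box, model-agnostic edit
    return clean_acc, accuracy(x_adv)
```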

References
  • [1] Aleksandar Bojchevski and Stephan Günnemann. Adversarial attacks on node embeddings via graph poisoning. arXiv preprint arXiv:1809.01093, 2018.
  • [2] Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57. IEEE, 2017.
  • [3] Heng Chang, Yu Rong, Tingyang Xu, Wenbing Huang, Honglei Zhang, Peng Cui, Wenwu Zhu, and Junzhou Huang. A restricted black-box adversarial framework towards attacking graph embedding models. In AAAI Conference on Artificial Intelligence, 2020.
  • [4] Jinyin Chen, Yangyang Wu, Xuanheng Xu, Yixian Chen, Haibin Zheng, and Qi Xuan. Fast gradient attack on network embedding. arXiv preprint arXiv:1809.02797, 2018.
  • [5] Hanjun Dai, Hui Li, Tian Tian, Xin Huang, Lin Wang, Jun Zhu, and Le Song. Adversarial attack on graph structured data. arXiv preprint arXiv:1806.02371, 2018.
  • [6] Jonathan Frankle and Michael Carbin. The lottery ticket hypothesis: Finding sparse, trainable neural networks. arXiv preprint arXiv:1803.03635, 2018.
  • [7] Thibaut Horel and Yaron Singer. Maximization of approximately submodular functions. In Advances in Neural Information Processing Systems, pages 3045–3053, 2016.
  • [8] Wei Jin, Yaxin Li, Han Xu, Yiqi Wang, and Jiliang Tang. Adversarial attacks and defenses on graphs: A review and empirical study. arXiv preprint arXiv:2003.00653, 2020.
  • [9] Thomas N. Kipf and Max Welling. Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907, 2016.
  • [10] Johannes Klicpera, Aleksandar Bojchevski, and Stephan Günnemann. Predict then propagate: Graph neural networks meet personalized PageRank. arXiv preprint arXiv:1810.05997, 2018.
  • [11] Cheng Li, Jiaqi Ma, Xiaoxiao Guo, and Qiaozhu Mei. DeepCas: An end-to-end predictor of information cascades. In Proceedings of the 26th International Conference on World Wide Web, pages 577–586, 2017.
  • [12] László Lovász et al. Random walks on graphs: A survey. Combinatorics, Paul Erdős is Eighty, 2(1):1–46, 1993.
  • [13] Christopher Morris, Martin Ritzert, Matthias Fey, William L. Hamilton, Jan Eric Lenssen, Gaurav Rattan, and Martin Grohe. Weisfeiler and Leman go neural: Higher-order graph neural networks. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 33, pages 4602–4609, 2019.
  • [14] Mark Newman. Networks. Oxford University Press, 2018.
  • [15] Chence Shi, Minkai Xu, Zhaocheng Zhu, Weinan Zhang, Ming Zhang, and Jian Tang. GraphAF: A flow-based autoregressive model for molecular graph generation. arXiv preprint arXiv:2001.09382, 2020.
  • [16] Yiwei Sun, Suhang Wang, Xianfeng Tang, Tsung-Yu Hsieh, and Vasant Honavar. Node injection attacks on graphs via reinforcement learning. arXiv preprint arXiv:1909.06543, 2019.
  • [17] Minjie Wang, Lingfan Yu, Da Zheng, Quan Gan, Yu Gai, Zihao Ye, Mufei Li, Jinjing Zhou, Qi Huang, Chao Ma, et al. Deep Graph Library: Towards efficient and scalable deep learning on graphs. arXiv preprint arXiv:1909.01315, 2019.
  • [18] Andrew Gordon Wilson. The case for Bayesian deep learning. arXiv preprint arXiv:2001.10995, 2020.
  • [19] Huijun Wu, Chen Wang, Yuriy Tyshetskiy, Andrew Docherty, Kai Lu, and Liming Zhu. Adversarial examples for graph data: Deep insights into attack and defense. In IJCAI, 2019.
  • [20] Zonghan Wu, Shirui Pan, Fengwen Chen, Guodong Long, Chengqi Zhang, and Philip S. Yu. A comprehensive survey on graph neural networks. IEEE Transactions on Neural Networks and Learning Systems, 2020.
  • [21] Kaidi Xu, Hongge Chen, Sijia Liu, Pin-Yu Chen, Tsui-Wei Weng, Mingyi Hong, and Xue Lin. Topology attack and defense for graph neural networks: An optimization perspective. arXiv preprint arXiv:1906.04214, 2019.
  • [22] Keyulu Xu, Weihua Hu, Jure Leskovec, and Stefanie Jegelka. How powerful are graph neural networks? arXiv preprint arXiv:1810.00826, 2018.
  • [23] Keyulu Xu, Chengtao Li, Yonglong Tian, Tomohiro Sonobe, Ken-ichi Kawarabayashi, and Stefanie Jegelka. Representation learning on graphs with jumping knowledge networks. arXiv preprint arXiv:1806.03536, 2018.
  • [24] Zhilin Yang, William W. Cohen, and Ruslan Salakhutdinov. Revisiting semi-supervised learning with graph embeddings. arXiv preprint arXiv:1603.08861, 2016.
  • [25] Rex Ying, Ruining He, Kaifeng Chen, Pong Eksombatchai, William L. Hamilton, and Jure Leskovec. Graph convolutional neural networks for web-scale recommender systems. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pages 974–983, 2018.
  • [26] Barret Zoph and Quoc V. Le. Neural architecture search with reinforcement learning. arXiv preprint arXiv:1611.01578, 2016.
  • [27] Daniel Zügner and Stephan Günnemann. Adversarial attacks on graph neural networks via meta learning. In International Conference on Learning Representations (ICLR), 2019.
  • [28] Daniel Zügner, Amir Akbarnejad, and Stephan Günnemann. Adversarial attacks on neural networks for graph data. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pages 2847–2856, 2018.