
[Paper Review] Adversarial Examples on Graph Data: Deep Insights into Attack and Defense

Huijun Wu, Chen Wang|arXiv (Cornell University)|Mar 5, 2019
Adversarial Robustness in Machine Learning | References: 24 | Cited by: 105
One-Sentence Summary

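This paper introduces integrated-gradients-based attacks on graph convolutional networks and proposes a lightweight pre-processing defense that removes edges between dissimilar nodes, improving robustness to adversarial perturbations on graph data.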

ABSTRACT

Graph deep learning models, such as graph convolutional networks (GCN) achieve remarkable performance for tasks on graph data. Similar to other types of deep models, graph deep learning models often suffer from adversarial attacks. However, compared with non-graph data, the discrete features, graph connections and different definitions of imperceptible perturbations bring unique challenges and opportunities for the adversarial attacks and defenses for graph data. In this paper, we propose both attack and defense techniques. For attack, we show that the discreteness problem could easily be resolved by introducing integrated gradients which could accurately reflect the effect of perturbing certain features or edges while still benefiting from the parallel computations. For defense, we observe that the adversarially manipulated graph for the targeted attack differs from normal graphs statistically. Based on this observation, we propose a defense approach which inspects the graph and recovers the potential adversarial perturbations. Our experiments on a number of datasets show the effectiveness of the proposed methods.

Motivation and Objectives

  • Motivate robustness issues in graph neural networks (GNNs) and node classification on graphs.
  • Develop effective adversarial attack methods tailored to discrete graph inputs.
  • Propose a defense strategy that leverages graph pre-processing to improve GCN robustness.
  • Provide empirical evaluation on real-world graph datasets to demonstrate attack efficacy and defense efficiency.

Proposed Methods

  • Adopt Graph Convolutional Networks (GCN) for semi-supervised node classification and analyze their vulnerability to adversarial perturbations.
  • Propose integrated-gradients-guided attacks (IG-FGSM and IG-JSMA) to handle discrete graph data, where features and edges are binary (0/1), using integrated gradients to prioritize perturbations.
  • Define perturbation budgets and give pseudocode for IG-JSMA, which iteratively perturbs edges or features based on IG scores.
  • Investigate a defense by making edge weights trainable and, more efficiently, by a graph pre-processing step that removes edges connecting dissimilar nodes (low Jaccard similarity) prior to training.
  • Evaluate attack effectiveness via classification margins and accuracy on datasets CORA-ML, Citeseer, and Polblogs; compare IG-JSMA against baselines like FGSM, JSMA, and nettack.
  • Analyze why edge perturbations are more impactful than feature perturbations and how similarity-based edge removal mitigates attacks.

Experimental Results

Research Questions

  • RQ1: Can integrated gradients provide accurate guidance for adversarial perturbations in graphs with discrete features and unweighted edges?
  • RQ2: How do IG-guided attacks compare to traditional gradient-based attacks in effectiveness and stability on graph data?
  • RQ3: What defense strategies can reduce attack success while preserving model performance on GCNs?
  • RQ4: Does pre-processing based on node feature similarity (e.g., Jaccard similarity) effectively defend against targeted adversarial attacks on GCNs?

Key Findings

  • IG-JSMA outperforms baselines (random, FGSM, nettack) in reducing the classification margin on targeted nodes across CORA, Citeseer, and Polblogs datasets.
  • Integrated gradients provide more accurate and stable importance estimates than vanilla gradients for guiding attacks on discrete graph data.
  • Edge perturbations are more effective than feature perturbations in compromising target classifications across attacks (FGSM, JSMA, nettack, IG-JSMA).
  • Defending by removing edges that connect dissimilar nodes (low Jaccard similarity) yields robustness gains with negligible or no loss in clean accuracy, and is attack-agnostic.
  • Training with a learnable/adjusted adjacency (edge weights) can recover correct classifications for previously attacked nodes, indicating robustness improvement through adaptable graph structure.
  • The defense maintains computational efficiency, with O(N) complexity for the pre-processing step and minimal impact on training time.
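
The pre-processing defense summarized above (dropping edges whose endpoints have low Jaccard feature similarity before the GCN is trained), as an added example that is not code from the paper. It assumes binary node features stored as sets of active feature indices; the `threshold` value, the function names and the sample graph are constructed for illustration.

```python
"""Added example: Jaccard-based edge pruning as a graph pre-processing defense."""


def jaccard(a, b):
    """Jaccard similarity of two binary feature vectors given as index sets."""
    union = a | b
    if not union:
        return 0.0  # two all-zero nodes give no evidence of similarity
    return len(a & b) / len(union)


def prune_dissimilar_edges(edges, features, threshold=0.01):
    """Split an undirected edge list into kept edges and removed edges.

    edges     : iterable of (u, v) node pairs
    features  : dict mapping node -> set of active feature indices
    threshold : assumed cut-off; edges scoring below it are dropped
    Returns (kept, removed), where removed holds (u, v, score) for auditing.
    """
    kept, removed, seen = [], [], set()
    for u, v in edges:
        key = (u, v) if u <= v else (v, u)  # treat (u, v) and (v, u) as one edge
        if u == v or key in seen:
            continue  # skip self-loops and duplicates
        seen.add(key)
        score = jaccard(features[u], features[v])
        if score >= threshold:
            kept.append(key)
        else:
            removed.append((key[0], key[1], score))
    return kept, removed


# Constructed sample: nodes 0-2 share vocabulary, nodes 3-4 share another.
FEATURES = {
    0: {1, 2, 3, 5},
    1: {1, 2, 3},
    2: {2, 3, 5, 8},
    3: {20, 21, 22},
    4: {21, 22, 23},
}
# (0, 4) links two nodes with no features in common, the kind of edge the
# defense targets; (2, 0) is a duplicate of (0, 2) in reverse order.
EDGES = [(0, 1), (1, 2), (0, 2), (3, 4), (0, 4), (2, 0)]

if __name__ == "__main__":
    kept, removed = prune_dissimilar_edges(EDGES, FEATURES)
    print("kept:", kept)
    print("removed (u, v, jaccard):", removed)
```

The `removed` list doubles as an audit record: edges dropped here are candidates for review as injected links before the cleaned adjacency is passed to training.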

This review was generated by AI and reviewed by human editors.