Adversarial Attacks on Neural Networks for Graph Data (1805.07984v4)

Abstract: Deep learning models for graphs have achieved strong performance for the task of node classification. Despite their proliferation, currently there is no study of their robustness to adversarial attacks. Yet, in domains where they are likely to be used, e.g. the web, adversaries are common. Can deep learning models for graphs be easily fooled? In this work, we introduce the first study of adversarial attacks on attributed graphs, specifically focusing on models exploiting ideas of graph convolutions. In addition to attacks at test time, we tackle the more challenging class of poisoning/causative attacks, which focus on the training phase of a machine learning model. We generate adversarial perturbations targeting the node's features and the graph structure, thus, taking the dependencies between instances in account. Moreover, we ensure that the perturbations remain unnoticeable by preserving important data characteristics. To cope with the underlying discrete domain we propose an efficient algorithm Nettack exploiting incremental computations. Our experimental study shows that accuracy of node classification significantly drops even when performing only few perturbations. Even more, our attacks are transferable: the learned attacks generalize to other state-of-the-art node classification models and unsupervised approaches, and likewise are successful even when only limited knowledge about the graph is given.

• The paper introduces a novel framework that manipulates both graph structures and node features for effective adversarial attacks on GCNs.
• It presents Nettack, an efficient algorithm that incrementally computes minimal perturbations to mislead node classification.
• Experimental results reveal transferable attacks, underscoring vulnerabilities across state-of-the-art graph learning models.

Adversarial Attacks on Neural Networks for Graph Data

The paper "Adversarial Attacks on Neural Networks for Graph Data" by Daniel Zügner, Amir Akbarnejad, and Stephan Günnemann introduces a novel paper of adversarial attacks on attributed graphs, particularly focusing on graph convolutional networks (GCNs) for the task of node classification. This issue is crucial given the increasing deployment of graph-based learning models in various domains where adversaries might be common, such as social networks, e-commerce, and bibliographic databases.

Key Contributions

1. Adversarial Perturbations Model: The authors propose a framework for generating adversarial perturbations that can alter both the node features and the graph structure. They emphasize both evasion attacks (manipulating the input during the application phase) and poisoning attacks (manipulating the input during the training phase), reflecting a broader and nuanced understanding of adversarial attacks in graph settings.
2. Efficient Algorithm - Nettack: To implement these attacks, the authors develop a scalable algorithm called "Nettack." This algorithm performs incremental computations that leverage the graph's sparsity, enabling fast and efficient determination of perturbations. The algorithm stands out for its ability to execute in a discrete domain where traditional gradient-based methods are less effective.
3. Transferability of Adversarial Perturbations: The experimental results illustrate that adversarial perturbations on GCNs are transferable to other state-of-the-art node classification models, including Column Networks (CLN) and DeepWalk, an unsupervised model. This finding underlines a significant vulnerability in current graph-based learning systems.
4. Constraints for Realistic Perturbations: To ensure that the perturbations remain unnoticeable, the authors propose preserving key graph characteristics such as the degree distribution and feature co-occurrences. They apply statistical tests to maintain the power-law distribution commonly observed in real-world networks and use a probabilistic random walker to verify the plausibility of feature co-occurrences.

Experimental Insights

The experimental section highlights several critical observations:

• Surrogate Model Performance: Nettack significantly reduces the classification margin, achieving successful misclassifications with minimal perturbations. Both feature changes and structure changes are effective, but combining them yields the best results.
• Effectiveness of Poisoning Attacks: The paper's poisoning attacks, which involve retraining the model on the perturbed data, are notably effective, reflecting the real-world scenario where models are continuously updated based on new data.
• Resilience of High-Degree Nodes: High-degree nodes appear to be more resilient to adversarial attacks compared to low-degree nodes. However, even these nodes can be successfully attacked with a slightly higher number of perturbations.
• Partial Knowledge Attacks: The authors demonstrate that their attack methods remain effective even when the attacker has limited knowledge of the global graph structure, which is a practical consideration for real-world adversarial scenarios.

Implications and Future Work

The implications of this work are profound for the design and deployment of robust graph-based learning systems. The demonstrated transferability of attacks suggests that even models not explicitly designed for robustness against adversarial attacks are vulnerable. This necessitates a deeper exploration into defensive mechanisms that could mitigate such vulnerabilities, including adversarial training and robust graph convolution methodologies.

Future developments in AI will likely need to consider more sophisticated and resilient graph-learning frameworks. There may also be a need to develop standardized benchmarks for robustness to enable consistent evaluation of model vulnerabilities across various graph-based applications.

In conclusion, this paper provides a foundational paper into adversarial attacks on graph neural networks, presenting both a theoretical framework and practical algorithmic solutions that reveal significant vulnerabilities in current models. The insights derived from this work will be instrumental in guiding future research toward more robust and secure graph-based learning systems.