Adversarial Attacks on Graph Neural Networks via Meta Learning (1902.08412v2)

Abstract: Deep learning models for graphs have advanced the state of the art on many tasks. Despite their recent success, little is known about their robustness. We investigate training time attacks on graph neural networks for node classification that perturb the discrete graph structure. Our core principle is to use meta-gradients to solve the bilevel problem underlying training-time attacks, essentially treating the graph as a hyperparameter to optimize. Our experiments show that small graph perturbations consistently lead to a strong decrease in performance for graph convolutional networks, and even transfer to unsupervised embeddings. Remarkably, the perturbations created by our algorithm can misguide the graph neural networks such that they perform worse than a simple baseline that ignores all relational information. Our attacks do not assume any knowledge about or access to the target classifiers.

• The paper presents a meta-learning strategy to optimize adversarial perturbations as a bilevel problem during training.
• Experiments show that minor graph structure changes drastically degrade node classification performance compared to baseline models.
• The approach requires no access to target classifiers, demonstrating strong transferability and realistic threat model applicability.

Adversarial Attacks on Graph Neural Networks via Meta Learning

This paper presents a novel approach to understanding and evaluating the robustness of Graph Neural Networks (GNNs) to adversarial attacks, particularly during the training phase. In the context of node classification tasks, where a subset of nodes has known class labels and the objective is to infer the classes of the unlabelled nodes, this kind of vulnerability assessment is crucial. The authors focus on perturbations to the discrete graph structure and employ a technique of meta-learning to optimize these perturbations in a training-time attack scenario.

The core contribution of this paper lies in its ability to utilize meta-gradients to solve the bilevel optimization problem underlying training-time adversarial attacks. By treating the graph structure as a hyperparameter, the authors explore how minor, deliberate perturbations can drastically degrade the performance of GNN models. These perturbations are independent of any specific knowledge of the classification model and demonstrate significant transferability to unsupervised embeddings, marking an impactful stride in the paper of robust GNNs.

Key Findings

• Performance Degradation: The experiments highlight that even minor modifications to the graph's structure consistently result in significant decreases in GNN performance. For graph convolutional networks, these perturbations can reduce performance levels to ones worse than a baseline model that disregards relational information entirely.
• Algorithm Effectiveness: The adversarial attack algorithm proposed does not require access to target classifiers, making it substantially more applicable under realistic threat models where an attacker has limited information about the system being attacked.
• Meta-Learning Insights: By turning the typical gradient-based learning process on its head, meta-learning is leveraged to optimize adversarial perturbations. The results obtained through this approach provide fascinating insights into both the effectiveness of data manipulation and the vulnerabilities of graph-based learning systems.

Implications

The insights derived have both theoretical and practical implications. Theoretically, the paper contributes to an evolving understanding of GNN vulnerabilities, a field that traditionally focused on computer vision models. Practically, the results emphasize the need for developing defense mechanisms against adversarial attacks in graph-based systems, which are increasingly used in sensitive applications like social network analysis, biochemistry, and more. There is a distinct recognition that these systems, if left unsecured, could propagate damaging conclusions based on manipulated inputs.

Future Developments

The paper opens several avenues for further exploration. An immediate extension is the development of countermeasures against such training-time attacks, possibly through robustness training strategies or incorporating adversarial defenses as integral facets of model architecture. Additionally, more efficient algorithms that can handle larger graphs and potentially continuous data modifications will broaden the scope and applicability of the findings.

Conclusion

This paper makes a compelling case for the efficacy of adversarial attacks on GNNs using meta-learning. It advances our understanding and highlights the need for developing robust strategies against such vulnerabilities. As GNNs gain popularity across various domains, considerations for their security and robustness against adversarial manipulations will become increasingly paramount. This research provides a foundational step toward comprehensively understanding and addressing these critical concerns in graph-based learning systems.