Transferring Robustness for Graph Neural Network Against Poisoning Attacks (1908.07558v3)

Abstract: Graph neural networks (GNNs) are widely used in many applications. However, their robustness against adversarial attacks is criticized. Prior studies show that using unnoticeable modifications on graph topology or nodal features can significantly reduce the performances of GNNs. It is very challenging to design robust graph neural networks against poisoning attack and several efforts have been taken. Existing work aims at reducing the negative impact from adversarial edges only with the poisoned graph, which is sub-optimal since they fail to discriminate adversarial edges from normal ones. On the other hand, clean graphs from similar domains as the target poisoned graph are usually available in the real world. By perturbing these clean graphs, we create supervised knowledge to train the ability to detect adversarial edges so that the robustness of GNNs is elevated. However, such potential for clean graphs is neglected by existing work. To this end, we investigate a novel problem of improving the robustness of GNNs against poisoning attacks by exploring clean graphs. Specifically, we propose PA-GNN, which relies on a penalized aggregation mechanism that directly restrict the negative impact of adversarial edges by assigning them lower attention coefficients. To optimize PA-GNN for a poisoned graph, we design a meta-optimization algorithm that trains PA-GNN to penalize perturbations using clean graphs and their adversarial counterparts, and transfers such ability to improve the robustness of PA-GNN on the poisoned graph. Experimental results on four real-world datasets demonstrate the robustness of PA-GNN against poisoning attacks on graphs. Code and data are available here: https://github.com/tangxianfeng/PA-GNN.

• The paper introduces PA-GNN, a novel framework that transfers robustness from clean graphs to counteract adversarial poisoning attacks on GNNs.
• It employs a penalized aggregation mechanism to reduce the influence of adversarial edges by lowering their attention coefficients during training.
• Empirical validation on four real-world datasets shows that PA-GNN outperforms existing methods in mitigating performance degradation under poisoning scenarios.

Overview of "Transferring Robustness for Graph Neural Network Against Poisoning Attacks"

The paper, titled "Transferring Robustness for Graph Neural Network Against Poisoning Attacks," addresses the susceptibility of Graph Neural Networks (GNNs) to adversarial poisoning attacks. These attacks strategically modify the graph topology or nodal features to degrade the performance of GNNs. Recognizing the limitations of existing methodologies which attempt to mitigate adversarial edges using only the poisoned graph, the authors propose an innovative framework named PA-GNN. This framework enhances the robustness of GNNs by leveraging clean graphs from similar domains to train a model capable of identifying adversarial edges.

Key Contributions

1. Penalized Aggregation Mechanism: The PA-GNN incorporates a penalized aggregation mechanism that reduces the influence of adversarial edges. By assigning lower attention coefficients to potential adversarial edges, the method effectively diminishes their impact during the GNN's training phase. This aspect of the framework aims to uphold the integrity of the graph's topological and feature information during the learning process.
2. Meta-Optimization Strategy: To facilitate robust training on a poisoned graph, the authors introduce a meta-optimization technique. This approach uses clean graphs, subjected to controlled perturbations, as supervised information. The meta-optimization algorithm effectively captures the adversarial edge patterns from the clean graphs and transfers this capacity to enhance the robustness of GNNs when they are applied to a more compromised setting.
3. Empirical Validation: Utilizing four real-world datasets, the authors demonstrate the resilience of PA-GNN in withstanding poisoning attacks. Notably, the experiments indicate that PA-GNN consistently outperforms existing GNN models and state-of-the-art robust GNN frameworks under various adversarial settings.

Theoretical and Practical Implications

The framework proposed in this paper significantly advances the current state of GNN robustness against adversarial attacks. Practically, it offers a means to safeguard GNN applications in sensitive fields such as financial systems and social network analysis, where adversarial manipulation could have drastic consequences. Theoretically, PA-GNN introduces a novel perspective by capitalizing on the often overlooked potential of clean graphs, thus setting a precedent for future research into domain transfer techniques for graph data.

Future Directions

This research opens multiple avenues for exploration. Future works might delve into transferring robustness techniques to broader applications such as graph classification and anomaly detection. Additionally, further refinement of the penalizing mechanism could lead to more nuanced and adaptive frameworks capable of handling diverse adversarial tactics. Extending this approach to accommodate dynamic graphs, where topology changes over time, also poses an engaging challenge for future studies.

In conclusion, "Transferring Robustness for Graph Neural Network Against Poisoning Attacks" provides a comprehensive solution to a critical vulnerability in GNNs, presenting a methodologically sound and empirically validated approach that enhances model resilience against adversarial threats.