Adversarial Attacks On Neural Networks For Graph Data

This paper describes how graph data is affected by adversarial attacks. Graph data is at the core of many high-impact applications, ranging from the analysis of social networks such as Facebook and Amazon to interlinked document collections such as PubMed and Arxiv. Node classification is one of the most frequently applied tasks on graph data: given a single large graph and the class labels of a few nodes, the goal is to predict the labels of the remaining nodes. Recently, deep learning for graphs has brought great improvements on many tasks, including node classification. Specifically, approaches from the class of graph convolutional networks have achieved strong performance in many graph-learning tasks, node classification among them.

Many researchers have noticed that deep learning architectures for classical learning tasks can easily be fooled/attacked. So far, however, the question of adversarial perturbations for deep learning methods on graphs has not been addressed. Adversaries are very common in the domains where these methods are likely to be used, e.g. the web, search engines, or recommender systems. These adversaries will exploit any vulnerabilities exposed.

In an adversarial attack scenario, the attackers try to modify the input data such that the changes are unnoticeable. The core idea is to allow only those perturbations that preserve specific inherent properties of the input graph. For the graph structure, this means structure-preserving perturbations. The most prominent characteristic of the graph structure is its degree distribution, which often resembles a power-law-like shape in real networks. If two networks show very different degree distributions, it is easy to tell them apart. Therefore, the paper aims to generate only perturbations that follow a power-law behavior similar to that of the input.

The experiments evaluate the algorithm by exploring how the attacks affect the surrogate model, and by evaluating transferability to other models and across multiple datasets. Experimental evaluations were conducted on three datasets: Cora (ML), Citeseer, and PolBlogs. The authors split the network into labelled (20%) and unlabeled (80%) nodes. They further split the labelled nodes in equal parts into training and validation sets to train the surrogate model, and average over five different random initializations/splits. For each of these they perform the following steps. They first train the surrogate model on the labelled data. Then, among all nodes from the test set that have been correctly classified, they select the 10 nodes with the highest margin of classification (i.e. they are clearly correctly classified), the 10 nodes with the lowest margin (but still correctly classified), and 20 more nodes at random. These serve as the target nodes for the attacks. Then, they corrupt the input graph using Nettack for direct attacks and Nettack-In for influence attacks, respectively.

The method is compared against two baselines: the Fast Gradient Sign Method (FGSM), used as a direct attack, and Rnd, an attack that modifies the structure of the graph.
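The degree-distribution constraint described above can be turned into a check that compares a graph snapshot against a trusted baseline. The following is an added example, not code from the paper or from this page: it fits a power-law exponent to each degree sequence and runs a likelihood-ratio test on whether both share one exponent. The estimator (a continuous approximation of the discrete power-law MLE), `d_min=2`, the 3.841 threshold and the degree sequences are all assumptions made for illustration.

```python
import math

CHI2_1DOF_95 = 3.841  # chi-square critical value, 1 d.o.f., 5% level (assumed threshold)

def _tail_stats(degrees, d_min):
    """Return (n, S) over degrees >= d_min, with S = sum(log(d / (d_min - 0.5)))."""
    tail = [d for d in degrees if d >= d_min]
    if not tail:
        raise ValueError("no node has degree >= d_min")
    return len(tail), sum(math.log(d / (d_min - 0.5)) for d in tail)

def powerlaw_alpha(degrees, d_min=2):
    """Approximate MLE of the power-law exponent for a degree sequence."""
    n, s = _tail_stats(degrees, d_min)
    return 1.0 + n / s

def log_likelihood(degrees, d_min=2):
    """Log-likelihood of the degrees under their own fitted power law."""
    n, s = _tail_stats(degrees, d_min)
    alpha = 1.0 + n / s
    return n * math.log(alpha - 1.0) - n * math.log(d_min - 0.5) - alpha * s

def degree_shift_statistic(reference, observed, d_min=2):
    """Likelihood-ratio statistic: one shared exponent vs. one per graph."""
    separate = log_likelihood(reference, d_min) + log_likelihood(observed, d_min)
    combined = log_likelihood(list(reference) + list(observed), d_min)
    return 2.0 * (separate - combined)

def is_noticeable(reference, observed, d_min=2, threshold=CHI2_1DOF_95):
    """True when the two degree sequences are unlikely to share one power law."""
    return degree_shift_statistic(reference, observed, d_min) > threshold

# Constructed degree sequences (100 nodes each), not data from the paper.
REFERENCE = [2]*50 + [3]*25 + [4]*12 + [6]*6 + [10]*4 + [20]*2 + [40]
# Two degree-2 nodes become degree 3 (one added edge between them).
SMALL_EDIT = [2]*48 + [3]*27 + [4]*12 + [6]*6 + [10]*4 + [20]*2 + [40]
# Thirty low-degree nodes raised to degree 10.
LARGE_EDIT = [2]*20 + [3]*25 + [4]*12 + [6]*6 + [10]*34 + [20]*2 + [40]

if __name__ == "__main__":
    for name, seq in (("small", SMALL_EDIT), ("large", LARGE_EDIT)):
        stat = degree_shift_statistic(REFERENCE, seq)
        print(f"{name}: statistic={stat:.3f} noticeable={is_noticeable(REFERENCE, seq)}")
```

Perturbations constrained in the way the paper describes are built to stay below such a threshold, so a pass here flags only crude structural changes and is not evidence that the graph is unmodified.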

Analyzing the results for attacks on the surrogate model shows that perturbations in the structure lead to a stronger change in the surrogate loss than feature attacks do. Still, combining both is the most powerful, requiring only around 3 changes to obtain a misclassification, and Rnd is clearly not able to achieve good performance. Direct attacks need fewer perturbations than influencer attacks. The authors were also able to generate perturbations even when using unnoticeability constraints.

The authors were able to deduce that direct attacks are extremely successful: even for the challenging poisoning case, almost every target gets misclassified. They therefore conclude that the surrogate model and loss are a sufficient approximation of the true loss on the non-linear model after re-training on the perturbed data. The results show that the corruptions generated by Nettack transfer successfully to different (semi-supervised) graph convolutional methods: GCN and CLN. Most remarkably, even the unsupervised model DeepWalk is strongly affected by the perturbations. The paper's plots also compare against the two baselines Rnd and FGSM, both operating in the direct attack setting, and Nettack outperforms both. In conclusion, deep learning models for graphs are highly vulnerable to adversarial attacks. The authors proposed an efficient algorithm for performing transferable attacks. These attacks are successful even under restrictive attack scenarios, e.g. no access to the target node or limited knowledge about the graph. No weaknesses of this method can be observed at this time, because this is the first significant published work in this domain.

18 May 2020