A Restricted Black-box Adversarial Framework Towards Attacking Graph Embedding Models
With the great success of graph embedding models in both academia and industry, the robustness of graph embedding against adversarial attacks has inevitably become a central problem in the graph learning domain. Despite the fruitful progress, most current works perform the attack in a white-box fashion: they need access to the model predictions and labels to construct their adversarial loss. However, the inaccessibility of model predictions in real systems makes the white-box attack impractical for real graph learning systems. This paper generalizes current frameworks to a more flexible setting: we aim to attack various kinds of graph embedding models in a black-box fashion. To this end, we begin by investigating the theoretical connections between graph signal processing and graph embedding models in a principled way, and we formulate the graph embedding model as a general graph signal processing operation with a corresponding graph filter. On this basis, a generalized adversarial attacker, GF-Attack, is constructed from the graph filter and the feature matrix. Without accessing any knowledge of the target classifiers used on top of the graph embedding, GF-Attack performs the attack only on the graph filter, in a black-box fashion. To validate the generality of GF-Attack, we construct the attacker on four popular graph embedding models. Extensive experimental results on several benchmark datasets validate the effectiveness of our attacker. In particular, even a small graph perturbation such as a one-edge flip consistently and substantially degrades the performance of different graph embedding models.
Comment: Accepted by the AAAI 202
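A minimal sketch of the core idea (attacking only the graph filter, never the downstream classifier) is shown below. It assumes a GCN-style symmetrically normalized filter and uses the spectral norm of the filtered feature matrix as an illustrative surrogate objective; the function names, the candidate-edge interface, and the surrogate loss are assumptions for illustration, not the exact GF-Attack formulation.

    import numpy as np

    def gcn_filter(adj):
        # Symmetrically normalized GCN-style filter: D^{-1/2} (A + I) D^{-1/2}
        a_hat = adj + np.eye(adj.shape[0])
        d_inv_sqrt = np.diag(1.0 / np.sqrt(a_hat.sum(axis=1)))
        return d_inv_sqrt @ a_hat @ d_inv_sqrt

    def surrogate_loss(adj, features, order=2):
        # Illustrative surrogate for embedding quality: spectral norm of the
        # order-K filtered feature matrix (stands in for a spectral objective).
        filtered = np.linalg.matrix_power(gcn_filter(adj), order) @ features
        return np.linalg.norm(filtered, ord=2)

    def best_edge_flip(adj, features, candidate_edges, order=2):
        # Pick the single edge flip that perturbs the surrogate loss the most.
        base = surrogate_loss(adj, features, order)
        best_edge, best_change = None, 0.0
        for u, v in candidate_edges:
            perturbed = adj.copy()
            perturbed[u, v] = perturbed[v, u] = 1 - perturbed[u, v]  # flip edge (u, v)
            change = abs(surrogate_loss(perturbed, features, order) - base)
            if change > best_change:
                best_edge, best_change = (u, v), change
        return best_edge

Because the scoring uses only the adjacency matrix and node features, the loop never queries the target model, which is what makes this kind of attack restricted black-box.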
Revisiting Adversarial Attacks on Graph Neural Networks for Graph Classification
Graph neural networks (GNNs) have achieved tremendous success in the task of
graph classification and its diverse downstream real-world applications.
Despite this success in learning graph representations, current GNN models have been shown to be vulnerable to adversarial examples on graph-structured data. Existing approaches are either limited to structure attacks or restricted to local information, calling for the design of a more general attack framework on graph classification, which faces
significant challenges due to the complexity of generating local-node-level
adversarial examples using the global-graph-level information. To address this
"global-to-local" attack challenge, we present a novel and general framework to
generate adversarial examples via manipulating graph structure and node
features. Specifically, we make use of Graph Class Activation Mapping and its
variant to produce node-level importance corresponding to the graph
classification task. Then through a heuristic design of algorithms, we can
perform both feature and structure attacks under unnoticeable perturbation
budgets with the help of both node-level and subgraph-level importance.
Experiments towards attacking four state-of-the-art graph classification models
on six real-world benchmarks verify the flexibility and effectiveness of our
framework.
Comment: 13 pages, 7 figures
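The following sketch illustrates the two ingredients described above: a CAM-style node-importance score obtained by projecting final-layer node embeddings onto the classifier weights of the target graph class, and a heuristic feature perturbation applied to the most important nodes under a node budget. The interfaces and the random perturbation are illustrative assumptions, not the paper's exact algorithms.

    import numpy as np

    def graph_cam_importance(node_embeddings, class_weights, target_class):
        # CAM-style node importance: project each node's final-layer embedding
        # onto the classifier weights of the target graph class.
        return node_embeddings @ class_weights[target_class]

    def feature_attack(features, importance, node_budget, epsilon=0.1, rng=None):
        # Heuristic feature attack: add a small perturbation to the features of
        # the `node_budget` nodes most important for the graph-level prediction.
        rng = np.random.default_rng() if rng is None else rng
        top_nodes = np.argsort(importance)[::-1][:node_budget]
        perturbed = features.copy()
        perturbed[top_nodes] += epsilon * rng.standard_normal(
            (len(top_nodes), features.shape[1]))
        return perturbed, top_nodes

The same importance scores can drive a structure attack by restricting candidate edge insertions or deletions to the highest-scoring nodes or subgraphs, keeping the perturbation within an unnoticeable budget.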
Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks
Malware still constitutes a major threat in the cybersecurity landscape, in part due to the widespread use of infection vectors such as documents. These infection vectors hide embedded malicious code from the victim users, facilitating the use of social engineering techniques to infect their machines. Research has shown that machine-learning algorithms provide effective detection
mechanisms against such threats, but the existence of an arms race in
adversarial settings has recently challenged such systems. In this work, we
focus on malware embedded in PDF files as a representative case of such an arms
race. We start by providing a comprehensive taxonomy of the different
approaches used to generate PDF malware, and of the corresponding
learning-based detection systems. We then categorize threats specifically
targeted against learning-based PDF malware detectors, using a well-established
framework in the field of adversarial machine learning. This framework allows
us to categorize known vulnerabilities of learning-based PDF malware detectors
and to identify novel attacks that may threaten such systems, along with the
potential defense mechanisms that can mitigate the impact of such threats. We
conclude the paper by discussing how such findings highlight promising research
directions towards tackling the more general challenge of designing robust
malware detectors in adversarial settings.
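As a concrete illustration of the evasion side of this arms race, the sketch below shows a greedy feature-addition attack against a hypothetical linear PDF malware detector: because content can usually only be added to a PDF without corrupting it, the attacker flips absent features to present ones, choosing those that most lower the maliciousness score. The detector model and feature encoding are assumptions for illustration, not taken from the paper.

    import numpy as np

    def feature_addition_evasion(x, weights, bias, max_additions=10):
        # Greedy feature-addition evasion against a linear detector
        # score(x) = w.x + b (score >= 0 means "malicious"). Only 0 -> 1
        # feature flips are allowed, mimicking content that can be added
        # to a PDF without breaking it.
        x = x.astype(float).copy()
        for _ in range(max_additions):
            if weights @ x + bias < 0:                 # already evades the detector
                break
            absent = np.where(x == 0)[0]
            if absent.size == 0:
                break
            best = absent[np.argmin(weights[absent])]  # most benign-looking feature
            if weights[best] >= 0:                     # nothing left that lowers the score
                break
            x[best] = 1.0
        return x

Defenses discussed in this line of work typically counter exactly this kind of manipulation, for example by enforcing monotonic or robust feature representations.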
Single-Node Attack for Fooling Graph Neural Networks
Graph neural networks (GNNs) have shown broad applicability in a variety of
domains. Some of these domains, such as social networks and product
recommendations, are fertile ground for malicious users and behavior. In this
paper, we show that GNNs are vulnerable even in the extremely limited scenario of a single-node adversarial example, where the attacker cannot choose which node to perturb. That is, an attacker can force the GNN to classify any target node into a chosen label by only slightly perturbing a single, arbitrary other node in the graph, even without being able to pick that specific attacker node. When the
adversary is allowed to pick a specific attacker node, the attack is even more
effective. We show that this attack is effective across various GNN types, such
as GraphSAGE, GCN, GAT, and GIN, across a variety of real-world datasets, and
as a targeted and a non-targeted attack. Our code is available at
https://github.com/benfinkelshtein/SINGLE
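A minimal sketch of the single-node idea, assuming a linear one-layer GCN surrogate (logits = A_hat X W) rather than the paper's actual attack: the gradient of the target node's class margin with respect to the attacker node's features has a closed form, so one gradient step is enough to illustrate the mechanics. All names and the surrogate model are assumptions.

    import numpy as np

    def single_node_feature_attack(a_hat, features, weights, target, attacker,
                                   true_class, adv_class, step=0.5):
        # One gradient step on the attacker node's features in a linear
        # one-layer GCN surrogate, logits = A_hat @ X @ W, pushing the target
        # node's prediction away from `true_class` and towards `adv_class`.
        # d logits[target, c] / d X[attacker] = A_hat[target, attacker] * W[:, c]
        grad = a_hat[target, attacker] * (weights[:, adv_class] - weights[:, true_class])
        perturbed = features.copy()
        perturbed[attacker] += step * grad
        return perturbed

In this one-layer surrogate the attacker node must lie in the target's receptive field (A_hat[target, attacker] != 0); a deeper surrogate would replace A_hat with a power of the filter, letting more distant, arbitrary nodes act as the attacker.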
A Comprehensive Survey on Trustworthy Graph Neural Networks: Privacy, Robustness, Fairness, and Explainability
Graph Neural Networks (GNNs) have developed rapidly in recent years. Due to their great ability to model graph-structured data, GNNs are widely used in various applications, including high-stakes scenarios such as financial analysis, traffic prediction, and drug discovery. Despite their great potential in benefiting humans in the real world, recent studies show that GNNs can leak private information, are vulnerable to adversarial attacks, can inherit and magnify societal bias from training data, and lack interpretability, all of which risk causing unintentional harm to users and society. For example, existing works demonstrate that attackers can fool GNNs into giving the outcome they desire with unnoticeable perturbations on the training graph. GNNs trained on social networks may embed discrimination in their decision process, strengthening undesirable societal bias. Consequently, trustworthy GNNs in various aspects are emerging to prevent harm from GNN models and increase users' trust in GNNs. In this paper, we give a comprehensive survey of GNNs in the computational aspects of privacy, robustness, fairness, and explainability. For each aspect, we give a taxonomy of the related methods and formulate general frameworks for the multiple categories of trustworthy GNNs. We also discuss the future research directions of each aspect and the connections between these aspects to help achieve trustworthiness.
Towards Interpretability and Robustness of Machine Learning Models
Modern machine learning models can be difficult to probe and understand after they have been trained. This is a major problem for the field, with consequences for trustworthiness, diagnostics, debugging, robustness, and a range of other engineering and human interaction issues surrounding the deployment of a model. Another problem of modern machine learning models is their vulnerability to small adversarial perturbations of the input, which incurs a security risk when they are applied to critical areas. In this thesis, we develop systematic and efficient tools for interpreting machine learning models and evaluating their adversarial robustness.

Part I focuses on model interpretation. We derive an efficient feature scoring method by exploiting the graph structure in data. We also develop a learning-based method under an information-based framework. As an attempt to leverage prior knowledge about what constitutes a satisfying interpretation in a given domain, we propose a systematic approach to exploiting syntactic constituency structure, leveraging a parse tree to interpret models in the setting of linguistic data.

Part II focuses on the evaluation of adversarial robustness. We first propose a probabilistic framework for generating adversarial examples on discrete data, and develop two algorithms to implement it. We also introduce a novel attack method for the setting where the attacker has access to model decisions alone. We investigate the robustness of various machine learning models and existing defense mechanisms under the proposed attack method.

In Part III, we build a connection between the two fields by developing a method for detecting adversarial examples via tools from model interpretation.
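As a rough illustration of the decision-only setting mentioned in Part II, the sketch below implements a simple random-search attack that queries nothing but the model's hard label, accepting perturbations that stay misclassified while shrinking the distance to the original input. It is a generic boundary-style search under assumed continuous features and an assumed `predict` interface, not the thesis's algorithms.

    import numpy as np

    def decision_only_attack(predict, x, true_label, n_queries=1000, sigma=0.05, rng=None):
        # Random-search attack that only queries the model's hard decision
        # predict(x) -> label (no scores, no gradients). It keeps any candidate
        # that remains misclassified while moving closer to the original input.
        rng = np.random.default_rng() if rng is None else rng
        adv = x + rng.standard_normal(x.shape)           # large initial perturbation
        if predict(adv) == true_label:
            return None                                   # no adversarial starting point found
        for _ in range(n_queries):
            candidate = adv + sigma * rng.standard_normal(x.shape)
            candidate = candidate + 0.1 * (x - candidate)  # step back towards the input
            if predict(candidate) != true_label and \
               np.linalg.norm(candidate - x) < np.linalg.norm(adv - x):
                adv = candidate
        return adv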