Revisiting Adversarial Attacks on Graph Neural Networks for Graph Classification
Graph neural networks (GNNs) have achieved tremendous success in the task of
graph classification and its diverse downstream real-world applications.
Despite this success in learning graph representations, current GNN models
remain vulnerable to adversarial examples on graph-structured data. Existing
attack approaches are either limited to structure attacks or restricted to
local information, calling for a more general attack framework on graph
classification; designing one is challenging because local, node-level
adversarial examples must be generated from global, graph-level information.
To address this "global-to-local" attack challenge, we present a novel and
general framework that generates adversarial examples by manipulating both
graph structure and node features. Specifically, we use Graph Class Activation
Mapping and its variant to produce node-level importance scores for the graph
classification task. Then, through heuristically designed algorithms, we
perform both feature and structure attacks under unnoticeable perturbation
budgets, guided by node-level and subgraph-level importance. Experiments
attacking four state-of-the-art graph classification models on six real-world
benchmarks verify the flexibility and effectiveness of our framework.
Comment: 13 pages, 7 figures
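As a rough illustration of this "global-to-local" step, the sketch below computes Grad-CAM-style node importance from a graph-level prediction and ranks nodes for perturbation under a budget. It is a minimal sketch in PyTorch, not the paper's implementation: the names (`SimpleGCN`, `node_importance`), the two-layer architecture, and the top-k selection are our assumptions, and the paper's Graph Class Activation Mapping variant may differ in detail.

```python
import torch
import torch.nn as nn

class SimpleGCN(nn.Module):
    """Two-layer GCN graph classifier; a_hat is a normalized adjacency matrix."""
    def __init__(self, in_dim, hid_dim, n_classes):
        super().__init__()
        self.w1 = nn.Linear(in_dim, hid_dim)
        self.w2 = nn.Linear(hid_dim, hid_dim)
        self.cls = nn.Linear(hid_dim, n_classes)

    def forward(self, a_hat, x):
        h = torch.relu(self.w1(a_hat @ x))  # 1-hop propagation
        h = torch.relu(self.w2(a_hat @ h))  # 2-hop propagation
        self.node_feats = h                 # cache node embeddings for the CAM step
        return self.cls(h.mean(dim=0))      # mean-pool nodes -> graph-level logits

def node_importance(model, a_hat, x, target_class):
    """Grad-CAM-style scores: differentiate the target logit w.r.t. the cached
    node embeddings, average the gradients per channel, and reweight."""
    logits = model(a_hat, x)
    (grads,) = torch.autograd.grad(logits[target_class], model.node_feats)
    weights = grads.mean(dim=0)                    # one weight per channel
    return torch.relu(model.node_feats @ weights)  # one importance score per node

# Illustrative usage: spend the perturbation budget on the most important nodes.
# scores = node_importance(model, a_hat, x, target_class=pred)
# targets = scores.topk(k=budget).indices
```

The graph-level class score is differentiated with respect to per-node embeddings, so global classification information is projected back onto individual nodes, which is exactly the direction of the attack described above.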
What Does the Gradient Tell When Attacking the Graph Structure
Recent research has revealed that Graph Neural Networks (GNNs) are
susceptible to adversarial attacks targeting the graph structure. A malicious
attacker can manipulate a limited number of edges, given the training labels,
to impair the victim model's performance. Previous empirical studies indicate
that gradient-based attackers tend to add edges rather than remove them. In
this paper, we give a theoretical demonstration that attackers tend to add
inter-class edges because of the message-passing mechanism of GNNs, which
explains these earlier empirical observations. By connecting
dissimilar nodes, attackers can more effectively corrupt node features, making
such attacks more advantageous. However, we demonstrate that the inherent
smoothness of GNN's message passing tends to blur node dissimilarity in the
feature space, leading to the loss of crucial information during the forward
process. To address this issue, we propose a novel surrogate model with
multi-level propagation that preserves the node dissimilarity information. This
model parallelizes the propagation of unaggregated raw features and multi-hop
aggregated features, while introducing batch normalization to enhance the
dissimilarity in node representations and counteract the smoothness resulting
from topological aggregation. Our experiments show that this approach yields a
significant improvement in attack performance. Furthermore, both theoretical
and experimental evidence suggests that adding inter-class edges constitutes
an easily observable attack pattern. We propose an innovative attack loss that
balances attack effectiveness and imperceptibility, sacrificing some attack
effectiveness to attain greater imperceptibility. We also provide experiments
validating the trade-off achieved through this attack loss.
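To make the multi-level propagation idea concrete, here is a minimal sketch, assuming a PyTorch implementation with a normalized adjacency `a_hat`: the class name `MultiLevelSurrogate`, the fusion of branches by concatenation, and the default `n_hops` are our illustrative choices, not necessarily the paper's exact architecture.

```python
import torch
import torch.nn as nn

class MultiLevelSurrogate(nn.Module):
    """Parallel propagation branches, from raw features (0 hops) up to
    n_hops-hop aggregates, each batch-normalized before fusion."""
    def __init__(self, in_dim, hid_dim, n_classes, n_hops=2):
        super().__init__()
        self.n_hops = n_hops
        self.lins = nn.ModuleList(nn.Linear(in_dim, hid_dim) for _ in range(n_hops + 1))
        self.bns = nn.ModuleList(nn.BatchNorm1d(hid_dim) for _ in range(n_hops + 1))
        self.cls = nn.Linear(hid_dim * (n_hops + 1), n_classes)

    def forward(self, a_hat, x):
        outs, h = [], x
        for k in range(self.n_hops + 1):
            # BatchNorm re-sharpens node dissimilarity blurred by aggregation
            outs.append(torch.relu(self.bns[k](self.lins[k](h))))
            h = a_hat @ h                          # move to the next hop
        return self.cls(torch.cat(outs, dim=1))    # per-node class logits
```

Because the raw-feature branch bypasses aggregation entirely, node dissimilarity survives the forward pass; gradients of a training loss through such a surrogate with respect to adjacency entries can then score candidate edge flips.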
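The abstract does not spell out the proposed attack loss, so the following is purely a hypothetical form of the effectiveness/imperceptibility trade-off it describes: an attack term plus a penalty on inter-class edge additions, with an assumed weight `lam`.

```python
import torch.nn.functional as F

def balanced_attack_loss(victim_logits, labels, inter_class_additions, lam=0.1):
    """Hypothetical trade-off, not the paper's loss: minimizing this maximizes
    victim error while penalizing inter-class edge additions, which the
    analysis above identifies as an easily observable attack pattern."""
    attack_term = -F.cross_entropy(victim_logits, labels)  # stronger attack = lower term
    return attack_term + lam * inter_class_additions       # larger lam = more imperceptible
```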