

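1. Institute of Information Technology, Information Engineering University, Zhengzhou, Henan 450002
2. University of Melbourne, Melbourne, Australia 3010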
Received: 04 February 2021
Revised: 08 June 2021
Published: 25 February 2023
WU Yi-teng, LIU Wei, YU Xu-qiao. Adversarial Attacks on Graph Convolution Networks Based on Parameter Discrepancy Hypothesis[J]. ACTA ELECTRONICA SINICA, 2023, 51(02): 330-341. DOI: 10.12263/DZXB.20210222.
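Graph neural networks are vulnerable to adversarial attacks. The idea behind existing adversarial attacks on graph neural networks can be summarized as constructing contradictory training data. The contradictory data hypothesis does not explain well the attack scenario in which the graph neural network overfits the training data. Starting from the premise that the trained parameters of a graph neural network model should differ substantially before and after an effective attack, and taking the graph convolutional network as the specific object of study, this paper establishes an adversarial attack model based on the parameter discrepancy hypothesis. Cook's distance, an important result of statistical diagnostics, is introduced into adversarial attacks, and a parameter discrepancy measure based on Cook's distance is proposed. Using an attack method based on the gradient of Cook's distance, a closed-form solution of the attack gradient is derived for the first time, and a complete attack algorithm is proposed by combining the ideas of gradient descent and greedy algorithms. Finally, experiments are designed to verify the rationality of the parameter discrepancy hypothesis and the effectiveness of the method derived from it; the usability of gradient information for discrete data in graph settings is verified; a simulation example illustrates the correctness of the closed-form solution of the attack gradient; and the effectiveness of the attack method is analyzed in comparison with other attack methods.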
Graph neural networks (GNNs) are vulnerable to adversarial attacks. Existing GNN adversarial attacks can be generalized as constructing contradictory training data. However, the existing methods based on the contradictory data hypothesis cannot explain well why false outputs could be generated when GNNs fit the training data well. Firstly, based on the discrepancy of the model parameters of GNNs before and after attack, a poisoning attack model is proposed taking the graph convolution network as a target. Secondly, a parameter difference metric, Cook distance, is proposed. The closed form solution of attack gradients is obtained for the first time, and an attack algorithm is given based on the idea of gradient descent and greedy algorithm. Finally, the rationality of the hypothesis of parameter discrepancy and the effectiveness of the proposed method are verified by experiments; the availability of gradients to discrete data of graph is verified; the correctness of the closed form solution of attack gradients is illustrated by a numerical example; the effectiveness of the attack method is analyzed compared with other attacks.
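The abstract borrows Cook's distance from statistical diagnostics as its measure of parameter discrepancy. The following added example (not code from the paper, and not its GCN formulation) shows the measure in its original linear-regression setting, where it flags the training point whose presence shifts the fitted parameters most; the data and all function names are constructed for illustration.

```python
# Added illustration: Cook's distance for simple linear regression y = b0 + b1*x.
# Data and function names are constructed for this example.

def fit(xs, ys):
    """Ordinary least squares; returns (b0, b1)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    b1 = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return my - b1 * mx, b1

def residual_variance(xs, ys, b0, b1, p=2):
    """s^2 = SSE / (n - p) for the full-data fit."""
    return sum((y - b0 - b1 * x) ** 2 for x, y in zip(xs, ys)) / (len(xs) - p)

def cook_by_refit(xs, ys, p=2):
    """D_i = (b_(i) - b)^T X^T X (b_(i) - b) / (p s^2), refitting without point i."""
    b0, b1 = fit(xs, ys)
    s2 = residual_variance(xs, ys, b0, b1, p)
    dists = []
    for i in range(len(xs)):
        c0, c1 = fit(xs[:i] + xs[i + 1:], ys[:i] + ys[i + 1:])
        d0, d1 = c0 - b0, c1 - b1
        # The quadratic form equals the summed squared change in fitted values.
        shift = sum((d0 + d1 * x) ** 2 for x in xs)
        dists.append(shift / (p * s2))
    return dists

def cook_closed_form(xs, ys, p=2):
    """Same quantity from residual e_i and leverage h_i, with no refitting."""
    n = len(xs)
    b0, b1 = fit(xs, ys)
    s2 = residual_variance(xs, ys, b0, b1, p)
    mx = sum(xs) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    dists = []
    for x, y in zip(xs, ys):
        e = y - b0 - b1 * x
        h = 1 / n + (x - mx) ** 2 / sxx
        dists.append(e * e * h / (p * s2 * (1 - h) ** 2))
    return dists

def most_influential(xs, ys):
    d = cook_closed_form(xs, ys)
    return max(range(len(d)), key=d.__getitem__)

# Constructed data: y is roughly 2x + 1, except the last label, which was altered.
XS = [0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0]
YS = [1.1, 2.9, 5.2, 6.8, 9.1, 11.0, 12.9, 5.0]
```

The refit and closed-form versions agree, which is the linear-model analogue of having a closed-form expression for how a single data change moves the parameters.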