Graph Agent Network: Empowering Nodes with Inference Capabilities for Adversarial Resilience
Ao Liu, Wenshan Li, Tao Li, Beibei Li, Guangquan Xu, Pan Zhou, Wengang Ma, Hanyuan Huang
TL;DR
The paper addresses vulnerabilities of graph neural networks to adversarial edge perturbations arising from global end-to-end training. It introduces Graph Agent Network (GAgN), a decentralized framework where each node is a 1-hop-view agent that learns embeddings, degree distributions, and neighbor relationships through restricted local communication to filter adversarial edges during classification. The authors prove that a single-hidden-layer MLP suffices for these tasks and demonstrate, through extensive experiments on real-world datasets, that GAgN achieves state-of-the-art accuracy under both primary and secondary edge-perturbation attacks. The approach offers a scalable, robust alternative to global-defense strategies by constraining information propagation and enabling distributed adversarial edge detection and filtering, with practical implications for secure graph-based learning in adversarial settings.
Abstract
End-to-end training with global optimization has popularized graph neural networks (GNNs) for node classification, yet it has inadvertently introduced vulnerabilities to adversarial edge-perturbing attacks. Adversaries can exploit the inherently open interfaces of GNNs' input and output, perturbing critical edges and thus manipulating the classification results. Current defenses, because they continue to rely on global-optimization-based end-to-end training schemes, inherit the vulnerabilities of GNNs. This is specifically evidenced in their inability to defend against targeted secondary attacks. In this paper, we propose the Graph Agent Network (GAgN) to address the aforementioned vulnerabilities of GNNs. GAgN is a graph-structured agent network in which each node is designed as a 1-hop-view agent. Through decentralized interactions, the agents learn to infer global perceptions and perform tasks including inferring embeddings, degrees and neighbor relationships for given nodes. This empowers nodes to filter adversarial edges while carrying out classification tasks. Furthermore, agents' limited view prevents malicious messages from propagating globally in GAgN, thereby resisting global-optimization-based secondary attacks. We prove that single-hidden-layer multilayer perceptrons (MLPs) are theoretically sufficient to achieve these functionalities. Experimental results show that GAgN effectively implements all its intended capabilities and, compared to state-of-the-art defenses, achieves optimal classification accuracy on the perturbed datasets.
