Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Collective Certified Robustness against Graph Injection Attacks

Yuni Lai, Bailin Pan, Kaihuang Chen, Yancheng Yuan, Kai Zhou

TL;DR

This paper tackles the problem of certified robustness for graph neural networks under graph injection attacks (GIAs) by introducing the first collective certification scheme that certifies a set of target nodes simultaneously. It formulates the certification as a worst-case budget-allocation problem and converts an NP-hard binary quadratic constrained program into tractable linear programs (Collective-LP1 and the more efficient Collective-LP2) through novel linearization techniques. The approach leverages the locality of message-passing GNNs and node-aware randomized smoothing to bound the influence of injected nodes, achieving substantial gains in the certified ratio (e.g., up to 81.2% on Citeseer with 5% injected nodes) while maintaining practical runtimes (~1 minute). Overall, the work delivers a practical, largely model-agnostic provable defense against GIAs and points to future improvements via tighter relaxations and deeper GNNs.

Abstract

We investigate certified robustness for GNNs under graph injection attacks. Existing research only provides sample-wise certificates by verifying each node independently, leading to very limited certifying performance. In this paper, we present the first collective certificate, which certifies a set of target nodes simultaneously. To achieve it, we formulate the problem as a binary integer quadratic constrained linear programming (BQCLP). We further develop a customized linearization technique that allows us to relax the BQCLP into linear programming (LP) that can be efficiently solved. Through comprehensive experiments, we demonstrate that our collective certification scheme significantly improves certification performance with minimal computational overhead. For instance, by solving the LP within 1 minute on the Citeseer dataset, we achieve a significant increase in the certified ratio from 0.0% to 81.2% when the injected node number is 5% of the graph size. Our step marks a crucial step towards making provable defense more practical.

Collective Certified Robustness against Graph Injection Attacks

TL;DR

This paper tackles the problem of certified robustness for graph neural networks under graph injection attacks (GIAs) by introducing the first collective certification scheme that certifies a set of target nodes simultaneously. It formulates the certification as a worst-case budget-allocation problem and converts an NP-hard binary quadratic constrained program into tractable linear programs (Collective-LP1 and the more efficient Collective-LP2) through novel linearization techniques. The approach leverages the locality of message-passing GNNs and node-aware randomized smoothing to bound the influence of injected nodes, achieving substantial gains in the certified ratio (e.g., up to 81.2% on Citeseer with 5% injected nodes) while maintaining practical runtimes (~1 minute). Overall, the work delivers a practical, largely model-agnostic provable defense against GIAs and points to future improvements via tighter relaxations and deeper GNNs.

Abstract

We investigate certified robustness for GNNs under graph injection attacks. Existing research only provides sample-wise certificates by verifying each node independently, leading to very limited certifying performance. In this paper, we present the first collective certificate, which certifies a set of target nodes simultaneously. To achieve it, we formulate the problem as a binary integer quadratic constrained linear programming (BQCLP). We further develop a customized linearization technique that allows us to relax the BQCLP into linear programming (LP) that can be efficiently solved. Through comprehensive experiments, we demonstrate that our collective certification scheme significantly improves certification performance with minimal computational overhead. For instance, by solving the LP within 1 minute on the Citeseer dataset, we achieve a significant increase in the certified ratio from 0.0% to 81.2% when the injected node number is 5% of the graph size. Our step marks a crucial step towards making provable defense more practical.
Paper Structure (47 sections, 6 theorems, 40 equations, 10 figures, 1 table, 3 algorithms)

This paper contains 47 sections, 6 theorems, 40 equations, 10 figures, 1 table, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background
  3. Graph Node Classification
  4. Message-Passing Graph Neural Networks
  5. Certified Robustness from Randomized Smoothing
  6. Problem Statements
  7. Threat Model: Graph Injection Attack
  8. Problem of Collective Certified Robustness
  9. Collective Certified Robustness
  10. Overview
  11. Condition for Certified Robustness
  12. Message interference event
  13. Bounding the change of prediction
  14. Certifying Condition
  15. Collective Certification as Optimization
  16. ...and 32 more sections

Key Result

Lemma 1

Let $A$ be the adjacency matrix of the perturbed graph with $\rho$ injected nodes, and the injected nodes are in the last $\rho$ rows and columns. With smoothing $p_n>0$ and $p_e>0$, we have the upper bound of $p(E_v)$: where $p_i:=1-(\bar{p}_e\bar{p}_n)^{i},\, \forall i\in\{1,2,\cdots,k\}$, and adjacency matrix $A$ contains the injected nodes encoded in the $(n+1)^{th}$ to $(n+\rho)^{th}$ row, a

Figures (10)

  • Figure 1: Illustration of collective certification.
  • Figure 2: Comparison of certified performance (More results with other parameters are shown in Appendix. \ref{['Sec:Appendix_D']}).
  • Figure 3: Trade-off between clean accuracy and certified ratio (More results with other $\rho$ are shown in Appendix. \ref{['Sec:Appendix_D']}).
  • Figure 4: Runtime comparison of LP collective models.
  • Figure 5: Certified ratio comparison between optimizing original BQCLP problem and relaxed LP problem.
  • ...and 5 more figures

Theorems & Definitions (12)

  • Lemma 1
  • proof
  • Lemma 2
  • proof
  • Theorem 1
  • proof
  • Corollary 1
  • proof
  • Lemma 1
  • proof
  • ...and 2 more