Bounding the Expected Robustness of Graph Neural Networks Subject to Node Feature Attacks

Yassine Abbahaddou, Sofiane Ennadir, Johannes F. Lutzeyer, Michalis Vazirgiannis, Henrik Boström

TL;DR

This work defines the concept of expected robustness for graph neural networks under node feature perturbations and derives theoretical $\gamma$-type upper bounds that link robustness to layer-weight norms and graph walk structure. Building on these insights, it introduces GCORN, a robust GCN variant that enforces approximate weight orthonormality to reduce sensitivity to feature perturbations, and it presents a model-agnostic probabilistic estimator to quantify $Adv^{\alpha,\beta}_{\epsilon}[f]$ in real-world settings. The paper extends the robustness analysis to other GNNs (e.g., GINs) and demonstrates, through extensive experiments on node and graph classification benchmarks, that GCORN achieves superior robustness compared with existing defenses while preserving accuracy. A probabilistic evaluation framework based on uniform sampling within an $\epsilon$-ball enables attack-agnostic robustness assessment and yields practical, certified robustness gains via smoothing-based certificates. Overall, the work provides theoretical guarantees, a robust architectural design, and a practical evaluation protocol for node-feature adversarial robustness in graph learning.

Abstract

Graph Neural Networks (GNNs) have demonstrated state-of-the-art performance in various graph representation learning tasks. Recently, studies revealed their vulnerability to adversarial attacks. In this work, we theoretically define the concept of expected robustness in the context of attributed graphs and relate it to the classical definition of adversarial robustness in the graph representation learning literature. Our definition allows us to derive an upper bound of the expected robustness of Graph Convolutional Networks (GCNs) and Graph Isomorphism Networks subject to node feature attacks. Building on these findings, we connect the expected robustness of GNNs to the orthonormality of their weight matrices and consequently propose an attack-independent, more robust variant of the GCN, called the Graph Convolutional Orthonormal Robust Networks (GCORNs). We further introduce a probabilistic method to estimate the expected robustness, which allows us to evaluate the effectiveness of GCORN on several real-world datasets. Experiments showed that GCORN outperforms available defense methods. Our code is publicly available at: https://github.com/Sennadir/GCORN.
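The sampling-based estimate and the effect of orthonormal weights described above can be tried on a toy model; the following is an added example, not the authors' GCORN code. Assumptions: only node features are perturbed, the $\epsilon$-ball is a Frobenius-norm ball, the estimate is the share of sampled perturbations whose output shift exceeds a threshold $\sigma$, Gram-Schmidt stands in for the paper's orthonormalisation, and the graph, features and weights are constructed.

```python
import math, random

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) for c in zip(*B)] for r in A]

def norm_adj(edges, n):  # D^-1/2 (A + I) D^-1/2, GCN propagation matrix, spectral norm <= 1
    A = [[float(i == j) for j in range(n)] for i in range(n)]
    for i, j in edges:
        A[i][j] = A[j][i] = 1.0
    d = [sum(r) for r in A]
    return [[A[i][j] / math.sqrt(d[i] * d[j]) for j in range(n)] for i in range(n)]

def orthonormalise(W):  # Gram-Schmidt on the columns of a square W, giving W^T W = I
    cols = []
    for c in map(list, zip(*W)):
        for q in cols:
            dot = sum(x * y for x, y in zip(c, q))
            c = [x - dot * y for x, y in zip(c, q)]
        nrm = math.sqrt(sum(x * x for x in c))
        cols.append([x / nrm for x in c])
    return [list(r) for r in zip(*cols)]

def gcn(A, X, weights):  # H <- relu(A H W) per layer; the last layer has no ReLU
    H = X
    for W in weights[:-1]:
        H = [[max(0.0, v) for v in r] for r in matmul(matmul(A, H), W)]
    return matmul(matmul(A, H), weights[-1])

def fro(A, B):
    return math.sqrt(sum((a - b) ** 2 for ra, rb in zip(A, B) for a, b in zip(ra, rb)))

def sample_ball(X, eps, rng):
    # uniform draw from the Frobenius eps-ball around X: Gaussian direction, radius eps*U^(1/dim)
    Z = [[rng.gauss(0, 1) for _ in r] for r in X]
    scale = eps * rng.random() ** (1 / (len(X) * len(X[0]))) / fro(Z, [[0.0] * len(X[0])] * len(X))
    return [[x + scale * z for x, z in zip(rx, rz)] for rx, rz in zip(X, Z)]

def estimate_adv(A, X, weights, eps, sigma, rng, n=500):
    # Monte Carlo estimate: share of sampled X' with ||f(X') - f(X)||_F > sigma
    base = gcn(A, X, weights)
    return sum(fro(gcn(A, sample_ball(X, eps, rng), weights), base) > sigma for _ in range(n)) / n

def demo(seed=0, eps=0.1, sigma=0.1):
    rng = random.Random(seed)
    A = norm_adj([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (1, 3)], 5)   # constructed graph
    X = [[rng.uniform(-1, 1) for _ in range(4)] for _ in range(5)]      # constructed features
    plain = [[[rng.gauss(0, 4) for _ in range(4)] for _ in range(4)] for _ in range(2)]
    orth = [orthonormalise(W) for W in plain]   # same directions, unit singular values
    return estimate_adv(A, X, plain, eps, sigma, rng), estimate_adv(A, X, orth, eps, sigma, rng)
```

With $\sigma = \epsilon$ the orthonormal model's estimate is exactly 0: the propagation matrix, ReLU and orthonormal weights are each 1-Lipschitz in Frobenius norm, so the output cannot move further than the input did.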

Paper Structure (41 sections, 10 theorems, 74 equations, 7 figures, 10 tables, 1 algorithm)

This paper contains 41 sections, 10 theorems, 74 equations, 7 figures, 10 tables, 1 algorithm.

Key Result

Lemma 3.2

Let $d^{\alpha, \beta}$ be a defined graph metric on the metric spaces $\mathcal{G}, \mathcal{X}$, and let $f: (\mathcal{G}, \mathcal{X}) \rightarrow \mathcal{Y}$ be a graph-based function. We have the following result: if $f$ is $((d^{\alpha, \beta}, \epsilon),( d_{\mathcal{Y}}, \gamma))$-robust, then

Figures (7)

  • Figure 1: (a) and (b) display $Adv^{\alpha, \beta}_{\epsilon}[f]$ for Cora and OGBN-Arxiv. (c) Robustness guarantees on Cora, where $r_a,r_d$ are respectively the maximum number of adversarial additions and deletions.
  • Figure 2: A toy example of how to randomly partition the set $[0,1]$ into $K=4$ parts such that the sum of the part lengths is 1. We first uniformly sample $3$ elements from $[0,1]$ and reorder them as $[p_1,p_2,p_3]$. Subsequently, we consider $\mathcal{O}_1 = [0,p_1], ~~\mathcal{O}_2= [p_4,p_3], ~~\mathcal{O}_3 = [p_4,p_3], ~~\mathcal{O}_4 = [1,p_4]$
  • Figure 3: Difference (in average and standard deviation) in output for the GCN and our GCORN when subject to random perturbations with different attack budgets for both (a) Cora and (b) CiteSeer. The right-hand side plots are on the log-scale.
  • Figure 4: The values of $Adv^{\alpha, \beta}_{\epsilon}[f]$ for the dataset Cora. The dotted line and the shaded region represent respectively the mean value and the standard deviation of $Adv^{\alpha, \beta}_{\epsilon}[f]$.
  • Figure 5: The values of $Adv^{\alpha, \beta}_{\epsilon}[f]$ and the theoretical upper bound $\gamma$ (cf. the paper's main-result theorem) for the dataset Cora using different values of $\sigma$. For this experiment, we used the values $\epsilon=0.1$ and $L_{max}=100$.
  • ...and 2 more figures

Theorems & Definitions (17)

  • Definition 3.1: Expected Adversarial Robustness
  • Lemma 3.2
  • Theorem 4.1
  • Theorem 4.2
  • Theorem 4.3
  • Lemma 5.1
  • Proposition A.1
  • proof
  • proof
  • Theorem
  • ...and 7 more