Untargeted Adversarial Attack on Knowledge Graph Embeddings

TL;DR

This work tackles the robustness of knowledge graph embeddings (KGE) under data perturbations by proposing untargeted adversarial attacks that do not assume knowledge of test triples or the attacked model. The approach leverages logic-rule extraction via NCRL to identify influential KG patterns and performs adversarial deletion of high-influence triples and adversarial addition by corrupting low-confidence rules to inject negative patterns, guided by a defined perturbation budget $\delta$. Experiments on FB15k-237 and WN18RR across seven KGE methods show the untargeted attacks effectively degrade global link prediction performance, with robustness patterns depending on model class and graph density; notably, TransE shows vulnerability to additions, while GNN-based models exhibit resilience linked to graph density. The study provides insights into how rule-based knowledge and KG structure interact with embedding learning, highlighting practical implications for building more robust KGE systems and guiding future exploration of high-level semantic perturbations.

Abstract

Knowledge graph embedding (KGE) methods have achieved great success in handling various knowledge graph (KG) downstream tasks. However, KGE methods may learn biased representations on low-quality KGs that are prevalent in the real world. Some recent studies propose adversarial attacks to investigate the vulnerabilities of KGE methods, but their attackers are target-oriented with the KGE method and the target triples to predict are given in advance, which lacks practicability. In this work, we explore untargeted attacks with the aim of reducing the global performances of KGE methods over a set of unknown test triples and conducting systematic analyses on KGE robustness. Considering logic rules can effectively summarize the global structure of a KG, we develop rule-based attack strategies to enhance the attack efficiency. In particular,we consider adversarial deletion which learns rules, applying the rules to score triple importance and delete important triples, and adversarial addition which corrupts the learned rules and applies them for negative triples as perturbations. Extensive experiments on two datasets over three representative classes of KGE methods demonstrate the effectiveness of our proposed untargeted attacks in diminishing the link prediction results. And we also find that different KGE methods exhibit different robustness to untargeted attacks. For example, the robustness of methods engaged with graph neural networks and logic rules depends on the density of the graph. But rule-based methods like NCRL are easily affected by adversarial addition attacks to capture negative rules

Figures (7)

• Figure 1: (a) Illustration of targeted and untargeted adversarial attacks on KGE. (b) Illustration of KG perturbation examples that can lead to positive rules missing and negative rules learned, respectively.
• Figure 2: The overall framework of our proposed untargeted adversarial attacks.
• Figure 3: The confidence distribution of different rule bodies and link prediction results of NCRL on different relations. ($\ast$) denotes the results under an addition attack. The hierarchy structure of the relations in FB15k-237 are simplified to its final split in (a); the relations _derivationally_related_form, _hypernym, _also_see and _member_meronym are marked as _drf, _hyp, _as and _mm in (b) for convenience.
• Figure 4: The comparison of robustness between different classes of KGE methods.
• Figure 5: Link prediction performances of KGEs under different perturbation ratios.