GraphMU: Repairing Robustness of Graph Neural Networks via Machine Unlearning

TL;DR

This paper proposes a repair framework, Repairing Robustness of Graph Neural Networks via Machine Unlearning (GraphMU), which aims to fine-tune poisoned GNN to forget adversarial samples without the need for complete retraining.

Abstract

Graph Neural Networks (GNNs) have demonstrated significant application potential in various fields. However, GNNs are still vulnerable to adversarial attacks. Numerous adversarial defense methods on GNNs are proposed to address the problem of adversarial attacks. However, these methods can only serve as a defense before poisoning, but cannot repair poisoned GNN. Therefore, there is an urgent need for a method to repair poisoned GNN. In this paper, we address this gap by introducing the novel concept of model repair for GNNs. We propose a repair framework, Repairing Robustness of Graph Neural Networks via Machine Unlearning (GraphMU), which aims to fine-tune poisoned GNN to forget adversarial samples without the need for complete retraining. We also introduce a unlearning validation method to ensure that our approach effectively forget specified poisoned data. To evaluate the effectiveness of GraphMU, we explore three fine-tuned subgraph construction scenarios based on the available perturbation information: (i) Known Perturbation Ratios, (ii) Known Complete Knowledge of Perturbations, and (iii) Unknown any Knowledge of Perturbations. Our extensive experiments, conducted across four citation datasets and four adversarial attack scenarios, demonstrate that GraphMU can effectively restore the performance of poisoned GNN.

Figures (8)

• Figure 1: Illustration of model repair framework and its difference from traditional adversarial defense methods adversarial training, robust model design, and graph purification.
• Figure 2: Illustration of GraphMU. Firstly, we use attack detection method to obtain anomalous nodes or edges. According to distinct scenarios of poisoned sample awareness, access to anomalous nodes is also different. Secondly, we construct fine-tuned subgraph based on these detected anomalous nodes or edges. Finally, we use constructed fine-tuned subgraph to optimize the parameters of the poisoned GNN.
• Figure 3: Anomaly detection methods used in this paper. (a)For node injection attacks, we use BWGNN to detect anomalous injected nodes. (b)For feature modification attacks, we identify the anomalous nodes by calculating the jaccard similarity between each node and its neighboring nodes. (c)For structure perturbation attacks, we compute the simrank similarity between each node and its neighboring nodes as a way to identify maliciously edges.
• Figure 4: The effectiveness of GraphMU in repairing the poisoned GCN under conditions of 2-hop fine-tuned subgraph and 5-round fine-tuning. (a) The effectiveness of GraphMU in repairing the poisoned GCN under Nettack. (b) The effectiveness of GraphMU in repairing the poisoned GCN under GANI. (c) The effectiveness of GraphMU in repairing the poisoned GCN under SGA. (d) The effectiveness of GraphMU in repairing the poisoned GCN under Min-Max.
• Figure 5: Visualization of Cora-ML distribution under Nettack. (a) Clean graph. (b) Graph including poisoned samples. (c) Graph including poisoned samples detected by anomaly detection under the limitations of number. (d) Graph including poisoned samples detected by anomaly detection