Understanding the Robustness of Graph Neural Networks against Adversarial Attacks

Tao Wu, Canyixing Cui, Xingping Xian, Shaojie Qiao, Chao Wang, Lin Yuan, Shui Yu

TL;DR

This work proposes a comprehensive empirical framework for analyzing the adversarial robustness of GNNs by considering the patterns of input graphs, the architecture of GNNs, and their model capacity, along with discussions on sensitive neurons and adversarial transferability.

Abstract

Recent studies have shown that graph neural networks (GNNs) are vulnerable to adversarial attacks, posing significant challenges to their deployment in safety-critical scenarios. This vulnerability has spurred a growing focus on designing robust GNNs. Despite this interest, current advancements have predominantly relied on empirical trial and error, resulting in a limited understanding of the robustness of GNNs against adversarial attacks. To address this issue, we conduct the first large-scale systematic study on the adversarial robustness of GNNs by considering the patterns of input graphs, the architecture of GNNs, and their model capacity, along with discussions on sensitive neurons and adversarial transferability. This work proposes a comprehensive empirical framework for analyzing the adversarial robustness of GNNs. To support the analysis of adversarial robustness in GNNs, we introduce two evaluation metrics: the confidence-based decision surface and the accuracy-based adversarial transferability rate. Through experimental analysis, we derive 11 actionable guidelines for designing robust GNNs, enabling model developers to gain deeper insights. The code of this study is available at https://github.com/star4455/GraphRE.

Paper Structure (39 sections, 16 equations, 10 figures, 5 tables)

Figures (10)

  • Figure 1: Adversarial robustness exploration framework of GNNs. (1) The adversarial robustness analysis of models trained on regular and irregular graph patterns. (2) The adversarial robustness analysis of models with different model architectures (${{\mathcal{M}}_1}$ vs. ${{\mathcal{M}}_2}$), as well as the impact of adversarial attacks on sensitive neurons. (3) The adversarial robustness analysis of models with different model capacities (${{\mathcal{M}}_2}$ vs. ${{\mathcal{M}}_2}'$).
  • Figure 2: Illustration of GCN's decision boundaries on Cora. (a) Decision boundaries of GCN. (b) Decision boundaries of GCN under Mettack with 5% perturbation. (c) Decision boundaries before and after adversarial attack.
  • Figure 3: Artificial graphs with different structural regularities.
  • Figure 4: Accuracy of GNNs under Mettack with 5% perturbation rate on Cora. The output spaces of the classification models are visualized using t-SNE. Colors represent different class labels; color separation shows the effectiveness of the models.
  • Figure 5: Heatmap visualization of GNNs' layer-2 node representations on 25 perturbed nodes under 5% Mettack. Rows in each subfigure represent perturbed nodes, and columns represent feature dimensions from the second (hidden) layer. Darker colors indicate higher activation values. More consistent and smoother activation distributions indicate stronger adversarial robustness.
  • ...and 5 more figures