Countering adversarial perturbations in graphs using error correcting codes

Saif Eddin Jabari

TL;DR

This work addresses safeguarding graph-based inputs for GNNs against adversarial edge perturbations by introducing a sender-side repetition encoding $\mathbf{t} = \mathbf{s} \otimes \mathbf{1}_K$ with defender-added randomness and a receiver-side majority-voting decoder. The authors derive a probabilistic bound on the required number of repetitions $K$ to achieve a target reconstruction accuracy, prove an unbiased estimator for the decoding success probability, and provide a concentration guarantee via McDiarmid's inequality. Empirically, the method reliably reconstructs Erdős-Rényi graphs with relatively small $K$, while Barabási-Albert graphs (scale-free) demand larger $K$ due to topology, highlighting the impact of network structure on robustness. The approach complements randomized smoothing by enabling input correction under unknown attack strategies and suggests future topology-aware enhancements for scale-free networks.

Abstract

We consider the problem of a graph subjected to adversarial perturbations, such as those arising from cyber-attacks, where edges are covertly added or removed. The adversarial perturbations occur during the transmission of the graph between a sender and a receiver. To counteract potential perturbations, this study explores a repetition coding scheme with sender-assigned noise and majority voting on the receiver's end to rectify the graph's structure. The approach operates without prior knowledge of the attack's characteristics. We analytically derive a bound on the number of repetitions needed to satisfy probabilistic constraints on the quality of the reconstructed graph. The method can accurately and effectively decode Erdős-Rényi graphs that were subjected to non-random edge removal, namely, those connected to vertices with the highest eigenvector centrality, in addition to random addition and removal of edges by the attacker. The method is also effective against attacks on large scale-free graphs generated using the Barabási-Albert model but requires a larger number of repetitions than needed to correct Erdős-Rényi graphs.
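The pipeline described above (vectorize, repeat $K$ times with sender noise $\nu$, perturb each copy, majority-vote) can be simulated end to end in a few lines. This is an added example, not the paper's code: the function names, the flip probability `p_flip`, the tie rule in `decode`, the graph parameters in `run`, and the assumption that each copy is attacked independently are all choices made for this illustration.

```python
import random
from itertools import combinations

def vectorize(adj):
    """A -> s: upper-triangle bits, N = |V|(|V|-1)/2 (6 vertices give N = 15)."""
    return [adj[i][j] for i, j in combinations(range(len(adj)), 2)]

def encode(s, K, nu, rng):
    """(s ⊗ 1_K) ⊕ ζ: K copies of s, each bit flipped by the sender w.p. nu."""
    return [[b ^ (rng.random() < nu) for b in s] for _ in range(K)]

def top_vertex(copy, pairs, n, iters=50):
    """Eigenvector centrality by power iteration on A + I (shift avoids oscillation)."""
    x = [1.0] * n
    for _ in range(iters):
        y = x[:]
        for bit, (i, j) in zip(copy, pairs):
            if bit:
                y[i], y[j] = y[i] + x[j], y[j] + x[i]
        m = max(y)
        x = [v / m for v in y]
    return max(range(n), key=x.__getitem__)

def attack(copy, n, p_flip, rng):
    """Constructed channel: drop the most central vertex's edges, flip the rest w.p. p_flip."""
    pairs = list(combinations(range(n), 2))
    hub = top_vertex(copy, pairs, n)
    return [0 if hub in e else b ^ (rng.random() < p_flip)
            for b, e in zip(copy, pairs)]

def decode(received):
    """Majority vote per edge slot; a tie decodes to 'no edge' (this example's choice)."""
    return [int(2 * sum(col) > len(received)) for col in zip(*received)]

def error_rate(s_hat, s):  # (1/N) * ||s_hat - s||_1 for binary vectors
    return sum(a != b for a, b in zip(s_hat, s)) / len(s)

def run(n=30, p_edge=0.2, K=9, nu=0.01, p_flip=0.02, seed=1):
    """Erdős-Rényi graph -> encode -> attack -> decode; returns (voted error, one-copy error)."""
    rng = random.Random(seed)
    adj = [[0] * n for _ in range(n)]
    for i, j in combinations(range(n), 2):
        adj[i][j] = adj[j][i] = int(rng.random() < p_edge)
    s = vectorize(adj)
    received = [attack(c, n, p_flip, rng) for c in encode(s, K, nu, rng)]
    return error_rate(decode(received), s), error_rate(received[0], s)

if __name__ == "__main__":
    print(run())
```

Varying `K` and `nu` in `run` shows how the voted error moves relative to the error of a single received copy.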

Paper Structure (12 sections, 51 equations, 11 figures)

Figures (11)

  • Figure 1: An illustration of the proposed graph encoding and decoding schemes. The adjacency matrix $A$ is first vectorized $A \mapsto \mathbf{s}$. $K$ copies of $\mathbf{s}$ are transmitted, each randomly perturbed by the sender $\mathbf{s} \mapsto (\mathbf{s} \otimes \mathbf{1}_K) \oplus \vec{\zeta}$. The $K$ graphs undergo adversarial perturbation by attackers. The nature of the attack is not known to the defenders. In the illustration, the attacker removes all edges attached to the vertex with the highest eigenvector centrality and randomly removes and adds other edges to the graph. Finally, the receiver applies majority voting on the perturbed graphs to reconstruct an estimate of the adjacency matrix $\widehat{A}$. Solid blue edges in the figure are randomly added edges, and dashed red edges are edges removed from the graph.
  • Figure 2: An example graph with $|\mathcal{V}| = 6 \Rightarrow N = 15$. Clearly, the relationship between $A$ and $\mathbf{s}$ is one-to-one, that is, given $A$, one calculates a unique vectorization $\mathbf{s}$, and vice versa. The two representations are, thus, equivalent. We use the vector representation to simplify the mathematical exposition.
  • Figure 3: $K$ versus $N$ and $\eta$ for $\epsilon_{\rm tol} = 0.025$.
  • Figure 4: Empirical probability density functions of $\frac{1}{N} \| \widehat{\mathbf{s}}_K - \mathbf{s} \|_1$ for different values of $K$, calculated using kernel density estimators, $\widehat{f}_{h,M}$, over $M=1000$ randomly simulated graphs, attacked, and reconstructed using the proposed approach. In all cases, $h = 0.005$ to avoid negative probabilities. We employed a mild sender-assigned perturbation of $\nu = 0.01$. For $N=1000$, (a), we observe that $\widehat{f}_{h,M}$ ceases to change after $K=4$, indicating that larger graphs require fewer repetitions to correct. For $N = 100$ and $N=50$, (b) and (c), respectively, we observe slight oscillatory behavior in $\widehat{f}_{h,M}$. The distributions stabilize after $K = 6$ in (b) and $K = 14$ in (c). The peaks in the stable distributions are approximately (a) $\rho_{\rm peak} \approx 0.003$, (b) $\rho_{\rm peak} \approx 0.03$, (c) $\rho_{\rm peak} \approx 0.07$.
  • Figure 5: Top view of $\widehat{f}_{h,M}$ for $N=100$. (a) When $\nu = 0.01$, we see that $\widehat{f}_{h,M}$ stabilizes at $K=6$ with a peak around $\rho_{\rm peak} = 0.03$. (b) When $\nu = 0.1$, we see that $\widehat{f}_{h,M}$ stabilizes late (around $K=12$) but at a smaller peak around $\rho_{\rm peak} = 0.01$.
  • ...and 6 more figures