Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Relaxing Graph Transformers for Adversarial Attacks

Philipp Foth, Lukas Gosch, Simon Geisler, Leo Schwinn, Stephan Günnemann

TL;DR

This work addresses the vulnerability of Graph Transformers (GTs) to adversarial graph perturbations, an area previously explored mainly for MPNNs. It proposes principled continuous relaxations of GT components (Positional Encodings and attention) to enable gradient-based adaptive attacks and extends the attack surface with Node Injection Attacks (NIA) using a PRBCD-based optimization framework. The authors implement architecture-specific relaxations for three GT backbones—GRIT, Graphormer, and SAN—and evaluate robustness on node-classification and graph-classification tasks, revealing that GTs can be highly fragile and that robustness is not uniform across architectures or datasets. The findings highlight the necessity for adaptive attack strategies and robust GT design to ensure reliable deployment in real-world applications.

Abstract

Existing studies have shown that Graph Neural Networks (GNNs) are vulnerable to adversarial attacks. Even though Graph Transformers (GTs) surpassed Message-Passing GNNs on several benchmarks, their adversarial robustness properties are unexplored. However, attacking GTs is challenging due to their Positional Encodings (PEs) and special attention mechanisms which can be difficult to differentiate. We overcome these challenges by targeting three representative architectures based on (1) random-walk PEs, (2) pair-wise-shortest-path PEs, and (3) spectral PEs - and propose the first adaptive attacks for GTs. We leverage our attacks to evaluate robustness to (a) structure perturbations on node classification; and (b) node injection attacks for (fake-news) graph classification. Our evaluation reveals that they can be catastrophically fragile and underlines our work's importance and the necessity for adaptive attacks.

Relaxing Graph Transformers for Adversarial Attacks

TL;DR

This work addresses the vulnerability of Graph Transformers (GTs) to adversarial graph perturbations, an area previously explored mainly for MPNNs. It proposes principled continuous relaxations of GT components (Positional Encodings and attention) to enable gradient-based adaptive attacks and extends the attack surface with Node Injection Attacks (NIA) using a PRBCD-based optimization framework. The authors implement architecture-specific relaxations for three GT backbones—GRIT, Graphormer, and SAN—and evaluate robustness on node-classification and graph-classification tasks, revealing that GTs can be highly fragile and that robustness is not uniform across architectures or datasets. The findings highlight the necessity for adaptive attack strategies and robust GT design to ensure reliable deployment in real-world applications.

Abstract

Existing studies have shown that Graph Neural Networks (GNNs) are vulnerable to adversarial attacks. Even though Graph Transformers (GTs) surpassed Message-Passing GNNs on several benchmarks, their adversarial robustness properties are unexplored. However, attacking GTs is challenging due to their Positional Encodings (PEs) and special attention mechanisms which can be difficult to differentiate. We overcome these challenges by targeting three representative architectures based on (1) random-walk PEs, (2) pair-wise-shortest-path PEs, and (3) spectral PEs - and propose the first adaptive attacks for GTs. We leverage our attacks to evaluate robustness to (a) structure perturbations on node classification; and (b) node injection attacks for (fake-news) graph classification. Our evaluation reveals that they can be catastrophically fragile and underlines our work's importance and the necessity for adaptive attacks.
Paper Structure (11 sections, 23 equations, 5 figures, 5 tables)

This paper contains 11 sections, 23 equations, 5 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Graph transformer relaxations
  4. Node injection attack
  5. Results
  6. Related work
  7. Graph transformers
  8. Node injection attack
  9. Evaluation details
  10. Additional results
  11. Limitations

Figures (5)

  • Figure 1: The classification accuracy for different GNNs with varying attack budget on the two UPFD Twitter fake news datasets (graph classification, node injection attacks) and CLUSTER (node classification, structure attack). The strongest attack for each budget is shown.
  • Figure 2: Generic GT architecture.
  • Figure 3: CLUSTER attack results.
  • Figure 4: CLUSTER constrained attack results.
  • Figure 5: Attack results for the UPFD twitter datasets politifact (pol.) and gossipcop (gos.).