Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Debiased Graph Poisoning Attack via Contrastive Surrogate Objective

Kanghoon Yoon, Yeonjun In, Namkyeong Lee, Kibum Kim, Chanyoung Park

TL;DR

The paper addresses the vulnerability of Graph Neural Networks to adversarial graph-structure perturbations and reveals a bias in existing meta-gradient attacks toward training nodes. It introduces Metacon, a meta-gradient attack that uses a contrastive surrogate objective to include unlabeled nodes in surrogate training, thereby expanding the attack surface to UU edges and reducing bias. Two concrete instantiations, Metacon-S (sample contrastive) and Metacon-D (dimension contrastive), pair with a cross-entropy goal to effectively degrade victim GNNs across datasets and models, including robust defenses. Experimental results across benchmark graphs show Metacon outperforms prior meta-gradient methods, demonstrating the practical impact of bias mitigation for graph poisoning attacks and suggesting new directions for defense research.

Abstract

Graph neural networks (GNN) are vulnerable to adversarial attacks, which aim to degrade the performance of GNNs through imperceptible changes on the graph. However, we find that in fact the prevalent meta-gradient-based attacks, which utilizes the gradient of the loss w.r.t the adjacency matrix, are biased towards training nodes. That is, their meta-gradient is determined by a training procedure of the surrogate model, which is solely trained on the training nodes. This bias manifests as an uneven perturbation, connecting two nodes when at least one of them is a labeled node, i.e., training node, while it is unlikely to connect two unlabeled nodes. However, these biased attack approaches are sub-optimal as they do not consider flipping edges between two unlabeled nodes at all. This means that they miss the potential attacked edges between unlabeled nodes that significantly alter the representation of a node. In this paper, we investigate the meta-gradients to uncover the root cause of the uneven perturbations of existing attacks. Based on our analysis, we propose a Meta-gradient-based attack method using contrastive surrogate objective (Metacon), which alleviates the bias in meta-gradient using a new surrogate loss. We conduct extensive experiments to show that Metacon outperforms existing meta gradient-based attack methods through benchmark datasets, while showing that alleviating the bias towards training nodes is effective in attacking the graph structure.

Debiased Graph Poisoning Attack via Contrastive Surrogate Objective

TL;DR

The paper addresses the vulnerability of Graph Neural Networks to adversarial graph-structure perturbations and reveals a bias in existing meta-gradient attacks toward training nodes. It introduces Metacon, a meta-gradient attack that uses a contrastive surrogate objective to include unlabeled nodes in surrogate training, thereby expanding the attack surface to UU edges and reducing bias. Two concrete instantiations, Metacon-S (sample contrastive) and Metacon-D (dimension contrastive), pair with a cross-entropy goal to effectively degrade victim GNNs across datasets and models, including robust defenses. Experimental results across benchmark graphs show Metacon outperforms prior meta-gradient methods, demonstrating the practical impact of bias mitigation for graph poisoning attacks and suggesting new directions for defense research.

Abstract

Graph neural networks (GNN) are vulnerable to adversarial attacks, which aim to degrade the performance of GNNs through imperceptible changes on the graph. However, we find that in fact the prevalent meta-gradient-based attacks, which utilizes the gradient of the loss w.r.t the adjacency matrix, are biased towards training nodes. That is, their meta-gradient is determined by a training procedure of the surrogate model, which is solely trained on the training nodes. This bias manifests as an uneven perturbation, connecting two nodes when at least one of them is a labeled node, i.e., training node, while it is unlikely to connect two unlabeled nodes. However, these biased attack approaches are sub-optimal as they do not consider flipping edges between two unlabeled nodes at all. This means that they miss the potential attacked edges between unlabeled nodes that significantly alter the representation of a node. In this paper, we investigate the meta-gradients to uncover the root cause of the uneven perturbations of existing attacks. Based on our analysis, we propose a Meta-gradient-based attack method using contrastive surrogate objective (Metacon), which alleviates the bias in meta-gradient using a new surrogate loss. We conduct extensive experiments to show that Metacon outperforms existing meta gradient-based attack methods through benchmark datasets, while showing that alleviating the bias towards training nodes is effective in attacking the graph structure.
Paper Structure (34 sections, 1 theorem, 5 equations, 6 figures, 8 tables)

This paper contains 34 sections, 1 theorem, 5 equations, 6 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Related Works
  3. Adversarial Attacks on GNNs
  4. Targeted and Untargeted attack
  5. Attacker's Knowledge
  6. Problem Formulation
  7. On Meta-gradient-based Attack
  8. Revisiting Meta-gradient-based Attack
  9. Investigating Meta-gradient
  10. Empirical Study
  11. Bias-mitigated Meta-gradient-based Attack
  12. Overview
  13. Meta Attack via Contrastive Surrogate Objective
  14. Sample Contrastive Surrogate Objective (Metacon-S)
  15. Dimension Contrastive Surrogate Objective (Metacon-D)
  16. ...and 19 more sections

Key Result

theorem 1

Assume that a surrogate model $f_\theta (\cdot)$ consists of multiple GCN layers without non-linear activation, and the mean of the probabilities obtained from $p_u$ and $\hat{p}_u$ is the same. When the node classes are balanced, $\mathcal{L}_{\text{s-con}}$ is the upper bound of the cross entropy.

Figures (6)

  • Figure 1: The adjacency matrix of 5% perturbed Citeseer dataset. Red represents the flipped edges. The gray represents the original edges.
  • Figure 2: (a) The ratio of flipped edges for each edge set. A large value means attacks are biased. (b) The ratio of flipped edges over various portions of training nodes. (c) $L_1$ norm visualization of (i) $\nabla_{\mathbf{A}} f_{\theta_T}(\mathbf{A}, \mathbf{X})$ and (ii) $\sum_{t=1}^{T} \nabla_{\mathbf{A}}\nabla_{\theta_{t}} \mathcal{L}_{\text{sur}}$ when $T=10$ in Eqn. \ref{['eq:meta-grad']}. (d) Node classification accuracy of MetaAttack and MetaAttack-No. Citeseer dataset is used for the experiments.
  • Figure 3: Node classification accuracy over perturbation ratios under the strong transfer scenario.
  • Figure 4: Node classification accuracy over perturbation ratios on large-scale networks under the strong transfer scenario. Amazon Photo and Computers datasets are used.
  • Figure 5: Number of flipped edges on Cora and Citeseer datasets when MetaAttack and Metacon-S are applied.
  • ...and 1 more figures

Theorems & Definitions (1)

  • theorem 1