AGNNCert: Defending Graph Neural Networks against Arbitrary Perturbations with Deterministic Certification

Jiate Li, Binghui Wang

TL;DR

We address the vulnerability of GNNs to adversarial perturbations across edges, nodes, and features by proposing AGNNCert, a deterministic certified defense applicable to both node and graph classification. AGNNCert employs a voting-based ensemble over subgraphs generated by edge-centric and node-centric graph division strategies, and establishes a formal sufficient condition that bounds the number of altered subgraph predictions under arbitrary perturbations. The method subsumes existing certified defenses as special cases and demonstrates competitive or superior performance on standard benchmarks and real-world datasets, at the cost of scalable overhead tied to the number of subgraphs. This work enables provable robustness for practical GNN deployments and provides a foundation for future improvements in certifiable graph learning.

Abstract

Graph neural networks (GNNs) achieve the state-of-the-art on graph-relevant tasks such as node and graph classification. However, recent works show GNNs are vulnerable to adversarial perturbations, including perturbations on edges, nodes, and node features, the three components forming a graph. Empirical defenses against such attacks are soon broken by adaptive ones. While certified defenses offer robustness guarantees, they face several limitations: 1) almost all restrict the adversary's capability to only one type of perturbation, which is impractical; 2) all are designed for a particular GNN task, which limits their applicability; and 3) the robustness guarantees of all methods except one are not 100% accurate. We address all these limitations by developing AGNNCert, the first certified defense for GNNs against arbitrary (edge, node, and node feature) perturbations with deterministic robustness guarantees, and applicable to the two most common node and graph classification tasks. AGNNCert also encompasses existing certified defenses as special cases. Extensive evaluations on multiple benchmark node/graph classification datasets, two real-world graph datasets, and multiple GNNs validate the effectiveness of AGNNCert to provably defend against arbitrary perturbations. AGNNCert also shows its superiority over the state-of-the-art certified defenses against the individual edge perturbation and node perturbation.

Paper Structure

This paper contains 25 sections, 11 theorems, 21 equations, 26 figures, 6 tables.

Key Result

Theorem 1

Let $y_a, y_b, c_{y_a}, c_{y_b}$ be defined above in node classification or graph classification, and let $M = {\lfloor c_{y_a}-c_{y_b}-\mathbb{I}(y_{a}>y_{b})\rfloor} / {2}$. The voting classifier $\bar{f}$ guarantees the same prediction on both $G'$ and $G$ for the target node $v$ in node classifi

Figures (26)

  • Figure 1: Overview of our AGNNCert (using node classification for illustration), which consists of three steps. Assume we are given an input graph $G$, a GNN node classifier $f$, and a target node $v$ with label $y_v$ for classification. Step I: it divides $G$ into a set of (e.g., 4) subgraphs via the proposed Edge-Centric Graph Division or Node-Centric Graph Division strategy. Step II: it builds a voting node classifier $\bar{f}$ based on all the subgraphs. Specifically, the classes that $f$ predicts for the target node on the subgraphs are treated as votes, and $\bar{f}$ returns the class with the most votes as the final prediction. Step III: it derives the certified perturbation size $M$ for $\bar{f}$ against arbitrary perturbations with a deterministic (100%) guarantee.
  • Figure 2: Illustration of our edge-centric and node-centric graph division strategies for node classification. We use edge injection and node injection attacks to show the bounded number of altered predictions on the generated subgraphs after the attack. To summarize: 1 injected edge affects at most 1 subgraph prediction in both graph division strategies. In contrast, 1 injected node with, e.g., $3$ injected edges can affect (at most) 3 subgraph predictions with edge-centric graph division, but at most 1 subgraph prediction with node-centric graph division. Further figures in the Appendix show other attacks and the graph classification case.
  • Figure 3: Certified node accuracy of our AGNNCert-E w.r.t. the number of subgraphs $T$.
  • Figure 4: Certified node accuracy of our AGNNCert-N w.r.t. the number of subgraphs $T$.
  • Figure 5: Certified graph accuracy of our AGNNCert-E w.r.t. the number of subgraphs $T$.
  • ...and 21 more figures
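
Added example (not code from the paper or its authors): the voting classifier and certification check of Figure 1 (Steps II and III) and Theorem 1, applied to the Figure 2 bounds for one injected node with 3 edges. The vote list, the function names and the smaller-index tie-break are assumptions; the check uses the largest integer not exceeding $M$, and an exhaustive search confirms it on the constructed votes.

```python
from collections import Counter
from itertools import combinations, product

def vote(votes, num_classes):
    """Return (y_a, c_a, y_b, c_b): winner and runner-up of the subgraph votes.
    Assumed tie-break: the smaller class index wins, which is what the
    indicator term I(y_a > y_b) in Theorem 1 accounts for."""
    counts = Counter(votes)
    # Rank every class (zero-vote ones too) by descending count, then index.
    ranked = sorted(range(num_classes), key=lambda y: (-counts[y], y))
    y_a, y_b = ranked[0], ranked[1]
    return y_a, counts[y_a], y_b, counts[y_b]

def certified_size(votes, num_classes):
    """Largest integer number of altered subgraph predictions within M."""
    y_a, c_a, y_b, c_b = vote(votes, num_classes)
    margin = c_a - c_b - (1 if y_a > y_b else 0)
    return margin // 2

def is_certified(votes, num_classes, altered_bound):
    """True if a perturbation altering at most altered_bound votes is covered."""
    return altered_bound <= certified_size(votes, num_classes)

def prediction_survives(votes, num_classes, m):
    """Exhaustive check: alter every choice of m votes in every possible way."""
    y_a = vote(votes, num_classes)[0]
    for idx in combinations(range(len(votes)), m):
        for new in product(range(num_classes), repeat=m):
            trial = list(votes)
            for i, y in zip(idx, new):
                trial[i] = y
            if vote(trial, num_classes)[0] != y_a:
                return False
    return True

# Constructed votes of f for one target node on T = 8 subgraphs, 3 classes.
VOTES = [2, 2, 2, 2, 2, 0, 0, 1]

if __name__ == "__main__":
    print("prediction, c_a, runner-up, c_b:", vote(VOTES, 3))
    print("certified size:", certified_size(VOTES, 3))
    # Figure 2: one injected node with 3 edges alters at most 3 subgraph
    # predictions under edge-centric division, at most 1 under node-centric.
    print("edge-centric certified:", is_certified(VOTES, 3, 3))
    print("node-centric certified:", is_certified(VOTES, 3, 1))
    print("survives 1 altered vote:", prediction_survives(VOTES, 3, 1))
    print("survives 2 altered votes:", prediction_survives(VOTES, 3, 2))
```

On these votes the same injected node is certified under the node-centric bound but not under the edge-centric one, which is the practical consequence of the difference Figure 2 describes.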

Theorems & Definitions (15)

  • Theorem 1: Sufficient Condition for Certified Robustness
  • Theorem 2
  • proof
  • Theorem 3
  • Theorem 4
  • proof
  • Theorem 5: Bounded Number of Edge-Centric Subgraphs with Altered Predictions under Arbitrary Perturbation
  • Theorem 6: Certified Robustness Guarantee with Edge-Centric Subgraphs against Arbitrary Perturbation
  • Theorem 7
  • proof
  • ...and 5 more