Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Robust Graph Learning Against Adversarial Evasion Attacks via Prior-Free Diffusion-Based Structure Purification

Jiayi Luo, Qingyun Sun, Haonan Yuan, Xingcheng Fu, Jianxin Li

TL;DR

DiffSP introduces a prior-free framework that purifies adversarially attacked graphs by learning the intrinsic distribution of clean graphs via a structured diffusion process. The forward diffusion adds controlled, edge-specific noise guided by Local Intrinsic Dimensionality, while the reverse denoising is steered by Graph Transfer Entropy to preserve semantic alignment with the target clean graph. By combining a diffusion-based purification backbone with LID-driven non-isotropic noise and entropy-guided denoising, DiffSP achieves universal robustness across diverse datasets and attack types without relying on dataset- or attack-specific priors. The approach is validated on graph and node classification tasks, showing superior robustness and promising cross-dataset generalization, with insights into purification step count and guidance scale. Overall, DiffSP offers a principled, prior-free pathway for robust graph learning under evasion attacks, with potential extensions to feature perturbations and efficiency improvements.

Abstract

Adversarial evasion attacks pose significant threats to graph learning, with lines of studies that have improved the robustness of Graph Neural Networks (GNNs). However, existing works rely on priors about clean graphs or attacking strategies, which are often heuristic and inconsistent. To achieve robust graph learning over different types of evasion attacks and diverse datasets, we investigate this problem from a prior-free structure purification perspective. Specifically, we propose a novel Diffusion-based Structure Purification framework named DiffSP, which creatively incorporates the graph diffusion model to learn intrinsic distributions of clean graphs and purify the perturbed structures by removing adversaries under the direction of the captured predictive patterns without relying on priors. DiffSP is divided into the forward diffusion process and the reverse denoising process, during which structure purification is achieved. To avoid valuable information loss during the forward process, we propose an LID-driven nonisotropic diffusion mechanism to selectively inject noise anisotropically. To promote semantic alignment between the clean graph and the purified graph generated during the reverse process, we reduce the generation uncertainty by the proposed graph transfer entropy guided denoising mechanism. Extensive experiments demonstrate the superior robustness of DiffSP against evasion attacks.

Robust Graph Learning Against Adversarial Evasion Attacks via Prior-Free Diffusion-Based Structure Purification

TL;DR

DiffSP introduces a prior-free framework that purifies adversarially attacked graphs by learning the intrinsic distribution of clean graphs via a structured diffusion process. The forward diffusion adds controlled, edge-specific noise guided by Local Intrinsic Dimensionality, while the reverse denoising is steered by Graph Transfer Entropy to preserve semantic alignment with the target clean graph. By combining a diffusion-based purification backbone with LID-driven non-isotropic noise and entropy-guided denoising, DiffSP achieves universal robustness across diverse datasets and attack types without relying on dataset- or attack-specific priors. The approach is validated on graph and node classification tasks, showing superior robustness and promising cross-dataset generalization, with insights into purification step count and guidance scale. Overall, DiffSP offers a principled, prior-free pathway for robust graph learning under evasion attacks, with potential extensions to feature perturbations and efficiency improvements.

Abstract

Adversarial evasion attacks pose significant threats to graph learning, with lines of studies that have improved the robustness of Graph Neural Networks (GNNs). However, existing works rely on priors about clean graphs or attacking strategies, which are often heuristic and inconsistent. To achieve robust graph learning over different types of evasion attacks and diverse datasets, we investigate this problem from a prior-free structure purification perspective. Specifically, we propose a novel Diffusion-based Structure Purification framework named DiffSP, which creatively incorporates the graph diffusion model to learn intrinsic distributions of clean graphs and purify the perturbed structures by removing adversaries under the direction of the captured predictive patterns without relying on priors. DiffSP is divided into the forward diffusion process and the reverse denoising process, during which structure purification is achieved. To avoid valuable information loss during the forward process, we propose an LID-driven nonisotropic diffusion mechanism to selectively inject noise anisotropically. To promote semantic alignment between the clean graph and the purified graph generated during the reverse process, we reduce the generation uncertainty by the proposed graph transfer entropy guided denoising mechanism. Extensive experiments demonstrate the superior robustness of DiffSP against evasion attacks.

Paper Structure

This paper contains 33 sections, 2 theorems, 17 equations, 6 figures, 7 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Notations and Problem Formulation
  4. DiffSP
  5. Graph Diffusion Purification Model
  6. LID-Driven Non-Isotropic Diffusion Mechanism
  7. Graph Transfer Entropy Guided Denoising Mechanism
  8. Training Pipeline of DiffSP
  9. Experiment
  10. Adversarial Robustness
  11. Ablation Study
  12. Study on Cross-Dataset Generalization
  13. Study on Purification Steps
  14. Study on Scale of Graph Transfer Entropy
  15. Graph Purification Visualization
  16. ...and 18 more sections

Key Result

Proposition 1

For each edge at time $t$, the adjacency matrix is updated as $\mathbf{A}^{(t)}_{ij} =\mathbf{A}_{ij}(\bar{\mathbf{Q}}^{\prime(t)}_{\mathbf{A}})_{ij}$, where the non-isotropic transition matrix is $(\bar{\mathbf{Q}}_{\mathbf{A}}^{\prime(t)})_{ij} = \bar{\alpha}^{(t)} \mathbf{I} + (\boldsymbol{\Lambd

Figures (6)

  • Figure 1: Comparison of existing robust GNNs and DiffSP. Existing robust GNNs rely on priors that limit adaptability, while DiffSP is prior-free with universal robustness.
  • Figure 2: The overall architecture of DiffSP. DiffSP first employs a diffusion model to learn the predictive patterns of clean graphs. Then for the adversarial graph under evasion attack: 1) DiffSP injects non-isotropic noise by adjusting the diffusion time for each edge based on its adversarial degree, determined by LID. 2) During the generation process, DiffSP reduces uncertainty and guides the generation toward the target clean graph by maximizing the transfer entropy between two successive time steps.
  • Figure 3: Ablation Study
  • Figure 4: Purification Steps Study
  • Figure 5: Guide Scale Study
  • ...and 1 more figures

Theorems & Definitions (2)

  • Proposition 1
  • Proposition 1