Deterministic Certification of Graph Neural Networks against Graph Poisoning Attacks with Arbitrary Perturbations

Jiate Li, Meng Pang, Yun Dong, Binghui Wang

TL;DR

PGNNCert introduces a deterministic certified defense against graph poisoning attacks for both node and graph classification. The method builds an ensemble of subgraph classifiers derived from two graph-division strategies (edge-centric and node-centric), combined via majority voting to certify predictions under arbitrary perturbations up to a computable bound P. The defense unifies and surpasses prior certified defenses by accommodating multiple perturbation types and attaining 100% guarantees, demonstrated across diverse datasets and GNN backbones. Empirical results show PGNNCert achieves higher certified robustness than state-of-the-art baselines, with an explicit trade-off between the number of subgraphs S and clean accuracy, and practical considerations discussed for scalability and future extensions.

Abstract

Graph neural networks (GNNs) are becoming the de facto method to learn on the graph data and have achieved the state-of-the-art on node and graph classification tasks. However, recent works show GNNs are vulnerable to training-time poisoning attacks -- marginally perturbing edges, nodes, or/and node features of training graph(s) can largely degrade GNNs' testing performance. Most previous defenses against graph poisoning attacks are empirical and are soon broken by adaptive / stronger ones. A few provable defenses provide robustness guarantees, but have large gaps when applied in practice: 1) restrict the attacker on only one type of perturbation; 2) design for a particular GNN architecture or task; and 3) robustness guarantees are not 100% accurate. In this work, we bridge all these gaps by developing PGNNCert, the first certified defense of GNNs against poisoning attacks under arbitrary (edge, node, and node feature) perturbations with deterministic robustness guarantees. Extensive evaluations on multiple node and graph classification datasets and GNNs demonstrate the effectiveness of PGNNCert to provably defend against arbitrary poisoning perturbations. PGNNCert is also shown to significantly outperform the state-of-the-art certified defenses against edge perturbation or node perturbation during GNN training.

Paper Structure

This paper contains 27 sections, 11 theorems, 20 equations, 17 figures, 5 tables.

Key Result

Theorem 1

Let $y_a, y_b, {\bf n}_{y_a}, {\bf n}_{y_b}$ be defined above in node classification or graph classification, and let $P = {\lfloor {\bf n}_{y_a}-{\bf n}_{y_b}-\mathbb{I}(y_{a}>y_{b})\rfloor} / {2}$. The voting classifier $\bar{f}$ trained on $\mathcal{G}_\text{tr}$ guarantees the same predictio
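The vote margin behind Theorem 1, as an added example that is not code from the paper: it tallies subgraph-classifier votes, computes $P$ as written above, and checks by worst-case vote shifting that the majority label holds for any whole number of altered votes up to $P$ and flips one past it. Assumptions not stated on this page: ties go to the smaller label (suggested by the indicator term), $P$ counts altered subgraph predictions, and the function names and sample votes are constructed for illustration.

```python
from collections import Counter

def vote_counts(preds, num_classes):
    """n_y: how many subgraph classifiers voted for each label y."""
    tally = Counter(preds)
    return [tally.get(y, 0) for y in range(num_classes)]

def ranked(counts):
    """Labels ordered by votes; ties go to the smaller label (assumed)."""
    return sorted(range(len(counts)), key=lambda y: (-counts[y], y))

def certified_bound(counts):
    """Return (y_a, y_b, P) with P = (n_ya - n_yb - I(y_a > y_b)) / 2."""
    y_a, y_b = ranked(counts)[:2]
    gap = counts[y_a] - counts[y_b] - (1 if y_a > y_b else 0)
    return y_a, y_b, gap / 2

def survives(counts, m):
    """Worst case for m altered votes: all m move from y_a to one rival."""
    y_a = ranked(counts)[0]
    moved = min(m, counts[y_a])
    for rival in range(len(counts)):
        if rival == y_a:
            continue
        shifted = list(counts)
        shifted[y_a] -= moved
        shifted[rival] += moved
        if ranked(shifted)[0] != y_a:
            return False
    return True

def report(preds, num_classes):
    counts = vote_counts(preds, num_classes)
    y_a, y_b, P = certified_bound(counts)
    budget = int(P)  # altered votes are whole numbers, so round P down
    return {"counts": counts, "y_a": y_a, "y_b": y_b, "P": P,
            "holds_at_budget": survives(counts, budget),
            "holds_past_budget": survives(counts, budget + 1)}

# Constructed votes from S = 9 subgraph classifiers over 3 classes.
SAMPLE = [1, 1, 1, 1, 1, 0, 0, 2, 2]

if __name__ == "__main__":
    print(report(SAMPLE, 3))
```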

Figures (17)

  • Figure 1: Overview of our PGNNCert (use node classification for illustration), which consists of four steps.
  • Figure 2: Illustration of our edge-centric and node-centric graph division strategies for node classification. We use edge injection and node injection poisoning attacks to show the bounded number of altered predictions on the generated subgraphs after the attack. Additional figures in the Appendix show other attacks and graph classification.
  • Figure 3: Certified node accuracy of our PGNNCert-E w.r.t. the number of subgraphs $S$.
  • Figure 4: Certified node accuracy of our PGNNCert-N w.r.t. the number of subgraphs $S$.
  • Figure 5: Certified graph accuracy of our PGNNCert-E w.r.t. the number of subgraphs $S$.
  • ...and 12 more figures

Theorems & Definitions (15)

  • Theorem 1: Sufficient Condition for Certified Robustness
  • Theorem 2: Bounded Number of Edge-Centric Subgraphs with Altered Predictions under Arbitrary Perturbation
  • Theorem 3: Certified Robustness Guarantee with Edge-Centric Subgraphs against Arbitrary Perturbation
  • Theorem 4: Bounded Number of Node-Centric Subgraphs with Altered Predictions under Arbitrary Perturbation
  • Theorem 5: Certified Robustness Guarantee with Node-Centric Subgraphs against Arbitrary Perturbation
  • Theorem 6
  • proof
  • Theorem 7
  • Theorem 8
  • proof
  • ...and 5 more