AuditVotes: A Framework Towards More Deployable Certified Robustness for Graph Neural Networks
Yuni Lai, Yulin Zhu, Yixuan Sun, Yulun Wu, Bin Xiao, Gaolei Li, Jianhua Li, Kai Zhou
TL;DR
AuditVotes tackles the robustness-accuracy trade-off in certifiably robust GNNs by integrating graph rewiring augmentation and confidence-based conditional smoothing into the randomized smoothing pipeline. The augmentation pre-processes noisy graphs to restore data quality, while the conditional smoothing filters low-quality votes to enhance voting consistency, jointly achieving higher clean and certified accuracy. The framework is instantiated with JacAug, FAEAug, and SimAug, and is shown to substantially improve certified accuracy and empirical robustness across node and image tasks, with efficient training and testing. Beyond graphs, AuditVotes generalizes to de-randomized smoothing and Gaussian smoothing, offering a practical, scalable path toward deploying certifiably robust models in security-sensitive real-world settings.
Abstract
Despite advancements in Graph Neural Networks (GNNs), adaptive attacks continue to challenge their robustness. Certified robustness based on randomized smoothing has emerged as a promising solution, offering provable guarantees that a model's predictions remain stable under adversarial perturbations within a specified range. However, existing methods face a critical trade-off between accuracy and robustness, as achieving stronger robustness requires introducing greater noise into the input graph. This excessive randomization degrades data quality and disrupts prediction consistency, limiting the practical deployment of certifiably robust GNNs in real-world scenarios where both accuracy and robustness are essential. To address this challenge, we propose AuditVotes, the first framework to achieve both high clean accuracy and certifiably robust accuracy for GNNs. It integrates randomized smoothing with two key components, augmentation and conditional smoothing (the "au" and "dit" in the name), aiming to improve data quality and prediction consistency. The augmentation, acting as a pre-processing step, de-noises the randomized graph, significantly improving data quality and clean accuracy. The conditional smoothing, serving as a post-processing step, employs a filtering function to selectively count votes, thereby filtering low-quality predictions and improving voting consistency. Extensive experimental results demonstrate that AuditVotes significantly enhances clean accuracy, certified robustness, and empirical robustness while maintaining high computational efficiency. Notably, compared to baseline randomized smoothing, AuditVotes improves clean accuracy by 437.1% and certified accuracy by 409.3% when the attacker can arbitrarily insert 20 edges on the Cora-ML dataset, representing a substantial step toward deploying certifiably robust GNNs in real-world applications.
