Fixed-point graph convolutional networks against adversarial attacks

Shakib Khan, A. Ben Hamza, Amr Youssef

TL;DR

Graph neural networks are vulnerable to adversarial perturbations on graph structure and node features. The authors propose Fix-GCN, a fixed-point iterative GCN that uses a spectral modulation filter with $h_s(\lambda)=\frac{1}{(1+s)\lambda - s\lambda^2}$ and a propagation operator $P=((1-s)I+s\hat{A})\hat{A}$ to perform higher-order diffusion while attenuating high-frequency perturbations. The model updates via $\mathbf{H}^{(\ell+1)}=\sigma( P\mathbf{H}^{(\ell)}\mathbf{W}^{(\ell)}+\mathbf{X}\widetilde{\mathbf{W}}^{(\ell)})$ with an initial residual path, and recovers standard GCN behavior when $s=0$ and a second-order GCN when $s=1$. Empirical results across multiple datasets show Fix-GCN achieves superior robustness against poisoning, random, feature, and evasion attacks, with best performance near $s=0.2$ and comparable computational complexity to conventional GCNs. Overall, Fix-GCN provides a practical, scalable defense that leverages fixed-point spectral filtering to bolster graph representations under adversarial conditions.

Abstract

Adversarial attacks present a significant risk to the integrity and performance of graph neural networks, particularly in tasks where graph structure and node features are vulnerable to manipulation. In this paper, we present a novel model, called fixed-point iterative graph convolutional network (Fix-GCN), which achieves robustness against adversarial perturbations by effectively capturing higher-order node neighborhood information in the graph without additional memory or computational complexity. Specifically, we introduce a versatile spectral modulation filter and derive the feature propagation rule of our model using fixed-point iteration. Unlike traditional defense mechanisms that rely on additional design elements to counteract attacks, the proposed graph filter provides a flexible-pass filtering approach, allowing it to selectively attenuate high-frequency components while preserving low-frequency structural information in the graph signal. By iteratively updating node representations, our model offers a flexible and efficient framework for preserving essential graph information while mitigating the impact of adversarial manipulation. We demonstrate the effectiveness of the proposed model through extensive experiments on various benchmark graph datasets, showcasing its resilience against adversarial attacks.
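
The operator $P$, the filter $h_s$ and the layer update from the TL;DR can be checked numerically on a small graph. This is an added example, not code from the paper or its authors: it shows that $I-P$ scales an eigenvector by $1/h_s(\lambda)$ and that $s=0$ and $s=1$ give $\hat{A}$ and $\hat{A}^2$. It assumes $\hat{A}=\tilde{D}^{-1/2}(A+I)\tilde{D}^{-1/2}$, that $\lambda$ is an eigenvalue of $I-\hat{A}$, and that $\sigma$ is ReLU (none of which is defined on this page); the 4-cycle graph and all function names are constructed for illustration.

```python
import math

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) for c in zip(*B)] for r in A]

def normalized_adjacency(adj):
    # Assumption: A_hat = D^-1/2 (A + I) D^-1/2, the usual GCN renormalization.
    n = len(adj)
    a = [[adj[i][j] + (i == j) for j in range(n)] for i in range(n)]
    d = [1.0 / math.sqrt(sum(row)) for row in a]
    return [[d[i] * a[i][j] * d[j] for j in range(n)] for i in range(n)]

def propagation_operator(a_hat, s):
    # P = ((1 - s) I + s A_hat) A_hat
    n = len(a_hat)
    mix = [[(1 - s) * (i == j) + s * a_hat[i][j] for j in range(n)]
           for i in range(n)]
    return matmul(mix, a_hat)

def h(s, lam):
    # Spectral modulation filter h_s(lambda) = 1 / ((1 + s) lambda - s lambda^2)
    return 1.0 / ((1 + s) * lam - s * lam ** 2)

def layer(P, H, W, X, W_res):
    # H_next = ReLU(P H W + X W_res); X W_res is the initial residual path.
    # Assumption: sigma is ReLU (the page only writes sigma).
    prop, res = matmul(matmul(P, H), W), matmul(X, W_res)
    return [[max(0.0, p + r) for p, r in zip(rp, rr)]
            for rp, rr in zip(prop, res)]

def fixed_point_gain(P, u):
    # Scalar g with (I - P) u = g u, for u an eigenvector of A_hat, u[0] != 0.
    Pu0 = sum(p * x for p, x in zip(P[0], u))
    return (u[0] - Pu0) / u[0]

# Constructed sample graph: a 4-cycle. Its alternating signal is the
# highest-frequency eigenvector of I - A_hat, with lambda = 4/3.
CYCLE4 = [[0, 1, 0, 1], [1, 0, 1, 0], [0, 1, 0, 1], [1, 0, 1, 0]]
A_HAT = normalized_adjacency(CYCLE4)
HIGH, LAM_HIGH = [1.0, -1.0, 1.0, -1.0], 4.0 / 3.0

if __name__ == "__main__":
    for s in (0.0, 0.2, 1.0):
        P = propagation_operator(A_HAT, s)
        g = fixed_point_gain(P, HIGH)
        print(f"s={s}: (I-P) gain={g:.4f}  1/h_s={1 / h(s, LAM_HIGH):.4f}  "
              f"h_s={h(s, LAM_HIGH):.4f}")
    X = [[v] for v in HIGH]
    print(layer(propagation_operator(A_HAT, 0.2), X, [[1.0]], X, [[0.5]]))
```

At $\lambda=4/3$ the filter response is about 0.750, 0.804 and 1.125 for $s=0$, $0.2$ and $1$, which matches the Figure 1 caption: lower $s$ attenuates the high-frequency component more strongly.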

Paper Structure

This paper contains 11 sections, 2 theorems, 11 equations, 6 figures, 2 tables.

Key Result

Lemma 1

If two matrices $\bm{C}_{1}$ and $\bm{C}_{2}$ commute, i.e., $\bm{C}_{1}\bm{C}_{2}=\bm{C}_{2}\bm{C}_{1}$, then where $\rho(\cdot)$ denotes matrix spectral radius (i.e., largest absolute value of all eigenvalues).

Figures (6)

  • Figure 1: Transfer function of the spectral modulation filter. Lower values of the scaling parameter make the filter attenuate high-frequency components more strongly.
  • Figure 2: Node classification accuracy under targeted attacks (Nettack) with varying numbers of perturbations on the target nodes $\{1, 2, 3, 4, 5\}$.
  • Figure 3: Node classification accuracy under random attacks with varying perturbation rates.
  • Figure 4: Node classification accuracy under feature attacks with different perturbation rates.
  • Figure 5: Node classification accuracy of different models under evasion attacks (DICE) with varying perturbation rates.
  • ...and 1 more figure

Theorems & Definitions (2)

  • Lemma 1
  • Proposition 1