Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

PEANUT: Perturbations by Eigenvector Alignment for Attacking Graph Neural Networks Under Topology-Driven Message Passing

Bhavya Kohli, Biplab Sikdar

Abstract

Graph Neural Networks (GNNs) have achieved remarkable performance on tasks involving relational data. However, small perturbations to the graph structure can significantly alter GNN outputs, raising concerns about their robustness in real-world deployments. In this work, we explore the core vulnerability of GNNs which explicitly consume graph topology in the form of the adjacency matrix or Laplacian as a means for message passing, and propose PEANUT, a simple, gradient-free, restricted black-box attack that injects virtual nodes to capitalize on this vulnerability. PEANUT is a injection based attack, which is widely considered to be more practical and realistic scenario than graph modification attacks, where the attacker is able to modify the original graph structure directly. Our method works at the inference phase, making it an evasion attack, and is applicable almost immediately, since it does not involve lengthy iterative optimizations or parameter learning, which add computational and time overhead, or training surrogate models, which are susceptible to failure due to differences in model priors and generalization capabilities. PEANUT also does not require any features on the injected node and consequently demonstrates that GNN performance can be significantly deteriorated even with injected nodes with zeros for features, highlighting the significance of effectively designed connectivity in such attacks. Extensive experiments on real-world datasets across three graph tasks demonstrate the effectiveness of our attack despite its simplicity.

PEANUT: Perturbations by Eigenvector Alignment for Attacking Graph Neural Networks Under Topology-Driven Message Passing

Abstract

Graph Neural Networks (GNNs) have achieved remarkable performance on tasks involving relational data. However, small perturbations to the graph structure can significantly alter GNN outputs, raising concerns about their robustness in real-world deployments. In this work, we explore the core vulnerability of GNNs which explicitly consume graph topology in the form of the adjacency matrix or Laplacian as a means for message passing, and propose PEANUT, a simple, gradient-free, restricted black-box attack that injects virtual nodes to capitalize on this vulnerability. PEANUT is a injection based attack, which is widely considered to be more practical and realistic scenario than graph modification attacks, where the attacker is able to modify the original graph structure directly. Our method works at the inference phase, making it an evasion attack, and is applicable almost immediately, since it does not involve lengthy iterative optimizations or parameter learning, which add computational and time overhead, or training surrogate models, which are susceptible to failure due to differences in model priors and generalization capabilities. PEANUT also does not require any features on the injected node and consequently demonstrates that GNN performance can be significantly deteriorated even with injected nodes with zeros for features, highlighting the significance of effectively designed connectivity in such attacks. Extensive experiments on real-world datasets across three graph tasks demonstrate the effectiveness of our attack despite its simplicity.

Paper Structure

This paper contains 41 sections, 3 theorems, 14 equations, 8 figures, 6 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Evasion and poisoning attacks
  3. Vulnerability of adjacency-input architectures
  4. Contributions
  5. Threat Model
  6. Related works
  7. Structural Attacks on GNNs
  8. Graph Injection Attacks
  9. Graph-level tasks and regression.
  10. Preliminaries
  11. Virtual-node perturbation
  12. Simplified Graph Convolution Network (SGC)
  13. Attack Efficacy and Constraints
  14. Attack Goal
  15. Methodology
  16. ...and 26 more sections

Key Result

lemma 1

For a given real-valued ${\mathbf{Z}}\in{\mathbb{R}}^{N\times d}$, and budget ${\boldsymbol{\Delta}}$, we define the following optimization objective: The solution ${\mathbf{B}}^*$ for the above is ${\mathbf{B}}^* = {\boldsymbol{\Delta}}\cdot{\mathbf{u}}_1{\mathbf{v}}^\top$, where ${\mathbf{u}}$ is the dominant eigenvector (corresponding to the eigenvalue of largest magnitude) of ${\mathbf{Z}}{\m

Figures (8)

  • Figure 1: PEA when used on a graph-level task. The attacker queries the model once to obtain the (clean) node-level embeddings, using them to create the perturbation ${\mathbf{S}}_v$ using the eigenvector ${\mathbf{u}}_1$ of ${\mathbf{Z}}{\mathbf{Z}}^\top$ which induces a high ${\mathcal{L}}({\mathbf{S}}_v)$.
  • Figure 2: GIN Regression performance vs number of virtual nodes on the five regression datasets.
  • Figure 3: GIN Classification accuracy vs number of virtual nodes on the six classification datasets. All reported numbers have been averaged over the 10-Fold CV.
  • Figure 4: GIN Regression performance for PEA, PEA-D, Rand and Rand-D for the same budget (normalized for the discrete variants), across the five regression datasets.
  • Figure 5: Norm difference (${\mathcal{L}}({\mathbf{S}}_v)$) between PEA-W, PEA, and a randomly chosen ${\mathbf{S}}_v$, illustrating how the white-box version compares with the black-box approximation and randomly chosen perturbations, using SGC on the NC datasets.
  • ...and 3 more figures

Theorems & Definitions (3)

  • lemma 1
  • theorem 1
  • lemma 1