面向图卷积神经网络鲁棒防御方法

摘要/Abstract

摘要： 近来对图卷积神经网络（GCNs）的研究及其应用日益成熟，虽然它的性能已经达到很高的水准，但GCNs在受到对抗攻击时模型鲁棒性较差。现有的防御方法大都基于启发式经验算法，没有考虑GCNs结构脆弱的原因。最近，已有研究表明GCNs脆弱的原因是非鲁棒的聚合函数。本文从崩溃点和影响函数抗差性角度出发，分析平尾均值函数和均值聚合函数二者的鲁棒性。平尾均值相较于均值函数，其崩溃点更高。平尾均值的影响函数跳跃有界，可抵抗异常值；而均值函数的影响函数无界，对异常值十分敏感。随后在GCNs框架的基础上，通过将图卷积算子中的聚合函数更换为更为鲁棒的平尾均值，提出一种改进的鲁棒防御方法WinsorisedGCN。最后采用Nettack对抗攻击方法研究分析所提出的模型在不同扰动代价下的鲁棒性，通过准确率和分类裕度评价指标对模型性能进行评估。实验结果表明，所提出的防御方案相较于其他基准模型，能够在保证模型准确率的前提下，有效提高模型在对抗攻击下的鲁棒性。

关键词: 图卷积神经网络, 图对抗训练, 鲁棒性

Abstract: Recently， graph convolutional neural networks （GCNs） have been increasingly mature in research and application. Although its performance has reached a high level， but GCNs have poor model robustness when subjected to adversarial attacks. Most of the existing defense methods are based on heuristic empirical algorithms and do not consider the reasons of the structural vulnerability of GCNs. Nowadays， researches have shown that GCNs are vulnerable due to non-robust aggregation functions. This paper analyzes the robustness of the winsorised mean function and the mean aggregation function in terms of the breakdown point and the impact function resistance. The winsorised mean has a higher breakdown point compared to the mean function. The influence function of the winsorised mean is bounded in jumps and can resistant to outliers， while the influence function of the mean function is unbounded and very sensitive to outliers. An improved robust defense method， WinsorisedGCN， is then proposed based on the GCNs framework by replacing the aggregation function in the graph convolution operator with a more robust winsorised mean. Finally， this paper uses the Nettack counter-attack method to study and analyze the robustness of the proposed model under different perturbation budgets， and the model performance is evaluated by accuracy and classification margin evaluation metrics. The experimental results demonstrate that the proposed defense scheme can effectively improve the robustness of the model under adversarial attacks while ensuring the model accuracy compared to other benchmark models.

Key words: graph convolutional neural networks, graph adversarial training, robustness

钱晓钊, 王澎. 面向图卷积神经网络鲁棒防御方法[J]. 计算机与现代化, 2023, 0(01): 74-80.

QIAN Xiao-zhao, WANG Peng. Robust Defense Method for Graph Convolutional Neural Network[J]. Computer and Modernization, 2023, 0(01): 74-80.

参考文献［29］

［1］	徐冰冰，岑科延，黄俊杰，等. 图卷积神经网络综述［J］. 计算机学报， 2020，43（5）:755-780.
［2］	JIANG Z R， GAO Z， DUAN Y， et al. Camouflaged Chinese spam content detection with semi-supervised generative active learning［C］// Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics. 2020:3080-3085.
［3］	DHAWAN S， GANGIREDDY S C R， KUMAR S， et al. Spotting collective behaviour of online frauds in customer reviews［J］. arXiv preprint arXiv:1905.13649， 2019.
［4］	KIPF T N， WELLING M. Semi-supervised classification with graph convolutional networks［C］// Proceedings of the 5th International Conference on Learning Representations. 2017.
［5］	ZUGNER D， AKBARNEJAD A， GUNNEMANN S. Adversarial attacks on neural networks for graph data［C］// Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2018:2847-2856.
［6］	DAI H J， LI H， TIAN T， et al. Adversarial attack on graph structured data［C］// Proceedings of the 35th International Conference on Machine Learning. 2018:1115-1124.
［7］	WANG X Y， EATON J， HSIEH C J， et al. Attack graph convolutional networks by adding fake nodes［J］. arXiv preprint arXiv:1810.10751， 2018.
［8］	ZHOU K， MICHALAK T P， WANIEK M， et al. Attacking similarity-based link prediction in social networks［C］// Proceedings of the 18th International Conference on Autonomous Agents and Multi Agent Systems. 2019:305-313.
［9］	SUN Y W， WANG S H， TANG X F， et al. Node injection attacks on graphs via reinforcement learning［J］. arXiv preprint arXiv:1909.06543， 2019.
［10］	GUNNEMANN S. Graph neural networks: Adversarial robustness［M］// Graph Neural Networks: Foundations， Frontiers， and Applications. Springer， Singapore， 2022:149-176.
［11］	ENTEZARI N， AL-SAYOURI S A， DARVISHZADEH A， et al. All you need is low （rank） defending against adversarial attacks on graphs［C］// Proceedings of the 13th International Conference on Web Search and Data Mining. 2020:169-177.
［12］	JIN M， CHANG H， ZHU W W， et al. Power up! Robust graph convolutional network via graph powering［C］// 35th AAAI Conference on Artificial Intelligence. 2021:8004-8012.
［13］	CHEN J Y， LIN X， XIONG H， et al. Smoothing adversarial training for GNN［J］. IEEE Transactions on Computational Social Systems， 2020，8（3）:618-629.
［14］	XU K D， CHEN H G， LIU S J， et al. Topology attack and defense for graph neural networks: An optimization perspective［J］. arXiv preprint arXiv:1906.04214， 2019.
［15］	ZUGNER D， GUNNEMANN S. Adversarial attacks on graph neural networks via meta learning［J］. arXiv preprint arXiv:1902.08412， 2019.
［16］	GEISLER S， ZUGNER D， GUNNEMANN S. Reliable graph neural networks via robust aggregation［C］// Proceedings of the 34th International Conference on Neural Information Processing Systems. 2020:13272-13284.
［17］	CHEN L， LI J T， PENG Q B， et al. Understanding structural vulnerability in graph convolutional networks［J］. arXiv preprint arXiv:2108.06280， 2021.
［18］	GEISLER S， SCHMIDT T， SIRIN H， et al. Robustness of graph neural networks at scale［C］// Proceedings of the 35th International Conference on Neural Information Processing Systems. 2021:7637-7649.
［19］	周世健. 截尾均值与平尾均值［J］. 西安地质学院学报， 1996，18（4）:84-90.
［20］	周江文. 经典误差理论与抗差估计［J］. 测绘学报， 1989，18（2）:115-120.
［21］	HAMPEL F R， RONCHETTI E M， ROUSSEEUW P J， et al. Robust Statistics: The Approach Based on influence Functions［M］. John Wiley & Sons， 2011.
［22］	ZHU D Y， ZHANG Z W， PENG CUI， et al. Robust graph convolutional networks against adversarial attacks［C］// Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2019:1399-1407.
［23］	MCCALLUM A K， NIGAM K， RENNIE J， et al. Automating the construction of internet portals with machine learning［J］. Information Retrieval， 2000，3（2）:127-163.
［24］	XU B B， SHEN H W， CAO Q， et al. Graph wavelet neural network［J］. arXiv preprint arXiv:1904.07785， 2019.
［25］	THEKUMPARAMPIL K K， WANG C， OH S， et al. Attention-based graph neural network for semi-supervised learning［J］. arXiv preprint arXiv:1803.03735， 2018.
［26］	HU W B， CHEN C， CHANG Y M， et al. Robust graph convolutional networks with directional graph adversarial training［J］. Applied Intelligence， 2021，51（11）:7812-7826.
［27］	VELICKOVIC P， CUCURULL G， CASANOVA A， et al. Graph attention networks［J］. arXiv preprint arXiv: 1710.10903， 2018.
［28］	KINGMA D P， BA J. Adam: A method for stochastic optimization［C］// 2015 International Conference on Learning Representations （ICLR）. 2015.
［29］	陈晋音.张敦杰.黄国瀚.等. 面向图神经网络的对抗攻击与防御综述［J］. 网络与信息安全学报， 2021，7（3）: 1-28.

[1]	徐鑫强, 何鹏, . 基于图过滤框架对图卷积滤波器灵活性的研究[J]. 计算机与现代化, 2022, 0(03): 103-110.
[2]	王建华, 冉煜琨. 适用于便携式设备的深度神经网络眼动跟踪[J]. 计算机与现代化, 2021, 0(08): 58-63.
[3]	李卫东, 徐澍锟, 王运明. 基于复杂网络的纽约轨道交通网络特性分析[J]. 计算机与现代化, 2021, 0(02): 94-99.
[4]	姜苏英. 基于改进PSO算法的加热系统分数阶控制[J]. 计算机与现代化, 2018, 0(07): 39-.
[5]	缑新科1，2，3,徐高鹏1，2，3. 基于Gabor滤波的语音识别鲁棒性研究[J]. 计算机与现代化, 2018, 0(05): 20-.
[6]	张婵，冯国军，肖云波. 数据中心网络结构鲁棒性指标研究[J]. 计算机与现代化, 2016, 0(5): 55-60.
[7]	柯江胜,倪建军,吴榴迎. 一种改进的鲁棒SLAM算法[J]. 计算机与现代化, 2016, 0(2): 104-106,111.
[8]	陈雪松1，李昊天1，贾瑞成2，孙立娜2，卜广龙1. 一种基于混沌加密的DWT数字音频水印算法[J]. 计算机与现代化, 2014, 0(8): 46-49+74.
[9]	鲁坚，涂广毅，吴海燕. 基于曲面拟合的彩色图像数字水印算法[J]. 计算机与现代化, 2014, 0(7): 133-136.
[10]	钟艳. 基于四元数傅里叶梅林变换的RST不变彩色图像水印算法[J]. 计算机与现代化, 2014, 0(5): 113-117.
[11]	罗宇,吕光宏. 基于鲁棒性的链路权重规划算法[J]. 计算机与现代化, 2014, 0(1): 71-76.
[12]	陆洋. ROPART:一种鲁棒的网络切分算法[J]. 计算机与现代化, 2013, 1(3): 67-70.
[13]	穆俊鹏;李鑫;张明. 基于DWT的水印嵌入规则性能研究 [J]. 计算机与现代化, 2012, 8(08): 93-97.
[14]	ZHANGShuai;CAOXiaojun. 基于DCT域的两种盲水印算法的应用与比较  [J]. 计算机与现代化, 2012, 8(08): 77-79.
[15]	尹辉. 基于H.264编码的帧间预测块划分视频水印算法[J]. 计算机与现代化, 2010, 1(8): 139-142.