Robust Defense Method for Graph Convolutional Neural Network

Abstract

Abstract: Recently， graph convolutional neural networks （GCNs） have been increasingly mature in research and application. Although its performance has reached a high level， but GCNs have poor model robustness when subjected to adversarial attacks. Most of the existing defense methods are based on heuristic empirical algorithms and do not consider the reasons of the structural vulnerability of GCNs. Nowadays， researches have shown that GCNs are vulnerable due to non-robust aggregation functions. This paper analyzes the robustness of the winsorised mean function and the mean aggregation function in terms of the breakdown point and the impact function resistance. The winsorised mean has a higher breakdown point compared to the mean function. The influence function of the winsorised mean is bounded in jumps and can resistant to outliers， while the influence function of the mean function is unbounded and very sensitive to outliers. An improved robust defense method， WinsorisedGCN， is then proposed based on the GCNs framework by replacing the aggregation function in the graph convolution operator with a more robust winsorised mean. Finally， this paper uses the Nettack counter-attack method to study and analyze the robustness of the proposed model under different perturbation budgets， and the model performance is evaluated by accuracy and classification margin evaluation metrics. The experimental results demonstrate that the proposed defense scheme can effectively improve the robustness of the model under adversarial attacks while ensuring the model accuracy compared to other benchmark models.

Key words: graph convolutional neural networks, graph adversarial training, robustness

QIAN Xiao-zhao, WANG Peng. Robust Defense Method for Graph Convolutional Neural Network[J]. Computer and Modernization, 2023, 0(01): 74-80.

References ［29］

［1］	徐冰冰，岑科延，黄俊杰，等. 图卷积神经网络综述［J］. 计算机学报， 2020，43（5）:755-780.
［2］	JIANG Z R， GAO Z， DUAN Y， et al. Camouflaged Chinese spam content detection with semi-supervised generative active learning［C］// Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics. 2020:3080-3085.
［3］	DHAWAN S， GANGIREDDY S C R， KUMAR S， et al. Spotting collective behaviour of online frauds in customer reviews［J］. arXiv preprint arXiv:1905.13649， 2019.
［4］	KIPF T N， WELLING M. Semi-supervised classification with graph convolutional networks［C］// Proceedings of the 5th International Conference on Learning Representations. 2017.
［5］	ZUGNER D， AKBARNEJAD A， GUNNEMANN S. Adversarial attacks on neural networks for graph data［C］// Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2018:2847-2856.
［6］	DAI H J， LI H， TIAN T， et al. Adversarial attack on graph structured data［C］// Proceedings of the 35th International Conference on Machine Learning. 2018:1115-1124.
［7］	WANG X Y， EATON J， HSIEH C J， et al. Attack graph convolutional networks by adding fake nodes［J］. arXiv preprint arXiv:1810.10751， 2018.
［8］	ZHOU K， MICHALAK T P， WANIEK M， et al. Attacking similarity-based link prediction in social networks［C］// Proceedings of the 18th International Conference on Autonomous Agents and Multi Agent Systems. 2019:305-313.
［9］	SUN Y W， WANG S H， TANG X F， et al. Node injection attacks on graphs via reinforcement learning［J］. arXiv preprint arXiv:1909.06543， 2019.
［10］	GUNNEMANN S. Graph neural networks: Adversarial robustness［M］// Graph Neural Networks: Foundations， Frontiers， and Applications. Springer， Singapore， 2022:149-176.
［11］	ENTEZARI N， AL-SAYOURI S A， DARVISHZADEH A， et al. All you need is low （rank） defending against adversarial attacks on graphs［C］// Proceedings of the 13th International Conference on Web Search and Data Mining. 2020:169-177.
［12］	JIN M， CHANG H， ZHU W W， et al. Power up! Robust graph convolutional network via graph powering［C］// 35th AAAI Conference on Artificial Intelligence. 2021:8004-8012.
［13］	CHEN J Y， LIN X， XIONG H， et al. Smoothing adversarial training for GNN［J］. IEEE Transactions on Computational Social Systems， 2020，8（3）:618-629.
［14］	XU K D， CHEN H G， LIU S J， et al. Topology attack and defense for graph neural networks: An optimization perspective［J］. arXiv preprint arXiv:1906.04214， 2019.
［15］	ZUGNER D， GUNNEMANN S. Adversarial attacks on graph neural networks via meta learning［J］. arXiv preprint arXiv:1902.08412， 2019.
［16］	GEISLER S， ZUGNER D， GUNNEMANN S. Reliable graph neural networks via robust aggregation［C］// Proceedings of the 34th International Conference on Neural Information Processing Systems. 2020:13272-13284.
［17］	CHEN L， LI J T， PENG Q B， et al. Understanding structural vulnerability in graph convolutional networks［J］. arXiv preprint arXiv:2108.06280， 2021.
［18］	GEISLER S， SCHMIDT T， SIRIN H， et al. Robustness of graph neural networks at scale［C］// Proceedings of the 35th International Conference on Neural Information Processing Systems. 2021:7637-7649.
［19］	周世健. 截尾均值与平尾均值［J］. 西安地质学院学报， 1996，18（4）:84-90.
［20］	周江文. 经典误差理论与抗差估计［J］. 测绘学报， 1989，18（2）:115-120.
［21］	HAMPEL F R， RONCHETTI E M， ROUSSEEUW P J， et al. Robust Statistics: The Approach Based on influence Functions［M］. John Wiley & Sons， 2011.
［22］	ZHU D Y， ZHANG Z W， PENG CUI， et al. Robust graph convolutional networks against adversarial attacks［C］// Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2019:1399-1407.
［23］	MCCALLUM A K， NIGAM K， RENNIE J， et al. Automating the construction of internet portals with machine learning［J］. Information Retrieval， 2000，3（2）:127-163.
［24］	XU B B， SHEN H W， CAO Q， et al. Graph wavelet neural network［J］. arXiv preprint arXiv:1904.07785， 2019.
［25］	THEKUMPARAMPIL K K， WANG C， OH S， et al. Attention-based graph neural network for semi-supervised learning［J］. arXiv preprint arXiv:1803.03735， 2018.
［26］	HU W B， CHEN C， CHANG Y M， et al. Robust graph convolutional networks with directional graph adversarial training［J］. Applied Intelligence， 2021，51（11）:7812-7826.
［27］	VELICKOVIC P， CUCURULL G， CASANOVA A， et al. Graph attention networks［J］. arXiv preprint arXiv: 1710.10903， 2018.
［28］	KINGMA D P， BA J. Adam: A method for stochastic optimization［C］// 2015 International Conference on Learning Representations （ICLR）. 2015.
［29］	陈晋音.张敦杰.黄国瀚.等. 面向图神经网络的对抗攻击与防御综述［J］. 网络与信息安全学报， 2021，7（3）: 1-28.

[1]	WANG Jian-hua, RAN Yu-kun. Eye-movement Tracking Based on Deep Neural Network for Portable Devices [J]. Computer and Modernization, 2021, 0(08): 58-63.
[2]	LI Wei-dong, XU Shu-kun, WANG Yun-ming. Analysis of New York Rail Transit Network Characteristics Based on Complex Network [J]. Computer and Modernization, 2021, 0(02): 94-99.
[3]	JIANGSu-ying. FractionalOrderControlBasedonImprovedPSOAlgorithmforHeatingSystem [J]. Computer and Modernization, 2018, 0(07): 39-.
[4]	GOU Xin-ke1，2，3， XU Gao-peng1，2，3. Research on Speech Recognition Robustness Based on Gabor Filtering [J]. Computer and Modernization, 2018, 0(05): 20-.
[5]	ZHANG Chan， FENG Guojun， XIAO Yunbo. Study on Indices of DCN Structural Robustness [J]. Computer and Modernization, 2016, 0(5): 55-60.
[6]	KE Jiang-sheng, NI Jian-jun, WU Liu-ying. An Improved Robust SLAM Algorithm [J]. Computer and Modernization, 2016, 0(2): 104-106,111.
[7]	CHEN Xue-song1, LI Hao-tian1, JIA Rui-cheng2, SUN Li-na2, BU Guang-long1. A Digital Audio Watermarking Algorithm Based on Chaotic Encrypting in DWT [J]. Computer and Modernization, 2014, 0(8): 46-49+74.
[8]	LU Jian, TU Guang-yi, WU Hai-yan. A Digital Watermarking Algorithm of Color Images Based on Surface Fitting [J]. Computer and Modernization, 2014, 0(7): 133-136.
[9]	LU Yang. ROPART：A Robust Network Partition Algorithm [J]. Computer and Modernization, 2013, 1(3): 67-70.
[10]	MU Junpeng;LI Xin;ZHANG Ming. Research on Watermark Embedded Rules’ Performance Based on DWT [J]. Computer and Modernization, 2012, 8(08): 93-97.
[11]	张帅;曹晓钧. Application and Comparison of Two Blind Watermarking Algorithms Based on DCT Domain  [J]. Computer and Modernization, 2012, 8(08): 77-79.
[12]	YIN Hui. Video Watermarking Algorithm for Interframe Prediction Block Partition Based on H.264 Encoded [J]. Computer and Modernization, 2010, 1(8): 139-142.
[13]	DENG Hua;ZHANG Ji-fu. Design Method of Video Watermark Technology Based on MPEG-4 [J]. Computer and Modernization, 2010, 1(6): 67-0070.
[14]	TAN Ping. A Blind MPEG4 Video Watermarking Algorithm Based on  Errorcorrecting Bits in Discrete Cosine Translation Domain [J]. Computer and Modernization, 2010, 1(02): 39-42.
[15]	WANG Zongli. Realization and Comparison of Two Kinds of Transformations Territories Digital Watermark Algorithm  [J]. Computer and Modernization, 2009, 169(9): 87-91.