We bridge two research directions on graph neural networks (GNNs), by formalizing the relation between heterophily of node labels (i.e., connected nodes tend to have dissimilar labels) and the robustness of GNNs to adversarial attacks. Our theoretical and empirical analyses show that for homophilous graph data, impactful structural attacks always lead to reduced homophily, while for heterophilous graph data the change in the homophily level depends on the node degrees. These insights have practical implications for defending against attacks on real-world graphs: we deduce that separate aggregators for ego- and neighbor-embeddings, a design principle which has been identified to significantly improve prediction for heterophilous graph data, can also offer increased robustness to GNNs. Our comprehensive experiments show that GNNs merely adopting this design achieve improved empirical and certifiable robustness compared to the best-performing unvaccinated model. Additionally, combining this design with explicit defense mechanisms against adversarial attacks leads to an improved robustness with up to 18.33% performance increase under attacks compared to the best-performing vaccinated model.
翻译:在图形神经网络(GNNs)上,我们通过正式确定节点标签(即连接节点往往有不同标签)和GNNs对对抗性攻击的稳健性之间的关系,将图形神经网络(GNNs)的两个研究方向连接起来。我们的理论和经验分析表明,对于同质图形数据而言,冲击性的结构攻击总是导致同质图形数据减少,而对于异性图数据而言,同质水平的变化取决于节点度。这些洞察对防御真实世界图表攻击具有实际影响:我们推论,自我和邻居组合的单独聚合体是显著改进对异性图数据的预测的设计原则。我们的全面实验表明,GNNs仅仅采用这一设计,就实现了更好的经验性和可证实的稳健性,与最佳的无漏模式相比。此外,将这一设计与明确的防御机制结合起来,防止对立性攻击的明显防御机制导致更稳健性,与最佳的防疫模型相比,攻击下性性性能提高至18.33%。