Adversarial attacks on Graph Neural Networks (GNNs) reveal their security vulnerabilities, limiting their adoption in safety-critical applications. However, existing attack strategies rely on the knowledge of either the GNN model being used or the predictive task being attacked. Is this knowledge necessary? For example, a graph may be used for multiple downstream tasks unknown to a practical attacker. It is thus important to test the vulnerability of GNNs to adversarial perturbations in a model and task agnostic setting. In this work, we study this problem and show that GNNs remain vulnerable even when the downstream task and model are unknown. The proposed algorithm, TANDIS (Targeted Attack via Neighborhood DIStortion) shows that distortion of node neighborhoods is effective in drastically compromising prediction performance. Although neighborhood distortion is an NP-hard problem, TANDIS designs an effective heuristic through a novel combination of Graph Isomorphism Network with deep Q-learning. Extensive experiments on real datasets and state-of-the-art models show that, on average, TANDIS is up to 50% more effective than state-of-the-art techniques, while being more than 1000 times faster.
翻译:对图形神经网络(GNNs)的Aversarial攻击暴露了它们的安全弱点,限制了它们在安全关键应用中的采用。然而,现有的攻击战略依赖于对正在使用的GNN模型或正在攻击的预测任务的知识。例如,这种知识是否必要?例如,一个图表可用于实际攻击者所不知道的多个下游任务。因此,必须测试GNNs在模型和任务定点设置中易受对抗性干扰的脆弱性。在这项工作中,我们研究这一问题,并表明即使在下游任务和模型未知时,GNNNs仍然脆弱。拟议的算法,TANDIS(通过邻里站分散点进行目标攻击)显示,扭曲节点街区对大大损害预测性能是有效的。尽管邻里扭曲是一个NP硬的问题,但TANDIS设计了一种有效的超音量理论,通过一种新型的、有深度学习的图形形态网络的新型组合。关于真实数据集和状态模型的广泛实验显示,平均而言,TANDIS(通过邻居地攻击)将比州一级技术更快的50%。
相关内容
微信扫码咨询专知VIP会员