CRII: SaTC: Towards Understanding the Robustness of Graph Neural Networks against Graph Perturbations

CRII：SaTC：了解图神经网络对抗图扰动的鲁棒性

• 批准号: 2241713
• 负责人: Binghui Wang
• 金额: $ 17.5万
• 依托单位: Illinois Institute of Technology
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-06-01 至 2025-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2241713&HistoricalAwards=false
• 关键词: CRII; SaTC; Towards; Understanding; Robustness

Learning with graphs, such as social networks, biological networks, and financial networks, has drawn continuous attention recently, wherein graph neural networks (GNNs) have been emerging as the most prominent methodology. However, recent studies show that GNNs are vulnerable to graph perturbation attacks: slightly perturbing the graph structure can make GNN model's performance severely degraded. The lack of robustness of GNNs makes them risky for their potential applications. However, existing studies on GNN attacks and defenses are very limited in scope: the attacks are assumed under less practical scenarios (i.e., the attacker has a full or partial knowledge about the GNN model), while the defenses are either heuristic-based that can be easily broken or their robustness in defense is lacking. This project aims to understand how to perform the graph perturbation attack to fool any GNNs with least/no knowledge about the GNN model. Accordingly, the project designs both restricted and stringent black-box graph perturbation attacks to any GNNs, which are inspired by the influence function and bandit algorithms, respectively. Next, the project aims to understand how to protect any GNNs from the strongest white-box attack with robustness guarantees. To this end, it designs provable defenses for any GNNs against white-box graph perturbation attacks via novel randomized smoothing techniques and designs principled methods to optimize the defense performance.The project’s novelties are to gain a holistic understanding on the robustness of GNNs against graph perturbation attacks, to look into more practicable attacks and lastly to devise a more provable defenses. The project’s broader significance and impact are 1)advancing not only the field of secure and trustworthy machine learning, but also other fields (e.g., social science and economy) where graph data model and graph learning are widely used; 2) developing a new seminar course “Graph Learning in the Adversarial Settings”, and 3)supporting cross-disciplinary research for both undergraduate and graduate students.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

尽管图神经网络（GNN）已成为最重要的方法，但最近使用图学习（例如社交网络、生物网络和金融网络）引起了持续关注。然而，最近的研究表明，GNN 很容易受到图扰动的影响。攻击：稍微扰动图结构就会使 GNN 模型的性能严重下降。GNN 缺乏鲁棒性，使其潜在应用面临风险。然而，现有的 GNN 攻击和防御研究范围非常有限：这些攻击都是假设的。在不太实际的场景下（即攻击者对 GNN 模型有全部或部分了解），而防御要么是基于启发式的，很容易被破坏，要么缺乏防御的鲁棒性。该项目旨在了解如何执行。图扰动攻击欺骗任何对 GNN 模型知之甚少/不了解的 GNN，因此，该项目受到影响函数和强盗算法的启发，设计了针对任何 GNN 的受限和严格的黑盒图扰动攻击。接下来，该项目旨在了解如何在鲁棒性保证的情况下保护任何 GNN 免受最强的白盒攻击。为此，它通过新颖的随机平滑技术为任何 GNN 设计可证明的防御白盒图扰动攻击的方法，并设计原则方法。优化防御性能。该项目的新颖之处在于全面了解 GNN 针对图扰动攻击的鲁棒性，研究更实用的攻击，最后设计出更可证明的方法该项目更广泛的意义和影响是：1）不仅推动安全可靠的机器学习领域，而且推动图数据模型和图学习广泛使用的其他领域（例如社会科学和经济）；2）新的研讨会课程“对抗性环境中的图学习”，以及 3）支持本科生和研究生的跨学科研究。该奖项是 NSF 的法定使命，并通过使用基金会的智力评估进行评估，被认为值得支持优点和更广泛的影响审查标准。

项目成果

Efficient, Direct, and Restricted Black-Box Graph Evasion Attacks to Any-Layer Graph Neural Networks via Influence Function

通过影响函数对任意层图神经网络进行高效、直接、受限的黑盒图规避攻击

• DOI: 10.1145/3616855.3635826
• 发表时间: 2020-09-01
• 期刊: IEEE Access
• 影响因子: 3.9
• 作者: Binghui Wang;Tianxiang Zhou;Min;Pan Zhou;Ang Li;Meng Pang;Cai Fu;H. Li;Yiran Chen
• 通讯作者: Yiran Chen

Turning Strengths into Weaknesses: A Certified Robustness Inspired Attack Framework against Graph Neural Networks

将优势转化为劣势：针对图神经网络的经过认证的鲁棒性启发攻击框架

• DOI: 10.1109/cvpr52729.2023.01573
• 发表时间: 2023-03-10
• 期刊: 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
• 作者: Binghui Wang;Meng Pang;Yun Dong
• 通讯作者: Yun Dong