Adversarial Robustness of Machine Learning Models for Graphs

Prof. Dr. Stephan Günnemann, Department of Informatics, Technical University of Munich

28.10.2019


Page 1: Title slide (title, speaker, affiliation and date as above)

Page 2: Title slide

Can you trust the predictions of graph-based ML models?

Page 3: Graphs are Everywhere

§ Computational Social Sciences
§ Meshes
§ Computational Chemistry, Proteomics, Biology
§ Reasoning Systems
§ Scene Graphs

Page 4: Machine Learning for Graphs

§ Graph neural networks have become extremely popular
§ Example: GNNs for semi-supervised node classification

[Figure: a partially labeled, attributed graph is fed to a GNN, which predicts the labels of the unlabeled nodes (marked "?") by message passing.]

Message passing (standard GCN layer form, reconstructed from the garbled slide; layer $l$, node $v$): $h_v^{(l)} = \sigma\big(\hat{A}_v \cdot H^{(l-1)} \cdot W^{(l)}\big)$

Page 5: Graphs & Robustness

Are machine learning models for graphs robust with respect to (adversarial) perturbations?

§ Reliable/safe use of ML models requires correctness even in the worst case
  – adversarial perturbations = worst-case corruptions
§ Adversaries are common in many application scenarios where graphs are used (e.g. recommender systems, social networks, knowledge graphs)

Page 6: Adversarial Attacks in the Image Domain

§ State-of-the-art (deep) learning methods are not robust against small deliberate perturbations

[Figure: training data → training → model; the clean image is scored 99%.]

Page 7: Adversarial Attacks in the Image Domain (continued)

§ State-of-the-art (deep) learning methods are not robust against small deliberate perturbations

[Figure: the same pipeline; a small perturbation is added to the image and the model's output on the perturbed image changes (92%).]

Page 8: The relational nature of the data might…

§ Cause cascading failures: perturbations in one part of the graph can propagate to the rest
§ Improve robustness: predictions are computed jointly rather than in isolation

[Figure: ML for graphs with message passing across the graph, as on page 4.]

Page 9: Remaining Roadmap

✓ Introduction & Motivation
2. Are ML models for graphs robust?
3. Can we give guarantees, i.e. certificates?
4. Conclusion

Page 10: Semi-Supervised Node Classification

[Figure: partially labeled, attributed graph → ML for graphs (message passing) → predictions for the unlabeled nodes.]

Can we change the predictions by slightly perturbing the data?

Page 11: Unique Aspects of the Graph Domain

Target node $v_0 \in V$: node whose classification label we want to change
Attacker nodes $\mathcal{A} \subset V$: nodes the attacker can modify

Direct attack ($\mathcal{A} = \{v_0\}$)
§ Modify the target's features
§ Add connections to the target
§ Remove connections from the target
Examples: change website content; buy likes/followers; unfollow untrusted users

Indirect attack ($v_0 \notin \mathcal{A}$)
§ Modify the attackers' features
§ Add connections to the attackers
§ Remove connections from the attackers
Examples: hijack friends of the target; create a link/spam farm

Page 12: Single Node Attack for a GCN

$$\min_{A',\,X'} \;\min_{c \neq c_{\mathrm{old}}} \;\log Z'_{v_0, c_{\mathrm{old}}} - \log Z'_{v_0, c}$$

where $Z' = f_\theta(A', X') = \mathrm{softmax}\big(\hat{A}'\,\mathrm{ReLU}(\hat{A}' X' W^{(1)})\,W^{(2)}\big)$ (message passing)

$A' \in \{0,1\}^{N \times N}$: modified adjacency matrix
$X' \in \{0,1\}^{N \times D}$: modified node attributes
$v_0$: target node

§ Classification margin: > 0: no change in classification; < 0: change in classification
§ Core idea: Linearization → efficient greedy approach

Zügner, Akbarnejad, Günnemann. Adversarial Attacks on Neural Networks for Graph Data. KDD 2018

Page 13: Results: Cora Data

[Figure: box plots of the classification margin (−1.0 to 1.0; < 0 = wrong classification, > 0 = correct classification) of the target nodes after a poisoning attack on GCN (left) and on DeepWalk (right), for Clean, Random, Gradient, Ours-Direct and Ours-Indirect (the axis also lists an Inter-class variant). Percentage of correctly classified targets as printed on the slide: GCN: Clean 90.3%, Random-Direct 60.8%, Gradient-Direct 2.7%, Ours-Direct 1.0%, Ours-Indirect 67.2%; DeepWalk: Clean 83.8%, Random-Direct 46.2%, Gradient-Direct 9.8%, Ours-Direct 2.1%, Ours-Indirect 59.2%.]

Graph learning models are not robust to adversarial perturbations.


Page 15: Results: Analysis

Given a target node $v_0$, what are the properties of the nodes an attack "connects to"/"disconnects from"?

[Figure: histogram; y-axis "fraction of nodes".]

Page 16: Results: Attacking Multiple Nodes Jointly

Aim: Damage the overall performance on the test set

Core idea: Meta-learning
• Treat the graph as a hyper-parameter to optimize
• Backpropagate through the learning phase

[Figure: accuracy (%) on the test set (Citeseer data), y-axis 50 to 70, for CLN, GCN and logistic regression, on the clean graph vs. the poisoned graph.]

Using a perturbed graph is worse than using attributes alone!

Zügner, Günnemann. Adversarial Attacks on Graph Neural Networks via Meta Learning. ICLR 2019

Page 17: Intermediate Summary

§ Graph neural networks are highly vulnerable to adversarial perturbations
  – Targeted as well as global attacks
  – Performance on the perturbed graph might even be lower compared to only using attributes (no structure)
  – Attacks are successful even under restrictive attack scenarios, e.g. no access to the target node or limited knowledge about the graph
§ Non-robustness holds for graph embeddings as well
  – see e.g. Bojchevski, Günnemann. ICML 2019

Page 18: Remaining Roadmap

✓ Introduction & Motivation
✓ Are ML models for graphs robust? No!
3. Can we give guarantees, i.e. certificates?
4. Conclusion

Robustness certificate: Mathematical guarantee that the predicted class of an instance does not change under any admissible perturbation

Page 19: Classification margin

[Figure: a small graph whose nodes carry binary attribute vectors (111, 011, 101, 000, 110) with one target node marked "?" → graph neural network → class predictions of the target node (Class 1, Class 2, Class 3).]

Classification margin: $m = \min_{c \neq c^*} \log p(c^*) - \log p(c)$
> 0: correct classification; < 0: incorrect classification

Bojchevski, Günnemann. Certifiable Robustness to Graph Perturbations. NeurIPS 2019
Zügner, Günnemann. Certifiable Robustness and Robust Training for Graph Convolutional Networks. KDD 2019

Page 20: Classification margin (continued)

[Figure: the same graph and GNN as on page 19; after a perturbation the class predictions of the target node change and the margin becomes negative.]

Classification margin: $m = \min_{c \neq c^*} \log p(c^*) - \log p(c)$
> 0: correct classification; < 0: incorrect classification

Worst-case margin: $m^* = \min_{\text{perturbations}} \;\min_{\text{class } c \neq c^*} \;\log p(c^*) - \log p(c)$

Bojchevski, Günnemann. Certifiable Robustness to Graph Perturbations. NeurIPS 2019
Zügner, Günnemann. Certifiable Robustness and Robust Training for Graph Convolutional Networks. KDD 2019
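As an added example (not from the talk or the cited papers), the classification margin and worst-case margin of pages 19 and 20, evaluated on the two-layer GCN of page 12 for a constructed toy graph with hand-set identity weights; it assumes numpy and computes the exact worst-case margin by enumerating every edge flip within the budget, the search that is intractable on real graphs and that the certificate's lower bound replaces.

```python
import itertools
import numpy as np

def normalized_adjacency(A):
    """GCN propagation matrix A_hat = D^-1/2 (A + I) D^-1/2 (self-loops added)."""
    A_tilde = A + np.eye(A.shape[0])
    d_inv_sqrt = np.diag(1.0 / np.sqrt(A_tilde.sum(axis=1)))
    return d_inv_sqrt @ A_tilde @ d_inv_sqrt

def gcn_forward(A, X, W1, W2):
    """Z = softmax(A_hat ReLU(A_hat X W1) W2): one row of class probabilities per node."""
    A_hat = normalized_adjacency(A)
    H = np.maximum(A_hat @ X @ W1, 0.0)
    logits = A_hat @ H @ W2
    logits = logits - logits.max(axis=1, keepdims=True)  # keeps exp() stable
    P = np.exp(logits)
    return P / P.sum(axis=1, keepdims=True)

def classification_margin(Z, v0, c_star):
    """m = min_{c != c*} log Z[v0,c*] - log Z[v0,c]; > 0 iff c* is predicted for v0."""
    logp = np.log(Z[v0])
    return float(logp[c_star] - np.delete(logp, c_star).max())

def worst_case_margin(A, X, W1, W2, v0, c_star, budget):
    """Exact minimum of the margin over every graph reachable by flipping at most
    `budget` edges: brute force, so only feasible on tiny graphs."""
    n = A.shape[0]
    pairs = [(i, j) for i in range(n) for j in range(i + 1, n)]
    worst = classification_margin(gcn_forward(A, X, W1, W2), v0, c_star)
    for k in range(1, budget + 1):
        for flips in itertools.combinations(pairs, k):
            A2 = A.copy()
            for i, j in flips:
                A2[i, j] = A2[j, i] = 1 - A2[i, j]  # add or remove the edge
            worst = min(worst, classification_margin(gcn_forward(A2, X, W1, W2), v0, c_star))
    return worst

def toy_instance():
    """Constructed data: two triangles joined by one bridge edge (2-3), two binary
    attributes, identity weights (hand-set, not trained) so class k follows attribute k."""
    A = np.zeros((6, 6))
    for i, j in [(0, 1), (1, 2), (0, 2), (3, 4), (4, 5), (3, 5), (2, 3)]:
        A[i, j] = A[j, i] = 1.0
    X = np.array([[1, 0]] * 3 + [[0, 1]] * 3, dtype=float)
    return A, X, np.eye(2), np.eye(2)

if __name__ == "__main__":
    A, X, W1, W2 = toy_instance()
    clean = classification_margin(gcn_forward(A, X, W1, W2), v0=0, c_star=0)
    worst = worst_case_margin(A, X, W1, W2, v0=0, c_star=0, budget=1)
    print(f"clean margin {clean:.3f}, worst-case margin for 1 edge flip {worst:.3f}")
    print("certifiably robust (by exhaustive search)" if worst > 0 else "not robust")
```

With a budget of one edge flip the toy target keeps a positive worst-case margin, so it is robust in exactly the sense of the certificate definition on page 18; raising the budget shows how quickly the enumeration grows.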

Page 21: Core Idea: Robustness Certification

[Figure: the plane of $\log p(c^*)$ vs. $\log p(c)$ with the decision boundary; the region reachable via perturbations is drawn around the unperturbed prediction. Positive margin = robust, negative margin = not robust.]

§ Classification margin: no perturbation
§ Worst-case margin: worst possible perturbation (intractable, unknown)
§ Lower bound on the worst-case margin: tractable, obtained by convex relaxation
§ A positive lower bound is a robustness certificate

Page 22: Robustness Certification: Citeseer

[Figure: % of nodes robust (for Q = 12) on the y-axis (0 to 80) vs. allowed perturbations on the x-axis.]

< 25% of nodes robust, > 50% certifiably nonrobust for 10 perturbations.

Page 23: Robustness Certification: Citeseer (continued)

[Figure: as on page 22, with an additional curve for robust training.]

< 25% of nodes robust, > 50% certifiably nonrobust for 10 perturbations.

Robust training: 85% robust!

Page 24: Results: Robust Training

[Figure: three panels (Citeseer, Cora-ML, PubMed); y-axis % robust for Q = 12 (0 to 100); bars for Robust Hinge, Baseline Loss and Cross Entropy.]

> 4x improvement

Baseline loss adapted from [Wong and Kolter 2018]

Page 25: Results: No Cost in Accuracy

[Figure: three panels (Citeseer, Cora-ML, PubMed); accuracy bars for Robust Hinge, Baseline Loss and Cross Entropy.]

Baseline loss adapted from [Wong and Kolter 2018]

Page 26: Remaining Roadmap

✓ Introduction & Motivation
✓ Are ML models for graphs robust? No!
✓ Can we give guarantees, i.e. certificates? Yes!
4. Conclusion

[Figure: % of nodes certifiably robust / certifiably nonrobust (0 to 100) vs. allowed perturbations (0 to 30).]

Page 27: Conclusion

§ Graph learning models are not robust
  – Supervised & unsupervised methods; attacks generalize to many models; only limited knowledge required
§ Crucial for a reliable use of these models:
  – Certificates & robustification principles
§ Many open questions
  – E.g. exact understanding of what makes a perturbation harmful (underlying "patterns")
  – Core challenges in general: discreteness of graph structure, $O(N^2)$ potential edges, dependencies/non-i.i.d., variety of models, heterogeneous data, …

[Figure: % of nodes certifiably robust / certifiably nonrobust vs. allowed perturbations, as on page 26.]

Thank you!