adversarial robustness of machine learning models for graphs · 28/10/2019 · s. günnemann...
TRANSCRIPT
S. Günnemann Adversarial Robustness of Machine Learning Models for Graphs
Adversarial Robustness of Machine Learning Models for Graphs
Prof. Dr. Stephan Günnemann, Department of Informatics, Technical University of Munich
28.10.2019
Can you trust the predictions of graph-based ML models?
Graphs are Everywhere
Computational Social Sciences
Meshes
Computational Chemistry, Proteomics, Biology
Reasoning Systems
Scene Graphs
Machine Learning for Graphs
§ Graph neural networks have become extremely popular
§ Example: GNNs for semi-supervised node classification
[Figure: partially labeled, attributed graph → GNN (message passing)]
ℎ"($) = ' () " ⋅ + $,- ⋅ . $
Graphs & Robustness
Are machine learning models for graphs robust with respect to (adversarial) perturbations?
§ Reliable/safe use of ML models requires correctness even in the worst case
– adversarial perturbations = worst-case corruptions
§ Adversaries are common in many application scenarios where graphs are used (e.g. recommender systems, social networks, knowledge graphs)
Adversarial Attacks in the Image Domain
§ State-of-the-art (deep) learning methods are not robust against small deliberate perturbations
[Figure: training data → training → model; labels: 99%, perturbation, 92%, perturbed image]
The relational nature of the data might…
§ Cause cascading failures: perturbations in one part of the graph can propagate to the rest
§ Improve robustness: predictions are computed jointly rather than in isolation
[Figure: ML for graphs (message passing)]
Remaining Roadmap
✓ Introduction & Motivation
2. Are ML models for graphs robust?
3. Can we give guarantees, i.e. certificates?
4. Conclusion
Semi-Supervised Node Classification
[Figure: partially labeled, attributed graph → ML for graphs (message passing)]
Can we change the predictions by slightly perturbing the data?
Unique Aspects of the Graph Domain
Target node $v \in V$: node whose classification label we want to change
Attacker nodes $A \subset V$: nodes the attacker can modify
Direct attack ($A = \{v\}$)
§ Modify the target's features
§ Add connections to the target
§ Remove connections from the target
Examples: change website content; buy likes/followers; unfollow untrusted users
Indirect attack ($v \notin A$)
§ Modify the attackers' features
§ Add connections to the attackers
§ Remove connections from the attackers
Examples: hijack friends of target; create a link/spam farm
Single Node Attack for a GCN
$\min_{A', X'} \; \min_{c \neq c_{old}} \; \log Z'_{v, c_{old}} - \log Z'_{v, c}$
where $Z' = f_\theta(A', X') = \mathrm{softmax}\big(\hat{A}' \, \mathrm{ReLU}(\hat{A}' X' W^{(1)}) \, W^{(2)}\big)$ (message passing)
$A' \in \{0,1\}^{N \times N}$: modified adjacency matrix
$X' \in \{0,1\}^{N \times D}$: modified node attributes
$v$: target node
§ Classification margin
– > 0: no change in classification
– < 0: change in classification
§ Core idea: Linearization → efficient greedy approach
Zügner, Akbarnejad, Günnemann. Adversarial Attacks on Neural Networks for Graph Data. KDD 2018
Results: Cora Data
[Figure: classification margin (−1.0 to 1.0) per method; negative margin = wrong classification, positive margin = correct classification]
% Correct                      Clean   Inter-class Random   Grad. Direct   Ours Direct   Ours Indirect
Poisoning attack on GCN        90.3%   60.8%                2.7%           1.0%          67.2%
Poisoning attack on DeepWalk   83.8%   46.2%                9.8%           2.1%          59.2%
Graph learning models are not robust to adversarial perturbations.
Results: Analysis
Given a target node $v$, what are the properties of the nodes an attack "connects to"/"disconnects from"?
[Figure: fraction of nodes]
Results: Attacking Multiple Nodes Jointly
Aim: Damage the overall performance on the test set
Core idea: Meta-learning
• Treat the graph as a hyperparameter to optimize
• Backpropagate through the learning phase
[Figure: accuracy (%) on test set (Citeseer data), clean graph vs. poisoned graph, for CLN, GCN and Log. reg.]
Using a perturbed graph is worse than using attributes alone!
Zügner, Günnemann. Adversarial Attacks on Graph Neural Networks via Meta Learning. ICLR 2019
Intermediate Summary
§ Graph neural networks are highly vulnerable to adversarial perturbations
– Targeted as well as global attacks
– Performance on the perturbed graph might even be lower compared to only using attributes (no structure)
– Attacks are successful even under restrictive attack scenarios, e.g. no access to target node or limited knowledge about the graph
§ Non-robustness holds for graph embeddings as well
– see e.g. Bojchevski, Günnemann. ICML 2019
Remaining Roadmap
✓ Introduction & Motivation
✓ Are ML models for graphs robust? No!
3. Can we give guarantees, i.e. certificates?
4. Conclusion
Robustness certificate: Mathematical guarantee that the predicted class of an instance does not change under any admissible perturbation
Classification margin
[Figure: graph → graph neural network → class predictions of target node (Class 1, Class 2, Class 3); negative margin after perturbation]
Classification margin: $m = \min_{c \neq c^*} \log p(c^*) - \log p(c)$
– > 0: correct classification
– < 0: incorrect classification
Worst-case margin: $m^* = \operatorname{minimize}_{\text{perturbations}} \; \min_{\text{class } c \neq c^*} \log p(c^*) - \log p(c)$
Bojchevski, Günnemann. Certifiable Robustness to Graph Perturbations. NeurIPS 2019
Zügner, Günnemann. Certifiable Robustness and Robust Training for Graph Convolutional Networks. KDD 2019
Core Idea: Robustness Certification
[Figure: decision boundary between log p(c_1) and log p(c_2) with the region reachable via perturbations; margin axis with 0 separating robust (positive margin) from not robust (negative margin)]
– Classification margin: no perturbation
– Worst-case margin: worst possible (intractable, unknown)
– Lower bound on the worst-case margin: lower bound (tractable)
– Convex relaxation → robustness certificate
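
Added example (not from the talk or the cited papers): the worst-case margin defined above, computed exactly by enumeration on a constructed 4-node graph instead of being lower-bounded by convex relaxation, which is only feasible at toy size. Assumptions: a linearized two-layer GCN whose per-node class scores `H` stand in for XW, an admissible set of at most `budget` arbitrary edge flips, and illustrative function names.

```python
from itertools import combinations
from math import sqrt

def propagate(adj, h):
    """One GCN message-passing step: D^-1/2 (A + I) D^-1/2 h."""
    n = len(adj)
    a = [[1 if i == j else adj[i][j] for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in a]
    return [[sum(a[i][j] * h[j][c] / sqrt(deg[i] * deg[j]) for j in range(n))
             for c in range(len(h[0]))] for i in range(n)]

def margin(adj, h, target, true_class):
    """min over c != c* of log p(c*) - log p(c); with a softmax output this
    equals the logit difference z[c*] - z[c]."""
    z = propagate(adj, propagate(adj, h))[target]
    return min(z[true_class] - z[c] for c in range(len(z)) if c != true_class)

def worst_case_margin(adj, h, target, true_class, budget):
    """Exact worst-case margin over all sets of at most `budget` edge flips."""
    pairs = list(combinations(range(len(adj)), 2))
    worst = margin(adj, h, target, true_class)
    for q in range(1, budget + 1):
        for flips in combinations(pairs, q):
            pert = [row[:] for row in adj]
            for i, j in flips:
                pert[i][j] = pert[j][i] = 1 - pert[i][j]
            worst = min(worst, margin(pert, h, target, true_class))
    return worst

def certified(adj, h, target, true_class, budget):
    """Certificate: the prediction cannot change within the budget."""
    return worst_case_margin(adj, h, target, true_class, budget) > 0

# Constructed sample: edges 0-1 and 2-3; nodes 0 and 1 score for class 0,
# nodes 2 and 3 score for class 1. Target is node 0 with true class 0.
ADJ = [[0, 1, 0, 0], [1, 0, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]
H = [[2.0, 0.0], [1.0, 0.0], [0.0, 2.0], [0.0, 2.0]]

if __name__ == "__main__":
    for q in range(3):
        print(q, round(worst_case_margin(ADJ, H, 0, 0, q), 4),
              certified(ADJ, H, 0, 0, q))
```

On this sample the target stays certified for a budget of one flip and loses the certificate at two, which is the robust/not-robust split the margin axis on the slide describes.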
Robustness Certification: Citeseer
[Figure: % robust (for Q = 12); x-axis: allowed perturbations]
<25% of nodes robust, >50% certifiably nonrobust for 10 perturbations.
Robust training: 85% robust!
Results: Robust Training
[Figure: % robust for Q = 12 on Citeseer, Cora-ML and PubMed, comparing Robust Hinge, Baseline Loss and Cross Entropy]
> 4x improvement
Baseline loss adapted from [Wong and Kolter 2018]
Results: No Cost in Accuracy
[Figure: Citeseer, Cora-ML and PubMed, comparing Robust Hinge, Baseline Loss and Cross Entropy]
Baseline loss adapted from [Wong and Kolter 2018]
Remaining Roadmap
✓ Introduction & Motivation
✓ Are ML models for graphs robust? No!
✓ Can we give guarantees, i.e. certificates? Yes!
4. Conclusion
[Figure: % nodes certifiably robust / certifiably nonrobust vs. allowed perturbations (0 to 30)]
Conclusion
§ Graph learning models are not robust
– Supervised & unsupervised methods, attacks generalize to many models, only limited knowledge required
§ Crucial for a reliable use of these models:
– Certificates & robustification principles
§ Many open questions
– E.g. exact understanding of what makes a perturbation harmful (underlying "patterns")
– Core challenges in general: discreteness of graph structure, $O(N^2)$ potential edges, dependencies/non-i.i.d., variety of models, heterogeneous data, …
Thank you!