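Information Engineering University, Zhengzhou 450002, Henan, China

Yiteng WU (born 1992), male, from Jilin City, Jilin Province, is a doctoral student at Information Engineering University. His main research interests are artificial intelligence security and adversarial machine learning.

Wei LIU (born 1992), male, from Baoding, Hebei Province, is a master's student at Information Engineering University. His main research interests are artificial intelligence security and natural language processing.

Hongtao YU (born 1970), male, from Dandong, Liaoning Province, Ph.D., is a researcher and doctoral supervisor at Information Engineering University. His main research interests are big data and artificial intelligence.

Published online: 2021-09

Published in print: 2021-09-25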
Yiteng WU, Wei LIU, Hongtao YU. Label flipping adversarial attack on graph neural network[J]. Journal on Communications, 2021, 42(9): 65-74. DOI: 10.11959/j.issn.1000-436x.2021167.
Abstract: To expand the types of adversarial attacks on graph neural networks and fill the relevant research gap, label flipping attack methods are proposed to evaluate the robustness of graph neural networks to label noise. The effectiveness mechanisms of adversarial attacks are summarized as three basic hypotheses: the contradictory data hypothesis, the parameter discrepancy hypothesis and the identically distributed hypothesis. Based on these three hypotheses, label flipping attack models are established. Using gradient-based attack methods, it is theoretically proved that the attack gradients based on the parameter discrepancy hypothesis are the same as the attack gradients based on the identically distributed hypothesis, which establishes the equivalence of the two attack methods. Experiments compare and analyze the advantages and disadvantages of the models built on the different hypotheses, and extensive experimental results verify the effectiveness of the proposed label flipping attack models.