Research on analyzing graphs with machine learning has developed rapidly in recent years. In particular, graph neural networks provide a very competitive solution for tasks in many graph application scenarios. However, graph neural networks can be fooled by adversarial examples, which are generated by adding subtle distortions to the original graph. In application scenarios with high system security requirements, graph neural networks that are attacked by hackers will threaten public security and personal privacy. It is therefore of great significance to study defense strategies against adversarial examples on graph neural networks, which can promote the application of graph neural networks in practice.

Defense schemes against adversarial samples on graph neural networks can be divided into three categories: adversarial training, model optimization and data transformation. Compared with adversarial training, data transformation and model optimization have lower computation cost and higher extensibility. Therefore, to improve the robustness of graph neural networks, this thesis studies data transformation and model optimization, and finds that using the two ideas together in scheme design is more effective than using either one alone. Based on these findings, a robust graph application architecture is proposed in this thesis and is later implemented in the graph node classification scenario.

The architecture of the robust graph data application system proposed in this thesis includes two modules: a graph pre-process module and a model optimization module. The design goal of the graph pre-process module is to purify the adversarial sample while retaining the key structure of the original graph. The design goal of the model optimization module is to simply optimize the target model so that it can defend against adversarial samples with small perturbations. According to these design goals, the graph pre-process module of the robust graph node classification model measures node-pair similarity by combining the node attributes and the topological features of the graph, and uses a limited greedy method to remove the perturbation, which keeps the key topology of the graph while it is purified and so ensures the stability of the defense effect. The model optimization module is optimized by replacing the aggregation function in the graph convolutional neural network with a more robust aggregation function. This design effectively avoids large computation cost and improves efficiency.

In this thesis, the proposed graph node classification model is implemented and verified by experiments. First, the defense capability of each module in the node classification model is tested, and the experimental results show that both the graph pre-process module and the model optimization module achieve the expected defensive effect against adversarial attacks. Next, the node classification model is compared with other existing defense schemes in terms of time and accuracy, and the results show that the proposed model performs better in both accuracy and time than other input data transformation or model optimization defense schemes. Finally, experiments comparing the defense effect of the node classification model under different parameter settings were carried out, and the results show that the model has stable defense capability. In conclusion, the experiments show the strong defense ability of the classification model and reflect the rationality and feasibility of the proposed framework.
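The abstract does not give the similarity formula or the limit applied to the greedy step, so the following added example (not code from the thesis) sketches the pre-process idea under stated assumptions: node-pair similarity is a weighted sum of attribute Jaccard and shared-neighbour Jaccard, removals are capped by a budget, and a minimum-degree guard stands in for "retaining the key structure". The names `purify`, `alpha`, `threshold`, `budget` and `min_degree` are hypothetical.

```python
# Added illustration; similarity formula, budget and degree guard are assumptions.

def jaccard(a, b):
    """Jaccard overlap of two sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def pair_similarity(adj, feats, u, v, alpha):
    """Blend attribute overlap with shared-neighbour overlap for edge (u, v)."""
    attr = jaccard(feats[u], feats[v])
    topo = jaccard(adj[u] - {v}, adj[v] - {u})
    return alpha * attr + (1 - alpha) * topo

def purify(edges, feats, threshold=0.2, budget=2, alpha=0.5, min_degree=1):
    """Greedily drop the least similar edge, at most `budget` times.

    An edge is a candidate only if both endpoints keep more than
    `min_degree` neighbours, so no node is cut off from the graph.
    """
    adj = {n: set() for n in feats}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    removed = []
    while len(removed) < budget:
        # Re-score every round: each removal changes the neighbourhoods.
        scored = [(pair_similarity(adj, feats, u, v, alpha), u, v)
                  for u in adj for v in adj[u]
                  if u < v and min(len(adj[u]), len(adj[v])) > min_degree]
        if not scored:
            break
        score, u, v = min(scored)
        if score >= threshold:
            break  # everything left looks like genuine structure
        adj[u].discard(v)
        adj[v].discard(u)
        removed.append((u, v))
    kept = sorted((u, v) for u in adj for v in adj[u] if u < v)
    return kept, removed

# Constructed sample: two triangles with distinct attributes, plus two
# injected cross-community edges (0, 4) and (2, 5).
FEATS = {0: {"a", "b"}, 1: {"a", "b", "c"}, 2: {"b", "c"},
         3: {"x", "y"}, 4: {"x", "y", "z"}, 5: {"y", "z"}}
CLEAN = [(0, 1), (0, 2), (1, 2), (3, 4), (3, 5), (4, 5)]
POISONED = CLEAN + [(0, 4), (2, 5)]

if __name__ == "__main__":
    kept, removed = purify(POISONED, FEATS)
    print("removed:", removed)
    print("kept:   ", kept)
```

Scores are recomputed after every removal because deleting one injected edge changes the neighbourhood overlap of the edges that remain.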