
Research And Implementation Of Defense Algorithm Against Adversarial Attack For Graph Convolution Neural Network

Posted on: 2023-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: Q Cheng
GTID: 2558306914956449
Subject: Cyberspace security

Abstract/Summary:
Graph convolution neural networks learn effective information from graph data through graph convolution. They are widely used for node classification, link prediction, graph classification and other tasks in fields such as recommendation systems, computer vision and drug discovery. However, like convolutional neural networks, graph convolution neural networks are vulnerable to adversarial attacks that degrade model performance, and this vulnerability leads to security problems in the fields where they are applied. For example, node classification results can be manipulated by forging links, graph classification results can be affected by inserting false nodes and links, and downstream models can be maliciously and continuously affected by backdoor attacks. Research on adversarial attack and defense techniques for graph convolution neural networks has therefore attracted extensive attention.

At present, research on adversarial defense algorithms for graph convolution neural networks mainly faces the following problems: the structure and characteristics of graph data are discrete, and the sparsity of the data makes a range of gradient-based methods inapplicable and can lead to high computational cost. Moreover, most existing defense algorithms target specific attack methods, and there is little research on the general principles of graph adversarial attacks.

To address these problems, this paper mines the structure and attribute information of graph data. Starting from the characteristics of the data set, it studies robustness algorithms for graph convolution neural networks based on adversarial training and ensemble learning. The main research contents of this paper are as follows:

(1) A non-robust feature extraction method for the topology and node attributes of graph data is proposed. Based on the characteristics of graph data, non-robust features are defined for two kinds of data: structure and attributes. A random graph is generated by applying a random attack to the graph data. With the help of the random graph, structural non-robust features and attribute non-robust features that cause the model to confuse the original graph with the random graph are distilled from the embedding space of the graph convolution neural network, based on the similarity of the structural matrices and the difference in feature smoothness between the original graph and the random graph.

(2) An adversarial training model based on non-robust features is proposed. The non-robust features distilled from the original graph are used as adversarial samples to train the graph convolution neural network. Distilling non-robust features in the embedding space greatly reduces the cost and difficulty of constructing adversarial samples. Through adversarial training, the model improves its ability to recognize non-robust features and its defense against adversarial attacks, without reducing its performance on clean data.

(3) An ensemble adversarial training algorithm based on non-robust features, named VDERG, is proposed and implemented. Based on the topology and node attribute information of the graph, two kinds of sub-models with different adversarial subspaces are constructed. The sub-models distill the non-robust features from the graph and perform adversarial training on the distilled features. Finally, the node embedding vectors obtained by the two kinds of sub-models are integrated and fed into the mapping function to obtain the final prediction result. Through the ensemble algorithm, the structure and attribute features of the graph data are fully learned.

(4) The defense capability of VDERG is verified on the Cora, CiteSeer and PubMed data sets in comparison with other defense algorithms, and the effectiveness of the two non-robust feature distillation methods is also tested separately. Using the representative adversarial attack algorithm Metattack, the model accuracy is compared with that of other defense methods under different perturbation rates.

The experiments show that the accuracy of VDERG on clean data is improved by 0.8% on average, and the accuracy of VDERG against adversarial attacks is improved by up to 6.91%. This verifies that the adversarial training algorithm proposed in this paper can effectively improve the robustness of graph convolution neural networks and also improve their learning ability on clean data.

Keywords/Search Tags: graph convolution neural network, non-robust features, adversarial training, ensemble learning