Adversarial Attacks on Graph Neural Networks via Meta Learning

TL;DR

This paper introduces a novel meta-learning approach to generate training-time adversarial attacks on graph neural networks by perturbing graph structures, significantly degrading their performance without requiring access to the models.

Contribution

It presents a new meta-gradient based method for attacking graph neural networks during training by optimizing graph perturbations as hyperparameters.

Findings

Small graph perturbations cause significant performance drops in GNNs.

Attacks transfer across different GNN architectures and embeddings.

Perturbations can mislead GNNs to perform worse than non-relational baselines.

Abstract

Deep learning models for graphs have advanced the state of the art on many tasks. Despite their recent success, little is known about their robustness. We investigate training time attacks on graph neural networks for node classification that perturb the discrete graph structure. Our core principle is to use meta-gradients to solve the bilevel problem underlying training-time attacks, essentially treating the graph as a hyperparameter to optimize. Our experiments show that small graph perturbations consistently lead to a strong decrease in performance for graph convolutional networks, and even transfer to unsupervised embeddings. Remarkably, the perturbations created by our algorithm can misguide the graph neural networks such that they perform worse than a simple baseline that ignores all relational information. Our attacks do not assume any knowledge about or access to the target classifiers.