GNNGuard: Defending Graph Neural Networks against Adversarial Attacks

TL;DR

GNNGuard is a novel defense algorithm that enhances the robustness of Graph Neural Networks against various adversarial attacks by intelligently weighting and pruning graph edges based on node similarity.

Contribution

It introduces a general, easily integrable defense method with two novel components, neighbor importance estimation and layer-wise graph memory, to improve GNN robustness against attacks.

Findings

GNNGuard outperforms existing defenses by 15.3% on average.

It effectively restores GNN performance under various attack types.

The method is effective on heterophily graphs and diverse datasets.

Abstract

Deep learning methods for graphs achieve remarkable performance across a variety of domains. However, recent findings indicate that small, unnoticeable perturbations of graph structure can catastrophically reduce performance of even the strongest and most popular Graph Neural Networks (GNNs). Here, we develop GNNGuard, a general algorithm to defend against a variety of training-time attacks that perturb the discrete graph structure. GNNGuard can be straight-forwardly incorporated into any GNN. Its core principle is to detect and quantify the relationship between the graph structure and node features, if one exists, and then exploit that relationship to mitigate negative effects of the attack.GNNGuard learns how to best assign higher weights to edges connecting similar nodes while pruning edges between unrelated nodes. The revised edges allow for robust propagation of neural messages in the underlying GNN. GNNGuard introduces two novel components, the neighbor importance estimation, and the layer-wise graph memory, and we show empirically that both components are necessary for a successful defense. Across five GNNs, three defense methods, and five datasets,including a challenging human disease graph, experiments show that GNNGuard outperforms existing defense approaches by 15.3% on average. Remarkably, GNNGuard can effectively restore state-of-the-art performance of GNNs in the face of various adversarial attacks, including targeted and non-targeted attacks, and can defend against attacks on heterophily graphs.