Certified Robustness of Graph Neural Networks against Adversarial Structural Perturbation

TL;DR

This paper develops a method using randomized smoothing to provide provable robustness guarantees for graph neural networks against structural perturbations, ensuring reliable predictions despite adversarial graph modifications.

Contribution

It extends randomized smoothing to graph data to certify GNN robustness against edge modifications, providing tight guarantees for node and graph classification.

Findings

Achieves a certified accuracy of 0.49 on Cora with up to 15 edge modifications.

Provides tight robustness guarantees for GNNs against structural attacks.

Empirically validates the method on multiple datasets and GNN architectures.

Abstract

Graph neural networks (GNNs) have recently gained much attention for node and graph classification tasks on graph-structured data. However, multiple recent works showed that an attacker can easily make GNNs predict incorrectly via perturbing the graph structure, i.e., adding or deleting edges in the graph. We aim to defend against such attacks via developing certifiably robust GNNs. Specifically, we prove the certified robustness guarantee of any GNN for both node and graph classifications against structural perturbation. Moreover, we show that our certified robustness guarantee is tight. Our results are based on a recently proposed technique called randomized smoothing, which we extend to graph data. We also empirically evaluate our method for both node and graph classifications on multiple GNNs and multiple benchmark datasets. For instance, on the Cora dataset, Graph Convolutional Network with our randomized smoothing can achieve a certified accuracy of 0.49 when the attacker can arbitrarily add/delete at most 15 edges in the graph.