CoG: a Two-View Co-training Framework for Defending Adversarial Attacks on Graph

TL;DR

This paper introduces CoG, a co-training framework that combines structure and feature views of graph data to improve the robustness of GNNs against adversarial attacks, without losing accuracy on clean data.

Contribution

The paper proposes a novel co-training framework that leverages two orthogonal views of graph data to enhance GNN robustness against adversarial perturbations.

Findings

CoG significantly improves robustness against adversarial attacks.

CoG maintains high performance on clean data.

Effective even when both node features and structures are perturbed.

Abstract

Graph neural networks exhibit remarkable performance in graph data analysis. However, the robustness of GNN models remains a challenge. As a result, they are not reliable enough to be deployed in critical applications. Recent studies demonstrate that GNNs could be easily fooled with adversarial perturbations, especially structural perturbations. Such vulnerability is attributed to the excessive dependence on the structure information to make predictions. To achieve better robustness, it is desirable to build the prediction of GNNs with more comprehensive features. Graph data, in most cases, has two views of information, namely structure information and feature information. In this paper, we propose CoG, a simple yet effective co-training framework to combine these two views for the purpose of robustness. CoG trains sub-models from the feature view and the structure view independently and allows them to distill knowledge from each other by adding their most confident unlabeled data into the training set. The orthogonality of these two views diversifies the sub-models, thus enhancing the robustness of their ensemble. We evaluate our framework on three popular datasets, and results show that CoG significantly improves the robustness of graph models against adversarial attacks without sacrificing their performance on clean data. We also show that CoG still achieves good robustness when both node features and graph structures are perturbed.