On Measuring Unnoticeability of Graph Adversarial Attacks: Observations, New Measure, and Applications

TL;DR

This paper introduces HideNSeek, a learnable measure for graph attack unnoticeability that overcomes limitations of existing statistical methods by using a learnable edge scorer and imbalance-aware aggregation, improving attack detection and robustness.

Contribution

The paper proposes HideNSeek, a novel learnable measure with a learnable edge scorer and imbalance-aware aggregation to better detect and mitigate graph adversarial attacks.

Findings

HideNSeek outperforms eleven competitors in attack edge detection.

LEO improves robust GNN performance by removing attack edges.

HideNSeek effectively addresses limitations of existing measures.

Abstract

Adversarial attacks are allegedly unnoticeable. Prior studies have designed attack noticeability measures on graphs, primarily using statistical tests to compare the topology of original and (possibly) attacked graphs. However, we observe two critical limitations in the existing measures. First, because the measures rely on simple rules, attackers can readily enhance their attacks to bypass them, reducing their attack "noticeability" and, yet, maintaining their attack performance. Second, because the measures naively leverage global statistics, such as degree distributions, they may entirely overlook attacks until severe perturbations occur, letting the attacks be almost "totally unnoticeable." To address the limitations, we introduce HideNSeek, a learnable measure for graph attack noticeability. First, to mitigate the bypass problem, HideNSeek learns to distinguish the original and (potential) attack edges using a learnable edge scorer (LEO), which scores each edge on its likelihood of being an attack. Second, to mitigate the overlooking problem, HideNSeek conducts imbalance-aware aggregation of all the edge scores to obtain the final noticeability score. Using six real-world graphs, we empirically demonstrate that HideNSeek effectively alleviates the observed limitations, and LEO (i.e., our learnable edge scorer) outperforms eleven competitors in distinguishing attack edges under five different attack methods. For an additional application, we show that LEO boost the performance of robust GNNs by removing attack-like edges.