LG · CR · SI · ML · Jul 19, 2020

Adversarial Immunization for Certifiable Robustness on Graphs

arXiv:2007.09647v5 · 19 citations
AI Analysis

This paper addresses adversarial robustness in graph-based machine learning for researchers and practitioners, offering a novel immunization approach rather than an incremental improvement.

The paper tackles the vulnerability of graph neural networks to adversarial attacks by introducing a graph adversarial immunization problem, where vaccinating a small fraction of node pairs improves certifiable robustness, achieving increases in robust node ratios of 12%, 42%, and 65% with only a 5% edge budget.

Despite achieving strong performance in the semi-supervised node classification task, graph neural networks (GNNs) are vulnerable to adversarial attacks, similar to other deep learning models. Existing research focuses on developing either robust GNN models or attack detection methods against adversarial attacks on graphs. However, little research attention is paid to the potential and practice of immunization to adversarial attacks on graphs. In this paper, we propose and formulate the graph adversarial immunization problem, i.e., vaccinating an affordable fraction of node pairs, connected or unconnected, to improve the certifiable robustness of the graph against any admissible adversarial attack. We further propose an effective algorithm, called AdvImmune, which optimizes with meta-gradient in a discrete way to circumvent the computationally expensive combinatorial optimization when solving the adversarial immunization problem. Experiments are conducted on two citation networks and one social network. Experimental results demonstrate that the proposed AdvImmune method remarkably improves the ratio of robust nodes by 12%, 42%, 65%, with an affordable immune budget of only 5% edges.
