Understanding Structural Vulnerability in Graph Convolutional Networks
This addresses a security issue for users of graph neural networks in applications like social networks or recommendation systems, offering an incremental improvement by modifying the aggregation scheme.
The paper tackled the problem of Graph Convolutional Networks (GCNs) being vulnerable to adversarial attacks on graph structure, attributing this to the non-robust weighted mean aggregation scheme, and showed that using aggregation schemes with high breakdown points like median or trimmed mean significantly enhances robustness, achieving best performance on four real-world datasets.
Recent studies have shown that Graph Convolutional Networks (GCNs) are vulnerable to adversarial attacks on the graph structure. Although multiple works have been proposed to improve their robustness against such structural adversarial attacks, the reasons for the success of the attacks remain unclear. In this work, we theoretically and empirically demonstrate that structural adversarial examples can be attributed to the non-robust aggregation scheme (i.e., the weighted mean) of GCNs. Specifically, our analysis takes advantage of the breakdown point which can quantitatively measure the robustness of aggregation schemes. The key insight is that weighted mean, as the basic design of GCNs, has a low breakdown point and its output can be dramatically changed by injecting a single edge. We show that adopting the aggregation scheme with a high breakdown point (e.g., median or trimmed mean) could significantly enhance the robustness of GCNs against structural attacks. Extensive experiments on four real-world datasets demonstrate that such a simple but effective method achieves the best robustness performance compared to state-of-the-art models.