Bounding the Expected Robustness of Graph Neural Networks Subject to Node Feature Attacks
This work addresses the security and reliability of GNNs in graph representation learning, which is crucial for applications like social networks and recommendation systems, though it is incremental as it builds on existing robustness concepts.
The paper tackles the vulnerability of Graph Neural Networks (GNNs) to adversarial attacks on node features by theoretically defining expected robustness and deriving an upper bound for it, leading to a more robust variant called GCORN that outperforms existing defense methods in experiments on real-world datasets.
Graph Neural Networks (GNNs) have demonstrated state-of-the-art performance in various graph representation learning tasks. Recently, studies revealed their vulnerability to adversarial attacks. In this work, we theoretically define the concept of expected robustness in the context of attributed graphs and relate it to the classical definition of adversarial robustness in the graph representation learning literature. Our definition allows us to derive an upper bound of the expected robustness of Graph Convolutional Networks (GCNs) and Graph Isomorphism Networks subject to node feature attacks. Building on these findings, we connect the expected robustness of GNNs to the orthonormality of their weight matrices and consequently propose an attack-independent, more robust variant of the GCN, called the Graph Convolutional Orthonormal Robust Networks (GCORNs). We further introduce a probabilistic method to estimate the expected robustness, which allows us to evaluate the effectiveness of GCORN on several real-world datasets. Experimental experiments showed that GCORN outperforms available defense methods. Our code is publicly available at: \href{https://github.com/Sennadir/GCORN}{https://github.com/Sennadir/GCORN}.