LG | CR | Jul 15, 2024

Provable Robustness of (Graph) Neural Networks Against Data Poisoning and Backdoor Attacks

arXiv:2407.10867v3 | 8 citations | h-index: 13
Originality: Highly original
AI Analysis

This work addresses the critical security problem of data poisoning for users of GNNs and neural networks, offering a novel certification approach that is foundational but incremental in extending existing robustness methods to graph domains.

The paper tackles the vulnerability of Graph Neural Networks (GNNs) to data poisoning and backdoor attacks by providing the first white-box certificates to prove robustness against such attacks on node features, leveraging the neural tangent kernel and a mixed-integer linear program reformulation. It offers insights into how graph structure affects robustness in convolution-based and PageRank-based GNNs, with the framework being generalizable to other neural networks.

Generalization of machine learning models can be severely compromised by data poisoning, where adversarial changes are applied to the training data. This vulnerability has led to interest in certifying (i.e., proving) that such changes up to a certain magnitude do not affect test predictions. We, for the first time, certify Graph Neural Networks (GNNs) against poisoning attacks, including backdoors, targeting the node features of a given graph. Our certificates are white-box and based upon $(i)$ the neural tangent kernel, which characterizes the training dynamics of sufficiently wide networks; and $(ii)$ a novel reformulation of the bilevel optimization problem describing poisoning as a mixed-integer linear program. Consequently, we leverage our framework to provide fundamental insights into the role of graph structure and its connectivity on the worst-case robustness behavior of convolution-based and PageRank-based GNNs. We note that our framework is more general and constitutes the first approach to derive white-box poisoning certificates for NNs, which can be of independent interest beyond graph-related tasks.

Code Implementations: 1 repo