LG, AI · Jan 9, 2025

On Measuring Unnoticeability of Graph Adversarial Attacks: Observations, New Measure, and Applications

arXiv:2501.05015v1 · 1 citations · h-index: 8 · KDD
Originality: Incremental advance
AI Analysis

This work addresses the problem of evaluating adversarial attack stealthiness in graph machine learning, which is incremental as it improves upon existing measures rather than introducing a new paradigm.

The paper tackles the problem of measuring the noticeability of adversarial attacks on graphs, identifying two limitations in existing measures: attackers can bypass them, and they overlook attacks until perturbations become severe. It introduces HideNSeek, a learnable measure that combines a learnable edge scorer (LEO), which distinguishes attack edges from original ones, with imbalance-aware aggregation of the edge scores. On six real-world graphs, LEO outperforms eleven competitors under five attack methods and boosts robust GNN performance.

Adversarial attacks are allegedly unnoticeable. Prior studies have designed attack noticeability measures on graphs, primarily using statistical tests to compare the topology of original and (possibly) attacked graphs. However, we observe two critical limitations in the existing measures. First, because the measures rely on simple rules, attackers can readily enhance their attacks to bypass them, reducing their attack "noticeability" and, yet, maintaining their attack performance. Second, because the measures naively leverage global statistics, such as degree distributions, they may entirely overlook attacks until severe perturbations occur, letting the attacks be almost "totally unnoticeable." To address the limitations, we introduce HideNSeek, a learnable measure for graph attack noticeability. First, to mitigate the bypass problem, HideNSeek learns to distinguish the original and (potential) attack edges using a learnable edge scorer (LEO), which scores each edge on its likelihood of being an attack. Second, to mitigate the overlooking problem, HideNSeek conducts imbalance-aware aggregation of all the edge scores to obtain the final noticeability score. Using six real-world graphs, we empirically demonstrate that HideNSeek effectively alleviates the observed limitations, and LEO (i.e., our learnable edge scorer) outperforms eleven competitors in distinguishing attack edges under five different attack methods. For an additional application, we show that LEO boosts the performance of robust GNNs by removing attack-like edges.
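Why the aggregation of edge scores has to be imbalance-aware, as an added illustration that is not the paper's code: the edge scores are constructed rather than produced by LEO, and AUROC is an assumed stand-in for the aggregation, which this page does not specify. All function names are hypothetical.

```python
# Added illustration: constructed edge scores, not output of the paper's LEO model.

def constructed_scores(n_attack, n_orig=2000):
    """Hypothetical scorer output: higher score = more attack-like."""
    orig = [0.6 * i / (n_orig - 1) for i in range(n_orig)]      # original edges, 0.0..0.6
    attack = [(0.5, 0.7, 0.9)[i % 3] for i in range(n_attack)]  # attack edges, some overlap
    return orig, attack

def mean_shift(orig, attack):
    """Global-statistic style aggregate: change in the mean edge score."""
    before = sum(orig) / len(orig)
    after = (sum(orig) + sum(attack)) / (len(orig) + len(attack))
    return after - before

def auroc(orig, attack):
    """Imbalance-aware aggregate (assumed choice): probability that a random
    attack edge outscores a random original edge, ties counted as 1/2."""
    wins = sum((a > o) + 0.5 * (a == o) for a in attack for o in orig)
    return wins / (len(attack) * len(orig))

def compare(n_attack):
    """Return (mean shift, AUROC) for a graph with n_attack inserted edges."""
    orig, attack = constructed_scores(n_attack)
    return mean_shift(orig, attack), auroc(orig, attack)

if __name__ == "__main__":
    for n_attack in (12, 120, 1200):  # 0.6%, 6% and 60% of the original edge count
        shift, auc = compare(n_attack)
        print(f"attack edges={n_attack:5d}  mean shift={shift:.4f}  AUROC={auc:.4f}")
```

With 12 attack edges the mean score barely moves, so a global statistic would report almost nothing, while the rank-based aggregate reports the same separability at every perturbation rate.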

Code Implementations: 1 repo