Robustness Verification of Graph Neural Networks Via Lightweight Satisfiability Testing
This addresses the detection of adversarial attacks on GNNs, which is crucial for security in graph-based applications, but it is incremental as it builds on existing verification techniques.
The paper tackles the problem of verifying adversarial robustness for graph neural networks (GNNs) by developing a method that uses efficient partial solvers instead of powerful constraint solvers, achieving improvements in structural robustness verification.
Graph neural networks (GNNs) are the predominant architecture for learning over graphs. As with any machine learning model, and important issue is the detection of adversarial attacks, where an adversary can change the output with a small perturbation of the input. Techniques for solving the adversarial robustness problem - determining whether such an attack exists - were originally developed for image classification, but there are variants for many other machine learning architectures. In the case of graph learning, the attack model usually considers changes to the graph structure in addition to or instead of the numerical features of the input, and the state of the art techniques in the area proceed via reduction to constraint solving, working on top of powerful solvers, e.g. for mixed integer programming. We show that it is possible to improve on the state of the art in structural robustness by replacing the use of powerful solvers by calls to efficient partial solvers, which run in polynomial time but may be incomplete. We evaluate our tool RobLight on a diverse set of GNN variants and datasets.