Robust Graph Neural Network Against Poisoning Attacks via Transfer Learning

by Xianfeng Tang, et al.
Penn State University

Graph neural networks (GNNs) are widely used in many applications. However, their robustness against adversarial attacks is criticized. Prior studies show that unnoticeable modifications of graph topology or nodal features can significantly reduce the performance of GNNs. It is very challenging to design robust graph neural networks against poisoning attacks, and several efforts have been made. Existing work aims at reducing the negative impact of adversarial edges using only the poisoned graph, which is sub-optimal since such methods fail to discriminate adversarial edges from normal ones. On the other hand, clean graphs from domains similar to that of the target poisoned graph are usually available in the real world. By perturbing these clean graphs, we create supervised knowledge to train the ability to detect adversarial edges so that the robustness of GNNs is elevated. However, this potential of clean graphs is neglected by existing work. To this end, we investigate a novel problem of improving the robustness of GNNs against poisoning attacks by exploring clean graphs. Specifically, we propose PA-GNN, which relies on a penalized aggregation mechanism that directly restricts the negative impact of adversarial edges by assigning them lower attention coefficients. To optimize PA-GNN for a poisoned graph, we design a meta-optimization algorithm that trains PA-GNN to penalize perturbations using clean graphs and their adversarial counterparts, and transfers such ability to improve the robustness of PA-GNN on the poisoned graph. Experimental results on four real-world datasets demonstrate the robustness of PA-GNN against poisoning attacks on graphs.




1. Introduction

Graph neural networks (GNNs) (Kipf and Welling, 2016; Defferrard et al., 2016; Hamilton et al., 2017), which explore the power of neural networks for graph data, have achieved remarkable results in various applications such as social recommendation (Fan et al., 2019) and natural language processing (Zhu et al., 2019a; Ji et al., 2019). The key to the success of GNNs is their signal-passing process (Wu et al., 2019c), where information from neighbors is aggregated for every node in each layer. The collected information enriches node representations, preserving both nodal feature characteristics and topological structure.

Though GNNs are effective for modeling graph data, the way that GNNs aggregate neighbor nodes’ information for representation learning makes them vulnerable to adversarial attacks (Zügner et al., 2018; Zügner and Günnemann, 2019; Dai et al., 2018; Wu et al., 2019b; Xu et al., 2019). A poisoning attack on a graph (Zügner et al., 2018), which adds/deletes carefully chosen edges to the graph topology or injects carefully designed perturbations to nodal features, can contaminate the neighborhoods of nodes, bring noise/errors to node representations, and degrade the performance of GNNs significantly. The lack of robustness becomes a critical issue for GNNs in many applications such as financial systems and risk management (Akoglu et al., 2015). For example, fake accounts created by a hacker can add friends with normal users on social networks to promote their scores predicted by a GNN model. A model that’s not robust enough to resist such “cheap” attacks could lead to serious consequences. Hence, it is important to develop robust GNNs against adversarial attacks. Recent studies of adversarial attacks on GNNs suggest that adding perturbed edges is more effective than deleting edges or adding noise to node features (Wu et al., 2019b). This is because node features are usually high-dimensional, requiring larger budgets to attack. Deleting edges only results in the loss of some information, while adding edges is a cheap way to contaminate information passing dramatically. For example, adding a few bridge edges connecting two communities can affect the latent representations of many nodes. Thus, we focus on defense against the more effective poisoning attacks in which a training graph is poisoned with injected adversarial edges.

To defend against the injected adversarial edges, a natural idea is to delete these adversarial edges or reduce their negative impacts. Several efforts have been made in this direction (Zhu et al., 2019b; Wu et al., 2019b; Jin et al., 2019). For example, Wu et al. (Wu et al., 2019b) utilize Jaccard similarity of features to prune perturbed graphs with the assumption that connected nodes have high feature similarity. RGCN in (Zhu et al., 2019b) introduces Gaussian constraints on model parameters to absorb the effects of adversarial changes. The aforementioned models only rely on the poisoned graph for training, leading to sub-optimal solutions. The lack of supervised information about real perturbations in a poisoned graph obstructs models from modeling the distribution of adversarial edges. Therefore, exploring alternative supervision for learning the ability to reduce the negative effects of adversarial edges is promising.

There usually exist clean graphs with similar topological distributions and attribute features to the poisoned graph. For example, Yelp and Foursquare have similar co-review networks where the nodes are restaurants and two restaurants are linked if the number of co-reviewers exceeds a threshold. Facebook and Twitter can be treated as social networks that share similar domains. It is not difficult to acquire similar graphs for the targeted perturbed one. As shown in existing work (Shu et al., 2018; Lee et al., 2017), because of the similarity of topological and attribute features, we can transfer knowledge from source graphs to target ones so that the performance on target graphs is elevated. Similarly, we can inject adversarial edges to clean graphs as supervisions for training robust GNNs, which are able to penalize adversarial edges. Such ability can be further transferred to improve the robustness of GNNs on the poisoned graph. Leveraging clean graphs to build robust GNNs is a promising direction. However, prior studies in this direction are rather limited.

Therefore, in this paper, we investigate a novel problem of exploring clean graphs for improving the robustness of GNNs against poisoning attacks. The basic idea is first learning to discriminate adversarial edges, thereby reducing their negative effects, then transferring such ability to a GNN on the poisoned graph. In essence, we are faced with two challenges: (i) how to mathematically utilize clean graphs to equip GNNs with the ability of reducing negative impacts of adversarial edges; and (ii) how to effectively transfer such ability learned on clean graphs to improve the robustness of GNNs on a poisoned graph. In an attempt to solve these challenges, we propose a novel framework Penalized Aggregation GNN (PA-GNN). Firstly, clean graphs are attacked by adding adversarial edges, which serve as supervisions of known perturbations. With these known adversarial edges, a penalized aggregation mechanism is then designed to learn the ability of alleviating negative influence from perturbations. We further transfer this negative effect alleviation ability to the target poisoned graph with a special meta-optimization approach, so that the robustness of GNNs is elevated. To the best of our knowledge, we are the first one to propose a GNN that can directly penalize perturbations and to leverage transfer learning for enhancing the robustness of GNN models. The main contributions of this paper are:

  • We study a new problem and propose a principled approach of exploring clean graphs for learning a robust GNN against poisoning attacks on a target graph;

  • We provide a novel framework PA-GNN, which is able to alleviate the negative effects of adversarial edges with carefully designed penalized aggregation mechanism, and transfer the alleviation ability to the target poisoned graph with meta-optimization;

  • We conduct extensive experiments on real-world datasets to demonstrate the effectiveness of PA-GNN against various poisoning attacks and to understand its behaviors.

The rest of the paper is organized as follows. We review related work in Section 2. We define our problems in Section 3. We introduce the details of PA-GNN in Section 4. Extensive experiments and their results are illustrated and analyzed in Section 5. We conclude the paper in Section 6.

2. Related Work

In this section, we briefly review related works, including graph neural networks, adversarial attack and defense on graphs.

2.1. Graph Neural Networks

In general, graph neural networks refer to all deep learning methods for graph data (Wu et al., 2019a). They can generally be categorized into two categories, i.e., spectral-based and spatial-based. Spectral-based GNNs define “convolution” following spectral graph theory (Bruna et al., 2013). The first generation of GCNs was developed by Bruna et al. (Bruna et al., 2013) using spectral graph theory. Various spectral-based GCNs were developed later on (Defferrard et al., 2016; Kipf and Welling, 2016; Henaff et al., 2015; Li et al., 2018). To improve efficiency, spatial-based GNNs are proposed to overcome this issue (Hamilton et al., 2017; Monti et al., 2017; Niepert et al., 2016; Gao et al., 2018). Because spatial-based GNNs directly aggregate neighbor nodes as the convolution, and are trained on mini-batches, they are more scalable than spectral-based ones. Recently, Veličković et al. (Veličković et al., 2017) propose the graph attention network (GAT), which leverages self-attention of neighbor nodes for the aggregation process. The major idea of GATs (Zhang et al., 2018) is focusing on the most important neighbors and assigning higher weights to them during the information passing. However, existing GNNs aggregate neighbors’ information for representation learning, making them vulnerable to adversarial attacks, especially perturbed edges added to the graph topology. Next, we review adversarial attack and defense methods on graphs.

2.2. Adversarial Attack and Defense on Graphs

Neural networks are widely criticized due to the lack of robustness (Goodfellow et al., 2014; Li et al., 2019; Chen et al., 2017; Cheng et al., 2018), and the same applies to GNNs. Various adversarial attack methods have been designed, showing the vulnerability of GNNs (Dai et al., 2018; Bojchevski and Günnemann, 2019; Chen et al., 2018). There are two major categories of adversarial attack methods, namely evasion attack and poisoning attack. Evasion attack focuses on generating fake samples for a trained model. Dai et al. (Dai et al., 2018) introduce an evasion attack algorithm based on reinforcement learning. On the contrary, poisoning attack changes training data, which can decrease the performance of GNNs significantly. For example, Zügner et al. (Zügner et al., 2018) propose nettack, which makes GNNs fail on any selected node by modifying its neighbor connections. They further develop metattack (Zügner and Günnemann, 2019), which reduces the overall performance of GNNs. Compared with evasion attacks, poisoning attack methods are usually stronger and can lead to an extremely low performance (Zügner et al., 2018; Zhu et al., 2019b), because of their destruction of training data. Besides, it is almost impossible to clean up a graph which is already poisoned. Therefore, we focus on defending against the poisoning attack of graph data in this paper.

How to improve the robustness of GNNs against adversarial poisoning attacks is attracting increasing attention and initial efforts have been made (Xu et al., 2019; Wu et al., 2019b; Zhu et al., 2019b; Jin et al., 2019). For example, Wu et al. (Wu et al., 2019b) utilize the Jaccard similarity of features to prune perturbed graphs with the assumption that connected nodes should have high feature similarity. RGCN in (Zhu et al., 2019b) adopts Gaussian distributions as the node representations in each convolutional layer to absorb the effects of adversarial changes in the variances of the Gaussian distributions. The basic idea of the aforementioned robust GNNs against poisoning attack is to alleviate the negative effects of the perturbed edges. However, perturbed edges are treated equally as normal edges during aggregation in existing robust GNNs.

The proposed PA-GNN is inherently different from existing works: (i) instead of purely trained on the poisoned target graph, adopting clean graphs with similar domains to learn the ability of alleviating negative effects of adversarial edges; and (ii) investigating meta-learning to transfer such ability to the target poisoned graph for improving the robustness.

3. Preliminaries

3.1. Notations

We use to denote a graph, where is the set of nodes, represents the set of edges, and indicates node features. In a semi-supervised setting, partial nodes come with labels and are defined as , where the corresponding label for node is denoted by . Note that the topology structure of is damaged, and the original clean version is unknown. In addition to the poisoned graph , we assume there exists clean graphs sharing similar domains with . For example, when is the citation network of publications in data mining field, a similar graph can be another citation network from physics. We use to represent clean graphs. Similarly, each clean graph consists of nodes and edges. We use to denote the labeled nodes in graph .

3.2. Basic GNN Design

We introduce the general architecture of a graph neural network. A graph neural network contains multiple layers. Each layer transforms its input node features to another Euclidean space as output. Different from fully-connected layers, a GNN layer takes first-order neighbors’ information into consideration when transforming the feature vector of a node. This “message-passing” mechanism ensures the initial features of any two nodes can affect each other even if they are faraway neighbors, along with the network going deeper. The input node features to the -th layer in an -layer GNN can be represented by a set of vectors , where corresponds to . Obviously, . The output node features of the -th layer, which also formulate the input to the next layer, are generated as follows:


where is the set of first-order neighbors of node , indicates a generic aggregation function on neighbor nodes, and is an update function that generates a new node representation vector from the previous one and messages from neighbors. Most graph neural networks follow the above definition. For example, Hamilton et al. (Hamilton et al., 2017) introduce mean, pooling and LSTM as the aggregation function; Veličković et al. (Veličković et al., 2017) leverage self-attention mechanism to update node representations. A GNN can be represented by a parameterized function where represents parameters, the loss function can be represented as . In semi-supervised learning, the cross-entropy loss function for node classification takes the form:


where is the predicted label generated by passing the output from the final GNN layer to a softmax function.

3.3. Problem Definition

With the aforementioned notations and definitions, the problem of exploring clean graphs for learning a robust GNN against poisoning attacks on a target graph is formally defined as: Given the target graph that is poisoned with adversarial edges, a set of clean graphs from similar domain as , and the partially labeled nodes of each graph (i.e., ), we aim at learning a robust GNN to predict the unlabeled nodes of . It is worth noting that, in this paper, we learn a robust GNN for semi-supervised node classification. The proposed PA-GNN is a general framework for learning robust GNN of various graph mining tasks such as link prediction.

4. Proposed Framework

Figure 1. Overall framework of PA-GNN. Thicker arrows indicate higher attention coefficients. denotes the model initialization from meta-optimization.

In this section, we give the details of PA-GNN. An illustration of the framework is shown in Figure 1. Firstly, clean graphs are introduced to generate perturbed edges. The generated perturbations then serve as supervised knowledge to train a model initialization for PA-GNN using meta-optimization. Finally, we fine-tune the initialization on the target poisoned graph for the best performance. Thanks to the meta-optimization, the ability to reduce negative effects of adversarial attack is retained after adapting to . In the following sections, we introduce technical details of PA-GNN.

4.1. Penalized Aggregation Mechanism

We begin by analyzing the reason why GNNs are vulnerable to adversarial attacks with the general definition of GNNs in Equation 1. Suppose the graph data fed into a GNN is perturbed, the aggregation function treats “fake” neighbors equally as normal ones, and propagates their information to update other nodes. As a result, GNNs fail to generate desired outputs under influence of adversarial attacks. Consequently, if messages passing through perturbed edges are filtered, the aggregation function will focus on “true” neighbors. In an ideal condition, GNNs can work well if all perturbed edges produced by attackers are ignored.

Motivated by the above analysis, we design a novel GNN with a penalized aggregation mechanism (PA-GNN), which automatically restricts the message-passing through perturbed edges. Firstly, we adopt a similar implementation from (Vaswani et al., 2017) and define the self-attention coefficient for node features of and on the -th layer using a non-linear function:


where and are parameters, represents the transposition, and indicates the concatenation of vectors. Note that coefficients are only defined for first-order neighbors. Take as an example, we only compute for , which is the set of direct neighbors of . The attention coefficients related to are further normalized among all nodes in for comparable scores:


We use normalized attention coefficient scores to generate a linear combination of their corresponding node features. The linear combination process serves as the aggregating process, and its results are utilized to update node features. More concretely, a graph neural network layer is constructed as follows:


A similar definition can be found in (Veličković et al., 2017). Clearly, the above design of GNN layer cannot discriminate perturbed edges, let alone alleviate their negative effects on the “message-passing” mechanism, because there is no supervision to teach it how to honor normal edges and punish perturbed ones. A natural solution to this problem is reducing the attention coefficients for all perturbed edges in a poisoned graph. Noticing the exponential rectifier in Equation 4, a lower attention coefficient only allows little information to pass through its corresponding edge, which mitigates negative effects if the edge is an adversarial one. Moreover, since normalized attention coefficient scores of one node always sum up to 1, reducing the attention coefficient for perturbed edges will also introduce more attention to clean neighbors. To measure the attention coefficients received by perturbed edges, we propose the following metric:


where is the total number of layers in the network, and denotes the perturbed edges. Generally, a smaller indicates less attention coefficients received by adversarial edges. To further train GNNs such that a lower is guaranteed, we design the following loss function to penalize perturbed edges:


where is a hyper-parameter controlling the margin between mean values of two distributions, represents normal edges in the graph, and computes the expectation. Using the expectation of attention coefficients for all normal edges as an anchor, aims at reducing the averaged attention coefficient of perturbed edges, until a certain discrepancy of between these two mean values is satisfied. Note that minimizing directly instead of will lead to unstable attention coefficients, making PA-GNN hard to converge. The expectations of attention coefficients are estimated by their empirical means:


where denotes the cardinality of a set. We combine with the original cross-entropy loss and create the following learning objective for PA-GNN:


where balances the semi-supervised classification loss and the attention coefficient scores on perturbed edges.

Training PA-GNN with the above objective directly is non-trivial, because it is unlikely to distinguish exact perturbed edges from normal edges in a poisoned graph. However, it is practical to discover vulnerable edges from clean graphs with adversarial attack methods on graphs. For example, metattack poisons a clean graph to reduce the performance of GNNs by adding adversarial edges, which can be treated as the set . Therefore, we explore clean graphs from domains similar to the poisoned graph. Specifically, as shown in Figure 1, we first inject perturbation edges to clean graphs using adversarial attack methods, then leverage those adversarial counterparts to train the ability to penalize perturbed edges. Such ability is further transferred to GNNs on the target graph, so that the robustness is improved. In the following section, we discuss how we transfer the ability to penalize perturbed edges from clean graphs to the target poisoned graph in detail.
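The penalized aggregation idea of this section as an added single-layer sketch in plain Python; it is not the authors' code. The toy graph, the feature vectors, the identity weight matrix, the finite-difference training loop and the exact penalty form (the negative gap between mean coefficients on normal and perturbed edges, capped at `margin`) are assumptions made for illustration, and the classification term of the objective is left out.

```python
import math

# Constructed toy graph (not from the paper): nodes 0-3 are ordinary accounts,
# nodes 4-5 are injected accounts with a different feature profile.
FEATURES = {0: [1.0, 0.0], 1: [1.0, 0.0], 2: [1.0, 0.0], 3: [1.0, 0.0],
            4: [0.0, 1.0], 5: [0.0, 1.0]}
NORMAL_EDGES = [(0, 1), (0, 2), (1, 2), (2, 3)]   # clean topology
PERTURBED_EDGES = [(0, 4), (3, 5)]                # known injected edges (supervision)


def directed(edges):
    """Messages flow both ways along every undirected edge."""
    return list(edges) + [(j, i) for i, j in edges]


def leaky_relu(x, slope=0.2):
    return x if x > 0 else slope * x


def coefficient(a, i, j):
    """Unnormalized attention a^T [h_i (+) h_j] through LeakyReLU (W = identity)."""
    concat = FEATURES[i] + FEATURES[j]
    return leaky_relu(sum(w * x for w, x in zip(a, concat)))


def normalized_attention(a):
    """Softmax of the coefficients over each node's first-order neighbours."""
    edges = directed(NORMAL_EDGES + PERTURBED_EDGES)
    alpha = {}
    for i in FEATURES:
        exps = {j: math.exp(coefficient(a, i, j)) for src, j in edges if src == i}
        total = sum(exps.values())
        alpha.update({(i, j): e / total for j, e in exps.items()})
    return alpha


def aggregate(a, i):
    """Layer output for node i: attention-weighted sum of neighbour features
    (output non-linearity omitted in this sketch)."""
    out = [0.0, 0.0]
    for (src, j), w in normalized_attention(a).items():
        if src == i:
            out = [o + w * x for o, x in zip(out, FEATURES[j])]
    return out


def mean_coefficient(a, edges):
    pairs = directed(edges)
    return sum(coefficient(a, i, j) for i, j in pairs) / len(pairs)


def penalty(a, margin):
    """Assumed form: -min(margin, mean over normal edges - mean over perturbed edges)."""
    gap = mean_coefficient(a, NORMAL_EDGES) - mean_coefficient(a, PERTURBED_EDGES)
    return -min(margin, gap)


def train(a, margin=1.0, lr=0.5, steps=50, eps=1e-4):
    """Gradient descent on the penalty alone, using central finite differences."""
    a = list(a)
    for _ in range(steps):
        grad = []
        for k in range(len(a)):
            hi = a[:k] + [a[k] + eps] + a[k + 1:]
            lo = a[:k] + [a[k] - eps] + a[k + 1:]
            grad.append((penalty(hi, margin) - penalty(lo, margin)) / (2 * eps))
        a = [w - lr * g for w, g in zip(a, grad)]
    return a


if __name__ == "__main__":
    start = [0.0, 0.0, 0.0, 0.0]
    learned = train(start)
    for name, a in (("untrained", start), ("trained", learned)):
        alpha = normalized_attention(a)
        print(name, "penalty=%.3f" % penalty(a, 1.0),
              "attention 0->4=%.3f" % alpha[(0, 4)],
              "node 0 output=", [round(x, 3) for x in aggregate(a, 0)])
```

On this constructed graph the attention node 0 pays to the injected node 4 falls from 1/3 to about 0.12 once the margin is met, and the freed weight moves to its clean neighbours because each node's normalized scores sum to 1.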

4.2. Transfer with Meta-Optimization

As discussed above, it is very challenging to train PA-GNN for a poisoned graph because the adversarial edge distribution remains unknown. We turn to exploit clean graphs from similar domains to create adversarial counterparts that serve as supervised knowledge. One simple solution to utilize them is pre-training PA-GNN on clean graphs with perturbations, which formulate the set of adversarial edges . Then the pre-trained model is fine-tuned on target graph purely with the node classification objective. However, the performance of pre-training with clean graphs and adversarial edges is rather limited, because graphs have different data distributions, making it difficult to equip GNNs with a generalized ability to discriminate perturbations. Our experimental results in Section 5.3 also confirm the above analysis.

In recent years, meta-learning has shown promising results in various applications (Santoro et al., 2016; Sung et al., 2017; Vinyals et al., 2016; Munkhdalai and Yu, 2017). The goal of meta-learning is to train a model on a variety of learning tasks, such that it can solve new tasks with a small amount or even no supervision knowledge (Hochreiter et al., 2001; Finn et al., 2017). Finn et al. (Finn et al., 2017) propose a model-agnostic meta-learning algorithm where the model is trained explicitly such that a small number of gradient steps and few training data from a new task can also produce good generalization performance on that task. This motivates us to train a meta model with a generalized ability to penalize perturbed edges (i.e., assign lower attention coefficients). The meta model serves as the initialization of PA-GNN, and its fast-adaptation capability helps retain such penalizing ability as much as possible on the target poisoned graph. To achieve the goal, we propose a meta-optimization algorithm that trains the initialization of PA-GNN. With manually generated perturbations on clean graphs, PA-GNN receives full supervision and its initialization preserves the penalizing ability. The model further fine-tuned on the poisoned graph is able to defend against adversarial attacks and maintain an excellent performance.

We begin with generating perturbations on clean graphs. The state-of-the-art adversarial attack method for graphs, metattack (Zügner and Günnemann, 2019), is chosen. Let represent the set of adversarial edges created for clean graph . Next, we define learning tasks for the meta-optimization. The learning objective of any task is defined in Equation 10, which aims at classifying nodes accurately while assigning low attention coefficient scores to perturbed edges on its corresponding graph. Let denote the specific task for . Namely, there are tasks in accordance with clean graphs. Because clean graphs are specified for every task, we use to denote the loss function of task . We then compile support sets and query sets for learning tasks. Labeled nodes from each clean graph are split into two groups: one for the support set and the other as the query set. Let and denote the support set and the query set for , respectively.

Given learning tasks, the optimization algorithm first adapts the initial model parameters to every learning task separately. Formally, becomes when adapting to . We use gradient descent to compute the updated model parameter . The gradient w.r.t is evaluated using on corresponding support set , and the initial model parameters are updated as follows:


where controls the learning rate. Note that only one gradient step is shown in Equation 11, but using multiple gradient updates is a straightforward extension, as suggested by (Finn et al., 2017). There are different versions of the initial model (i.e., ) constructed in accordance with learning tasks.

The model parameters are trained by optimizing for the performance of with respect to across all tasks. More concretely, we define the following objective function for the meta-optimization:


Because both classifying nodes and penalizing adversarial edges are considered by the objective of PA-GNN, model parameters will preserve the ability to reduce the negative effects from adversarial attacks while maintaining a high accuracy for the classification. Note that we perform meta-optimization over with the objective computed using the updated model parameters for all tasks. Consequently, model parameters are optimized such that a small number of gradient steps on a new task will produce maximally effective behavior on that task. The characteristic of fast-adaptation on new tasks would help the model retain the ability to penalize perturbed edges on , which is proved by the experimental results in Section 5.3.1. Formally, stochastic gradient descent (SGD) is used to update model parameters across tasks:


In practice, the above gradients are estimated using labeled nodes from query sets of all tasks. Our empirical results suggest that splitting support sets and query sets on-the-fly through iterations of the meta-optimization improves overall performance. We adopt this strategy for the training procedure of PA-GNN.

Training Algorithm. An overview of the training procedure of PA-GNN is illustrated in Algorithm 1. Adversarial edges are injected to clean graphs using metattack (Line 2 to 4). Support sets and query sets are randomly split on-the-fly for each task in Line 7. We then adapt initial model parameter to for each task . The model parameters are updated by optimizing for the performance of all w.r.t using labeled nodes from query sets (Line 11). Finally, we adapt the trained model initialization to the targeted poisoned graph by minimizing the classification loss on .

Input: and
Output: Model parameters
1 Randomly initialize ;
2 for  do
3       Select perturbed edge set with metattack;
5 end for
6 while not early-stop do
7       for  do
8             Split labeled nodes of into support set and ;
9             Evaluating with and ;
10             Compute adapted parameters with gradient descent: ;
12       end for
13      Update on with: ;
15 end while
Fine-tune on  use ;
Algorithm 1 The training framework of PA-GNN

5. Experiments

In this section, we conduct experiments to evaluate the effectiveness of PA-GNN. We aim to answer the following questions:

  • Can PA-GNN outperform existing robust GNNs under representative and state-of-the-art adversarial attacks on graphs?

  • How do the penalized aggregation mechanism and the meta-optimization algorithm contribute to PA-GNN?

  • How sensitive is PA-GNN to the hyper-parameters?

Next, we start by introducing the experimental settings followed by experiments on node classification to answer these questions.

5.1. Experimental Setup

5.1.1. Datasets.

To conduct comprehensive studies of PA-GNN, we conduct experiments under two different settings:

  • Same-domain setting: We sample the poisoned graph and clean graphs from the same data distribution. Two popular benchmark networks (i.e., Pubmed (Sen et al., 2008) and Reddit (Hamilton et al., 2017)) are selected as large graphs. Pubmed is a citation network where nodes are documents and edges represent citations; Reddit is compiled from where nodes are threads and edges denote that two threads are commented on by the same user. Both graphs build nodal features using averaged word embedding vectors (Mikolov et al., 2013) of documents/threads. We create desired graphs using sub-graphs of the large graph. Each of them is randomly split into 5 similar-size non-overlapping sub-graphs. One graph is perturbed as the poisoned graph, while the remaining ones are used as clean graphs.

  • Similar-domain setting: We put PA-GNN in real-world settings where graphs come from different scenarios. More concretely, we compile two datasets from Yelp Review, which contains points of interest (POIs) and user reviews from various cities in North America. Firstly, each city in Yelp Review is transformed into a graph, where nodes are POIs, nodal features are the averaged word-embedding vector (Pennington et al., 2014) of all reviews that a POI received, and binary labels are created to tell whether corresponding POIs are restaurants. We further define edges using co-reviews (i.e., reviews from the same author). Graphs from different cities have different data distributions because of the differences in tastes, culture, lifestyle, etc. The first dataset (Yelp-Small) contains four middle-scale cities including Cleveland, Madison, Mississauga, and Glendale, where Cleveland is perturbed as . The second dataset (Yelp-Large) contains the top-3 largest cities including Charlotte, Phoenix, and Toronto. Specifically, we inject adversarial edges to the graph from Toronto to validate the transferability of PA-GNN because Toronto is a foreign city compared with the others.

We itemize statistics of datasets in Table 1. We randomly select 10% of nodes for training, 20% for validation and the remainder for testing on all datasets (i.e., on ). 40% of the nodes from each clean graph are selected to build support and query sets, while the remaining ones are treated as unlabeled. Support sets and query sets are equally split on-the-fly randomly for each iteration of the meta-optimization (i.e., after is updated) to ensure the maximum performance.

                   Pubmed   Reddit   Yelp-Small   Yelp-Large
Avg. # of nodes      1061     3180         3426        15757
Avg. # of edges      2614    14950        90431       160893
# of features         500      503          200           25
# of classes            3        7            2            2

Table 1. Statistics of datasets

5.1.2. Attack Methods.

To evaluate how robust PA-GNN is under different attack methods and settings, three representative and state-of-the-art adversarial attack methods on graphs are chosen:

  • Non-Targeted Attack: Non-targeted attack aims at reducing the overall performance of GNNs. We adopt metattack (Zügner and Günnemann, 2019) for non-targeted attack, which is also a state-of-the-art adversarial attack method on graph data. We increase the perturbation rate (i.e., number of perturbed edges over all normal edges) from 0 to 30%, by a step size of 5% (10% for the Yelp-Large dataset due to the high computational cost of metattack). We use the setting with the best attack performance according to (Zügner and Günnemann, 2019).

  • Targeted Attack: Targeted attack focuses on misclassifying specific target nodes. nettack (Zügner et al., 2018) is adopted as the targeted attack method. Specifically, we first randomly perturb 500 nodes with nettack on the target graph, then randomly assign them to training, validation, and testing sets according to their proportions (i.e., 1:2:7). This creates a realistic setting since not all nodes will be attacked (hacked) in a real-world scenario, and perturbations can happen in training, validation and testing sets. We adopt the original setting for nettack from (Zügner et al., 2018).

  • Random Attack: Random attack randomly selects some node pairs and flips their connectivity (i.e., removes existing edges and connects non-adjacent nodes). It can be treated as injecting random noise into a clean graph. The ratio of the number of flipped edges to the number of clean edges varies from 0 to 100% with a step size of 20%.

We evaluate compared methods against the state-of-the-art non-targeted attack method metattack on all datasets. We analyze the performances against targeted attack on the Reddit and Yelp-Large datasets. For random attack, we compare each method on the Pubmed and Yelp-Small datasets as a complement. Consistent results are observed on the remaining datasets.

| Dataset | Ptb Rate (%) | 0 | 5 | 10 | 15 | 20 | 25 | 30 |
|---|---|---|---|---|---|---|---|---|
| Pubmed | GCN | 77.81±0.34 | 76.00±0.24 | 74.74±0.55 | 73.69±0.37 | 70.39±0.32 | 68.78±0.56 | 67.13±0.32 |
| | GAT | 74.28±1.80 | 70.19±1.59 | 69.36±1.76 | 68.79±1.34 | 68.29±1.53 | 66.35±1.95 | 65.47±1.99 |
| | PreProcess | 73.69±0.42 | 73.49±0.29 | 73.76±0.45 | 73.60±0.26 | 73.85±0.48 | 73.46±0.55 | 73.65±0.36 |
| | RGCN | 77.81±0.24 | 78.07±0.21 | 74.86±0.37 | 74.31±0.35 | 70.83±0.28 | 67.63±0.21 | 66.89±0.48 |
| | VPN | 77.92±0.93 | 75.83±1.14 | 74.03±2.84 | 74.31±0.93 | 70.14±1.26 | 68.47±1.11 | 66.53±1.09 |
| | PA-GNN | 82.92±0.13 | 81.67±0.21 | 80.56±0.07 | 80.28±0.25 | 78.75±0.17 | 76.67±0.42 | 75.47±0.39 |
| Reddit | GCN | 96.33±0.13 | 91.87±0.18 | 89.26±0.16 | 87.26±0.14 | 85.55±0.17 | 83.50±0.14 | 80.92±0.27 |
| | GAT | 93.81±0.35 | 92.13±0.49 | 89.88±0.60 | 87.91±0.45 | 85.43±0.61 | 83.40±0.39 | 81.27±0.38 |
| | PreProcess | 95.22±0.18 | 95.14±0.19 | 88.40±0.35 | 87.00±0.27 | 85.70±0.25 | 83.59±0.27 | 81.17±0.30 |
| | RGCN | 93.15±0.44 | 89.20±0.37 | 85.81±0.35 | 83.58±0.29 | 81.83±0.42 | 80.22±0.36 | 76.42±0.82 |
| | VPN | 95.91±0.17 | 91.95±0.17 | 89.03±0.28 | 86.97±0.15 | 85.38±0.24 | 83.49±0.29 | 80.85±0.28 |
| | PA-GNN | 95.80±0.11 | 94.35±0.33 | 92.16±0.49 | 90.74±0.56 | 88.44±0.20 | 86.60±0.17 | 84.45±0.34 |
| Yelp-Small | GCN | 87.27±0.31 | 74.54±0.98 | 73.44±0.35 | 73.30±0.83 | 72.16±0.88 | 69.70±0.90 | 68.55±0.85 |
| | GAT | 86.22±0.18 | 81.09±0.31 | 76.29±0.74 | 74.21±0.51 | 73.43±0.78 | 71.80±0.69 | 70.58±1.22 |
| | PreProcess | 86.53±0.97 | 82.89±0.33 | 73.52±1.59 | 72.99±0.68 | 71.72±0.99 | 70.38±0.62 | 69.31±1.32 |
| | RGCN | 88.19±0.31 | 79.70±0.69 | 77.25±2.12 | 75.85±1.31 | 75.65±0.33 | 74.71±0.21 | 73.30±2.95 |
| | VPN | 86.05±1.60 | 78.13±0.38 | 74.36±1.54 | 74.33±0.59 | 72.54±0.35 | 71.86±0.78 | 70.13±1.72 |
| | PA-GNN | 86.53±0.18 | 86.34±0.18 | 84.17±0.17 | 82.41±0.46 | 77.69±0.25 | 76.77±0.60 | 76.20±0.39 |
| Yelp-Large | GCN | 84.21±0.48 | - | 80.96±1.66 | - | 80.56±1.69 | - | 78.64±0.46 |
| | GAT | 84.73±0.22 | - | 81.25±0.36 | - | 79.82±0.42 | - | 77.81±0.39 |
| | PreProcess | 84.54±0.25 | - | 82.16±4.12 | - | 78.80±2.17 | - | 78.05±2.63 |
| | RGCN | 85.09±0.13 | - | 79.42±0.27 | - | 78.31±0.08 | - | 77.74±0.12 |
| | VPN | 84.36±0.23 | - | 82.77±0.25 | - | 80.64±2.41 | - | 79.22±2.32 |
| | PA-GNN | 84.98±0.16 | - | 84.66±0.09 | - | 82.71±0.29 | - | 81.48±0.12 |

Table 2. Node classification performance (Accuracy±Std) under non-targeted metattack (Zügner and Günnemann, 2019)

5.1.3. Baselines.

We compare PA-GNN with representative and state-of-the-art GNNs and robust GNNs. The details are:

  • GCN (Kipf and Welling, 2016): GCN is a widely used graph neural network. It defines graph convolution via spectral analysis. We adopt the most popular version from (Kipf and Welling, 2016).

  • GAT (Hamilton et al., 2017): As introduced in Section 2.1, GAT leverages multi-head self-attention to assign different weights to neighborhoods.

  • PreProcess (Wu et al., 2019b): This method improves the robustness of GNNs by removing existing edges whose connected nodes have low feature similarities. Jaccard similarity is used for sparse features and Cosine similarity is adopted for dense features.

  • RGCN (Zhu et al., 2019b): RGCN aims to defend against adversarial edges with Gaussian distributions as the latent node representation in hidden layers to absorb the negative effects of adversarial edges.

  • VPN (Jin et al., 2019): Different from GCN, parameters of VPN are trained on a family of powered graphs of . The family of powered graphs increases the spatial field of normal graph convolution, thus improves the robustness.

Note that PreProcess, RGCN and VPN are state-of-the-art robust GNNs developed to defend against adversarial attacks on graphs.
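
The random attack of Section 5.1.2 and the PreProcess baseline above can be exercised together on a small graph. The following is an added example, not code from the paper or from the PreProcess authors: the two-community graph, the feature sets, the 0.1 Jaccard threshold and all function names are constructed for illustration. It flips random node pairs, prunes low-similarity edges, and counts which injected edges the pruning catches and which it misses.

```python
import random

def random_flip(edges, n, ratio, rng):
    """Random attack (Sec. 5.1.2): flip connectivity of ratio * |edges| random pairs."""
    budget = min(round(ratio * len(edges)), n * (n - 1) // 2)
    poisoned, injected, seen = set(edges), set(), set()
    while len(seen) < budget:
        u, v = sorted(rng.sample(range(n), 2))
        if (u, v) in seen:
            continue
        seen.add((u, v))
        if (u, v) in edges:
            poisoned.discard((u, v))      # existing edge removed
        else:
            poisoned.add((u, v))          # non-adjacent pair connected
            injected.add((u, v))
    return poisoned, injected

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def prune_low_similarity(edges, feats, threshold):
    """PreProcess-style defence: keep only edges whose endpoints have similar features."""
    return {(u, v) for u, v in edges if jaccard(feats[u], feats[v]) >= threshold}

def build_demo(n=40, seed=0):
    """Constructed graph: two communities, each node drawing 6 of its community's 10 features."""
    rng, half = random.Random(seed), n // 2
    feats = [set(rng.sample(range(0, 10) if i < half else range(10, 20), 6))
             for i in range(n)]
    clean = set()
    for i in range(n):
        lo = 0 if i < half else half
        for j in rng.sample(range(lo, lo + half), 3):   # intra-community edges only
            if i != j:
                clean.add((min(i, j), max(i, j)))
    return rng, feats, clean

def evaluate(ratio=0.4, threshold=0.1, seed=0):
    rng, feats, clean = build_demo(seed=seed)
    poisoned, injected = random_flip(clean, len(feats), ratio, rng)
    kept = prune_low_similarity(poisoned, feats, threshold)
    removed = poisoned - kept
    return {
        "injected": len(injected),
        "caught": len(removed & injected),        # injected edges pruned
        "missed": sorted(injected & kept),        # injected edges that survive pruning
        "clean_lost": len(removed - injected),    # normal edges pruned by mistake
    }

if __name__ == "__main__":
    print(evaluate())
```

Every injected edge that survives joins two nodes of the same community, where feature similarity carries no signal; this is the limitation of purely similarity-based pruning that the comparison with PreProcess in Section 5.2.1 points to.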

5.1.4. Settings and Parameters.

We report the averaged results of 10 runs for all experiments. We deploy a multi-head mechanism (Vaswani et al., 2017) to enhance the performance of self-attention. We adopt metattack to generate perturbations on clean graphs. All hyper-parameters are tuned on the validation set to achieve the best performance. For a fair comparison, following a common way (Zhu et al., 2019b), we fix the number of layers to 2 and the total number of hidden units per layer to 64 for all compared models. We set to 1.0 and to 100 for all settings. Parameter sensitivity on and will be analyzed in Section 5.4. We perform 5 gradient steps to estimate as suggested by (Finn et al., 2017).

5.2. Robustness Comparison

To answer the first question, we evaluate the robustness of PA-GNN under various adversarial attack scenarios with comparison to baseline methods. We adopt semi-supervised node classification as our evaluation task as described in Section 5.1.4.

5.2.1. Defense Against Non-Targeted Attack.

We first conduct experiments under non-targeted attack on four datasets. Each experiment is conducted 10 times. The average accuracy with standard deviation is reported in Table 2. From the table, we make the following observations: (i) As illustrated, the accuracy of vanilla GCN and GAT decays rapidly when the perturbation rate goes higher, while other robust GNN models achieve relatively higher performance in most cases. This suggests the necessity of improving the robustness of GNN models; (ii) The preprocessing-based method shows consistent results on the Pubmed dataset with sparse features. However, it fails for other datasets. Because the feature similarity and neighbor relationship are often complementary, purely relying on feature similarity to determine perturbed edges is not a promising solution. On the contrary, PA-GNN aims at learning the ability to detect and penalize perturbations from data, which is more dynamic and reliable; (iii) Compared with RGCN, PA-GNN achieves higher performance under different scenarios. This is because PA-GNN successfully leverages clean graphs for improving the robustness. Moreover, instead of constraining model parameters with Gaussian distributions, PA-GNN directly restricts the attention coefficients of perturbed edges, which is more straightforward. The above observations articulate the efficacy of PA-GNN, which successfully learns to penalize perturbations thanks to the meta-optimization on clean graphs. Lastly, we point out that PA-GNN achieves slightly higher or comparable performance even if is clean (i.e., no adversarial edges), showing the advantage of the meta-optimization process.

5.2.2. Defense Against Targeted Attack

We further study how robust PA-GNN is under targeted attack. As shown in Table 3, PA-GNN outperforms all the compared methods under targeted attack, with approximately 5% performance improvements on both datasets compared with the second most accurate methods. This confirms the reliability of PA-GNN against targeted attack. Moreover, note that the perturbations of clean graphs are generated by metattack, which is a non-targeted adversarial attack algorithm. We conclude that PA-GNN does not rely on a specific adversarial attack algorithm to train the model initialization. The ability to penalize perturbations can be generalized to defend against other adversarial attacks. A similar conclusion can be drawn from the following experiments against random attack.

| Dataset | GCN | GAT | PreProcess | RGCN | VPN | PA-GNN |
|---|---|---|---|---|---|---|
| Reddit | 74.25±0.20 | 73.83±0.12 | 73.02±0.18 | 74.75±0.15 | 74.00±0.07 | 79.57±0.13 |
| Yelp-Large | 71.97±0.12 | 71.12±0.73 | 74.83±0.12 | 77.01±0.24 | 72.09±0.73 | 82.28±0.49 |

Table 3. Node classification accuracy under targeted attack.

5.2.3. Defense Against Random Attack.

Finally, we evaluate all compared methods against random attack. As shown in Figure 2, PA-GNN consistently out-performs all compared methods. Thanks to the meta-optimization process, PA-GNN successfully learns to penalize perturbations, and transfers such ability to the target graph with a different kind of perturbation. Besides, the low performance of GAT indicates the vulnerability of self-attention, which confirms the effectiveness of the proposed penalized aggregation mechanism.

Figure 2. Node classification accuracy under random attack. Panels: (a) Pubmed; (b) Yelp-Small.

| Ptb Rate (%) | 0 | 5 | 10 | 15 | 20 | 25 | 30 |
|---|---|---|---|---|---|---|---|
| | 95.25±0.81 | 92.17±0.23 | 90.45±0.72 | 88.72±0.61 | 86.66±0.18 | 84.68±0.52 | 81.53±0.34 |
| | 77.11±0.67 | 75.43±1.11 | 71.18±1.24 | 68.51±1.95 | 64.86±1.59 | 63.16±1.29 | 61.08±1.07 |
| | 96.72±0.09 | 91.89±0.14 | 89.79±0.24 | 87.56±0.25 | 85.41±0.17 | 83.88±0.35 | 82.14±0.38 |
| | 96.63±0.18 | 92.13±0.19 | 88.62±0.35 | 87.00±0.27 | 84.65±0.25 | 82.75±0.27 | 81.20±0.30 |
| PA-GNN | 95.80±0.11 | 94.35±0.33 | 92.16±0.49 | 90.74±0.56 | 88.44±0.20 | 86.60±0.17 | 84.45±0.34 |

Table 4. Node classification accuracy of ablations.

5.3. Ablation Study

To answer the second question, we conduct ablation studies to understand the penalized aggregation and meta-optimization algorithm.

| | Normal edges | Ptb. edges |
|---|---|---|
| W/o penalty | 12.63 | 12.80 |
| With penalty | 4.76 | 3.86 |

Table 5. Mean values of attention coefficients.

5.3.1. Varying the Penalized Aggregation Mechanism.

We analyze the effect of the proposed penalized aggregation mechanism from two aspects. Firstly, we propose , a variant of PA-GNN that removes the penalized aggregation mechanism by setting . We validate on the Reddit dataset, and its performance against different perturbation rates is reported in Table 4. As we can see, PA-GNN consistently out-performs by 2% of accuracy. The penalized aggregation mechanism limits negative effects from perturbed edges, which in turn improves the performance on the target graph. Secondly, we explore distributions of attention coefficients on the poisoned graph of PA-GNN with/without the penalized aggregation mechanism. Specifically, the normalized distributions of attention coefficients for normal and perturbed edges are plotted in Figure 3. We further report their mean values in Table 5. Without the penalized aggregation, perturbed edges obtain relatively higher attention coefficients. This explains how adversarial attacks hurt the aggregation process of a GNN. As shown in Figure 2(b), normal edges receive relatively higher attention coefficients through PA-GNN, confirming that the ability to penalize perturbations is transferable since PA-GNN is fine-tuned merely with the node classification objective. These observations reaffirm the effectiveness of the penalized aggregation mechanism and the meta-optimization algorithm, which successfully transfers the ability to penalize perturbations in the poisoned graph.

Figure 3. Distributions of attention coefficients in PA-GNN. Panels: (a) W/o penalized aggregation; (b) With penalized aggregation.

5.3.2. Varying the Meta-Optimization Algorithm.

Next, we study the contribution of the meta-optimization algorithm. As discussed in Section 4.2, three ablations are created accordingly: , , and . ignores clean graphs and relies on a second-time attack to generate perturbed edges. omits the meta-optimization process, training the model initialization on clean graphs and their adversarial counterparts jointly. We then fine-tune the initialization for using the classification loss . further simplifies by adding to the joint training step. Note that we remove for because detailed perturbation information is unknown for a poisoned graph. All three variants are evaluated on the Reddit dataset, and their performance is reported in Table 4.

performs the worst among all variations. Because perturbed edges from the adversarial attack can significantly hurt the accuracy, treating them as clean edges is not a feasible solution. , and slightly out-perform PA-GNN when is clean. This is not surprising since more training data can contribute to the model. However, their performance decreases rapidly as the perturbation rate rises. Because the data distribution of a perturbed graph is changed, merely aggregating all available data is not an optimal solution for defending against adversarial attacks. It is vital to design PA-GNN which leverages clean graphs from similar domains for improving the robustness of GNNs. At last, consistently out-performs , and in perturbed cases. shown advantages of the meta-optimization algorithm which utilizes clean graphs to train the model regardless of the penalized aggregation mechanism.

5.4. Parameter Sensitivity Analysis

We investigate the sensitivity of and for PA-GNN. controls the penalty of perturbed edges, while balances the classification objective and the penalized aggregation mechanism. Generally, a larger pull the distribution of perturbed edges farther away from that of normal edges. We explore the sensitivity on Pubmed and Reddit datasets, both with a 10% perturbation rate. We alter and among and , respectively. The performance of PA-GNN is illustrated in Figure 4. As we can see, the accuracy of PA-GNN is relatively smooth when parameters are within certain ranges. However, extremely large values of and result in low performances on both datasets, which should be avoided in practice. Moreover, increasing from 0 to 1 improves the accuracy on both datasets, demonstrating the proposed penalized aggregation mechanism can improve the robustness of PA-GNN.

Figure 4. Parameter sensitivity analysis. Panels: (a) Pubmed with 10% Ptb.; (b) Reddit with 10% Ptb.

6. Conclusion and Future Work

In this paper, we study a new problem of exploring extra clean graphs for learning a robust GNN against poisoning attacks on a target graph. We propose a new framework, PA-GNN, which leverages a penalized attention mechanism to learn the ability to reduce the negative impact of perturbations on clean graphs, and meta-optimization to transfer this ability to the target poisoned graph. Experimental results of node classification tasks demonstrate the efficacy of PA-GNN against different poisoning attacks such as targeted attack (metattack), non-targeted attack (nettack) and random attack. Further experiments are conducted to understand the contribution of the key components of PA-GNN and its parameter sensitivity. In the future, we would like to explore the potential of transfer learning for improving robustness on other models, such as community detection and graph classification.