A Survey of Adversarial Learning on Graphs (2003.05730v3)

Abstract: Deep learning models on graphs have achieved remarkable performance in various graph analysis tasks, e.g., node classification, link prediction, and graph clustering. However, they expose uncertainty and unreliability against the well-designed inputs, i.e., adversarial examples. Accordingly, a line of studies has emerged for both attack and defense addressed in different graph analysis tasks, leading to the arms race in graph adversarial learning. Despite the booming works, there still lacks a unified problem definition and a comprehensive review. To bridge this gap, we investigate and summarize the existing works on graph adversarial learning tasks systemically. Specifically, we survey and unify the existing works w.r.t. attack and defense in graph analysis tasks, and give appropriate definitions and taxonomies at the same time. Besides, we emphasize the importance of related evaluation metrics, investigate and summarize them comprehensively. Hopefully, our works can provide a comprehensive overview and offer insights for the relevant researchers. Latest advances in graph adversarial learning are summarized in our GitHub repository https://github.com/EdisonLeeeee/Graph-Adversarial-Learning.

• The paper provides a comprehensive review of adversarial attacks on graph neural networks, consolidating methodologies and metrics.
• It details key attack strategies, including gradient-based topology and feature perturbations, evaluated using metrics like ASR.
• The paper outlines robust defenses such as adversarial training and structure-based measures to enhance GNN resilience.

A Survey of Adversarial Learning on Graphs

The paper "A Survey of Adversarial Learning on Graphs" by Chen et al. presents a methodical review of adversarial learning applied to graph data structures, which notably covers adversarial attacks and defenses on Graph Neural Networks (GNNs). The paper addresses the vulnerabilities that arise when graph-based deep learning models meet with adversarially perturbed inputs, a scenario that has significantly drawn the interest of researchers in recent years.

Overview and Context

The survey highlights the susceptibility of GNNs to adversarial examples, defined as inputs intentionally designed to cause models to produce incorrect predictions. These adversarial threats have implications across multiple graph analysis tasks such as node classification, link prediction, and graph clustering. The authors suggest that despite extensive research efforts in this domain, the consolidation of existing definitions, methodologies, and metrics has been lacking—thus motivating their comprehensive review.

Attack Methods

Adversarial attacks on graphs are classified by several criteria including attacker's knowledge, goals, capabilities, strategy, and manipulation potential. Noteworthy methods involve gradient-based strategies that repurpose backpropagation techniques to identify perturbations capable of misleading the model with minimal changes to the graph structure or node attributes. Examples include topology and feature attacks which focus on altering the graph connections and node feature vectors respectively.

Key metrics like Attack Success Rate (ASR) and Classification Margin are employed to evaluate the effectiveness and efficiency of these attack strategies. The paper discusses notable contributions across diverse domains, such as social networks and recommendation systems, where adversarial threats manifest in real-world contexts.

Defense Mechanisms

On the defensive end, the paper classifies strategies into preprocessing-based, structure-based, adversarial-training-based, and objective-optimization-based defenses. A prominent approach is adversarial training which adapts models to be robust against adversarial perturbations by exposing them to adversarial samples during training. Structure-based defenses often revolve around architectural innovations in GNNs to improve their robustness intrinsically.

The review mentions the importance of attack detection, where models are equipped to identify potential adversarial inputs or certify node robustness. While emergent methods showcase promising results, challenges persist in devising scalable and effective defenses without disproportionately increasing computational overhead.

Metrics and Evaluation

The efficacy of both attacks and defenses is evaluated using a robust set of metrics including Accuracy, AUC, and more specialized measures like Average Modified Links (AML) and Robustness Merit (RM). These metrics provide a quantitative foundation to compare different methodologies meaningfully.

Implications and Future Directions

The implications of adversarial learning on graphs span both theoretical and practical dimensions. Theoretically, understanding these vulnerabilities pushes the development of more resilient model architectures. Practically, improved security in graph-based systems translates to enhanced reliability in application areas like fraud detection, cybersecurity, and beyond.

As future directions, the paper emphasizes the need for research into more unnoticeable attacks, efficient algorithms suitable for large-scale graphs, and defense strategies that generalize across various tasks. Additionally, the establishment of standardized metrics specifically tailored to graph-based adversarial scenarios can facilitate more consistent evaluation practices. The authors also encourage exploring certification methods to rigorously substantiate the robustness claims of defense models.

Conclusion

Chen et al.'s survey establishes a vital groundwork for ongoing research into adversarial learning on graphs. By collating existing knowledge, providing actionable taxonomies, and proposing pertinent open questions, this paper is positioned to guide future advancements in the security and efficacy of graph-based machine learning models.