CN117171639A - Deep clustering-based efficient adversarial attack method for graph neural networks


Publication number
CN117171639A
Authority
CN
China
Prior art keywords
node
graph
nodes
representations
clustering
Prior art date
Legal status
Pending
Application number
CN202311117521.0A
Other languages
Chinese (zh)
Inventor
关东海
李凝书
袁伟伟
Current Assignee
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics
Priority date
Filing date
Publication date
Application filed by Nanjing University of Aeronautics and Astronautics
Priority to CN202311117521.0A
Publication of CN117171639A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Graph neural networks have achieved great success in various graph tasks. However, studies have found that graph neural networks are vulnerable to adversarial attacks, so studying their robustness against such attacks is very important. Although existing work has made some progress on poisoning-node selection for graph adversarial attacks, existing methods use very limited graph data information and seldom cover topology modification and feature perturbation at the same time, which reduces the effectiveness of the attacks. The invention provides an adversarial attack method based on deep clustering, which fuses the topological information and attribute information of a graph to select more influential poisoning nodes and thereby improve the efficiency of the attack. The method first trains a coding framework to obtain node representations, learns a clustering algorithm from those representations to define importance scores for the nodes, and then ranks the nodes by score and selects representative nodes within the budget as poisoning nodes. Finally, limited feature perturbation is applied to the selected nodes according to the gradient.

Description

Deep clustering-based efficient adversarial attack method for graph neural networks
Technical Field
The invention relates to the fields of graph neural networks, node classification and adversarial attacks. An adversarial attack is a security threat to machine learning systems that aims to deceive a machine learning model and cause erroneous outputs by making minor but carefully crafted modifications to the input data.
Background
Graph neural networks (GNNs) are a class of deep learning methods designed for reasoning over graph data, and they achieve excellent performance in various practical applications such as text classification, recommendation systems and traffic prediction. The development of GNNs has prompted the widespread use of graph analysis in real-world tasks, namely node classification, graph classification, link prediction and community detection. However, existing work has shown that GNNs are very vulnerable to adversarial attacks, i.e. attacks that intentionally fool the model through slight, even human-imperceptible, modifications to the input graph. These imperceptible perturbations of the graph structure or node features can degrade the learned node representations, thereby degrading GNN performance in downstream tasks. Thus, adversarial attacks are of great importance for identifying vulnerabilities of graph-based models.
Existing research on graph adversarial attacks has focused mainly on graph modification attacks and graph injection attacks. Graph modification attacks directly modify the existing graph; they include graph structure attacks that modify edges, such as Nettack and PGD, and feature attacks that modify node features, such as GC-RWCS and InfMax-Unif. Graph injection attacks, such as AFGSM, TDGIA and HAO, add new malicious nodes without modifying the original graph. However, most existing attacks simply adopt a gradient-based optimization method and do not fully exploit the information in the graph data itself, which leaves considerable untapped potential for higher-performance attacks. Meanwhile, a considerable gap exists between existing attack settings and reality. It is unreasonable to assume that an attacker can change the input of a large fraction of the nodes, and even under budget constraints the effect of an attack is still not significant enough when only a small number of perturbations are made. For example, in real-world social networks an attacker typically has access to only a few bot accounts, and it is difficult for the attacker to compromise other accounts and change their attributes.
To address these problems, a deep-clustering-based feature adversarial attack, AGRC, is proposed on the basis of the graph structure attack GSAtk. The method fuses multi-view graph data information and improves the efficiency of the adversarial attack. The attack consists of two phases: 1) obtaining node representations that capture node attribute and structure information simultaneously, defining a new node metric using a clustering algorithm learned from these representations, and using the resulting scores to select nodes that are representative in both features and local structure; 2) changing the features of each selected node within the budget. The present invention focuses on the node selection strategy in the first phase. In particular, node representations carrying multi-view information are obtained by training a coding framework that combines an autoencoder with a graph convolutional network (GCN), and the importance score of a node is defined from the cluster center obtained by the clustering algorithm, the node's predicted category and the node degree.
Disclosure of Invention
The invention provides a feature adversarial attack method based on deep clustering; its architecture is shown in figure 1. The AGRC attack method comprises two steps, node selection and feature perturbation, and focuses on the node selection strategy. First, a coding framework consisting of an autoencoder and a GCN is constructed and trained, yielding node representations of the graph data. A clustering algorithm is then learned from these representations, so that importance scores of the nodes can be defined from the clustering results and the node degrees. Finally, feature perturbation is applied, according to domain knowledge, to the nodes selected by score within the budget.
1. Node selection
In a graph adversarial attack, the attacker wants the model to make as many errors as possible, so the choice of which nodes to perturb is very important. If the attacked nodes are selected randomly, budget may be wasted on useless nodes. For example, an attacker may repeatedly poison nodes in the same cluster that have very similar patterns, which is unnecessary. In order to make full use of the attack budget, it is proposed to select representative, distinct nodes in the graph as the poisoning nodes. One straightforward way to obtain representative nodes is to cluster the node features. However, this approach does not take into account the graph topology, which is critical for graph-structured data. Furthermore, learning an effective data representation is important for clustering. It is therefore proposed to use an encoder to obtain node representations for clustering; the strategy framework is shown in fig. 2.
In the present invention, for the sake of generality, a basic autoencoder is employed to learn representations of the raw data, so as to accommodate different types of data features. Let i index the layers, and assume that the autoencoder has L layers. The representation $H^{(i)}$ learned by layer i of the encoder can be expressed as:
where φ is the activation function of the fully connected layer, such as the ReLU or Sigmoid function, and the remaining two symbols are the weight matrix and the bias of the i-th layer in the encoder, respectively. In addition, X denotes the F-dimensional node features of the graph, and $H^{(0)}$ is the raw data X.
The encoder section is followed by a decoder section which reconstructs the input data through several fully connected layers, the formula of which is:
where the two parameters are the weight matrix and the bias of the i-th layer in the decoder, respectively.
The output of the decoder section is a reconstruction of the original data, which leads to the following objective function:
where N is the number of nodes in the graph. The autoencoder can learn useful representations from the data itself, e.g. $H^{(1)}, H^{(2)}, \ldots, H^{(L)}$, but it ignores the relationships between samples. The following therefore describes how the representations generated by the deep neural network (DNN) module are propagated using the GCN module, as shown in fig. 3. Once all the representations learned by the DNN module are integrated into the GCN, the representations learned by the GCN accommodate two different kinds of information, namely the data itself and the relationships between the data. In particular, with the weight matrix W, the representation $Z^{(i)}$ learned by the i-th layer of the GCN can be obtained by the following convolution operation:
where A is the binary adjacency matrix of the graph, and the other two matrices are the adjacency matrix of graph G with self-loops and the degree matrix. $W^{(i-1)}$ is the trainable weight matrix of layer i-1. As can be seen from equation 4, the representation $Z^{(i-1)}$ is propagated to obtain a new representation $Z^{(i)}$. Considering that the representation $H^{(i-1)}$ learned by the autoencoder can reconstruct the data itself and contains different valuable information, the two representations $Z^{(i-1)}$ and $H^{(i-1)}$ are combined: the representation learned by each DNN layer is passed to the corresponding GCN layer for information propagation, yielding a more complete and powerful representation, as follows:
where ε is a balance factor, here uniformly set to 0.5. In this way, a layer-by-layer connection of the autoencoder and the GCN is achieved. The combined representation is then used as the input to the i-th layer of the GCN to generate the representation $Z^{(i)}$:
The last layer of the GCN module is a multi-classification layer with softmax function:
With the above coding framework, node representations can be obtained that capture both attribute and structural information. Then, for each category, a K-Medoids clustering algorithm trained on the learned representations is used to select representative nodes. It is generally believed that nodes near the center point of each cluster are more representative. However, the node closest to the center point may have a higher degree. Malicious perturbation of a high-degree node may lead to significant degradation in predictive performance, as the negative effects may propagate to its neighbors, making the attack apparent. The present invention therefore proposes a metric that balances representativeness against the negative impact on predictive performance. Let the representation of node $v_i$ be $z_i$, and consider the center of the k-th cluster; then, for a node belonging to the k-th cluster, the metric score is calculated as follows:
where λ controls the contribution of node degree in node selection. After the score of each node is obtained, the highest-scoring nodes are selected up to the budget.
2. Feature perturbation
After the node selection step, it is also necessary to specify how to perturb the node features. The same small noise vector is added to the features of each attacked node:
Thus, the goal of the attacker is to find a perturbation vector η that misleads the classification of the model. In a practical scenario, η should be designed using domain knowledge about the classification task, without access to the GNN model. Since the features in the benchmark datasets lack semantics, domain knowledge must be simulated. The invention proposes perturbing the features with the largest loss gradient among the feature vectors of the selected nodes. Formally, for j = 1, 2, ..., F, a constant perturbation $\eta \in \mathbb{R}^F$ is constructed:
where c represents the model prediction or the ground-truth label, f is the trained model, and the loss function is the one intended to be optimized. β is the modification amplitude and J is the number of modified features. Only limited gradient information is used here: by averaging the gradients across all nodes, only a few important features and the binary perturbation direction of each selected feature are determined at the global level. It is assumed that such coarse information is typically available from domain knowledge of the classification task. The perturbation amplitude of each feature is fixed to a constant β, independent of the model. Furthermore, the same perturbation vector is added to the features of all selected nodes, and the construction of the perturbation is completely independent of the selected nodes.
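A defender-side check that follows from the property stated above (one sparse, fixed-amplitude vector added unchanged to every selected node), given here as an added example that is not part of the patent. It assumes a trusted earlier snapshot of the node features is available; the function names, thresholds and sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: 7 nodes with 6 features each (trusted earlier snapshot).
BASELINE = {
    0: [0.2, 0.0, 1.0, 0.4, 0.0, 0.3],
    1: [0.1, 0.3, 0.0, 0.9, 0.5, 0.0],
    2: [0.7, 0.2, 0.2, 0.1, 0.0, 0.6],
    3: [0.0, 0.8, 0.5, 0.5, 0.1, 0.1],
    4: [0.3, 0.1, 0.4, 0.6, 0.2, 0.9],
    5: [0.9, 0.4, 0.3, 0.0, 0.7, 0.2],
    6: [0.5, 0.6, 0.1, 0.8, 0.3, 0.4],
}
# Constructed shared vector: two features moved by the same amplitude.
ETA = [0.0, 0.5, 0.0, -0.5, 0.0, 0.0]


def build_current():
    """Constructed 'current' snapshot: three nodes carry ETA, one changed organically."""
    current = {n: list(x) for n, x in BASELINE.items()}
    for n in (1, 4, 6):
        current[n] = [v + e for v, e in zip(current[n], ETA)]
    current[2][0] += 0.1  # unrelated single-node change
    return current


def delta_signature(before, after, tol=1e-6, ndigits=6):
    """Sparse signature of one node's change: ((feature_index, delta), ...)."""
    return tuple(
        (j, round(a - b, ndigits))
        for j, (b, a) in enumerate(zip(before, after))
        if abs(a - b) > tol
    )


def find_shared_perturbations(baseline, current, min_nodes=3, max_features=None):
    """Report groups of nodes whose features moved by exactly the same sparse vector."""
    groups = defaultdict(list)
    for node, before in baseline.items():
        after = current.get(node)
        if after is None or len(after) != len(before):
            continue  # removed node or changed schema: not handled by this check
        sig = delta_signature(before, after)
        if sig:
            groups[sig].append(node)
    findings = []
    for sig, nodes in groups.items():
        if len(nodes) < min_nodes:
            continue
        if max_features is not None and len(sig) > max_features:
            continue  # keep only sparse deltas (few modified features)
        magnitudes = {abs(d) for _, d in sig}
        findings.append({
            "nodes": sorted(nodes),
            "features": [j for j, _ in sig],
            "directions": [1 if d > 0 else -1 for _, d in sig],
            "constant_magnitude": len(magnitudes) == 1,  # one fixed amplitude
            "magnitude": max(magnitudes),
        })
    findings.sort(key=lambda f: len(f["nodes"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_shared_perturbations(BASELINE, build_current(), max_features=3):
        print(finding)
```

Legitimate bulk updates can produce the same signature, so a hit is a lead for triage rather than a verdict.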
Detailed Description
The overall framework of the invention is shown in fig. 1, and the implementation flow is as follows:
(1) The coding framework is constructed and trained as in fig. 3, yielding node representations of the graph data.
(2) A clustering algorithm is learned from the node representations, and importance scores of the nodes are defined from the clustering results and the node degrees. The nodes are sorted by score and representative nodes are selected as poisoning nodes, as in fig. 2.
(3) Limited feature perturbation is applied to the selected nodes according to the gradient.
(4) The original graph is updated, and the node classification accuracy is calculated.

Claims (3)

1. The method is characterized in that it fuses graph topology information and attribute information to select more influential poisoning nodes so as to improve the efficiency of the attack, and the attack comprises two stages: 1) obtaining node representations that capture node attribute and structure information simultaneously, defining a new node metric using a clustering algorithm learned from these representations, and using the resulting scores to select nodes that are representative in both features and local structure; 2) changing the features of each selected node within the budget; in particular, node representations carrying multi-view information are obtained by training a coding framework that combines an autoencoder with a graph convolutional network (GCN), and the importance score of a node is defined from the cluster center obtained by the clustering algorithm, the node's predicted category and the node degree.
2. The adversarial attack method according to claim 1, further characterized by a new node selection strategy having the following steps:
(1) learning node representations of the raw data using a basic autoencoder, so as to accommodate different types of data features, where φ is the activation function of the fully connected layer, and the remaining two symbols are respectively the weight matrix and the bias of the l-th layer in the encoder;
(2) using the GCN module to propagate the representations generated by the autoencoder module, integrating the representations learned by the autoencoder into the GCN, i.e. passing the representation learned by each DNN layer to the corresponding GCN layer for information propagation, yielding a more complete and powerful representation, wherein ε is a balance coefficient, uniformly set to 0.5; the combined representation is then used as the input to the l-th layer of the GCN to generate the representation $Z^{(l)}$, wherein A is the binary adjacency matrix of the graph, the other two matrices are the adjacency matrix of graph G with self-loops and the degree matrix, and $W^{(l-1)}$ is the trainable weight matrix of layer l-1;
(3) then, for each category, clustering the nodes using a K-Medoids clustering algorithm trained on the learned representations;
(4) defining an importance score for each node from the cluster center obtained by the clustering algorithm, the node's predicted category k and the node degree deg(·), and selecting representative nodes as poisoning nodes by means of the score, wherein the representation of node $v_i$ is $z_i$ and λ controls the contribution of node degree in node selection.
3. The graph adversarial attack method according to claim 1, further characterized in that feature perturbation is applied, according to domain knowledge, to the nodes selected by score within the budget, with a perturbation vector defined as:
where c represents the model prediction or the ground-truth label, f is the trained model, the loss function is the one intended to be optimized, β is the modification amplitude and J is the number of modified features; limited gradient information is used here: by averaging the gradients across all nodes, only a few important features, and the binary perturbation direction of each selected feature, are determined at the global level.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311117521.0A CN117171639A (en) 2023-08-31 2023-08-31 Deep clustering-based efficient adversarial attack method for graph neural networks


Publications (1)

Publication Number Publication Date
CN117171639A (en) 2023-12-05

Family

ID=88940516

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311117521.0A Pending CN117171639A (en) 2023-08-31 2023-08-31 Deep clustering-based efficient adversarial attack method for graph neural networks

Country Status (1)

Country Link
CN (1) CN117171639A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination