TY - GEN
T1 - Jointly Attacking Graph Neural Network and its Explanations
AU - Fan, Wenqi
AU - Xu, Han
AU - Jin, Wei
AU - Liu, Xiaorui
AU - Tang, Xianfeng
AU - Wang, Suhang
AU - Li, Qing
AU - Tang, Jiliang
AU - Wang, Jianping
AU - Aggarwal, Charu
N1 - Funding Information:
The research described in this paper has been partly supported by NSFC (Project No. 62102335), an internal research fund from The Hong Kong Polytechnic University (Project No. P0036200, P0042693, and P0043302), a General Research Fund from the Hong Kong Research Grants Council (Project No. PolyU 15200021 and PolyU 15207322), and the Hong Kong Research Grants Council under RIF R5060-19. Han Xu, Wei Jin, Xiaorui Liu, and Jiliang Tang are supported by the National Science Foundation (NSF) under grant numbers IIS1714741, CNS1815636, IIS1845081, IIS1907704, IIS1928278, IIS1955285, IOS2107215, and IOS2035472, and the Army Research Office (ARO) under grant number W911NF-21-1-0198. Suhang Wang is supported by NSF under grant number IIS-1909702, ARO under grant W911NF21-1-0198, and Department of Homeland Security (DHS) CINA under grant E205949D.
Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Graph Neural Networks (GNNs) have boosted the performance of many graph-related tasks. Despite this great success, recent studies have shown that GNNs are still vulnerable to adversarial attacks, where adversaries can mislead GNNs' predictions by modifying graphs. On the other hand, GNN explanation methods (GnnExplainer for short) provide a better understanding of a trained GNN model by identifying a small subgraph and the features that are most influential for its prediction. In this paper, we first perform empirical studies to validate that GnnExplainer can act as an inspection tool and has the potential to detect adversarial perturbations on graphs. This finding motivates us to investigate a new problem: can a graph neural network and its explanations be jointly attacked by maliciously modifying graphs? Answering this question is challenging because the goals of adversarially attacking a GNN and bypassing the GnnExplainer essentially contradict each other. In this work, we give an affirmative answer to this question by proposing a novel attack framework (GEAttack) for graphs, which can attack both a GNN model and its explanations by exploiting their vulnerabilities simultaneously. To the best of our knowledge, this is the first effort to attack both GNNs and their explanations on graph-structured data toward the trustworthiness of GNNs. Comprehensive experiments on various real-world datasets demonstrate the effectiveness of the proposed method.
AB - Graph Neural Networks (GNNs) have boosted the performance of many graph-related tasks. Despite this great success, recent studies have shown that GNNs are still vulnerable to adversarial attacks, where adversaries can mislead GNNs' predictions by modifying graphs. On the other hand, GNN explanation methods (GnnExplainer for short) provide a better understanding of a trained GNN model by identifying a small subgraph and the features that are most influential for its prediction. In this paper, we first perform empirical studies to validate that GnnExplainer can act as an inspection tool and has the potential to detect adversarial perturbations on graphs. This finding motivates us to investigate a new problem: can a graph neural network and its explanations be jointly attacked by maliciously modifying graphs? Answering this question is challenging because the goals of adversarially attacking a GNN and bypassing the GnnExplainer essentially contradict each other. In this work, we give an affirmative answer to this question by proposing a novel attack framework (GEAttack) for graphs, which can attack both a GNN model and its explanations by exploiting their vulnerabilities simultaneously. To the best of our knowledge, this is the first effort to attack both GNNs and their explanations on graph-structured data toward the trustworthiness of GNNs. Comprehensive experiments on various real-world datasets demonstrate the effectiveness of the proposed method.
UR - http://www.scopus.com/inward/record.url?scp=85148766772&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85148766772&partnerID=8YFLogxK
U2 - 10.1109/ICDE55515.2023.00056
DO - 10.1109/ICDE55515.2023.00056
M3 - Conference contribution
AN - SCOPUS:85148766772
T3 - Proceedings - International Conference on Data Engineering
SP - 654
EP - 667
BT - Proceedings - 2023 IEEE 39th International Conference on Data Engineering, ICDE 2023
PB - IEEE Computer Society
T2 - 39th IEEE International Conference on Data Engineering, ICDE 2023
Y2 - 3 April 2023 through 7 April 2023
ER -