基于改进投影梯度下降算法的图卷积网络投毒攻击

doi:10.19678/j.issn.1000-3428.0063533

计算机工程 ›› 2022, Vol. 48 ›› Issue (10): 176-183. doi: 10.19678/j.issn.1000-3428.0063533

基于改进投影梯度下降算法的图卷积网络投毒攻击

金柯君¹, 于洪涛¹, 吴翼腾¹, 李邵梅¹, 操晓春²

1. 中国人民解放军战略支援部队信息工程大学信息技术研究所, 郑州 450000;
2. 中国科学院信息工程研究所信息安全国家重点实验室, 北京 100093

收稿日期:2021-12-15 修回日期:2022-02-18 发布日期:2022-03-21
作者简介:金柯君(1993—),男,硕士研究生,主研方向为人工智能安全;于洪涛(通信作者),研究员、博士、博士生导师;吴翼腾,博士;李邵梅,副研究员、博士;操晓春,教授、博士。
基金资助:
国家自然科学基金创新研究群体项目（61521003）；郑州市协同创新重大专项（162/32410218）。

Poisoning Attack on Graph Convolutional Network Based on Improved Projection Gradient Descent Algorithm

JIN Kejun¹, YU Hongtao¹, WU Yiteng¹, LI Shaomei¹, CAO Xiaochun²

1. Information Technology Research Institute, PLA Strategic Support Force Information Engineering University, Zhengzhou 450000, China;
2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China

Received:2021-12-15 Revised:2022-02-18 Published:2022-03-21

摘要/Abstract

摘要： 图神经网络在面对节点分类、链路预测、社区检测等与图数据处理相关的任务时，容易受到对抗性攻击的安全威胁。基于梯度的攻击方法具有有效性和高效性，被广泛应用于图神经网络对抗性攻击，高效利用攻击梯度信息与求取离散条件下的攻击梯度是攻击离散图数据的关键。提出基于改进投影梯度下降算法的投毒攻击方法。将模型训练参数看作与扰动相关的函数，而非固定的常数，在模型的对抗训练中考虑了扰动矩阵的影响，同时在更新攻击样本时研究模型对抗训练的作用，实现数据投毒与对抗训练两个阶段的结合。采用投影梯度下降算法对变量实施扰动，并将其转化为二进制，以高效利用攻击梯度信息，从而解决贪婪算法中时间开销随扰动比例线性增加的问题。实验结果表明，当扰动比例为5%时，相比Random、DICE、Min-max攻击方法，在Citeseer、Cora、Cora_ml和Polblogs数据集上图卷积网络模型被该方法攻击后的分类准确率分别平均降低3.27%、3.06%、3.54%、9.07%，在时间开销和攻击效果之间实现了最佳平衡。

关键词: 图卷积网络, 对抗性攻击, 投毒攻击, 投影梯度下降, 对抗训练

Abstract: Graph neural network is widely used in graph data processing-related tasks, such as node classification, link prediction, and community detection.However, it is susceptible to security threats from adversarial attacks.Gradient-based attack methods are widely used in graph neural network adversary attacks because of their effectiveness and efficiency.The efficient use of attack gradient information and the acquisition of the attack gradient under discrete conditions are key to obtain attack discrete graph data.This study proposes a poisoning attack method based on an improved Projection Gradient Descent(PGD) algorithm.Using the model training parameters as a function related to disturbance instead of a fixed constant, the effect of disturbance is considered in the model adversarial training, and the effect of model adversarial training is considered when updating the attack samples to realize the combination of data poisoning and adversarial training.The PGD algorithm is used to perturb the variables and convert them into binary such that the attack gradient information can be used effectively to solve the linear increase in the time cost with the disturbance ratio in the greedy algorithm.Experimental results show that when the disturbance ratio is 5%, compared with the performances of Random, DICE, Min-max, and other attack methods, on Citeseer, Cora, Cora_ml, and Polblogs datasets, the classification accuracy of a Graph Convolutional Network(GCN) model attacked by the proposed method reduced by 3.27%, 3.06%, 3.54%, and 9.07% on average, respectively, demonstrating the best balance between time overhead and attack effect.

Key words: Graph Convolutional Network(GCN), adversarial attack, poisoning attack, Projection Gradient Descent(PGD), adversarial training

中图分类号:

TP18

金柯君, 于洪涛, 吴翼腾, 李邵梅, 操晓春. 基于改进投影梯度下降算法的图卷积网络投毒攻击[J]. 计算机工程, 2022, 48(10): 176-183.

JIN Kejun, YU Hongtao, WU Yiteng, LI Shaomei, CAO Xiaochun. Poisoning Attack on Graph Convolutional Network Based on Improved Projection Gradient Descent Algorithm[J]. Computer Engineering, 2022, 48(10): 176-183.

http://www.ecice06.com/CN/Y2022/V48/I10/176

图/表 11

参考文献

[1] WU Z H, PAN S R, CHEN F W, et al.A comprehensive survey on graph neural networks[J].IEEE Transactions on Neural Networks and Learning Systems, 2021, 32(1):4-24.
[2] TANG J, QU M, MEI Q.PTE:predictive text embedding through large-scale heterogeneous text networks[C]//Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining.New York, USA:ACM Press, 2015:1165-1174.
[3] WANG S H, TANG J L, AGGARWAL C, et al.Linked document embedding for classification[C]//Proceedings of the 25th ACM International on Conference on Information and Knowledge Management.New York, USA:ACM Press, 2016:115-124.
[4] PEROZZI B, Al-RFOU R, SKIENA S.Deepwalk:online learning of social representations[EB/OL].[2021-11-10].https://arxiv.org/pdf/1403.6652.pdf.
[5] WANG S H, TANG J L, AGGARWAL C, et al.Signed network embedding in social media[C]//Proceedings of SIAM International Conference on Data Mining.Philadelphia, USA:Society for Industrial and Applied Mathematics, 2017:327-335.
[6] TIAN F, GAO B, CUI Q, et al.Learning deep representations for graph clustering[C]//Proceedings of the 28th AAAI Conference on Artificial Intelligence.[S.l.]:AAAI Press, 2014:1293-1299.
[7] ALLAB K, LABIOD L, NADIF M.A semi-NMF-PCA unified framework for data clustering[J].IEEE Transactions on Knowledge and Data Engineering, 2017, 29(1):2-16.
[8] DAI H J, LI H, TIAN T, et al.Adversarial attack on graph structured data[EB/OL].[2021-11-10].https://arxiv.org/pdf/1806.02371.pdf.
[9] ZÜGNER D, AKBARNEJAD A, GÜNNEMANN S.Adversarial attacks on neural networks for graph data[C]//Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining.New York, USA:ACM Press, 2018:2847-2856.
[10] WANG X Y, EATON J, HSIEH C J, et al.Attack graph convolutional networks by adding fake nodes[EB/OL].[2021-11-10].https://arxiv.org/pdf/1810.10751.pdf.
[11] 吴翼腾, 刘伟, 于溆乔.基于参数差异假设的图卷积网络对抗性攻击[J/OL].电子学报:1-13[2021-11-10].http://kns.cnki.net/kcms/detail/11.2087.TN.20211018.1732.002.html. WU Y T, LIU W, YU X Q.Adversarial attacks on graph convolution networks based on parameter discrepancy hypothesis[J/OL].Acta Electronica Sinica:1-13[2021-11-10].http://kns.cnki.net/kcms/detail/11.2087.TN.20211018.1732.002.html. (in Chinese)
[12] 吴翼腾, 刘伟, 于洪涛.图神经网络的标签翻转对抗攻击[J].通信学报, 2021, 42(9):65-74. WU Y T, LIU W, YU H T.Label flipping adversarial attack on graph neural network[J].Journal on Communications, 2021, 42(9):65-74.(in Chinese)
[13] 姜妍, 张立国.面向深度学习模型的对抗攻击与防御方法综述[J].计算机工程, 2021, 47(1):1-11. JIANG Y, ZHANG L G.Survey of adversarial attacks and defense methods for deep learning model[J].Computer Engineering, 2021, 47(1):1-11.(in Chinese)
[14] JIN W, LI Y X, XU H, et al.Adversarial attacks and defenses on graphs:a review and empirical study[EB/OL].[2021-11-10].https://arxiv.org/abs/2003.00653v2.
[15] CHEN L, LI J T, PENG J Y, et al.A survey of adversarial learning on graphs[EB/OL].[2021-11-10].https://arxiv.org/abs/2003.05730?.
[16] WU Y T, LIU W, HU X B, et al.Parameter discrepancy hypothesis:adversarial attack for graph data[J].Information Sciences, 2021, 577:234-244.
[17] LIN X X, ZHOU C, YANG H, et al.Exploratory adversarial attacks on graph neural networks[C]//Proceedings of IEEE International Conference on Data Mining.Washington D.C., USA:IEEE Press, 2020:1136-1141.
[18] XU K D, CHEN H G, LIU S J, et al.Topology attack and defense for graph neural networks:an optimization perspective[C]//Proceedings of the 28th International Joint Conference on Artificial Intelligence.New York, USA:ACM Press, 2019:3961-3967.
[19] 陈晋音, 张敦杰, 黄国瀚, 等.面向图神经网络的对抗攻击与防御综述[J].网络与信息安全学报, 2021, 7(3):1-28. CHEN J Y, ZHANG D J, HUANG G H, et al.Adversarial attack and defense on graph neural networks:a survey[J].Chinese Journal of Network and Information Security, 2021, 7(3):1-28.(in Chinese)
[20] SUN M J, TANG J, LI H C, et al.Data poisoning attack against unsupervised node embedding methods[EB/OL].[2021-11-10].https://arxiv.org/pdf/1810.12881.pdf.
[21] LIU S J, CHEPURI S P, FARDAD M, et al.Sensor selection for estimation with correlated measurement noise[J].IEEE Transactions on Signal Processing, 2016, 64(13):3509-3522.
[22] SEN P, NAMATA G, BILGIC M, et al.Collective classification in network data[J].AI Magazine, 2008, 29(3):93.
[23] MCCALLUM A, NIGAM K, RENNIE J D M, et al.Automating the construction of Internet portals with machine learning[J].Information Retrieval, 2000, 3(2):127-163.
[24] ADAMIC L A, GLANCE N.The political blogosphere and the 2004 US election:divided they blog[C]//Proceedings of the 3rd International Workshop on Link Discovery.New York, USA:ACM Press, 2005:36-43.
[25] WANIEK M, MICHALAK T P, WOOLDRIDGE M J, et al.Hiding individuals and communities in a social network[J].Nature Human Behaviour, 2018, 2(2):139-147.
[26] ZÜGNER D, GÜNNEMANN S.Adversarial attacks on graph neural networks via meta learning[EB/OL].[2021-11-10].https://arxiv.org/pdf/1902.08412.pdf.

选择文件类型/文献管理软件名称

选择包含的内容

基于改进投影梯度下降算法的图卷积网络投毒攻击

Poisoning Attack on Graph Convolutional Network Based on Improved Projection Gradient Descent Algorithm

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	马建红, 龚天, 姚爽. 基于证据句与图卷积网络的文档级关系抽取[J]. 计算机工程, 2023, 49(8): 104-110.
[2]	朱红, 牛浩然, 朱彤. 基于字词融合与对抗训练的行业人物实体识别[J]. 计算机工程, 2023, 49(5): 56-62.
[3]	陈文轩, 曾碧, 郭植星. 融合多特征与语义图卷积网络的摔倒检测方法[J]. 计算机工程, 2023, 49(5): 277-285,294.
[4]	陈昱瑾, 王晶, 武志昊, 赵耀帅, 林友芳. 基于图卷积网络融合群组关系的社会化推荐方法[J]. 计算机工程, 2023, 49(5): 112-121.
[5]	袁立宁, 胡皓, 刘钊. 基于多通道图卷积自编码器的图表示学习[J]. 计算机工程, 2023, 49(2): 150-160,174.
[6]	王曙燕, 郭睿涵, 孙家泽. 基于图对比学习的MOOC推荐方法[J]. 计算机工程, 2023, 49(1): 57-64,72.
[7]	俞莎莎, 牛保宁. 基于交易不可信度的比特币非法交易检测[J]. 计算机工程, 2022, 48(8): 166-172.
[8]	苗雨欣, 宋春花, 牛保宁, 康瑞雪. 双通道图协同过滤推荐算法[J]. 计算机工程, 2022, 48(8): 121-128.
[9]	冯思芸, 施振佺, 曹阳. 基于全局时空特性的城市路网交通速度预测模型[J]. 计算机工程, 2022, 48(5): 112-117.
[10]	车超, 刘迪. 基于双向对齐与属性信息的跨语言实体对齐[J]. 计算机工程, 2022, 48(3): 74-80.
[11]	胡彬, 王晓军, 张雷. 一种半监督对抗鲁棒模型无关元学习方法[J]. 计算机工程, 2022, 48(12): 112-118.
[12]	贺煜航, 刘棪, 陈刚. 基于自适应图卷积网络的心电图多标签分类模型[J]. 计算机工程, 2022, 48(12): 261-269.
[13]	王庆荣, 魏怡萌, 朱昌锋, 田可可. 基于时空图卷积网络的交通事故风险预测研究[J]. 计算机工程, 2022, 48(11): 22-29.
[14]	舒冲, 欧阳智, 杜逆索, 何庆, 魏琴. 基于改进图节点的图神经网络多跳阅读理解研究[J]. 计算机工程, 2022, 48(1): 99-104.
[15]	袁自勇, 高曙, 曹姣, 陈良臣. 基于异构图卷积网络的小样本短文本分类方法[J]. 计算机工程, 2021, 47(12): 87-94.

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于改进投影梯度下降算法的图卷积网络投毒攻击

Poisoning Attack on Graph Convolutional Network Based on Improved Projection Gradient Descent Algorithm

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献

相关文章 15

编辑推荐

Metrics

本文评价