网络与信息安全学报 ›› 2021, Vol. 7 ›› Issue (3): 1-28.doi: 10.11959/j.issn.2096-109x.2021051
• 专栏Ⅰ:神经网络技术应用 • 下一篇
陈晋音1,2, 张敦杰2, 黄国瀚2, 林翔2, 鲍亮3
修回日期:
2020-10-09
出版日期:
2021-06-15
发布日期:
2021-06-01
作者简介:
陈晋音(1982- ),女,浙江象山人,博士,浙江工业大学副教授,主要研究方向为人工智能安全、图数据挖掘和进化计算基金资助:
Jinyin CHEN1,2, Dunjie ZHANG2, Guohan HUANG2, Xiang LIN2, Liang BAO3
Revised:
2020-10-09
Online:
2021-06-15
Published:
2021-06-01
Supported by:
摘要:
面向已有的图神经网络的攻击与防御方法,较全面地综述了图神经网络对抗攻防技术与鲁棒性分析。首先,综述了图神经网络在不同任务下的对抗攻击与基于不同策略的防御方法,并全面介绍了鲁棒性分析技术;随后,介绍了常用的基准数据集与评价指标;最后,提出了未来可能的研究方向和发展趋势。
中图分类号:
陈晋音, 张敦杰, 黄国瀚, 林翔, 鲍亮. 面向图神经网络的对抗攻击与防御综述[J]. 网络与信息安全学报, 2021, 7(3): 1-28.
Jinyin CHEN, Dunjie ZHANG, Guohan HUANG, Xiang LIN, Liang BAO. Adversarial attack and defense on graph neural networks: a survey[J]. Chinese Journal of Network and Information Security, 2021, 7(3): 1-28.
表1
常用符号及定义Table 1 Definition of common symbols"
符号 | 定义 | 符号 | 定义 | 符号 | 定义 |
原始图集合 | G | 原始图 | V | 节点集合 | |
E | 连边集合 | 节点特征矩阵 | 邻接矩阵 | ||
M | 图数量 | N | 节点数量 | D | 节点特征维度 |
标记图集合 | VL | 标记节点集合 | EL | 标记连边集合 | |
ei ,j | 节点vi与vj间的连边 | Yn | n的类标 | yn | 节点n的类标 |
Ii ,j | 连边ei,j 的类标 | C | 社团集合 | 目标实例集合 | |
τi | 目标实例 | ci | 目标实例类标 | 特征集合 | |
共同出现的特征矩阵 | f | 神经网络模型 | 防御模型 | ||
损失函数 | 训练损失函数 | 目标攻击损失函数 | |||
受扰动后的图 | 受扰动后的节点特征 | 受扰动后的邻接矩阵 | |||
连边梯度矩阵 | K | 修改连边数 | H | 隐藏层中的特征映射数 | |
Δ | 扰动代价 | Z | 节点嵌入表示 | 0范数 |
表2
对抗攻击算法分类Table 2 The classification of adversarial attack algorithm"
任务分类 | 攻击方法 | 攻击背景 | 扰动类型 | 原理 | 攻击目标 |
NETTACK | 灰盒 | 修改连边/修改特征 | 基于数据特征修改连边/特征 | GCN/CLN/DeepWalk | |
RL-S2V | 黑盒 | 修改连边 | 基于强化学习修改连边 | GNN | |
FGA | 白盒 | 修改连边 | 根据模型梯度信息修改连边 | GCN/Deepwalk/Node2vec/LINE | |
Greedy-GAN | 白盒 | 添加节点 | 利用GAN[ | GCN | |
ADW | 黑盒 | 修改连边 | 利用矩阵摄动理论进行连边翻转 | GCN/Node2vec/DeepWalk | |
Metattack | 灰盒 | 修改连边 | 通过元梯度来构造攻击 | GNN/CLN/DeepWalk | |
Manipulating | 白盒 | 修改连边 | 基于图的优化问题修改连边 | DeepWalk/GCN/LINE/LBP/JW/LinBP | |
节点分类 | DAGAER | 白盒 | 修改特征 | 基于编码器-解码器框架修改特征 | GCN |
IG-FGSM/JSMA | 白盒 | 修改连边/修改特征 | 根据模型梯度信息修改连边与特征 | GCN | |
梯度投影攻击 | 白盒 | 修改连边 | 根据模型梯度信息修改连边 | GCN | |
GF-Attack | 黑盒 | 修改连边 | 基于近似的图滤波器和属性构造攻击 | Network Emebdding | |
ReWatt | 黑盒 | 重布线 | 基于强化学习,重新布线 | GCN | |
NIPA | 灰盒 | 添加节点 | 基于强化学习向网络中添加虚假节点 | GCN | |
GUA | 白盒 | 修改连边 | 利用梯度迭代寻找攻击向量翻转连边 | GCN/DeepWalk/Node2vec/GAT | |
POISONPROBE | 白盒 | 修改特征 | 基于梯度,攻击中毒效率分数最高的非直接邻居的节点特征 | GCN | |
MGA | 白盒 | 重布线 | 在基于梯度的迭代过程中加入动量项 | GCN/DeepWalk/Node2vec | |
Triads Attack | 白盒 | 修改连边 | 基于图结构的邻居评分与启发式算法增加或删除连边,降低连边相似性 | similarity metrics | |
IGA | 白盒 | 修改连边 | 根据模型梯度信息修改连边 | GAE | |
链路预测 | Opt-attack | 白盒 | 修改连边 | 基于一阶KKT条件和投影梯度下降构造攻击 | Network Emebdding |
Approx-Local | 白盒 | 修改连边 | 删除有限子集的连边,以最小化一组目标链路的总加权相似度得分 | Local/Global similarity metrics | |
TGA | 白盒 | 重布线 | 根据模型梯度信息重布线 | Deep dynamic network embedding model | |
RL-S2V | 黑盒 | 修改连边 | 基于强化学习修改连边 | GNN | |
图分类 | 多层次图池化神经网络攻击 | 白盒 | 修改特征/修改连边 | 基于梯度攻击图池化层保留的节点 | SAG/ HGP-SL |
PA后门攻击 | 黑盒 | 修改连边 | 生成随机子图进行后门攻击 | GIN | |
GTA | 黑盒 | 修改特征/修改连边 | 为每个图生成自适应的子图进行后门攻击 | GCN/GraphSAGE/GAT | |
FGA | 白盒 | 修改连边 | 根据模型梯度信息修改连边 | GCN/Deepwalk/Node2vec/LINE | |
Q-Attack | 白盒 | 重布线 | 基于遗传算法,重新布线 | Community Detectior | |
EPA | 白盒 | 修改连边 | 基于遗传算法修改连边 | Community Metrics | |
社区检测 | EDA | 白盒 | 修改连边 | 基于遗传算法(GA)的欧几里得距离攻击策略(EDA)修改连边 | HOPE/LPA/EM/DeepWalk |
MGA | 白盒 | 重布线 | 在基于梯度的迭代过程中加入动量项 | Community Detectior | |
CD-ATTACK | 黑盒 | 修改连边 | 利用图自编码作为生成器生成不明显的扰动,代理算法对扰动加以限制 | Surrogate community detection model | |
DICE | 白盒 | 重布线 | 利用启发式算法,删除部分连边,随后通过添加连边恢复其影响力 | Community Detectior |
表3
防御方法分类Table 3 The classification of defense methods"
防御策略 | 防御方法 | 任务 | 原理 | 方式 | 目标模型 |
随机防御 | 节点分类 | 在训练期间随机丢弃一些连边 | 修改图结构 | GNN | |
BVAT | 节点分类 | 通过对远离彼此的节点子集或所有节点产生虚拟的对抗性扰动来提高GCN分类器的平滑性 | 修改模型 | GCN | |
GCN-GATV | 节点分类 | 通过最大化图虚拟对抗正则化器生成对抗样本 | 修改图结构 | GCN | |
对抗训练 | Global/TargetAT/平滑防御 | 节点分类 | 针对全局/目标的对抗攻击进行对抗训练,用平滑蒸馏和平滑交叉熵损失函数实现梯度平滑 | 修改模型 | GNN |
S/DVAT | 节点分类 | 将基于标记和未标记数据的虚拟对抗训练应用在GCN的损失函数上,进行虚拟对抗训练 | 修改模型 | GCN | |
GraphDefense | 节点分类 | 利用原始分类器为未类标数据做出预测类标,使用所有节点进行对抗训练 | 修改模型 | GCN | |
对抗性扰动检测 | KL散度检测 | 节点分类 | 通过计算节点及其邻域的 softmax 概率之间的 KL 散度的平均值来衡量差异 | 修改图结构 | GCN, GAT |
GraphSAC | 异常检测 | 随机绘制节点子集,并依赖于图形感知标准,过滤掉被异常节点污染的集 | 修改图结构 | 异常模型 | |
启发式防御 | IDOpt/Rank | 链路预测 | 将防御者和攻击者之间的交互建模为一个非零和的贝叶斯Stackelberg博弈 | 修改模型 | 基于相似度的链路预测模型 |
图纯化防御 | Low-Rank Defense | 节点分类 | 对图进行低秩逼近(用顶部奇异分量进行重构) | 修改图结构 | GCN |
注意力机制 | PA-GNN | 节点分类 | 限制通过扰动连边的消息传递,使聚合函数更加专注于真实邻居节点 | 修改模型 | GNN |
RGCN | 节点分类 | 使用高斯分布作为图卷积层中节点的隐藏表示,并根据它们的方差为邻居节点分配注意力权重 | 修改模型 | GCN | |
VPN | 节点分类 | 使用可变功率算子代替Laplacian算子 | — | GCN | |
CRIAGE | 链路预测 | 识别要在知识图中添加或删除的事实,模型经过重新训练后改变对目标事实的预测 | 知识图嵌入 | ||
AGCN | 节点分类 | 通过抖动(增加或删除)连边并选择概率来增强GCN的鲁棒性 | — | GCN | |
鲁棒性分析 | 具有径向基函数核的SVM | 节点分类 | 将节点的属性附加到表示节点的欧几里得向量上而获得增强节点特征向量 | — | GCN |
可训练邻接矩阵 | 节点分类 | 通过在训练过程中学习到选定的连边的权重来充分修改图结构 | 修改图结构 | GCN | |
Pro-GNN | 节点分类 | 通过保持图的低秩性、稀疏性和特征光滑性,迭代地重构干净图并优化GNN参数 | 修改图结构/修改模型 | GNN |
表4
数据集内容Table 4 The details of datasets"
类别 | 任务 | 数据集 | 来源 | 图数量 | 节点数 | 连边数 | 特征数 | 类标数 |
NC/LP | Cora | 文献[ | 1 | 2 708 | 5 429 | 1,433 | 7 | |
NC | Cora-ML | 文献[ | 1 | 2 995 | 8 416 | 2,879 | 3 | |
引文网络数据集 | NC/LP | Citeseer | 文献[ | 1 | 3 327 | 4 732 | 3,703 | 6 |
NC | Pubmed | 文献[ | 1 | 19 717 | 44 338 | 500 | 3 | |
NC/CD | DBLP | 文献[ | 1 | 4 107 340 | 36 624 464 | — | — | |
NC/LP | PolBlogs | 文献[ | 1 | 1 490 | 19 025 | — | 2 | |
NC | 文献[ | 1 | 232 965 | 11 606 919 | 602 | 41 | ||
NC/LP | 文献[ | 1 | — | — | — | — | ||
社交网络数据集 | NC/CD | Google+ | 文献[ | 1 | 107614 | 13 673 453 | — | — |
CD | 文献[ | 1 | 1 005 | 25 571 | — | — | ||
CD | Dolphin | 文献[ | 1 | 62 | 159 | — | — | |
CD | Karate | 文献[ | 1 | 34 | 78 | — | — | |
CD | Football | 文献[ | 1 | 115 | 613 | — | — | |
GC | ENZYMES | 文献[ | 600 | 32.63 | 62.14 | 18 | 6 | |
GC | NCI-1 | 文献[ | 4 110 | 29.87 | 32.30 | 37 | 2 | |
生物-化学数据集 | GC | MUTAG | 文献[ | 188 | 17.93 | 19.79 | 7 | 2 |
GC | D&D | 文献[ | 1 178 | 284.31 | 715.65 | 82 | 2 | |
GC | PROTEIN | 文献[ | 1 113 | 39.06 | 72.81 | 4 | 2 | |
GC | PTC | 文献[ | 344 | 25.5 | — | 19 | 2 | |
注:NC(node classification);LP(link prediction);CD(community detection);GC(graph classification) |
[1] | DENG L , LIU Y . A joint introduction to natural language processing and to deep learning[C]// Deep Learning in Natural Language Processing. Springer,Singapore, 2018: 1-22. |
[2] | COLLOBERT R , WESTON J , BOTTOU L ,et al. Natural language processing (almost) from scratch[J]. Journal of Machine Learning Research, 2011,12(8): 2493-2537. |
[3] | XIONG W , DROPPO J , HUANG X ,et al. Achieving human parity in conversational speech recognition[J]. arXiv Preprint Arxiv:1610.05256, 2016. |
[4] | LITJENS G , KOOI T , BEJNORDI B E ,et al. A survey on deep learning in medical image analysis[J]. Medical Image Analysis, 2017,42: 60-88. |
[5] | MOUSAVI A , BARANIUK R G . Learning to invert:signal recovery via deep convolutional networks[C]// 2017 IEEE International Conference on Acoustics,Speech and Signal Processing (ICASSP). 2017: 2272-2276. |
[6] | KRISHNAMURTHY B , SARKAR M . Deep-learning network architecture for object detection:U.S.Patent 10,152,655[R]. 2018-12-11. |
[7] | GOYAL P , FERRARA E . Graph embedding techniques,applications,and performance:a survey[J]. Knowledge-Based Systems, 2018,151: 78-94. |
[8] | FRASCONI P , GORI M , SPERDUTI A . A general framework for adaptive processing of data structures[J]. IEEE Transactions on Neural Networks, 1998,9(5): 768-786. |
[9] | SPERDUTI A , STARITA A . Supervised neural networks for the classification of structures[J]. IEEE Transactions on Neural Networks, 1997,8(3): 714-735. |
[10] | GORI M , MONFARDINI G , SCARSELLI F . A new model for learning in graph domains[C]// 2005 IEEE International Joint Conference on Neural Networks. 2005: 729-734. |
[11] | SCARSELLI F , GORI M , TSOI A C ,et al. The graph neural network model[J]. IEEE Transactions on Neural Networks, 2008,20(1): 61-80. |
[12] | BRUNA J , ZAREMBA W , SZLAM A ,et al. Spectral networks and locally connected networks on graphs[C]// 2nd International Conference on Learning Representations. 2014. |
[13] | DEFFERRARD M , BRESSON X , VANDERGHEYNST P . Convolutional neural networks on graphs with fast localized spectral filtering[C]// Advances in Neural Information Processing Systems 29. 2016: 3837-3845. |
[14] | VELI?KOVI? P , CUCURULL G , CASANOVA A ,et al. Graph attention networks[J]. arXiv preprint arXiv:1710.10903, 2017. |
[15] | CAO S , LU W , XU Q . Deep neural networks for learning graph representations[C]// Proceedings of the 30th AAAI Conference on Artificial Intelligence. 2016: 1145-1152. |
[16] | KIPF T N , WELLING M . Variational graph auto-encoders[J]. arXiv preprint arXiv:1611.07308, 2016. |
[17] | TANG J , QU M , MEI Q . Pte:Predictive text embedding through large-scale heterogeneous text networks[C]// Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2015: 1165-1174. |
[18] | WANG S , TANG J , AGGARWAL C ,et al. Linked document embedding for classification[C]// Proceedings of the 25th ACM International on Conference on Information and Knowledge Management. 2016: 115-124. |
[19] | PEROZZI B , AL-RFOU R , SKIENA S . Deepwalk:Online learning of social representations[C]// Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2014: 701-710. |
[20] | WANG S , TANG J , AGGARWAL C ,et al. Signed network embedding in social media[C]// Proceedings of the 2017 SIAM International Conference on Data Mining. 2017: 327-335. |
[21] | TIAN F , GAO B , CUI Q ,et al. Learning deep representations for graph clustering[C]// Proceedings of the Twenty-Eighth AAAI Conference on Artificial Intelligence. 2014: 1293-1299. |
[22] | ALLAB K , LABIOD L , NADIF M . A semi-NMF-PCA unified framework for data clustering[J]. IEEE Transactions on Knowledge and Data Engineering, 2016,29(1): 2-16. |
[23] | LEE J B , ROSSI R , KONG X . Graph classification using structural attention[C]// Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery. 2018: 1666-1674. |
[24] | PEI Y , CHAKRABORTY N , SYCARA K . Nonnegative matrix tri-factorization with graph regularization for community detection in social networks[C]// Proceedings of the Twenty-Fourth International Joint Conference on Artificial Intelligence. 2015: 2083-2089. |
[25] | CHEN L , LIU Y , ZHENG Z ,et al. Heterogeneous neural attentive factorization machine for rating prediction[C]// Proceedings of the 27th ACM International Conference on Information and Knowledge Management. 2018: 833-842. |
[26] | XIE F , CHEN L , YE Y ,et al. Factorization machine based service recommendation on heterogeneous information networks[C]// 2018 IEEE International Conference on Web Services,ser.ICWS ’18. 2018: 115-122. |
[27] | WANG J , HUANG P , ZHAO H ,et al. Billion-scale commodity embedding for e-commerce recommendation in Alibaba[C]// Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining,ser.KDD ’18. 2018: 839-848. |
[28] | ZüGNER D , AKBARNEJAD A , AND GüNNEMANN S . Adversarial attacks on neural networks for graph data[C]// Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining,ser.KDD ’18. 2018:2847C2856. |
[29] | DAI H , LI H , TIAN T ,et al. Adversarial attack on graph structured data[C]// Proceedings of the 35th International Conference on Machine Learning,ser.ICML ’18. 2018: 1123-1132. |
[30] | WANG X , EATON J , HSIEH C J ,et al. Attack graph convolutional networks by adding fake nodes[J]. arXiv preprint arXiv:1810.10751, 2018. |
[31] | ZHOU K , MICHALAK T P , WANIEK M ,et al. Attacking similarity-based link prediction in social networks[C]// Proceedings of the 18th International Conference on Autonomous Agents and MultiAgent Systems,ser.AAMAS ’19. 2019: 305-313. |
[32] | BOJCHEVSKI A AND GüNNEMANN S . Adversarial attacks on node embeddings via graph poisoning[C]// Proceedings of the 36th International Conference on Machine Learning,ICML 2019. 2019: 695-704. |
[33] | SUN Y , WANG S , TANG X ,et al. Node injection attacks on graphs via reinforcement learning[J]. arXiv preprint arXiv:1909.06543, 2019. |
[34] | CHEN J , WU Y , XU X ,et al. Fast gradient attack on network embedding[J]. arXiv preprint arXiv:1809.02797, 2018. |
[35] | CHEN J , LIN X , SHI Z ,et al. Link prediction adversarial attack via iterative gradient attack[J]. IEEE Transactions on Computational Social Systems, 2020,7(4): 1081-1094. |
[36] | CHEN J , CHEN L , CHEN Y ,et al. Ga-based Q-attack on community detection[J]. IEEE Transactions on Computational Social Systems, 2019,6(3): 491-503. |
[37] | CHEN J , CHEN Y , CHEN L ,et al. Multiscale evolutionary perturbation attack on community detection[J]. IEEE Transactions on Computational Social Systems, 2021,8(1): 62-75. |
[38] | CHANG H , RONG Y , XU T ,et al. A restricted black-box adversarial framework towards attacking graph embedding models[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2020: 3389-3396. |
[39] | MA Y , WANG S , WU L ,et al. Attacking graph convolutional networks via rewiring[J]. arXiv preprint arXiv:1906.03750, 2019. |
[40] | ZüGNER D AND GüNNEMANN S . Adversarial attacks on graph neural networks via meta learning[C]// 7th International Conference on Learning Representations,ser.ICLR ’19. 2019. |
[41] | SUN M , TANG J , LI H ,et al. Data poisoning attack against unsupervised node embedding methods[J]. arXiv preprint arXiv:1810.12881, 2018. |
[42] | WANIEK M , ZHOU K , VOROBEYCHIK Y ,et al. Attack tolerance of link prediction algorithms:How to hide your relations in a social network[J]. arXiv preprint arXiv:1809.00152, 2018. |
[43] | FARD A M , WANG K , AND YU P . Limiting link disclosure in social network analysis through subgraph-wise perturbation[C]// 15th International Conference on Extending Database Technology,ser.EDBT ’12. 2012: 109-119. |
[44] | FARD A AND WANG K . Neighborhood randomization for link privacy in social network analysis[J]. World Wide Web, 2015,18(1): 9-32. |
[45] | LI J , ZHANG H , HAN Z ,et al. Adversarial attack on community detection by hiding individuals[C]// WWW ’20:The Web Conference 2020. 2020: 917-927. |
[46] | FENG F , HE X , TANG J ,et al. Graph adversarial training:Dynamically regularizing based on graph structure[J]. IEEE Transactions on Knowledge and Data Engineering. 2019. |
[47] | CHEN J , LIN X , XIONG H ,et al. Smoothing adversarial training for gnn[J]. IEEE Transactions on Computational Social Systems, 2020. |
[48] | SUN K , LIN Z , GUO H ,et al. Virtual adversarial training on graph convolutional networks in node classification[C]// Pattern Recognition and Computer Vision - Second Chinese Conference,PRCV 2019. 2019: 431-443. |
[49] | ZHANG Y , KHAN S , AND COATES M . Comparing and detecting adversarial attacks for graph deep learning[C]// Proc Representation Learning on Graphs and Manifolds Workshop,Int Conf Learning Representations. 2019. |
[50] | ENTEZARI N , AL-SAYOURI S A , DARVISHZADEH A ,et al. All you need is low (rank):Defending against adversarial attacks on graphs[C]// WSDM ’20:The Thirteenth ACM International Conference on Web Search and Data Mining. 2020: 169-177. |
[51] | TANG X , LI Y , SUN Y ,et al. Transferring robustness for graph neural network against poisoning attacks[C]// WSDM ’20:The Thirteenth ACM International Conference on Web Search and Data Mining. 2020: 600-608. |
[52] | ZHU D , ZHANG Z , CUI P ,et al. Robust graph convolutional networks against adversarial attacks[C]// Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery &Data Mining. 2019: 1399-1407. |
[53] | JIN M , CHANG H , ZHU W ,et al. Power up! robust graph convolutional network against evasion attacks based on graph powering[J]. arXiv preprint arXiv:1905.10029, 2019. |
[54] | IOANNIDIS V N AND GIANNAKIS G B . Edge dithering for robust adaptive graph convolutional networks[J]. arXiv preprint arXiv:1910.09590, 2019. |
[55] | MILLER B A , ?AMURCU M , GOMEZ A J ,et al. Improving robustness to attacks against vertex classification[C]// 15th International Workshop on Mining and Learning with Graphs. 2019. |
[56] | WU H , WANG C , TYSHETSKIY Y ,et al. Adversarial examples for graph data:Deep insights into attack and defense[C]// Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence. 2019: 4816-4823. |
[57] | JIN W , LI Y , XU H ,et al. Adversarial attacks and defenses on graphs:a review and empirical study[J]. arXiv preprint arXiv:2003.00653, 2020. |
[58] | SUN L , DOU Y , YANG C ,et al. Adversarial attack and defense on graph data:A survey[J]. arXiv preprint arXiv:1812.10528, 2018. |
[59] | CHEN L , LI J , PENG J ,et al. A survey of adversarial learning on graph[J]. arXiv preprint arXiv:2003.05730, 2020. |
[60] | DOMENICO M , LIMA A , MOUGEL P ,et al. The anatomy of a scientific rumor[J]. Scientific Reports, 2013,3(10): 65. |
[61] | LESKOVEC J , KLEINBERG J , FALOUTSOS C . Graph evolution:Densification and shrinking diameters[J]. ACM Transactions on Knowledge Discovery from Data (TKDD). 2006,1. |
[62] | LI Y , YU R , SHAHAB CI ,et al. Diffusion convolutional recurrent neural network:Data-driven traffic forecasting[C]// 6th International Conference on Learning Representations. 2018. |
[63] | GONG Y , ZHU Y , DUAN L ,et al. Exact-k recommendation via maximal clique optimization[C]// Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery &Data Mining,KDD 2019. 2019: 617-626. |
[64] | TANG J , ZHANG J , YAO L ,et al. Arnetminer:extraction and mining of academic social networks[C]// Proceedings of the 14th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2008: 990-998. |
[65] | ADAMIC L A AND GLANCE N . The political blogosphere and the 2004 us election:divided they blog[C]// Proceedings of the 3rd International Workshop on Link Discovery. 2005: 36-43. |
[66] | DEBNATH A K , COMPADRE R L , DEBNATH G ,et al. Structure-activity relationship of mutagenic aromatic and heteroaromatic nitro compounds.correlation with molecular orbital energies and hydrophobicity[J]. Journal of Medicinal Chemistry, 1991,34(2): 786-797. |
[67] | GOODFELLOW I , POUGET-ABADIE J , MIRZA M ,et al. Generative adversarial nets[C]// Advances in Neural Information Processing Systems 27:Annual Conference on Neural Information Processing Systems 2014. 2014: 2672-2680. |
[68] | KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[C]// International Conference on Learning Representations,ser.ICLR ’17. 2017. |
[69] | WANG B AND WANG N . Attacking graphbased classification via manipulating the graph structure[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 2023-2040. |
[70] | AVISHEK J , CIANFLFLONE A , HAMILTION W . Generalizable adversarial attacks using generative models[J]. arXiv preprint arXiv:1905.10864, 2019. |
[71] | WU H , WANG C , TYSHETSKIY Y ,et al. Adversarial examples for graph data:deep insights into attack and defense[C]// Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence,IJCAI 2019. 2019: 4816-4823. |
[72] | XU K , CHEN H , LIU S ,et al. Topology attack and defense for graph neural networks:An optimization perspective[C]// Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence,IJCAI 2019. 2019: 3961-3967. |
[73] | ZANG X , XIE Y , CHEN J ,et al. Graph universal adversarial attacks:A few bad actors ruin graph learning models[J]. arXiv preprint arXiv:2002.04784, 2020. |
[74] | TAKAHASHI T , . Indirect adversarial attacks via poisoning neighbors for graph convolutional networks[C]// 2019 IEEE International Conference on Big Data (Big Data). 2019: 1395-1400. |
[75] | CHEN J , CHEN Y , ZHENG H ,et al. Mga:Momentum gradient attack on network[J]. arXiv preprint arXiv:2002.11320, 2020. |
[76] | WANIEK M , ZHOU K , VOROBEYCHIK Y ,et al. Attack tolerance of link prediction algorithms:How to hide your relations in a social network[J]. arXiv preprint arXiv:1809.00152, 2018. |
[77] | QIU J , DONG Y , MA H ,et al. Network embedding as matrix factorization[C]// Proceedings of the Eleventh ACM International Conference on Web Search and Data Mining,WSDM 2018. 2018: 459-467. |
[78] | CHEN J , ZHANG J , CHEN Z ,et al. Time-aware gradient attack on dynamic network link prediction[J]. arXiv preprint arXiv:1911.10561, 2019. |
[79] | TANG H , MA G , CHEN Y ,et al. Adversarial attack on hierarchical graph pooling neural networks[J]. arXiv preprint arXiv:2005.11560, 2020. |
[80] | BáLEK M , GOODALL A . Large networks and graph limits[J]. Comput Sci Rev, 2013,10: 35-46. |
[81] | FALOUTSOS C , KOUTRA D , VOGELSTEIN J . Deltacon:A principled massive-graph similarity function[C]// Proceedings of the 13th SIAM International Conference on Data Mining. 2013: 162-170. |
[82] | ZHANG Z , JIA J , WANG B ,et al. Backdoor attacks to graph neural networks[J]. arXiv preprint arXiv:2006.11165, 2020. |
[83] | XI Z , PANG R , JI S ,et al. Graph backdoor[C]// USENIX Security. 2021. |
[84] | CORDELLA L , FOGGIA P , SANSONE C ,et al. A (sub)graph isomorphism algorithm for matching large graphs[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2004,26(10): 1367-1372. |
[85] | YU S , ZHENG J , CHEN J ,et al. Unsupervised euclidean distance attack on network embedding[C]// 5th IEEE International Conference on Data Science in Cyberspace. 2020: 71-77. |
[86] | LI J , ZHANG H , HAN Z ,et al. Adversarial attack on community detection by hiding individuals[C]// WWW ’20:The Web Conference 2020. 2020: 917-927. |
[87] | WANIEK M , MICHALAK T , WOOLDRIDGE M ,et al. Hiding individuals and communities in a social network[J]. Nature Human Behaviour, 2018,2(2): 139-147. |
[88] | DENG Z , DONG Y , ZHU J . Batch virtual adversarial training for graph convolutional networks[J]. arXiv preprint arXiv:1902.09192, 2019. |
[89] | WANG X , LIU X , HSIEH C . Graphdefense:Towards robust graph convolutional networks[J]. arXiv preprint arXiv:1911.04429, 2019. |
[90] | IOANNIDIS V , BERBERIDIS D AND GIANNAKIS B . Graphsac:Detecting anomalies in large-scale graphs[J]. arXiv preprint arXiv:1910.09589, 2019. |
[91] | ZHOU K , MICHALAK T , VOROBEYCHIK Y ,et al. Adversarial robustness of similarity-based link prediction[J]. arXiv preprint arXiv:1909.01432, 2019. |
[92] | PEZESHKPOUR P , IRVINE C , TIAN Y ,et al. Investigating robustness and interpretability of link prediction via adversarial modifications[C]// Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics:Human Language Technologies. 2019: 3336-3347. |
[93] | JIN W , MA Y , LIU X ,et al. Graph structure learning for robust graph neural networks[C]// KDD ’20:The 26th ACM SIGKDD Conference on Knowledge Discovery and Data Mining,Virtual Even. 2020: 66-74. |
[94] | SUN M , TANG J , LI H ,et al. Data poisoning attack against unsupervised node embedding methods[J]. arXiv preprint arXiv:1810.12881, 2018. |
[95] | SEN P , NAMATA G , BILGIC M ,et al. Collective classification in network data[J]. AI Magazine, 2008,29(3): 93. |
[96] | MCCALLUM A , NIGAM K , RENNIE J ,et al. Automating the construction of internet portals with machine learning[J]. Information Retrieval, 2000,3(2): 127-163. |
[97] | HAMILTON W , YING Z ,AND LESKOVEC J . Inductive representation learning on large graphs[C]// Advances in Neural Information Processing Systems 30:Annual Conference on Neural Information Processing Systems 2017. 2017: 1024-1034. |
[98] | LUSSEAU D , SCHNEIDER K , BOISSEAU O ,et al. The bottlenose dolphin community of doubtful sound features a large proportion of long-lasting associations[J]. Behavioral Ecology and Sociobiology, 2003,54(4): 396-405. |
[99] | ZACHARY W . An information flow model for conflict and fission in small groups[J]. Journal of anthropological research, 1977,33(4): 452-473. |
[100] | GIRVAN M AND NEWMAN M . Community structure in social and biological networks[C]// Proceedings of the National Academy of Sciences. 2002: 7821-7826. |
[101] | BORGWARDT K , ONG C , SCHOENAUER S ,et al. Protein function prediction via graph kernels[J]. Bioinformatics, 2005,21(1): 47-56. |
[102] | WALE N , KARYPIS G . Comparison of descriptor spaces for chemical compound retrieval and classification[C]// Proceedings of the 6th IEEE International Conference on Data Mining (ICDM 2006). 2006: 678-689. |
[103] | DOBSON P , DOIG A . Distinguishing enzyme structures from non-enzymes without alignments[J]. Journal of molecular biology, 2003,330(4): 771-783. |
[104] | ZUGNER D AND GUNNEMANN DS . Certifiable robustness and robust training for graph convolutional networks[C]// Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2019: 246-256. |
[1] | 陈先意, 顾军, 颜凯, 江栋, 许林峰, 付章杰. 针对车牌识别系统的双重对抗攻击[J]. 网络与信息安全学报, 2023, 9(3): 16-27. |
[2] | 陈晋音, 李荣昌, 黄国瀚, 刘涛, 郑海斌, 程瑶. 纵向联邦学习方法及其隐私和安全综述[J]. 网络与信息安全学报, 2023, 9(2): 1-20. |
[3] | 蔡召, 荆涛, 任爽. 以太坊钓鱼诈骗检测技术综述[J]. 网络与信息安全学报, 2023, 9(2): 21-32. |
[4] | 单棣斌, 杜学绘, 王文娟, 刘敖迪, 王娜. 基于GNN双源学习的访问控制关系预测方法[J]. 网络与信息安全学报, 2022, 8(5): 40-55. |
[5] | 张宇, 李海良. 基于RSA的图像可识别对抗攻击方法[J]. 网络与信息安全学报, 2021, 7(5): 40-48. |
[6] | 陈皓, 易平. 基于图神经网络的代码漏洞检测方法[J]. 网络与信息安全学报, 2021, 7(3): 37-45. |
[7] | 刘西蒙,谢乐辉,王耀鹏,李旭如. 深度学习中的对抗攻击与防御[J]. 网络与信息安全学报, 2020, 6(5): 36-53. |
阅读次数 | ||||||
全文 |
|
|||||
摘要 |
|
|||||
|