Journal on Communications, 2021, Vol. 42, Issue (9): 65-74. doi: 10.11959/j.issn.1000-436x.2021167
Yiteng WU, Wei LIU, Hongtao YU
Revised: 2021-08-01
Online: 2021-09-25
Published: 2021-09-01
Yiteng WU, Wei LIU, Hongtao YU. Label flipping adversarial attack on graph neural network[J]. Journal on Communications, 2021, 42(9): 65-74.
k | Method | Polblogs | Cora_ml | Cora | Citeseer |
Unperturbed | 94.54% | 86.45% | 85.04% | 74.20% | |
Min-max | 92.62% | 84.87% | 82.38% | 73.40% | |
Mettack | 93.32% | 86.03% | 84.81% | 74.79% | |
1 | Random | 94.02% | 86.11% | 84.20% | 73.53% |
91.87% | 83.54% | 80.12% | 69.10% | ||
69.01% | |||||
91.07% | 79.25% | ||||
Unperturbed | 95.60% | 88.05% | 87.08% | 74.52% | |
Min-max | 94.61% | 87.61% | 85.74% | 74.12% | |
Mettack | 93.70% | 87.26% | 86.74% | 74.86% | |
2 | Random | 95.41% | 88.04% | 86.78% | 74.04% |
94.75% | 87.35% | 85.02% | 70.77% | ||
82.85% | 82.23% | ||||
93.65% | 69.78% |
Hypothesis | Loss function | Perturbation amount | ||||||||||
No perturbation | 1% | 2% | 3% | 4% | 5% | 6% | 7% | 8% | 9% | 10% | ||
Training accuracy | 99.65% | 98.51% | 98.45% | 98.32% | 98.13% | 97.83% | 97.53% | 97.18% | 96.84% | 96.42% | 95.95% | |
Test accuracy | 86.45% | 85.71% | 85.04% | 84.43% | 83.96% | 83.54% | 83.10% | 82.61% | 82.12% | 81.70% | 81.25% | |
Contradictory data | 77.84 | 243.80 | 295.95 | 337.10 | 371.11 | 399.91 | 428.22 | 454.47 | 479.39 | 503.16 | 527.14 | |
102.77 | 195.60 | 224.89 | 250.35 | 273.50 | 295.88 | 318.07 | 339.39 | 360.19 | 380.71 | 404.29 | ||
77.84 | 180.13 | 209.41 | 234.72 | 257.65 | 279.80 | 301.76 | 322.91 | 343.53 | 363.89 | 387.28 | ||
Training accuracy | 99.66% | 97.83% | 96.78% | 95.79% | 94.93% | 93.94% | 92.89% | 91.98% | 91.10% | 90.23% | 89.30% | |
Test accuracy | 86.45% | 85.05% | 83.64% | 82.28% | 81.05% | 79.99% | 78.85% | 77.80% | 76.78% | 75.78% | 74.65% | |
Parameter discrepancy | 77.85 | 175.58 | 181.74 | 186.29 | 194.25 | 199.43 | 202.84 | 205.52 | 209.44 | 214.92 | 219.92 | |
102.78 | 189.84 | 217.24 | 248.54 | 277.21 | 310.66 | 345.39 | 381.92 | 417.88 | 452.05 | 492.05 | ||
77.85 | 173.25 | 200.42 | 231.60 | 260.22 | 293.66 | 328.38 | 364.88 | 400.80 | 434.92 | 474.88 | ||
Training accuracy | 99.66% | 97.85% | 96.83% | 95.79% | 94.97% | 93.96% | 92.95% | 91.95% | 91.02% | 90.25% | 89.29% | |
Test accuracy | 86.42% | 85.12% | 83.60% | 82.28% | 81.12% | 79.99% | 78.85% | 77.80% | 76.77% | 75.80% | 74.68% | |
Same distribution | 77.87 | 173.47 | 181.53 | 186.50 | 192.86 | 197.10 | 200.70 | 202.68 | 206.56 | 212.37 | 216.85 | |
102.80 | 189.06 | 216.25 | 248.45 | 278.29 | 315.38 | 351.02 | 389.25 | 425.06 | 460.38 | 501.39 | ||
77.87 | 172.48 | 199.48 | 231.60 | 261.39 | 298.47 | 334.14 | 372.40 | 408.17 | 443.43 | 484.41 | ||
Training accuracy | 99.66% | 98.34% | 98.21% | 97.96% | 97.81% | 97.59% | 97.42% | 97.21% | 97.01% | 96.88% | 96.68% | |
Test accuracy | 86.46% | 86.70% | 86.59% | 86.48% | 86.23% | 86.11% | 86.00% | 85.86% | 85.76% | 85.68% | 85.56% | |
Random attack | 77.89 | 148.36 | 158.79 | 166.53 | 175.08 | 181.54 | 188.93 | 195.55 | 202.00 | 207.06 | 214.97 | |
102.82 | 163.38 | 171.55 | 179.66 | 187.36 | 194.66 | 201.20 | 208.75 | 215.47 | 221.05 | 228.50 | ||
77.89 | 147.08 | 155.27 | 163.37 | 171.10 | 178.37 | 184.90 | 192.39 | 199.09 | 204.64 | 212.08 |
Hypothesis | Loss function | Perturbation amount | ||||||||||
No perturbation | 1% | 2% | 3% | 4% | 5% | 6% | 7% | 8% | 9% | 10% | ||
Training accuracy | 96.49% | 94.98% | 94.88% | 94.88% | 94.83% | 94.69% | 94.58% | 94.35% | 94.11% | 93.88% | 93.52% | |
Test accuracy | 88.05% | 88.21% | 87.99% | 87.79% | 87.68% | 87.35% | 87.08% | 86.87% | 86.56% | 86.27% | 85.96% | |
Contradictory data | 158.58 | 344.39 | 420.66 | 479.22 | 528.69 | 572.72 | 611.05 | 648.31 | 683.45 | 716.71 | 750.49 | |
181.84 | 266.66 | 292.22 | 316.58 | 338.95 | 360.68 | 381.91 | 403.02 | 424.26 | 445.29 | 468.01 | ||
158.58 | 252.93 | 279.12 | 303.77 | 326.28 | 348.09 | 369.31 | 390.45 | 411.68 | 432.71 | 455.41 | ||
Training accuracy | 96.51% | 94.58% | 93.38% | 92.38% | 91.25% | 90.05% | 88.83% | 87.70% | 86.54% | 85.48% | 84.47% | |
Test accuracy | 88.06% | 87.64% | 86.42% | 85.11% | 83.91% | 82.85% | 81.63% | 80.48% | 79.23% | 77.91% | 76.60% | |
Parameter discrepancy | 158.57 | 269.89 | 278.94 | 285.41 | 292.11 | 297.75 | 299.60 | 302.78 | 305.69 | 308.04 | 312.26 | |
181.84 | 265.07 | 288.56 | 315.32 | 341.76 | 369.31 | 395.93 | 426.15 | 457.87 | 489.82 | 530.75 | ||
158.57 | 249.86 | 273.22 | 299.88 | 326.27 | 353.83 | 380.44 | 410.72 | 442.51 | 474.52 | 515.59 | ||
Training accuracy | 96.50% | 94.62% | 93.53% | 92.42% | 91.37% | 90.13% | 88.86% | 87.72% | 86.51% | 85.47% | 84.58% | |
Test accuracy | 88.05% | 87.71% | 86.50% | 85.35% | 84.01% | 82.94% | 81.67% | 80.46% | 79.23% | 78.05% | 76.92% | |
Same distribution | 158.61 | 268.73 | 278.24 | 282.96 | 290.70 | 295.65 | 296.99 | 302.46 | 303.10 | 305.86 | 310.32 | |
181.87 | 265.31 | 288.51 | 317.72 | 345.52 | 373.91 | 401.51 | 432.71 | 466.63 | 501.98 | 546.42 | ||
158.61 | 250.14 | 273.19 | 302.31 | 330.08 | 358.48 | 386.07 | 417.36 | 451.37 | 486.81 | 531.40 | ||
Training accuracy | 96.51% | 94.89% | 94.80% | 94.77% | 94.65% | 94.60% | 94.55% | 94.46% | 94.44% | 94.36% | 94.28% | |
Test accuracy | 88.05% | 88.34% | 88.29% | 88.18% | 88.12% | 88.04% | 88.02% | 87.97% | 87.86% | 87.80% | 87.74% | |
Random attack | 158.59 | 236.73 | 254.61 | 268.65 | 282.00 | 293.60 | 306.80 | 319.12 | 330.61 | 339.74 | 353.35 | |
181.85 | 243.15 | 249.12 | 254.59 | 259.88 | 264.98 | 270.04 | 275.63 | 280.81 | 285.24 | 291.25 | ||
158.59 | 228.03 | 234.21 | 239.81 | 245.25 | 250.44 | 255.61 | 261.28 | 266.54 | 271.03 | 277.14 |