Improved defense method for graph convolutional network based on singular value decomposition

doi:10.11772/j.issn.1001-9081.2022040553

Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (5): 1511-1517.DOI: 10.11772/j.issn.1001-9081.2022040553

• Cyber security • Previous Articles Next Articles

Improved defense method for graph convolutional network based on singular value decomposition

Kejun JIN, Hongtao YU(), Yiteng WU, Shaomei LI, Jianpeng ZHANG, Honghao ZHENG

Information Engineering University，Zhengzhou Henan 450001，China

Received:2022-04-21 Revised:2022-06-01 Accepted:2022-06-06 Online:2022-07-26 Published:2023-05-10
Contact: Hongtao YU
About author:JIN Kejun， born in 1993， M. S. candidate. His research interest include artificial intelligence security.
YU Hongtao， born in 1970， Ph. D.， research fellow. His research interests include big data and artificial intelligence.
WU Yiteng， born in 1992， Ph. D. His research interests include cyberspace security.
LI Shaomei， born in 1982， Ph. D.， associate research fellow. Her research interests include computer vision.
ZHANG Jianpeng， born in 1988， Ph. D.， assistant research fellow. His research interests include complex network analysis.
ZHENG Honghao， born in 1992， M. S. His research interests include natural language understanding.
Supported by:
National Natural Science Foundation of China(62002384);China Postdoctoral Science Foundation(2020M683760)

改进的基于奇异值分解的图卷积网络防御方法

金柯君, 于洪涛(), 吴翼腾, 李邵梅, 张建朋, 郑洪浩

信息工程大学，郑州 450001

通讯作者: 于洪涛
作者简介:金柯君（1993—），男，浙江诸暨人，硕士研究生，主要研究方向：人工智能安全
于洪涛（1970—），男，辽宁丹东人，研究员，博士，主要研究方向：大数据与人工智能 yht_ndsc@126.com
吴翼腾（1992—），男，吉林吉林人，博士，主要研究方向：网络空间安全
李邵梅（1982—），女，湖北钟祥人，副研究员，博士，主要研究方向：计算机视觉
张建朋（1988—），男，河北廊坊人，助理研究员，博士，主要研究方向：复杂网络分析
郑洪浩（1992—），男，山东济宁人，硕士，主要研究方向：自然语言理解。
基金资助:
国家自然科学基金资助项目(62002384);中国博士后科学基金资助项目(2020M683760)

Abstract

Abstract:

Graph Neural Network （GNN） is vulnerable to adversarial attacks， leading to performance degradation， which affects downstream tasks such as node classification， link prediction and community detection. Therefore， the defense methods of GNN have important research value. Aiming at the problem that GNN has poor robustness when being adversarially attacked， taking Graph Convolutional Network （GCN） as the model， an improved Singular Value Decomposition （SVD） based poisoning attack defense method was proposed， named ISVDatt. In the poisoning attack scenario， the attacked graph was able to be purified by the proposed method. When the GCN was attacked by poisoning， the connected edges with large different features were first screened and deleted to keep the graph features smooth. Then， SVD and low-rank approximation operations were performed to keep the low rank of the attacked graph and clean it up. Finally， the purified graph was used for training GCN model to achieve effective defense against poisoning attack. Experiments against Metattack and DICE were conducted on the open source datasets such as Citeseer， Cora and Pubmed， and compared with the defense methods based on SVD， Pro_GNN and Robust Graph Convolutional Network （RGCN）， respectively. The results show that ISVDatt has relatively better defense effect， although the classification accuracy is lower than that of Pro_GNN， but it has low complexity and negligible time overhead. Experimental results verify that ISVDatt can resist poisoning attack effectively with the consideration of both the complexity and versatility of the algorithm， and has a high practical value.

Key words: Graph Neural Network (GNN), Graph Convolutional Network (GCN), adversarial attack, poisoning attack, adversarial defense, Singular Value Decomposition (SVD)

摘要：

图神经网络（GNN）容易受到对抗性攻击而导致性能下降，影响节点分类、链路预测和社区检测等下游任务，因此GNN的防御方法具有重要研究价值。针对GNN在面对对抗性攻击时鲁棒性差的问题，以图卷积网络（GCN）为模型，提出一种改进的基于奇异值分解（SVD）的投毒攻击防御方法ISVDatt。在投毒攻击场景下，该方法可对扰动图进行净化处理。GCN遭受投毒攻击后，首先筛选并删除特征差异较大的连边使图保持特征光滑性；然后进行SVD和低秩近似操作使扰动图保持低秩性，并完成对它的净化处理；最后将净化后的扰动图用于GCN模型训练，从而实现对投毒攻击的有效防御。在开源的Citeseer、Cora和Pubmed数据集上针对Metattack和DICE（Delete Internally， Connect Externally）攻击进行实验，并与基于SVD、Pro_GNN和鲁棒图卷积网络（RGCN）的防御方法进行了对比，结果显示ISVDatt的防御效果相对较优，虽然分类准确率比Pro_GNN低，但复杂度低，时间开销可以忽略不计。实验结果表明ISVDatt能有效抵御投毒攻击，兼顾算法的复杂度和通用性，具有较高的实用价值。

关键词: 图神经网络, 图卷积网络, 对抗性攻击, 投毒攻击, 对抗性防御, 奇异值分解

CLC Number:

TP18

Kejun JIN, Hongtao YU, Yiteng WU, Shaomei LI, Jianpeng ZHANG, Honghao ZHENG. Improved defense method for graph convolutional network based on singular value decomposition[J]. Journal of Computer Applications, 2023, 43(5): 1511-1517.

金柯君, 于洪涛, 吴翼腾, 李邵梅, 张建朋, 郑洪浩. 改进的基于奇异值分解的图卷积网络防御方法[J]. 《计算机应用》唯一官方网站, 2023, 43(5): 1511-1517.

Figures/Tables 7

References 31

1	陈晋音，黄国瀚，张敦杰，等. 一种面向图神经网络的图重构防御方法［J］. 计算机研究与发展， 2021， 58（5）： 1075-1091. 10.7544/issn1000-1239.2021.20200935
	CHEN J Y， HUANG G H， ZHANG D J， et al. GRD-GNN： graph reconstruction defense for graph neural network［J］. Journal of Computer Research and Development， 2021， 58（5）： 1075-1091. 10.7544/issn1000-1239.2021.20200935
2	TANG J， QU M， MEI Q Z. PTE： predictive text embedding through large-scale heterogeneous text networks［C］// Proceedings of the 21st ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York： ACM， 2015： 1165-1174. 10.1145/2783258.2783307
3	WANG S H， TANG J L， AGGARWAL C， et al. Signed network embedding in social media［C］// Proceedings of the 2017 SIAM International Conference on Data Mining. Pennsylvania， PA： Society for Industrial and Applied Mathematics， 2017： 327-335. 10.1137/1.9781611974973.37
4	XUAN Q， WANG J H， ZHAO M H， et al. Subgraph networks with application to structural feature space expansion［J］. IEEE Transactions on Knowledge and Data Engineering， 2021， 33（6）： 2776-2789. 10.1109/tkde.2019.2957755
5	赵霞，张泽华，张晨威，等. RGNE：粗糙粒化的网络嵌入式重叠社区发现方法［J］. 计算机研究与发展， 2020， 57（6）：1302-1311. 10.7544/issn1000-1239.2020.20190572
	ZHAO X， ZHANG Z H， ZHANG C W， et al. RGNE： a network embedding method for overlapping community detection based on rough granulation［J］. Journal of Computer Research and Development， 2020， 57（6）：1302-1311. 10.7544/issn1000-1239.2020.20190572
6	ZÜGNER D， AKBARNEJAD A， GÜNNEMANN S. Adversarial attacks on neural networks for graph data［C］// Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York： ACM， 2018： 2847-2856. 10.1145/3219819.3220078
7	翟正利，李鹏辉，冯舒. 图对抗攻击研究综述［J］. 计算机工程与应用， 2021， 57（7）：14-21. 10.3778/j.issn.1002-8331.2012-0367
	ZHAI Z L， LI P H， FENG S. Research overview of adversarial attacks on graphs［J］. Computer Engineering and Applications， 2021， 57（7）：14-21. 10.3778/j.issn.1002-8331.2012-0367
8	JIN W， LI Y X， XU H， et al. Adversarial attacks and defenses on graphs： a review and empirical study［J］ ACM SIGKDD Explorations Newsletter， 2020， 22（2）：19-34. 10.1145/3447556.3447566
9	CHEN L， LI J T， PENG J Y， et al. A survey of adversarial learning on graphs［EB/OL］. ［2022-01-15］..
10	ZHOU K， ZHA H Y， SONG L. Learning social infectivity in sparse low-rank networks using multi-dimensional Hawkes processes［C］// Proceedings of the 16th International Conference on Artificial Intelligence and Statistics. New York： JMLR.org， 2013： 641-649.
11	FORTUNATO S. Community detection in graphs［J］. Physics Reports， 2010， 486（3/4/5）： 75-174. 10.1016/j.physrep.2009.11.002
12	McPHERSON M， SMITH-LOVIN L， COOK J M. Birds of a feather： homophily in social networks［J］. Annual Review of Sociology， 2001， 27：415-444. 10.1146/annurev.soc.27.1.415
13	KIPF T N， WELLING M. Semi-supervised classification with graph convolutional networks［EB/OL］. ［2022-02-04］.. 10.48550/arXiv.1609.02907
14	ENTEZARI N， AL-SAYOURI S A， DARVISHZADEH A， et al. All you need is low （rank）： defending against adversarial attacks on graphs［C］// Proceedings of the 13th ACM International Conference on Web Search and Data Mining. New York： ACM， 2020： 169-177. 10.1145/3336191.3371789
15	WANG S H， TANG J L， AGGARWAL C， et al. Linked document embedding for classification［C］// Proceedings of the 25th ACM International Conference on Information and Knowledge Management. New York： ACM， 2016： 115-124. 10.1145/2983323.2983755
16	DAI H J， LI H， TIAN T， et al. Adversarial attack on graph structured data［C］// Proceedings of the 35th International Conference on Machine Learning. New York： JMLR.org， 2018： 1115-1124.
17	CHEN J， WU Y， XU X， et al. Fast gradient attack on network embedding［EB/OL］. ［2022-03-24］..
18	ZÜGNER D， GÜNNEMANN S. Adversarial attacks on graph neural networks via meta learning［EB/OL］. ［2022-01-12］.. 10.24963/ijcai.2019/872
19	CHANG H， RONG Y， XU T Y， et al. A restricted black-box adversarial framework towards attacking graph embedding models［C］// Proceedings of the 34th AAAI Conference on Artificial Intelligence. Palo Alto， CA： AAAI Press， 2020： 3389-3396. 10.1609/aaai.v34i04.5741
20	MA Y， WANG S H， DERR T， et al. Graph adversarial attack via rewiring［C］// Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. New York： ACM， 2021： 1161-1169. 10.1145/3447548.3467416
21	李鹏辉，翟正利，冯舒. 图对抗防御研究进展［J］. 计算机科学与探索， 2021， 15（12）：2292-2303.
	LI P H， ZHAI Z L， FENG S. Research progress of adversarial defenses on graphs［J］. Journal of Frontiers of Computer Science and Technology， 2021， 15（12）：2292-2303.
22	FENG F L， HE X N， TANG J， et al. Graph adversarial training： dynamically regularizing based on graph structure［J］. IEEE Transactions on Knowledge and Data Engineering， 2021， 33（6）：2493-2504. 10.1109/tkde.2019.2957786
23	ZHU D Y， ZHANG Z W， CUI P， et al. Robust graph convolutional networks against adversarial attacks［C］// Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York： ACM， 2019： 1399-1407. 10.1145/3292500.3330851
24	JIN W， MA Y， LIU X R， et al. Graph structure learning for robust graph neural networks［C］// Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York： ACM， 2020： 66-74. 10.1145/3394486.3403049
25	WU H J， WANG C， TYSHETSKIY Y， et al. Adversarial examples on graph data： deep insights into attack and defense［C］// Proceedings of the 28th International Joint Conference on Artificial Intelligence. California： ijcai.org， 2019： 4816-4823. 10.24963/ijcai.2019/669
26	TAN P N， STEINBACK M， KUMAR V. 数据挖掘导论（完整版）［M］. 范明，范宏建，译. 北京：人民邮电出版社， 2011：263-266.
	TAN P N， STEINBACK M， KUMAR V. Introduction to Data Mining［M］. FAN M， FAN H J， translated. Beijing： Posts & Telecom Press， 2011：263-266.
27	赵楠，皮文超，许长桥. 一种面向多维特征分析过滤的视频推荐算法［J］. 计算机科学， 2020， 47（4）： 103-107. 10.11896/jsjkx.190700177
	ZHAO N， PI W C， XU C Q. Video recommendation algorithm for multidimensional feature analysis and filtering［J］. Computer Science， 2020， 47（4）： 103-107. 10.11896/jsjkx.190700177
28	McCALLUM A K， NIGAM K， RENNIE J. Automating the construction of internet portals with machine learning［J］. Information Retrieval， 2000， 3（2）：127-163. 10.1023/a:1009953814988
29	GILES C L， BOLLACKER K D， LAWRENCE S. CiteSeer： an automatic citation indexing system［C］// Proceedings of the 3rd ACM Conference on Digital Libraries. New York： ACM， 1998： 89-98. 10.1145/276675.276685
30	SEN P， NAMATA G， BILGIC M， et al. Collective classification in network data［J］. AI Magazine， 2008， 29（3）： 93-106. 10.1609/aimag.v29i3.2157
31	WANIEK M， MICHALAK T P， WOOLDRIDGE M J， et al. Hiding individuals and communities in a social network［J］. Nature Human Behaviour， 2018， 2： 139-147. 10.1038/s41562-017-0290-3

攻击类型	模型/防御方法	发表年份	应用场景	求解方法
图对抗性攻击	Nettack^［6］	2018	投毒/逃逸	逐元素遍历筛选扰动
	FGA/GradArgmax^［17］	2018	逃逸	以梯度为指导进行扰动筛选
	Metattack^［18］	2019	投毒	以元梯度为指导进行扰动筛选
	GF-Attack^［19］	2020	逃逸	基于特征值的扰动理论求得的闭式解指导扰动筛选
	ReWatt^［20］	2021	逃逸	采用策略梯度优化学习策略以取得最大化奖励值
图对抗性防御	GAT/GATV^［22］	2019	逃逸	基于图动态正则化进行对抗训练
	SVD^［14］	2020	投毒/逃逸	利用奇异值分解和低秩近似进行预处理
	RGCN^［23］	2019	投毒	使用高斯分布表示GCN 中隐藏层输出
	Pro-GNN^［24］	2020	投毒	通过约束，迭代地重构干净图并优化GNN 参数

攻击类型	模型/防御方法	发表年份	应用场景	求解方法
图对抗性攻击	Nettack^［6］	2018	投毒/逃逸	逐元素遍历筛选扰动
	FGA/GradArgmax^［17］	2018	逃逸	以梯度为指导进行扰动筛选
	Metattack^［18］	2019	投毒	以元梯度为指导进行扰动筛选
	GF-Attack^［19］	2020	逃逸	基于特征值的扰动理论求得的闭式解指导扰动筛选
	ReWatt^［20］	2021	逃逸	采用策略梯度优化学习策略以取得最大化奖励值
图对抗性防御	GAT/GATV^［22］	2019	逃逸	基于图动态正则化进行对抗训练
	SVD^［14］	2020	投毒/逃逸	利用奇异值分解和低秩近似进行预处理
	RGCN^［23］	2019	投毒	使用高斯分布表示GCN 中隐藏层输出
	Pro-GNN^［24］	2020	投毒	通过约束，迭代地重构干净图并优化GNN 参数

数据集	节点数	连边数	标签类别	特征数
Citeseer	2 110	3 668	6	3 703
Cora	2 485	5 069	7	1 433
Pubmed	19 717	44 338	3	500

数据集	节点数	连边数	标签类别	特征数
Citeseer	2 110	3 668	6	3 703
Cora	2 485	5 069	7	1 433
Pubmed	19 717	44 338	3	500

扰动比例	GCN	ISVD_0	ISVDatt
0.00	0.832	0.635	0.806
0.05	0.765	0.648	0.785
0.10	0.704	0.639	0.769
0.15	0.651	0.628	0.737
0.20	0.597	0.613	0.675
0.25	0.475	0.546	0.571

Improved defense method for graph convolutional network based on singular value decomposition

改进的基于奇异值分解的图卷积网络防御方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 31

Related Articles 15

Recommended Articles

Metrics

实验对象	τ	k=5	k=10	k=15	k=20	k=25
扰动图	0.00	0.782	0.783	0.763	0.712	0.683
	0.05	0.763	0.806	0.793	0.786	0.776
	0.10	0.707	0.753	0.701	0.697	0.672
	0.15	0.718	0.707	0.692	0.679	0.668
	0.20	0.667	0.680	0.707	0.673	0.657
	0.25	0.648	0.653	0.659	0.623	0.607
原始图	0.00	0.689	0.749	0.732	0.707	0.673
	0.05	0.707	0.769	0.743	0.729	0.707
	0.10	0.683	0.701	0.692	0.661	0.687
	0.15	0.668	0.670	0.651	0.638	0.627
	0.20	0.643	0.650	0.672	0.630	0.627
	0.25	0.612	0.600	0.591	0.572	0.553

数据集	原始图	Pro_GNN	RGCN	SVD	ISVDatt
Cora	0.843	0.828	0.829	0.814	0.806
Citeseer	0.721	0.726	0.725	0.714	0.707
Pubmed	0.860	0.865	0.857	0.839	0.832

数据集	扰动比例	Metattack攻击					DICE攻击
数据集	扰动比例	GCN	Pro_GNN	RGCN	SVD	ISVD	GCN	Pro_GNN	RGCN	SVD	ISVD
Cora	0.00	0.832	0.828	0.828	0.814	0.806	0.843	0.828	0.828	0.814	0.806
	0.05	0.765	0.823	0.774	0.784	0.785	0.819	0.820	0.828	0.678	0.776
	0.10	0.704	0.790	0.774	0.715	0.769	0.795	0.786	0.777	0.687	0.806
	0.15	0.651	0.765	0.722	0.667	0.737	0.790	0.795	0.769	0.693	0.783
	0.20	0.597	0.733	0.668	0.589	0.675	0.766	0.787	0.768	0.704	0.791
	0.25	0.475	0.697	0.554	0.521	0.571	0.742	0.776	0.750	0.714	0.788
Citeseer	0.00	0.720	0.726	0.725	0.714	0.707	0.739	0.726	0.725	0.714	0.707
	0.05	0.709	0.731	0.705	0.688	0.693	0.732	0.734	0.737	0.734	0.689
	0.10	0.676	0.724	0.677	0.689	0.691	0.725	0.713	0. 725	0.712	0.709
	0.15	0.656	0.708	0.657	0.633	0.663	0.717	0.693	0.713	0.692	0.713
	0.20	0.620	0.662	0.625	0.586	0.639	0.698	0.703	0.698	0.687	0.717
	0.25	0.569	0.664	0.554	0.572	0.603	0.661	0.696	0.664	0.668	0.698
Pubmed	0.00	0.872	0.865	0.857	0.839	0.828	0.871	0.865	0.857	0.839	0.832
	0.05	0.831	0.873	0.711	0.834	0.822	0.852	0.857	0.857	0.814	0.839
	0.10	0.812	0.873	0.775	0.833	0.820	0.837	0.846	0.829	0.793	0.828
	0.15	0.787	0.872	0.739	0.831	0.827	0.829	0.843	0.824	0.787	0.826
	0.20	0.774	0.871	0.712	0.830	0.831	0.824	0.842	0.815	0.794	0.820
	0.25	0.755	0.867	0.680	0.827	0.827	0.814	0.841	0.809	0.802	0.809

[1]	Cheng FANG, Bei LI, Ping HAN, Qiong WU. Fine-grained emotion classification of Chinese microblog based on syntactic dependency graph [J]. Journal of Computer Applications, 2023, 43(4): 1056-1061.
[2]	Hao SUN, Jian CAO, Haisheng LI, Dianhui MAO. Session-based recommendation model based on enhanced capsule network [J]. Journal of Computer Applications, 2023, 43(4): 1043-1049.
[3]	Yingmao YAO, Xiaoyan JIANG. Video-based person re-identification method based on graph convolution network and self-attention graph pooling [J]. Journal of Computer Applications, 2023, 43(3): 728-735.
[4]	Zhenliang LI, Bo LI. Improved method of convolution neural network based on matrix decomposition [J]. Journal of Computer Applications, 2023, 43(3): 685-691.
[5]	Lubao LI, Tian CHEN, Fuji REN, Beibei LUO. Bimodal emotion recognition method based on graph neural network and attention [J]. Journal of Computer Applications, 2023, 43(3): 700-705.
[6]	Tao PENG, Yalong KANG, Feng YU, Zili ZHANG, Junping LIU, Xinrong HU, Ruhan HE, Li LI. Pedestrian trajectory prediction based on multi-head soft attention graph convolutional network [J]. Journal of Computer Applications, 2023, 43(3): 736-743.
[7]	Yu WANG, Yubo YUAN, Yi GUO, Jiajie ZHANG. Sentiment boosting model for emotion recognition in conversation text [J]. Journal of Computer Applications, 2023, 43(3): 706-712.
[8]	Ruoying WANG, Fan LYU, Liuqing ZHAO, Fuyuan HU. Floorplan generation algorithm integrating user requirements and boundary constraints [J]. Journal of Computer Applications, 2023, 43(2): 575-582.
[9]	Yating SU, Cuixiang LIU. Three-dimensional human reconstruction model based on high-resolution net and graph convolutional network [J]. Journal of Computer Applications, 2023, 43(2): 583-588.
[10]	Jie LIANG, Xiaoyan HAO, Yongle CHEN. Poisoning attack toward visual classification model [J]. Journal of Computer Applications, 2023, 43(2): 467-473.
[11]	Jun ZHANG, Pengli WU, Lukui SHI, Jin SHI, Bin PAN. Deep learning model for multi-station temperature prediction combined with MOD11A1 and surface meteorological station data [J]. Journal of Computer Applications, 2023, 43(1): 321-328.
[12]	Lining YUAN, Zhao LIU. Graph representation learning by autoencoder with one-shot aggregation [J]. Journal of Computer Applications, 2023, 43(1): 8-14.
[13]	Jiaxuan WEI, Shikang DU, Zhixuan YU, Ruisheng ZHANG. Review of white-box adversarial attack technologies in image classification [J]. Journal of Computer Applications, 2022, 42(9): 2732-2741.
[14]	Bo LIU, Linbo QING, Zhengyong WANG, Mei LIU, Xue JIANG. Group activity recognition based on partitioned attention mechanism and interactive position relationship [J]. Journal of Computer Applications, 2022, 42(7): 2052-2057.
[15]	Jiafan ZHOU, Yuefeng DU, Baoyan SONG, Xiaoguang LI, Azhu ZHAO, Xujie XIAO. MOOC video recommendation method based on meta-path attention mechanism [J]. Journal of Computer Applications, 2022, 42(6): 1808-1813.