Adversarial Attacks on Node Embeddings via Graph Poisoning - - PowerPoint PPT Presentation
Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan Gnnemann Technical University of Munich ICML 2019 Node embeddings are used to Classify scientific papers Recommend items Classify proteins
Aleksandar Bojchevski, Stephan GΓΌnnemann Technical University of Munich ICML 2019
200 100
Adversarial Attacks on Node Embeddings via Graph Poisoning 2 Aleksandar Bojchevski
Every node π€ β π² is mapped to a low-dimensional vector π¨π€ β βπ such that the graph structure is captured. Similar nodes are close to each other in the embedding space.
Adversarial Attacks on Node Embeddings via Graph Poisoning 3
node classification link prediction
β2
Aleksandar Bojchevski
Let nodes = words and random walks = sentences. Train a language model, e.g. Word2Vec. Nodes that co-occur in the random-walks have similar embeddings.
sample train random walks graph embeddings
Adversarial Attacks on Node Embeddings via Graph Poisoning 4 Aleksandar Bojchevski
In domains where graph embeddings are used (e.g. the Web) adversaries are common and false data is easy to inject.
Adversarial Attacks on Node Embeddings via Graph Poisoning 5 Aleksandar Bojchevski
clean graph adversarial flips: add ( ) and/or remove ( ) edges
poisoned graph
Adversarial Attacks on Node Embeddings via Graph Poisoning 6 Aleksandar Bojchevski
Adversarial Attacks on Node Embeddings via Graph Poisoning
clean graph train clean embedding node classification link prediction
π π
eval β β β
Aleksandar Bojchevski 7
poisoned graph poisoned embedding node classification link prediction
π π
train eval X X X
π» β πππ ππ ππβπ‘ π»πππππβπ» β€ππ£ππππ’
π
The graph after perturbing some edges The optimal embedding from the to be optimized graph π»
Adversarial Attacks on Node Embeddings via Graph Poisoning 8 Aleksandar Bojchevski
π» β πππ ππ ππβπ‘ π»πππππβπ» β€ππ£ππππ’
π
1, π 2, β¦ π», π) π π = π ππ_π₯πππ π»
The graph after perturbing some edges The optimal embedding from the to be optimized graph π»
Adversarial Attacks on Node Embeddings via Graph Poisoning 9 Aleksandar Bojchevski
Bi-level optimization problem. Combinatorial search space. Inner optimization includes non-differentiable sampling.
Adversarial Attacks on Node Embeddings via Graph Poisoning 10
Gππππ‘. = argmax
π» β πππ ππ ππβπ‘ π»πππππβπ» β€ππ£ππππ’
min
π β( π 1, π 2, β¦ π», π)
Aleksandar Bojchevski
a) DeepWalk as Matrix Factorization b) Express the optimal β via the graph spectrum
Adversarial Attacks on Node Embeddings via Graph Poisoning 11
random walks
=
(1a) Matrix factorization
+ β
min
π β = π(
) (1b) optimal β via spectrum (2) Approximate poisoned spectrum
Aleksandar Bojchevski
a) DeepWalk corresponds to factorizing the PPMI matrix. Get the embeddings π via SVD of π Rewrite π in terms of the generalized spectrum of π΅.
Adversarial Attacks on Node Embeddings via Graph Poisoning 12
πππ = log max{ππππ, 1} π = Οπ =1
π
ππ πΈβ1
transition/degree matrix
π΅π£ = ππΈπ£ π = π Οπ =1
π
Ξπ ππ
generalized eigenvalues/vectors
Aleksandar Bojchevski
b) The optimal loss is now a simple function of the eigenvalues. Training the embedding is replaced by computing eigenvalues.
Adversarial Attacks on Node Embeddings via Graph Poisoning 13
min
π β(π», π) = π(ππ, ππ+1, β¦ )
π»ππππ‘. = argmax
π»
min
π β(π», π)
π»ππππ‘. = argmax
π»
π(ππ, ππ+1, β¦ )
Aleksandar Bojchevski
Compute the change using Eigenvalue Perturbation Theory. π΅ππππ‘ππππ = π΅πππππ + Ξπ΅ πππππ‘ππππ = ππππππ + π£πππππ
π
Ξπ΅ + ππππππΞπΈ π£πππππ simplifies for a single edge flip (π, π) ππ = ππ + ΞAππ 2π£ππ β π£ππ β ππ(π£ππ
2 + π£ππ 2 )
# compute in π(1)
Adversarial Attacks on Node Embeddings via Graph Poisoning 14 Aleksandar Bojchevski
Adversarial Attacks on Node Embeddings via Graph Poisoning 15
random walks
=
(1a) Matrix factorization
+ β
min
π β = π(
) (1b) optimal β via spectrum (2) Approximate poisoned spectrum
Aleksandar Bojchevski
Poisoning decreases the overall quality of the embeddings.
Adversarial Attacks on Node Embeddings via Graph Poisoning 16
Our attacks: Gradient baseline: Simple baselines: Clean graph:
Aleksandar Bojchevski
Goal: attack a specific node and/or a specific downstream task. Examples:
Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 17
before after General Attack before after Targeted Attack
Most nodes can be misclassified with few adversarial edges. Before attack After attack
Adversarial Attacks on Node Embeddings via Graph Poisoning 18 Aleksandar Bojchevski
Our selected adversarial edges transfer to other (un)supervised methods.
budget DeepWalk SVD DeepWalk Sampling node 2vec Spectral Embed. Label Prop. Graph Conv. 250
500
Adversarial Attacks on Node Embeddings via Graph Poisoning 19
The change in πΊ
1 score (in percentage points) compared to the clean graph. Lower is better.
Aleksandar Bojchevski
There is no simple heuristic that can find the adversarial edges.
Adversarial Attacks on Node Embeddings via Graph Poisoning 20 Aleksandar Bojchevski
Node embeddings are vulnerable to adversarial attacks. Find adversarial edges via matrix factorization and the graph spectrum. Relatively few perturbations degrade the embedding quality and the performance on downstream tasks.
Adversarial Attacks on Node Embeddings via Graph Poisoning 21
Poster: #61, Pacific Ballroom, Today Code: github.com/abojchevski/node_embedding_attack
random walks
=
(1a) Matrix factorization
+ β
min
π β = π(
) (1b) optimal β via spectrum (2) Approximate poisoned spectrum
ο± ο± ο±
Aleksandar Bojchevski