adversarial attacks on node embeddings via graph poisoning
play

Adversarial Attacks on Node Embeddings via Graph Poisoning - PowerPoint PPT Presentation

Jan 28, 2024 •116 likes •336 views

Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan Gnnemann Technical University of Munich ICML 2019 Node embeddings are used to Classify scientific papers Recommend items Classify proteins

  1. Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan Günnemann Technical University of Munich ICML 2019

  2. Node embeddings are used to • Classify scientific papers • Recommend items • Classify proteins • Detect fraud • Predict disease-gene associations num. papers • Spam filtering 200 • ….. 100 0 Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 2

  3. Background: Node embeddings Every node 𝑤 ∈ 𝒲 is mapped to a low-dimensional vector 𝑨 𝑤 ∈ ℝ 𝑒 such that the graph structure is captured. node classification link prediction 𝑗 𝑘 … other tasks ℝ 2 Similar nodes are close to each other in the embedding space. Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 3

  4. Background: Random walk based embeddings Let nodes = words and random walks = sentences. Train a language model, e.g. Word2Vec. train sample graph random walks embeddings Nodes that co-occur in the random-walks have similar embeddings. Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 4

  5. Are node embeddings robust to adversarial attacks? In domains where graph embeddings are used (e.g. the Web) adversaries are common and false data is easy to inject. Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 5

  6. Adversarial attacks in the graph domain adversarial flips: + = add ( ) and/or remove ( ) edges poisoned graph clean graph Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 6

  7. Poisoning: train after the attack ✓ node classification train eval ✓ 𝑗 𝑘 link prediction … ✓ other tasks clean graph clean embedding X node classification train eval X 𝑗 𝑘 link prediction … X other tasks poisoned graph poisoned embedding Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 7

  8. Poisoning attack formally The graph after perturbing some edges ℒ(𝐻, 𝑎 ∗ (𝐻)) 𝐻 𝑞𝑝𝑗𝑡. = argmax 𝐻 ∈ 𝑏𝑚𝑚 𝑕𝑠𝑏𝑞ℎ𝑡 𝐻 𝑑𝑚𝑓𝑏𝑜 −𝐻 ≤𝑐𝑣𝑒𝑕𝑓𝑢 𝑎 ∗ (𝐻) = argmin ℒ(𝐻, 𝑎) 𝑎 The optimal embedding from the to be optimized graph 𝐻 Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 8

  9. Poisoning attack for random walk models The graph after perturbing some edges ℒ(𝐻, 𝑎 ∗ (𝐻)) 𝐻 𝑞𝑝𝑗𝑡. = argmax 𝐻 ∈ 𝑏𝑚𝑚 𝑕𝑠𝑏𝑞ℎ𝑡 𝐻 𝑑𝑚𝑓𝑏𝑜 −𝐻 ≤𝑐𝑣𝑒𝑕𝑓𝑢 𝑎 ∗ (𝐻) = argmin ℒ( 𝑠 1 , 𝑠 2 , … 𝐻 , 𝑎) 𝑠 𝑗 = 𝑠𝑜𝑒_𝑥𝑏𝑚𝑙 𝐻 𝑎 The optimal embedding from the to be optimized graph 𝐻 Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 9

  10. G 𝑞𝑝𝑗𝑡. = argmax min 𝑎 ℒ( 𝑠 1 , 𝑠 2 , … 𝐻 , 𝑎) 𝐻 ∈ 𝑏𝑚𝑚 𝑕𝑠𝑏𝑞ℎ𝑡 𝐻 𝑑𝑚𝑓𝑏𝑜 −𝐻 ≤𝑐𝑣𝑒𝑕𝑓𝑢 Challenges Bi-level optimization problem. Combinatorial search space. Inner optimization includes non-differentiable sampling. Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 10

  11. random walks min 𝑎 ℒ = 𝑔( ) = + ≈ (1b) optimal ℒ via spectrum (1a) Matrix factorization (2) Approximate poisoned spectrum Overview 1. Reduce the bi-level problem to a single-level a) DeepWalk as Matrix Factorization b) Express the optimal ℒ via the graph spectrum 2. Approximate the poisoned graph’s spectrum Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 11

  12. 1. Reduce bi-level problem to a single-level a) DeepWalk corresponds to factorizing the PPMI matrix. transition/degree matrix 𝑄 𝑠 𝐸 −1 𝑈 𝑇 = σ 𝑠=1 𝑁 𝑗𝑘 = log max{𝑑𝑇 𝑗𝑘 , 1} Get the embeddings 𝑎 via SVD of 𝑁 Rewrite 𝑇 in terms of the generalized spectrum of 𝐵 . Λ 𝑠 𝑉 𝑈 𝑈 𝑇 = 𝑉 σ 𝑠=1 𝐵𝑣 = 𝜇𝐸𝑣 generalized eigenvalues/vectors Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 12

  13. 1. Reduce bi-level problem to a single-level b) The optimal loss is now a simple function of the eigenvalues. min 𝑎 ℒ(𝐻, 𝑎) = 𝑔(𝜇 𝑗 , 𝜇 𝑗+1 , … ) Training the embedding is replaced by computing eigenvalues. ⇒ 𝐻 𝑞𝑝𝑗𝑡. = argmax 𝑔(𝜇 𝑗 , 𝜇 𝑗+1 , … ) 𝐻 𝑞𝑝𝑗𝑡. = argmax min 𝑎 ℒ(𝐻, 𝑎) 𝐻 𝐻 Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 13

  14. 2. Approximate the poisoned graph’s spectrum Compute the change using Eigenvalue Perturbation Theory. 𝐵 𝑞𝑝𝑗𝑡𝑝𝑜𝑓𝑒 = 𝐵 𝑑𝑚𝑓𝑏𝑜 + Δ𝐵 𝑈 𝜇 𝑞𝑝𝑗𝑡𝑝𝑜𝑓𝑒 = 𝜇 𝑑𝑚𝑓𝑏𝑜 + 𝑣 𝑑𝑚𝑓𝑏𝑜 Δ𝐵 + 𝜇 𝑑𝑚𝑓𝑏𝑜 Δ𝐸 𝑣 𝑑𝑚𝑓𝑏𝑜 simplifies for a single edge flip (𝑗, 𝑘) 2 + 𝑣 𝑑𝑘 2 ) 𝜇 𝑞 = 𝜇 𝑑 + ΔA 𝑗𝑘 2𝑣 𝑑𝑗 ⋅ 𝑣 𝑑𝑘 − 𝜇 𝑑 (𝑣 𝑑𝑗 # compute in 𝑃(1) Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 14

  15. random walks min 𝑎 ℒ = 𝑔( ) = + ≈ (1b) optimal ℒ via spectrum (1a) Matrix factorization (2) Approximate poisoned spectrum Overall algorithm 1. Compute generalized eigenvalues/vectors ( Λ/𝑉 ) of the graph 2. For all candidate edge flips ( 𝑗 , 𝑘 ) compute the change in 𝜇 𝑗 3. Greedily pick the top candidates leading to largest optimal loss Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 15

  16. General attack Poisoning decreases the overall quality of the embeddings. Our attacks: Gradient baseline: Simple baselines: Clean graph: Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 16

  17. Targeted attack Goal: attack a specific node and/or a specific downstream task. before after before after General Attack Targeted Attack Examples: • Misclassify a single given target node 𝑢 • Increase/decrease the similarity of a set of node pairs 𝒰 ⊂ 𝒲 × 𝒲 Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 17

  18. Targeted attack Most nodes can be misclassified with few adversarial edges. Before attack After attack Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 18

  19. Transferability Our selected adversarial edges transfer to other (un)supervised methods. DeepWalk DeepWalk node Spectral Label Graph budget SVD Sampling 2vec Embed. Prop. Conv. 250 -7.59 -5.73 -6.45 -3.58 -4.99 -2.21 500 -9.68 -11.47 -10.24 -4.57 -6.27 -8.61 The change in 𝐺 1 score (in percentage points) compared to the clean graph. Lower is better. Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 19

  20. Analysis of adversarial edges There is no simple heuristic that can find the adversarial edges. Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 20

  21. Poster: #61, Pacific Ballroom, Today Code: github.com/abojchevski/node_embedding_attack random walks min 𝑎 ℒ = 𝑔( ) = + ≈ (1b) optimal ℒ via spectrum (1a) Matrix factorization (2) Approximate poisoned spectrum Summary  Node embeddings are vulnerable to adversarial attacks.  Find adversarial edges via matrix factorization and the graph spectrum.  Relatively few perturbations degrade the embedding quality and the performance on downstream tasks. Aleksandar Bojchevski Adversarial Attacks on Node Embeddings via Graph Poisoning 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Domain Adaptation with Adversarial Training and Graph Embeddings Firoj Alam Shafiq Joty

Domain Adaptation with Adversarial Training and Graph Embeddings Firoj Alam Shafiq Joty

Domain Adaptation with Adversarial Training and Graph Embeddings Firoj Alam Shafiq Joty Muhammad Imran @firojalam04 @mimran15 Qatar Computing Research Institute (QCRI), HBKU, Qatar School of Computer Science and Engineering Nanyang

986 views • 33 slides
Exploiting Graph Embeddings for Graph Analysis Tasks Fatemeh Salehi Rizi Graph Embedding Day

Exploiting Graph Embeddings for Graph Analysis Tasks Fatemeh Salehi Rizi Graph Embedding Day

Exploiting Graph Embeddings for Graph Analysis Tasks Fatemeh Salehi Rizi Graph Embedding Day University of Lyon September 7, 2018 Outline Circle Prediction Social labels in an ego-network Semantic Content of Vector Embeddings Network

810 views • 46 slides
Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

images from Geris Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem Aykut Erdem Levent Karacan Computer Vision Lab, Hacettepe University Outline Part 1: Attacks on

1.11k views • 72 slides
Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey July 1, 2019 What is a Poisoning Attack? Data poisoning is an attack on machine learning models wherein the attacker adds (or modifies) examples

1.28k views • 12 slides
DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious

DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious

DNS Poisoning Attack Scenarios Vulnerability Analysis Remedies DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious Researcher David Dagon 1 1 Georgia Institute of Technology Atlanta, Georgia

327 views • 28 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed Mahloujifar Mohammad Mahmoody Ameer Mohammed, ICML 2019 Multi-party Learning Application: Federated Learning Federated Learning : Train a centralized

589 views • 34 slides
TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS Chen Zhu*, W. Ronny Huang*^, Ali

TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS Chen Zhu*, W. Ronny Huang*^, Ali

TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS Chen Zhu*, W. Ronny Huang*^, Ali Shafahi, Hengduo Li, Gavin Taylor, Christoph Studer, Tom Goldstein * equal contribution ^ presenter WHAT IS POISONING? Training data Testing

218 views • 19 slides
Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work with Allen Wang and Yaoliang Yu K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 1 / 18 Adversarial Examples Adversarial

1.04k views • 38 slides
Graph Embeddings Alicia Frame, PhD October 10, 2019 Overview Whats an embedding? How do

Graph Embeddings Alicia Frame, PhD October 10, 2019 Overview Whats an embedding? How do

Graph Embeddings Alicia Frame, PhD October 10, 2019 Overview Whats an embedding? How do these work? Motivating Example - Word2Vec - Motivating Example - DeepWalk - Graph embeddings overview Graph embedding techniques Graph embeddings

952 views • 40 slides
of Graph Embeddings Aleksandar Bojchevski Technical University of Munich, Germany Graph

of Graph Embeddings Aleksandar Bojchevski Technical University of Munich, Germany Graph

Uncertainty and Robustness of Graph Embeddings Aleksandar Bojchevski Technical University of Munich, Germany Graph Embedding Day 2018 - Lyon Neglected aspects of graph embeddings Capturing uncertainty Robustness to noise Robustness to

885 views • 67 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
Eugene Syriani Project n = new Node(); n = new Node(); n = new Node(); n.add(graph);

Eugene Syriani Project n = new Node(); n = new Node(); n = new Node(); n.add(graph);

COMP 522 Presented by Eugene Syriani Project n = new Node(); n = new Node(); n = new Node(); n.add(graph); n.add(graph); n.add(graph); lbl = n1; lbl = n1; lbl = n1; n.label = lbl; n.label = lbl; n.label = lbl; n = new

271 views • 15 slides
On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th , 2020 Joint work with Nicholas Carlini, Wieland Brendel and Aleksander Madry What Are Adversarial Examples? 88% Tabby Cat 99% Guacamole Biggio

360 views • 21 slides
Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

508 views • 33 slides
Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao , Shiqing Ma, Yingqi Liu, Xiangyu Zhang Understanding Adversarial Samples Legitimate input Isla Fisher Model Pixel-wise Differences ( 50 times)

482 views • 34 slides
Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1

Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1

Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1 mmer Scalable Server-Side Code with JavaScript Who is Tom? Wrote W3C Standards 10+ years in the web industry Node Worked on projects

705 views • 58 slides
Graph Neural Networks Prof. Srijan Kumar http://cc.gatech.edu/~srijan 1 Srijan Kumar, Georgia

Graph Neural Networks Prof. Srijan Kumar http://cc.gatech.edu/~srijan 1 Srijan Kumar, Georgia

CSE 6240: Web Search and Text Mining. Spring 2020 Graph Neural Networks Prof. Srijan Kumar http://cc.gatech.edu/~srijan 1 Srijan Kumar, Georgia Tech, CSE6240 Spring 2020: Web Search and Text Mining Todays Lecture Introduction to deep

653 views • 39 slides
Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda Introduction nodejS security Npm security packages Node Goat project Tools Node JS JavaScript in the backend Built on

762 views • 43 slides
Express-Node Back-end Building a simple back-end application with Express, Node, and MongoDB

Express-Node Back-end Building a simple back-end application with Express, Node, and MongoDB

Express-Node Back-end Building a simple back-end application with Express, Node, and MongoDB Need for back-end Back-end will connect to a DB, get some results, and do some processing with those results Back-end will save data to the DB

360 views • 17 slides
Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or:

Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or:

Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or: Node.js = JavaScript - A Web Browser Whats it like? Single-threaded Asynchronous & non-blocking Great for real-time applications

493 views • 24 slides
Visualization Techniques for Big Data Jonathon Storrick Jon.Storrick@gmail.com Center for

Visualization Techniques for Big Data Jonathon Storrick Jon.Storrick@gmail.com Center for

CASOS Visualization Techniques for Big Data Jonathon Storrick Jon.Storrick@gmail.com Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/ A brief intro to Meta-Nodes A meta-node is what we

595 views • 11 slides
Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018 This Talk Node.JS and

492 views • 47 slides
REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt

REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt

Practical Course: Web Development REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt Mnchen Practical Course Web Development WS 16/17 - 04 - 1 Todays Agenda APIs What is it? REST

849 views • 39 slides

More recommend