adversarial robustness of machine learning models for
play

Adversarial Robustness of Machine Learning Models for Graphs Prof. - PowerPoint PPT Presentation

Jan 10, 2024 •382 likes •669 views

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Gnnemann Can you

  1. Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Günnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann

  2. Can you trust the predictions of Adversarial Robustness of Machine Learning Models for Graphs graph-based ML models? Prof. Dr. Stephan Günnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann

  3. Graphs are Everywhere Computational Computational Chemistry, Social Proteomics, Biology Sciences Reasoning Systems Scene Graphs Meshes Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 2

  4. Machine Learning for Graphs § Graph neural networks have become extremely popular § Example: GNNs for semi-supervised node classification ($) = ' ) " ⋅ + $,- ⋅ . $ ( ℎ " ? Message ? passing ? ? ? GNN ? ? Partially labeled, attributed graph Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 3

  5. Graphs & Robustness Are machine learning models for graphs robust with respect to (adversarial) perturbations? § Reliable/safe use of ML models requires correctness even in the worst-case – adversarial perturbations = worst-case corruptions § Adversaries are common in many application scenarios where graphs are used (e.g. recommender systems, social networks, knowledge graphs) Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 4

  6. Adversarial Attacks in the Image Domain § State-of-the-art (deep) learning methods are not robust against small deliberate perturbations Training data Model 99% Training Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 5

  7. Adversarial Attacks in the Image Domain § State-of-the-art (deep) learning methods are not robust against small deliberate perturbations Training data Model 92% Training Perturbed image Perturbation Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 6

  8. The relational nature of the data might… Improve Robustness Cause Cascading Failures predictions are computed jointly perturbations in one part of the graph rather than in isolation can propagate to the rest ? Message ? ? passing ? ? ML for graphs ? ? Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 7

  9. Remaining Roadmap ü Introduction & Motivation 2. Are ML models for graphs robust? 3. Can we give guarantees, i.e. certificates? 4. Conclusion Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 8

  10. Semi-Supervised Node Classification ? Message ? ? passing ? ? ML for graphs ? ? Partially labeled, attributed graph Can we change the predictions by slightly perturbing the data? Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 9

  11. Unique Aspects of the Graph Domain Target node Attacker node Attacker node Target node ! ∈ # : node whose classification label we want to change Attacker nodes $ ⊂ # : nodes the attacker can modify Direct attack ( $ = {!} ) Indirect attack ( ! ∉ $ ) Example Example Modify the Modify the § § Change website Hijack friends attackers ‘ features target ‘s features content of target § Add connections Add connections § Buy likes/ to the attackers to the target followers Create a link/ spam farm Remove connections § Remove connections § Unfollow from the attackers from the target untrusted users Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 10

  12. 7′ ∈ 0,1 K×K : modified adjacency matrix 8′ ∈ 0,1 K×M : modified node attributes Single Node Attack for a GCN N : target node 2 2 $ % ,' % min min ()( *+, log 0 1,( *+, − log 0 1,( where 0 2 = 5 6 7 2 , 8 2 = 9:5;<=> ? 7′8′E F E G 7′ ABCD ? § Classification margin > 0: no change in classification < 0: change in classification Message passing § Core idea: Linearization → efficient greedy approach Zügner, Akbarnejad, Günnemann. Adversarial Attacks on Neural Networks for Graph Data. KDD 2018 Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 11

  13. Results: Cora Data Poisoning attack on GCN Poisoning attack on DeepWalk 1 . 0 1 . 0 Correct Classification margin classification 0 . 5 0 . 5 0 . 0 0 . 0 Wrong − 0 . 5 − 0 . 5 classification − 1 . 0 − 1 . 0 Ours Gradient Random Clean Ours- Ours Gradient Random Clean Ours- Ours Grad. Inter-class Clean Ours Ours Grad. Inter-class Clean Ours Direct Direct Direct Indirect Direct Direct Direct Indirect Direct Random Indirect Direct Random Indirect % Correct: 1.0% 2.7% 60.8% 90.3% 67.2% 2.1% 9.8% 46.2% 83.8% 59.2% Graph learning models are not robust to adversarial perturbations. Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 12

  14. Results: Cora Data Poisoning attack on GCN Poisoning attack on DeepWalk 1 . 0 1 . 0 Correct Classification margin classification 0 . 5 0 . 5 0 . 0 0 . 0 Wrong − 0 . 5 − 0 . 5 classification − 1 . 0 − 1 . 0 Ours Gradient Random Clean Ours- Ours Gradient Random Clean Ours- Ours Grad. Inter-class Clean Ours Ours Grad. Inter-class Clean Ours Direct Direct Direct Indirect Direct Direct Direct Indirect Direct Random Indirect Direct Random Indirect % Correct: 1.0% 2.7% 60.8% 90.3% 67.2% 2.1% 9.8% 46.2% 83.8% 59.2% Graph learning models are not robust to adversarial perturbations. Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 13

  15. Results: Analysis Given a target node ! , what are the properties of the nodes an attack "connects to"/"disconnects from"? fraction of nodes Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 14

  16. Results: Attacking Multiple Nodes Jointly Aim: Damage the overall Accuracy on test set (Citeseer data) performance on the test set 70 Accuracy (%) Clean graph Core idea: Meta-learning Poisoned graph Treat the graph as a hyper- • 60 parameter to optimize Backpropagate through the • 50 learning phase CLN GCN Log. reg. Using a perturbed graph is worse than using attributes alone! Zügner, Günnemann. Adversarial Attacks on Graph Neural Networks via Meta Learning. ICLR 2019 Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 15

  17. Intermediate Summary § Graph neural networks are highly vulnerable to adversarial perturbations – Targeted as well as global attacks – Performance on the perturbed graph might even be lower compared to only using attributes (no structure) – Attacks are successful even under restrictive attack scenarios , e.g. no access to target node or limited knowledge about the graph § Non-Robustness holds for graph embeddings as well – see e.g. Bojchevski, Günnemann. ICML 2019 ℝ " Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 16

  18. Remaining Roadmap ü Introduction & Motivation ü Are ML models for graphs robust? No! 3. Can we give guarantees, i.e. certificates? Robustness certificate: 4. Conclusion Mathematical guarantee that the predicted class of an instance does not change under any admissible perturbation Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 17

  19. Classification margin 1 Classification margin: 1 1 1 1 0 &'& ∗ log ,(. ∗ ) − log ,(.) ! = min 1 1 0 ? > 0: correct classification 0 Graph neural 0 0 < 0: incorrect classification Class 1 Class 2 Class 3 network 1 0 1 Class predictions Graph of target node Bojchevski, Günnemann. Certifiable Robustness to Graph Perturbations. NeurIPS 2019 Zügner, Günnemann. Certifiable Robustness and Robust Training for Graph Convolutional Networks. KDD 2019 Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 18

  20. Classification margin 1 after perturbation Classification margin: Negative margin 1 1 1 1 0 &'& ∗ log ,(. ∗ ) − log ,(.) ! = min 0 1 1 0 ? > 0: correct classification 1 0 Graph neural 0 0 < 0: incorrect classification Class 1 Class 2 Class 3 network 1 0 1 Class predictions Graph of target node Classification margin ! Worst-case margin ! ∗ = minimize log , . ∗ − log ,(.) min >?9== &'& ∗ 345675896:;<= Bojchevski, Günnemann. Certifiable Robustness to Graph Perturbations. NeurIPS 2019 Zügner, Günnemann. Certifiable Robustness and Robust Training for Graph Convolutional Networks. KDD 2019 Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 19

  21. Core Idea: Robustness Certification Classification Reachable via margin log $(& ) ) perturbations Positive margin No perturbation (robust) Worst possible Decision (intractable, unknown) robust boundary Worst-case Convex Lower bound margin relaxation (tractable) 0 Lower bound on the not robust Robustness worst-case margin Negative margin (not robust) certificate log $(& ' ) Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 20

  22. Robustness Certification: Citeseer 80 60 40 <25% of nodes robust, 20 >50% certifiably nonrobust 0 for 10 perturbations. Allowed Perturbations Adversarial Robustness of Machine Learning Models for Graphs S. Günnemann 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success data learning Benchmark Performance 100 95 Accuracy 90 85 Millions of Images 80 Deep models 75 Challenge to recognize 1000

1.2k views • 60 slides
Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

The 37th International Conference on Machine Learning (ICML20), Jul 12 th - 18 th , 2020. Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 , My T. Thai 2 , Han Hu 1 , Ruoming Jin 3 , Tong Sun 4 ,

860 views • 23 slides
Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml Tutorial website: @zicokolter @aleks_madry adversarial-ml-tutorial.org Machine Learning: The Success Story Image classification Reinforcement Learning

528 views • 49 slides
Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness Ian Goodfellow, OpenAI Research Scientist NIPS 2016 Workshop on Bayesian Deep Learning Barcelona, 2016-12-10 Speculation on Three Topics Can we

769 views • 21 slides
Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of Computer Science The Czech Academy of Sciences Hora Informaticae 2016 Outline Introduction Works on adversarial examples Our work Genetic

855 views • 46 slides
Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung

Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung

Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung Wu Department of Computer Science, National Tsing Hua University, Taiwan International Conference on Machine Learning, 2020 Y.H. Wu, C.H. Yuan,

1.3k views • 52 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. &quot;Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

738 views • 52 slides
Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes &amp; George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes &amp; George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes &amp; George Danezis UCL Adversarial examples transfer between different models. An adversarial example crafted against one model will generally fool other models.

515 views • 18 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &amp;

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &amp;

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &amp; Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Adversarial Training for Deep Learning : A Framework for Improving Robustness, Generalization and

Adversarial Training for Deep Learning : A Framework for Improving Robustness, Generalization and

Adversarial Training for Deep Learning : A Framework for Improving Robustness, Generalization and Interpretability Zhanxing Zhu School of Mathematical Sciences, Peking University zhanxing.zhu@pku.edu.cn

1.02k views • 66 slides
Generative Adversarial Nets(GANs) Troy Cary and Chenzhi Zhao A generative adversarial net is

Generative Adversarial Nets(GANs) Troy Cary and Chenzhi Zhao A generative adversarial net is

Generative Adversarial Nets(GANs) Troy Cary and Chenzhi Zhao A generative adversarial net is a type of neural net, used in deep learning/machine learning problems The goal of a GAN is to train two simultaneous models: a generative model

441 views • 18 slides
AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November 14 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Future of Ad-Blocking easylist.txt markup

612 views • 23 slides
Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to Nicolas Papernot, Ian Goodfellow, and Jerry Zhu for some slides . Machine learning brings social disruption at scale Healthcare Energy Source: Peng and

821 views • 71 slides
Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu Pang, Kun Xu, Chao Du, Ning Chen and Jun Zhu Department of Computer Science and Technology Tsinghua University TSAIL ICML | 2019 Adversarial

864 views • 14 slides
Critical Friends Panel 1 EQ Communications Who we are Housekeeping Agenda 2 Purpose

Critical Friends Panel 1 EQ Communications Who we are Housekeeping Agenda 2 Purpose

September 2018 Critical Friends Panel 1 EQ Communications Who we are Housekeeping Agenda 2 Purpose of today Provide you with Get your valued an update on what input into our weve been doing future stakeholder since we last

988 views • 53 slides
Development in the Civil Infrastructure Platform Yoshitake Kobayashi Embedded Linux Conference,

Development in the Civil Infrastructure Platform Yoshitake Kobayashi Embedded Linux Conference,

SLTS Kernel and Base-Layer Development in the Civil Infrastructure Platform Yoshitake Kobayashi Embedded Linux Conference, Portland, February 21-23, 2017 1 Our Civilization is Run by Linux 2

619 views • 43 slides
VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011

VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011

VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 *Thanks to Prof. Angelos Keromytis for materials for these lecture slides. CSE545 - Advanced Network Security - Professor McDaniel Page 1 Example of

941 views • 34 slides
Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler

Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler

Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler robert.pitcher@ps.gc.ca Public Safety Canada FIRST Conference 15 June 2011 Agenda Canadian Cyber Incident Response Centre Roles and Responsibilities

408 views • 21 slides
Some recent results from ICARUS C. FARNESE INFN Padova On behalf of the ICARUS Collaboration

Some recent results from ICARUS C. FARNESE INFN Padova On behalf of the ICARUS Collaboration

Some recent results from ICARUS C. FARNESE INFN Padova On behalf of the ICARUS Collaboration NEUTRINO 2014 Boston 2-7 June 2014 The ICARUS Collaboration M. Antonello a , B. Baibussinov b , P. Benetti c , F. Boffelli c , A. Bubak l , E.

420 views • 19 slides
Results from the ICARUS experimental search in the LSND

Results from the ICARUS experimental search in the LSND

Results from the ICARUS experimental search in the LSND anomaly region E&gt;ore Segreto on behalf of the ICARUS Collabora@on The ICARUS Collabora0on M.

497 views • 26 slides
Looking for chiral anomaly in K K reactions Phys. Rev. D93 , 094029 (2016); 1512.04438 M.

Looking for chiral anomaly in K K reactions Phys. Rev. D93 , 094029 (2016); 1512.04438 M.

Looking for chiral anomaly in K K reactions Phys. Rev. D93 , 094029 (2016); 1512.04438 M. I. Vysotsky, E. V. Zhemchugov A. I. Alikhanov Institute for Theoretical and Experimental Physics Moscow, Russia 14th International Workshop on

469 views • 18 slides
Scattering Amplitudes and Extra Dimensions in AdS/CFT Eric Perlmutter Caltech, Simons

Scattering Amplitudes and Extra Dimensions in AdS/CFT Eric Perlmutter Caltech, Simons

Scattering Amplitudes and Extra Dimensions in AdS/CFT Eric Perlmutter Caltech, Simons Collaboration on Nonperturbative Bootstrap SISSA/ICTP Joint Seminar, 18 September 2019 One of the physical worlds most fascinating features is its

1.38k views • 94 slides

More recommend