Attacking Graph Neural Networks with Bit Flips: Weisfeiler and Lehman Go Indifferent
- URL: http://arxiv.org/abs/2311.01205v2
- Date: Fri, 16 Aug 2024 09:42:19 GMT
- Title: Attacking Graph Neural Networks with Bit Flips: Weisfeiler and Lehman Go Indifferent
- Authors: Lorenz Kummer, Samir Moustafa, Nils N. Kriege, Wilfried N. Gansterer
- Abstract summary: We propose the first bit flip attack designed specifically for graph neural networks.
Our attack targets the learnable neighborhood aggregation functions in quantized message passing neural networks.
Our findings suggest that exploiting mathematical properties specific to certain graph neural network architectures can significantly increase their vulnerability to bit flip attacks.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Prior attacks on graph neural networks have mostly focused on graph poisoning and evasion, neglecting the network's weights and biases. Traditional weight-based fault injection attacks, such as bit flip attacks used for convolutional neural networks, do not consider the unique properties of graph neural networks. We propose the Injectivity Bit Flip Attack, the first bit flip attack designed specifically for graph neural networks. Our attack targets the learnable neighborhood aggregation functions in quantized message passing neural networks, degrading their ability to distinguish graph structures and losing the expressivity of the Weisfeiler-Lehman test. Our findings suggest that exploiting mathematical properties specific to certain graph neural network architectures can significantly increase their vulnerability to bit flip attacks. Injectivity Bit Flip Attacks can degrade the maximal expressive Graph Isomorphism Networks trained on various graph property prediction datasets to random output by flipping only a small fraction of the network's bits, demonstrating its higher destructive power compared to a bit flip attack transferred from convolutional neural networks. Our attack is transparent and motivated by theoretical insights which are confirmed by extensive empirical results.
Related papers
- Graph Neural Networks for Learning Equivariant Representations of Neural Networks [55.04145324152541]
We propose to represent neural networks as computational graphs of parameters.
Our approach enables a single model to encode neural computational graphs with diverse architectures.
We showcase the effectiveness of our method on a wide range of tasks, including classification and editing of implicit neural representations.
arXiv Detail & Related papers (2024-03-18T18:01:01Z)
- On The Relationship Between Universal Adversarial Attacks And Sparse Representations [38.43938212884298]
We show the connection between adversarial attacks and sparse representations.
Common attacks on neural networks can be expressed as attacks on the sparse representation of the input image.
arXiv Detail & Related papers (2023-11-14T16:00:29Z)
- Dynamics-aware Adversarial Attack of Adaptive Neural Networks [75.50214601278455]
We investigate the dynamics-aware adversarial attack problem of adaptive neural networks.
We propose a Leaded Gradient Method (LGM) and show the significant effects of the lagged gradient.
Our LGM achieves impressive adversarial attack performance compared with the dynamic-unaware attack methods.
arXiv Detail & Related papers (2022-10-15T01:32:08Z)
- Searching for the Essence of Adversarial Perturbations [73.96215665913797]
We show that adversarial perturbations contain human-recognizable information, which is the key conspirator responsible for a neural network's erroneous prediction.
This concept of human-recognizable information allows us to explain key features related to adversarial perturbations.
arXiv Detail & Related papers (2022-05-30T18:04:57Z)
- Black-box adversarial attacks using Evolution Strategies [3.093890460224435]
We study the generation of black-box adversarial attacks for image classification tasks.
Our results show that the attacked neural networks can be, in most cases, easily fooled by all the algorithms under comparison.
Some black-box optimization algorithms may be better in "harder" setups, both in terms of attack success rate and efficiency.
arXiv Detail & Related papers (2021-04-30T15:33:07Z)
- BreakingBED -- Breaking Binary and Efficient Deep Neural Networks by Adversarial Attacks [65.2021953284622]
We study robustness of CNNs against white-box and black-box adversarial attacks.
Results are shown for distilled CNNs, agent-based state-of-the-art pruned models, and binarized neural networks.
arXiv Detail & Related papers (2021-03-14T20:43:19Z)
- Graph Structure of Neural Networks [104.33754950606298]
We show how the graph structure of neural networks affects their predictive performance.
A "sweet spot" of relational graphs leads to neural networks with significantly improved predictive performance.
Top-performing neural networks have graph structure surprisingly similar to those of real biological neural networks.
arXiv Detail & Related papers (2020-07-13T17:59:31Z)
- Graph Structure Learning for Robust Graph Neural Networks [63.04935468644495]
Graph Neural Networks (GNNs) are powerful tools in representation learning for graphs.
Recent studies show that GNNs are vulnerable to carefully-crafted perturbations, called adversarial attacks.
We propose a general framework Pro-GNN, which can jointly learn a structural graph and a robust graph neural network model.
arXiv Detail & Related papers (2020-05-20T17:07:05Z)
- Improved Gradient based Adversarial Attacks for Quantized Networks [15.686134908061995]
We show that quantized networks suffer from gradient vanishing issues and show a fake sense of robustness.
By attributing gradient vanishing to poor forward-backward signal propagation in the trained network, we introduce a simple temperature scaling approach to mitigate this issue.
arXiv Detail & Related papers (2020-03-30T14:34:08Z)
- Indirect Adversarial Attacks via Poisoning Neighbors for Graph Convolutional Networks [0.76146285961466]
Abusing graph convolutions, a node's classification result can be influenced by poisoning its neighbors.
We generate strong adversarial perturbations which are effective not only on one-hop neighbors, but also farther from the target.
Our proposed method shows 99% attack success rate within two-hops from the target in two datasets.
arXiv Detail & Related papers (2020-02-19T05:44:09Z)
- Adversarial Attacks on Graph Neural Networks via Meta Learning [4.139895092509202]
We investigate training time attacks on graph neural networks for node classification perturbing the discrete graph structure.
Our core principle is to use meta-gradients to solve the bilevel problem underlying training-time attacks.
arXiv Detail & Related papers (2019-02-22T09:20:05Z)
This list is automatically generated from the titles and abstracts of the papers in this site.