Abstract
Deep learning models for graphs have achieved
strong performance for the task of node classification. Despite their proliferation, currently there
is no study of their robustness to adversarial attacks. Yet, in domains where they are likely to be
used, e.g. the web, adversaries are common. Can
deep learning models for graphs be easily fooled?
In this extended abstract we summarize the key
findings and contributions of our work [Zügner and Günnemann, 2019a], in which we introduce
the first study of adversarial attacks on attributed
graphs, specifically focusing on models exploiting
ideas of graph convolutions. In addition to attacks at test time, we tackle the more challenging
class of poisoning/causative attacks, which focus
on the training phase of a machine learning model.
We generate adversarial perturbations targeting the
node’s features and the graph structure, thus taking the dependencies between instances into account.
Moreover, we ensure that the perturbations remain
unnoticeable by preserving important data characteristics. To cope with the underlying discrete domain, we propose an efficient algorithm, NETTACK,
exploiting incremental computations. Our experimental study shows that the accuracy of node classification drops significantly even when performing only a few perturbations. Furthermore, our attacks are transferable: the learned attacks generalize to other state-of-the-art node classification models and to unsupervised approaches, and likewise succeed given only limited knowledge about the graph.
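As an illustration of the attack class described above, the following minimal sketch scores single edge flips around a target node against a linearized two-layer graph-convolution surrogate (logits of the form Â Â X W). It is an assumption-laden toy example, not the NETTACK implementation: all names are illustrative, candidate flips are re-scored by brute-force forward passes rather than by incremental computations, and the unnoticeability constraints on the data characteristics are omitted.

```python
import numpy as np

def normalized_adj(A):
    """Symmetrically normalized adjacency with self-loops: D^{-1/2} (A + I) D^{-1/2}."""
    A_hat = A + np.eye(A.shape[0])
    d_inv_sqrt = 1.0 / np.sqrt(A_hat.sum(axis=1))
    return (A_hat * d_inv_sqrt).T * d_inv_sqrt

def surrogate_logits(A, X, W):
    """Linearized two-layer graph convolution (no nonlinearity between layers)."""
    A_norm = normalized_adj(A)
    return A_norm @ A_norm @ X @ W

def margin(logits, target, true_class):
    """True-class logit of the target node minus its best other-class logit."""
    row = logits[target]
    return row[true_class] - np.delete(row, true_class).max()

def greedy_structure_attack(A, X, W, target, true_class, budget):
    """Greedily toggle the edge incident to the target that most reduces its margin."""
    A = A.copy()
    for _ in range(budget):
        base = margin(surrogate_logits(A, X, W), target, true_class)
        best_gain, best_v = 0.0, None
        for v in range(A.shape[0]):
            if v == target:
                continue
            A[target, v] = A[v, target] = 1 - A[target, v]  # tentative flip
            gain = base - margin(surrogate_logits(A, X, W), target, true_class)
            A[target, v] = A[v, target] = 1 - A[target, v]  # undo
            if gain > best_gain:
                best_gain, best_v = gain, v
        if best_v is None:
            break
        A[target, best_v] = A[best_v, target] = 1 - A[target, best_v]  # commit best flip
    return A

# Toy usage with random data (shapes only; not a real benchmark graph).
rng = np.random.default_rng(0)
A = np.triu((rng.random((10, 10)) < 0.2).astype(float), 1)
A = A + A.T
X, W = rng.random((10, 5)), rng.standard_normal((5, 3))
A_perturbed = greedy_structure_attack(A, X, W, target=0, true_class=1, budget=2)
```

In contrast to this brute-force rescoring of every candidate, NETTACK evaluates perturbations via incremental computations, as noted above, which is what makes the search over structure and feature changes efficient.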