Projekte pro Jahr
Abstract
Prior attacks on graph neural networks have mostly focused on graph poisoning
and evasion, neglecting the network’s weights and biases. Traditional weight-
based fault injection attacks, such as bit flip attacks used for convolutional neural
networks, do not consider the unique properties of graph neural networks. We pro-
pose the Injectivity Bit Flip Attack, the first bit flip attack designed specifically for
graph neural networks. Our attack targets the learnable neighborhood aggregation
functions in quantized message passing neural networks, degrading their ability to
distinguish graph structures and losing the expressivity of the Weisfeiler-Lehman
test. Our findings suggest that exploiting mathematical properties specific to cer-
tain graph neural network architectures can significantly increase their vulnerabil-
ity to bit flip attacks. Injectivity Bit Flip Attacks can degrade the maximal expres-
sive Graph Isomorphism Networks trained on various graph property prediction
datasets to random output by flipping only a small fraction of the network’s bits,
demonstrating its higher destructive power compared to a bit flip attack transferred
from convolutional neural networks. Our attack is transparent and motivated by
theoretical insights which are confirmed by extensive empirical results.
and evasion, neglecting the network’s weights and biases. Traditional weight-
based fault injection attacks, such as bit flip attacks used for convolutional neural
networks, do not consider the unique properties of graph neural networks. We pro-
pose the Injectivity Bit Flip Attack, the first bit flip attack designed specifically for
graph neural networks. Our attack targets the learnable neighborhood aggregation
functions in quantized message passing neural networks, degrading their ability to
distinguish graph structures and losing the expressivity of the Weisfeiler-Lehman
test. Our findings suggest that exploiting mathematical properties specific to cer-
tain graph neural network architectures can significantly increase their vulnerabil-
ity to bit flip attacks. Injectivity Bit Flip Attacks can degrade the maximal expres-
sive Graph Isomorphism Networks trained on various graph property prediction
datasets to random output by flipping only a small fraction of the network’s bits,
demonstrating its higher destructive power compared to a bit flip attack transferred
from convolutional neural networks. Our attack is transparent and motivated by
theoretical insights which are confirmed by extensive empirical results.
| Originalsprache | Englisch |
|---|---|
| Titel | Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining |
| Untertitel | KDD 2024 |
| Erscheinungsort | New York |
| Herausgeber (Verlag) | Association for Computing Machinery (ACM) |
| Seiten | 1428-1439 |
| Seitenumfang | 12 |
| ISBN (Print) | 979-8-4007-0490-1 |
| DOIs | |
| Publikationsstatus | Veröffentlicht - 24 Aug. 2024 |
| Veranstaltung | 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining - Barcelona, Spanien Dauer: 25 Aug. 2024 → 29 Aug. 2024 |
Konferenz
| Konferenz | 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining |
|---|---|
| Land/Gebiet | Spanien |
| Ort | Barcelona |
| Zeitraum | 25/08/24 → 29/08/24 |
ÖFOS 2012
- 102019 Machine Learning
Fingerprint
Untersuchen Sie die Forschungsthemen von „Attacking Graph Neural Networks with Bit Flips: Weisfeiler and Leman Go Indifferent“. Zusammen bilden sie einen einzigartigen Fingerprint.Projekte
- 1 Laufend
-
Algorithmic Data Science for Computational Drug Discovery
1/05/20 → 30/11/28
Projekt: Forschungsförderung