Attacking Graph Neural Networks with Bit Flips: Weisfeiler and Leman Go Indifferent

Publications: Contribution to bookContribution to proceedingsPeer Reviewed

Abstract

Prior attacks on graph neural networks have focused on graph poisoning and evasion, neglecting the network's weights and biases. For convolutional neural networks, however, the risk arising from bit flip attacks is well recognized. We show that the direct application of a traditional bit flip attack to graph neural networks is of limited effectivity. Hence, we discuss the Injectivity Bit Flip Attack, the first bit flip attack designed specifically for graph neural networks. Our attack targets the learnable neighborhood aggregation functions in quantized message passing neural networks, degrading their ability to distinguish graph structures and impairing the expressivity of the Weisfeiler-Leman test. We find that exploiting mathematical properties specific to certain graph neural networks significantly increases their vulnerability to bit flip attacks. The Injectivity Bit Flip Attack can degrade the maximal expressive Graph Isomorphism Networks trained on graph property prediction datasets to random output by flipping only a small fraction of the network's bits, demonstrating its higher destructive power compared to traditional bit flip attacks transferred from convolutional neural networks. Our attack is transparent, motivated by theoretical insights and confirmed by extensive empirical results.

Original languageEnglish
Title of host publicationProceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining
Subtitle of host publicationKDD 2024
Place of PublicationNew York
PublisherAssociation for Computing Machinery (ACM)
Pages1428-1439
Number of pages12
ISBN (Electronic)9798400704901
ISBN (Print)979-8-4007-0490-1
DOIs
Publication statusPublished - 25 Aug 2024
Event30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining - Barcelona, Spain
Duration: 25 Aug 202429 Aug 2024

Conference

Conference30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining
Country/TerritorySpain
CityBarcelona
Period25/08/2429/08/24

Austrian Fields of Science 2012

  • 102019 Machine learning

Keywords

  • bit flip attacks
  • graph neural network

Cite this