Adversarial Attacks on Deep Graph Matching
Authors: Zijie Zhang, Zeru Zhang, Yang Zhou, Yelong Shen, Ruoming Jin, Dejing Dou
NeurIPS 2020 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We evaluate the effectiveness of the attack model on real datasets and validate that the attacks can be transferable to other graph learning models.Empirical evaluation on real datasets demonstrates the superior performance of the GMA model against several state-of-the-art adversarial attack methods on graph data. Moreover, we validate that the attack strategies are transferable to other popular graph learning models in Appendix A.2.In this section, we will show the effectiveness of the GMA model in this work for deep graph matching tasks over three groups of datasets: social networks (SNS) [98], autonomous systems (AS) [2], and DBLP coauthor graphs [1], as shown in Table 1.Baselines. We compare the GMA model with six state-of-the-art graph attack models.Random Attack randomly adds and removes edges to generate perturbed graphs. RL-S2V [14, 123] generates adversarial attacks on graph data based on reinforcement learning. Meta-Self [125] is a poisoning attack model for node classification by using meta-gradients to solve the bilevel optimization problem. CW-PGD [86] developed a PGD topology attack to attack a predefined or a retrainable GNN. GFAttack [5] attacks general learning methods by devising new loss and approximating the spectrum. CD-ATTACK [41] hides nodes in the community by attacking the graph autoencoder model. The majority of existing efforts focus on adversarial attacks on single graph learning. To our best knowledge, there are no other attack baselines on graph matching available. We replace the original losses in the baselines with the matching loss for fair comparison in the experiments. |
| Researcher Affiliation | Collaboration | Zijie Zhang Auburn University zzz0092@auburn.edu Zeru Zhang Auburn University zzz0054@auburn.edu Yang Zhou Auburn University yangzhou@auburn.edu Yelong Shen Microsoft Dynamics 365 AI yeshe@microsoft.com Ruoming Jin Kent State University rjin1@kent.edu Dejing Dou University of Oregon, Baidu Research dou@cs.uoregon.edu, doudejing@baidu.com |
| Pseudocode | Yes | Algorithm 1 Bandwidth Matrix Estimation Input: graph G1 = (V 1, E1), parameter 0 < s < 1, initial bandwidth b0, and parameter c. Output: Bandwidth matrix B.Algorithm 2 Meta Learning-based Projected Gradient Descent (MLPGD) Input: Batches D1, , DC in a set D of node pairs, initial general policy parameters {θ1, θ2}, adaptation step size α, meta step size β. Output: Optimized {θ1, θ2}.Algorithm 3 Gradient Estimation e Dc, {θ1, θ2}, N, λ Input: Batch Dc, general parameters {θ1, θ2}, number of samples N in Monte Carlo REINFORCE, smoothing parameter λ. Output: Gradient estimation of a.Algorithm 4 Adversarial Attack a Dc, {θ1 c, θ2 c} Input: Batch Dc, perturbation budget ϵ, specific parameters {θ1 c, θ2 c} Output: Attack loss LDc on Dc. |
| Open Source Code | No | The paper does not provide an explicit statement about releasing source code for the methodology or a link to a code repository. It mentions validating attack strategies transferable to other models in an appendix, but this is not a code release statement. |
| Open Datasets | Yes | In this section, we will show the effectiveness of the GMA model in this work for deep graph matching tasks over three groups of datasets: social networks (SNS) [98], autonomous systems (AS) [2], and DBLP coauthor graphs [1], as shown in Table 1.Table 1: Experiment Datasets Dataset AS SNS DBLP Graph v1 v2 Last.fm Live Journal 2013 2014 #Nodes 10,900 11,113 5,682 17,828 28,478 26,455 #Edges 31,180 31,434 23,393 244,496 128,073 114,588 #Matched Nodes 6,462 2,138 4,000 |
| Dataset Splits | No | The paper states, "We randomly sample 10% of known matched node pairs as training data and the rest as test data." This specifies training and test splits but does not mention a separate validation split or how one might be derived. |
| Hardware Specification | No | The paper does not specify the hardware used for running the experiments (e.g., CPU, GPU models, memory, or cloud computing instances with their specifications). |
| Software Dependencies | No | The paper does not provide specific details about ancillary software dependencies with version numbers (e.g., programming languages, libraries, or frameworks with their versions). |
| Experiment Setup | Yes | ϵ specifies the budget of allowed perturbed edges for each attacked node. For all attack models, the number of perturbed edges is fixed to 5% in these experiments. We use two popular measures in graph matching to verify the attack quality: Accuracy [93, 10, 95] and Precision@K [101, 13, 97]. A larger mismatching rate (i.e., 1 Accuracy on test data) or a smaller Precision@K shows a better attack. K is fixed to 30 in all tests. Here, the number of perturbed edges is fixed to 5%. We make the following observations on the performances by eight attack models. Figure 6 (a) measures the performance effect of ϵ in the MLPGD model for the graph matching by varying ϵ from 1 to 5. Figure 6 (b) shows the impact of α in our MLPGD model over three groups of datasets. |