Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

The Defender's Dilemma: Are Defense Methods Against Different Attacks on Machine Learning Models Compatible?

https://doi.org/10.15514/ISPRAS-2024-36(5)-8

Abstract

With the increasing use of artificial intelligence (AI) models, more attention is being paid to the trustworthiness and security of AI systems against various types of threats (evasion attacks, poisoning, membership inference, etc.). In this work, we focus on the task of graph node classification, which we single out as one of the most complex settings. To the best of our knowledge, this is the first study exploring the relationship between defense methods for AI models against different types of threats on graph data. Our experiments are conducted on citation and purchase graph datasets. We demonstrate that, in general, it is not advisable to simply combine defense methods for different types of threats, as this can lead to severe negative consequences, including a complete loss of model effectiveness. Furthermore, we provide a theoretical proof of the contradiction between defense methods against poisoning attacks on graphs and adversarial training.

About the Authors

Georgii Vladimirovich SAZONOV
Ivannikov Institute of System Programming of the Russian Academy of Sciences, Lomonosov Moscow State University
Russian Federation

Employee of the Information Systems Department of the Ivannikov Institute for System Programming of the Russian Academy of Sciences; master's student at Lomonosov Moscow State University.

Kirill Sergeevich LUKYANOV
Ivannikov Institute of System Programming of the Russian Academy of Sciences, Moscow Institute of Physics and Technology (National Research University), Research Center for Trusted Artificial Intelligence ISP RAS
Russian Federation

Researcher at the Research Center for Trusted Artificial Intelligence of the Ivannikov Institute for System Programming of the Russian Academy of Sciences; postgraduate student at the Moscow Institute of Physics and Technology.

Igor Nikolaevich MELESHIN
Lomonosov Moscow State University
Russian Federation

Employee of the Laboratory of Computer Graphics and Multimedia at Lomonosov Moscow State University; undergraduate student at Lomonosov Moscow State University.

For citation:

SAZONOV G.V., LUKYANOV K.S., MELESHIN I.N. The Defender's Dilemma: Are Defense Methods Against Different Attacks on Machine Learning Models Compatible? Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2024;36(5):109-126. (In Russ.) https://doi.org/10.15514/ISPRAS-2024-36(5)-8
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)