The identical distribution hypothesis is equivalent to the parameter discrepancy hypothesis: Adversarial attacks on graph neural networks

Abstract

Graph neural networks are vulnerable to adversarial attacks. Previous studies have mainly focused on the describing attack methodology, but few attempted to refine model hypotheses. This paper summarizes current attack theories as contradictory data hypotheses, highlighting the lacking vital precondition: distribution consistency between training and test sets. We propose an identical distribution hypothesis to address this issue and consequently establish a consistent attack model. Then we analyze the distinctive problem for a graph poisoning attack, derive the influence of perturbations in the training set on the test set, and delimit the attack feasible region. The attack model’s closed form solution is proposed and proven on the attack gradient, and we show that the proposed method based on the identical distribution hypothesis is equivalent to inducing significant changes for training parameters before and after an attack, establishing the equivalence between the hypotheses of identical distribution and parameter discrepancy. Numerical examples validate the attack gradient correctness and equivalence theorem, and experimental results verify the reasonableness of the identical distribution hypothesis and the effectiveness of the proposed method. The proposed attacks outperform current state-of-the-art attacks.