TEMPORAL DYNAMICS AWARE ADVERSARIAL ATTACKS ON DISCRETE-TIME GRAPH MODELS Anonymous authors Paper under double-blind review

Abstract

Real-world graphs such as social networks, communication networks, and rating networks are constantly evolving over time. Many architectures have been developed to learn effective node representations using both graph structure and its dynamics. While the robustness of static graph models is well-studied, the vulnerability of the dynamic graph models to adversarial attacks is underexplored. In this work, we design a novel adversarial attack on discrete-time dynamic graph models where we desire to perturb the input graph sequence in a manner that preserves the temporal dynamics of the graph. To this end, we motivate a novel Temporal Dynamics-Aware Perturbation (TDAP) constraint, which ensures that perturbations introduced at each time step are restricted to only a small fraction of the number of changes in the graph since the previous time step. We present a theoretically-grounded Projected Gradient Descent approach for dynamic graphs to find the effective perturbations under the TDAP constraint. Experiments on two tasks -dynamic link prediction and node classification, show that our approach is up to 4x more effective than the baseline methods for attacking these models. We also consider the practical online setting where graph snapshots become available in real-time and extend our attack approach to use Online Gradient Descent for performing attacks under the TDAP constraint. In this more challenging setting, we demonstrate that our method achieves up to 5x superior performance when compared to representative baselines.

1. INTRODUCTION

Graph Neural Networks (GNNs) have been shown to be vulnerable to adversarial perturbations (Jin et al., 2020; Bojchevski & Günnemann, 2019; Dai et al., 2018; Wu et al., 2019; Zügner et al., 2018; Ma et al., 2020a) . This has raised major concerns against their use in important industrial applications such as friend/product recommendation (Ying et al., 2018; Sankar et al., 2021; Tang et al., 2020) and fraud detection (Zhao et al., 2021; Hooi et al., 2017) . However, these advancements in designing attack and defense mechanisms have predominantly focused on GNN models for static, non-evolving graphs. In reality, the graph structure evolves with time as new interactions happen and new connections are formed (Leskovec et al., 2007; Kossinets & Watts, 2006) . GNN models that incorporate the temporal information are shown to outperform their static counterparts in modeling dynamic networks on tasks such as predicting link existence in the future (Kazemi et al., 2020; Pareja et al., 2020; Sankar et al., 2020; Goyal et al., 2018; Chen et al., 2018) . However, the vulnerability of dynamic graph models to adversarial perturbations is less studied. The design of adversarial attacks for dynamic graphs is challenging for two reasons -(1) Attacks must simultaneously optimize both the edge(s) to perturb and when to perturb them, and more importantly, (2) Attacks must preserve the original graph evolution after perturbation in order to be less detectable. Attacks that disturb original graph evolution are not desired since they can be detected as anomalies by defense mechanisms, e.g. graph anomaly detection methods (Akoglu et al., 2015; Bunke et al., 2007; Cai et al., 2021) . Therefore, it is crucial to formulate adversarial attacks over snapshots such that they do not significantly alter the original change in the graph structure. In this work, we introduce a novel Temporal Dynamics-Aware Perturbation (TDAP) constraint to formulate evolution-preserving attacks on discrete-time dynamic graphs. This constraint asserts that the number of modifications added at the current timestep should only be a small fraction of the actual number of changes with respect to the preceding timestep. We show theoretically that perturbations made under TDAP constraint preserves the rate of change both in the structural and the embedding spaces. To find effective attacks under this proposed constraint, we consider a targeted, white-box, and evasion setting. As noted in Table 1 , no prior works exist that can find attacks under our novel setting. Thus, we present a theoretically-grounded Temporal Dynamics-aware Projected Gradient Descent (TD-PGD) approach. The locality of the constraint in time allows us to easily extend this approach to find attacks in a more practical online setting (Mladenovic et al., 2021) that has not been studied before for dynamic graphs. Here, perturbations are found in real-time without any knowledge of the future snapshots. Our contributions can be summarized as follows: 1. We introduce a novel Temporal Dynamics-Aware Perturbation (TDAP) constraint to make perturbations in discrete-time dynamic graphs that preserves the evolution of the graphs. 2. We present a theoretically-grounded PGD-based white-box attack to find effective attacks on dynamic graphs under the novel TDAP constraint in both offline and online settings. 3. We show that TD-PGD outperforms the baselines across 4 different datasets and 3 victim models on both dynamic link prediction and node classification tasks. 4. We test the attacks on dynamic graphs in a novel online setting and show that the online version of TD-PGD shows improved performance over existing baselines.

2. RELATED WORK

Representation Learning for Dynamic Graphs. GNNs have been combined with sequential modeling architectures (Kazemi et al., 2020) to model dynamic graphs. For instance, discrete-time graphs have been modeled by using GNNs and RNNs together in a pipeline (Narayan & Roe, 2018; Manessi et al., 2020) or an embedded manner (Chen et al., 2018; Pareja et al., 2020) . Attention-based models have also been proposed to jointly encode the graph structure and its dynamics (Sankar et al., 2020) . For continuous-time graphs, both RNN (Kumar et al., 2019; Trivedi et al., 2017; 2019; Ma et al., 2020b) and attention-based models (Rossi et al., 2020; Xu et al., 2020) have been proposed such that embeddings are updated in real time upon an occurrence of a new event. Adversarial attacks on graphs. Static GNNs are known to be vulnerable to adversarial attacks in different settings (Jin et al., 2020 Imperceptible perturbations. The most common strategy to formulate imperceptible attacks on graphs is to bound the total number of perturbations. In the case of dynamic graphs, perturbations must preserve the temporal flow to be imperceptible. Traditional anomaly detection algorithms flag an instance to be anomalous if distance between consecutive snapshots crosses a threshold (Akoglu et al., 2015) . In particular, Graph Edit Distance and Hamming distance between adjacency matrices have been used to monitor communication networks (Shoubridge et al., 2002; Bunke et al., 2007) . Neural approaches have looked at the consecutive change in the embedding space to detect anomalies without feature extraction (Goyal et al., 2018; Cai et al., 2021) .



Comparison of our attack with existing works on graph adversarial attacks. Note that an attack is TDAP if the perturbations made are aware of the temporal dynamics.

). White-box attacks are studied assuming complete knowledge of the underlying model Wu et al. (2019); Xu et al. (2019b). Limiting the model knowledge, gray-box (Zügner et al., 2018) and black-box attacks(Dai et al., 2018)  have also been proposed. In comparison, the literature on adversarial attacks for dynamic graphs is scarce. Time-aware Gradient Attack (TGA) (Chen et al., 2021b) is a white-box evasion attack that greedily selects the perturbations across time under a budget constraint. In addition, attacks to poison training data (Chen et al., 2021a) and black-box attacks using RL approaches(Fan et al., 2020)  have also been proposed.

