Timezone: »

Randomized Message-Interception Smoothing: Gray-box Certificates for Graph Neural Networks
Yan Scholten · Jan Schuchardt · Simon Geisler · Aleksandar Bojchevski · Stephan Günnemann

Tue Nov 29 09:00 AM -- 11:00 AM (PST) @ Hall J #205

Randomized smoothing is one of the most promising frameworks for certifying the adversarial robustness of machine learning models, including Graph Neural Networks (GNNs). Yet, existing randomized smoothing certificates for GNNs are overly pessimistic since they treat the model as a black box, ignoring the underlying architecture. To remedy this, we propose novel gray-box certificates that exploit the message-passing principle of GNNs: We randomly intercept messages and carefully analyze the probability that messages from adversarially controlled nodes reach their target nodes. Compared to existing certificates, we certify robustness to much stronger adversaries that control entire nodes in the graph and can arbitrarily manipulate node features. Our certificates provide stronger guarantees for attacks at larger distances, as messages from farther-away nodes are more likely to get intercepted. We demonstrate the effectiveness of our method on various models and datasets. Since our gray-box certificates consider the underlying graph structure, we can significantly improve certifiable robustness by applying graph sparsification.

Author Information

Yan Scholten (Technical University of Munich)
Jan Schuchardt (Department of Informatics, Technical University Munich)
Simon Geisler (Technical University of Munich)
Aleksandar Bojchevski (CISPA Helmholtz Center for Information Security)
Stephan Günnemann (Technical University of Munich)

More from the Same Authors