IDEA: Invariant Causal Defense for Graph Adversarial Robustness

Shuchang Tao; Qi Cao; Huawei Shen; Yunfan Wu; Xu Bingbing; Xueqi Cheng

IDEA: Invariant Causal Defense for Graph Adversarial Robustness

Shuchang Tao, Qi Cao, Huawei Shen, Yunfan Wu, Xu Bingbing, Xueqi Cheng

22 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX

Primary Area: societal considerations including fairness, safety, privacy

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Keywords: Invariant Causal Defense, Adversarial Robustness, Invariant Learning, Graph Neural Networks

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.

TL;DR: To enhance adversarial robustness, we creatively propose IDEA defense method to learn causal features that exhibit strong and invariant predictability across attacks

Abstract: Despite the success of graph neural networks (GNNs), their vulnerability to adversarial attacks poses tremendous challenges for practical applications. Existing defense methods suffer from severe performance decline under some unknown attacks, due to either limited observed adversarial examples (adversarial training) or pre-deﬁned heuristics (graph puriﬁcation or robust aggregation). To address these limitations, we analyze the causalities in graph adversarial attacks and conclude that causal features are desirable to achieve graph adversarial robustness, owing to their determinedness for labels and invariance across attacks. To learn these causal features, we innovatively propose an Invariant causal DEfense method against adversarial Attacks (IDEA). We derive node-based and structurebased invariance objectives from an information-theoretic perspective. IDEA is provably a causally invariant defense across various attacks. Extensive experiments demonstrate that IDEA signiﬁcantly outperforms all baselines under both poisoning and evasion attacks on ﬁve benchmark datasets, highlighting its strong and invariant predictability. The implementation of IDEA is available at https://anonymous.4open.science/r/IDEA_repo-666B.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.

Supplementary Material: zip

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 5591

Loading