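Authors: YANG Ying; HAO Xiaoyan[1]; YU Dan[1]; MA Yao; CHEN Yongle[1] (College of Computer Science and Technology (College of Data Science), Taiyuan University of Technology, Jinzhong, Shanxi 030600, China)
Affiliation: [1] College of Computer Science and Technology (College of Data Science), Taiyuan University of Technology, Jinzhong, Shanxi 030600, China
Source: Journal of Computer Applications (《计算机应用》), 2024, No. 8, pp. 2483-2492, 10 pages
Funding: Shanxi Province Basic Research Program (20210302123131, 20210302124395); Shanxi Province Natural Science Foundation, General Program (202203021221234); Unplanned Technical Service Horizontal Project (RH2100005181).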
Abstract: Data-free model extraction attacks are a class of machine learning security problems in which the attacker has no knowledge of the training data needed to carry out the attack. To address the lack of research on data-free model extraction attacks in the field of Graph Neural Networks (GNN), a GNN model extraction attack method was proposed. The graph node feature information and edge information were optimized with the GNN interpretability method GNNExplainer and the graph data augmentation method GAUG-M, respectively, so as to generate the required graph data and finally extract the GNN model. Firstly, the GNNExplainer method was used to perform an interpretability analysis of the target model's responses and obtain the important graph node feature information. Secondly, the graph node feature information was optimized as a whole by up-weighting the important graph node features and down-weighting the non-important ones. Then, a graph autoencoder was used as the edge information prediction module to obtain the connection probabilities between nodes from the optimized graph node features. Finally, the edge information was optimized by adding or deleting the corresponding edges according to these probabilities. Three GNN model architectures trained on five graph datasets were used as the target models for extraction attacks, and the resulting substitute models achieved 73% to 87% accuracy on the node classification task and 76% to 89% fidelity with the target model's performance, which verifies the effectiveness of the proposed method.
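Keywords: data-free model extraction attack; graph data generation; Graph Neural Network (GNN); GNN interpretability; graph data augmentation
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]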