
Table 4 Results of influence attacks against each classifier with the PubMed dataset, with attacker budgets of 10, 30, and 50 edge perturbations

From: Complex network effects on the robustness of graph convolutional networks

  

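| Defense | Training | Budget 10, Net | Budget 10, FGA | Budget 10, IG | Budget 30, Net | Budget 30, FGA | Budget 30, IG | Budget 50, Net | Budget 50, FGA | Budget 50, IG |
|---|---|---|---|---|---|---|---|---|---|---|
| Jaccard | Rand. | 0.224 | N/A | N/A | 0.576 | N/A | N/A | 0.744 | N/A | N/A |
| Jaccard | SD | 0.12 | N/A | N/A | 0.136 | N/A | N/A | 0.16 | N/A | N/A |
| Jaccard | GC | 0.128 | N/A | N/A | 0.192 | N/A | N/A | 0.2 | N/A | N/A |
| GCN | Rand. | 0.456 | N/A | N/A | 0.76 | N/A | N/A | 0.888 | N/A | N/A |
| GCN | SD | 0.6 | N/A | N/A | 0.936 | N/A | N/A | 0.976 | N/A | N/A |
| GCN | GC | 0.544 | N/A | N/A | 0.88 | N/A | N/A | 0.952 | N/A | N/A |
| Cheb | Rand. | 0.056 | N/A | N/A | 0.072 | N/A | N/A | 0.072 | N/A | N/A |
| Cheb | SD | 0.072 | N/A | N/A | 0.128 | N/A | N/A | 0.136 | N/A | N/A |
| Cheb | GC | 0.136 | N/A | N/A | 0.16 | N/A | N/A | 0.192 | N/A | N/A |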

  1. Results are included for Nettack (Net), FGA, and IG-FGSM (IG). For each classifier, we train with random (Rand.), StratDegree (SD), and GreedyCover (GC). Each entry is a probability of attack success, thus higher is better for the attacker and lower is better for the defender. To yield the most robust classifier, the defender picks the classifier/training method combination that minimizes the worst-case attack probability. These entries are listed in bold. Entries listed as N/A did not finish in the allotted time (24 h per trial). Only results using Jaccard, GCN, and ChebNet were obtained in time. While StratDegree and GreedyCover improve performance with the Jaccard-based classifier, the best performance is achieved by a ChebNet classifier with random training. In our experiments, this classifier with the PubMed data typically has a much higher margin before the attack takes place.