RSGNN: A Model-agnostic Approach for Enhancing the Robustness of Signed Graph Neural Networks

Graph neural networks (GNNs) have rapidly revolutionized the field of machine learning on graphs and are state of the art in many tasks such as node classification, link prediction, and graph classification. Moreover, GNNs have been adopted in industry for applications such as recommendation, drug discovery, or estimation of arrival time in routing. In this thesis we look at GNNs from a perspective of adversarial robustness. We generalize the notion of adversarial attacks -small perturbations to the input data deliberately crafted to mislead a machine learning model -from traditional vector data such as images to graphs. We present adversarial attack algorithms on GNNs that target the training phase of the models, leading to drastically reduced performance after training on the poisoned data. In some cases, a small number of perturbations is sufficient to degrade the performance of a state-of-the-art GNN below that of a simple classifier that neglects graph information altogether. In addition to adversarial attacks, we also focus on improving the robustness of GNNs against attacks. We propose robustness certification procedures for perturbations of the node attributes as well as the graph structure. These certificates guarantee that no perturbation within some constraints can change the prediction of the model. Further, we use our certification in a robust training procedure which strongly improves the GNN robustness. We further provide retrospective insight and summarize the current state of the research field of studying adversarial robustness of GNNs. Finally, we consider broader impact aspects of ML in general and GNNs in particular, and highlight open questions for future research. iii I am deeply grateful to my supervisor Prof. Stephan Günnemann. I could not have wished for a better PhD supervisor. I am humbled by your technical expertise and personal mentoring skills, which you generously and extensively provided to me throughout my studies. I have learned incredibly much from you and I hope to continue to do so in the future. I will always remember our intense and fruitful research discussions and the wonderful time I had with the DAML group you have created at TUM. Thank you. Special thanks also to Prof. Jure Leskovec from Stanford University for hosting me during my research stay, for which I am very grateful. I also thank my PhD mentor Dr. Michele Catasta, whom I got to know at Stanford. Thank you for supporting me and making me feel welcome during my research stay with your warm and positive energy. Thank you for continuing to support me after my stay; for your support finishing our research project and for providing valuable advice whenever I needed it. Thank you Tim Januschowski, François-Xavier Aubet, Jan Gasthaus, Simon Durand, and Jan van Balen for your mentorship and support throughout my internships. I would also like to thank my colleagues, collaborators, and co-authors at the Technical University of Munich. Thank you Aleksandar Bojchevski and Oleksandr Shchur for teaching me to do research during my Master thesis and for being great colleagues and friends after I joined as a PhD student. Special thanks also to Bertrand Charpentier for many great research collaborations and for always being a source of friendliness and calmness even under stress. I would also like to thank Simon Geisler and Anna Kopetzki for being great co-authors. You all have made my PhD studies some of the best years of my life and I am grateful for that. Thanks also to the great people at the database Chair, most importantly Moritz for his support setting up our computing infrastructure. Throughout my studies I was lucky to get to work with bright and curious students. Thank you