With the rapid development of artificial intelligence, a series of machine learning algorithms, e.g., graph neural networks, have been proposed to facilitate network analysis or graph data mining. Unfortunately, recent studies indicate that such advanced methods may suffer from adversarial attacks, i.e., they may lose effectiveness when only a small fraction of links are purposely changed. However, little is known what's the difference between adversarial nodes and clean nodes, and what's the preference of each attack method, in terms of network structure. In this paper, we theoretically investigate three well-known adversarial attack methods, i.e., Nettack, Meta Attack, and GradArgmax, and find that different attack methods have their specific attack preferences on changing network structure. Such attack patterns are further validated by the experimental results on real-world networks, i.e., generally the top 4 most important network attributes on detecting adversarial samples are sufficient to explain the preference of each attack method. Based on these findings, we further utilize the network attributes to design machine learning models for adversarial sample detection and attack method recognition, achieving the outstanding performance.

中文翻译：

---

DeepInsight：可解释性辅助检测图上的对抗样本

随着人工智能的飞速发展，人们提出了一系列机器学习算法，例如图神经网络，以促进网络分析或图数据挖掘。不幸的是，最近的研究表明，这种先进的方法可能会受到对抗性攻击，即当只有一小部分链接被故意更改时，它们可能会失去有效性。然而，在网络结构方面，对抗性节点和干净节点之间有什么区别，以及每种攻击方法的偏好是什么，我们知之甚少。在本文中，我们从理论上研究了三种著名的对抗性攻击方法，即 Nettack、Meta Attack 和 GradArgmax，并发现不同的攻击方法对改变网络结构有其特定的攻击偏好。这种攻击模式在现实世界网络上的实验结果得到进一步验证，即通常检测对抗样本的前 4 个最重要的网络属性足以解释每种攻击方法的偏好。基于这些发现，我们进一步利用网络属性来设计用于对抗样本检测和攻击方法识别的机器学习模型，实现了出色的性能。