Structural Adversarial Attacks on Relational Deep Learning under Integrity Constraints
Summary
Relational Deep Learning (RDL) systems, which convert relational databases into heterogeneous temporal graphs for GNN-based prediction, are vulnerable to structural adversarial attacks. Researchers investigated a white-box attacker model that rewires foreign-key references while strictly preserving database integrity constraints like foreign-key validity and functional dependencies. This creates a complex, combinatorial attack space that is intractable to explore exhaustively. The study evaluated seven attack heuristics, including two random baselines and five gradient-guided variants that leverage differentiable edge masks. On the RelBench rel-f1 benchmark, gradient-based attacks consistently outperformed random baselines for regression tasks. However, gains were smaller for classification, attributed to lower label-flip rates and increased local stability of classification outputs.
Key takeaway
For AI Security Engineers developing or deploying Relational Deep Learning systems, understanding the specific vulnerabilities to structural adversarial attacks is crucial. You should prioritize robust defenses against gradient-based attacks, especially for regression models, as these methods significantly outperform random perturbations even under strict database integrity constraints. Consider implementing monitoring for foreign-key reference changes that could indicate malicious activity.
Key insights
Relational Deep Learning models are susceptible to structural adversarial attacks that manipulate foreign-key references while maintaining database integrity.
Principles
- Gradient-based attacks surpass random baselines.
- Classification tasks show greater local stability.
- Integrity constraints define attack boundaries.
Method
The study investigates seven attack heuristics, including two random sampling baselines and five gradient-guided variants that exploit differentiable edge masks to perturb graph structures by rewiring foreign-key references.
In practice
- Evaluate RDL models against structural attacks.
- Prioritize regression task robustness.
Topics
- Relational Deep Learning
- Adversarial Attacks
- Graph Neural Networks
- Database Integrity
- Foreign-Key References
- Model Robustness
Best for: Research Scientist, AI Scientist, Machine Learning Engineer, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Machine Learning.