Our group will present four papers at this year's NeurIPS. The works cover graph neural networks and ML robustness/certification. Links to the papers/preprints will follow soon!
- Jan Schuchardt, Stephan Günnemann
Invariance-Aware Randomized Smoothing Certificates
Incorporating invariances/symmetries in neural networks, such as invariance under translation or rotation, is a key aspect of applying machine learning to real-world problems like molecular property prediction, medical imaging, protein folding or LiDAR classification. For the first time, we study how the invariances of a model can be leveraged to provably guarantee the robustness of its predictions. We propose the first gray-box approach, enhancing the powerful black-box randomized smoothing technique with white-box knowledge about invariances.
- Yan Scholten, Jan Schuchardt, Simon Geisler, Aleksandar Bojchevski, Stephan Günnemann
Randomized Message-Interception Smoothing: Gray-box Certificates for Graph Neural Networks
Randomized smoothing is one of the most promising frameworks for certifying robustness of machine learning models. Treating the ML model as a black box, it has extremely wide applicability and (unlike white-box certificates) does not require designing new certification techniques with every new model at hand. Yet, due to this black-box nature, randomized smoothing certificates are overly pessimistic since the underlying architecture (e.g. a GNN) is ignored. In this work, we propose the first gray-box certificate for GNNs, exploiting their core paradigm: the message-passing principle.
- Felix Mujkanovic, Simon Geisler, Aleksandar Bojchevski, Stephan Günnemann
Are Defenses for Graph Neural Networks Robust?
A cursory reading of the literature suggests that we have made a lot of progress in designing effective adversarial defenses for Graph Neural Networks. Yet, the standard methodology has a serious flaw – virtually all of the defenses are evaluated against non-adaptive attacks, leading to overly optimistic robustness estimates. We perform a thorough robustness analysis of the most popular defenses. The results are sobering – most defenses show no or only marginal improvement compared to an undefended baseline. We advocate using custom adaptive attacks as a gold standard and we outline the lessons we learned from successfully designing such attacks.
- Leon Hetzel, Simon Boehm, Niki Kilbertus, Stephan Günnemann, Mohammad Lotfollahi, Fabian J Theis
Predicting Single-Cell Perturbation Responses for Unseen Drugs
Perturbation screens lie at the core of drug discovery. However, scaling high-throughput screens (HTSs) to measure cellular responses for many drugs remains challenging due to technical limitations and, more importantly, the cost of such multiplexed experiments. To overcome these limitations, we propose leveraging routinely performed bulk RNA HTS data and incorporating molecular priors. Concerning these priors, our method, chemCPA, is flexible and can include any (pretrained) GNN or molecular fingerprints such as RDKit features. ChemCPA can enrich single-cell data meaningfully and is able to predict perturbation effects for unseen drugs.