Structural Adversarial Attacks on Relational Deep Learning under Integrity Constraints

📅 2026-07-08
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the problem of structured adversarial attacks in relational deep learning, where an adversary perturbs an upstream relational database by rewiring foreign keys while strictly preserving database integrity constraints—including foreign key validity, one-to-one cardinality, and functional dependencies—to degrade graph neural network performance. To this end, we propose the first constraint-aware adversarial attack framework tailored for relational data, integrating a gradient-guided heuristic based on differentiable edge masks with a stochastic sampling strategy to generate semantically valid adversarial examples on the RelBench rel-f1 benchmark. Experimental results demonstrate that our method significantly outperforms random baselines on regression tasks, whereas gains on classification tasks are limited, which we attribute to low label-flipping rates and local stability of model outputs.
📝 Abstract
Relational Deep Learning (RDL) has become a standard methodology for machine learning on relational databases: the database is encoded as a heterogeneous temporal graph in which tuples become nodes and primary-key to foreign-key (PK-FK) dependencies become typed edges, over which a graph neural network is trained for downstream prediction. We study the adversarial robustness of this pipeline. We consider a white-box attacker who knows how the graph is built and the model is trained, reasons about perturbations on the graph, but can only act on the upstream database, by rewiring foreign-key references while preserving the integrity constraints of the schema (foreign-key validity, the degree-one FK constraint, and functional dependencies). This restricts the attacker to a constrained, combinatorial set of admissible edits under a global perturbation budget, which is intractable to explore exhaustively and made non-additive by GNN message passing. We investigate seven attack heuristics - two random sampling baselines and five gradient-guided variants that exploit differentiable edge masks - and evaluate them on the RelBench rel-f1 benchmark. Gradient-based attacks consistently outperform random baselines on regression tasks, whereas gains on classification are smaller, which we attribute to low label-flip rates and greater local stability of classification outputs.
Problem

Research questions and friction points this paper is trying to address.

Structural Adversarial Attacks
Relational Deep Learning
Integrity Constraints
Graph Neural Networks
Foreign-Key Rewiring
Innovation

Methods, ideas, or system contributions that make the work stand out.

Structural Adversarial Attacks
Relational Deep Learning
Integrity Constraints
Graph Neural Networks
Gradient-Guided Perturbations
🔎 Similar Papers
No similar papers found.