ML Security PapersEnhancing Graph Classification Robustness with Singular Pooling
Sofiane Ennadir 1,2, Oleg Smirnov 1,2, Yassine Abbahaddou 3, Lele Cao 1,2, Johannes F. Lutzeyer 3
Published on arXiv
2510.22643
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
RS-Pool achieves better adversarial robustness than sum, average, and max pooling under state-of-the-art attacks on real-world graph classification benchmarks while maintaining competitive clean accuracy
RS-Pool (Robust Singular Pooling)
Novel technique introduced
Graph Neural Networks (GNNs) have achieved strong performance across a range of graph representation learning tasks, yet their adversarial robustness in graph classification remains underexplored compared to node classification. While most existing defenses focus on the message-passing component, this work investigates the overlooked role of pooling operations in shaping robustness. We present a theoretical analysis of standard flat pooling methods (sum, average and max), deriving upper bounds on their adversarial risk and identifying their vulnerabilities under different attack scenarios and graph structures. Motivated by these insights, we propose \textit{Robust Singular Pooling (RS-Pool)}, a novel pooling strategy that leverages the dominant singular vector of the node embedding matrix to construct a robust graph-level representation. We theoretically investigate the robustness of RS-Pool and interpret the resulting bound leading to improved understanding of our proposed pooling operator. While our analysis centers on Graph Convolutional Networks (GCNs), RS-Pool is model-agnostic and can be implemented efficiently via power iteration. Empirical results on real-world benchmarks show that RS-Pool provides better robustness than the considered pooling methods when subject to state-of-the-art adversarial attacks while maintaining competitive clean accuracy. Our code is publicly available at:\href{https://github.com/king/rs-pool}{https://github.com/king/rs-pool}.
Key Contributions
- Theoretical adversarial risk bounds for standard flat pooling methods (sum, average, max) under different attack scenarios and graph structures
- Robust Singular Pooling (RS-Pool): a model-agnostic pooling strategy using the dominant singular vector of the node embedding matrix, with provable robustness guarantees
- Empirical validation on real-world graph classification benchmarks showing RS-Pool outperforms standard pooling under state-of-the-art adversarial attacks while maintaining competitive clean accuracy
🛡️ Threat Analysis
Proposes RS-Pool as a defense against adversarial input perturbations targeting GNN graph classifiers at inference time, with theoretical upper bounds on adversarial risk for standard and proposed pooling methods.