Search papers, labs, and topics across Lattice.
This paper investigates the adversarial robustness of Relational Deep Learning (RDL) by exploring how a white-box attacker can manipulate the upstream database while adhering to integrity constraints. The authors evaluate seven attack heuristics, including both random sampling and gradient-guided methods, revealing that gradient-based attacks significantly outperform random baselines on regression tasks. Key findings indicate that while classification tasks show smaller gains due to local stability and low label-flip rates, the overall results highlight vulnerabilities in RDL systems that could be exploited under constrained conditions.
Gradient-guided adversarial attacks reveal critical vulnerabilities in relational deep learning systems, outperforming random strategies and exposing the fragility of classification outputs.
Relational Deep Learning (RDL) has become a standard methodology for machine learning on relational databases: the database is encoded as a heterogeneous temporal graph in which tuples become nodes and primary-key to foreign-key (PK-FK) dependencies become typed edges, over which a graph neural network is trained for downstream prediction. We study the adversarial robustness of this pipeline. We consider a white-box attacker who knows how the graph is built and the model is trained, reasons about perturbations on the graph, but can only act on the upstream database, by rewiring foreign-key references while preserving the integrity constraints of the schema (foreign-key validity, the degree-one FK constraint, and functional dependencies). This restricts the attacker to a constrained, combinatorial set of admissible edits under a global perturbation budget, which is intractable to explore exhaustively and made non-additive by GNN message passing. We investigate seven attack heuristics - two random sampling baselines and five gradient-guided variants that exploit differentiable edge masks - and evaluate them on the RelBench rel-f1 benchmark. Gradient-based attacks consistently outperform random baselines on regression tasks, whereas gains on classification are smaller, which we attribute to low label-flip rates and greater local stability of classification outputs.