<div align="center"> <h1>Awesome Graph Adversarial Learning Literature</h1> <a href="https://awesome.re"><img src="https://awesome.re/badge.svg"/></a> <a href="http://makeapullrequest.com"><img src="https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square"/></a> </div>

A curated list of adversarial attacks and defenses papers on graph-structured data.

Papers are sorted by their uploaded dates in descending order.

If you want to add new entries, please make PRs with the same format.

This list serves as a complement to the survey below.

Adversarial Attack and Defense on Graph Data: A Survey (Updated in Oct 2022. More than 110 papers reviewed).

```bibtex
@article{sun2018adversarial,
  title={Adversarial Attack and Defense on Graph Data: A Survey},
  author={Sun, Lichao and Dou, Yingtong and Yang, Carl and Kai Zhang and Wang, Ji and Yixin Liu and Yu, Philip S. and He, Lifang and Li, Bo},
  journal={arXiv preprint arXiv:1812.10528},
  year={2018}
}
@article{sun2022adversarial,
  title={Adversarial attack and defense on graph data: A survey},
  author={Sun, Lichao and Dou, Yingtong and Yang, Carl and Zhang, Kai and Wang, Ji and Philip, S Yu and He, Lifang and Li, Bo},
  journal={IEEE Transactions on Knowledge and Data Engineering},
  year={2022},
  publisher={IEEE}
}
```

If you feel this repo is helpful, please cite the survey above.

How to Search?

Search keywords like conference name (e.g., NeurIPS), task name (e.g., Link Prediction), model name (e.g., DeepWalk), or method name (e.g., Robust) over the webpage to quickly locate related papers.

Quick Links

Attack papers sorted by year: | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 |

Defense papers sorted by year: | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 |

Attack

Attack Papers 2023 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2023 | Revisiting Robustness in Graph Machine Learning | Attack | Node Classification | GCN, SGC, APPNP, GAT, GATv2, GraphSAGE, LP | ICLR'23 | Link | Link |
| 2023 | Unnoticeable Backdoor Attacks on Graph Neural Networks | Attack | Node classification, Graph classification | GCN, GraphSage, and GAT | ArXiv | Link | Link |
| 2023 | Attacking Fake News Detectors via Manipulating News Social Engagement | Attack | Fake News Detection | GAT, GCN, and GraphSAGE | WWW'23 | Link | Link |
| 2023 | HyperAttack: Multi-Gradient-Guided White-box Adversarial Structure Attack of Hypergraph Neural Networks | Attack | Node Classification | HGNNs | ArXiv | Link | |
| 2023 | Turning Strengths into Weaknesses: A Certified Robustness Inspired Attack Framework against Graph Neural Networks | Attack | Node Classification | GCN | CVPR'23 | Link | |
| 2023 | Adversary for Social Good: Leveraging Attribute-Obfuscating Attack to Protect User Privacy on Social Networks | Attack | Attribute Protection On Social Networks | GNNs | SecureComm 2022 | Link | |
| 2023 | Node Injection for Class-specific Network Poisoning | Attack | Node Classification | GCN | arXiv | Link | Link |
| 2023 | GUAP: Graph Universal Attack Through Adversarial Patching | Attack | Node Classification | GCN | arXiv | Link | Link |

Attack Papers 2022 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2022 | GANI: Global Attacks on Graph Neural Networks via Imperceptible Node Injections | Attack | Node Classification | GCN/SGC/Jaccard/SimPGCN | Arxiv | Link | |
| 2022 | Motif-Backdoor: Rethinking the Backdoor Attack on Graph Neural Networks via Motifs | Attack | Graph Classification | GCN/SAGPool/GIN | Arxiv | Link | |
| 2022 | Towards Reasonable Budget Allocation in Untargeted Graph Structure Attacks via Gradient Debias | Attack | Node Classification | GCN/GAT/GraphSAGE | NeurIPS 2022 | Link | Link |
| 2022 | Imperceptible Adversarial Attacks on Discrete-Time Dynamic Graph Models | Attack | Dynamic Link Prediction/Node Classification | GC-LSTM/EVOLVEGCN/DYSAT | NeurIPS 2022 Workshop TGL | Link | |
| 2022 | A2S2-GNN: Rigging GNN-Based Social Status by Adversarial Attacks in Signed Social Networks | Attack | Classification in unsigned or undirected graphs | GNNs | IEEE Transactions on Information Forensics and Security | Link | |
| 2022 | Let Graph be the Go Board: Gradient-free Node Injection Attack for Graph Neural Networks via Reinforcement Learning | Attack | Node Classification | GCN/SGC/GAT/APPNP | AAAI23 | Link | Link |
| 2022 | QuerySnout: Automating the Discovery of Attribute Inference Attacks against Query-Based Systems | Attack | Query-based systems attribute inference | Diffix/TableBuilder/SimpleQBS | CCS 2022 | Link | Link |
| 2022 | Are Defenses for Graph Neural Networks Robust? | Attack | Node Classification | GNN, GCN, Jaccard GCN, SVD GCN, GNNGuard, RGCN, ProGNN, GRAND, Soft Median GDC | NeurIPS 2022 | Link | Link |
| 2022 | Poisoning GNN-based Recommender Systems with Generative Surrogate-based Attacks | Attack | Promotion/Recommendation/Re-producing | GNN | ACM TIS | Link | |
| 2022 | Dealing with the unevenness: deeper insights in graph-based attack and defense | Attack | Set-Cover problem | GCN, RGCN, GCN-Jaccard, Pro-GNN | Machine Learning | Link | |
| 2022 | Membership Inference Attacks Against Robust Graph Neural Network | Attack | Membership Inference | GCN | CSS 2022 | Link | |
| 2022 | Sparse Vicious Attacks on Graph Neural Networks | Attack | Link prediction | GNN | arXiv | Link | Link |
| 2022 | Model Inversion Attacks against Graph Neural Networks | Attack | Node Classification | GCN, GAT and GraphSAGE | TKDE | Link | Link |
| 2022 | Exploratory Adversarial Attacks on Graph Neural Networks for Semi-Supervised Node Classification | Attack | Semi-Supervised Node Classification | GNN | Pattern Recognition | Link | |
| 2022 | Adversarial Inter-Group Link Injection Degrades the Fairness of Graph Neural Networks | Attack | node classification | GNN | IEEE ICDM 2022 | Link | Link |
| 2022 | Resisting Graph Adversarial Attack via Cooperative Homophilous Augmentation | Attack | semi-Supervised Node Classification | GNN | ECML PKDD 2022 | Link | |
| 2022 | What Does the Gradient Tell When Attacking the Graph Structure | Attack | Node Classification | GCN, GraphSage and H2GCN | arXiv | Link | |
| 2022 | Robust Node Classification on Graphs: Jointly from Bayesian Label Transition and Topology-based Label Propagation | Attack | Node Classification | GNNs | CIKM 2022 | Link | Link |
| 2022 | Revisiting Item Promotion in GNN-based Collaborative Filtering: A Masked Targeted Topological Attack Perspective | Attack | Collaborative filtering | LightGCN | arXiv | Link | |
| 2022 | Link-Backdoor: Backdoor Attack on Link Prediction via Node Injection | Attack | Link Prediction | GAE, VGAE, GIC, ARGA, ARVGA | arXiv | Link | Link |
| 2022 | Graph Structural Attack by Perturbing Spectral Distance | Attack | node classification | two-layer GCN | KDD 2022 | Link | |
| 2022 | Are Gradients on Graph Structure Reliable in Gray-box Attacks? | Attack | node classification tasks | GraphSage | CIKM 2022 | Link | |
| 2022 | Adversarial Camouflage for Node Injection Attack on Graphs | Attack | semi-supervised information retrieval task | GNNs | arXiv | Link | |
| 2022 | CLUSTER ATTACK: Query-based Adversarial Attacks on Graphs with Graph-Dependent Priors | Attack | node classification | GNNs | IJCAI 2022 | Link | |
| 2022 | IoT-based Android Malware Detection Using Graph Neural Network With Adversarial Defense | Attack | Malware Detection | GNN | IEEE Internet of Things | Link | |
| 2022 | Private Graph Extraction via Feature Explanations | Attack | node classification | 2-layer GCN | arXiv | Link | |
| 2022 | Towards Secrecy-Aware Attacks Against Trust Prediction in Signed Graphs | Attack | trust prediction in signed graphs | SGCN, SNEA | arXiv | Link | |
| 2022 | Camouflaged Poisoning Attack on Graph Neural Networks | Attack | node classification | GCN | ICMR 2022 | Link | |
| 2022 | LOKI: A Practical Data Poisoning Attack Framework against Next Item Recommendations | Attack | Next Item Recommendations | BPRMF, FPMC, GRU4REC, TransRec | TKDE 2022 | Link | |
| 2022 | Poisoning GNN-based Recommender Systems with Generative Surrogate-based Attacks | Attack | Promotion/Recommendation/Re-producing | GNNs | ACM Transactions on Information Systems 2022 | Link | |
| 2022 | Transferable Graph Backdoor Attack | Attack | Graph Classification | GNNs | RAID 2022 | Link | |
| 2022 | Cluster Attack: Query-based Adversarial Attacks on Graphs with Graph-Dependent Priors | Attack | Node Classification | GNNs | IJCAI 2022 | Link | Link |
| 2022 | Adversarial Robustness of Graph-based Anomaly Detection | Attack | Anomaly Detection | GNNs | Arxiv | Link | |
| 2022 | Adversarial Attack Framework on Graph Embedding Models with Limited Knowledge | Attack | Node Classification | GNNs | Preprint | Link | |
| 2022 | Label specificity attack: Change your label as I want | Attack | Node Classification | GNNs | IJIS | Link | |
| 2022 | Bandits for Structure Perturbation-based Black-box Attacks to Graph Neural Networks with Theoretical Guarantees | Attack | Node Classification | GNNs | CVPR 2022 | Link | Link |
| 2022 | AdverSparse: An Adversarial Attack Framework for Deep Spatial-Temporal Graph Neural Networks | Attack | Spatial-Temporal Graph Embedding | Deep Spatial-Temporal GNNs | ICASSP 2022 | Link | |
| 2022 | Projective Ranking-based GNN Evasion Attacks | Attack | Graph Classification | GNNs | Arxiv | Link | |
| 2022 | Attacking Community Detectors: Mislead Detectors via Manipulating the Graph Structure | Attack | Community Detection | Community Detection Algs, GNNs | MobiCASE 2021 | Link | |
| 2022 | A Targeted Universal Attack on Graph Convolutional Network by Using Fake Nodes | Attack | Node Classification | GCN | Neural Processing Letters | Link | Link |
| 2022 | Surrogate Representation Learning with Isometric Mapping for Gray-box Graph Adversarial Attacks | Attack | Node Classification | GNNs | WSDM 2022 | Link | |
| 2022 | Black-box Node Injection Attack for Graph Neural Networks | Attack | Node Classification | GCN | Arxiv | Link | Link |
| 2022 | Understanding and Improving Graph Injection Attack by Promoting Unnoticeability | Attack | Node Classification | GNNs | ICLR 2022 | Link | Link |
| 2022 | Unsupervised Graph Poisoning Attack via Contrastive Loss Back-propagation | Attack | Node Classification, Link Prediction | GCN | WWW 2022 | Link | Link |
| 2022 | Neighboring Backdoor Attacks on Graph Convolutional Network | Attack | Node Classification | GCN | Arxiv | Link | |
| 2022 | Interpretable and Effective Reinforcement Learning for Attacking against Graph-based Rumor Detection | Attack | Rumor Detection | RGCN | Arxiv | Link | |

Attack Papers 2021 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2021 | Task and Model Agnostic Adversarial Attack on Graph Neural Networks | Attack | Node Classification | GNNs | Arxiv | Link | |
| 2021 | Model Stealing Attacks Against Inductive Graph Neural Networks | Attack | Node Classification, Model Stealing | GNNs | IEEE S&P 2022 | Link | Link |
| 2021 | How Members of Covert Networks Conceal the Identities of Their Leaders | Attack | Covert Network Leader Detection | Centrality Measures | ACM TIST 2021 | Link | |
| 2021 | Adapting Membership Inference Attacks to GNN for Graph Classification: Approaches and Implications | Attack | Graph Classification | GNNs | ICDM 2021 | Link | Link |
| 2021 | Graph Structural Attack by Spectral Distance | Attack | Node Classification | GCN | Arxiv | Link | |
| 2021 | Structural Attack against Graph Based Android Malware Detection | Attack | Malware Detection | Graph Based Android Malware Detector | CCS 2021 | Link | |
| 2021 | Adversarial Attacks on Knowledge Graph Embeddings via Instance Attribution Methods | Attack | Knowledge Graph Embeddings | Knowledge Graph Embedding Models | EMNLP 2021 | Link | Link |
| 2021 | Adversarial Attack against Cross-lingual Knowledge Graph Alignment | Attack | Knowledge Graph Alignment | Knowledge Graph Embedding Models | EMNLP 2021 | Link | |
| 2021 | Graph Robustness Benchmark: Benchmarking the Adversarial Robustness of Graph Machine Learning | Attack | Node Classification | GNNs | NeurIPS 2021 | Link | Link |
| 2021 | Adversarial Attacks on Graph Classification via Bayesian Optimisation | Attack | Graph Classification | GNNs | NeurIPS 2021 | Link | Link |
| 2021 | Robustness of Graph Neural Networks at Scale | Attack | Node Classification | GNNs | NeurIPS 2021 | Link | Link |
| 2021 | Large-Scale Adversarial Attacks on Graph Neural Networks via Graph Coarsening | Attack | Node Classification | GNNs | ICLR 2022 OpenReview | Link | |
| 2021 | Mind Your Solver! On Adversarial Attack and Defense for Combinatorial Optimization | Attack | Combinatorial Optimization | Combinatorial Optimization Solvers | ICLR 2022 OpenReview | Link | |
| 2021 | Bandits for Black-box Attacks to Graph Neural Networks with Structure Perturbation | Attack | Node Classification | GNNs | ICLR 2022 OpenReview | Link | |
| 2021 | Poisoning Attacks against Knowledge Graph-based Recommendation Systems Using Deep Reinforcement Learning | Attack | Knowledge Graph-based Recommender Systems | GNNs | Neural Computing and Applications | Link | |
| 2021 | FHA: Fast Heuristic Attack Against Graph Convolutional Networks | Attack | Node Classification | GNNs | ICDS 2021 | Link | |
| 2021 | Inference Attacks Against Graph Neural Networks | Attack | Graph/Property Inference | GNNs | USENIX Security 2022 | Link | Link |
| 2021 | Graph-Fraudster: Adversarial Attacks on Graph Neural Network Based Vertical Federated Learning | Attack | Node Classification, Federated Learning | GNNs | Arxiv | Link | |
| 2021 | Query-based Adversarial Attacks on Graph with Fake Nodes | Attack | Node Classification | GCN | Arxiv | Link | |
| 2021 | Single Node Injection Attack against Graph Neural Networks | Attack | Node Classification | GNNs | CIKM 2021 | Link | Link |
| 2021 | Projective Ranking: A Transferable Evasion Attack Method on Graph Neural Networks | Attack | Graph Classification | GCN | CIKM 2021 | Link | |
| 2021 | Spatially Focused Attack against Spatiotemporal Graph Neural Networks | Attack | Spatiotemporal Forecasting | GNNs | Arxiv | Link | |
| 2021 | Derivative-free optimization adversarial attacks for graph convolutional networks | Attack | Node Classification | GCN | PeerJ Computer Science | Link | |
| 2021 | A Hard Label Black-box Adversarial Attack Against Graph Neural Networks | Attack | Graph Classification | GNNs | CCS 2021 | Link | |
| 2021 | Single-Node Attack for Fooling Graph Neural Networks | Attack | Node Classification | GNNs | KDD 2021 Workshop | Link | Link |
| 2021 | Jointly Attacking Graph Neural Network and its Explanations | Attack | GNN Explanation | GNNEXPLAINER, PGExplainer | Arxiv | Link | |
| 2021 | The Robustness of Graph k-shell Structure under Adversarial Attacks | Attack | K-shell Value | K-shell Decomposition | Arxiv | Link | |
| 2021 | Poisoning Knowledge Graph Embeddings via Relation Inference Patterns | Attack | Knowledge Graph Embedding | Knowledge Graph Embedding Models | ACL 2021 | Link | Link |
| 2021 | Structack: Structure-based Adversarial Attacks on Graph Neural Networks | Attack | Node Classification | GCN | ACM Hypertext | Link | Link |
| 2021 | Optimal Edge Weight Perturbations to Attack Shortest Paths | Attack | Shortest Path | Shortest Path Algs | Arxiv | Link | |
| 2021 | Adversarial Attack on Graph Neural Networks as An Influence Maximization Problem | Attack | Node Classification | GNNs | Arxiv | Link | |
| 2021 | BinarizedAttack: Structural Poisoning Attacks to Graph-based Anomaly Detection | Attack | Anomaly Detection | Graph Anomaly Detection Algs | Arxiv | Link | |
| 2021 | TDGIA: Effective Injection Attacks on Graph Neural Networks | Attack | Node Classification | GNNs | KDD 2021 | Link | |
| 2021 | Graph Adversarial Attack via Rewiring | Attack | Node Classification | GCN | KDD 2021 | Link | |
| 2021 | Evaluating Graph Vulnerability and Robustness using TIGER | Attack | Robustness Measure | Robustness Measure | Arxiv | Link | Link |
| 2021 | Adversarial Attack Framework on Graph Embedding Models with Limited Knowledge | Attack | Node Classification | Graph Embedding Models | Arxiv | Link | |
| 2021 | Attacking Graph Neural Networks at Scale | Attack | Node Classification | GCN | AAAI 2021 Workshop | Link | |
| 2021 | Black-box Gradient Attack on Graph Neural Networks: Deeper Insights in Graph-based Attack and Defense | Attack | Node Classification | GNNs | Arxiv | Link | |
| 2021 | Enhancing Robustness and Resilience of Multiplex Networks Against Node-Community Cascading Failures | Attack | Complex Networks Robustness | Complex Networks | IEEE TSMC | Link | |
| 2021 | PATHATTACK: Attacking Shortest Paths in Complex Networks | Attack | Shortest Path | Shortest Path | Arxiv | Link | |
| 2021 | Universal Spectral Adversarial Attacks for Deformable Shapes | Attack | Shape Classification | ChebyNet, PointNet | CVPR 2021 | Link | |
| 2021 | Preserve, Promote, or Attack? GNN Explanation via Topology Perturbation | Attack | Object Detection | GNNs | Arxiv | Link | |
| 2021 | Towards Revealing Parallel Adversarial Attack on Politician Socialnet of Graph Structure | Attack | Node Classification | GCN | Security and Communication Networks | Link | |
| 2021 | Network Embedding Attack: An Euclidean Distance Based Method | Attack | Node Classification, Community Detection | Network Embedding Methods | MDATA | Link | |
| 2021 | Adversarial Attack on Network Embeddings via Supervised Network Poisoning | Attack | Node Classification, Link Prediction | DeepWalk, Node2vec, LINE, GCN | PAKDD 2021 | Link | Link |
| 2021 | GraphAttacker: A General Multi-Task Graph Attack Framework | Attack | Node Classification, Graph Classification, Link Prediction | GNNs | Arxiv | Link | |
| 2021 | Membership Inference Attack on Graph Neural Networks | Attack | Membership Inference | GNNs | Arxiv | Link | |

Attack Papers 2020 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2020 | Adversarial Label-Flipping Attack and Defense for Graph Neural Networks | Attack | Node Classification | GNNs | ICDM 2020 | Link | Link |
| 2020 | Exploratory Adversarial Attacks on Graph Neural Networks | Attack | Node Classification | GCN | ICDM 2020 | Link | Link |
| 2020 | A Targeted Universal Attack on Graph Convolutional Network | Attack | Node Classification | GCN | Arxiv | Link | Link |
| 2020 | Attacking Graph-Based Classification without Changing Existing Connections | Attack | Node Classification | Collective Classification Models | ACSAC 2020 | Link | |
| 2020 | Learning to Deceive Knowledge Graph Augmented Models via Targeted Perturbation | Attack | Commonsense Reasoning Recommender System | Knowledge Graph | ICLR 2021 | Link | Link |
| 2020 | One Vertex Attack on Graph Neural Networks-based Spatiotemporal Forecasting | Attack | Spatiotemporal Forecasting | GNNs | ICLR 2021 OpenReview | Link | |
| 2020 | Single-Node Attack for Fooling Graph Neural Networks | Attack | Node Classification | GNNs | ICLR 2021 OpenReview | Link | |
| 2020 | Black-Box Adversarial Attacks on Graph Neural Networks as An Influence Maximization Problem | Attack | Node Classification | GNNs | ICLR 2021 OpenReview | Link | |
| 2020 | Adversarial Attacks on Deep Graph Matching | Attack | Graph Matching | Deep Graph Matching Models | NeurIPS 2020 | Link | |
| 2020 | Towards More Practical Adversarial Attacks on Graph Neural Networks | Attack | Node Classification | GNNs | NeurIPS 2020 | Link | Link |
| 2020 | A Graph Matching Attack on Privacy-Preserving Record Linkage | Attack | Record Linkage | Privacy-preserving Record Linkage Methods | CIKM 2020 | Link | |
| 2020 | Adaptive Adversarial Attack on Graph Embedding via GAN | Attack | Node Classification | GCN, DeepWalk, LINE | SocialSec | Link | |
| 2020 | Scalable Adversarial Attack on Graph Neural Networks with Alternating Direction Method of Multipliers | Attack | Node Classification | GNNs | Arxiv | Link | |
| 2020 | Semantic-preserving Reinforcement Learning Attack Against Graph Neural Networks for Malware Detection | Attack | Malware Detection | GCN | Arxiv | Link | |
| 2020 | Adversarial Attack on Large Scale Graph | Attack | Node Classification | GNN | Arxiv | Link | |
| 2020 | Efficient Evasion Attacks to Graph Neural Networks via Influence Function | Attack | Node Classification | GNN | Arxiv | Link | |
| 2020 | Reinforcement Learning-based Black-Box Evasion Attacks to Link Prediction in Dynamic Graphs | Attack | Link Prediction | DyGCN | Arxiv | Link | |
| 2020 | Adversarial attack on BC classification for scale-free networks | Attack | Broido and Clauset classification | scale-free network | AIP Chaos | Link | |
| 2020 | Adversarial Attacks on Link Prediction Algorithms Based on Graph Neural Networks | Attack | Link Prediction | GNN | Asia CCS 2020 | Link | |
| 2020 | Practical Adversarial Attacks on Graph Neural Networks | Attack | Node Classification | GNN | ICML 2020 Workshop | Link | |
| 2020 | Link Prediction Adversarial Attack Via Iterative Gradient Attack | Attack | Link Prediction | GAE | IEEE TCSS | Link | |
| 2020 | An Efficient Adversarial Attack on Graph Structured Data | Attack | Node Classification | GCN | IJCAI 2020 Workshop | Link | |
| 2020 | Graph Backdoor | Attack | Node Classification Graph Classification | GNNs | USENIX Security 2021 | Link | |
| 2020 | Backdoor Attacks to Graph Neural Networks | Attack | Graph Classification | GNNs | Arxiv | Link | |
| 2020 | Robust Spammer Detection by Nash Reinforcement Learning | Attack | Fraud Detection | Graph-based Fraud Detector | KDD 2020 | Link | Link |
| 2020 | Adversarial Attacks on Graph Neural Networks: Perturbations and their Patterns | Attack | Node Classification | GNN | TKDD | Link | |
| 2020 | Adversarial Attack on Hierarchical Graph Pooling Neural Networks | Attack | Graph Classification | GNN | Arxiv | Link | |
| 2020 | Stealing Links from Graph Neural Networks | Attack | Inferring Link | GNNs | USENIX Security 2021 | Link | |
| 2020 | Scalable Attack on Graph Data by Injecting Vicious Nodes | Attack | Node Classification | GCN | ECML-PKDD 2020 | Link | |
| 2020 | Network disruption: maximizing disagreement and polarization in social networks | Attack | Manipulating Opinion | Graph Model, Social Network | Arxiv | Link | |
| 2020 | Adversarial Perturbations of Opinion Dynamics in Networks | Attack | Manipulating Opinion | Graph Model | Arxiv | Link | |
| 2020 | Non-target-specific Node Injection Attacks on Graph Neural Networks: A Hierarchical Reinforcement Learning Approach | Attack | Node Classification | GCN | WWW 2020 | Link | |
| 2020 | MGA: Momentum Gradient Attack on Network | Attack | Node Classification, Community Detection | GCN, DeepWalk, node2vec | Arxiv | Link | |
| 2020 | Indirect Adversarial Attacks via Poisoning Neighbors for Graph Convolutional Networks | Attack | Node Classification | GCN | BigData 2019 | Link | |
| 2020 | Graph Universal Adversarial Attacks: A Few Bad Actors Ruin Graph Learning Models | Attack | Node Classification | GCN | Arxiv | Link | Link |
| 2020 | Adversarial Attacks to Scale-Free Networks: Testing the Robustness of Physical Criteria | Attack | Network Structure | Physical Criteria | Arxiv | Link | |
| 2020 | Adversarial Attack on Community Detection by Hiding Individuals | Attack | Community Detection | GCN | WWW 2020 | Link | Link |

Attack Papers 2019 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2019 | How Robust Are Graph Neural Networks to Structural Noise? | Attack | Node Structural Identity Prediction | GIN | Arxiv | Link | |
| 2019 | Time-aware Gradient Attack on Dynamic Network Link Prediction | Attack | Link Prediction | Dynamic Network Embedding Algs | Arxiv | Link | |
| 2019 | All You Need is Low (Rank): Defending Against Adversarial Attacks on Graphs | Attack | Node Classification | GCN, Tensor Embedding | WSDM 2020 | Link | Link |
| 2019 | αCyber: Enhancing Robustness of Android Malware Detection System against Adversarial Attacks on Heterogeneous Graph based Model | Attack | Malware Detection | HIN | CIKM 2019 | Link | |
| 2019 | A Unified Framework for Data Poisoning Attack to Graph-based Semi-supervised Learning | Attack | Semi-supervised Learning | Label Propagation | NeurIPS 2019 | Link | |
| 2019 | Manipulating Node Similarity Measures in Networks | Attack | Node Similarity | Node Similarity Measures | AAMAS 2020 | Link | |
| 2019 | Multiscale Evolutionary Perturbation Attack on Community Detection | Attack | Community Detection | Community Metrics | Arxiv | Link | |
| 2019 | Attacking Graph Convolutional Networks via Rewiring | Attack | Node Classification | GCN | Openreview | Link | |
| 2019 | Node Injection Attacks on Graphs via Reinforcement Learning | Attack | Node Classification | GCN | Arxiv | Link | |
| 2019 | A Restricted Black-box Adversarial Framework Towards Attacking Graph Embedding Models | Attack | Node Classification | GCN, SGC | AAAI 2020 | Link | Link |
| 2019 | Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective | Attack | Node Classification | GNN | IJCAI 2019 | Link | Link |
| 2019 | Unsupervised Euclidean Distance Attack on Network Embedding | Attack | Node Embedding | GCN | Arxiv | Link | |
| 2019 | Generalizable Adversarial Attacks Using Generative Models | Attack | Node Classification | GCN | Arxiv | Link | |
| 2019 | Vertex Nomination, Consistent Estimation, and Adversarial Modification | Attack | Vertex Nomination | VN Scheme | Arxiv | Link | |
| 2019 | Data Poisoning Attack against Knowledge Graph Embedding | Attack | Fact Plausibility Prediction | TransE, TransR | IJCAI 2019 | Link | |
| 2019 | Adversarial Examples on Graph Data: Deep Insights into Attack and Defense | Attack | Node Classification | GCN | IJCAI 2019 | Link | Link |
| 2019 | Adversarial Attacks on Node Embeddings via Graph Poisoning | Attack | Node Classification, Community Detection | node2vec, DeepWalk, GCN, Spectral Embedding, Label Propagation | ICML 2019 | Link | Link |
| 2019 | Attacking Graph-based Classification via Manipulating the Graph Structure | Attack | Node Classification | Belief Propagation, GCN | CCS 2019 | Link | |
| 2019 | Adversarial Attacks on Graph Neural Networks via Meta Learning | Attack | Node Classification | GCN, CLN, DeepWalk | ICLR 2019 | Link | Link |

Attack Papers 2018 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2018 | Poisoning Attacks to Graph-Based Recommender Systems | Attack | Recommender System | Graph-based Recommendation Algs | ACSAC 2018 | Link | |
| 2018 | GA Based Q-Attack on Community Detection | Attack | Community Detection | Modularity, Community Detection Alg | IEEE TCSS | Link | |
| 2018 | Data Poisoning Attack against Unsupervised Node Embedding Methods | Attack | Link Prediction | LINE, DeepWalk | Arxiv | Link | |
| 2018 | Attack Graph Convolutional Networks by Adding Fake Nodes | Attack | Node Classification | GCN | Arxiv | Link | |
| 2018 | Link Prediction Adversarial Attack | Attack | Link Prediction | GAE, GCN | Arxiv | Link | |
| 2018 | Attack Tolerance of Link Prediction Algorithms: How to Hide Your Relations in a Social Network | Attack | Link Prediction | Traditional Link Prediction Algs | Scientific Reports | Link | |
| 2018 | Attacking Similarity-Based Link Prediction in Social Networks | Attack | Link Prediction | local&global similarity metrics | AAMAS 2019 | Link | |
| 2018 | Fast Gradient Attack on Network Embedding | Attack | Node Classification | GCN | Arxiv | Link | |
| 2018 | Adversarial Attack on Graph Structured Data | Attack | Node Classification, Graph Classification | GNN, GCN | ICML 2018 | Link | Link |
| 2018 | Adversarial Attacks on Neural Networks for Graph Data | Attack | Node Classification | GCN | KDD 2018 | Link | Link |
| 2018 | Hiding individuals and communities in a social network | Attack | Community Detection | Community Detection Algs | Nature Human Behavior | Link | Link |

Attack Papers 2017 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2017 | Practical Attacks Against Graph-based Clustering | Attack | Graph Clustering | SVD, node2vec, Community Detection Alg | CCS 2017 | Link | |
| 2017 | Adversarial Sets for Regularising Neural Link Predictors | Attack | Link Prediction | Knowledge Graph Embeddings | UAI 2017 | Link | Link |

Defense

Defense Papers 2023 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2023 | Revisiting Robustness in Graph Machine Learning | Defense | Node Classification | GCN, SGC, APPNP, GAT, GATv2, GraphSAGE, LP | ICLR'23 | Link | Link |
| 2023 | Empowering Graph Representation Learning with Test-Time Graph Transformation | Defense | Node Classification | GCN | ICLR | Link | Link |
| 2023 | Adversarial Danger Identification on Temporally Dynamic Graph | Defense | Temporally Dynamic Graphs | Hybrid GNN-based time series classifier | IEEE Transactions on Neural Networks and Learning Systems | Link | |

Defense Papers 2022 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2022 | Privacy Protection for Marginal-Sensitive Community Individuals Against Adversarial Community Detection Attacks | Defense | Community Detection | DICE, Random Target Attack (RTA) | IEEE Transactions on Computational Social Systems | Link | |
| 2022 | DeepInsight: Topology Changes Assisting Detection of Adversarial Samples on Graphs | Defense | Node Classification | Two-layer GCNs | IEEE Transactions on Computational Social Systems | Link | |
| 2022 | ERGCN: Data enhancement-based robust graph convolutional network against adversarial attacks | Defense | Node Classification | GCN/GCN-Jaccard/RGGCN/Pro-GNN/SimP-GCN/EGCN | Information Sciences | Link | Link |
| 2022 | On the Vulnerability of Graph Learning based Collaborative Filtering | Defense | Graph Learning based Collaborative Filtering | NGCF/LightGCN | ACM Transactions on Information Systems | Link | |
| 2022 | FocusedCleaner: Sanitizing Poisoned Graphs for Robust GNN-based Node Classification | Defense | Node Classification | GNN-Jaccard/ProGNN/RGCN/MedianGNN/SimPGCN/GNNGUARD/ElasticGNN/AirGNNGASOLINE/maskGVAE | Arxiv | Link | |
| 2022 | Robust cross-network node classification via constrained graph mutual information | Defense | cross-network node classification | GNNs | Knowledge-Based Systems | Link | |
| 2022 | On the Robustness of Graph Neural Diffusion to Topology Perturbations | Defense | Node Classification | GAT, GraphSAGE, GIN, APPNP | arXiv preprint | Link | Link |
| 2022 | Defending Against Backdoor Attack on Graph Nerual Network by Explainability | Defense | graph classification task | GraphConv, GIN | arXiv | Link | |
| 2022 | Adversarial for Social Privacy: A Poisoning Strategy to Degrade User Identity Linkage | Defense | user identity linkage | GCNs | arXiv | Link | |
| 2022 | Towards an Optimal Asymmetric Graph Structure for Robust Semi-supervised Node Classification | Defense | semi-supervised node classification | GCN | KDD 2022 | Link | |
| 2022 | Reliable Representations Make A Stronger Defender: Unsupervised Structure Refinement for Robust GNN | Defense | Node Classification | GNNs | KDD 2022 | Link | |
| 2022 | Robust Graph Representation Learning for Local Corruption Recovery | Defense | Node Attribute Recovery | GNNs | ICML 2022 Workshop | Link | |
| 2022 | Appearance and Structure Aware Robust Deep Visual Graph Matching: Attack, Defense and Beyond | Defense | Graph Matching | Graph Matching Algs | CVPR 2022 | Link | Link |
| 2022 | Large-Scale Privacy-Preserving Network Embedding against Private Link Inference Attacks | Defense | Privacy Protection | Network Embedding Algs | Arxiv | Link | |
| 2022 | Detecting Topology Attacks against Graph Neural Networks | Defense | Node Classification | GNNs | Arxiv | Link | |
| 2022 | GUARD: Graph Universal Adversarial Defense | Defense | Node Classification | GNNs | Arxiv | Link | Link |
| 2022 | Robust Graph Neural Networks via Ensemble Learning | Defense | Node Classification | GNNs | Mathematics | Link | |
| 2022 | AN-GCN: An Anonymous Graph Convolutional Network Against Edge-Perturbing Attacks | Defense | Node Classification | GNNs | IEEE TNNLS | Link | |
| 2022 | Exploring High-Order Structure for Robust Graph Structure Learning | Defense | Node Classification | GNNs | Arxiv | Link | |
| 2022 | Defending Graph Convolutional Networks against Dynamic Graph Perturbations via Bayesian Self-supervision | Defense | Node Classification | GNNs | AAAI 2022 | Link | Link |
| 2022 | Graph alternate learning for robust graph neural networks in node classification | Defense | Node Classification | GNNs | Neural Computing and Applications | Link | |
| 2022 | Robust Heterogeneous Graph Neural Networks against Adversarial Attacks | Defense | Node Classification | Heterogeneous GNNs | AAAI 2022 | Link | |
| 2022 | How Does Bayesian Noisy Self-Supervision Defend Graph Convolutional Networks? | Defense | Node Classification | GNNs | Neural Processing Letters | Link | |
| 2022 | GARNET: Reduced-Rank Topology Learning for Robust and Scalable Graph Neural Networks | Defense | Node Classification | GNNs | Arxiv | Link | |
| 2022 | Mind Your Solver! On Adversarial Attack and Defense for Combinatorial Optimization | Defense | Combinatorial Optimization | Combinatorial Optimization Methods | Arxiv | Link | |
| 2022 | Unsupervised Adversarially Robust Representation Learning on Graphs | Defense | Node Classification, Link Prediction, Community Detection | GNNs | AAAI 2022 | Link | |

Defense Papers 2021 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2021 | Mind Your Solver! On Adversarial Attack and Defense for Combinatorial Optimization | Defense | Combinatorial Optimization | Combinatorial Optimization Methods | Arxiv | Link | |
| 2021 | Robust Graph Neural Networks via Probabilistic Lipschitz Constraints | Defense | Decentralized Control | GNNs | Arxiv | Link | |
| 2021 | Graph-based Adversarial Online Kernel Learning with Adaptive Embedding | Defense | Node Classification | Kernel Learning Models | ICDM 2021 | | |
| 2021 | Not All Low-Pass Filters are Robust in Graph Convolutional Networks | Defense | Node Classification | GCN | NeurIPS 2021 | Link | |
| 2021 | Graph Neural Networks with Adaptive Residual | Defense | Node Classification, Abnormal Features | GNNs | NeurIPS 2021 | Link | |
| 2021 | Generalization of Neural Combinatorial Solvers Through the Lens of Adversarial Robustness | Defense | Combinatorial Optimization | Combinatorial Solvers | NeurIPS 2021 | Link | |
| 2021 | Defending Graph Neural Networks via Tensor-Based Robust Graph Aggregation | Defense | Node Classification | GNNs | ICLR 2022 OpenReview | Link | |
| 2021 | Robust Graph Data Learning with Latent Graph Convolutional Representation | Defense | Node Classification, Node Clustering | GNNs | ICLR 2022 OpenReview | Link | |
| 2021 | Edge Rewiring Goes Neural: Boosting Network Resilience via Policy Gradient | Defense | Graph Resilience | GNNs | ICLR 2022 OpenReview | Link | |
| 2021 | On the Relationship between Heterophily and Robustness of Graph Neural Networks | Defense | Node Classification | GNNs | ICLR 2022 OpenReview | Link | |
| 2021 | A General Unified Graph Neural Network Framework Against Adversarial Attacks | Defense | Node Classification | GNNs | ICLR 2022 OpenReview | Link | |
| 2021 | Node Copying: A Random Graph Model for Effective Graph Sampling | Defense | Node Classification | GNNs | Signal Processing | Link | |
| 2021 | Node Feature Kernels Increase Graph Convolutional Robustness | Defense | Node Classification | GNNs | Arxiv | Link | Link |
| 2021 | Speedup Robust Graph Structure Learning with Low-Rank Information | Defense | Node Classification | GNNs | CIKM 2021 | Link | |
| 2021 | A Lightweight Metric Defence Strategy for Graph Neural Networks Against Poisoning Attacks | Defense | Node Classification | GNNs | ICICS 2021 | Link | Link |
| 2021 | CoG: a Two-View Co-training Framework for Defending Adversarial Attacks on Graph | Defense | Node Classification | GCN | Arxiv | Link | |
| 2021 | Robust Counterfactual Explanations on Graph Neural Networks | Defense | Link Prediction | Probabilistic Network Embedding Models | Arxiv | Link | |
| 2021 | Elastic Graph Neural Networks | Defense | Node classification | GNNs | ICML 2021 | Link | Link |
| 2021 | Expressive 1-Lipschitz Neural Networks for Robust Multiple Graph Learning against Adversarial Attacks | Defense | Graph Classification, Graph Matching | GNNs | ICML 2021 | Link | |
| 2021 | Integrated Defense for Resilient Graph Matching | Defense | Graph Matching | Graph Matching Algs | ICML 2021 | Link | |
| 2021 | NetFense: Adversarial Defenses against Privacy Attacks on Neural Networks for Graph Data | Defense | Privacy Protection | GNNs | TKDE | Link | |
| 2021 | Stability of graph convolutional neural networks to stochastic perturbations | Defense | Robustness Certification | GNNs | Signal Processing | Link | |
| 2021 | DeepInsight: Interpretability Assisting Detection of Adversarial Samples on Graphs | Defense | Node Classification | GNNs | Arxiv | Link | |
| 2021 | Improving Robustness of Graph Neural Networks with Heterophily-Inspired Designs | Defense | Node Classification | GNNs | Arxiv | Link | |
| 2021 | Understanding Structural Vulnerability in Graph Convolutional Networks | Defense | Node Classification | GNNs | IJCAI 2021 | Link | Link |
| 2021 | Certified Robustness of Graph Neural Networks against Adversarial Structural Perturbation | Defense | Robustness Certification | GNNs | KDD 2021 | Link | |
| 2021 | Unveiling Anomalous Nodes Via Random Sampling and Consensus on Graphs | Defense | Anomaly Detection | Anomaly Detection Algs | ICASSP 2021 | Link | |
| 2021 | Graph Sanitation with Application to Node Classification | Defense | Node Classification | GNNs | Arxiv | Link | |
| 2021 | Robust Network Alignment via Attack Signal Scaling and Adversarial Perturbation Elimination | Defense | Network Alignment | Network Alignment Algorithms | WWW 2021 | Link | |
| 2021 | Information Obfuscation of Graph Neural Networks | Defense | Recommender System, Knowledge Graph, Quantum Chemistry | GNNs | ICML 2021 | Link | Link |
| 2021 | Graph Embedding for Recommendation against Attribute Inference Attacks | Defense | Recommender System | GCN | WWW 2021 | Link | |
| 2021 | Spatio-Temporal Sparsification for General Robust Graph Convolution Networks | Defense | Node Classification | GCN | Arxiv | Link | |
| 2021 | Detection and Defense of Topological Adversarial Attacks on Graphs | Defense | Node Classification | GCN | AISTATS 2021 | Link | |
| 2021 | Robust graph convolutional networks with directional graph adversarial training | Defense | Node Classification | GCN | Applied Intelligence | Link | |
| 2021 | Interpretable Stability Bounds for Spectral Graph Filters | Defense | Robustness Certification | Spectral Graph Filter | Arxiv | Link | |
| 2021 | Personalized privacy protection in social networks through adversarial modeling | Defense | Privacy Protection | GCN | AAAI 2021 | Link | |
| 2021 | Node Similarity Preserving Graph Convolutional Networks | Defense | Node Classification | GNNs | WSDM 2021 | Link | Link |

Defense Papers 2020 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2020 | Graph Stochastic Neural Networks for Semi-supervised Learning | Defense | Node Classification | GNNs | NeurIPS 2020 | Link | Link |
| 2020 | Smoothing Adversarial Training for GNN | Defense | Node Classification, Community Detection | GCN | IEEE TCSS | Link | |
| 2020 | Unsupervised Adversarially-Robust Representation Learning on Graphs | Defense | Node Classification | GNNs | Arxiv | Link | |
| 2020 | AANE: Anomaly Aware Network Embedding For Anomalous Link Detection | Defense | Node Classification | GNNs | ICDM 2020 | Link | |
| 2020 | Provably Robust Node Classification via Low-Pass Message Passing | Defense | Anomaly Detection | GNNs | ICDM 2020 | Link | |
| 2020 | Learning to Drop: Robust Graph Neural Network via Topological Denoising | Defense | Node Classification | GNNs | WSDM 2021 | Link | Link |
| 2020 | Robust Android Malware Detection Based on Attributed Heterogenous Graph Embedding | Defense | Malware Detection | Heterogeneous Information Network Embedding | FCS 2020 | Link | |
| 2020 | Adversarial Detection on Graph Structured Data | Defense | Graph Classification | GNNs | PPMLP 2020 | Link | |
| 2020 | On the Stability of Graph Convolutional Neural Networks under Edge Rewiring | Defense | Robustness Certification | GNNs | Arxiv | Link | |
| 2020 | Collective Robustness Certificates | Defense | Robustness Certification | GNNs | ICLR 2021 | Link | |
| 2020 | Towards Robust Graph Neural Networks against Label Noise | Defense | Node Classification | GNNs | ICLR 2021 OpenReview | Link | |
| 2020 | Certifying Robustness of Graph Laplacian Based Semi-Supervised Learning | Defense | Robustness Certification | GNNs | ICLR 2021 OpenReview | Link | |
| 2020 | Graph Adversarial Networks: Protecting Information against Adversarial Attacks | Defense | Node Attribute Inference | GNNs | ICLR 2021 OpenReview | Link | |
| 2020 | Ricci-GNN: Defending Against Structural Attacks Through a Geometric Approach | Defense | Node Classification | GNNs | ICLR 2021 OpenReview | Link | |
| 2020 | Graph Contrastive Learning with Augmentations | Defense | Node Classification | GNNs | NeurIPS 2020 | Link | Link |
| 2020 | Graph Information Bottleneck | Defense | Node Classification | GNNs | NeurIPS 2020 | Link | Link |
| 2020 | Certified Robustness of Graph Convolution Networks for Graph Classification under Topological Attacks | Defense | Graph Classification | GCN | NeurIPS 2020 | Link | Link |
| 2020 | Reliable Graph Neural Networks via Robust Aggregation | Defense | Node Classification | GNNs | NeurIPS 2020 | Link | Link |
| 2020 | Graph Random Neural Networks for Semi-Supervised Learning on Graphs | Defense | Node Classification | GCN | NeurIPS 2020 | Link | Link |
| 2020 | Variational Inference for Graph Convolutional Networks in the Absence of Graph Data and Adversarial Settings | Defense | Node Classification | GCN | NeurIPS 2020 | Link | Link |
| 2020 | GNNGuard: Defending Graph Neural Networks against Adversarial Attacks | Defense | Node Classification | GNNs | NeurIPS 2020 | Link | Link |
| 2020 | A Feature-Importance-Aware and Robust Aggregator for GCN | Defense | Node Classification, Graph Classification | GNNs | CIKM 2020 | Link | Link |
| 2020 | Uncertainty-Matching Graph Neural Networks to Defend Against Poisoning Attacks | Defense | Node Classification | GNNs | AAAI 2021 | Link | |
| 2020 | Cross Entropy Attack on Deep Graph Infomax | Defense | Node Classification | DGI | IEEE ISCAS | Link | |
| 2020 | RoGAT: a robust GNN combined revised GAT with adjusted graphs | Defense | Node Classification | GNNs | Arxiv | Link | |
| 2020 | A Novel Defending Scheme for Graph-Based Classification Against Graph Structure Manipulating Attack | Defense | Node Classification | MRF | SocialSec | Link | |
| 2020 | Uncertainty-aware Attention Graph Neural Network for Defending Adversarial Attacks | Defense | Node Classification | GNNs | AAAI 2021 | Link | |
| 2020 | Certified Robustness of Graph Classification against Topology Attack with Randomized Smoothing | Defense | Graph Classification | GCB | IEEE GLOBECOM 2020 | Link | |
| 2020 | Adversarial Immunization for Improving Certifiable Robustness on Graphs | Defense | Node Classification | GNNs | WSDM 2021 | Link | |
| 2020 | Robust Collective Classification against Structural Attacks | Defense | Node Classification | Associative Markov Networks | UAI 2020 | Link | |
| 2020 | Enhancing Robustness of Graph Convolutional Networks via Dropping Graph Connections | Defense | Node Classification | GCN | Preprint | Link | |
| 2020 | Robust Training of Graph Convolutional Networks via Latent Perturbation | Defense | Node Classification | GCN | ECML-PKDD 2020 | Link | |
| 2020 | Backdoor Attacks to Graph Neural Networks | Defense | Graph Classification | GNNs | Arxiv | Link | |
| 2020 | DefenseVGAE: Defending against Adversarial Attacks on Graph Data via a Variational Graph Autoencoder | Defense | Node Classification | GNNs | Arxiv | Link | Link |
| 2020 | Robust Spammer Detection by Nash Reinforcement Learning | Defense | Fraud Detection | Graph-based Fraud Detector | KDD 2020 | Link | Link |
| 2020 | Certifiable Robustness of Graph Convolutional Networks under Structure Perturbations | Defense | Robustness Certification | GCN | KDD 2020 | Link | Link |
| 2020 | Efficient Robustness Certificates for Discrete Data: Sparsity-Aware Randomized Smoothing for Graphs, Images and More | Defense | Robustness Certification | GNN | ICML 2020 | Link | Link |
| 2020 | Robust Graph Representation Learning via Neural Sparsification | Defense | Node Classification | GNN | ICML 2020 | Link | |
| 2020 | Graph Structure Learning for Robust Graph Neural Networks | Defense | Node Classification | GCN | KDD 2020 | Link | Link |
| 2020 | GCN-Based User Representation Learning for Unifying Robust Recommendation and Fraudster Detection | Defense | Recommender System | GCN | SIGIR 2020 | Link | |
| 2020 | Anonymized GCN: A Novel Robust Graph Embedding Method via Hiding Node Position in Noise | Defense | Node Classification | GCN | Arxiv | Link | |
| 2020 | A Robust Hierarchical Graph Convolutional Network Model for Collaborative Filtering | Defense | Recommender System | GCN | Arxiv | Link | |
| 2020 | On The Stability of Polynomial Spectral Graph Filters | Defense | Graph Property | Spectral Graph Filter | ICASSP 2020 | Link | Link |
| 2020 | On the Robustness of Cascade Diffusion under Node Attacks | Defense | Influence Maximization | IC Model | WWW 2020 Workshop | Link | Link |
| 2020 | Friend or Faux: Graph-Based Early Detection of Fake Accounts on Social Networks | Defense | Fraud Detection | Graph-based Fraud Detectors | WWW 2020 | Link | |
| 2020 | Tensor Graph Convolutional Networks for Multi-relational and Robust Learning | Defense | Node Classification | GCN | Arxiv | Link | |
| 2020 | Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks | Defense | Node Classification | Privacy Protection | AAAI 2020 | Link | |
| 2020 | Improving the Robustness of Wasserstein Embedding by Adversarial PAC-Bayesian Learning | Defense | Robustness Certification | Wasserstein Embedding | AAAI 2020 | Link | |
| 2020 | Adversarial Perturbations of Opinion Dynamics in Networks | Defense | Manipulating Opinion | Graph Model | Arxiv | Link | |
| 2020 | Topological Effects on Attacks Against Vertex Classification | Defense | Node Classification | GCN | Arxiv | Link | |
| 2020 | Towards an Efficient and General Framework of Robust Training for Graph Neural Networks | Defense | Node Classification | GCN | ICASSP 2020 | Link | |
| 2020 | Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing | Defense | Community Detection | Community Detection Algs | WWW 2020 | Link | |
| 2020 | Data Poisoning Attacks on Graph Convolutional Matrix Completion | Defense | Recommender System | GCMC | ICA3PP 2019 | Link | |

Defense Papers 2019 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2019 | How Robust Are Graph Neural Networks to Structural Noise? | Defense | Node Structural Identity Prediction | GIN | Arxiv | Link | |
| 2019 | GraphDefense: Towards Robust Graph Convolutional Networks | Defense | Node Classification | GCN | Arxiv | Link | |
| 2019 | All You Need is Low (Rank): Defending Against Adversarial Attacks on Graphs | Defense | Node Classification | GCN, Tensor Embedding | WSDM 2020 | Link | Link |
| 2019 | αCyber: Enhancing Robustness of Android Malware Detection System against Adversarial Attacks on Heterogeneous Graph based Model | Defense | Malware Detection | HIN | CIKM 2019 | Link | |
| 2019 | Edge Dithering for Robust Adaptive Graph Convolutional Networks | Defense | Node Classification | GCN | Arxiv | Link | |
| 2019 | GraphSAC: Detecting anomalies in large-scale graphs | Defense | Anomaly Detection | Anomaly Detection Algs | Arxiv | Link | |
| 2019 | Certifiable Robustness to Graph Perturbations | Defense | Robustness Certification | GNN | NeurIPS 2019 | Link | Link |
| 2019 | Power up! Robust Graph Convolutional Network based on Graph Powering | Defense | Node Classification | GCN | Openreview | Link | Link |
| 2019 | Adversarial Robustness of Similarity-Based Link Prediction | Defense | Link Prediction | Local Similarity Metrics | ICDM 2019 | Link | |
| 2019 | Adversarial Training Methods for Network Embedding | Defense | Node Classification | DeepWalk | WWW 2019 | Link | Link |
| 2019 | Transferring Robustness for Graph Neural Network Against Poisoning Attacks | Defense | Node Classification | GNN | WSDM 2020 | Link | Link |
| 2019 | Improving Robustness to Attacks Against Vertex Classification | Defense | Node Classification | GCN | KDD Workshop 2019 | Link | |
| 2019 | Target Defense Against Link-Prediction-Based Attacks via Evolutionary Perturbations | Defense | Link Prediction | Link Prediction Algs | TKDE | Link | |
| 2019 | Latent Adversarial Training of Graph Convolution Networks | Defense | Node Classification | GCN | LRGSD@ICML | Link | |
| 2019 | Certifiable Robustness and Robust Training for Graph Convolutional Networks | Defense | Robustness Certification | GCN | KDD 2019 | Link | Link |
| 2019 | Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective | Defense | Node Classification | GNN | IJCAI 2019 | Link | Link |
| 2019 | Adversarial Examples on Graph Data: Deep Insights into Attack and Defense | Defense | Node Classification | GCN | IJCAI 2019 | Link | Link |
| 2019 | Adversarial Defense Framework for Graph Neural Network | Defense | Node Classification | GCN, GraphSAGE | Arxiv | Link | |
| 2019 | Investigating Robustness and Interpretability of Link Prediction via Adversarial Modifications | Defense | Link Prediction | Knowledge Graph Embedding | NAACL 2019 | Link | |
| 2019 | Robust Graph Convolutional Networks Against Adversarial Attacks | Defense | Node Classification | GCN | KDD 2019 | Link | Link |
| 2019 | Can Adversarial Network Attack be Defended? | Defense | Node Classification | GNN | Arxiv | Link | |
| 2019 | Virtual Adversarial Training on Graph Convolutional Networks in Node Classification | Defense | Node Classification | GCN | PRCV 2019 | Link | |
| 2019 | Batch Virtual Adversarial Training for Graph Convolutional Networks | Defense | Node Classification | GCN | LRGSD@ICML | Link | |
| 2019 | Comparing and Detecting Adversarial Attacks for Graph Deep Learning | Defense | Node Classification | GCN, GAT, Nettack | RLGM@ICLR 2019 | Link | |
| 2019 | Graph Adversarial Training: Dynamically Regularizing Based on Graph Structure | Defense | Node Classification | GCN | TKDE | Link | Link |

Defense Papers 2018 [Back to Top]

| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
|---|---|---|---|---|---|---|---|
| 2018 | Characterizing Malicious Edges targeting on Graph Neural Networks | Defense | Detected Added Edges | GNN, GCN | OpenReview | Link | |
| 2018 | PeerNets: Exploiting Peer Wisdom Against Adversarial Attacks | Defense | Image Classification | LeNet, ResNet | ICLR 2019 | Link | |