This repository contains 61 Attack-related papers, 66 Defense-related papers, 12 Robustness Certification papers, 2 Other papers, and 4 Surveys, ranging from 2017 to 2020. All papers are available for download from Latest Release.
If you find this repository useful, please cite:
A Survey of Adversarial Learning on Graph, Arxiv'20, 📝Paper
@article{chen2020survey,
title={A Survey of Adversarial Learning on Graph},
author={Chen, Liang and Li, Jintang and Peng, Jiaying and Xie, Tao and Cao, Zengxu and Xu, Kun and He, Xiangnan and Zheng, Zibin},
journal={arXiv preprint arXiv:2003.05730},
year={2020}
}
Efficient Evasion Attacks to Graph Neural Networks via Influence Function 📝Arxiv
Model
Influence-based Attack
Algorithm
Influence Function
Surrogate
Target Task
Node Classification
Target Model
GCN, SGC
Baseline
OTA-KL, OTA-UL, Iter-KL, Iter-UL
Metric
ASR, Running Time
Dataset
Cora, CiteSeer, Pubmed
Reinforcement Learning-based Black-Box Evasion Attacks to Link Prediction in Dynamic Graphs 📝Arxiv
Model
RL-based Attack
Algorithm
Reinforcement Learning
Surrogate
Target Task
Link Prediction
Target Model
DyGCN
Baseline
Random-whole, Random-partial
Metric
F1
Dataset
Haggle, Hypertext, Trapping
Semantic-preserving Reinforcement Learning Attack Against Graph Neural Networks for Malware Detection 📝Arxiv
Adaptive Adversarial Attack on Graph Embedding via GAN 📝SocialSec
Scalable Adversarial Attack on Graph Neural Networks with Alternating Direction Method of Multipliers 📝Arxiv
One Vertex Attack on Graph Neural Networks-based Spatiotemporal Forecasting 📝ICLR OpenReview
Single-Node Attack for Fooling Graph Neural Networks 📝ICLR OpenReview
Black-Box Adversarial Attacks on Graph Neural Networks as An Influence Maximization Problem 📝ICLR OpenReview
Adversarial Attacks on Deep Graph Matching 📝NeurIPS
Black-Box Adversarial Attacks on Graph Neural Networks with Limited Node Access 📝NeurIPS
A Graph Matching Attack on Privacy-Preserving Record Linkage 📝CIKM
2019
📝17 papers in total
A Unified Framework for Data Poisoning Attack to Graph-based Semi-supervised Learning 📝NeurIPS Code
Model
G-SSL
Algorithm
Gradient based asymptotic linear algorithm
Surrogate
Target Task
Classification, Regression
Target Model
Label propagation & regularization algs
Baseline
Random, PageRank, Degree
Metric
Error rate, RMSE
Dataset
cadata, E2006, mnist17, rcv1
Adversarial Examples on Graph Data: Deep Insights into Attack and Defense 📝IJCAI Code
Model
IG-FGSM, IG-JSMA
Algorithm
Gradient
Surrogate
GCN
Target Task
Node Classification
Target Model
GCN
Baseline
FGSM, JSMA, Nettack
Metric
Classification Margin, Accuracy
Dataset
Cora, CiteSeer, PolBlogs
Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective 📝IJCAI Code
Model
PGD, Min-Max
Algorithm
Gradient
Surrogate
GCN
Target Task
Node Classification
Target Model
GCN
Baseline
DICE, Metattack, Greedy
Metric
Misclassification Rate
Dataset
Cora, CiteSeer
Adversarial Attacks on Graph Neural Networks via Meta Learning 📝ICLR Code
Model
Metattack
Algorithm
Gradient
Surrogate
GCN
Target Task
Node Classification
Target Model
GCN, CLN, DeepWalk
Baseline
DICE, Nettack, First-order
Metric
Misclassification Rate, Accuracy
Dataset
Cora, CiteSeer, PolBlogs, PubMed
αCyber: Enhancing Robustness of Android Malware Detection System against Adversarial Attacks on Heterogeneous Graph based Model 📝CIKM
Model
HG-Attack
Algorithm
Label propagation algorithm, Nodes injection
Surrogate
Target Task
Malware Detection
Target Model
Orig-HGC
Baseline
AN-Attack
Metric
TP, TN, FP, FN, F1, Precision, Recall, Accuracy
Dataset
Tencent Security Lab Dataset
Data Poisoning Attack against Knowledge Graph Embedding 📝IJCAI
Adversarial Attacks on Node Embeddings via Graph Poisoning 📝ICML Code
Model
Algorithm
Gradient & Eigen-perturbation
Surrogate
DeepWalk
Target Task
Node Classification, Link Prediction
Target Model
DeepWalk
Baseline
Metric
F1 Score, Classification Margin
Dataset
Cora, CiteSeer, PolBlogs
Network Structural Vulnerability A Multi-Objective Attacker Perspective 📝IEEE Trans
Multiscale Evolutionary Perturbation Attack on Community Detection 📝Arxiv
Model
EPA
Algorithm
Genetic algorithm
Surrogate
Target Task
Community Detection
Target Model
GRE, INF, LOU
Baseline
Metric
NMI, ARI
Dataset
Synthetic networks, Football, Email, Polblogs
Time-aware Gradient Attack on Dynamic Network Link Prediction 📝IJCAI
Model
TGA-Tra, TGA-Gre
Algorithm
Gradient
Surrogate
DDNE
Target Task
Link Prediction
Target Model
DDNE, ctRBM, GTRBM, dynAERNN
Baseline
Random, DGA, CNA
Metric
ASR, AML
Dataset
RADOSLAW, LKML, FB-WOSN
Attacking Graph Convolutional Networks via Rewiring 📝Arxiv
Model
ReWatt
Algorithm
Reinforcement Learning
Surrogate
GCN
Target Task
Graph Classification
Target Model
GCN
Baseline
RL-S2V, RA
Metric
ASR
Dataset
REDDIT-MULTI-12K, REDDIT-MULTI-5K, IMDB-MULTI
Unsupervised Euclidean Distance Attack on Network Embedding 📝Arxiv
Model
EDA
Algorithm
Genetic algorithm
Surrogate
DeepWalk
Target Task
Node Classification, Community Detection
Target Model
HOPE, LPA, EM, DeepWalk
Baseline
Random, DICE, RLS, DBA
Metric
NMI, Micro-F1, Macro-F1
Dataset
Karate, Game, Dolphin
Generalizable Adversarial Attacks with Latent Variable Perturbation Modelling 📝Arxiv
Model
DAGAER
Algorithm
Generative model
Surrogate
VGAE
Target Task
Node Classification
Target Model
GCN
Baseline
Nettack
Metric
ASR
Dataset
Cora, CiteSeer
Vertex Nomination, Consistent Estimation, and Adversarial Modification 📝Arxiv
PeerNets Exploiting Peer Wisdom Against Adversarial Attacks 📝ICLR (Poster) Code
2018
📝8 papers in total
Adversarial Attack on Graph Structured Data 📝ICML Code
Provably Robust Node Classification via Low-Pass Message Passing 📝ICDM
Dynamic Knowledge Graph-based Dialogue Generation with Improved Adversarial Meta-Learning 📝Arxiv
Model
KDAD
Algorithm
Adversarial Meta-learning
Defense Type
Objective-based
Target Task
Dialogue Generation
Target Model
Qadpt
Baseline
TAware, Qadpt
Metric
BLEU, PPL, DISTINCT, ...
Dataset
HGZHZ
Robust Collective Classification against Structural Attacks 📝Preprint
Model
R-AMN
Algorithm
Bound Analysis
Defense Type
Objective-based
Target Task
Node Classification
Target Model
AMN
Baseline
Struct-RSAD
Metric
Accuracy
Dataset
Reuters, WebKB, Cora, CiteSeer
Tensor Graph Convolutional Networks for Multi-relational and Robust Learning 📝Arxiv
Model
TGCN
Algorithm
Edge-dithering
Defense Type
Processing-based
Target Task
Node Classification, Protein Prediction
Target Model
GCN
Baseline
GCN
Metric
Accuracy, Macro F1
Dataset
Cora, CiteSeer, Pubmed, Polblogs, ...
Topological Effects on Attacks Against Vertex Classification 📝Arxiv
Model
StratDegree, GreedyCover
Algorithm
GreedyCover
Defense Type
Processing-based
Target Task
Node Classification
Target Model
GCN
Baseline
Random Selection
Metric
Required budget, Median margin
Dataset
Cora, CiteSeer, Pubmed, Polblogs
Evaluating Graph Vulnerability and Robustness using TIGER 📝Arxiv
Model
TIGER
Algorithm
Defense Type
Hybrid
Target Task
Node Classification
Target Model
Baseline
Metric
Average vertex betweenness, Spectral scaling, Effective resistance
Dataset
US power grid, Water Distribution Network
Adversarial Perturbations of Opinion Dynamics in Networks 📝Arxiv
Model
Algorithm
Defense Type
Target Task
Network Disruption
Target Model
Opinion dynamics models
Baseline
Metric
Polarization-disagreement index
Dataset
DefenseVGAE: Defending against Adversarial Attacks on Graph Data via a Variational Graph Autoencoder 📝Arxiv Code
Model
DefenseVGAE
Algorithm
VGAE
Defense Type
Processing-based
Target Task
Node Classification
Target Model
GCN
Baseline
GCN-Jaccard, GCN-SVD, RGCN
Metric
Accuracy
Dataset
Cora, CiteSeer, PolBlogs
GNNGuard: Defending Graph Neural Networks against Adversarial Attacks 📝NeurIPS
Model
GNNGuard
Algorithm
Network theory of homophily
Defense Type
Structure-based
Target Task
Node Classification
Target Model
GCN, GAT, GIN, ...
Baseline
GNN-Jaccard, RobustGCN, GNN-SVD
Metric
Accuracy
Dataset
Cora, CiteSeer, ogbn-arxiv, DP
Adversarial Privacy Preserving Graph Embedding against Inference Attack 📝Arxiv Code
Model
APDGE
Algorithm
Adversarial Privacy-Purged
Defense Type
Structure-based
Target Task
Privacy Protection
Target Model
GAE
Baseline
GAE RM, CDSPIA
Metric
Macro F1
Dataset
Yale, Rochester
RoGAT: a robust GNN combined revised GAT with adjusted graphs 📝Arxiv
Uncertainty-Matching Graph Neural Networks to Defend Against Poisoning Attacks 📝Arxiv
ResGCN: Attention-based Deep Residual Modeling for Anomaly Detection on Attributed Networks 📝Arxiv
A Novel Defending Scheme for Graph-Based Classification Against Graph Structure Manipulating Attack 📝SocialSec
Uncertainty-aware Attention Graph Neural Network for Defending Adversarial Attacks 📝Arxiv
Iterative Deep Graph Learning for Graph Neural Networks: Better and Robust Node Embeddings 📝NeurIPS Code
Towards Robust Graph Neural Networks against Label Noise 📝ICLR OpenReview
Graph Adversarial Networks: Protecting Information against Adversarial Attacks 📝ICLR OpenReview Code
Ricci-GNN: Defending Against Structural Attacks Through a Geometric Approach 📝ICLR OpenReview
Reliable Graph Neural Networks via Robust Location Estimation 📝NeurIPS
Graph Random Neural Networks for Semi-Supervised Learning on Graphs 📝NeurIPS Code
Variational Inference for Graph Convolutional Networks in the Absence of Graph Data and Adversarial Settings 📝NeurIPS
Provable Overlapping Community Detection in Weighted Graphs 📝NeurIPS
Community detection in sparse time-evolving graphs with a dynamical Bethe-Hessian 📝NeurIPS
Node Copying for Protection Against Graph Neural Network Topology Attacks 📝Arxiv
2019
📝23 papers in total
Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective 📝IJCAI Code
Model
Algorithm
Adversarial Training
Defense Type
Adversarial Training
Target Task
Node Classification
Target Model
GCN
Baseline
GCN
Metric
Misclassification Rate, Accuracy
Dataset
Cora, CiteSeer
Adversarial Examples on Graph Data: Deep Insights into Attack and Defense 📝IJCAI Code
Model
GCN-Jaccard
Algorithm
Drop Edges
Defense Type
Preprocessing
Target Task
Node Classification
Target Model
GCN
Baseline
GCN
Metric
Classification Margin, Accuracy
Dataset
Cora-ML, CiteSeer, PolBlogs
Investigating Robustness and Interpretability of Link Prediction via Adversarial Modifications 📝NAACL Code
Model
CRIAGE
Algorithm
Adversarial Modification
Defense Type
Robustness Evaluation
Target Task
Link Prediction
Target Model
Knowledge Graph Embedding
Baseline
Metric
Hits@K, MRR
Dataset
Nations, Kinship, WN18, YAGO3-10
Robust Graph Convolutional Networks Against Adversarial Attacks 📝KDD Code
Model
RGCN
Algorithm
Gaussian-based Graph Convolution and Attention Mechanism
Defense Type
Structure Based
Target Task
Node Classification
Target Model
GCN
Baseline
GCN, GAT
Metric
Accuracy
Dataset
Cora, CiteSeer, Pubmed
Virtual Adversarial Training on Graph Convolutional Networks in Node Classification 📝PRCV
Model
SVAT, DVAT
Algorithm
Virtual Adversarial Training
Defense Type
Adversarial Training
Target Task
Node Classification
Target Model
GCN
Baseline
GCN
Metric
Accuracy
Dataset
Cora, CiteSeer, Pubmed
Comparing and Detecting Adversarial Attacks for Graph Deep Learning 📝RLGM@ICLR
Adversarial Robustness of Similarity-Based Link Prediction 📝ICDM
Model
IDOpt, IDRank
Algorithm
Integer Program, Edge Ranking
Defense Type
Target Task
Link Prediction
Target Model
Similarity-based Link Prediction Models
Baseline
PPN
Metric
DPR
Dataset
PA, PLD, TVShow, Gov
Improving Robustness to Attacks Against Vertex Classification 📝MLG@KDD
Model
SVM with a radial basis function kernel
Algorithm
Augmented Feature, Edge Selecting
Defense Type
Hybrid
Target Task
Node Classification
Target Model
SVM
Baseline
GCN
Metric
Classification Margin
Dataset
Cora, CiteSeer
Graph Adversarial Training: Dynamically Regularizing Based on Graph Structure 📝TKDE Code
Model
GCN-GATV
Algorithm
Graph Adversarial Training, Virtual Adversarial Training
Defense Type
Adversarial Training
Target Task
Node Classification
Target Model
GCN
Baseline
LP, DeepWalk, SemiEmb, Planetoid, GCN, GraphSGAN
Metric
Accuracy
Dataset
Cora, CiteSeer, NELL
Adversarial Training Methods for Network Embedding 📝WWW Code
Model
AdvT4NE
Algorithm
Adversarial Training
Defense Type
Adversarial Training
Target Task
Network embedding
Target Model
Deepwalk
Baseline
GF, DeepWalk, LINE, Node2vec, ...
Metric
Accuracy
Dataset
Cora, CiteSeer, Wiki, CA-GrQc, CA-HepTh
GraphDefense: Towards Robust Graph Convolutional Networks 📝Arxiv
Model
GraphDefense
Algorithm
Adversarial Training
Defense Type
Adversarial Training
Target Task
Node Classification
Target Model
GCN
Baseline
Drop Edges, Discrete Adversarial Training
Metric
Accuracy
Dataset
Cora, CiteSeer, Reddit
Can Adversarial Network Attack be Defended? 📝Arxiv
Model
Global-AT, Target-AT, SD, SCEL
Algorithm
Adversarial Training, Smooth Defense
Defense Type
Hybrid
Target Task
Node Classification
Target Model
GNN
Baseline
AT
Metric
ADR, ACD
Dataset
Cora, CiteSeer, PolBlogs
Edge Dithering for Robust Adaptive Graph Convolutional Networks 📝Arxiv
Model
AGCN
Algorithm
Adaptive GCN with Edge Dithering
Defense Type
Structure Based
Target Task
Node Classification
Target Model
GCN
Baseline
GCN
Metric
Accuracy
Dataset
Cora, CiteSeer, Pubmed, PolBlogs
GraphSAC: Detecting anomalies in large-scale graphs 📝Arxiv
Model
GraphSVC
Algorithm
Random, Consensus
Defense Type
Detection Based
Target Task
Anomaly Detection
Target Model
Anomaly Model
Baseline
GAE, Amen, Radar, Degree, ...
Metric
AUC
Dataset
Cora, CiteSeer, Pubmed, PolBlogs
Adversarial Defense Framework for Graph Neural Network 📝Arxiv
Model
DefNet
Algorithm
GAN, GER, ACL
Defense Type
Hybrid
Target Task
Node Classification
Target Model
GCN, GraphSAGE
Baseline
GCN, GraphSAGE
Metric
Classification Margin
Dataset
Cora, CiteSeer, PolBlogs
Graph Interpolating Activation Improves Both Natural and Robust Accuracies in Data-Efficient Deep Learning 📝Arxiv
Adversarial Embedding: A robust and elusive Steganography and Watermarking technique 📝Arxiv
Examining Adversarial Learning against Graph-based IoT Malware Detection Systems 📝Arxiv
Target Defense Against Link-Prediction-Based Attacks via Evolutionary Perturbations 📝Arxiv
2018
📝1 paper in total
Adversarial Personalized Ranking for Recommendation 📝SIGIR Code
Model
APR, AMF
Algorithm
Adversarial Training based on MF-BPR
Defense Type
Adversarial Training
Target Task
Recommendation
Target Model
MF-BPR
Baseline
ItemPop, MF-BPR, CDAE, NeuMF, IRGAN
Metric
HR, NDCG
Dataset
Yelp, Pinterest, Gowalla
2017
📝1 paper in total
Adversarial Sets for Regularising Neural Link Predictors 📝UAI Code
Collective Robustness Certificates 📝ICLR'21 OpenReview
Certifying Robustness of Graph Laplacian Based Semi-Supervised Learning 📝ICLR'21 OpenReview
Certified Robustness of Graph Convolution Networks for Graph Classification under Topological Attacks 📝NeurIPS'20
Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing 📝WWW'20
Efficient Robustness Certificates for Discrete Data: Sparsity-Aware Randomized Smoothing for Graphs, Images and More 📝ICML'20 Code
Abstract Interpretation based Robustness Certification for Graph Convolutional Networks 📝ECAI'20
Certifiable Robustness of Graph Convolutional Networks under Structure Perturbation 📝NeurIPS Code
Certified Robustness of Graph Classification against Topology Attack with Randomized Smoothing 📝NeurIPS
Adversarial Immunization for Improving Certifiable Robustness on Graphs 📝Arxiv'20
Certified Robustness of Graph Neural Networks against Adversarial Structural Perturbation 📝Arxiv'20
Certifiable Robustness and Robust Training for Graph Convolutional Networks 📝KDD'19 Code
Certifiable Robustness to Graph Perturbations 📝NeurIPS'19 Code
A Survey of Adversarial Learning on Graph 📝Arxiv'20
Adversarial Attacks and Defenses on Graphs: A Review and Empirical Study 📝Arxiv'20
Adversarial Attacks and Defenses in Images, Graphs and Text: A Review 📝Arxiv'19
Adversarial Attack and Defense on Graph Data: A Survey 📝Arxiv'18