Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/safe-graph/graph-adversarial-learning-literature
A curated list of adversarial attacks and defenses papers on graph-structured data.
https://github.com/safe-graph/graph-adversarial-learning-literature
List: graph-adversarial-learning-literature
adversarial-attacks adversarial-machine-learning awesome-list data-mining deep-learning graph-algorithms graph-attack graph-data literature-review machine-learning security survey
Last synced: 3 months ago
JSON representation
A curated list of adversarial attacks and defenses papers on graph-structured data.
- Host: GitHub
- URL: https://github.com/safe-graph/graph-adversarial-learning-literature
- Owner: safe-graph
- Created: 2019-04-26T19:41:49.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2023-12-15T22:03:27.000Z (6 months ago)
- Last Synced: 2024-03-25T12:09:21.430Z (3 months ago)
- Topics: adversarial-attacks, adversarial-machine-learning, awesome-list, data-mining, deep-learning, graph-algorithms, graph-attack, graph-data, literature-review, machine-learning, security, survey
- Homepage:
- Size: 544 KB
- Stars: 797
- Watchers: 37
- Forks: 128
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Lists
- RS-Adversarial-Learning - :octocat:Link
- Awesome-Paper-List - Graph Adversarial Learning
- awesome-machine-learning-resources - **[List - graph/graph-adversarial-learning-literature?style=social) (Table of Contents)
- awesome-stars - graph-adversarial-learning-literature - structured data. | safe-graph | 814 | (Others)
- awesome-artificial-intelligence-research - Graph Adversarial Learning
- ultimate-awesome - graph-adversarial-learning-literature - A curated list of adversarial attacks and defenses papers on graph-structured data. (Other Lists / Julia Lists)
README
Awesome Graph Adversarial Learning Literature
A curated list of adversarial attacks and defenses papers on graph-structured data.
Papers are sorted by their uploaded dates in descending order.
If you want to add new entries, please make PRs with the same format.
This list serves as a complement to the survey below.
[**Adversarial Attack and Defense on Graph Data: A Survey** ](https://arxiv.org/abs/1812.10528) **(Updated in Oct 2022. More than 110 papers reviewed).**
- Arxiv Version (Latest)
```bibtex
@article{sun2018adversarial,
title={Adversarial Attack and Defense on Graph Data: A Survey},
author={Sun, Lichao and Dou, Yingtong and Yang, Carl and Kai Zhang and Wang, Ji and Yixin Liu and Yu, Philip S. and He, Lifang and Li, Bo},
journal={arXiv preprint arXiv:1812.10528},
year={2018}
}
```
- TKDE Version
```bibtex
@article{sun2022adversarial,
title={Adversarial attack and defense on graph data: A survey},
author={Sun, Lichao and Dou, Yingtong and Yang, Carl and Zhang, Kai and Wang, Ji and Philip, S Yu and He, Lifang and Li, Bo},
journal={IEEE Transactions on Knowledge and Data Engineering},
year={2022},
publisher={IEEE}
}
```
If you feel this repo is helpful, please cite the survey above.
## How to Search?
Search keywords like conference name (e.g., ```NeurIPS```), task name (e.g., ```Link Prediction```), model name (e.g., ```DeepWalk```), or method name (e.g., ```Robust```) over the webpage to quickly locate related papers.
## Quick Links
**Attack papers sorted by year:** | [2023](#attack-papers-2023-back-to-top) | [2022](#attack-papers-2022-back-to-top) | [2021](#attack-papers-2021-back-to-top) | [2020](#attack-papers-2020-back-to-top) | [2019](#attack-papers-2019-back-to-top) | [2018](#attack-papers-2018-back-to-top) | [2017](#attack-papers-2017-back-to-top) |
**Defense papers sorted by year:** | [2023](#defense-papers-2023-back-to-top) | [2022](#defense-papers-2022-back-to-top) | [2021](#defense-papers-2021-back-to-top) | [2020](#defense-papers-2020-back-to-top) | [2019](#defense-papers-2019-back-to-top) | [2018](#defense-papers-2018-back-to-top) |
## Attack
### Attack Papers 2023 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------ | ----------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2023 | **Revisiting Robustness in Graph Machine Learning**| Attack | Node Classification | GCN, SGC, APPNP, GAT, GATv2, GraphSAGE, LP | ICLR'23 | [Link](https://arxiv.org/pdf/2305.00851.pdf) | [Link](https://github.com/saper0/revisiting_robustness)|
| 2023 | **Unnoticeable Backdoor Attacks on Graph Neural Networks**| Attack | Node classification, Graph classification | GCN, GraphSage, and GAT | ArXiv | [Link](https://arxiv.org/abs/2303.01263) | [Link](https://github.com/ventr1c/UGBA)
| 2023 | **Attacking Fake News Detectors via Manipulating News Social Engagement** | Attack | Fake News Detection| GAT, GCN, and GraphSAGE) | WWW'23 | [Link](https://arxiv.org/pdf/2302.07363.pdf) | [Link](https://github.com/hwang219/AttackFakeNews)
| 2023 | **HyperAttack: Multi-Gradient-Guided White-box Adversarial Structure Attack of Hypergraph Neural Networks** | Attack | Node Classification | HGNNs | ArXiv | [Link](https://arxiv.org/abs/2302.12407) |
| 2023 | **Turning Strengths into Weaknesses: A Certified Robustness Inspired Attack Framework against Graph Neural Networks** | Attack | Node Classification | GCN | CVPR'23 | [Link](https://arxiv.org/abs/2303.06199) |
| 2023 | **Adversary for Social Good: Leveraging Attribute-Obfuscating Attack to Protect User Privacy on Social Networks** | Attack | Attribute Protection On Social Networks | GNNs | SecureComm 2022 | [Link](https://link.springer.com/chapter/10.1007/978-3-031-25538-0_37) | |
| 2023 | **Node Injection for Class-specific Network Poisoning** | Attack | Node Classification | GCN | arXiv | [Link](https://arxiv.org/abs/2301.12277) | [Link](https://github.com/rahulk207/nicki) |
| 2023 | **GUAP: Graph Universal Attack Through Adversarial Patching** | Attack | Node Classification | GCN | arXiv | [Link](https://arxiv.org/abs/2301.01731) | [Link](https://anonymous.4open.science/r/ffd4fad9-367f-4a2a-bc65-1a7fe23d9d7f/) |
### Attack Papers 2022 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------ | ----------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2022 | **GANI: Global Attacks on Graph Neural Networks via Imperceptible Node Injections** | Attack | Node Classification | GCN/SGC/Jaccard/SimPGCN | Arxiv | [Link](https://arxiv.org/abs/2210.12598) | |
| 2022 | **Motif-Backdoor: Rethinking the Backdoor Attack on Graph Neural Networks via Motifs** | Attack | Graph Classification | GCN/SAGPool/GIN/ | Arxiv | [Link](https://arxiv.org/abs/2210.13710) | |
| 2022 | **Towards Reasonable Budget Allocation in Untargeted Graph Structure Attacks via Gradient Debias** | Attack | Node Classification | GCN/GAT/GraphSAGE | NeurIPS 2022 | [Link](https://openreview.net/forum?id=vkGk2HI8oOP) | [Link](https://github.com/Zihan-Liu-00/GraD--NeurIPS22) |
| 2022 | **Imperceptible Adversarial Attacks on Discrete-Time Dynamic Graph Models** | Attack | Dynamic Link Prediction/Node Classification | GC-LSTM/EVOLVEGCN/DYSAT | NeurIPS 2022 Workshop TGL | [Link](https://openreview.net/forum?id=YMrdoXP3x_A) | |
| 2022 | **A2S2-GNN: Rigging GNN-Based Social Status by Adversarial Attacks in Signed Social Networks** | Attack | Classification in unsigned or undirected graphs | GNNs | IEEE Transactions on Information Forensics and Security | [Link](https://ieeexplore.ieee.org/abstract/document/9936655) | |
| 2022 | **Let Graph be the Go Board: Gradient-free Node Injection Attack for Graph Neural Networks via Reinforcement Learning** | Attack | Node Classification | GCN/SGC/GAT/APPNP | AAAI23 | [Link](https://arxiv.org/abs/2211.10782) | [Link](https://github.com/jumxglhf/G2A2C) |
| 2022 | **QuerySnout: Automating the Discovery of Attribute Inference Attacks against Query-Based Systems** | Attack | Query-based systems attribute inference | Diffix/TableBuilder/SimpleQBS | CCS 2022 | [Link](https://dl.acm.org/doi/abs/10.1145/3548606.3560581) | [Link](https://github.com/computationalprivacy/querysnout) |
| 2022 | **Are Defenses for Graph Neural Networks Robust?** | Attack | Node Classification | GNN, GCN, Jaccard GCN, SVD GCN, GNNGuard, RGCN, ProGNN, GRAND, Soft Median GDC | NeurIPS 2022 | [Link](https://www.cs.cit.tum.de/daml/are-gnn-defenses-robust/) | [Link](https://github.com/LoadingByte/are-gnn-defenses-robust) |
| 2022 | **Poisoning GNN-based Recommender Systems with Generative Surrogate-based Attacks** | Attack | Promotion/Recommendation/Re-producing | GNN | ACM TIS | [Link](https://dl.acm.org/doi/abs/10.1145/3567420) | |
| 2022 | **Dealing with the unevenness: deeper insights in graph-based attack and defense** | Attack | Set-Cover problem | GCN, RGCN, GCN-Jaccard, Pro-GNN | Machine Learning | [Link](https://link.springer.com/article/10.1007/s10994-022-06234-4) | |
| 2022 | **Membership Inference Attacks Against Robust Graph Neural Network** | Attack | Membership Inference | GCN | CSS 2022 | [Link](https://link.springer.com/chapter/10.1007/978-3-031-18067-5_19) | |
| 2022 | **Sparse Vicious Attacks on Graph Neural Networks** | Attack | Link prediction | GNN | arXiv | [Link](https://arxiv.org/abs/2209.09688) | [Link](https://github.com/GiovanniTRA/SAVAGE) |
| 2022 | **Model Inversion Attacks against Graph Neural Networks** | Attack | Node Classification | GCN, GAT and GraphSAGE | TKDE | [Link](https://ieeexplore.ieee.org/abstract/document/9895303/) | [Link](https://github.com/zaixizhang/GraphMI) |
| 2022 | **Exploratory Adversarial Attacks on Graph Neural Networks for Semi-Supervised Node Classification** | Attack | Semi-Supervised Node Classification | GNN | Pattern Recognition | [Link](https://www.sciencedirect.com/science/article/pii/S0031320322005222) | |
| 2022 | **Adversarial Inter-Group Link Injection Degrades the Fairness of Graph Neural Networks** | Attack | node classification | GNN | IEEE ICDM 2022 | [Link](https://arxiv.org/abs/2209.05957) | [Link](https://github.com/mengcao327/attack-gnn-fairness) |
| 2022 | **Resisting Graph Adversarial Attack via Cooperative Homophilous Augmentation** | Attack | semi-Supervised Node Classification | GNN | ECML PKDD 2022 | [Link](https://2022.ecmlpkdd.org/wp-content/uploads/2022/09/sub_938.pdf) | |
| 2022 | **What Does the Gradient Tell When Attacking the Graph Structure** | Attack | Node Classification | GCN, GraphSage and H2GCN | arXiv | [Link](https://arxiv.org/abs/2208.12815) | |
| 2022 | **Robust Node Classification on Graphs: Jointly from Bayesian Label Transition and Topology-based Label Propagation** | Attack | Node Classification | GNNs | CIKM 2022 | [Link](https://dl.acm.org/doi/abs/10.1145/3511808.3557437) | [Link](https://github.com/junzhuang-code/LInDT) |
| 2022 | **Revisiting Item Promotion in GNN-based Collaborative Filtering: A Masked Targeted Topological Attack Perspective** | Attack | Collaborative filtering | LightGCN | arXiv | [Link](https://arxiv.org/abs/2208.09979) | |
| 2022 | **Link-Backdoor: Backdoor Attack on Link Prediction via Node Injection** | Attack | Link Prediction | GAE, VGAE, GIC, ARGA, ARVGA | arXiv | [Link](https://arxiv.org/abs/2208.06776) | [Link](https://github.com/Seaocn/Link-Backdoor) |
| 2022 | **Graph Structural Attack by Perturbing Spectral Distance** | Attack | node classification | two-layer GCN | KDD 2022 | [Link](https://dl.acm.org/doi/abs/10.1145/3534678.3539435) | |
| 2022 | **Are Gradients on Graph Structure Reliable in Gray-box Attacks?** | Attack | node classification tasks | GraphSage | CIKM 2022 | [Link](https://dl.acm.org/doi/abs/10.1145/3511808.3557238) | |
| 2022 | **Adversarial Camouflage for Node Injection Attack on Graphs** | Attack | semi-supervised information retrieval task | GNNs | arXiv | [Link](https://arxiv.org/abs/2208.01819) | |
| 2022 | **CLUSTER ATTACK: Query-based Adversarial Attacks on Graphs with Graph-Dependent Priors** | Attack | node classification | GNNs | IJCAI 2022 | [Link](https://www.ijcai.org/proceedings/2022/0108.pdf) | |
| 2022 | **IoT-based Android Malware Detection Using Graph Neural Network With Adversarial Defense** | Attack | Malware Detection | GNN | IEEE Internet of Things | [Link](https://ieeexplore.ieee.org/abstract/document/9814995/) | |
| 2022 | **Private Graph Extraction via Feature Explanations** | Attack | node classification | 2-layer GCN | arXiv | [Link](https://arxiv.org/abs/2206.14724) | |
| 2022 | **Towards Secrecy-Aware Attacks Against Trust Prediction in Signed Graphs** | Attack | trust prediction in signed graphs | SGCN, SNEA | arXiv | [Link](https://arxiv.org/abs/2206.13104) | |
| 2022 | **Camouflaged Poisoning Attack on Graph Neural Networks** | Attack | node classification | GCN | ICMR 2022 | [Link](https://dl.acm.org/doi/abs/10.1145/3512527.3531373) | |
| 2022 | **LOKI: A Practical Data Poisoning Attack Framework against Next Item Recommendations** | Attack | Next Item Recommendations | BPRMF, FPMC, GRU4REC, TransRec | TKDE 2022 | [Link](https://ieeexplore.ieee.org/abstract/document/9806383/) | |
| 2022 | **Poisoning GNN-based Recommender Systems with Generative Surrogate-based Attacks** | Attack | Promotion/Recommendation/Re-producing | GNNs | ACM Transactions on Information Systems 2022 | [Link](https://dl.acm.org/doi/abs/10.1145/3567420) | |
| 2022 | **Transferable Graph Backdoor Attack** | Attack | Graph Classification | GNNs | RAID 2022 | [Link](https://arxiv.org/abs/2207.00425) | |
| 2022 | **Cluster Attack: Query-based Adversarial Attacks on Graphs with Graph-Dependent Priors** | Attack | Node Classification | GNNs | IJCAI 2022 | [Link](https://arxiv.org/abs/2109.13069) | [Link](https://github.com/thuwzy/Cluster-Attack) |
| 2022 | **Adversarial Robustness of Graph-based Anomaly Detection** | Attack | Anomaly Detection | GNNs | Arxiv | [Link](https://arxiv.org/abs/2206.08260) | |
| 2022 | **Adversarial Attack Framework on Graph Embedding Models with Limited Knowledge** | Attack | Node Classification | GNNs | Preprint | [Link](https://www.researchgate.net/publication/351901618_Adversarial_Attack_Framework_on_Graph_Embedding_Models_with_Limited_Knowledge) | |
| 2022 | **Label specificity attack: Change your label as I want** | Attack | Node Classification | GNNs | IJIS | [Link](https://onlinelibrary.wiley.com/doi/full/10.1002/int.22902) | |
| 2022 | **Bandits for Structure Perturbation-based Black-box Attacks to Graph Neural Networks with Theoretical Guarantees** | Attack | Node Classification | GNNs | CVPR 2022 | [Link](https://arxiv.org/abs/2205.03546) | [Link](https://github.com/Metaoblivion/Bandit_GNN_Attack) |
| 2022 | **AdverSparse: An Adversarial Attack Framework for Deep Spatial-Temporal Graph Neural Networks** | Attack | Spatial-Temporal Graph Embedding | Deep Spatial-Temporal GNNs | ICASSP 2022 | [Link](https://ieeexplore.ieee.org/abstract/document/9747850) | |
| 2022 | **Projective Ranking-based GNN Evasion Attacks** | Attack | Graph Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2202.12993) | |
| 2022 | **Attacking Community Detectors: Mislead Detectors via Manipulating the Graph Structure** | Attack | Community Detection | Community Detection Algs, GNNs | MobiCASE 2021 | [Link](https://link.springer.com/chapter/10.1007/978-3-030-99203-3_8) | |
| 2022 | **A Targeted Universal Attack on Graph Convolutional Network by Using Fake Nodes** | Attack | Node Classification | GCN | Neural Processing Letters | [Link](https://link.springer.com/article/10.1007/s11063-022-10764-2) | [Link](https://github.com/Nanyuu/TUA) |
| 2022 | **Surrogate Representation Learning with Isometric Mapping for Gray-box Graph Adversarial Attacks** | Attack | Node Classification | GNNs | WSDM 2022 | [Link](https://dl.acm.org/doi/10.1145/3488560.3498481) | |
| 2022 | **Black-box Node Injection Attack for Graph Neural Networks** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2202.09389) | [Link](https://github.com/jumxglhf/GA2C) |
| 2022 | **Understanding and Improving Graph Injection Attack by Promoting Unnoticeability** | Attack | Node Classification | GNNs | ICLR 2022 | [Link](https://openreview.net/forum?id=wkMG8cdvh7-) | [Link](https://github.com/LFhase/GIA-HAO) |
| 2022 | **Unsupervised Graph Poisoning Attack via Contrastive Loss Back-propagation** | Attack | Node Classification, Link Prediction | GCN | WWW 2022 | [Link](https://arxiv.org/abs/2201.07986) | [Link](https://github.com/RinneSz/CLGA) |
| 2022 | **Neighboring Backdoor Attacks on Graph Convolutional Network** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2201.06202) | |
| 2022 | **Interpretable and Effective Reinforcement Learning for Attacking against Graph-based Rumor Detection** | Attack | Rumor Detection | RGCN | Arxiv | [Link](https://arxiv.org/abs/2201.05819) | |
### Attack Papers 2021 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------ | ---------------------------------------------------------- | ------------------------------------ | ----------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2021 | **Task and Model Agnostic Adversarial Attack on Graph Neural Networks** | Attack | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2112.13267) | |
| 2021 | **Model Stealing Attacks Against Inductive Graph Neural Networks** | Attack | Node Classification, Model Stealing | GNNs | IEEE S&P 2022 | [Link](https://arxiv.org/abs/2112.08331) | [Link](https://github.com/xinleihe/GNNStealing) |
| 2021 | **How Members of Covert Networks Conceal the Identities of Their Leaders** | Attack | Covert Network Leader Detection | Centrality Measures | ACM TIST 2021 | [Link](https://dl.acm.org/doi/full/10.1145/3490462) | |
| 2021 | **Adapting Membership Inference Attacks to GNN for Graph Classification: Approaches and Implications** | Attack | Graph Classification | GNNs | ICDM 2021 | [Link](https://arxiv.org/abs/2110.08760) | [Link](https://github.com/TrustworthyGNN/MIA-GNN/) |
| 2021 | **Graph Structural Attack by Spectral Distance** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2111.00684) | |
| 2021 | **Structural Attack against Graph Based Android Malware Detection** | Attack | Malware Detection | Graph Based Android Malware Detector | CCS 2021 | [Link](https://dl.acm.org/doi/abs/10.1145/3460120.3485387) | |
| 2021 | **Adversarial Attacks on Knowledge Graph Embeddings via Instance Attribution Methods** | Attack | Knowledge Graph Embeddings | Knowledge Graph Embedding Models | EMNLP 2021 | [Link](https://arxiv.org/abs/2111.03120) | [Link](https://github.com/PeruBhardwaj/AttributionAttack) |
| 2021 | **Adversarial Attack against Cross-lingual Knowledge Graph Alignment** | Attack | Knowledge Graph Alignment | Knowledge Graph Embedding Models | EMNLP 2021 | [Link](https://aclanthology.org/2021.emnlp-main.432/) | |
| 2021 | **Graph Robustness Benchmark: Benchmarking the Adversarial Robustness of Graph Machine Learning** | Attack | Node Classification | GNNs | NeurIPS 2021 | [Link](https://arxiv.org/abs/2111.04314) | [Link](https://github.com/thudm/grb) |
| 2021 | **Adversarial Attacks on Graph Classification via Bayesian Optimisation** | Attack | Graph Classification | GNNs | NeurIPS 2021 | [Link](https://arxiv.org/abs/2111.02842) | [Link](https://github.com/xingchenwan/grabnel) |
| 2021 | **Robustness of Graph Neural Networks at Scale** | Attack | Node Classification | GNNs | NeurIPS 2021 | [Link](https://arxiv.org/abs/2110.14038) | [Link](https://github.com/sigeisler/robustness_of_gnns_at_scale) |
| 2021 | **Large-Scale Adversarial Attacks on Graph Neural Networks via Graph Coarsening** | Attack | Node Classification | GNNs | ICLR 2022 OpenReview | [Link](https://openreview.net/forum?id=NUzrPpDjWp) | |
| 2021 | **Mind Your Solver! On Adversarial Attack and Defense for Combinatorial Optimization** | Attack | Combinatorial Optimization | Combinatorial Optimization Solvers | ICLR 2022 OpenReview | [Link](https://openreview.net/forum?id=nKZvpGRdJlG) | |
| 2021 | **Bandits for Black-box Attacks to Graph Neural Networks with Structure Perturbation** | Attack | Node Classification | GNNs | ICLR 2022 OpenReview | [Link](https://openreview.net/forum?id=6MFWE6u2b6R) | |
| 2021 | **Poisoning Attacks against Knowledge Graph-based Recommendation Systems Using Deep Reinforcement Learning** | Attack | Knowledge Graph-based Recommender Systems | GNNs | Neural Computing and Applications | [Link](https://link.springer.com/article/10.1007/s00521-021-06573-8) | |
| 2021 | **FHA: Fast Heuristic Attack Against Graph Convolutional Networks** | Attack | Node Classification | GNNs | ICDS 2021 | [Link](https://link.springer.com/chapter/10.1007/978-3-030-88942-5_12) | |
| 2021 | **Inference Attacks Against Graph Neural Networks** | Attack | Graph/Property Inference | GNNs | USENIX Security 2022 | [Link](https://arxiv.org/abs/2110.02631) | [Link](https://github.com/Zhangzhk0819/GNN-Embedding-Leaks) |
| 2021 | **Graph-Fraudster: Adversarial Attacks on Graph Neural Network Based Vertical Federated Learning** | Attack | Node Classification, Federated Learning | GNNs | Arxiv | [Link](https://arxiv.org/abs/2110.06468) | |
| 2021 | **Query-based Adversarial Attacks on Graph with Fake Nodes** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2109.13069) | |
| 2021 | **Single Node Injection Attack against Graph Neural Networks** | Attack | Node Classification | GNNs | CIKM 2021 | [Link](https://arxiv.org/abs/2108.13049) | [Link](https://github.com/taoshuchang/g-nia) |
| 2021 | **Projective Ranking: A Transferable Evasion Attack Method on Graph Neural Networks** | Attack | Graph Classification | GCN | CIKM 2021 | [Link](https://shiruipan.github.io/publication/cikm-21-zhang/cikm-21-zhang.pdf) | |
| 2021 | **Spatially Focused Attack against Spatiotemporal Graph Neural Networks** | Attack | Spatiotemporal Forecasting | GNNs | Arxiv | [Link](https://arxiv.org/abs/2109.04608) | |
| 2021 | **Derivative-free optimization adversarial attacks for graph convolutional networks** | Attack | Node Classification | GCN | PeerJ Computer Science | [Link](https://peerj.com/articles/cs-693/) | |
| 2021 | **A Hard Label Black-box Adversarial Attack Against Graph Neural Networks** | Attack | Graph Classification | GNNs | CCS 2021 | [Link](https://arxiv.org/abs/2108.09513) | |
| 2021 | **Single-Node Attack for Fooling Graph Neural Networks** | Attack | Node Classification | GNNs | KDD 2021 Workshop | [Link](https://drive.google.com/file/d/12arm9w6UmvSIzGmaoocdH70czx7RVzGr/view) | [Link](https://github.com/gnnattack/SINGLE) |
| 2021 | **Jointly Attacking Graph Neural Network and its Explanations** | Attack | GNN Explanation | GNNEXPLAINER, PGExplainer | Arxiv | [Link](https://arxiv.org/abs/2108.03388) | |
| 2021 | **The Robustness of Graph k-shell Structure under Adversarial Attacks** | Attack | K-shell Value | K-shell Decomposition | Arxiv | [Link](https://arxiv.org/abs/2107.13962) | |
| 2021 | **Poisoning Knowledge Graph Embeddings via Relation Inference Patterns** | Attack | Knowledge Graph Embedding | Knowledge Graph Embedding Models | ACL 2021 | [Link](https://aclanthology.org/2021.acl-long.147/) | [Link](https://github.com/PeruBhardwaj/InferenceAttack) |
| 2021 | **Structack: Structure-based Adversarial Attacks on Graph Neural Networks** | Attack | Node Classification | GCN | ACM Hypertext | [Link](https://arxiv.org/abs/2107.11327) | [Link](https://github.com/sqrhussain/structack) |
| 2021 | **Optimal Edge Weight Perturbations to Attack Shortest Paths** | Attack | Shortest Path | Shortest Path Algs | Arxiv | [Link](https://arxiv.org/pdf/2107.03347.pdf) | |
| 2021 | **Adversarial Attack on Graph Neural Networks as An Influence Maximization Problem** | Attack | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2106.10785) | |
| 2021 | **BinarizedAttack: Structural Poisoning Attacks to Graph-based Anomaly Detection** | Attack | Anomaly Detection | Graph Anomaly Detection Algs | Arxiv | [Link](https://arxiv.org/abs/2106.09989) | |
| 2021 | **TDGIA: Effective Injection Attacks on Graph Neural Networks** | Attack | Node Classification | GNNs | KDD 2021 | [Link](https://arxiv.org/abs/2106.06663) | |
| 2021 | **Graph Adversarial Attack via Rewiring** | Attack | Node Classification | GCN | KDD 2021 | [Link](https://arxiv.org/abs/1906.03750) | |
| 2021 | **Evaluating Graph Vulnerability and Robustness using TIGER** | Attack | Robustness Measure | Robustness Measure | Arxiv | [Link](https://arxiv.org/abs/2006.05648) | [Link](https://github.com/safreita1/TIGER) |
| 2021 | **Adversarial Attack Framework on Graph Embedding Models with Limited Knowledge** | Attack | Node Classification | Graph Embedding Models | Arxiv | [Link](https://arxiv.org/abs/2105.12419) | |
| 2021 | **Attacking Graph Neural Networks at Scale** | Attack | Node Classification | GCN | AAAI 2021 Workshop | [Link](https://www.dropbox.com/s/ddrwoswpz3wwx40/Robust_GNNs_at_Scale__AAAI_Workshop_2020_CameraReady.pdf?dl=0) | |
| 2021 | **Black-box Gradient Attack on Graph Neural Networks: Deeper Insights in Graph-based Attack and Defense** | Attack | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2104.15061) | |
| 2021 | **Enhancing Robustness and Resilience of Multiplex Networks Against Node-Community Cascading Failures** | Attack | Complex Networks Robustness | Complex Networks | IEEE TSMC | [Link](https://ieeexplore.ieee.org/abstract/document/9415463/authors#authors) | |
| 2021 | **PATHATTACK: Attacking Shortest Paths in Complex Networks** | Attack | Shortest Path | Shortest Path | Arxiv | [Link](https://arxiv.org/abs/2104.03761) | |
| 2021 | **Universal Spectral Adversarial Attacks for Deformable Shapes** | Attack | Shape Classification | ChebyNet, PointNet | CVPR 2021 | [Link](https://arxiv.org/abs/2104.03356) | |
| 2021 | **Preserve, Promote, or Attack? GNN Explanation via Topology Perturbation** | Attack | Object Detection | GNNs | Arxiv | [Link](https://arxiv.org/abs/2103.13944) | |
| 2021 | **Towards Revealing Parallel Adversarial Attack on Politician Socialnet of Graph Structure** | Attack | Node Classification | GCN | Security and Communication Networks | [Link](https://www.hindawi.com/journals/scn/2021/6631247/) | |
| 2021 | **Network Embedding Attack: An Euclidean Distance Based Method** | Attack | Node Classification, Community Detection | Network Embedding Methods | MDATA | [Link](https://link.springer.com/chapter/10.1007%2F978-3-030-71590-8_8) | |
| 2021 | **Adversarial Attack on Network Embeddings via Supervised Network Poisoning** | Attack | Node Classification, Link Prediction | DeepWalk, Node2vec, LINE, GCN | PAKDD 2021 | [Link](https://arxiv.org/abs/2102.07164) | [Link](https://github.com/virresh/viking) |
| 2021 | **GraphAttacker: A General Multi-Task Graph Attack Framework** | Attack | Node Classification, Graph Classification, Link Prediction | GNNs | Arxiv | [Link](https://arxiv.org/abs/2101.06855) | |
| 2021 | **Membership Inference Attack on Graph Neural Networks** | Attack | Membership Inference | GNNs | Arxiv | [Link](https://arxiv.org/abs/2101.06570) | |
### Attack Papers 2020 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------ | ---------------------------------------- | ----------------------------------------- | -------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2020 | **Adversarial Label-Flipping Attack and Defense for Graph Neural Networks** | Attack | Node Classification | GNNs | ICDM 2020 | [Link](http://shichuan.org/doc/97.pdf) | [Link](https://github.com/MengmeiZ/LafAK) |
| 2020 | **Exploratory Adversarial Attacks on Graph Neural Networks** | Attack | Node Classification | GCN | ICDM 2020 | [Link](https://ieeexplore.ieee.org/document/9338329) | [Link](https://github.com/EpoAtk/EpoAtk) |
| 2020 | **A Targeted Universal Attack on Graph Convolutional Network** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2011.14365) | [Link](https://github.com/Nanyuu/TUA) |
| 2020 | **Attacking Graph-Based Classification without Changing Existing Connections** | Attack | Node Classification | Collective Classification Models | ACSAC 2020 | [Link](https://cse.sc.edu/~zeng1/papers/2020-acsac-graph.pdf) | |
| 2020 | **Learning to Deceive Knowledge Graph Augmented Models via Targeted Perturbation** | Attack | Commonsense Reasoning Recommender System | Knowledge Graph | ICLR 2021 | [Link](https://arxiv.org/abs/2010.12872) | [Link](https://github.com/INK-USC/deceive-KG-models) |
| 2020 | **One Vertex Attack on Graph Neural Networks-based Spatiotemporal Forecasting** | Attack | Spatiotemporal Forecasting | GNNs | ICLR 2021 OpenReview | [Link](https://openreview.net/forum?id=W0MKrbVOxtd) | |
| 2020 | **Single-Node Attack for Fooling Graph Neural Networks** | Attack | Node Classification | GNNs | ICLR 2021 OpenReview | [Link](https://openreview.net/forum?id=u4WfreuXxnk) | |
| 2020 | **Black-Box Adversarial Attacks on Graph Neural Networks as An Influence Maximization Problem** | Attack | Node Classification | GNNs | ICLR 2021 OpenReview | [Link](https://openreview.net/forum?id=sbyjwhxxT8K) | |
| 2020 | **Adversarial Attacks on Deep Graph Matching** | Attack | Graph Matching | Deep Graph Matching Models | NeurIPS 2020 | [Link](https://papers.nips.cc/paper/2020/file/ef126722e64e98d1c33933783e52eafc-Paper.pdf) | |
| 2020 | **Towards More Practical Adversarial Attacks on Graph Neural Networks** | Attack | Node Classification | GNNs | NeurIPS 2020 | [Link](https://arxiv.org/abs/2006.05057) | [Link](https://github.com/Mark12Ding/GNN-Practical-Attack) |
| 2020 | **A Graph Matching Attack on Privacy-Preserving Record Linkage** | Attack | Record Linkage | Rrivacy-preserving Record Linkage Methods | CIKM 2020 | [Link](https://dl.acm.org/doi/abs/10.1145/3340531.3411931) | |
| 2020 | **Adaptive Adversarial Attack on Graph Embedding via GAN** | Attack | Node Classification | GCN, DeepWalk, LINE | SocialSec | [Link](https://link.springer.com/chapter/10.1007/978-981-15-9031-3_7) | |
| 2020 | **Scalable Adversarial Attack on Graph Neural Networks with Alternating Direction Method of Multipliers** | Attack | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2009.10233) | |
| 2020 | **Semantic-preserving Reinforcement Learning Attack Against Graph Neural Networks for Malware Detection** | Attack | Malware Detection | GCN | Arxiv | [Link](https://arxiv.org/abs/2009.05602) | |
| 2020 | **Adversarial Attack on Large Scale Graph** | Attack | Node Classification | GNN | Arxiv | [Link](https://arxiv.org/abs/2009.03488) | |
| 2020 | **Efficient Evasion Attacks to Graph Neural Networks via Influence Function** | Attack | Node Classification | GNN | Arxiv | [Link](https://arxiv.org/abs/2009.00203) | |
| 2020 | **Reinforcement Learning-based Black-Box Evasion Attacks to Link Prediction in Dynamic Graphs** | Attack | Link Prediction | DyGCN | Arxiv | [Link](https://arxiv.org/abs/2009.00163) | |
| 2020 | **Adversarial attack on BC classification for scale-free networks** | Attack | Broido and Clauset classification | scale-free network | AIP Chaos | [Link](https://aip.scitation.org/doi/full/10.1063/5.0003707) | |
| 2020 | **Adversarial Attacks on Link Prediction Algorithms Based on Graph Neural Networks** | Attack | Link Prediction | GNN | Asia CCS 2020 | [Link](https://iqua.ece.toronto.edu/papers/wlin-asiaccs20.pdf) | |
| 2020 | **Practical Adversarial Attacks on Graph Neural Networks** | Attack | Node Classification | GNN | ICML 2020 Workshop | [Link](https://grlplus.github.io/papers/8.pdf) | |
| 2020 | **Link Prediction Adversarial Attack Via Iterative Gradient Attack** | Attack | Link Prediction | GAE | IEEE TCSS | [Link](https://ieeexplore.ieee.org/abstract/document/9141291?casa_token=JY86mKguq68AAAAA:GNbeDZJNuMzzcHFPGOTACf9ihXxgQyAOSjVUnbWhiON6vVG7ap7k8Ey4DCNyJTO0qlSxMyJWSY4B) | |
| 2020 | **An Efficient Adversarial Attack on Graph Structured Data** | Attack | Node Classification | GCN | IJCAI 2020 Workshop | [Link](https://www.aisafetyw.org/programme) | |
| 2020 | **Graph Backdoor** | Attack | Node Classification Graph Classification | GNNs | USENIX Security 2021 | [Link](https://arxiv.org/abs/2006.11890) | |
| 2020 | **Backdoor Attacks to Graph Neural Networks** | Attack | Graph Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2006.11165) | |
| 2020 | **Robust Spammer Detection by Nash Reinforcement Learning** | Attack | Fraud Detection | Graph-based Fraud Detector | KDD 2020 | [Link](https://arxiv.org/abs/2006.06069) | [Link](https://github.com/YingtongDou/Nash-Detect) |
| 2020 | **Adversarial Attacks on Graph Neural Networks: Perturbations and their Patterns** | Attack | Node Classification | GNN | TKDD | [Link](https://dl.acm.org/doi/10.1145/3394520) | |
| 2020 | **Adversarial Attack on Hierarchical Graph Pooling Neural Networks** | Attack | Graph Classification | GNN | Arxiv | [Link](https://arxiv.org/abs/2005.11560) | |
| 2020 | **Stealing Links from Graph Neural Networks** | Attack | Inferring Link | GNNs | USENIX Security 2021 | [Link](https://www.usenix.org/system/files/sec21summer_he.pdf) | |
| 2020 | **Scalable Attack on Graph Data by Injecting Vicious Nodes** | Attack | Node Classification | GCN | ECML-PKDD 2020 | [Link](https://arxiv.org/abs/2004.13825) | |
| 2020 | **Network disruption: maximizing disagreement and polarization in social networks** | Attack | Manipulating Opinion | Graph Model, Social Network | Arxiv | [Link](https://arxiv.org/abs/2003.08377) | |
| 2020 | **Adversarial Perturbations of Opinion Dynamics in Networks** | Attack | Manipulating Opinion | Graph Model | Arxiv | [Link](https://arxiv.org/abs/2003.07010) | |
| 2020 | **Non-target-specific Node Injection Attacks on Graph Neural Networks: A Hierarchical Reinforcement Learning Approach** | Attack | Node Classification | GCN | WWW 2020 | [Link](https://faculty.ist.psu.edu/vhonavar/Papers/www20.pdf) | |
| 2020 | **MGA: Momentum Gradient Attack on Network** | Attack | Node Classification, Community Detection | GCN, DeepWalk, node2vec | Arxiv | [Link](https://arxiv.org/abs/2002.11320) | |
| 2020 | **Indirect Adversarial Attacks via Poisoning Neighbors for Graph Convolutional Networks** | Attack | Node Classification | GCN | BigData 2019 | [Link](https://arxiv.org/abs/2002.08012) | |
| 2020 | **Graph Universal Adversarial Attacks: A Few Bad Actors Ruin Graph Learning Models** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2002.04784) | [Link](https://github.com/chisam0217/Graph-Universal-Attack) |
| 2020 | **Adversarial Attacks to Scale-Free Networks: Testing the Robustness of Physical Criteria** | Attack | Network Structure | Physical Criteria | Arxiv | [Link](https://arxiv.org/abs/2002.01249) | |
| 2020 | **Adversarial Attack on Community Detection by Hiding Individuals** | Attack | Community Detection | GCN | WWW 2020 | [Link](https://arxiv.org/abs/2001.07933) | [Link](https://github.com/halimiqi/CD-ATTACK) |
### Attack Papers 2019 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------ | ---------------------------------------- | ------------------------------------------------------------ | ------------ | ---------------------------------------------------------- | ------------------------------------------------------------ |
| 2019 | **How Robust Are Graph Neural Networks to Structural Noise?** | Attack | Node Structural Identity Prediction | GIN | Arxiv | [Link](https://arxiv.org/abs/1912.10206) | |
| 2019 | **Time-aware Gradient Attack on Dynamic Network Link Prediction** | Attack | Link Prediction | Dynamic Network Embedding Algs | Arxiv | [Link](https://arxiv.org/abs/1911.10561) | |
| 2019 | **All You Need is Low (Rank): Defending Against Adversarial Attacks on Graphs** | Attack | Node Classification | GCN, Tensor Embedding | WSDM 2020 | [Link](https://dl.acm.org/doi/abs/10.1145/3336191.3371789) | [Link](https://github.com/DSE-MSU/DeepRobust) |
| 2019 | **αCyber: Enhancing Robustness of Android Malware Detection System against Adversarial Attacks on Heterogeneous Graph based Model** | Attack | Malware Detection | HIN | CIKM 2019 | [Link](https://dl.acm.org/citation.cfm?id=3357875) | |
| 2019 | **A Unified Framework for Data Poisoning Attack to Graph-based Semi-supervised Learning** | Attack | Semi-supervised Learning | Label Propagation | NeurIPS 2019 | [Link](https://arxiv.org/abs/1910.14147) | |
| 2019 | **Manipulating Node Similarity Measures in Networks** | Attack | Node Similarity | Node Similarity Measures | AAMAS 2020 | [Link](https://arxiv.org/abs/1910.11529) | |
| 2019 | **Multiscale Evolutionary Perturbation Attack on Community Detection** | Attack | Community Detection | Community Metrics | Arxiv | [Link](https://arxiv.org/abs/1910.09741) | |
| 2019 | **Attacking Graph Convolutional Networks via Rewiring** | Attack | Node Classification | GCN | Openreview | [Link](https://openreview.net/pdf?id=B1eXygBFPH) | |
| 2019 | **Node Injection Attacks on Graphs via Reinforcement Learning** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/1909.06543) | |
| 2019 | **A Restricted Black-box Adversarial Framework Towards Attacking Graph Embedding Models** | Attack | Node Classification | GCN, SGC | AAAI 2020 | [Link](https://arxiv.org/abs/1908.01297) | [Link](https://github.com/SwiftieH/GFAttack) |
| 2019 | **Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective** | Attack | Node Classification | GNN | IJCAI 2019 | [Link](https://arxiv.org/abs/1906.04214) | [Link](https://github.com/KaidiXu/GCN_ADV_Train) |
| 2019 | **Unsupervised Euclidean Distance Attack on Network Embedding** | Attack | Node Embedding | GCN | Arxiv | [Link](https://arxiv.org/abs/1905.11015) | |
| 2019 | **Generalizable Adversarial Attacks Using Generative Models** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/1905.10864) | |
| 2019 | **Vertex Nomination, Consistent Estimation, and Adversarial Modification** | Attack | Vertex Nomination | VN Scheme | Arxiv | [Link](https://arxiv.org/abs/1905.01776) | |
| 2019 | **Data Poisoning Attack against Knowledge Graph Embedding** | Attack | Fact Plausibility Prediction | TransE, TransR | IJCAI 2019 | [Link](https://arxiv.org/abs/1904.12052) | |
| 2019 | **Adversarial Examples on Graph Data: Deep Insights into Attack and Defense** | Attack | Node Classification | GCN | IJCAI 2019 | [Link](https://arxiv.org/abs/1903.01610) | [Link](https://github.com/DSE-MSU/DeepRobust) |
| 2019 | **Adversarial Attacks on Node Embeddings via Graph Poisoning** | Attack | Node Classification, Community Detection | node2vec, DeepWalk, GCN, Spectral Embedding, Label Propagation | ICML 2019 | [Link](https://arxiv.org/abs/1809.01093#) | [Link](https://github.com/abojchevski/node_embedding_attack) |
| 2019 | **Attacking Graph-based Classification via Manipulating the Graph Structure** | Attack | Node Classification | Belief Propagation, GCN | CCS 2019 | [Link](https://arxiv.org/abs/1903.00553) | |
| 2019 | **Adversarial Attacks on Graph Neural Networks via Meta Learning** | Attack | Node Classification | GCN, CLN, DeepWalk | ICLR 2019 | [Link](https://arxiv.org/abs/1902.08412) | [Link](https://github.com/danielzuegner/gnn-meta-attack) |
### Attack Papers 2018 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------ | ----------------------------------------- | ----------------------------------- | --------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2018 | **Poisoning Attacks to Graph-Based Recommender Systems** | Attack | Recommender System | Graph-based Recommendation Algs | ACSAC 2018 | [Link](https://arxiv.org/abs/1809.04127) | |
| 2018 | **GA Based Q-Attack on Community Detection** | Attack | Community Detection | Modularity, Community Detection Alg | IEEE TCSS | [Link](https://ieeexplore.ieee.org/abstract/document/8714065) | |
| 2018 | **Data Poisoning Attack against Unsupervised Node Embedding Methods** | Attack | Link Prediction | LINE, DeepWalk | Arxiv | [Link](https://arxiv.org/abs/1810.12881) | |
| 2018 | **Attack Graph Convolutional Networks by Adding Fake Nodes** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/1810.10751) | |
| 2018 | **Link Prediction Adversarial Attack** | Attack | Link Prediction | GAE, GCN | Arxiv | [Link](https://arxiv.org/abs/1810.01110) | |
| 2018 | **Attack Tolerance of Link Prediction Algorithms: How to Hide Your Relations in a Social Network** | Attack | Link Prediction | Traditional Link Prediction Algs | Scientific Reports | [Link](https://arxiv.org/abs/1809.00152) | |
| 2018 | **Attacking Similarity-Based Link Prediction in Social Networks** | Attack | Link Prediction | local&global similarity metrics | AAMAS 2019 | [Link](https://dl.acm.org/citation.cfm?id=3306127.3331707) | |
| 2018 | **Fast Gradient Attack on Network Embedding** | Attack | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/1809.02797) | |
| 2018 | **Adversarial Attack on Graph Structured Data** | Attack | Node Classification, Graph Classification | GNN, GCN | ICML 2018 | [Link](https://arxiv.org/abs/1806.02371) | [Link](https://github.com/Hanjun-Dai/graph_adversarial_attack) |
| 2018 | **Adversarial Attacks on Neural Networks for Graph Data** | Attack | Node Classification | GCN | KDD 2018 | [Link](https://arxiv.org/abs/1805.07984) | [Link](https://github.com/danielzuegner/nettack) |
| 2018 | **Hiding individuals and communities in a social network** | Attack | Community Detection | Community Detection Algs | Nature Human Behavior | [Link](https://arxiv.org/abs/1608.00375) | [Link](https://github.com/DSE-MSU/DeepRobust) |
### Attack Papers 2017 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------ | ---------------- | -------------------------------------- | -------- | ---------------------------------------- | ---------------------------------------------- |
| 2017 | **Practical Attacks Against Graph-based Clustering** | Attack | Graph Clustering | SVD, node2vec, Community Detection Alg | CCS 2017 | [Link](https://arxiv.org/abs/1708.09056) | |
| 2017 | **Adversarial Sets for Regularising Neural Link Predictors** | Attack | Link Prediction | Knowledge Graph Embeddings | UAI 2017 | [Link](https://arxiv.org/abs/1707.07596) | [Link](https://github.com/uclmr/inferbeddings) |
## Defense
### Defense Papers 2023 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------- | --------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2023 | **Revisiting Robustness in Graph Machine Learning**| Defense | Node Classification | GCN, SGC, APPNP, GAT, GATv2, GraphSAGE, LP | ICLR'23 | [Link](https://arxiv.org/pdf/2305.00851.pdf) | [Link](https://github.com/saper0/revisiting_robustness)|
| 2023 | **Empowering Graph Representation Learning with Test-Time Graph Transformation** | Defense | Node Classification | GCN | ICLR | [Link](https://openreview.net/forum?id=Lnxl5pr018) | [Link](https://github.com/ChandlerBang/GTrans)|
| 2023 | **Adversarial Danger Identification on Temporally Dynamic Graph** | Defense | Temporally Dynamic Graphs | Hybrid GNN-based time series classifier | IEEE Transactions on Neural Networks and Learning Systems | [Link](https://ieeexplore.ieee.org/abstract/document/10068359) |
### Defense Papers 2022 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------- | --------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2022 | **Privacy Protection for Marginal-Sensitive Community Individuals Against Adversarial Community Detection Attacks** | Defense | Community Detection | DICE, Random Target Attack (RTA) | IEEE Transactions on Computational Social Systems | [Link](https://ieeexplore.ieee.org/abstract/document/9997230/) | |
| 2022 | **DeepInsight: Topology Changes Assisting Detection of Adversarial Samples on Graphs** | Defense | Node Classification | Two-layer GCNs | IEEE Transactions on Computational Social Systems | [Link](https://ieeexplore.ieee.org/abstract/document/9931416) | |
| 2022 | **ERGCN: Data enhancement-based robust graph convolutional network against adversarial attacks** | Defense | Information Sciences | Node Classification | GCN/GCN-Jaccard/RGGCN/Pro-GNN/SimP-GCN/EGCN | [Link](https://www.sciencedirect.com/science/article/pii/S0020025522012415) | [Link](https://github.com/star4455/ERGCN) |
| 2022 | **On the Vulnerability of Graph Learning based Collaborative Filtering** | Defense | Graph Learning based Collaborative Filtering | NGCF/LightGCN | ACM Transactions on Information Systems | [Link](https://dl.acm.org/doi/abs/10.1145/3572834) | |
| 2022 | **FocusedCleaner: Sanitizing Poisoned Graphs for Robust GNN-based Node Classification** | Defense | Node Classification | GNN-Jaccard/ProGNN/RGCN/MedianGNN/SimPGCN/GNNGUARD/ElasticGNN/AirGNNGASOLINE/maskGVAE | Arxiv | [Link](https://arxiv.org/abs/2210.13815) | |
| 2022 | **Robust cross-network node classification via constrained graph mutual information** | Defense | cross-network node classification | GNNs | Knowledge-Based Systems | [Link](https://www.sciencedirect.com/science/article/pii/S0950705122009455) | |
| 2022 | **On the Robustness of Graph Neural Diffusion to Topology Perturbations** | Defense | Node Classification | GAT, GraphSAGE, GIN, APPNP | arXiv preprint | [Link](https://arxiv.org/abs/2209.07754) | [Link](https://github.com/zknus/Robustness-of-Graph-Neural-Diffusion) |
| 2022 | **Defending Against Backdoor Attack on Graph Nerual Network by Explainability** | Defense | graph classification task | GraphConv, GIN | arXiv | [Link](https://arxiv.org/abs/2209.02902) | |
| 2022 | **Adversarial for Social Privacy: A Poisoning Strategy to Degrade User Identity Linkage** | Defense | user identity linkage | GCNs | arXiv | [Link](https://arxiv.org/abs/2209.00269) | |
| 2022 | **Towards an Optimal Asymmetric Graph Structure for Robust Semi-supervised Node Classification** | Defense | semi-supervised node classification | GCN | KDD 2022 | [Link](https://dl.acm.org/doi/abs/10.1145/3534678.3539332) | |
| 2022 | **Reliable Representations Make A Stronger Defender: Unsupervised Structure Refinement for Robust GNN** | Defense | Node Classification | GNNs | KDD 2022 | [Link](https://ponderly.github.io/pub/STABLE_KDD2022.pdf) | |
| 2022 | **Robust Graph Representation Learning for Local Corruption Recovery** | Defense | Node Attribute Recovery | GNNs | ICML 2022 Workshop | [Link](https://yuguangwang.github.io/papers/L_p_graph_regularizer_ICML%20TAG%202022.pdf) | |
| 2022 | **Appearance and Structure Aware Robust Deep Visual Graph Matching: Attack, Defense and Beyond** | Defense | Graph Matching | Graph Matching Algs | CVPR 2022 | [Link](https://openaccess.thecvf.com/content/CVPR2022/html/Ren_Appearance_and_Structure_Aware_Robust_Deep_Visual_Graph_Matching_Attack_CVPR_2022_paper.html) | [Link](https://github.com/Thinklab-SJTU/RobustMatch) |
| 2022 | **Large-Scale Privacy-Preserving Network Embedding against Private Link Inference Attacks** | Defense | Privacy Protection | Network Embedding Algs | Arxiv | [Link](https://arxiv.org/abs/2205.14440) | |
| 2022 | **Detecting Topology Attacks against Graph Neural Networks** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2204.10072) | |
| 2022 | **GUARD: Graph Universal Adversarial Defense** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2204.09803) | [Link](https://github.com/EdisonLeeeee/GUARD) |
| 2022 | **Robust Graph Neural Networks via Ensemble Learning** | Defense | Node Classification | GNNs | Mathematics | [Link](https://www.mdpi.com/2227-7390/10/8/1300/htm) | |
| 2022 | **AN-GCN: An Anonymous Graph Convolutional Network Against Edge-Perturbing Attacks** | Defense | Node Classification | GNNs | IEEE TNNLS | [Link](https://ieeexplore.ieee.org/abstract/document/9775013) | |
| 2022 | **Exploring High-Order Structure for Robust Graph Structure Learning** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2203.11492) | |
| 2022 | **Defending Graph Convolutional Networks against Dynamic Graph Perturbations via Bayesian Self-supervision** | Defense | Node Classification | GNNs | AAAI 2022 | [Link](https://arxiv.org/abs/2203.03762) | [Link](https://github.com/junzhuang-code/GraphSS) |
| 2022 | **Graph alternate learning for robust graph neural networks in node classification** | Defense | Node Classification | GNNs | Neural Computing and Applications | [Link](https://link.springer.com/article/10.1007/s00521-021-06863-1) | |
| 2022 | **Robust Heterogeneous Graph Neural Networks against Adversarial Attacks** | Defense | Node Classification | Heterogeneous GNNs | AAAI 2022 | [Link](http://shichuan.org/doc/132.pdf) | |
| 2022 | **How Does Bayesian Noisy Self-Supervision Defend Graph Convolutional Networks?** | Defense | Node Classification | GNNs | Neural Processing Letters | [Link](https://link.springer.com/article/10.1007/s11063-022-10750-8) | |
| 2022 | **GARNET: Reduced-Rank Topology Learning for Robust and Scalable Graph Neural Networks** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2201.12741) | |
| 2022 | **Mind Your Solver! On Adversarial Attack and Defense for Combinatorial Optimization** | Defense | Combinatorial Optimization | Combinatorial Optimization Methods | Arxiv | [Link](https://arxiv.org/abs/2201.00402) | |
| 2022 | **Unsupervised Adversarially Robust Representation Learning on Graphs** | Defense | Node Classification, Link Prediction, Community Detection | GNNs | AAAI 2022 | [Link](https://arxiv.org/abs/2012.02486) | |
### Defense Papers 2021 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------- | ------------------------------------------------------ | --------------------------------------- | -------------------- | ------------------------------------------------------------ | ------------------------------------------------- |
| 2021 | **Mind Your Solver! On Adversarial Attack and Defense for Combinatorial Optimization** | Defense | Combinatorial Optimization | Combinatorial Optimization Methods | Arxiv | [Link](https://arxiv.org/abs/2201.00402) | |
| 2021 | **Robust Graph Neural Networks via Probabilistic Lipschitz Constraints** | Defense | Decentralized Control | GNNs | Arxiv | [Link](https://arxiv.org/abs/2112.07575) | |
| 2021 | **Graph-based Adversarial Online Kernel Learning with Adaptive Embedding** | Defense | Node Classification | Kernel Learning Models | ICDM 2021 | | |
| 2021 | **Not All Low-Pass Filters are Robust in Graph Convolutional Networks** | Defense | Node Classification | GCN | NeurIPS 2021 | [Link](https://openreview.net/forum?id=bDdfxLQITtu) | |
| 2021 | **Graph Neural Networks with Adaptive Residual** | Defense | Node Classification, Abnormal Features | GNNs | NeurIPS 2021 | [Link](https://openreview.net/pdf?id=hfkER_KJiNw) | |
| 2021 | **Generalization of Neural Combinatorial Solvers Through the Lens of Adversarial Robustness** | Defense | Combinatorial Optimization | Combinatorial Solvers | NeurIPS 2021 | [Link](https://arxiv.org/abs/2110.10942) | |
| 2021 | **Defending Graph Neural Networks via Tensor-Based Robust Graph Aggregation** | Defense | Node Classification | GNNs | ICLR 2022 OpenReview | [Link](https://openreview.net/forum?id=BrfHcL-99sy) | |
| 2021 | **Robust Graph Data Learning with Latent Graph Convolutional Representation** | Defense | Node Classification, Node Clustering | GNNs | ICLR 2022 OpenReview | [Link](https://openreview.net/forum?id=krQLTdel74N) | |
| 2021 | **Edge Rewiring Goes Neural: Boosting Network Resilience via Policy Gradient** | Defense | Graph Resilience | GNNs | ICLR 2022 OpenReview | [Link](https://openreview.net/forum?id=eVzy-BWKY6Z) | |
| 2021 | **On the Relationship between Heterophily and Robustness of Graph Neural Networks** | Defense | Node Classification | GNNs | ICLR 2022 OpenReview | [Link](https://openreview.net/forum?id=Nus6fOfh1HW) | |
| 2021 | **A General Unified Graph Neural Network Framework Against Adversarial Attacks** | Defense | Node Classification | GNNs | ICLR 2022 OpenReview | [Link](https://openreview.net/forum?id=bpUHBc9HCU8) | |
| 2021 | **Node Copying: A Random Graph Model for Effective Graph Sampling** | Defense | Node Classification | GNNs | Signal Processing | [Link](https://www.sciencedirect.com/science/article/pii/S0165168421003728) | |
| 2021 | **Node Feature Kernels Increase Graph Convolutional Robustness** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2109.01785) | [Link](https://github.com/ChangminWu/RobustGCN) |
| 2021 | **Speedup Robust Graph Structure Learning with Low-Rank Information** | Defense | Node Classification | GNNs | CIKM 2021 | [Link](http://xiangliyao.cn/papers/cikm21-hui.pdf) | |
| 2021 | **A Lightweight Metric Defence Strategy for Graph Neural Networks Against Poisoning Attacks** | Defense | Node Classification | GNNs | ICICS 2021 | [Link](https://link.springer.com/chapter/10.1007/978-3-030-88052-1_4) | [Link](https://github.com/lizi-learner/MD-GNN) |
| 2021 | **CoG: a Two-View Co-training Framework for Defending Adversarial Attacks on Graph** | Defense | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2109.05558) | |
| 2021 | **Robust Counterfactual Explanations on Graph Neural Networks** | Defense | Link Prediction | Probabilistic Network Embedding Models | Arxiv | [Link](https://arxiv.org/abs/2107.01936) | |
| 2021 | **Elastic Graph Neural Networks** | Defense | Node classification | GNNs | ICML 2021 | [Link](http://proceedings.mlr.press/v139/liu21k/liu21k.pdf) | [Link](https://github.com/lxiaorui/ElasticGNN) |
| 2021 | **Expressive 1-Lipschitz Neural Networks for Robust Multiple Graph Learning against Adversarial Attacks** | Defense | Graph Classification, Graph Matching | GNNs | ICML 2021 | [Link](http://proceedings.mlr.press/v139/zhao21e.html) | |
| 2021 | **Integrated Defense for Resilient Graph Matching** | Defense | Graph Matching | Graph Matching Algs | ICML 2021 | [Link](http://proceedings.mlr.press/v139/ren21c/ren21c.pdf) | |
| 2021 | **NetFense: Adversarial Defenses against Privacy Attacks on Neural Networks for Graph Data** | Defense | Privacy Protection | GNNs | TKDE | [Link](https://ieeexplore.ieee.org/abstract/document/9448513) | |
| 2021 | **Stability of graph convolutional neural networks to stochastic perturbations** | Defense | Robustness Certification | GNNs | Signal Processing | [Link](https://www.sciencedirect.com/science/article/abs/pii/S0165168421002541) | |
| 2021 | **DeepInsight: Interpretability Assisting Detection of Adversarial Samples on Graphs** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2106.09501) | |
| 2021 | **Improving Robustness of Graph Neural Networks with Heterophily-Inspired Designs** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2106.07767) | |
| 2021 | **Understanding Structural Vulnerability in Graph Convolutional Networks** | Defense | Node Classification | GNNs | IJCAI 2021 | [Link](cs.emory.edu/~jyang71/files/rpgcn.pdf) | [Link](https://github.com/EdisonLeeeee/MedianGCN) |
| 2021 | **Certified Robustness of Graph Neural Networks against Adversarial Structural Perturbation** | Defense | Robustness Certification | GNNs | KDD 2021 | [Link](https://arxiv.org/abs/2008.10715) | |
| 2021 | **Unveiling Anomalous Nodes Via Random Sampling and Consensus on Graphs** | Defense | Anomaly Detection | Anomaly Detection Algs | ICASSP 2021 | [Link](https://ieeexplore.ieee.org/abstract/document/9414953) | |
| 2021 | **Graph Sanitation with Application to Node Classification** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/pdf/2105.09384.pdf) | |
| 2021 | **Robust Network Alignment via Attack Signal Scaling and Adversarial Perturbation Elimination** | Defense | Network Alignment | Network Alignment Algorithms | WWW 2021 | [Link](http://eng.auburn.edu/users/yangzhou/papers/RNA.pdf) | |
| 2021 | **Information Obfuscation of Graph Neural Networks** | Defense | Recommender System, Knowledge Graph, Quantum Chemistry | GNNs | ICML 2021 | [Link](https://arxiv.org/pdf/2009.13504.pdf) | [Link](https://github.com/liaopeiyuan/GAL) |
| 2021 | **Graph Embedding for Recommendation against Attribute Inference Attacks** | Defense | Recommender System | GCN | WWW 2021 | [Link](https://arxiv.org/pdf/2101.12549.pdf) | |
| 2021 | **Spatio-Temporal Sparsification for General Robust Graph Convolution Networks** | Defense | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2103.12256) | |
| 2021 | **Detection and Defense of Topological Adversarial Attacks on Graphs** | Defense | Node Classification | GCN | AISTATS 2021 | [Link](http://proceedings.mlr.press/v130/zhang21i.html) | |
| 2021 | **Robust graph convolutional networks with directional graph adversarial training** | Defense | Node Classification | GCN | Applied Intelligence | [Link](https://link.springer.com/article/10.1007/s10489-021-02272-y) | |
| 2021 | **Interpretable Stability Bounds for Spectral Graph Filters** | Defense | Robustness Certification | Spectral Graph Filter | Arxiv | [Link](https://arxiv.org/abs/2102.09587) | |
| 2021 | **Personalized privacy protection in social networks through adversarial modeling** | Defense | Privacy Protection | GCN | AAAI 2021 | [Link](https://www.cs.uic.edu/~elena/pubs/biradar-ppai21.pdf) | |
| 2021 | **Node Similarity Preserving Graph Convolutional Networks** | Defense | Node Classification | GNNs | WSDM 2021 | [Link](https://arxiv.org/abs/2011.09643) | [Link](https://github.com/ChandlerBang/SimP-GCN) |
### Defense Papers 2020 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------- | ---------------------------------------- | ------------------------------------------- | -------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2020 | **Graph Stochastic Neural Networks for Semi-supervised Learning** | Defense | Node Classification | GNNs | NeurIPS 2020 | [Link](https://papers.nips.cc/paper/2020/file/e586a4f55fb43a540c2e9dab45e00f53-Paper.pdf) | [Link](https://github.com/GSNN/GSNN) |
| 2020 | **Smoothing Adversarial Training for GNN** | Defense | Node Classification, Community Detection | GCN | IEEE TCSS | [Link](https://ieeexplore.ieee.org/abstract/document/9305289?casa_token=fTXIL3hT1yIAAAAA:I4fn-GlF0PIwzPRC87SayRi5_pi2ZDDuSancEsY96A4O4bUBEsp0hSYMNJVGVzMgBWxycYN9qu6D) | |
| 2020 | **Unsupervised Adversarially-Robust Representation Learning on Graphs** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2012.02486) | |
| 2020 | **AANE: Anomaly Aware Network Embedding For Anomalous Link Detection** | Defense | Node Classification | GNNs | ICDM 2020 | [Link](https://ieeexplore.ieee.org/document/9338406) | |
| 2020 | **Provably Robust Node Classification via Low-Pass Message Passing** | Defense | Anomaly Detection | GNNs | ICDM 2020 | [Link](https://shenghua-liu.github.io/papers/icdm2020-provablerobust.pdf) | |
| 2020 | **Learning to Drop: Robust Graph Neural Network via Topological Denoising** | Defense | Node Classification | GNNs | WSDM 2021 | [Link](https://arxiv.org/abs/2011.07057) | [Link](https://github.com/flyingdoog/PTDNet) |
| 2020 | **Robust Android Malware Detection Based on Attributed Heterogenous Graph Embedding** | Defense | Malware Detection | Heterogeneous Information Network Embedding | FCS 2020 | [Link](https://link.springer.com/chapter/10.1007/978-981-15-9739-8_33) | |
| 2020 | **Adversarial Detection on Graph Structured Data** | Defense | Graph Classification | GNNs | PPMLP 2020 | [Link](https://dl.acm.org/doi/abs/10.1145/3411501.3419424) | |
| 2020 | **On the Stability of Graph Convolutional Neural Networks under Edge Rewiring** | Defense | Robustness Certification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2010.13747) | |
| 2020 | **Collective Robustness Certificates** | Defense | Robustness Certification | GNNs | ICLR 2021 | [Link](https://openreview.net/forum?id=ULQdiUTHe3y) | |
| 2020 | **Towards Robust Graph Neural Networks against Label Noise** | Defense | Node Classification | GNNs | ICLR 2021 OpenReview | [Link](https://openreview.net/forum?id=H38f_9b90BO) | |
| 2020 | **Certifying Robustness of Graph Laplacian Based Semi-Supervised Learning** | Defense | Robustness Certification | GNNs | ICLR 2021 OpenReview | [Link](https://openreview.net/forum?id=cQyybLUoXxc) | |
| 2020 | **Graph Adversarial Networks: Protecting Information against Adversarial Attacks** | Defense | Node Attribute Inference | GNNs | ICLR 2021 OpenReview | [Link](https://openreview.net/forum?id=Q8ZdJahesWe) | |
| 2020 | **Ricci-GNN: Defending Against Structural Attacks Through a Geometric Approach** | Defense | Node Classification | GNNs | ICLR 2021 OpenReview | [Link](https://openreview.net/forum?id=_qoQkWNEhS) | |
| 2020 | **Graph Contrastive Learning with Augmentations** | Defense | Node Classification | GNNs | NeurIPS 2020 | [Link](https://arxiv.org/abs/2010.13902) | [Link](https://github.com/Shen-Lab/GraphCL) |
| 2020 | **Graph Information Bottleneck** | Defense | Node Classification | GNNs | NeurIPS 2020 | [Link](https://arxiv.org/abs/2010.12811) | [Link](https://github.com/snap-stanford/GIB) |
| 2020 | **Certified Robustness of Graph Convolution Networks for Graph Classification under Topological Attacks** | Defense | Graph Classification | GCN | NeurIPS 2020 | [Link](https://www.cs.uic.edu/~zhangx/papers/Jinetal20.pdf) | [Link](https://github.com/RobustGraph/RoboGraph) |
| 2020 | **Reliable Graph Neural Networks via Robust Aggregation** | Defense | Node Classification | GNNs | NeurIPS 2020 | [Link](https://arxiv.org/abs/2010.15651) | [Link](https://github.com/sigeisler/reliable_gnn_via_robust_aggregation) |
| 2020 | **Graph Random Neural Networks for Semi-Supervised Learning on Graphs** | Defense | Node Classification | GCN | NeurIPS 2020 | [Link](https://arxiv.org/abs/2005.11079) | [Link](https://github.com/Grand20/grand) |
| 2020 | **Variational Inference for Graph Convolutional Networks in the Absence of Graph Data and Adversarial Settings** | Defense | Node Classification | GCN | NeurIPS 2020 | [Link](https://arxiv.org/abs/1906.01852) | [Link](https://github.com/ebonilla/VGCN) |
| 2020 | **GNNGuard: Defending Graph Neural Networks against Adversarial Attacks** | Defense | Node Classification | GNNs | NeurIPS 2020 | [Link](https://arxiv.org/abs/2006.08149) | [Link](https://github.com/mims-harvard/GNNGuard) |
| 2020 | **A Feature-Importance-Aware and Robust Aggregator for GCN** | Defense | Node Classification Graph Classification | GNNs | CIKM 2020 | [Link](https://dl.acm.org/doi/abs/10.1145/3340531.3411983) | [Link](https://github.com/LiZhang-github/LA-GCN) |
| 2020 | **Uncertainty-Matching Graph Neural Networks to Defend Against Poisoning Attacks** | Defense | Node Classification | GNNs | AAAI 2021 | [Link](https://arxiv.org/abs/2009.14455) | |
| 2020 | **Cross Entropy Attack on Deep Graph Infomax** | Defense | Node Classification | DGI | IEEE ISCAS | [Link](https://ieeexplore.ieee.org/document/9180817) | |
| 2020 | **RoGAT: a robust GNN combined revised GAT with adjusted graphs** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2009.13038) | |
| 2020 | **A Novel Defending Scheme for Graph-Based Classification Against Graph Structure Manipulating Attack** | Defense | Node Classification | MRF | SocialSec | [Link](https://link.springer.com/chapter/10.1007/978-981-15-9031-3_26) | |
| 2020 | **Uncertainty-aware Attention Graph Neural Network for Defending Adversarial Attacks** | Defense | Node Classification | GNNs | AAAI 2021 | [Link](https://arxiv.org/abs/2009.10235) | |
| 2020 | **Certified Robustness of Graph Classification against Topology Attack with Randomized Smoothing** | Defense | Graph Classification | GCB | IEEE GLOBECOM 2020 | [Link](https://arxiv.org/abs/2009.05872) | |
| 2020 | **Adversarial Immunization for Improving Certifiable Robustness on Graphs** | Defense | Node Classification | GNNs | WSDM 2021 | [Link](https://arxiv.org/abs/2007.09647) | |
| 2020 | **Robust Collective Classification against Structural Attacks** | Defense | Node Classification | Associative Markov Networks | UAI 2020 | [Link](http://www.auai.org/uai2020/proceedings/119_main_paper.pdf) | |
| 2020 | **Enhancing Robustness of Graph Convolutional Networks via Dropping Graph Connections** | Defense | Node Classification | GCN | Preprint | [Link](https://faculty.ist.psu.edu/wu/papers/DropCONN.pdf) | |
| 2020 | **Robust Training of Graph Convolutional Networks via Latent Perturbation** | Defense | Node Classification | GCN | ECML-PKDD 2020 | [Link](https://www.cs.uic.edu/~zhangx/papers/JinZha20.pdf) | |
| 2020 | **Backdoor Attacks to Graph Neural Networks** | Defense | Graph Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2006.11165) | |
| 2020 | **DefenseVGAE: Defending against Adversarial Attacks on Graph Data via a Variational Graph Autoencoder** | Defense | Node Classification | GNNs | Arxiv | [Link](https://arxiv.org/abs/2006.08900) | [Link](https://github.com/zhangao520/defense-vgae) |
| 2020 | **Robust Spammer Detection by Nash Reinforcement Learning** | Defense | Fraud Detection | Graph-based Fraud Detector | KDD 2020 | [Link](https://arxiv.org/abs/2006.06069) | [Link](https://github.com/YingtongDou/Nash-Detect) |
| 2020 | **Certifiable Robustness of Graph Convolutional Networks under Structure Perturbations** | Defense | Robustness Certification | GCN | KDD 2020 | [Link](https://dl.acm.org/doi/abs/10.1145/3394486.3403217) | [Link](https://github.com/danielzuegner/robust-gcn-structure) |
| 2020 | **Efficient Robustness Certificates for Discrete Data: Sparsity-Aware Randomized Smoothing for Graphs, Images and More** | Defense | Robustness Certification | GNN | ICML 2020 | [Link](https://arxiv.org/abs/2008.12952) | [Link](https://github.com/abojchevski/sparse_smoothing) |
| 2020 | **Robust Graph Representation Learning via Neural Sparsification** | Defense | Node Classification | GNN | ICML 2020 | [Link](https://proceedings.icml.cc/static/paper_files/icml/2020/2611-Paper.pdf) | |
| 2020 | **Graph Structure Learning for Robust Graph Neural Networks** | Defense | Node Classification | GCN | KDD 2020 | [Link](https://arxiv.org/abs/2005.10203) | [Link](https://github.com/DSE-MSU/DeepRobust) |
| 2020 | **GCN-Based User Representation Learning for Unifying Robust Recommendation and Fraudster Detection** | Defense | Recommender System | GCN | SIGIR 2020 | [Link](https://arxiv.org/abs/2005.10150) | |
| 2020 | **Anonymized GCN: A Novel Robust Graph Embedding Method via Hiding Node Position in Noise** | Defense | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2005.03482) | |
| 2020 | **A Robust Hierarchical Graph Convolutional Network Model for Collaborative Filtering** | Defense | Recommender System | GCN | Arxiv | [Link](https://arxiv.org/abs/2004.14734) | |
| 2020 | **On The Stability of Polynomial Spectral Graph Filters** | Defense | Graph Property | Spectral Graph Filter | ICASSP 2020 | [Link](https://ieeexplore.ieee.org/abstract/document/9054072) | [Link](https://github.com/henrykenlay/spgf) |
| 2020 | **On the Robustness of Cascade Diffusion under Node Attacks** | Defense | Influence Maximization | IC Model | WWW 2020 Workshop | [Link](https://www.cs.au.dk/~karras/robustIC.pdf) | [Link](https://github.com/allogn/robustness) |
| 2020 | **Friend or Faux: Graph-Based Early Detection of Fake Accounts on Social Networks** | Defense | Fraud Detection | Graph-based Fraud Detectors | WWW 2020 | [Link](https://arxiv.org/abs/2004.04834) | |
| 2020 | **Tensor Graph Convolutional Networks for Multi-relational and Robust Learning** | Defense | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2003.07729) | |
| 2020 | **Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks** | Defense | Node Classification | Privacy Protection | AAAI 2020 | [Link](https://ojs.aaai.org//index.php/AAAI/article/view/6791) | |
| 2020 | **Improving the Robustness of Wasserstein Embedding by Adversarial PAC-Bayesian Learning** | Defense | Robustness Certification | Wasserstein Embedding | AAAI 2020 | [Link](http://staff.ustc.edu.cn/~hexn/papers/aaai20-adversarial-embedding.pdf) | |
| 2020 | **Adversarial Perturbations of Opinion Dynamics in Networks** | Defense | Manipulating Opinion | Graph Model | Arxiv | [Link](https://arxiv.org/abs/2003.07010) | |
| 2020 | **Topological Effects on Attacks Against Vertex Classification** | Defense | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/2003.05822) | |
| 2020 | **Towards an Efficient and General Framework of Robust Training for Graph Neural Networks** | Defense | Node Classification | GCN | ICASSP 2020 | [Link](https://arxiv.org/abs/2002.10947) | |
| 2020 | **Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing** | Defense | Community Detection | Community Detection Algs | WWW 2020 | [Link](https://arxiv.org/abs/2002.03421) | |
| 2020 | **Data Poisoning Attacks on Graph Convolutional Matrix Completion** | Defense | Recommender System | GCMC | ICA3PP 2019 | [Link](https://link.springer.com/chapter/10.1007/978-3-030-38961-1_38) | |
### Defense Papers 2019 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------- | ----------------------------------- | ------------------------- | ----------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 2019 | **How Robust Are Graph Neural Networks to Structural Noise?** | Defense | Node Structural Identity Prediction | GIN | Arxiv | [Link](https://arxiv.org/abs/1912.10206) | |
| 2019 | **GraphDefense: Towards Robust Graph Convolutional Networks** | Defense | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/1911.04429) | |
| 2019 | **All You Need is Low (Rank): Defending Against Adversarial Attacks on Graphs** | Defense | Node Classification | GCN, Tensor Embedding | WSDM 2020 | [Link](https://dl.acm.org/doi/abs/10.1145/3336191.3371789) | [Link](https://github.com/DSE-MSU/DeepRobust) |
| 2019 | **αCyber: Enhancing Robustness of Android Malware Detection System against Adversarial Attacks on Heterogeneous Graph based Model** | Defense | Malware Detection | HIN | CIKM 2019 | [Link](https://dl.acm.org/citation.cfm?id=3357875) | |
| 2019 | **Edge Dithering for Robust Adaptive Graph Convolutional Networks** | Defense | Node Classification | GCN | Arxiv | [Link](https://arxiv.org/abs/1910.09590) | |
| 2019 | **GraphSAC: Detecting anomalies in large-scale graphs** | Defense | Anomaly Detection | Anomaly Detection Algs | Arxiv | [Link](https://arxiv.org/abs/1910.09589) | |
| 2019 | **Certifiable Robustness to Graph Perturbations** | Defense | Robustness Certification | GNN | NeurIPS 2019 | [Link](https://papers.nips.cc/paper/9041-certifiable-robustness-to-graph-perturbations.pdf) | [Link](https://github.com/abojchevski/graph_cert) |
| 2019 | **Power up! Robust Graph Convolutional Network based on Graph Powering** | Defense | Node Classification | GCN | Openreview | [Link](https://openreview.net/pdf?id=BkxDxJHFDr) | [Link](https://www.dropbox.com/sh/p36pzx1ock2iamo/AABEr7FtM5nqwC4i9nICLIsta?dl=0) |
| 2019 | **Adversarial Robustness of Similarity-Based Link Prediction** | Defense | Link Prediction | Local Similarity Metrics | ICDM 2019 | [Link](https://arxiv.org/abs/1909.01432) | |
| 2019 | **Adversarial Training Methods for Network Embedding** | Defense | Node Classification | DeepWalk | WWW 2019 | [Link](https://arxiv.org/abs/1908.11514) | [Link](https://github.com/wonniu/AdvT4NE_WWW2019) |
| 2019 | **Transferring Robustness for Graph Neural Network Against Poisoning Attacks** | Defense | Node Classification | GNN | WSDM 2020 | [Link](https://arxiv.org/abs/1908.07558) | [Link](https://github.com/tangxianfeng/PA-GNN) |
| 2019 | **Improving Robustness to Attacks Against Vertex Classification** | Defense | Node Classification | GCN | KDD Workshop 2019 | [Link](http://eliassi.org/papers/benmiller-mlg2019.pdf) | |
| 2019 | **Target Defense Against Link-Prediction-Based Attacks via Evolutionary Perturbations** | Defense | Link Prediction | Link Prediction Algs | TKDE | [Link](https://arxiv.org/abs/1809.05912) | |
| 2019 | **Latent Adversarial Training of Graph Convolution Networks** | Defense | Node Classification | GCN | LRGSD@ICML | [Link](https://graphreason.github.io/papers/35.pdf) | |
| 2019 | **Certifiable Robustness and Robust Training for Graph Convolutional Networks** | Defense | Robustness Certification | GCN | KDD 2019 | [Link](https://arxiv.org/abs/1906.12269) | [Link](https://github.com/danielzuegner/robust-gcn) |
| 2019 | **Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective** | Defense | Node Classification | GNN | IJCAI 2019 | [Link](https://arxiv.org/abs/1906.04214) | [Link](https://github.com/KaidiXu/GCN_ADV_Train) |
| 2019 | **Adversarial Examples on Graph Data: Deep Insights into Attack and Defense** | Defense | Node Classification | GCN | IJCAI 2019 | [Link](https://arxiv.org/abs/1903.01610) | [Link](https://github.com/DSE-MSU/DeepRobust) |
| 2019 | **Adversarial Defense Framework for Graph Neural Network** | Defense | Node Classification | GCN, GraphSAGE | Arxiv | [Link](https://arxiv.org/abs/1905.03679) | |
| 2019 | **Investigating Robustness and Interpretability of Link Prediction via Adversarial Modifications** | Defense | Link Prediction | Knowledge Graph Embedding | NAACL 2019 | [Link](https://arxiv.org/abs/1905.00563) | |
| 2019 | **Robust Graph Convolutional Networks Against Adversarial Attacks** | Defense | Node Classification | GCN | KDD 2019 | [Link](http://pengcui.thumedialab.com/papers/RGCN.pdf) | [Link](https://github.com/DSE-MSU/DeepRobust) |
| 2019 | **Can Adversarial Network Attack be Defended?** | Defense | Node Classification | GNN | Arxiv | [Link](https://arxiv.org/abs/1903.05994) | |
| 2019 | **Virtual Adversarial Training on Graph Convolutional Networks in Node Classification** | Defense | Node Classification | GCN | PRCV 2019 | [Link](https://arxiv.org/abs/1902.11045) | |
| 2019 | **Batch Virtual Adversarial Training for Graph Convolutional Networks** | Defense | Node Classification | GCN | LRGSD@ICML | [Link](https://arxiv.org/abs/1902.09192) | |
| 2019 | **Comparing and Detecting Adversarial Attacks for Graph Deep Learning** | Defense | Node Classification | GCN, GAT, Nettack | RLGM@ICLR 2019 | [Link](https://rlgm.github.io/papers/57.pdf) | |
| 2019 | **Graph Adversarial Training: Dynamically Regularizing Based on Graph Structure** | Defense | Node Classification | GCN | TKDE | [Link](https://arxiv.org/abs/1902.08226) | [Link](https://github.com/fulifeng/GraphAT) |
### Defense Papers 2018 [[Back to Top](#graph-adversarial-learning-literature)]
| Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
| ---- | ------------------------------------------------------------ | ------- | -------------------- | ------------- | ---------- | -------------------------------------------------- | ---- |
| 2018 | **Characterizing Malicious Edges targeting on Graph Neural Networks** | Defense | Detected Added Edges | GNN, GCN | OpenReview | [Link](https://openreview.net/forum?id=HJxdAoCcYX) | |
| 2018 | **PeerNets: Exploiting Peer Wisdom Against Adversarial Attacks** | Defense | Image Classification | LeNet, ResNet | ICLR 2019 | [Link](https://arxiv.org/abs/1806.00088) | |