arxiv: 2605.05534 · v1 · submitted 2026-05-07 · 💻 cs.LG

Recognition: unknown

Adversarial Graph Neural Network Benchmarks: Towards Practical and Fair Evaluation

Cuneyt Gurcan Akcora, Federico Errica, Murat Kantarcioglu, Tran Gia Bao Ngo, Zulfikar Alom

Authors on Pith no claims yet

Pith reviewed 2026-05-09 15:54 UTC · model grok-4.3

classification 💻 cs.LG

keywords adversarial robustnessgraph neural networksbenchmarkingevaluation protocolsGNN attacksGNN defensespoisoning attacksevasion attacks

0 comments

The pith

Inconsistent choices in target node selection and model training can completely reverse which adversarial attacks appear most effective against graph neural networks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that many published comparisons of attacks and defenses on GNNs use incompatible experimental settings, producing contradictory claims about which methods work best. Through a unified re-run of seven attacks and eight defenses on six datasets, totaling over 453,000 experiments, the authors isolate two previously under-reported factors: how the target nodes for an attack are chosen and exactly how the model under attack is trained. These choices alone can flip performance rankings and make some attacks look far stronger or weaker than they are under standardized conditions. The result matters because real-world GNN robustness cannot be assessed reliably when every paper uses its own protocol.

Core claim

Adopting fair, robust, and standardized evaluation protocols is necessary in adversarial GNN research. A comprehensive re-evaluation of seven widely used attacks and eight recent defenses under both poisoning and evasion scenarios across six popular graph datasets, spanning over 453,000 experiments in a single framework, reveals that overlooked factors such as target node selection and the training process of the attacked model have a profound impact on attack effectiveness, to the extent of completely distorting performance insights.

What carries the argument

The authors' unified experimental protocol that enforces consistent choices for target node selection, model training, poisoning versus evasion scenarios, and performance measurement across all attacks and defenses.

If this is right

Attack performance rankings change substantially once target node selection and training procedures are held fixed.
Some attacks reported as strong in prior work become noticeably weaker under the standardized protocol.
Defenses must be tested against attacks whose effectiveness has been measured without protocol bias.
Without standardized evaluations, progress on GNN robustness remains unreliable for practical applications.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

New attack or defense papers could use the same unified protocol as a required baseline for direct comparison.
Extending the benchmark to larger or more heterogeneous real-world graphs could expose additional hidden sensitivities.
Reporting exact target node sampling methods and training details should become standard in future GNN adversarial studies.

Load-bearing premise

The selected seven attacks, eight defenses, six datasets, and the authors' single unified protocol together form a fair and representative sample of real-world GNN usage and adversarial settings.

What would settle it

Repeating the full set of 453,000 experiments with a second, independently designed but still consistent protocol that yields the same attack and defense rankings would falsify the claim that the overlooked factors distort insights.

Figures

Figures reproduced from arXiv: 2605.05534 by Cuneyt Gurcan Akcora, Federico Errica, Murat Kantarcioglu, Tran Gia Bao Ngo, Zulfikar Alom.

**Figure 1.** Figure 1: Overview of our risk assessment framework for adversarial GNN evaluation. view at source ↗

**Figure 2.** Figure 2: Average misclassification rate for different node categories of four non-defense models view at source ↗

**Figure 3.** Figure 3: Misclassification rates of defense and non-defense models under different adversarial view at source ↗

**Figure 4.** Figure 4: Misclassification rates of defense and non-defense models under different adversarial view at source ↗

**Figure 5.** Figure 5: Performance of seven adversarial attacks on GSAGE on CORA datasets in poison setting. view at source ↗

**Figure 6.** Figure 6: Ablation study on L1D-RND. The effect of other two variants of L1D-RND: L1D-RND that add edge only (degree affect) and L1D-RND that remove edge only (L 1 norm affect) on different class of target nodes: High/low margin, High/low degree and random on budget 5 of evasion setting. K Adversarial Attack Methods In this section, we summarize the state-of-the-art adversarial attack techniques considered in our be… view at source ↗

read the original abstract

Adversarial learning and the robustness of Graph Neural Networks (GNNs) are topics of widespread interest in the machine learning community, as documented by the number of adversarial attacks and defenses designed for these purposes. While a rigorous evaluation of these adversarial methods is necessary to understand the robustness of GNNs in real-world applications, we posit that many works in the literature do not share the same experimental settings, leading to ambiguous and potentially contradictory scientific conclusions. In this benchmark, we demonstrate the importance of adopting fair, robust, and standardized evaluation protocols in adversarial GNN research. We perform a comprehensive re-evaluation of seven widely used attacks and eight recent defenses under both poisoning and evasion scenarios, across six popular graph datasets. Our study spans over 453,000 experiments conducted within a unified framework. We observe substantial differences in adversarial attack performance when evaluated under a fair and robust procedure. Our findings reveal that previously overlooked factors, such as target node selection and the training process of the attacked model, have a profound impact on attack effectiveness, to the extent of completely distorting performance insights. These results underscore the urgent need for standardized evaluations in adversarial graph machine learning.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Target node selection and attacked-model training can reverse attack rankings in GNN robustness tests, shown here through a large unified re-evaluation.

read the letter

The paper re-runs seven attacks and eight defenses on six datasets inside one controlled framework, for a total of 453,000 experiments. It finds that two factors often ignored in prior work—how target nodes are picked and how the model being attacked is trained—can flip which attack appears strongest. This is the concrete new piece: a single setup that makes the inconsistency visible and shows rankings are not stable under fair conditions. The scale and the controlled comparison are what the work does well. It gives a practical demonstration that many existing robustness claims rest on non-comparable settings, which explains contradictory results in the literature. Anyone who has tried to compare attack papers will recognize the problem the authors are pointing at. The soft spots are proportionate. The six datasets are the usual small-to-medium citation and social graphs; the sensitivity to target choice and training might shrink or disappear on larger, heterogeneous, or domain-specific graphs such as molecular or knowledge graphs. The abstract also gives no numbers on hyperparameter search, number of random seeds, or statistical tests, so it is hard to judge how large or consistent the reversals really are. The claim of “complete distortion” therefore rests on whether the chosen sample is representative enough. This paper is for researchers who design or evaluate adversarial methods on graphs and who need to know the evaluation pitfalls before claiming superiority. It is worth bringing to a reading group on graph ML or adversarial robustness. I would cite it when discussing why standardized protocols matter. It deserves peer review because the empirical observation is specific and checkable, even if the authors will need to add more datasets and protocol details in revision.

Referee Report

3 major / 2 minor

Summary. The paper conducts a large-scale re-evaluation of seven adversarial attacks and eight defenses for Graph Neural Networks (GNNs) under poisoning and evasion scenarios across six popular graph datasets, reporting over 453,000 experiments within a unified framework. It claims that previously overlooked factors such as target node selection and the training process of the attacked model have a profound impact on attack effectiveness, to the extent of completely distorting performance insights from prior work, and concludes that standardized evaluation protocols are urgently needed in adversarial GNN research.

Significance. If the central empirical findings hold under scrutiny, this benchmark would be a valuable contribution by demonstrating the sensitivity of GNN adversarial evaluations to experimental design choices, thereby improving the reliability of robustness claims in the field. The scale of the study (453,000 experiments) is a clear strength, providing broad empirical coverage that goes beyond typical single-paper evaluations. However, the restriction to six small-to-medium citation and social graphs limits the assessed generalizability.

major comments (3)

[§4 (Experimental Setup)] §4 (Experimental Setup): The manuscript provides no details on hyperparameter selection, random seed management, or statistical controls for the 453,000 experiments. This is load-bearing for the central claim, as the reported 'profound impact' and 'complete distortion' of insights from target node selection and attacked-model training cannot be verified as robust without these controls.
[§5 (Results and Discussion)] §5 (Results and Discussion): The claim that variations in target node selection and model training 'completely distort' prior performance insights requires explicit quantitative demonstrations (e.g., ranking reversals with effect sizes) for at least two cited prior works; the current presentation does not include such direct comparisons, weakening the distortion argument.
[§3 and §4] §3 and §4: The six datasets are limited to small-to-medium citation and social graphs. No experiments on larger, heterogeneous, or domain-specific graphs (e.g., molecular or knowledge graphs) are reported, so it remains unclear whether the observed sensitivities to target node selection and training process are general or protocol-specific artifacts of the chosen sample.

minor comments (2)

[Figures] Figure captions and axis labels in the results figures should explicitly state the exact protocol variants being compared to improve readability.
[Abstract] The abstract states 'over 453,000 experiments' without a breakdown; a short table or paragraph in §4 clarifying the counting method (e.g., how attack/defense variants and seeds are tallied) would aid transparency.

Simulated Author's Rebuttal

3 responses · 1 unresolved

We thank the referee for their constructive and detailed feedback on our manuscript. We address each major comment point by point below, clarifying our experimental design, strengthening the quantitative support for our claims, and acknowledging scope limitations while outlining planned revisions.

read point-by-point responses

Referee: [§4 (Experimental Setup)] The manuscript provides no details on hyperparameter selection, random seed management, or statistical controls for the 453,000 experiments. This is load-bearing for the central claim, as the reported 'profound impact' and 'complete distortion' of insights from target node selection and attacked-model training cannot be verified as robust without these controls.

Authors: We agree that additional details on these aspects will improve reproducibility and verifiability. Section 4 describes the unified framework used to ensure consistent evaluation across attacks and defenses, but we will expand the revised manuscript with a new appendix subsection explicitly documenting: (i) hyperparameter selection procedures, including the ranges and selection criteria for learning rates, hidden dimensions, dropout, and other model parameters; (ii) random seed management, with all experiments using fixed seeds for reproducibility across runs; and (iii) statistical controls, including the number of independent repetitions, reporting of means and standard deviations, and any significance testing applied. These additions will directly support the robustness of our findings on the effects of target node selection and attacked-model training. revision: yes
Referee: [§5 (Results and Discussion)] The claim that variations in target node selection and model training 'completely distort' prior performance insights requires explicit quantitative demonstrations (e.g., ranking reversals with effect sizes) for at least two cited prior works; the current presentation does not include such direct comparisons, weakening the distortion argument.

Authors: We appreciate the request for more explicit quantification. Section 5 already illustrates how different target node selection strategies and training protocols lead to substantial changes in attack success rates, including cases where the relative ordering of attack effectiveness reverses compared to common evaluation practices. To directly address the referee's concern, we will revise Section 5 to include targeted comparisons with at least two representative prior works cited in the paper. These will feature quantitative metrics such as changes in attack performance rankings, absolute and relative effect sizes (e.g., percentage point differences in attack success rate), and, where feasible, statistical effect size measures. This will make the 'distortion' argument more concrete and evidence-based. revision: yes
Referee: [§3 and §4] The six datasets are limited to small-to-medium citation and social graphs. No experiments on larger, heterogeneous, or domain-specific graphs (e.g., molecular or knowledge graphs) are reported, so it remains unclear whether the observed sensitivities to target node selection and training process are general or protocol-specific artifacts of the chosen sample.

Authors: We acknowledge this as a valid limitation of scope. The six datasets were selected because they represent the standard benchmarks repeatedly used in prior adversarial GNN studies, which enables direct and fair re-evaluation of existing claims. While the sensitivities we report may indeed manifest differently on larger or heterogeneous graphs, the core finding—that overlooked protocol choices can distort performance insights—applies directly to the evaluation settings prevalent in the literature. In the revision, we will expand the discussion sections to explicitly note this limitation, discuss potential implications for other graph domains, and outline directions for future work on larger-scale graphs. However, scaling the full experimental suite to such graphs would require prohibitive additional compute and is outside the scope of the current study. revision: partial

standing simulated objections not resolved

The restriction to six small-to-medium citation and social graphs; expanding the benchmark to larger, heterogeneous, or domain-specific graphs would require a new, computationally intensive set of experiments that cannot be completed within the scope of this revision.

Circularity Check

0 steps flagged

No circularity: empirical benchmark of existing methods

full rationale

The paper performs a large-scale empirical re-evaluation of seven attacks and eight defenses across six datasets under a unified protocol, reporting observations from 453,000 experiments. No mathematical derivations, predictions, or first-principles results are present that could reduce to fitted parameters or self-referential definitions. Claims about the impact of target node selection and attacked-model training are grounded directly in the experimental outcomes rather than any self-citation chain or ansatz. Self-citations to prior attack/defense papers serve only as references to the methods being re-tested and carry no load-bearing justification for the benchmark's own conclusions.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The paper is an empirical benchmarking study with no mathematical derivations or new theoretical entities. It rests on the domain assumption that the selected attacks, defenses, and datasets are representative.

free parameters (1)

Selection of six popular graph datasets
Dataset choice is a modeling decision that can influence measured attack success; no justification for the exact set is given in the abstract.

axioms (1)

domain assumption The seven attacks and eight defenses are representative of current literature
The abstract states they are 'widely used' and 'recent' but does not demonstrate coverage of the full space of methods.

pith-pipeline@v0.9.0 · 5518 in / 1264 out tokens · 56607 ms · 2026-05-09T15:54:39.781425+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

75 extracted references · 41 canonical work pages

[1]

Abbahaddou, S

Y . Abbahaddou, S. Ennadir, J. F. Lutzeyer, M. Vazirgiannis, and H. Boström. Bounding the expected robustness of graph neural networks subject to node feature attacks. InThe Twelfth International Conference on Learning Representations, ICLR 2024, Vienna, Austria, May 7-11,

2024
[2]

URLhttps://openreview.net/forum?id=DfPtC8uSot

OpenReview.net, 2024. URLhttps://openreview.net/forum?id=DfPtC8uSot

2024
[3]

Z. Alom, T. G. B. Ngo, M. Kantarcioglu, and C. G. Akcora. GOttack: Universal adversarial attacks on graph neural networks via graph orbits learning. InThe Thirteenth International Conference on Learning Representations, 2025. URL https://openreview.net/forum? id=YbURbViE7l

2025
[4]

Bacciu, F

D. Bacciu, F. Errica, A. Micheli, and M. Podda. A gentle introduction to deep learning for graphs.Neural Networks, 129:203–221, 9 2020

2020
[5]

S. Cao, W. Lu, and Q. Xu. Grarep: Learning graph representations with global structural information. In J. Bailey, A. Moffat, C. C. Aggarwal, M. de Rijke, R. Kumar, V . Murdock, T. K. Sellis, and J. X. Yu, editors,Proceedings of the 24th ACM International Conference on Information and Knowledge Management, CIKM 2015, Melbourne, VIC, Australia, October 19 ...

work page doi:10.1145/2806416.2806512 2015
[6]

G. C. Cawley and N. L. C. Talbot. On over-fitting in model selection and subsequent selection bias in performance evaluation.J. Mach. Learn. Res., 11:2079–2107, 2010. doi: 10.5555/ 1756006.1859921. URLhttps://dl.acm.org/doi/10.5555/1756006.1859921

work page doi:10.5555/1756006.1859921 2079
[7]

J. Chen, Y . Wu, X. Xu, Y . Chen, H. Zheng, and Q. Xuan. Fast gradient attack on network embedding.CoRR, abs/1809.02797, 2018. URLhttp://arxiv.org/abs/1809.02797

work page arXiv 2018
[8]

J. Chen, X. Lin, H. Xiong, Y . Wu, H. Zheng, and Q. Xuan. Smoothing adversarial training for GNN.IEEE Trans. Comput. Soc. Syst., 8(3):618–629, 2021. doi: 10.1109/TCSS.2020.3042628. URLhttps://doi.org/10.1109/TCSS.2020.3042628

work page doi:10.1109/tcss.2020.3042628 2021
[9]

L. Chen, X. Li, and D. Wu. Enhancing robustness of graph convolutional networks via dropping graph connections. In F. Hutter, K. Kersting, J. Lijffijt, and I. Valera, editors,Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2020, Ghent, Belgium, September 14-18, 2020, Proceedings, Part III, volume 12459 ofLecture Note...

work page doi:10.1007/978-3-030-67664-3 2020
[10]

L. Chen, J. Li, Q. Peng, Y . Liu, Z. Zheng, and C. Yang. Understanding structural vulnerability in graph convolutional networks. In Z. Zhou, editor,Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence, IJCAI 2021, Virtual Event / Montreal, Canada, 19-27 August 2021, pages 2249–2255. ijcai.org, 2021. doi: 10.24963/IJCAI.20...

work page doi:10.24963/ijcai.2021/310 2021
[11]

Corso, L

G. Corso, L. Cavalleri, D. Beaini, P. Liò, and P. Velickovic. Principal neighbourhood ag- gregation for graph nets. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors,Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6-12, 2020, virtual, 2020

2020
[12]

C. Deng, X. Li, Z. Feng, and Z. Zhang. GARNET: reduced-rank topology learning for robust and scalable graph neural networks. In B. Rieck and R. Pascanu, editors,Learning on Graphs Conference, LoG 2022, 9-12 December 2022, Virtual Event, volume 198 ofProceedings of Machine Learning Research, page 3. PMLR, 2022. URL https://proceedings.mlr. press/v198/deng22a.html

2022
[13]

Z. Deng, Y . Dong, and J. Zhu. Batch virtual adversarial training for graph convolutional networks.AI Open, 4:73–79, 2023. doi: 10.1016/J.AIOPEN.2023.08.007. URL https: //doi.org/10.1016/j.aiopen.2023.08.007. 10

work page doi:10.1016/j.aiopen.2023.08.007 2023
[14]

D. Duan, L. Tong, Y . Li, J. Lu, L. Shi, and C. Zhang. AANE: anomaly aware network embedding for anomalous link detection. In C. Plant, H. Wang, A. Cuzzocrea, C. Zaniolo, and X. Wu, editors,20th IEEE International Conference on Data Mining, ICDM 2020, Sorrento, Italy, November 17-20, 2020, pages 1002–1007. IEEE, 2020. doi: 10.1109/ICDM50108.2020.00116. UR...

work page doi:10.1109/icdm50108.2020.00116 2020
[15]

Elinas, E

P. Elinas, E. V . Bonilla, and L. C. Tiao. Variational inference for graph convolutional networks in the absence of graph data and adversarial settings. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors,Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020...

2020
[16]

Longllada: Unlocking long context capabilities in diffusion llms

S. Ennadir, Y . Abbahaddou, J. F. Lutzeyer, M. Vazirgiannis, and H. Boström. A simple and yet fairly effective defense for graph neural networks. In M. J. Wooldridge, J. G. Dy, and S. Natarajan, editors,Thirty-Eighth AAAI Conference on Artificial Intelligence, AAAI 2024, Thirty-Sixth Conference on Innovative Applications of Artificial Intelligence, IAAI 2...

work page doi:10.1609/aaai 2024
[17]

Ennadir, J

S. Ennadir, J. F. Lutzeyer, M. Vazirgiannis, and E. H. Bergou. If you want to be robust, be wary of initialization. In A. Globersons, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. M. Tomczak, and C. Zhang, editors,Advances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver,...

2024
[18]

Why do people buy seemingly irrelevant items in voice product search?: On the relation between product relevance and customer satisfaction in ecommerce,

N. Entezari, S. A. Al-Sayouri, A. Darvishzadeh, and E. E. Papalexakis. All you need is low (rank): Defending against adversarial attacks on graphs. In J. Caverlee, X. B. Hu, M. Lalmas, and W. Wang, editors,WSDM ’20: The Thirteenth ACM International Conference on Web Search and Data Mining, Houston, TX, USA, February 3-7, 2020, pages 169–177. ACM, 2020. do...

work page doi:10.1145/3336191.3371789 2020
[19]

Errica, M

F. Errica, M. Podda, D. Bacciu, and A. Micheli. A fair comparison of graph neural networks for graph classification. In8th International Conference on Learning Representations, ICLR 2020, Addis Ababa, Ethiopia, April 26-30, 2020. OpenReview.net, 2020. URL https:// openreview.net/forum?id=HygDF6NFPB

2020
[20]

B. Feng, Y . Wang, and Y . Ding. UAG: uncertainty-aware attention graph neural network for defending adversarial attacks. InThirty-Fifth AAAI Conference on Artificial Intelligence, AAAI 2021, Thirty-Third Conference on Innovative Applications of Artificial Intelligence, IAAI 2021, The Eleventh Symposium on Educational Advances in Artificial Intelligence, ...

work page doi:10.1609/aaai.v35i8 2021
[21]

F. Feng, X. He, J. Tang, and T. Chua. Graph adversarial training: Dynamically regularizing based on graph structure.IEEE Trans. Knowl. Data Eng., 33(6):2493–2504, 2021. doi: 10.1109/TKDE.2019.2957786. URLhttps://doi.org/10.1109/TKDE.2019.2957786

work page doi:10.1109/tkde.2019.2957786 2021
[22]

W. Feng, J. Zhang, Y . Dong, Y . Han, H. Luan, Q. Xu, Q. Yang, E. Kharlamov, and J. Tang. Graph random neural networks for semi-supervised learning on graphs. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors,Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIP...

2020
[23]

Geisler, T

S. Geisler, T. Schmidt, H. Sirin, D. Zügner, A. Bojchevski, and S. Günnemann. Robustness of graph neural networks at scale. In M. Ranzato, A. Beygelzimer, Y . N. Dauphin, P. Liang, and J. W. Vaughan, editors,Advances in Neural Information Processing Systems 34: Annual Conference on Neural Information Processing Systems 2021, NeurIPS 2021, December 6-14, 2...

2021
[24]

Günnemann

S. Günnemann. Graph neural networks: Adversarial robustness.Graph neural networks: foundations, frontiers, and applications, pages 149–176, 2022. 11

2022
[25]

W. L. Hamilton, Z. Ying, and J. Leskovec. Inductive representation learning on large graphs. In I. Guyon, U. von Luxburg, S. Bengio, H. M. Wallach, R. Fergus, S. V . N. Vishwanathan, and R. Garnett, editors,Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, December 4-9, 2017, Long Beach,...

2017
[26]

Z. Hou, R. Feng, T. Derr, and X. Liu. Robust graph neural networks via unbiased aggregation. InAdvances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver, BC, Canada, December 10 - 15, 2024, 2024. URL http://papers.nips.cc/paper_files/paper/2024/hash/ c6e31f86c1eb8dfc05190...

2024
[27]

W. Hu, M. Fey, M. Zitnik, Y . Dong, H. Ren, B. Liu, M. Catasta, and J. Leskovec. Open graph benchmark: Datasets for machine learning on graphs. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors,Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, Decembe...

2020
[28]

W. Hu, M. Fey, M. Zitnik, Y . Dong, H. Ren, B. Liu, M. Catasta, and J. Leskovec. Open graph benchmark: Datasets for machine learning on graphs. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors,Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, Decembe...

2020
[29]

W. Hu, C. Chen, Y . Chang, Z. Zheng, and Y . Du. Robust graph convolutional networks with directional graph adversarial training.Appl. Intell., 51(11):7812–7826, 2021. doi: 10.1007/ S10489-021-02272-Y. URLhttps://doi.org/10.1007/s10489-021-02272-y

work page doi:10.1007/s10489-021-02272-y 2021
[30]

V . N. Ioannidis and G. B. Giannakis. Edge dithering for robust adaptive graph convolutional networks.CoRR, abs/1910.09590, 2019. URLhttp://arxiv.org/abs/1910.09590

work page arXiv 1910
[31]

V . N. Ioannidis, A. G. Marques, and G. B. Giannakis. Tensor graph convolutional networks for multi-relational and robust learning.IEEE Trans. Signal Process., 68:6535–6546, 2020. doi: 10.1109/TSP.2020.3028495. URLhttps://doi.org/10.1109/TSP.2020.3028495

work page doi:10.1109/tsp.2020.3028495 2020
[32]

M. Jin, H. Chang, W. Zhu, and S. Sojoudi. Power up! robust graph convolutional network against evasion attacks based on graph powering.CoRR, abs/1905.10029, 2019. URL http: //arxiv.org/abs/1905.10029

work page arXiv 1905
[33]

W. Jin, Y . Ma, X. Liu, X. Tang, S. Wang, and J. Tang. Graph structure learning for robust graph neural networks. In R. Gupta, Y . Liu, J. Tang, and B. A. Prakash, editors,KDD ’20: The 26th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Virtual Event, CA, USA, August 23-27, 2020, pages 66–74. ACM, 2020. doi: 10.1145/3394486.3403049. URL htt...

work page doi:10.1145/3394486.3403049 2020
[34]

W. Jin, T. Derr, Y . Wang, Y . Ma, Z. Liu, and J. Tang. Node similarity preserving graph convolutional networks. In L. Lewin-Eytan, D. Carmel, E. Yom-Tov, E. Agichtein, and E. Gabrilovich, editors,WSDM ’21, The Fourteenth ACM International Conference on Web Search and Data Mining, Virtual Event, Israel, March 8-12, 2021, pages 148–156. ACM, 2021. doi: 10....

work page doi:10.1145/3437963.3441735 2021
[35]

W. Jin, T. Zhao, J. Ding, Y . Liu, J. Tang, and N. Shah. Empowering graph representation learning with test-time graph transformation. InThe Eleventh International Conference on Learning Representations, ICLR 2023, Kigali, Rwanda, May 1-5, 2023. OpenReview.net, 2023. URLhttps://openreview.net/forum?id=Lnxl5pr018

2023
[36]

T. N. Kipf and M. Welling. Semi-supervised classification with graph convolutional networks. In5th International Conference on Learning Representations, ICLR 2017, Toulon, France, April 24-26, 2017, Conference Track Proceedings. OpenReview.net, 2017. URL https:// openreview.net/forum?id=SJU4ayYgl. 12

2017
[37]

J. Li, T. Xie, L. Chen, F. Xie, X. He, and Z. Zheng. Adversarial attack on large scale graph. CoRR, abs/2009.03488, 2020. URLhttps://arxiv.org/abs/2009.03488

work page arXiv 2009
[38]

J. Li, T. Xie, L. Chen, F. Xie, X. He, and Z. Zheng. Adversarial attack on large scale graph. IEEE Trans. Knowl. Data Eng., 35(1):82–95, 2023. doi: 10.1109/TKDE.2021.3078755. URL https://doi.org/10.1109/TKDE.2021.3078755

work page doi:10.1109/tkde.2021.3078755 2023
[39]

Y . Li, W. Jin, H. Xu, and J. Tang. Deeprobust: A pytorch library for adversarial attacks and defenses.arXiv preprint arXiv:2005.06149, 2020

work page arXiv 2005
[40]

Z. C. Lipton and J. Steinhardt. Troubling trends in machine learning scholarship.ACM Queue, 17(1):80, 2019

2019
[41]

X. Liu, J. Ding, W. Jin, H. Xu, Y . Ma, Z. Liu, and J. Tang. Graph neural networks with adaptive residual. In M. Ranzato, A. Beygelzimer, Y . N. Dauphin, P. Liang, and J. W. Vaughan, editors,Advances in Neural Information Processing Systems 34: Annual Conference on Neural Information Processing Systems 2021, NeurIPS 2021, December 6-14, 2021, virtual, pag...

2021
[42]

X. Liu, W. Jin, Y . Ma, Y . Li, H. Liu, Y . Wang, M. Yan, and J. Tang. Elastic graph neural networks. In M. Meila and T. Zhang, editors,Proceedings of the 38th International Conference on Machine Learning, ICML 2021, 18-24 July 2021, Virtual Event, volume 139 ofProceedings of Machine Learning Research, pages 6837–6849. PMLR, 2021. URL http://proceedings. ...

2021
[43]

D. Luo, W. Cheng, W. Yu, B. Zong, J. Ni, H. Chen, and X. Zhang. Learning to drop: Robust graph neural network via topological denoising. In L. Lewin-Eytan, D. Carmel, E. Yom-Tov, E. Agichtein, and E. Gabrilovich, editors,WSDM ’21, The Fourteenth ACM International Conference on Web Search and Data Mining, Virtual Event, Israel, March 8-12, 2021, pages 779–...

work page doi:10.1145/3437963.3441734 2021
[44]

A. Micheli. Neural network for graphs: A contextual constructive approach.IEEE Trans. Neural Networks, 20(3):498–511, 2009. doi: 10.1109/TNN.2008.2010350. URL https: //doi.org/10.1109/TNN.2008.2010350

work page doi:10.1109/tnn.2008.2010350 2009
[45]

Mujkanovic, S

F. Mujkanovic, S. Geisler, S. Günnemann, and A. Bojchevski. Are defenses for graph neural networks robust? In S. Koyejo, S. Mohamed, A. Agarwal, D. Belgrave, K. Cho, and A. Oh, editors,Advances in Neural Information Processing Systems 35: Annual Conference on Neural Information Processing Systems 2022, NeurIPS 2022, New Orleans, LA, USA, November 28 - Dec...

2022
[46]

Y . E. Nesterov. Efficiency of coordinate descent methods on huge-scale optimization problems. SIAM J. Optim., 22(2):341–362, 2012. doi: 10.1137/100802001. URL https://doi.org/10. 1137/100802001

work page doi:10.1137/100802001 2012
[47]

Rossi and N

R. Rossi and N. Ahmed. Network repository: A scientific network data repository with interactive visualization and mining tools, 2025. URL https://networkrepository.com/ network-analytics-graphlets-log.php

2025
[48]

arXiv:1909.13021 [cs, stat] , author =

B. Rozemberczki, C. Allen, and R. Sarkar. Multi-scale attributed node embedding. InIMA Journal of Complex Networks, volume abs/1909.13021, 2019. URL http://arxiv.org/abs/ 1909.13021

work page arXiv 1909
[49]

Rozemberczki, C

B. Rozemberczki, C. Allen, and R. Sarkar. Multi-scale attributed node embedding.J. Complex Networks, 9(2), 2021. doi: 10.1093/COMNET/CNAB014. URL https://doi.org/10. 1093/comnet/cnab014

work page doi:10.1093/comnet/cnab014 2021
[50]

Ma, L., Lin, C., Lim, D., Romero-Soriano, A., Dokania, P

F. Scarselli, M. Gori, A. C. Tsoi, M. Hagenbuchner, and G. Monfardini. The graph neural network model.IEEE Trans. Neural Networks, 20(1):61–80, 2009. doi: 10.1109/TNN.2008. 2005605. URLhttps://doi.org/10.1109/TNN.2008.2005605

work page doi:10.1109/tnn.2008 2009
[51]

Pitfalls of Graph Neural Network Evaluation

O. Shchur, M. Mumme, A. Bojchevski, and S. Günnemann. Pitfalls of graph neural network evaluation.CoRR, abs/1811.05868, 2018. URLhttp://arxiv.org/abs/1811.05868. 13

work page Pith review arXiv 2018
[52]

S. Tao, H. Shen, Q. Cao, L. Hou, and X. Cheng. Adversarial immunization for certifi- able robustness on graphs. In L. Lewin-Eytan, D. Carmel, E. Yom-Tov, E. Agichtein, and E. Gabrilovich, editors,WSDM ’21, The Fourteenth ACM International Conference on Web Search and Data Mining, Virtual Event, Israel, March 8-12, 2021, pages 698–706. ACM, 2021. doi: 10.1...

work page doi:10.1145/3437963.3441782 2021
[53]

H. Wang, J. Wang, J. Wang, M. Zhao, W. Zhang, F. Zhang, X. Xie, and M. Guo. Graphgan: Graph representation learning with generative adversarial nets. In S. A. McIlraith and K. Q. Weinberger, editors,Proceedings of the Thirty-Second AAAI Conference on Artificial Intelli- gence, (AAAI-18), the 30th innovative Applications of Artificial Intelligence (IAAI-18...

work page doi:10.1609/aaai.v32i1.11872 2018
[54]

B. Wu, Y . Bian, H. Zhang, J. Li, J. Yu, L. Chen, C. Chen, and J. Huang. Trustworthy graph learning: Reliability, explainability, and privacy protection. InProceedings of the 28th ACM SIGKDD conference on knowledge discovery and data mining, pages 4838–4839, 2022

2022
[55]

F. Wu, A. H. S. Jr., T. Zhang, C. Fifty, T. Yu, and K. Q. Weinberger. Simplifying graph convolutional networks. In K. Chaudhuri and R. Salakhutdinov, editors,Proceedings of the 36th International Conference on Machine Learning, ICML 2019, 9-15 June 2019, Long Beach, California, USA, volume 97 ofProceedings of Machine Learning Research, pages 6861–6871. PM...

2019
[56]

H. Wu, C. Wang, Y . Tyshetskiy, A. Docherty, K. Lu, and L. Zhu. Adversarial examples for graph data: Deep insights into attack and defense. In S. Kraus, editor,Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, IJCAI 2019, Macao, China, August 10-16, 2019, pages 4816–4823. ijcai.org, 2019. doi: 10.24963/IJCAI.2019/...

work page doi:10.24963/ijcai.2019/669 2019
[57]

Y . Xiao, J. Li, and W. Su. A lightweight metric defence strategy for graph neural networks against poisoning attacks. In D. Gao, Q. Li, X. Guan, and X. Liao, editors,Information and Communications Security - 23rd International Conference, ICICS 2021, Chongqing, China, November 19-21, 2021, Proceedings, Part II, volume 12919 ofLecture Notes in Computer Sc...

work page doi:10.1007/978-3-030-88052-1 2021
[58]

H. Xu, L. Xiang, J. Yu, A. Cao, and X. Wang. Speedup robust graph structure learning with low-rank information. In G. Demartini, G. Zuccon, J. S. Culpepper, Z. Huang, and H. Tong, editors,CIKM ’21: The 30th ACM International Conference on Information and Knowledge Management, Virtual Event, Queensland, Australia, November 1 - 5, 2021, pages 2241–2250. ACM...

work page doi:10.1145/3459637.3482299 2021
[59]

J. Xu, Y . Yang, J. Chen, X. Jiang, C. Wang, J. Lu, and Y . Sun. Unsupervised adversarially robust representation learning on graphs. InThirty-Sixth AAAI Conference on Artificial Intelligence, AAAI 2022, Thirty-Fourth Conference on Innovative Applications of Artificial Intelligence, IAAI 2022, The Twelveth Symposium on Educational Advances in Artificial I...

work page doi:10.1609/aaai.v36i4.20349 2022
[60]

K. Xu, H. Chen, S. Liu, P. Chen, T. Weng, M. Hong, and X. Lin. Topology attack and defense for graph neural networks: An optimization perspective. In S. Kraus, editor,Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, IJCAI 2019, Macao, China, August 10-16, 2019, pages 3961–3967. ijcai.org, 2019. doi: 10.24963/IJCA...

work page doi:10.24963/ijcai.2019/550 2019
[61]

K. Xu, W. Hu, J. Leskovec, and S. Jegelka. How powerful are graph neural networks? In 7th International Conference on Learning Representations, ICLR 2019, New Orleans, LA, USA, May 6-9, 2019. OpenReview.net, 2019. URL https://openreview.net/forum?id= ryGs6iA5Km. 14

2019
[62]

Z. Yang, W. Cohen, and R. Salakhudinov. Revisiting semi-supervised learning with graph embeddings. InInternational conference on machine learning, pages 40–48. PMLR, 2016

2016
[63]

Y . You, T. Chen, Y . Sui, T. Chen, Z. Wang, and Y . Shen. Graph contrastive learning with aug- mentations. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors,Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6-12, 2020, virtual, 2020

2020
[64]

Zhang, X

B. Zhang, X. Guo, Z. Tu, and J. Zhang. Graph alternate learning for robust graph neural networks in node classification.Neural Comput. Appl., 34(11):8723–8735, 2022. doi: 10.1007/ S00521-021-06863-1. URLhttps://doi.org/10.1007/s00521-021-06863-1

work page doi:10.1007/s00521-021-06863-1 2022
[65]

1715–1724

L. Zhang and H. Lu. A feature-importance-aware and robust aggregator for GCN. In M. d’Aquin, S. Dietze, C. Hauff, E. Curry, and P. Cudré-Mauroux, editors,CIKM ’20: The 29th ACM International Conference on Information and Knowledge Management, Virtual Event, Ireland, October 19-23, 2020, pages 1813–1822. ACM, 2020. doi: 10.1145/3340531.3411983. URL https:/...

work page doi:10.1145/3340531.3411983 2020
[66]

Zhang and M

X. Zhang and M. Zitnik. Gnnguard: Defending graph neural networks against adversarial attacks. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors,Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6-12, 2020, virtual, 2020

2020
[67]

Zhang, S

Y . Zhang, S. Khan, and M. Coates. Comparing and detecting adversarial attacks for graph deep learning. InProc. representation learning on graphs and manifolds workshop, Int. Conf. learning representations, New Orleans, LA, USA, 2019

2019
[68]

Zhang, F

Y . Zhang, F. Regol, S. Pal, S. Khan, L. Ma, and M. Coates. Detection and defense of topological adversarial attacks on graphs. In A. Banerjee and K. Fukumizu, editors,The 24th International Conference on Artificial Intelligence and Statistics, AISTATS 2021, April 13-15, 2021, Virtual Event, volume 130 ofProceedings of Machine Learning Research, pages 298...

2021
[69]

URLhttp://proceedings.mlr.press/v130/zhang21i.html
[70]

Zheng, B

C. Zheng, B. Zong, W. Cheng, D. Song, J. Ni, W. Yu, H. Chen, and W. Wang. Robust graph representation learning via neural sparsification. InProceedings of the 37th International Conference on Machine Learning, ICML 2020, 13-18 July 2020, Virtual Event, volume 119 ofProceedings of Machine Learning Research, pages 11458–11468. PMLR, 2020. URL http://proceed...

2020
[71]

Zheng, X

Q. Zheng, X. Zou, Y . Dong, Y . Cen, D. Yin, J. Xu, Y . Yang, and J. Tang. Graph robustness benchmark: Benchmarking the adversarial robustness of graph machine learning.arXiv preprint arXiv:2111.04314, 2021

work page arXiv 2021
[72]

D. Zhu, Z. Zhang, P. Cui, and W. Zhu. Robust graph convolutional networks against adversarial attacks. In A. Teredesai, V . Kumar, Y . Li, R. Rosales, E. Terzi, and G. Karypis, editors,Pro- ceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, KDD 2019, Anchorage, AK, USA, August 4-8, 2019, pages 1399–1407. ACM, 20...

work page doi:10.1145/3292500.3330851 2019
[73]

J. Zhu, J. Jin, D. Loveland, M. T. Schaub, and D. Koutra. How does heterophily impact the robustness of graph neural networks? theoretical connections and practical implications. In Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, pages 2637–2647, 2022

2022
[74]

Zhuang and M

J. Zhuang and M. A. Hasan. Defending graph convolutional networks against dynamic graph perturbations via bayesian self-supervision. InThirty-Sixth AAAI Conference on Artificial Intelligence, AAAI 2022, Thirty-Fourth Conference on Innovative Applications of Artificial Intel- ligence, IAAI 2022, The Twelveth Symposium on Educational Advances in Artificial ...

work page doi:10.1609/aaai.v36i4.20362 2022
[75]

Xu, J., Yang, Y ., Chen, J., Jiang, X., Wang, C., Lu, J., and Sun, Y

D. Zügner, A. Akbarnejad, and S. Günnemann. Adversarial attacks on neural networks for graph data. In Y . Guo and F. Farooq, editors,Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, KDD 2018, London, UK, August 19- 23, 2018, pages 2847–2856. ACM, 2018. doi: 10.1145/3219819.3220078. URL https: //doi.org/10.1...

work page doi:10.1145/3219819.3220078 2018