A curated list of adversarial attack and defense papers on graph-structured data.
Papers are sorted by upload date in descending order.
This weekly-updated list serves as a complement to the survey below.
Adversarial Attack and Defense on Graph Data: A Survey (Updated in April 2020. 35 attack papers and 30 defense papers).
```
@article{sun2018adversarial,
  title={Adversarial Attack and Defense on Graph Data: A Survey},
  author={Sun, Lichao and Dou, Yingtong and Yang, Carl and Wang, Ji and Yu, Philip S. and Li, Bo},
  journal={arXiv preprint arXiv:1812.10528},
  year={2018}
}
```
If you feel this repo is helpful, please cite the survey above.

Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
---|---|---|---|---|---|---|---|
2020 | Graph Backdoor | Attack | Graph/Node Classification | GNNs | Arxiv | Link | |
2020 | Backdoor Attacks to Graph Neural Networks | Attack | Graph Classification | GNNs | Arxiv | Link | |
2020 | Robust Spammer Detection by Nash Reinforcement Learning | Attack | Fraud Detection | Graph-based Fraud Detector | KDD 2020 | Link | Link |
2020 | Adversarial Attacks on Graph Neural Networks: Perturbations and their Patterns | Attack | Node Classification | GNN | TKDD | | |
2020 | Adversarial Attack on Hierarchical Graph Pooling Neural Networks | Attack | Graph Classification | GNN | Arxiv | Link | |
2020 | Stealing Links from Graph Neural Networks | Attack | Inferring Link | GNN | Arxiv | Link | |
2020 | Scalable Attack on Graph Data by Injecting Vicious Nodes | Attack | Node Classification | GCN | Arxiv | Link | |
2020 | Network disruption: maximizing disagreement and polarization in social networks | Attack | Manipulating Opinion | Graph Model, Social Network | Arxiv | Link | |
2020 | Adversarial Perturbations of Opinion Dynamics in Networks | Attack | Manipulating Opinion | Graph Model | Arxiv | Link | |
2020 | Non-target-specific Node Injection Attacks on Graph Neural Networks: A Hierarchical Reinforcement Learning Approach | Attack | Node Classification | GCN | WWW 2020 | Link | |
2020 | MGA: Momentum Gradient Attack on Network | Attack | Node Classification, Community Detection | GCN, DeepWalk, node2vec | Arxiv | Link | |
2020 | Indirect Adversarial Attacks via Poisoning Neighbors for Graph Convolutional Networks | Attack | Node Classification | GCN | BigData 2019 | Link | |
2020 | Graph Universal Adversarial Attacks: A Few Bad Actors Ruin Graph Learning Models | Attack | Node Classification | GCN | Arxiv | Link | Link |
2020 | Adversarial Attacks to Scale-Free Networks: Testing the Robustness of Physical Criteria | Attack | Network Structure | Physical Criteria | Arxiv | Link | |
2020 | Adversarial Attack on Community Detection by Hiding Individuals | Attack | Community Detection | GCN | WWW 2020 | Link | Link |
2019 | How Robust Are Graph Neural Networks to Structural Noise? | Attack | Node Structural Identity Prediction | GIN | Arxiv | Link | |
2019 | Time-aware Gradient Attack on Dynamic Network Link Prediction | Attack | Link Prediction | Dynamic Network Embedding Algs | Arxiv | Link | |
2019 | All You Need is Low (Rank): Defending Against Adversarial Attacks on Graphs | Attack | Node Classification | GCN, Tensor Embedding | WSDM 2020 | Link | Link |
2019 | αCyber: Enhancing Robustness of Android Malware Detection System against Adversarial Attacks on Heterogeneous Graph based Model | Attack | Malware Detection | HIN | CIKM 2019 | Link | |
2019 | A Unified Framework for Data Poisoning Attack to Graph-based Semi-supervised Learning | Attack | Semi-supervised Learning | Label Propagation | NeurIPS 2019 | Link | |
2019 | Manipulating Node Similarity Measures in Networks | Attack | Node Similarity | Node Similarity Measures | AAMAS 2020 | Link | |
2019 | Multiscale Evolutionary Perturbation Attack on Community Detection | Attack | Community Detection | Community Metrics | Arxiv | Link | |
2019 | Attacking Graph Convolutional Networks via Rewiring | Attack | Node Classification | GCN | Openreview | Link | |
2019 | Node Injection Attacks on Graphs via Reinforcement Learning | Attack | Node Classification | GCN | Arxiv | Link | |
2019 | A Restricted Black-box Adversarial Framework Towards Attacking Graph Embedding Models | Attack | Node Classification | GCN, SGC | AAAI 2020 | Link | Link |
2019 | Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective | Attack | Node Classification | GNN | IJCAI 2019 | Link | Link |
2019 | Unsupervised Euclidean Distance Attack on Network Embedding | Attack | Node Embedding | GCN | Arxiv | Link | |
2019 | Generalizable Adversarial Attacks Using Generative Models | Attack | Node Classification | GCN | Arxiv | Link | |
2019 | Vertex Nomination, Consistent Estimation, and Adversarial Modification | Attack | Vertex Nomination | VN Scheme | Arxiv | Link | |
2019 | Data Poisoning Attack against Knowledge Graph Embedding | Attack | Fact Plausibility Prediction | TransE, TransR | IJCAI 2019 | Link | |
2019 | Adversarial Examples on Graph Data: Deep Insights into Attack and Defense | Attack | Node Classification | GCN | IJCAI 2019 | Link | Link |
2019 | Adversarial Attacks on Node Embeddings via Graph Poisoning | Attack | Node Classification, Community Detection | node2vec, DeepWalk, GCN, Spectral Embedding, Label Propagation | ICML 2019 | Link | Link |
2019 | Attacking Graph-based Classification via Manipulating the Graph Structure | Attack | Node Classification | Belief Propagation, GCN | CCS 2019 | Link | |
2019 | Adversarial Attacks on Graph Neural Networks via Meta Learning | Attack | Node Classification | GCN, CLN, DeepWalk | ICLR 2019 | Link | Link |
2018 | Poisoning Attacks to Graph-Based Recommender Systems | Attack | Recommender System | Graph-based Recommendation Algs | ACSAC 2018 | Link | |
2018 | GA Based Q-Attack on Community Detection | Attack | Community Detection | Modularity, Community Detection Alg | IEEE TCSS | Link | |
2018 | Data Poisoning Attack against Unsupervised Node Embedding Methods | Attack | Link Prediction | LINE, DeepWalk | Arxiv | Link | |
2018 | Attack Graph Convolutional Networks by Adding Fake Nodes | Attack | Node Classification | GCN | Arxiv | Link | |
2018 | Link Prediction Adversarial Attack | Attack | Link Prediction | GAE, GCN | Arxiv | Link | |
2018 | Attack Tolerance of Link Prediction Algorithms: How to Hide Your Relations in a Social Network | Attack | Link Prediction | Traditional Link Prediction Algs | Scientific Reports | Link | |
2018 | Attacking Similarity-Based Link Prediction in Social Networks | Attack | Link Prediction | Local & Global Similarity Metrics | AAMAS 2019 | Link | |
2018 | Fast Gradient Attack on Network Embedding | Attack | Node Classification | GCN | Arxiv | Link | |
2018 | Adversarial Attack on Graph Structured Data | Attack | Node/Graph Classification | GNN, GCN | ICML 2018 | Link | Link |
2018 | Adversarial Attacks on Neural Networks for Graph Data | Attack | Node Classification | GCN | KDD 2018 | Link | Link |
2018 | Hiding individuals and communities in a social network | Attack | Community Detection | Community Detection Algs | Nature Human Behaviour | Link | Link |
2017 | Practical Attacks Against Graph-based Clustering | Attack | Graph Clustering | SVD, node2vec, Community Detection Alg | CCS 2017 | Link | |
2017 | Adversarial Sets for Regularising Neural Link Predictors | Attack | Link Prediction | Knowledge Graph Embeddings | UAI 2017 | Link | Link |

Year | Title | Type | Target Task | Target Model | Venue | Paper | Code |
---|---|---|---|---|---|---|---|
2020 | DefenseVGAE: Defending against Adversarial Attacks on Graph Data via a Variational Graph Autoencoder | Defense | Node Classification | GNNs | Arxiv | Link | Link |
2020 | GNNGuard: Defending Graph Neural Networks against Adversarial Attacks | Defense | Node Classification | GNNs | Arxiv | Link | |
2020 | Robust Spammer Detection by Nash Reinforcement Learning | Defense | Fraud Detection | Graph-based Fraud Detector | KDD 2020 | Link | Link |
2020 | Certifiable Robustness of Graph Convolutional Networks under Structure Perturbations | Defense | Node Classification | GCN | KDD 2020 | | |
2020 | Efficient Robustness Certificates for Graph Neural Networks via Sparsity-Aware Randomized Smoothing | Defense | Node Classification | GNN | ICML 2020 | | |
2020 | Robust Graph Representation Learning via Neural Sparsification | Defense | Node Classification | GCN | ICML 2020 | | |
2020 | EDoG: Adversarial Edge Detection For Graph Neural Networks | Defense | Edge Detection | GCN | S&P 2020 | Link | |
2020 | Graph Structure Learning for Robust Graph Neural Networks | Defense | Node Classification | GCN | KDD 2020 | Link | Link |
2020 | A Robust Hierarchical Graph Convolutional Network Model for Collaborative Filtering | Defense | Recommender System | GCN | Arxiv | Link | |
2020 | On The Stability of Polynomial Spectral Graph Filters | Defense | Graph Property | Spectral Graph Filter | ICASSP 2020 | Link | Link |
2020 | On the Robustness of Cascade Diffusion under Node Attacks | Defense | Influence Maximization | IC Model | WWW 2020 Workshop | Link | Link |
2020 | Friend or Faux: Graph-Based Early Detection of Fake Accounts on Social Networks | Defense | Fraud Detection | Graph-based Fraud Detectors | WWW 2020 | Link | |
2020 | Tensor Graph Convolutional Networks for Multi-relational and Robust Learning | Defense | Node Classification | GCN | Arxiv | Link | |
2020 | Adversarial Perturbations of Opinion Dynamics in Networks | Defense | Manipulating Opinion | Graph Model | Arxiv | Link | |
2020 | Topological Effects on Attacks Against Vertex Classification | Defense | Node Classification | GCN | Arxiv | Link | |
2020 | Towards an Efficient and General Framework of Robust Training for Graph Neural Networks | Defense | Node Classification | GCN | ICASSP 2020 | Link | |
2020 | Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing | Defense | Community Detection | Community Detection Algs | WWW 2020 | Link | |
2019 | How Robust Are Graph Neural Networks to Structural Noise? | Defense | Node Structural Identity Prediction | GIN | Arxiv | Link | |
2019 | GraphDefense: Towards Robust Graph Convolutional Networks | Defense | Node Classification | GCN | Arxiv | Link | |
2019 | All You Need is Low (Rank): Defending Against Adversarial Attacks on Graphs | Defense | Node Classification | GCN, Tensor Embedding | WSDM 2020 | Link | Link |
2019 | αCyber: Enhancing Robustness of Android Malware Detection System against Adversarial Attacks on Heterogeneous Graph based Model | Defense | Malware Detection | HIN | CIKM 2019 | Link | |
2019 | Edge Dithering for Robust Adaptive Graph Convolutional Networks | Defense | Node Classification | GCN | Arxiv | Link | |
2019 | GraphSAC: Detecting anomalies in large-scale graphs | Defense | Anomaly Detection | Anomaly Detection Algs | Arxiv | Link | |
2019 | Certifiable Robustness to Graph Perturbations | Defense | Node Classification | GNN | NeurIPS 2019 | Link | Link |
2019 | Power up! Robust Graph Convolutional Network based on Graph Powering | Defense | Node Classification | GCN | Openreview | Link | Link |
2019 | Adversarial Robustness of Similarity-Based Link Prediction | Defense | Link Prediction | Local Similarity Metrics | ICDM 2019 | Link | |
2019 | Adversarial Training Methods for Network Embedding | Defense | Node Classification | DeepWalk | WWW 2019 | Link | Link |
2019 | Transferring Robustness for Graph Neural Network Against Poisoning Attacks | Defense | Node Classification | GNN | WSDM 2020 | Link | Link |
2019 | Improving Robustness to Attacks Against Vertex Classification | Defense | Node Classification | GCN | KDD Workshop 2019 | Link | |
2019 | Latent Adversarial Training of Graph Convolution Networks | Defense | Node Classification | GCN | LRGSD@ICML | Link | |
2019 | Certifiable Robustness and Robust Training for Graph Convolutional Networks | Defense | Node Classification | GCN | KDD 2019 | Link | Link |
2019 | Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective | Defense | Node Classification | GNN | IJCAI 2019 | Link | Link |
2019 | Adversarial Examples on Graph Data: Deep Insights into Attack and Defense | Defense | Node Classification | GCN | IJCAI 2019 | Link | Link |
2019 | Adversarial Defense Framework for Graph Neural Network | Defense | Node Classification | GCN, GraphSAGE | Arxiv | Link | |
2019 | Investigating Robustness and Interpretability of Link Prediction via Adversarial Modifications | Defense | Link Prediction | Knowledge Graph Embedding | NAACL 2019 | Link | |
2019 | Robust Graph Convolutional Networks Against Adversarial Attacks | Defense | Node Classification | GCN | KDD 2019 | Link | Link |
2019 | Can Adversarial Network Attack be Defended? | Defense | Node Classification | GNN | Arxiv | Link | |
2019 | Virtual Adversarial Training on Graph Convolutional Networks in Node Classification | Defense | Node Classification | GCN | PRCV 2019 | Link | |
2019 | Batch Virtual Adversarial Training for Graph Convolutional Networks | Defense | Node Classification | GCN | LRGSD@ICML | Link | |
2019 | Comparing and Detecting Adversarial Attacks for Graph Deep Learning | Defense | Node Classification | GCN, GAT, Nettack | RLGM@ICLR 2019 | Link | |
2019 | Graph Adversarial Training: Dynamically Regularizing Based on Graph Structure | Defense | Node Classification | GCN | TKDE | Link | Link |
2018 | Characterizing Malicious Edges targeting on Graph Neural Networks | Defense | Detected Added Edges | GNN, GCN | OpenReview | Link | |
2017 | Adversarial Sets for Regularising Neural Link Predictors | Attack | Link Prediction | Knowledge Graph Embeddings | UAI 2017 | Link | Link |