Are Defenses for Graph Neural Networks Robust?

Felix Mujkanovic, Simon Geisler, Stephan Günnemann, Aleksandar Bojchevski

Publikation: Beitrag in Buch/Bericht/KonferenzbandKonferenzbeitragBegutachtung

32 Zitate (Scopus)


A cursory reading of the literature suggests that we have made a lot of progress in designing effective adversarial defenses for Graph Neural Networks (GNNs). Yet, the standard methodology has a serious flaw - virtually all of the defenses are evaluated against non-adaptive attacks leading to overly optimistic robustness estimates. We perform a thorough robustness analysis of 7 of the most popular defenses spanning the entire spectrum of strategies, i.e., aimed at improving the graph, the architecture, or the training. The results are sobering - most defenses show no or only marginal improvement compared to an undefended baseline. We advocate using custom adaptive attacks as a gold standard and we outline the lessons we learned from successfully designing such attacks. Moreover, our diverse collection of perturbed graphs forms a (black-box) unit test offering a first glance at a model's robustness.

TitelAdvances in Neural Information Processing Systems 35 - 36th Conference on Neural Information Processing Systems, NeurIPS 2022
Redakteure/-innenS. Koyejo, S. Mohamed, A. Agarwal, D. Belgrave, K. Cho, A. Oh
Herausgeber (Verlag)Neural information processing systems foundation
ISBN (elektronisch)9781713871088
PublikationsstatusVeröffentlicht - 2022
Veranstaltung36th Conference on Neural Information Processing Systems, NeurIPS 2022 - New Orleans, USA/Vereinigte Staaten
Dauer: 28 Nov. 20229 Dez. 2022


NameAdvances in Neural Information Processing Systems
ISSN (Print)1049-5258


Konferenz36th Conference on Neural Information Processing Systems, NeurIPS 2022
Land/GebietUSA/Vereinigte Staaten
OrtNew Orleans


Untersuchen Sie die Forschungsthemen von „Are Defenses for Graph Neural Networks Robust?“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren