Adversarial Attack and Defense on Graph Data: A Survey

12/26/2018 ∙ by Lichao Sun, et al. ∙ University of Illinois at Urbana-Champaign, University of Illinois at Chicago

Deep neural networks (DNNs) have been widely applied in various applications involving image, text, audio, and graph data. However, recent studies have shown that DNNs are vulnerable to adversarial attack. Though there are several works studying adversarial attack and defense in domains such as image and text processing, it is difficult to directly transfer the learned knowledge to graph data due to its representation challenge. Given the importance of graph analysis, an increasing number of works have started to analyze the robustness of machine learning models on graphs. Nevertheless, current studies considering adversarial behaviors on graph data usually focus on specific types of attacks with certain assumptions. In addition, each work proposes its own mathematical formulation, which makes the comparison among different methods difficult. Therefore, in this paper, we aim to survey existing adversarial attack strategies on graph data and provide a unified problem formulation which can cover all current adversarial learning studies on graphs. We also compare different attacks on graph data and discuss their corresponding contributions and limitations. Finally, we discuss several future research directions in this area.




1 Introduction

Recent years have witnessed several successes brought by deep neural networks (DNNs) in various domains. Such highly expressive models outperform other models in fields including image recognition he2016deep, natural language processing devlin2018bert, as well as advanced applications such as healthcare analysis miotto2017deep, brain circuits analysis litjens2017a, and functionality of mutations in DNA lee2015the.

Given its outstanding performance, deep learning has been applied in some safety- and security-critical tasks such as self-driving bojarski2016end, malware detection sun2016sigpid, identification sun2017sequential and anomaly detection erfani2016high. However, the lack of interpretability and robustness of deep neural networks makes them vulnerable to adversarial attack. Szegedy et al. szegedy2014intriguing pointed out the susceptibility of deep neural networks in image classification. The performance of a well-trained deep neural network can be significantly degraded by adversarial examples, which are carefully crafted inputs with a small magnitude of perturbation added. Goodfellow et al. goodfellow2014explaining analyzed this phenomenon and proposed a gradient-based method (FGSM) to generate adversarial image samples. Different adversarial attack strategies were then proposed to demonstrate the vulnerabilities of DNNs in various settings biggio2013evasion ; carlini2017towards ; xiao2018spatially. For instance, black-box adversarial attacks were later explored based on either transferability liu2016delving ; papernot2017practical or query feedback from the DNN model bhagoji2017exploring ; brendel2017decision. Several defense and detection methods have also followed to mitigate such adversarial behaviors madry2017towards ; samangouei2018defense, while various adaptive attacks have been proposed showing that detection/defense is hard in general athalye2018obfuscated ; carlini2017adversarial.

| Study | Task | Graph Type | Attack Category | Attacker Knowledge | Attack Strategy | Perturbation Evaluation |
| --- | --- | --- | --- | --- | --- | --- |
| Dai et al. dai2018adversarial | Graph classification; Node classification | | | Gradient information; Return labels | Add/Delete edges | Equivalency indicator |
| Zugner et al. zugner2018adversarial | Node classification | | | Train/Test Data; Model parameters | Add/Delete edges; Change node features | Degree distribution; Feature co-occurrence |
| Chen et al. chen2018link | Link prediction | Dynamic | Poisoning | Gradient information | Add/Delete edges | #edge |
| Chen and Sun et al. chen2018fast ; sun2018data | Node embedding | Dynamic | Poisoning | Gradient information | Add/Delete edges | #edge |
| ICLR19-1 | Node embedding | Dynamic | Poisoning | Train/Test Data; Model parameters; Gradient information | Add/Delete edges | #edge |
| ICLR19-2 | Node classification | Dynamic | Poisoning | Train/Test Data | Add/Delete edges | Degree distribution |
| ICLR19-3 | Node classification | Dynamic | Evasion | Train/Test Data | Add fake nodes | Discriminator |

Table 1: Summary of existing work on adversarial attack on graph data

Although there is an increasing number of studies on adversarial attack and defense, such adversarial analysis mainly focuses on the image, natural language, and speech domains. Related studies on graph data are just beginning, despite the importance of graph data in many real-world applications. For example, in the credit prediction application, an adversary can easily disguise himself by adding friendship connections with others, which may cause severe consequences dai2018adversarial. Compared with previous adversarial analysis on non-graph data, the study of graph data raises several new challenges: 1) Unlike images, which consist of continuous features, the graph structure and the nodes’ features are discrete. It is difficult to design efficient algorithms that are able to generate adversarial examples in the discrete domain. 2) Adversarial perturbations are designed to be imperceptible to humans in the image domain, so one can force a certain distance function, such as norm distance, to be small between adversarial and benign instances. In graphs, by contrast, how to define “imperceptible” or “subtle perturbation” requires further analysis, measurement and study.

Given the importance of graph-related applications and the successful applicability of graph neural networks (GNNs), both academia and industry are interested in the robustness of GNNs. In recent months, some researchers have begun to focus on adversarial attacks for a set of GNN models. In this paper, we contribute the first study summarizing different attacks on graph data and providing taxonomies for them according to various criteria. We briefly summarize current adversarial attacks in Table 1. First, according to the time-changing perspective and node/edge features, we categorize graph types into static or dynamic and attributed or non-attributed graphs. We consider different learning tasks on graphs, including node classification, graph classification, link prediction and node embedding. Based on the goal of the attacker, such as whether he/she aims to fool the training or testing process, we draw the attack category as evasion attack or poisoning attack. We also characterize the attacks based on the knowledge required for performing them, e.g. training/testing data information, model parameters and gradients. In addition, the adversary can take several attack strategies in different studies. Most works perform the attack by changing structural information, e.g. adding/deleting edges, while Zugner et al. zugner2018adversarial modify the features of nodes as well. Finally, in order to demonstrate that a modification is imperceptible to humans, each paper proposes its own perturbation evaluation strategies, including modification budgets on edges, node degree distribution and discriminators.

There are a couple of works focusing on evasion attacks. Dai et al. dai2018adversarial allow adding/deleting edges as strategies. Zugner et al. zugner2018adversarial adopt a similar strategy but argue that the node degree distribution should be preserved to avoid detection. Similarly, aiming to achieve a poisoning attack, Chen et al. chen2018link ; chen2018fast apply adding/deleting edge strategies. ICLR-2 requires a similar node degree distribution after modification. Compared with other works, Dai et al. dai2018adversarial are the only group which designs a black-box attack. In this case, the attacker is asked to create adversarial modifications of new samples by doing black-box queries on some of the samples. Table 1 summarizes the main characteristics of the existing papers.

In summary, this survey makes the following contributions:

  • We perform the first thorough study to summarize currently released studies about adversarial attack on graph data, with a discussion of their contributions and limitations.

  • We give a unified problem formulation to illustrate the common learning tasks on graphs and the corresponding adversarial attacks.

  • Given the diverse definitions of current perturbation measurement metrics, we propose several principles for choosing perturbation metrics in different scenarios.

  • We point out potential research opportunities and directions for future study.

The rest of this survey is organized as follows. Section 2 provides the necessary background information on graphs and their relevant applications. Section 3 provides the unified problem formulation and discusses the existing adversarial attack studies on graph data. Section 4 summarizes the contributions and limitations of existing work and discusses potential research opportunities in the future. The last section concludes this survey.

2 Graph

In this section, we first give the notations of graph data, and then introduce the preliminaries about the graph types, the learning settings, and the application tasks on graph data.

2.1 Notations

We use to represent a set of graphs, where is the number of graphs. Each graph is generally denoted by a set of nodes and edges , where is the edge between the nodes and . Optionally, the nodes and the edges can have other features such as node features, edge weights, and edge direction. According to these features, graph data can be classified into different types.

2.2 Type of Graph Data

From a time-changing perspective, graphs can be grouped into static graphs and dynamic graphs.

Definition 2.1.

(Static Graph). A static graph, denoted as , consists of a fixed set of nodes and edges that does not change over time.

Definition 2.2.

(Dynamic Graph). A graph is a dynamic graph, denoted as , if any of its nodes, edges, node features, or edge features change over time.

A typical example of a static graph is the molecular structure of drugs duvenaud2015. Once a drug is developed, its molecular structure does not change over time. We can convert the molecular structure to a static graph. A social network perozzi2014deepwalk is a good example of a dynamic graph. As people often add or remove friendships in their social network, the graph extracted from the social network changes over time. In most existing attack works, the researchers study the attack on one dynamic graph.

In addition to adding or deleting edges, the attacker can also change the features on the graph. Based on the edge features, we can classify graphs into attributed/unattributed graphs on edge or node.

Definition 2.3.

(Attributed Graph on edge). An attributed graph on edge, denoted as , has some features associated with each edge, which are denoted by .

The weighted graph where each edge has a weight, , is a special case of an attributed graph on edges. A traffic flow graph li2018diffusion is a typical example of a weighted graph, where roads are modeled as edges and road conditions are represented by the weights of edges.

The directed graph is a special case of an attributed graph on edge, and it appears widely in different applications. In this case, we can change the direction of edges in attacks.

Definition 2.4.

(Directed Graph). A directed graph, denoted as , has direction information associated with each edge, where any directed edge .

Twitter, an online social network, is one typical example, where the directed edge represents the following information between two people. If there is a directed edge connecting from person to person , it means that person follows person . The graphs extracted from these online social networks are directed graphs.

Considering the node features, graphs can be grouped into attributed/unattributed graphs on nodes.

Definition 2.5.

(Attributed Graph on node). An attributed graph on node, denoted as , has some features associated with each node, which are denoted by .

The e-commerce network eswaran2017zoobp with different users can be regarded as an example of an attributed graph on node, where each user is modeled as a node with some features.

Other potential attack on diverse types of graph

Most existing works study the adversarial attack on dynamic and non-attributed graphs. However, many other types of graph have not been completely studied yet. For example, unlike a homogeneous information graph, many complex relations would be represented as a heterogeneous information graph, and the attacker can choose to change the type of an edge or node. Compared to adding or deleting an edge on the graph, as in most existing works, slightly modifying the node/edge features, e.g. weight modification and altering direction, can be harder for the defender to detect. In addition, the static graph has not been well studied yet, but it is frequently used in reality. In summary, the adversarial attack on graph data can modify more information in various settings, which brings more research opportunities.

2.3 Learning Settings on Graph Data

This section introduces the different machine learning settings used on graph data. Before introducing the learning settings, let’s provide the notations for mathematical formulation first. We associate the target component within a graph with a corresponding ground truth label . Here , represents the number of the total target components, and is the number of classes being predicted. The dataset is represented by the target graph component, graph containing , and the corresponding ground truth label of . For instance, in a node classification task, represents the node to be classified, and denotes its label within . Based on the features of training and testing processes, the learning settings can be classified as inductive and transductive learning.

Inductive Learning

Inductive learning is the most common traditional machine learning setting, where the model is trained on labeled examples and then predicts the labels of examples never seen during training.

Under the supervised inductive learning setting, the classifier is optimized:

where is the cross entropy by default, and can be a node, link or graph of its associated graph . Note that two or more different instances can be associated with the same graph .

Transductive Learning

Different from inductive learning, in transductive learning the testing graphs have been seen during training.

In this case, the classifier is optimized:

In short, transductive learning predicts the label of seen instances, but inductive learning predicts the label of unseen instances.

Unified Formulation of Learning on Graph Data

We give a uniform formula to represent both supervised inductive and transductive learning as below:


where is inductive learning and is transductive learning.

In the unsupervised learning setting, we can use the unlabelled dataset and replace the unsupervised loss and function of Equation 1.

In this survey, we mainly focus on the supervised learning setting. It should be noted that the supervised learning setting can be easily transferred to the unsupervised learning setting, as we do above.

2.4 Application

In this section, we will introduce the main tasks on graph data, including node-level application, graph-level application and link-level application.

Node-Level Application

The node-level application is the most popular one in both academia and industry. A classic example is labelling the nodes in webs and social network graphs, which may contain millions of nodes, such as Facebook and Twitter.

Most existing papers bojcheski2018adversarial ; dai2018adversarial ; zugner2018adversarial focus on the node-level applications. All of these papers study node classification in the transductive learning setting whose objective function can be formulated by modifying Eq.1:


where , currently is the representation of node target and its associated graph is set as a single graph .

Few existing works have discussed node-level applications in the inductive learning setting. However, these applications frequently appear in real life. For example, the first party only has information on several large and public networks, such as Facebook and Twitter. The second party has private unlabeled graph data in which the nodes can be predicted by using the information from the first party. In this case, the node-level classification task is no longer transductive learning, but inductive learning. It can be easily formulated by modifying Eq.1:


where and currently is the representation of node target.

Link-Level Application

Link prediction on dynamic graphs is one of the most common link-level applications. Link prediction tries to predict missing links in current networks, and new or dissolved links in future networks. The corresponding attacks have been discussed in chen2018link.

Compared with node classification tasks, link prediction tasks still use node features, but target the missing or unlabelled links in the graph. Therefore, we can formulate the link prediction task by slightly changing Eq.2 and 3, where is the representation of link target, and .

Graph-Level Application

Graph-level applications are frequently used in the chemistry or medical area, such as drug molecule graphs and brain graphs. In dai2018adversarial, the whole graph is used as the sample instance. Different from this setting, some other graph-level applications use the sub-graph information of a large graph for several special tasks.

Compared with the existing works on node classification and link prediction, graph classification uses the graph-structure representation as the features to classify the unlabelled graph instances. Therefore, we can formulate the graph classification task by slightly changing Eq.2 and 3, by setting as the representation of graph target.

Other potential attacks on different tasks under diverse settings

Several works study the adversarial attack on node classification under transductive learning. Chen et al. chen2018link study link prediction tasks with the same setting. Different from other works, Dai et al. dai2018adversarial study the attack on classification tasks under inductive learning. Many different settings of various graph applications have not been discussed and studied. For example, we can study node classification/link prediction tasks under inductive learning, and graph classification under transductive learning.

3 Adversarial Attacks on Graph Data

In this section, we will give a general definition of the adversarial attack on graph data, and then introduce the imperceptibility metrics, attack types, attack tasks and levels of attack knowledge.

Definition 3.1.

(General Adversarial Attack on Graph Data) Given a dataset , after slightly modifying the denoted as , the adversarial samples and should be similar under the imperceptibility metrics, but the performance of graph task becomes much worse than before.

Next, we will talk about a unified problem formulation for general adversarial attack on graph data.

3.1 A Unified Formulation

Existing papers bojcheski2018adversarial ; chen2018link ; dai2018adversarial ; sun2018data ; zugner2018adversarial considering adversarial behaviors on graph data usually focus on specific types of attacks with certain assumptions. In addition, each work proposes its own mathematical formulation, which makes the comparison among different methods difficult. In order to help readers understand the relations between different problems more easily, we provide a unified problem formulation which can cover all existing work.

Definition 3.2.

(Adversarial Attack on Graph Data: A Unified Formulation) can be any learning task function on graph data, e.g. link prediction, node-level embedding, node-level classification, graph-level embedding and graph-level classification. denote the space of perturbation on the original graph , and dataset = denote the attacked instances. The attack can be depicted as,


When equals to , Equation 4 represents the poisoning attack; while when is the original without modification, Equation 4 denotes the evasion attack. represents inductive learning and transductive learning.

Note that, while , can represent node manipulation, edge manipulation, or both. For any , is required to be similar or close to the original graph , and such similarity measurement can be defined by the general distance function below:


where represents the distance function, and is a parameter denoting the distance/cost budget for each sample.

Discussion: Graph Distance Function

Graph distance functions can be defined in many ways, many of which have been discussed in graph privacy-preserving related work koutra2011algorithms. Such distance functions include the number of common neighbours of given nodes, cosine similarity, Jaccard similarity and so on. However, few of them have been discussed in depth with regard to adversarial behaviors (adversarial cost in game theory). In general, an attacker aims to make a “minimal” perturbation on the existing graph, and therefore such a distance measurement is important for measuring the quality of attacks. How to design and choose a proper distance function to quantify the attack ability under different attack scenarios is also critical for developing defensive approaches for a specific threat model. We will discuss potential perturbation evaluation metrics in detail in Sec 


In addition to the unique properties of each graph distance function, it would also be interesting to analyze the “equivalence” among them. For instance, an attacker aiming to attack one node by adding/removing one edge in the graph can encounter similar “adversarial cost” as adding/removing edges. It is not hard to see that by using a graph distance function, only a few targets would be the optimal choices for the attacker (with different distance), so this can also help to optimize the adversarial targets. In summary, due to the complexity and diversity of graph representation and adversarial behaviors, perturbation evaluation or graph similarity measurement will depend on various factors such as different learning tasks, adversarial strategies, and adversarial cost types.

3.2 Evaluation Metric for Perturbation on Graph

To generate adversarial samples on graph data, we can modify the nodes or edges of the original graph. However, the modified graph needs to be “similar” to the original graph based on certain perturbation evaluation metrics and remain “imperceptible”. The following metrics are discussed to help understand how to define “imperceptible perturbation”.

Graph-level Perturbation

In most current papers, the attacker is capable of adding/removing (flipping) edges in the whole original graph within a given budget. In this case, the number of modified edges is usually used to evaluate the magnitude of perturbation.

Node-level Perturbation

The attacker is also capable of adding/removing nodes, or manipulating the features of target nodes. The evaluation metric in this case can be calculated based on the number of nodes modified or the distance between the benign and adversarial feature vectors.

Structure Preserving Perturbation

Similar to graph-level perturbation, an attacker can modify edges in the graph within a given budget in terms of graph structure. For instance, in zugner2018adversarial , the attacker is required to preserve the key structural features of a graph such as the degree distribution. Therefore, the perturbation here can be measured by the graph structure drift.

Attribute Preserving Perturbation

In attributed graphs, each node or edge has its own features. In addition to manipulating the graph structure, the attacker can choose to modify the features of nodes or edges to generate adversarial samples on graph data. Various measurements based on graph-attribute properties can be analyzed to characterize the perturbation magnitude. For instance, in zugner2018adversarial, the authors argue that adding a feature is imperceptible if a probabilistic random walker on the co-occurrence graph can reach it with high probability by starting from existing features.

Principles of imperceptible perturbation evaluation

Despite the various graph distances discussed, there has so far been no clear discussion in existing research about how to set the adversarial cost for attacks on graph data. Therefore, we summarize some principles for defining perturbation evaluation metrics below for future research.

  • For a static graph, both the number of modified edges and the distance between the benign and adversarial feature vectors should be small.

  • For a dynamic graph, we can set the distance or adversarial cost based on the intrinsic changing information over time. For example, by using statistical analysis, we can get the upper bound of the information manipulated in practice, and use this information to set an imperceptible bound.

  • For various learning tasks on graph data, e.g. node or graph classification, we need to use a suitable graph distance function to calculate the similarity between the benign sample and its adversarial sample. For example, we can use the number of common neighbours to evaluate the similarity of two nodes, but this is not applicable to two individual graphs.
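The metrics in this section can be computed side by side when comparing a trusted graph snapshot with a later version. The following is an added example, not code from the survey or the cited papers: it reports the number of edge flips (graph-level), the drift of the degree distribution (structure preserving) and the per-node Jaccard drift of neighbour sets (node-level). The function names, the thresholds, the sample graphs and the use of total variation distance over degree histograms as the structural drift statistic are all assumptions made for illustration.

```python
from collections import Counter


def adjacency(edges):
    """Undirected adjacency map from an edge list; self-loops are ignored."""
    adj = {}
    for u, v in edges:
        if u == v:
            continue
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def edge_flips(original, modified):
    """Graph-level metric: number of edges added plus edges deleted."""
    a = {frozenset(e) for e in original if e[0] != e[1]}
    b = {frozenset(e) for e in modified if e[0] != e[1]}
    return len(a ^ b)


def degree_tv_distance(original, modified):
    """Structure metric: total variation distance between degree histograms.

    A simple stand-in chosen for this example, not the statistical test
    used in any of the surveyed papers.
    """
    def histogram(edges):
        counts = Counter(len(nbrs) for nbrs in adjacency(edges).values())
        total = sum(counts.values())
        return {d: c / total for d, c in counts.items()} if total else {}

    p, q = histogram(original), histogram(modified)
    return 0.5 * sum(abs(p.get(d, 0.0) - q.get(d, 0.0)) for d in set(p) | set(q))


def neighbourhood_drift(original, modified):
    """Node-level metric: 1 - Jaccard similarity of each node's neighbour set.

    A node that exists in only one graph (for example an inserted node)
    gets the maximum drift of 1.0.
    """
    before, after = adjacency(original), adjacency(modified)
    drift = {}
    for node in set(before) | set(after):
        x, y = before.get(node, set()), after.get(node, set())
        drift[node] = 1.0 - len(x & y) / len(x | y)
    return drift


def audit(original, modified, max_flips, max_degree_tv, max_node_drift):
    """Evaluate one modification against all three budgets at once."""
    flips = edge_flips(original, modified)
    tv = degree_tv_distance(original, modified)
    drift = neighbourhood_drift(original, modified)
    return {
        "edge_flips": flips,
        "edge_budget_ok": flips <= max_flips,
        "degree_tv": tv,
        "degree_ok": tv <= max_degree_tv,
        "flagged_nodes": sorted(n for n, d in drift.items() if d > max_node_drift),
    }


# Constructed sample data: a six-node graph and a copy with two extra edges.
ORIGINAL = [("a", "b"), ("a", "c"), ("a", "d"), ("b", "c"), ("d", "e"), ("e", "f")]
MODIFIED = ORIGINAL + [("f", "a"), ("f", "c")]

if __name__ == "__main__":
    # Hypothetical thresholds; in practice they would come from the normal
    # rate of change observed on the graph over time.
    report = audit(ORIGINAL, MODIFIED, max_flips=3,
                   max_degree_tv=0.2, max_node_drift=0.5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the change stays inside the edge budget but exceeds the degree-distribution and per-node thresholds, which is the situation the survey describes when a sample that is imperceptible under one metric is found by another.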

Other potential perturbation evaluation metrics

Many potential perturbation evaluation metrics can be further studied. For example, by using homomorphism graph generation, we can generate new adversarial samples on graph data by preserving structure properties, which would be hard to detect in practice. Such new graph distance measurements would shed light on new types of attacks on graphs and also provide fruitful directions for further defense studies.

3.3 Attack Type

In this section, we introduce two basic adversarial attack scenarios: evasion and poisoning attacks. Evasion attack means that the parameters of the trained model are assumed to be fixed. The attacker tries to generate the adversarial samples of the trained model. Poisoning attack tries to affect the performance of the model by adding adversarial samples into the training dataset.

Poisoning Attack

Most existing works are poisoning attacks, since their node classification tasks are performed in transductive learning setting. In this case, once the attacker changes the data, the model is retrained. Mathematically, by setting in Eq.4, we have a general formula for adversarial attack on graph data under poisoning attacks.

Evasion Attack

Dai et al. dai2018adversarial designed evasion attacks under the inductive learning setting on the graph classification task. ICLR19-3 studied the evasion attack with the transductive-learning node classification task. An evasion attack only changes the testing data, which does not require retraining the model. Mathematically, by setting to original in Eq.4, we have a general formula for adversarial attack on graph data under evasion attacks.

3.4 Attacking Graph Learning Task

Corresponding to the various tasks on graph data, we show how to attack each task and explain the general idea with modified unified formulations.

Node-relevant Task

As mentioned before, most attack papers focus on node-level task, including node classification dai2018adversarial ; zugner2018adversarial and node embedding bojcheski2018adversarial . The main difference is that the node embedding uses the low dimensional representations of each node for adversarial attack. Mathematically, by setting as representation of node target in Eq.4, we have a general formula for adversarial attack on node-relevant tasks.

Link-relevant Task

Several other existing works bojcheski2018adversarial ; chen2018link ; sun2018data study node embedding and use the node embedding information for link prediction. Compared with node-level classification, link prediction requires different input data, namely the representation of the link target, i.e. the information of a pair of nodes. By setting as representation of link target and in Eq.4, we have a general formula for adversarial attack on link-relevant tasks.

Graph-relevant Task

Only one existing paper studies graph classification dai2018adversarial. Compared with node classification, graph classification needs the graph representation instead of the node representation. By setting as representation of graph target in Eq.4, we have a general formula for adversarial attack on graph-relevant tasks.

3.5 Attack Knowledge

The attacker may receive different information with which to attack the system. Based on this, we can characterize the danger levels of existing attacks.

White-box Attack

In this case, an attacker can get all information and use it to attack the system, such as the prediction result, gradient information, etc. Such an effective or efficient attack may not work if the attacker does not break the system first.

Grey-box Attack

An attacker gets limited information to attack the system. Compared to the white-box attack, it is more dangerous to the system, since the attacker only needs partial information.

Black-box Attack

Under this setting, an attacker can only do black-box queries on some of the samples. Thus, the attacker generally cannot do a poisoning attack on the trained model. However, if the black-box attack can work, it would be the most dangerous attack compared with the other two, because the attacker can attack the model with limited knowledge.

Most existing papers only study the white-box attack on graphs, and there are lots of opportunities to study other attacks with different levels of knowledge.

3.6 Attack Goal

Generally, an attacker wants to destroy the performance of the whole system, but sometimes they prefer to attack a few important target instances in the system. Based on the goal of the attack, we have:

Availability Attack

The adversarial goal of an availability attack is to reduce the total performance of the system. For example, given a modification budget, the optimal attack strategy is the one that decreases the performance of the system the most.

Integrity Attack

The adversarial goal of an integrity attack is to reduce the performance on target instances. For example, in a recommendation system, the goal is that the model cannot successfully predict the hidden relation between two target people. However, the total performance of the system is the same as or similar to that of the original system.

4 Summaries: Attack on graph

In this section, we compare eight existing relevant papers in Table 2. Then, we talk about the contributions and limitations of these works. Finally, we will discuss the potential research opportunities in this area.

Semi-supervised Un-supervised Graph Classification Node Classification Link Prediction Transferable
Dai et al.
Zugner et al.
Chen et al.
Chen and Sun et al.
ICLR 19-1
ICLR 19-2
ICLR 19-3
Table 2: Comparisons between existing papers


We summarize the unique contributions of each work in this part. Dai et al. dai2018adversarial use a reinforcement learning approach to discover the adversarial attack, which is the only approach that supports black-box attack compared to other works. Zugner et al. zugner2018adversarial study adversarial graph samples with traditional machine learning and deep learning. Meanwhile, they are the first and only group to discuss the adversarial attack on the attributed graph. Chen et al. and Sun et al. chen2018link ; sun2018data mainly attack the link prediction task with a deep graph convolutional embedding model. ICLR 19-1 tries to attack the node embedding, which is used for different tasks such as link prediction and node classification. ICLR 19-2 attacks node classification by using meta-learning, which solves the bi-level problem underlying training-time attacks. This work shows that small graph perturbations consistently lead to a strong decrease in performance for GCN. ICLR 19-3 proposes a greedy algorithm to find the edges and uses a GAN to generate a close feature space to attack the model. It is one of the most efficient ways to find good-quality adversarial samples.


The limitations of most current works are summarized below. Most existing works do not give very clear strategies for setting the budget and distance, with reasonable explanations, in real applications. Unlike other adversarial attacks, most modifications on graphs can hardly be noticed by humans in real life. To solve this problem, we give a more detailed discussion of perturbation and evaluation metrics in the paper. Meanwhile, regarding graph imperceptibility evaluation metrics, most papers bojcheski2018adversarial ; chen2018link ; dai2018adversarial use one metric for the attack, but these adversarial samples could be found by other existing imperceptibility evaluation metrics. In this work, we list all existing evaluation metrics, and recommend that future adversarial samples be imperceptible under most existing evaluation metrics. Another main issue is the different problem formulations. To solve this problem, we give the unified problem formulation for all existing works discussed in this survey.

Future Direction

Adversarial attack on graph data is a new and hot area, and many research opportunities are summarized below: 1) Most graphs in real life are attributed graphs on node and edge. Currently, very few existing works have studied adversarial attack on attributed graphs well, e.g. the heterogeneous information graph. 2) Some advanced ideas can be applied for generating the adversarial samples, e.g. the homomorphism graph. 3) Various learning settings have not been attacked yet, such as inductive learning on the node classification task. 4) No defense system has been proposed for adversarial attack on graph data. 5) The main limitation of existing attacks is that they do not consider various imperceptibility metrics in their attack model. Concise imperceptibility metrics are necessary in different tasks. A good and explainable evaluation metric may discover more of the existing adversarial samples created by current methods. 6) Last but not least, the distance of high-quality adversarial samples is not well studied in this area.

5 Conclusion

In this work, we cover most of the released papers about adversarial attack on graph data, to our knowledge. We analyze the contributions and limitations of the released works. We also provide a unified problem formulation for all existing attacks on graph data. We summarize most existing imperceptible perturbation evaluation metrics, and discuss several principles about the imperceptibility metric. Finally, we point out potential research opportunities and directions for future studies.

Currently, there is not much defense work against adversarial attacks on graph data yet, and we will keep updating when any of them is released.