1 Introduction
Recent years have witnessed several success brought by deep neural networks (DNNs) in various domains. Such high expressive models outperform other models in fields, including image recognition he2016deep
devlin2018bert , as well as the advanced applications such as healthcare analysis miotto2017deep , brain circuits analysis litjens2017a , and functionality of mutations in DNA lee2015the .Given the outstanding performance, deep learning has been applied in some safety and security critical tasks such as self driving
bojarski2016end , malware detection sun2016sigpid , identification sun2017sequential erfani2016high . However, the lack of interpretability and robustness of deep neural networks makes them vulnerable to adversarial attack. Szegedy et al. szegedy2014intriguing pointed out the susceptibility of deep neural networks in image classification. The performance of a welltrained deep neural network can be significantly degraded by adversarial examples, which are carefully crafted inputs with small magnitude of perturbation added. Goodfellow et al. goodfellow2014explaining analyzed this phenomenon and proposed a gradientbased method (FGSM) to generate adversarial image samples. Different adversarial attack strategies are then proposed to demonstrate the vulnerabilities of DNNs in various settings biggio2013evasion ; carlini2017towards ; xiao2018spatially . For instance, blackbox adversarial attack are later explored based on either transferability liu2016delving ; papernot2017practical or query feedback from the DNN model bhagoji2017exploring ; brendel2017decision . Several defense and detection methods have also followed up to mitigate such adversarial behaviors madry2017towards ; samangouei2018defense , while various adaptive attacks are proposed showing that detection/defense is hard in general athalye2018obfuscated ; carlini2017adversarial .Study  Task  Graph Type  Attack Category  Attacker Knowledge  Attack Strategy  Perturbation Evaluation  

Dai et al. dai2018adversarial 


Evasion 

Add/Delete edges  Equivalency indicator  
Zugner et al. zugner2018adversarial  Node classification 


Train/Test Data; Model parameters 



Chen et al. chen2018link  Link prediction  Dynamic  Poisoning  Gradient information  Add/Delete edges  #edge  
Chen and Sun et al.chen2018fast ; sun2018data  Node embedding  Dynamic  Poisoning  Gradient information  Add/Delete edges  #edge  
ICLR191  Node embedding  Dynamic  Poisoning 

Add/Delete edges  #edge  
ICLR192  Node classification  Dynamic  Poisoning  Train/Test Data  Add/Delete edges  Degree distribution  
ICLR193  Node classification  Dynamic  Evasion  Train/Test Data  Add fake nodes  Discriminator 
Although there are increasing number of studies on adversarial attack and defense, such adversarial analysis mainly focuses on image, natural language, and speech domains. Related studies on graph data are just at the beginning despite the importance of graph data in many realworld applications. For example, in the credit prediction application, an adversary can easily disguise himself by adding friendship connection with others, which may cause severe consequences dai2018adversarial . Compared with previous adversarial analysis in nongraph data, the study on graph data raises several new challenges: 1) Unlike images consisting of continuous features, the graph structure and the nodes’ features are discrete. It is difficult to design efficient algorithms that are able to generate adversarial examples in the discrete domain. 2) Adversarial perturbations are designed to be imperceptible to human in image domain, so one can force certain distance function, such as norm distance to be small between adversarial and benign instances. While in graph, how to define “imperceptible" or “subtle perturbation" requires further analysis, measurement and study.
Given the importance of graphrelated applications and the successful applicability of graph neural networks (GNNs), both academia and industry are interested in the robustness of GNNs. In recent several months, some researchers begin to focus on adversarial attack for a set of GNN models. In this paper, we contribute the first study on summarizing different attacks on graph data and providing taxonomies for them according to various criteria. We briefly summarize current adversarial attacks in Table 1. Basically, first according to timechanging perspective and node/edge features, we categorize graph types into static or dynamic/attributed or nonattributed graph. We consider different learning tasks on graph, including node classification, graph classification, link prediction and node embedding. Based on the goal of the attacker, such as whether he/her aims to fool the training or testing process, we draw the attack category as evasion attack or poisoning attack. We also characterize the attacks based on the knowledge required for performing attacks, e.g. training/testing data information, model parameter and gradient. In addition, adversary can take several attack strategies in different studies. Most works perform the attack by changing structural information, e.g. adding/deleting edge, while Zugner et al.zugner2018adversarial modify the features of nodes as well. Finally, in order to demonstrate imperceptible modification for human, each paper proposes its perturbation evaluation strategies, including modification budgets on edge, node degree distribution and discriminators.
There are couple of works focusing on evasion attacks. Dai et al. dai2018adversarial allow strategies as adding/deleting edge. Zugner et al. zugner2018adversarial adopt the similar strategy but argue that node degree distribution should be preserved to avoid detection. Similarly aiming to achieve poisoning attack, Chen et al. chen2018link ; chen2018fast apply adding/deleting edge strategies. ICLR2 requires the similar node degree distribution after modification. Compared with other works, Dai et al. dai2018adversarial are the only group which designs the blackbox attack. In this case, the attacker is asked to create adversarial modifications of new samples by doing blackbox queries on some of the samples. Table 1 summarizes the main characteristics of the existing papers.
In summary, this survey makes the following contributions:

We perform the first throughout study to summarize currently released studies about adversarial attack on graph data with the discussion about their contributions and limitations.

We give an unified problem formulation to illustrate the common leaning tasks on graph and the corresponding adversarial attack.

Given diverse definitions of current perturbation measurement metrics, we make several principles for choosing perturbation metrics in different scenarios.

We point out the potential research opportunities and directions in the future study.
The rest of this survey is organized as follows. Section 2 provides the necessary background information of graph and its relevant applications. Section 3 provides the unified problem formulation and discusses the existing adversarial attack studies on graph data. Section 4 summaries the contributions and limitations of excising work and discusses the potential research opportunities in the future. The last section concludes this survey.
2 Graph
In this section, we first give the notations of graph data, and then introduce the preliminaries about the graph types, the learning settings, and the application tasks on graph data.
2.1 Notations
We use to represent a set of graphs, where is the number of graphs. Each graph is generally denoted by a set of nodes and edges , where is the edge between the nodes and
. Optionally, the nodes and the edges can have other features such as node features, edge weights, and edge direction. According to these features, graph data can be classified into different types.
2.2 Type of Graph Data
From a timechanging perspective, graphs can be grouped into static graphs and dynamic graphs.
Definition 2.1.
(Static Graph). A static graph, denoted as , consists of a fixed set of nodes and edges that does not change over time.
Definition 2.2.
(Dynamic Graph). A graph is a dynamic graph, denoted as , if any of its nodes, edges, node features, or edges features changes over time.
A typical example of static graph is the molecular structure of drugs duvenaud2015 . Once a drug is developed, its molecular structure does not change overtime. We can convert the molecular structure to a static graph. Social network perozzi2014deepwalk is a good example of dynamic graphs. As people often add or remove friendship to their social network, the graph extracted from the social network changes over time. In most existing attack works, the researchers study the attack on one dynamic graph.
In addition adding or deleting edge, the attacker also can change the features on the graph. Based on the edge features, we can classify graphs into attributed/unattributed graphs on edge or node.
Definition 2.3.
(Attributed Graph on edge). An attributed graph on edge, denoted as , having some features associated with each edge, which is denoted by .
The weighted graph where each edge has a weight, , is a special case of attributed graph on edges. A traffic flow graph li2018diffusion is a typical example of weighted graph where roads are modeled as edges and road conditions are represented by weights of edges.
The directed graph is a special case of attributed graph on edge, which exists in different applications widely. In this case, we can change the direction of edges in attacks.
Definition 2.4.
(Directed Graph). An directed graph, denoted as , having a directed information associated with each edge, where any directed edge .
Twitter, an online social network, is one typical example, where the directed edge represents the following information between two people. If there is a directed edge connecting from person to person , it means that person follows person . The graphs extracted from these online social networks are directed graphs.
Considering the node features, graphs can be grouped into attributed/unattributed graphs on nodes.
Definition 2.5.
(Attributed Graph on node). A attributed graph on node, denoted as , having some features associated with each node, which is denoted by .
The ecommerce network eswaran2017zoobp with different users can be regarded as an example of attributed graph on node where each user are modeled as nodes with some features.
Other potential attack on diverse types of graph
Most existing works study the adversarial attack on dynamic and nonattributed graph. However, many other types of graph are not completed studied yet. For example, unlike homogeneous information graph, many complex relations would be represented as a heterogeneous information graph, and the attacker can choose to change the type of edge or node. Comparing to add or delete an edge on graph in most existing works, slightly modifying the node/edge features can be harder to detect by the defender, e.g. weight modification and altering direction. In addition, static graph has been not well studied yet, but it is frequently used in reality. In summary, the adversarial attack on graph data can modify more information in various settings, which brings more research opportunities.
2.3 Learning Settings on Graph Data
This section introduces the different machine learning settings used on graph data. Before introducing the learning settings, let’s provide the notations for mathematical formulation first. We associate the target component within a graph with a corresponding ground truth label . Here , represents the number of the total target components, and is the number of classes being predicted. The dataset is represented by the target graph component, graph containing , and the corresponding ground truth label of . For instance, in a node classification task, represents the node to be classified, and denotes its label within . Based on the features of training and testing processes, the learning settings can be classified as inductive and transductive learning.
Inductive Learning
is the most common traditional machine learning setting where the model is trained by labeled examples, and then predicts the labels of examples never seen during training.
Under the supervised inductive learning setting, the classifier is optimized:
where is the cross entropy by default, and can be node, link or graph of its associated graph . Note that, two or more different instances, can be associated the same graph .
Transductive Learning
Different from inductive learning, the testing graphs have been seen during training in the transductive learning.
In this case, the classifier is optimized:
In short, transductive learning predicts the label of seen instances, but inductive learning predicts the label of unseen instances.
Unified Formulation of Learning on Graph Data
We give an uniform formula to represent both supervised inductive and transductive learning as below:
(1) 
where is inductive learning and is transductive learning.
In the unsupervised learning setting, we can use the unlabelled dataset
and replace the unsupervised loss and function of the Equation 1.In this survey, we mainly focus on the supervised learning setting. It should be noted that the supervised learning can be easily transferred to unsupervised learning setting as what we do above.
2.4 Application
In this section, we will introduce the main tasks on graph data, including nodelevel application, graphlevel application and linklevel application.
NodeLevel Application
The nodelevel application is the most popular one in both academia and industry. A classic example is labelling the nodes in webs and social network graphs, which may contain millions of nodes, such as Facebook and Twitter.
Most existing papers bojcheski2018adversarial ; dai2018adversarial ; zugner2018adversarial focus on the nodelevel applications. All of these papers study node classification in the transductive learning setting whose objective function can be formulated by modifying Eq.1:
(2) 
where , currently is the representation of node target and its associated graph is set as a single graph .
Few existing works have discussed the nodelevel applications in the inductive leaning setting. However, these applications frequently appear in the real life. For example, the first party only has several large and public network information, such as Facebook and Twitter. The second party has private unlabeled graph data in which the nodes can be predicted by using the information from the first party. In this case, the nodelevel classification task is no longer transductive learning, but inductive learning. It can be easily formulated by modifying Eq.1:
(3) 
where and currently is the representation of node target.
LinkLevel Application
Link prediction on dynamic graphs is one of the most common linklevel applications. The link prediction tries to predict missing links in current networks, and new or dissolution links in future networks. The corresponding attacks have been discussed in chen2018link .
GraphLevel Application
Graphlevel applications are frequently used in the chemistry or medical area, such as drug molecule graphs and brain graphs. In dai2018adversarial , the whole graph is used as the sample instance. Different from this setting, some other graphlevel applications use the subgraphs information of a large graph for several special tasks.
Compared with the existing works on node classification and link predication, graph classification use the graphstructure representation as the features to classify the unlabelled graph instances. Therefore, we can formulate the graph classification task by slightly changing the Eq.2 and 3, by setting as the representation of graph target.
Other potential attacks on different tasks under diverse settings
Several works study the adversarial attack on node classification under transductive learning. Chen et al. chen2018link study link predication tasks with same setting. Different from other works, Dai et al. dai2018adversarial study the attack on classification tasks under the inductive learning. Many different settings of various graph applications have not been discussed and studied. For example, we can study the node classification/link prediction tasks under inductive learning, and graph classification under transductive learning.
3 Adversarial Attacks on Graph Data
In this section, we will give a general definition of the adversarial attack on graph data, and then introduce the imperceptibility metrics, attack types, attack tasks and levels of attack knowledge.
Definition 3.1.
(General Adversarial Attack on Graph Data) Given a dataset , after slightly modifying the denoted as , the adversarial samples and should be similar under the imperceptibility metrics, but the performance of graph task becomes much worse than before.
Next, we will talk about an unified problem formulation for general adversarial attack on graph data.
3.1 An Unified Formulation
Existing papers bojcheski2018adversarial ; chen2018link ; dai2018adversarial ; sun2018data ; zugner2018adversarial current studies considering adversarial behaviors on graph data usually focus on specific types of attacks with certain assumptions. In addition, each work proposes its own mathematical formulation which makes the comparison among different methods difficult. In order to help candidate understand the relations between different problems earlier, we propose provide an unified problem formulation which can cover all current existing work.
Definition 3.2.
(Adversarial Attack on Graph Data: A Unified Formulation) can be any learning task function on graph data, e.g. link prediction, nodelevel embedding, nodelevel classification, graphlevel embedding and graphlevel classification. denote the space of perturbation on the original graph , and dataset = denote the attacked instances. The attack can be depicted as,
(4)  
s.t. 
When equals to , Equation 4 represents the poisoning attack; while when is the original without modification, Equation 4 denotes the evasion attack. represents inductive learning and transductive learning.
Note that, while , can represent node manipulation, edge manipulation, or both. For any , is required to be similar or close to the original graph , and such similarity measurement can be defined by the general distance function below:
(5)  
s.t. 
where represents the distance function, and is a parameter denoting the distance/cost budget for each sample.
Discussion: Graph Distance Function
Graph distance functions can be defined in many ways, a lot of which have been discussed on graph privacypreserving related work koutra2011algorithms
. Such distance functions include the number of common neighbours of given nodes, cosine similarity, Jaccard similarity and so on. However, few of them are discussed in depth regarding to adversarial behaviors (adversarial cost in game theory). In general, an attacker aims to make “minimal" perturbation on the existing graph and therefore such distance measurement is important to measure the quality of attacks. How to design and choose proper distance function to quantify the attack ability under different attack scenarios is also critical towards developing defensive approaches regarding to specific threat model. We will discuss potential perturbation evaluation metrics in details in Sec
3.2.In addition to unique properties of each graph distance function, it would also be interesting to analyze the “equivalence" among them. For instance, an attacker aiming to attack one node by adding/removing one edge in the graph can encounter similar “adversarial cost" as adding/removing edges. It is not hard to see that by using a graph distance function, only few targets would be the optimal choices for the attacker (with different distance), so this can also help to optimize the adversarial targets. In summary, due to the complexity and diversity of graph representation and adversarial behaviors, perturbation evaluation or graph similarity measurement will depend on various factors such as different learning tasks, adversarial strategies, and adversarial cost types.
3.2 Evaluation Metric for Perturbation on Graph
To generate adversarial samples on graph data, we can modified the nodes or edges from the original graph. However, the modified graph need to be “similar” with the original graph based on certain perturbation evaluation metrics and remain “imperceptible". The following metrics are discussed to help understand how to define “imperceptible perturbation".
Graphlevel Perturbation
In most current papers, the attacker is capable of adding/removing (flipping) edges in the whole original graph within a given budget. In this case, the number of modified edges is usually used to evaluate the magnitude of perturbation.
Nodelevel Perturbation
The attacker is also capable of adding/removing nodes, or manipulating the features of target nodes. The evaluation metric in this case can be calculated based on the number of nodes modified or the distance between the benign and adversarial feature vectors.
Structure Preserving Perturbation
Similar to graphlevel perturbation, an attacker can modify edges in the graph within a given budget in terms of graph structure. For instance, in zugner2018adversarial , the attacker is required to preserve the key structural features of a graph such as the degree distribution. Therefore, the perturbation here can be measured by the graph structure drift.
Attribute Preserving Perturbation
In the attributed graphs, each node or edge has its own features. In addition to manipulating the graph structure, the attacker can choose to modify the features of nodes or edges to generate adversarial samples on graph data. Various measurements based on graphattribute properties can be analyzed to characterize the perturbation magnitude. For instance, in zugner2018adversarial
, the authors argue adding a feature is imperceptible if a probabilistic random walker on the cooccurrence graph can reach it with high probability by starting from existing features.
Principles of imperceptible perturbation evaluation
Given various graph distance discussion, there is no clear discussion in existing research about how to set the adversarial cost for attacks on graph data so far. Therefore, we summarize some principles of defining the perturbation evaluation metrics as below for future research.

For static graph, both the number of modified edges and the distance between the benign and adversarial feature vectors should be small.

For dynamic graph, we can set the distance or adversarial cost based on the intrinsic changing information over time. For example, by using statistic analysis, we can get the upper bound of the information manipulated in practice, and use this information to set an imperceptible bound.

For various learning tasks on graph data, e.g. node or graph classification, we need to use an suitable graph distance function to calculate the similarity between the benign and its adversarial sample. For example, we can use the number of common neighbours to evaluate the similarity of two nodes, but not applicable for two individual graphs.
Other potential perturbation evaluation metrics
Many potential perturbation evaluation metrics can be further studied. For example, by using homomorphism graph generation, we can generate new adversarial samples on graph data by preserving structure properties, which would be hard to be detected in practice. Such new graph distance measurements would shed light on new types of attacks on graph and also provide fruitful directions for further defense studies.
3.3 Attack Type
In this section, we introduce two basic adversarial attack scenarios: evasion and poisoning attacks. Evasion attack means that the parameters of the trained model are assumed to be fixed. The attacker tries to generate the adversarial samples of the trained model. Poisoning attack tries to affect the performance of the model by adding adversarial samples into the training dataset.
Poisoning Attack
Most existing works are poisoning attacks, since their node classification tasks are performed in transductive learning setting. In this case, once the attacker changes the data, the model is retrained. Mathematically, by setting in Eq.4, we have a general formula for adversarial attack on graph data under poisoning attacks.
Evasion Attack
Dai at el. dai2018adversarial designed evasion attacks under inductive learning setting on graph classification task. ICLR193 studied the evasion attack with transductivelearning node classification task. Evasion attack only changes the testing data, which is not required to retrain the model. Mathematically, by setting to original in the Eq.4, we have a general formula for adversarial attack on graph data under evasion attacks.
3.4 Attacking Graph Learning Task
Corresponding to various tasks on graph data, we show how to attack each task and explain the general idea with modified uniformed formulations.
Noderelevant Task
As mentioned before, most attack papers focus on nodelevel task, including node classification dai2018adversarial ; zugner2018adversarial and node embedding bojcheski2018adversarial . The main difference is that the node embedding uses the low dimensional representations of each node for adversarial attack. Mathematically, by setting as representation of node target in Eq.4, we have a general formula for adversarial attack on noderelevant tasks.
Linkrelevant Task
Other several existing works bojcheski2018adversarial ; chen2018link ; sun2018data study the node embedding and used the node embedding information for link prediction. Compared with nodelevel classification, the link predication requires to use the different input data, that representation of link target, i.e. the information of a pair of nodes. By setting as representation of link target and in Eq.4, we have a general formula for adversarial attack on linkrelevant tasks.
Graphrelevant Task
Only one existing paper studies graph classification dai2018adversarial . Compared with node classification, graph classification need the graph representation instead of the node representation. By setting as representation of graph target in Eq.4, we have a general formula for adversarial attack on graphrelevant tasks.
3.5 Attack Knowledge
The attacker would receive different information to attack the system. Based on this, we can characterize the dangerous levels of existing attacks.
Whilebox Attack
In this case, an attacker can get every information and use them to attack the system, such as the prediction result, gradient information, etc.. The effective or efficient attack may not work if the attacker does not break the system first.
Greybox Attack
An attacker gets limited information to attack the system. Comparing to whilebox attack, it is more dangerous to the system, since the attacker only need partial information.
Blackbox Attack
Under this setting,an attacker can only do blackbox queries on some of the samples. Thus, the attacker generally can not do poisoning attack on the trained model. However, if blackbox attack can work, it would be the most dangerous attack comparing the other two, because the attacker can attack the model with limited acknowledge.
Most existing papers only studies the whitebox attack on graph, and there are lots of opportunities to study other attacks with different level of knowledge.
3.6 Attack Goal
Generally, an attacker wants to destroy the performance of the whole system, but sometimes they prefer to attack few important target instances in the system. Based on the goal of attack, we have:
Availability Attack
The adversarial goal of availability attack is to reduce the total performance of the system. For example, by given a modification budget, we want the performance of the system decreasing the most as the optimal attack strategy.
Integrity Attack
The adversarial goal of integrity attack is to reduce the performance of target instances. For example, in the recommendation system, we want the model can not successfully predict the hidden relation between two target people. However, the total performance of the system are same or similar to the original system.
4 Summaries: Attack on graph
In this section, we compare eight existing relevant papers in Table 2. Then, we talk about the contributions and limitations of these works. Finally, we will discuss the potential research opportunities in this area.
Semisupervised  Unsupervised  Graph Classification  Node Classification  Link Prediction  Transferable  
Dai et al.  ✓  ✓  ✓  ✓  
Zugner et al.  ✓  ✓  ✓  
Chen et al.  ✓  ✓  ✓  
Chen and Sun et al.  ✓  ✓  ✓  ✓  
ICLR 191  ✓  ✓  ✓  ✓  
ICLR 192  ✓  ✓  ✓  
ICLR 193  ✓  ✓ 
Contributions
We summarize the unique contributions of each works in this part. Dai et al. dai2018adversarial
use the reinforcement learning approach to discover the adversarial attack, which is the only approach that support blackbox attack comparing to other works. Zugner et al.
zugner2018adversarial study adversarial graph samples with traditional machine learning and deep learning. Meanwhile, they are the first and only group to discuss the adversarial attack on the attribute graph. Chen et al. and Sun et al. chen2018link ; sun2018data mainly attack the link predication task with deep graph convolutional embedding model. ICLR 191 tries to attack the node embedding which is used for different tasks, such as link predication and node classification. ICLR 192 attacks the node classification by using metalearning which solve the bilevel problem underlying trainingtime attacks. This work shows that by using small graph perturbations consistently lead to a strong decrease in performance for GCN. ICLR 193 proposes a greedy algorithm to find the edges and use GAN to generate the close feature space to attack the model. It is one of most efficient way to find the good quality adversarial samples.Limitations
The limitations of most current works are summarized below. Most existing works didn’t give very clear strategies about the setting of the budget and distance with reasonable explanations in real applications. Different with other adversarial attacks, most modifications on graph are hardly tell by the human in real life. To solve this problem, we give a more detailed discussion on perturbation and evaluation metrics in the paper. Meanwhile, about graph imperceptible evaluation metrics, most papers bojcheski2018adversarial ; chen2018link ; dai2018adversarial use one metric for attack, but these adversarial samples could be found by other existing imperceptible evaluation metrics. In this work, we list all existing evaluation metrics, and recommend future adversarial samples imperceptible with most existing evaluation metrics. Another main issue is that different problem formulations. To solve this problem, we give the unified problem formulation for all existing works discussed in this survey.
Future Direction
Adversarial attack on graph data is a new and hot area, and many research opportunities are summarized below: 1) Most graphs are attributed graph on node and edge in the real life. Currently, very few existing works well studied adversarial attack on attributed graph, e.g. heterogeneous information graph. 2) Some advanced ideas can be applied for generating the adversarial samples, e.g. homomorphism graph. 3) Various learning settings are not attacked yet, such as inductive learning on node classification task. 4) There is none defense system proposed for adversarial attack on graph data. 5) The main limitation of existing attacks are not consider various imperceptibility metrics into their attack model. Concise imperceptibility metrics are necessary in different tasks. Good and explainable evaluation metric may can discover the more existing adversarial samples created by current methods. 6) Last but not the least, the distance of high quality adversarial samples are not well studied in this area.
5 Conclusion
In this work, we cover the most released papers about adversarial attack on graph data as we know. We analyze the contributions and limitations of the released works. We also provide an unified problem formulation for all existing attacks on graph data. We summary most existing imperceptible perturbations evaluation metrics, and discuss several principles about imperceptibility metric. Finally, we point out the potential research opportunities and directions in future studies.
Currently, there is not much defense work against adversarial attacks on graph data yet, and we will keep updating when any of them is released.
References
 [1] Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420, 2018.
 [2] Arjun Nitin Bhagoji, Warren He, Bo Li, and Dawn Song. Exploring the space of blackbox attacks on deep neural networks. arXiv:1712.09491v1, 2017.
 [3] Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nelson, Nedim Šrndić, Pavel Laskov, Giorgio Giacinto, and Fabio Roli. Evasion attacks against machine learning at test time. In Joint European conference on machine learning and knowledge discovery in databases, pages 387–402. Springer, 2013.
 [4] Mariusz Bojarski, Davide Del Testa, Daniel Dworakowski, Bernhard Firner, Beat Flepp, Prasoon Goyal, Lawrence D Jackel, Mathew Monfort, Urs Muller, Jiakai Zhang, et al. End to end learning for selfdriving cars. arXiv preprint arXiv:1604.07316, 2016.
 [5] Aleksandar Bojcheski and Stephan Günnemann. Adversarial attacks on node embeddings. arXiv preprint arXiv:1809.01093, 2018.
 [6] Wieland Brendel, Jonas Rauber, and Matthias Bethge. Decisionbased adversarial attacks: Reliable attacks against blackbox machine learning models. arXiv preprint arXiv:1712.04248, 2017.

[7]
Nicholas Carlini and David Wagner.
Adversarial examples are not easily detected: Bypassing ten detection
methods.
In
Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security
, pages 3–14. ACM, 2017.  [8] Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57. IEEE, 2017.
 [9] Jinyin Chen, Ziqiang Shi, Yangyang Wu, Xuanheng Xu, and Haibin Zheng. Link prediction adversarial attack. arXiv preprint arXiv:1810.01110, 2018.
 [10] Jinyin Chen, Yangyang Wu, Xuanheng Xu, Yixian Chen, Haibin Zheng, and Qi Xuan. Fast gradient attack on network embedding. arXiv preprint arXiv:1809.02797, 2018.
 [11] Hanjun Dai, Hui Li, Tian Tian, Xin Huang, Lin Wang, Jun Zhu, and Le Song. Adversarial attack on graph structured data. arXiv preprint arXiv:1806.02371, 2018.
 [12] Jacob Devlin, MingWei Chang, Kenton Lee, and Kristina Toutanova. Bert: Pretraining of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805, 2018.
 [13] David Duvenaud, Dougal Maclaurin, Jorge AguileraIparraguirre, Rafael GómezBombarelli, Timothy Hirzel, Alán AspuruGuzik, and Ryan P. Adams. Convolutional networks on graphs for learning molecular fingerprints. In Proceedings of the 28th International Conference on Neural Information Processing Systems, NIPS’15, pages 2224–2232, 2015.
 [14] Sarah M. Erfani, Sutharshan Rajasegarar, Shanika Karunasekera, and Christopher Leckie. Highdimensional and largescale anomaly detection using a linear oneclass svm with deep learning. Pattern Recognition, 58:121 – 134, 2016.
 [15] Dhivya Eswaran, Stephan Günnemann, Christos Faloutsos, Disha Makhija, and Mohit Kumar. Zoobp: Belief propagation for heterogeneous networks. Proceedings of the VLDB Endowment, 10(5):625–636, 2017.
 [16] Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv:1412.6572v3, 2015.

[17]
Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun.
Deep residual learning for image recognition.
In
Proceedings of the IEEE conference on computer vision and pattern recognition
, pages 770–778, 2016.  [18] Danai Koutra, Ankur Parikh, Aaditya Ramdas, and Jing Xiang. Algorithms for graph similarity and subgraph matching. In Proc. Ecol. Inference Conf., 2011.
 [19] Yaguang Li, Rose Yu, Cyrus Shahabi, and Yan Liu. Diffusion convolutional recurrent neural network: Datadriven traffic forecasting. arXiv preprint arXiv:1707.01926v3, 2018.
 [20] Geert Litjens, Thijs Kooi, Babak Ehteshami Bejnordi, Arnaud Arindra Adiyoso Setio, Francesco Ciompi, Mohsen Ghafoorian, Jeroen A.W.M. van der Laak, Bram van Ginneken, and Clara I. Sanchez. A survey on deep learning in medical image analysis. Medical Image Analysis, 42:60 – 88, 2017.
 [21] Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. Delving into transferable adversarial examples and blackbox attacks. arXiv preprint arXiv:1611.02770, 2016.
 [22] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
 [23] Riccardo Miotto, Fei Wang, Shuang Wang, Xiaoqian Jiang, and Joel T Dudley. Deep learning for healthcare: review, opportunities and challenges. Briefings in bioinformatics, 2017.
 [24] Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z Berkay Celik, and Ananthram Swami. Practical blackbox attacks against machine learning. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pages 506–519. ACM, 2017.
 [25] Bryan Perozzi, Rami AlRfou, and Steven Skiena. Deepwalk: Online learning of social representations. arXiv preprint arXiv:1403.6652v2, 2014.
 [26] Pouya Samangouei, Maya Kabkab, and Rama Chellappa. Defensegan: Protecting classifiers against adversarial attacks using generative models. arXiv preprint arXiv:1805.06605, 2018.
 [27] Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisaan, and Yu Pan. Sigpid: significant permission identification for android malware detection. In Malicious and Unwanted Software (MALWARE), 2016 11th International Conference on, pages 1–8. IEEE, 2016.
 [28] Lichao Sun, Yuqi Wang, Bokai Cao, S Yu Philip, Witawas SrisaAn, and Alex D Leow. Sequential keystroke behavioral biometrics for mobile user identification via multiview deep learning. In Joint European Conference on Machine Learning and Knowledge Discovery in Databases, pages 228–240. Springer, 2017.
 [29] Mingjie Sun, Jian Tang, Huichen Li, Bo Li, Chaowei Xiao, Yao Chen, and Dawn Song. Data poisoning attack against unsupervised node embedding methods. arXiv preprint arXiv:1810.12881, 2018.
 [30] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. arXiv:1312.6199v4, 2014.
 [31] Chaowei Xiao, JunYan Zhu, Bo Li, Warren He, Mingyan Liu, and Dawn Song. Spatially transformed adversarial examples. arXiv preprint arXiv:1801.02612, 2018.
 [32] Hui Y. Xiong, Babak Alipanahi, Leo J. Lee, Hannes Bretschneider, Daniele Merico, Ryan K. C. Yuen, Yimin Hua, Serge Gueroussov, Hamed S. Najafabadi, Timothy R. Hughes, Quaid Morris, Yoseph Barash, Adrian R. Krainer, Nebojsa Jojic, Stephen W. Scherer, Benjamin J. Blencowe, and Brendan J. Frey. The human splicing code reveals new insights into the genetic determinants of disease. Science, 347(6218), 2015.
 [33] Daniel Zügner, Amir Akbarnejad, and Stephan Günnemann. Adversarial attacks on classification models for graphs. arXiv preprint arXiv:1805.07984, 2018.
Comments
There are no comments yet.