Graph neural networks (GNNs) have achieved remarkable success in various tasks; however, their vulnerability to adversarial attacks raises concerns for real-world applications. Existing defense methods can resist some attacks but suffer unbearable performance degradation under other, unknown attacks. This is because they rely either on limited observed adversarial examples for optimization (adversarial training) or on specific heuristics that alter graph or model structures (graph purification or robust aggregation). In this paper, we propose an Invariant causal DEfense method against adversarial Attacks (IDEA), providing a new perspective to address this issue. The method aims to learn causal features that possess strong predictability for labels and invariant predictability across attacks, to achieve graph adversarial robustness. Through modeling and analyzing the causal relationships in graph adversarial attacks, we design two invariance objectives to learn the causal features. Extensive experiments demonstrate that IDEA significantly outperforms all the baselines under both poisoning and evasion attacks on five benchmark datasets, highlighting the strong and invariant predictability of IDEA. The implementation of IDEA is available at https://anonymous.4open.science/r/IDEA_repo-666B.