Despite its success in the image domain, adversarial training does not (yet) stand out as an effective defense for Graph Neural Networks (GNNs) against graph structure perturbations. In the pursuit of fixing adversarial training (1) we show and overcome fundamental theoretical as well as practical limitations of the adopted graph learning setting in prior work; (2) we reveal that more flexible GNNs based on learnable graph diffusion are able to adjust to adversarial perturbations, while the learned message passing scheme is naturally interpretable; (3) we introduce the first attack for structure perturbations that, while targeting multiple nodes at once, is capable of handling global (graph-level) as well as local (node-level) constraints. Including these contributions, we demonstrate that adversarial training is a state-of-the-art defense against adversarial structure perturbations.

翻译：尽管对抗训练在图像领域取得了成功，但它（尚未）成为图神经网络（GNNs）针对图结构扰动的有效防御手段。在改进对抗训练的过程中：（1）我们揭示并克服了先前工作中所采用的图学习场景在理论及实践上的根本局限性；（2）我们发现基于可学习图扩散的更具灵活性的GNN能够适应对抗性扰动，同时其学习到的消息传递机制具有天然的可解释性；（3）我们首次提出了一种针对结构扰动的攻击方法，该方法在同时攻击多个节点的同时，能够处理全局（图级）以及局部（节点级）约束。基于这些贡献，我们证明对抗训练是一种针对对抗性结构扰动的先进防御方法。