Deep Graph Learning (DGL) has emerged as a crucial technique across various domains. However, recent studies have exposed vulnerabilities in DGL models, such as susceptibility to evasion and poisoning attacks. While empirical and provable robustness techniques have been developed to defend against graph modification attacks (GMAs), the problem of certified robustness against graph injection attacks (GIAs) remains largely unexplored. To bridge this gap, we introduce the node-aware bi-smoothing framework, which is the first certifiably robust approach for general node classification tasks against GIAs. Notably, the proposed node-aware bi-smoothing scheme is model-agnostic and is applicable to both evasion and poisoning attacks. Through rigorous theoretical analysis, we establish the certifiable conditions of our smoothing scheme. We also explore the practical implications of our node-aware bi-smoothing scheme in two contexts: as an empirical defense approach against real-world GIAs and in the context of recommendation systems. Furthermore, we extend two state-of-the-art certified robustness frameworks to address node injection attacks and compare our approach against them. Extensive evaluations demonstrate the effectiveness of our proposed certificates.