Despite achieving great success, graph neural networks (GNNs) are vulnerable to adversarial attacks. Existing defenses focus on developing adversarial training or model modification. In this paper, we propose and formulate graph adversarial immunization, i.e., vaccinating part of graph structure to improve certifiable robustness of graph against any admissible adversarial attack. We first propose edge-level immunization to vaccinate node pairs. Unfortunately, such edge-level immunization cannot defend against emerging node injection attacks, since it only immunizes existing node pairs. To this end, we further propose node-level immunization. To avoid computationally intensive combinatorial optimization associated with adversarial immunization, we develop AdvImmune-Edge and AdvImmune-Node algorithms to effectively obtain the immune node pairs or nodes. Extensive experiments demonstrate the superiority of AdvImmune methods. In particular, AdvImmune-Node remarkably improves the ratio of robust nodes by 79%, 294%, and 100%, after immunizing only 5% of nodes. Furthermore, AdvImmune methods show excellent defensive performance against various attacks, outperforming state-of-the-art defenses. To the best of our knowledge, this is the first attempt to improve certifiable robustness from graph data perspective without losing performance on clean graphs, providing new insights into graph adversarial learning.

翻译：尽管图神经网络（GNNs）取得了巨大成功，但其易受对抗攻击影响。现有防御方法主要集中于开发对抗训练或模型修改。本文提出并形式化了图对抗免疫，即对部分图结构进行"疫苗接种"，以提升图对任意可接受对抗攻击的可认证鲁棒性。我们首先提出边级免疫策略，对节点对进行免疫。但该策略因仅免疫现有节点对而无法抵御新兴的节点注入攻击。为此，我们进一步提出节点级免疫。为避免对抗免疫中计算密集的组合优化问题，我们开发了AdvImmune-Edge和AdvImmune-Node算法，以高效获取免疫节点对或节点。大量实验证明了AdvImmune方法的优越性：在仅免疫5%节点的情况下，AdvImmune-Node将鲁棒节点比例分别提升79%、294%和100%。此外，AdvImmune方法在抵御多种攻击时展现出卓越的防御性能，显著优于现有最优防御方案。据我们所知，这是首次从图数据视角提升可认证鲁棒性且不损失干净图性能的尝试，为图对抗学习提供了新见解。