kth.sePublications KTH
EnglishSvenskaNorsk
34567896 of 17
CiteExportLink to record
Permanent link

Direct link
<<Back to result list
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
On the Adversarial Robustness of Graph Neural Networks
KTH, School of Electrical Engineering and Computer Science (EECS), Computing and Learning Systems.ORCID iD: 0000-0001-9969-4660
2026 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Graph Neural Networks (GNNs) have emerged as the standard paradigm for machine learning on graph-structured data, demonstrating remarkable success in diverse applications such as molecular design, anomaly detection within networks, and recommendation systems. However, despite their effectiveness in learning meaningful representations for nodes and graphs, GNNs remain vulnerable to adversarial attacks. These attacks, which are small strategically crafted perturbations to the input graph, can result in unreliable predictions. This specific vulnerability raises serious concerns regarding the deployment of GNNs in safety-critical domains like finance and healthcare, where ensuring robustness is crucial. Consequently, understanding and enhancing the adversarial robustness of GNNs has become a critical research focus, involving both the design of potent attack strategies and the development of resilient defense mechanisms.

Many existing defense methods rely on pre-processing techniques or modifications to the message-passing framework to mitigate attacks, often by discarding or re-weighting parts of the input graph. Although these defenses have shown great results, they are frequently based on heuristic reasoning and lack strong theoretical guarantees. Specifically, given the input graphs' rich topological aspect, a deeper understanding of their vulnerabilities and internal behaviors is essential, especially regarding how an attack can propagate through the network. Moreover, current defense methodologies are typically evaluated only against the state-of-the-art attacks available at the evaluation time; in the absence of theoretical guarantees, these defenses remain susceptible to more advanced or previously unseen attack strategies. This gap underscores the need for mechanisms that not only exhibit robust empirical performance but also provide certifiable robustness for long-term effectiveness. Furthermore, most current approaches entail high computational overhead, limiting their practical feasibility in real-world applications.

In this thesis, we address key challenges in GNN adversarial robustness, focusing on the aforementioned drawbacks. First, we introduce defense mechanisms that are both empirically effective and grounded in solid theoretical analysis, thereby offering provable robustness against evolving attacks. Second, we investigate how to reconcile strong defense performance with computational efficiency, which is an essential requirement in multiple domains such as applications in the mobile and online platforms. Achieving this balance is critical for broadening the deployment of robust GNNs in practical settings. Finally, we explore often overlooked factors related to the training dynamics, such as weight initialization and the number of training epochs, that can substantially influence a model’s underlying robustness, illustrating how effective parameter selection can bolster resilience with very limited costs.

The contributions of this thesis are organized around four core pillars. In the first, we propose an adaptation of Graph Convolutional Networks (GCNs) using orthogonal weight matrices, showing both theoretically and empirically that this design can significantly enhance model robustness. In the second contribution, we present a simple yet powerful technique for injecting noise into hidden representations during training, which substantially improves robustness with minimal additional computational cost, consequently offering a more lightweight alternative to many existing, high-complexity defense methods. The third work examines the neglected interplay between training dynamics (e.g., number of epochs, initialization strategies) and model vulnerability, demonstrating how careful tuning of these parameters can enhance a model's underlying robustness. Finally, we propose a novel adversarial attack approach that generates adversarial graphs from scratch via a learnable generator, rather than merely perturbing existing graphs, thereby introducing new perspectives on attack methodologies.

Through these contributions, the current thesis aims to provide theoretical insights and tools that could help advance the current understanding of adversarial attacks in the context of GNNs. These contributions and insights can advance the development of robust GNNs, paving the way for safer and more reliable graph-based machine learning systems.
Abstract [sv]

Graph Neural Networks (GNNs) har etablerat sig som ett standardparadigm för maskininlärning på grafstrukturerad data och har visat stor framgång inom tillämpningar som molekyldesign, anomalidetektion i nätverk och rekommendationssystem. Trots deras förmåga att lära sig meningsfulla representationer för noder och grafer är GNNs sårbara för adversarial attacks, det vill säga små, strategiskt utformade perturbationer i indata som kan leda till opålitliga prediktioner. Denna sårbarhet väcker allvarliga farhågor vid användning i säkerhetskritiska domäner såsom finans och sjukvård, där robusthet är avgörande. Följaktligen har förståelsen och förbättringen av GNNs adversarial robustness blivit ett centralt forskningsområde, innefattande både utveckling av effektiva attackstrategier och motståndskraftiga försvarsmekanismer.

Många befintliga defense methods bygger på preprocessing-tekniker eller modifieringar av message passing-ramverket, ofta genom att filtrera eller omvikta delar av grafen. Trots god empirisk prestanda baseras dessa metoder ofta på heuristik och saknar starka teoretiska garantier. Givet grafernas rika topologiskastruktur krävs en djupare förståelse av deras sårbarheter och interna dynamik,särskilt hur en attack kan spridas genom nätverket. Dessutom utvärderas försvar vanligtvis endast mot state-of-the-art attacks vid utvärderingstillfället, vilket gör dem sårbara för mer avancerade eller tidigare okända strategier. Detta belyser behovet av metoder som kombinerar god empirisk prestanda med certifierbar robusthet. Samtidigt innebär många nuvarande angreppssätt hög computational overhead, vilket begränsar deras praktiska användbarhet.

Denna avhandling adresserar centrala utmaningar inom adversarial robustness för GNNs. För det första introduceras defense mechanisms som är både empiriskt effektiva och teoretiskt grundade, med provable robustness mot föränderliga attacker. För det andra undersöks hur stark defense performance kan förenas med computational efficiency, vilket är avgörande för tillämpningar i exempelvis mobila och onlinebaserade system. För det tredje analyseras ofta förbisedda faktorer i training dynamics, såsom weight initialization och antal training epochs,och hur dessa påverkar modellens robusthet, där noggrant parameterurval kan ge betydande förbätringar till låg kostnad.

Avhandlingens bidrag organiseras kring fyra huvudområden. För det första föreslås en modifiering av Graph Convolutional Networks (GCNs) med orthogonal weightmatrices som teoretiskt och empiriskt förbättrar robustheten. För det andra presenteras en enkel men effektiv metod för att injicera noise i hidden representations under träning, vilket ger ökad robusthet med låg computational cost. För det tredje analyseras samspelet mellan training dynamics och sårbarhet,vilket visar hur parametrisering påverkar robustheten. Slutligen introduceras en ny adversarial attackmetod där grafer genereras från grunden via en learnable generator, snarare än att enbart perturb befintliga grafer. Sammanfattningsvis bidrar avhandlingen med teoretiska insikter och praktiskaverktyg som fördjupar förståelsen av adversarial attacks i GNNs och främjar utvecklingen av mer robusta och tillförlitliga grafbaserade maskininlärningssystem.
Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2026. , p. 54
Series
TRITA-EECS-AVL ; 2026:29
Keywords [en]
Graph Neural Networks, Adversarial Robustness
National Category
Computer and Information Sciences
Research subject
Information and Communication Technology
Identifiers
URN: urn:nbn:se:kth:diva-378915ISBN: 978-91-8106-573-2 (print)OAI: oai:DiVA.org:kth-378915DiVA, id: diva2:2049659
Public defence
2026-04-23, Kollegiesalen, Brinellvagen 8, Stockholm, 14:00 (English)
Opponent
Supervisors
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Note

QC 20260331

Available from: 2026-03-31 Created: 2026-03-30 Last updated: 2026-03-31Bibliographically approved
List of papers
1. If You Want to Be Robust, Be Wary of Initialization
Open this publication in new window or tab >>If You Want to Be Robust, Be Wary of Initialization
2024 (English)In: Advances in Neural Information Processing Systems 37 - 38th Conference on Neural Information Processing Systems, NeurIPS 2024, Neural information processing systems foundation , 2024Conference paper, Published paper (Refereed)
Abstract [en]

Graph Neural Networks (GNNs) have demonstrated remarkable performance across a spectrum of graph-related tasks, however concerns persist regarding their vulnerability to adversarial perturbations. While prevailing defense strategies focus primarily on pre-processing techniques and adaptive message-passing schemes, this study delves into an under-explored dimension: the impact of weight initialization and associated hyper-parameters, such as training epochs, on a model's robustness. We introduce a theoretical framework bridging the connection between initialization strategies and a network's resilience to adversarial perturbations. Our analysis reveals a direct relationship between initial weights, number of training epochs and the model's vulnerability, offering new insights into adversarial robustness beyond conventional defense mechanisms. While our primary focus is on GNNs, we extend our theoretical framework, providing a general upper-bound applicable to Deep Neural Networks. Extensive experiments, spanning diverse models and real-world datasets subjected to various adversarial attacks, validate our findings. We illustrate that selecting appropriate initialization not only ensures performance on clean datasets but also enhances model robustness against adversarial perturbations, with observed gaps of up to 50% compared to alternative initialization approaches.
Place, publisher, year, edition, pages
Neural information processing systems foundation, 2024
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-361997 (URN)2-s2.0-105000557354 (Scopus ID)
Conference
38th Conference on Neural Information Processing Systems, NeurIPS 2024, Vancouver, Canada, Dec 9 2024 - Dec 15 2024
Note

QC 20250409

Available from: 2025-04-03 Created: 2025-04-03 Last updated: 2026-03-30Bibliographically approved
2. Expressivity of Representation Learning on Continuous-Time Dynamic Graphs: An Information-Flow Centric Review
Open this publication in new window or tab >>Expressivity of Representation Learning on Continuous-Time Dynamic Graphs: An Information-Flow Centric Review
Show others...
2025 (English)In: Transactions on Machine Learning Research, E-ISSN 2835-8856, Vol. 2025-AprilArticle in journal (Refereed) Published
Abstract [en]

Graphs are ubiquitous in real-world applications, ranging from social networks to biological systems, and have inspired the development of Graph Neural Networks (GNNs) for learning expressive representations. While most research has centered on static graphs, many real-world scenarios involve dynamic, temporally evolving graphs, motivating the need for Continuous-Time Dynamic Graph (CTDG) models. This paper provides a comprehensive review of Graph Representation Learning (GRL) on CTDGs with a focus on Self-Supervised Representation Learning (SSRL). We introduce a novel theoretical framework that analyzes the expressivity of CTDG models through an Information-Flow (IF) lens, quantifying their ability to propagate and encode temporal and structural information. Leveraging this frame-work, we categorize existing CTDG methods based on their suitability for different graph types and application scenarios. Within the same scope, we examine the design of SSRL methods tailored to CTDGs, such as predictive and contrastive approaches, highlighting their potential to mitigate the reliance on labeled data. Empirical evaluations on synthetic and real-world datasets validate our theoretical insights, demonstrating the strengths and limitations of various methods across long-range, bi-partite and community-based graphs. This work offers both a theoretical foundation and practical guidance for selecting and developing CTDG models, advancing the understanding of GRL in dynamic settings.
Place, publisher, year, edition, pages
Transactions on Machine Learning Research, 2025
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-363405 (URN)2-s2.0-105004389835 (Scopus ID)
Note

QC 20250519

Available from: 2025-05-15 Created: 2025-05-15 Last updated: 2026-03-31Bibliographically approved
3. UnboundAttack: Generating Unbounded Adversarial Attacks to Graph Neural Networks
Open this publication in new window or tab >>UnboundAttack: Generating Unbounded Adversarial Attacks to Graph Neural Networks
Show others...
2024 (English)In: Complex Networks and Their Applications XII - Proceedings of The 12th International Conference on Complex Networks and their Applications: COMPLEX NETWORKS 2023 Volume 1, Springer Nature , 2024, Vol. 1141, p. 100-111Conference paper, Published paper (Refereed)
Abstract [en]

Graph Neural Networks (GNNs) have demonstrated state-of-the-art performance in various graph representation learning tasks. Recently, studies revealed their vulnerability to adversarial attacks. While the available attack strategies are based on applying perturbations on existing graphs within a specific budget, proposed defense mechanisms successfully guard against this type of attack. This paper proposes a new perspective founded on unrestricted adversarial examples. We propose to produce adversarial attacks by generating completely new data points instead of perturbing existing ones. We introduce a framework, so-called UnboundAttack, leveraging the advancements in graph generation to produce graphs preserving the semantics of the available training data while misleading the targeted classifier. Importantly, our method does not assume any knowledge about the underlying architecture. Finally, we validate the effectiveness of our proposed method in a realistic setting related to molecular graphs.
Place, publisher, year, edition, pages
Springer Nature, 2024
Series
Studies in Computational Intelligence, ISSN 1860-949X ; 1141
Keywords
Adversarial Attacks, Graph Neural Networks
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-344817 (URN)10.1007/978-3-031-53468-3_9 (DOI)001264435300009 ()2-s2.0-85187647290 (Scopus ID)
Conference
12th International Conference on Complex Networks and their Applications, COMPLEX NETWORKS 2023, Menton, France, Nov 28 2023 - Nov 30 2023
Note

QC 20240402

 Part of ISBN 9783031534676

Available from: 2024-03-28 Created: 2024-03-28 Last updated: 2026-03-30Bibliographically approved
4. Conformalized Adversarial Attack Detection for Graph Neural Networks
Open this publication in new window or tab >>Conformalized Adversarial Attack Detection for Graph Neural Networks
2023 (English)In: Proceedings of the 12th Symposium on Conformal and Probabilistic Prediction with Applications, COPA 2023, ML Research Press , 2023, p. 311-323Conference paper, Published paper (Refereed)
Abstract [en]

Graph Neural Networks (GNNs) have achieved remarkable performance on diverse graph representation learning tasks. However, recent studies have unveiled their susceptibility to adversarial attacks, leading to the development of various defense techniques to enhance their robustness. In this work, instead of improving the robustness, we propose a framework to detect adversarial attacks and provide an adversarial certainty score in the prediction. Our framework evaluates whether an input graph significantly deviates from the original data and provides a well-calibrated p-value based on this score through the conformal paradigm, therby controlling the false alarm rate. We demonstrate the effectiveness of our approach on various benchmark datasets. Although we focus on graph classification, the proposed framework can be readily adapted for other graph-related tasks, such as node classification.
Place, publisher, year, edition, pages
ML Research Press, 2023
Keywords
Adversarial Attacks, Conformal Prediction, Graph Neural Networks
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-340788 (URN)001221733900021 ()2-s2.0-85178660782 (Scopus ID)
Conference
12th Symposium on Conformal and Probabilistic Prediction with Applications, COPA 2023, Limassol, Cyprus, Sep 13 2023 - Sep 15 2023
Note

QC 20231215

Available from: 2023-12-15 Created: 2023-12-15 Last updated: 2026-03-30Bibliographically approved
5. A Simple and Yet Fairly Effective Defense for Graph Neural Networks
Open this publication in new window or tab >>A Simple and Yet Fairly Effective Defense for Graph Neural Networks
Show others...
2024 (English)In: AAAI Technical Track on Safe, Robust and Responsible AI Track, Association for the Advancement of Artificial Intelligence (AAAI) , 2024, Vol. 38, p. 21063-21071, article id 19Conference paper, Published paper (Refereed)
Abstract [en]

Graph Neural Networks (GNNs) have emerged as the dominant approach for machine learning on graph-structured data. However, concerns have arisen regarding the vulnerability of GNNs to small adversarial perturbations. Existing defense methods against such perturbations suffer from high time complexity and can negatively impact the model's performance on clean graphs. To address these challenges, this paper introduces NoisyGNNs, a novel defense method that incorporates noise into the underlying model's architecture. We establish a theoretical connection between noise injection and the enhancement of GNN robustness, highlighting the effectiveness of our approach. We further conduct extensive empirical evaluations on the node classification task to validate our theoretical findings, focusing on two popular GNNs: the GCN and GIN. The results demonstrate that NoisyGNN achieves superior or comparable defense performance to existing methods while minimizing added time complexity. The NoisyGNN approach is model-agnostic, allowing it to be integrated with different GNN architectures. Successful combinations of our NoisyGNN approach with existing defense techniques demonstrate even further improved adversarial defense results. Our code is publicly available at: https://github.com/Sennadir/NoisyGNN.
Place, publisher, year, edition, pages
Association for the Advancement of Artificial Intelligence (AAAI), 2024
Series
Proceedings of the AAAI Conference on Artificial Intelligence, ISSN 2159-5399 ; 38
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-345725 (URN)10.1609/aaai.v38i19.30098 (DOI)001239984900019 ()2-s2.0-85189621980 (Scopus ID)
Conference
38th AAAI Conference on Artificial Intelligence, AAAI 2024, Vancouver, Canada, Feb 20 2024 - Feb 27 2024
Note

QC 20241030

Available from: 2024-04-18 Created: 2024-04-18 Last updated: 2026-03-30Bibliographically approved
6. Bounding The Expected Robustness Of Graph Neural Networks Subject To Node Feature Attacks
Open this publication in new window or tab >>Bounding The Expected Robustness Of Graph Neural Networks Subject To Node Feature Attacks
Show others...
2024 (English)In: 12th International Conference on Learning Representations, ICLR 2024, International Conference on Learning Representations, ICLR , 2024Conference paper, Published paper (Refereed)
Abstract [en]

Graph Neural Networks (GNNs) have demonstrated state-of-the-art performance in various graph representation learning tasks. Recently, studies revealed their vulnerability to adversarial attacks. In this work, we theoretically define the concept of expected robustness in the context of attributed graphs and relate it to the classical definition of adversarial robustness in the graph representation learning literature. Our definition allows us to derive an upper bound of the expected robustness of Graph Convolutional Networks (GCNs) and Graph Isomorphism Networks subject to node feature attacks. Building on these findings, we connect the expected robustness of GNNs to the orthonormality of their weight matrices and consequently propose an attack-independent, more robust variant of the GCN, called the Graph Convolutional Orthonormal Robust Networks (GCORNs). We further introduce a probabilistic method to estimate the expected robustness, which allows us to evaluate the effectiveness of GCORN on several real-world datasets. Experimental experiments showed that GCORN outperforms available defense methods. Our code is publicly available at: https://github.com/Sennadir/GCORN.
Place, publisher, year, edition, pages
International Conference on Learning Representations, ICLR, 2024
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-351935 (URN)2-s2.0-85200561556 (Scopus ID)
Conference
12th International Conference on Learning Representations, ICLR 2024, Hybrid, Vienna, Austria, May 7 2024 - May 11 2024
Note

QC 20240823

Available from: 2024-08-19 Created: 2024-08-19 Last updated: 2026-03-30Bibliographically approved

Open Access in DiVA

Kappa(1584 kB)68 downloads
File information
File name FULLTEXT01.pdfFile size 1584 kBChecksum SHA-512
87f67cd198f1bca9c49a1be8fe55979f953a6fdab23c2240119e573be50d191bccbfa94dc14bfd4c17c54d109ea80e368d6afdd8310e52c76f1e5023fe079bda
Type fulltextMimetype application/pdf

Authority records

Ennadir, Sofiane

Search in DiVA

By author/editor
Ennadir, Sofiane
By organisation
Computing and Learning Systems
Computer and Information Sciences

Search outside of DiVA

GoogleGoogle Scholar
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 1044 hits
34567896 of 17
CiteExportLink to record
Permanent link

Direct link
<<Back to result list
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub
|
About Open Access