Graph Defense Diffusion Model

Xin He, Wenqi Fan, Yili Wang, Chengyi Liu, Rui Miao, Xin Juan, Xin Wang

TL;DR

The paper addresses the vulnerability of graph neural networks to adversarial attacks by introducing the Graph Defense Diffusion Model (GDDM), a diffusion-based purification framework augmented with a Graph Structure-Driven Refiner and a Node Feature-Constrained Regularizer, plus Tailored Attack-Specific Denoising Strategies for targeted defenses. GDDM trains on clean graphs with a simplified diffusion process and performs attack-aware denoising during inference, achieving high fidelity to the attacked graph while removing adversarial perturbations. Empirical results on three real datasets show that GDDM substantially improves robustness against both targeted and non-targeted attacks, outperforming state-of-the-art purification and defense methods and generalizing across downstream GNN backbones. The work advances robust graph learning by enabling localized, fidelity-preserving purification through diffusion-based denoising and carefully designed structural and feature-guided components.

Abstract

Graph Neural Networks (GNNs) demonstrate significant potential in various applications but remain highly vulnerable to adversarial attacks, which can greatly degrade their performance. Existing graph purification methods attempt to address this issue by filtering attacked graphs; however, they struggle to effectively defend against multiple types of adversarial attacks simultaneously due to their limited flexibility, and they lack comprehensive modeling of graph data due to their heavy reliance on heuristic prior knowledge. To overcome these challenges, we propose a more versatile approach for defending against adversarial attacks on graphs. In this work, we introduce the Graph Defense Diffusion Model (GDDM), a flexible purification method that leverages the denoising and modeling capabilities of diffusion models. The iterative nature of diffusion models aligns well with the stepwise process of adversarial attacks, making them particularly suitable for defense. By iteratively adding and removing noise, GDDM effectively purifies attacked graphs, restoring their original structure and features. Our GDDM consists of two key components: (1) Graph Structure-Driven Refiner, which preserves the basic fidelity of the graph during the denoising process and ensures that the generated graph remains consistent with the original scope; and (2) Node Feature-Constrained Regularizer, which removes residual impurities from the denoised graph, further enhancing the purification effect. Additionally, we design tailored denoising strategies to handle different types of adversarial attacks, improving the model's adaptability to various attack scenarios. Extensive experiments conducted on three real-world datasets demonstrate that GDDM outperforms state-of-the-art methods in defending against a wide range of adversarial attacks, showcasing its robustness and effectiveness.

Paper Structure

This paper contains 40 sections, 25 equations, 6 figures, 7 tables, 2 algorithms.

Figures (6)

  • Figure 1: The connection between graph adversarial attack, defense and diffusion model.
  • Figure 2: The Framework of GDDM.
  • Figure 3: Edges distribution of Attacked Graph based on degree (Cora and Citeseer). A point may represent multiple edges, and attacked edges (red points) will always cover clean edges (yellow points).
  • Figure 4: Node classification performance (Accuracy±Std) under non-targeted attack (GraD).
  • Figure 5: Graph size ratio parameter analysis.
  • ...and 1 more figures