Recent Advances in Reliable Deep Graph Learning: Inherent Noise, Distribution Shift, and Adversarial Attack

Recent Advances in Reliable Deep Graph Learning:
 Inherent Noise, Distribution Shift, and Adversarial Attack
 Jintang Li1 , Bingzhe Wu2∗ , Chengbin Hou2 , Guoji Fu2 ,
 Yatao Bian2 , Liang Chen1 , Junzhou Huang3 , Zibin Zheng1
 1
 Sun Yat-sen University
 2
 Tencent AI Lab
 3
 University of Texas at Arlington
 {bingzhewu,chengbinhou,guojifu,yataobian}@tencent.com,
 lijt55@mail2.sysu.edu.cn, {chenliang6,zhzibin}@mail.sysu.edu.cn
arXiv:2202.07114v1 [cs.LG] 15 Feb 2022

 jzhuang@uta.edu

 Abstract carefully-designed patterns or perturbations on the original
 data Typical examples include adversarial samples [Zügner
 Deep graph learning (DGL) has achieved remark- et al., 2018] and backdoor triggers [Xi et al., 2021].
 able progress in both business and scientific areas Figure 1 visualizes how different threats occur throughout
 ranging from finance and e-commerce to drug and a typical pipeline of deep graph learning. As a comparison,
 advanced material discovery. Despite the progress, inherent noise or distribution shift typically happens in the
 applying DGL to real-world applications faces a se- data generation process due to sampling bias or environment
 ries of reliability threats including inherent noise, noise without deliberate human design while adversarial at-
 distribution shift, and adversarial attacks. This sur- tacks are intentionally designed by malicious attackers after
 vey aims to provide a comprehensive review of re- the data generation phase (see more differences in Section 5).
 cent advances for improving the reliability of DGL Table 1 further provides formal descriptions of each threat,
 algorithms against the above threats. In contrast and summarizes some typical related work.
 to prior related surveys which mainly focus on ad- Numerous work emerges to improve the reliability of DGL
 versarial attacks and defense, our survey covers algorithms against the above threats from different perspec-
 more reliability-related aspects of DGL, i.e., inher- tives such as optimization policy design and uncertainty
 ent noise and distribution shift. Additionally, we quantification. In this survey, we explore recent advance-
 discuss the relationships among above aspects and ments in this research direction. Specifically, this survey is
 highlight some important issues to be explored in organized as follows: we first review recent work from three
 future research. aspects, namely inherent noise, distribution shift, and adver-
 sarial attack. For each aspect, we first summarize existing
 1 Introduction threats (e.g., various adversarial attacks). We then introduce
 typical reliability-enhancing techniques for DGL and discuss
 Recent few years have seen deep graph learning (DGL) their limitations. Lastly, we discuss the relationships among
 based on graph neural networks (GNNs) making remark- the above three aspects and describe some important open re-
 able progress in a variety of important areas, ranging from search problems yet to be addressed.
 business scenarios such as finance (e.g., fraud detection and
 Relation to existing surveys. There are several surveys re-
 credit modeling) [Dou et al., 2020; Yang et al., 2020] and e-
 lated to our paper. [Sun et al., 2018] and [Chen et al., 2020a]
 commerce (e.g., recommendation system) [Wu et al., 2021a],
 both comprehensively review adversarial attacks on graphs.
 to scientific domains such as drug discovery and advanced [Jin et al., 2020a] provide an empirical study specifically
 material discovery [Guo et al., 2021; Wu et al., 2017]. De-
 on the adversarial robustness of DGL methods. [Xu et al.,
 spite the progress, applying various DGL algorithms to real-
 2021a] summarize robust learning models against adversar-
 world applications faces a series of reliability threats. At
 ial attacks on graphs. [Zhu et al., 2021] focus on the robust
 a high level, we categorize these threats into three aspects,
 representations of graph structure learning, and also briefly
 namely, inherent noise, distribution shift, and adversarial at-
 present an overview of the recent progress. These works
 tack. Specifically, inherent noise refers to irreducible noises
 mainly focus on the vulnerability of DGL methods against
 in graph structures, node attributes, and node/graph labels.
 adversarial attacks. Despite the adversarial attack, a recent
 Distribution shift refers to the shift between training and test-
 work [Zhang and Pei, 2021] performs extensive studies on the
 ing distribution which includes both domain generalization
 reliability of previous GNN models to structure noise. Com-
 and sub-population shift. Adversarial attack is a manipula-
 paratively to the aforementioned surveys, we present a sys-
 tive human action that aims to cause model misbehavior with
 tematic and comprehensive review of the current advances,
 ∗
 Corresponding author and trends in reliable graph learning in relation to the inher-

(a)Inherent Noise 
 ❕ Label noise
 (c) Adversarial
 Data train Data Attack Deep Graph
 ̂ ̂
 Annotation Sampling max ≈ ̂ )
 ̂ ℒ( , Learning
 Class blue Class red
 ❕
 Misclassified

 train , ≠ test ( , ) Adversarial Sample Model Prediction

 Data Generation (b) Distribution Shift

Figure 1: An illustrative example on deep graph learning against (a) inherent noise, (b) distribution shift, and (c) adversarial attack. From
left to right: the inherent noise (i.e., label noise) is inevitably introduced during data annotation, where a red “circle” node is mislabeled with
the “cross” class (marked with red color). Then, the sampling bias leads to the discrepancy between training (color-filled nodes) and testing
datasets (color-unfilled nodes), thus introducing any possible kind of distribution shift. After the data generation process, adversarial attacks
are performed on the graph to mislead the model prediction (e.g., misclassification on a node).

Table 1: Summary of recent advances in reliable deep graph learning. Oracle graph data G = (A, X) with its adjacency matrix A and node
features X; Y the labels of graphs/nodes; a , x , y denote structure, attribute, and label noises respectively; Dtrain is the training dataset; L
denotes the loss function and Ĝ is the perturbed graph.

 Threats Description Selected References
 [Zheng et al., 2020],[Luo et al., 2021],[NT et al., 2019],
 Inherent Noise Dtrain = (A + a , X + x , Y + y ) [Patrini et al., 2017],[Li et al., 2021b],[Dai et al., 2021]
 [Rong et al., 2019], [Verma et al., 2021]
 [Bevilacqua et al., 2021], [Wu et al., 2022], [Hong et al., 2019],
 [Wu et al., 2021b], [Kose and Shen, 2022], [Kong et al., 2020],
 Distribution shift Ptrain (G, Y ) 6= Ptest (G, Y ) [Wu et al., 2020], [Han et al., 2021], [Wang et al., 2021b]
 [Wu et al., 2019], [Entezari et al., 2020], [Jin et al., 2020b],
 Adversarial Attack maxĜ≈G L(Ĝ, Y ) [Liu et al., 2021b], [Geisler et al., 2021], [Chen et al., 2021],
 [Xu et al., 2019], [Feng et al., 2021], [Tang et al., 2020]

ent noise, distribution shift, and adversarial attack. be always relevant to a specific downstream task [Zheng et
 al., 2020]. Since most existing DGL algorithms rely on the
2 Reliability against Inherent Noise input structure to propagate information, the structure noise
 presents negative effects on the propagating process and con-
The inherent noise refers to the noise that inherently exists sequently the final model performance.
in graph data. It is unavoidable that real-world graph data
would include some inherent noises, which might stem from Attribute noise. There are two kinds of inherent attribute
error-prone data measurement or collection, information loss noise. On the one hand, the raw attributes of nodes may be
during data preprocessing, sub-optimal graph structure w.r.t. incomplete or incorrect [Wang et al., 2019]. For example,
downstream tasks, and so on. This section first discusses how users may intentionally provide fake profiles due to privacy
inherent noises can affect DGL algorithms, and then sum- concerns in social networks. On the other hand, another sub-
marizes the recent typical techniques that can explicitly or tle source is information loss when transforming raw node
implicitly alleviate the effects caused by inherent noises oc- attributes into node embeddings, e.g., using the word embed-
curring in the pipeline of DGL. ding technique to encode textual data of nodes. During the
 training phase of message-passing based GNNs, the attribute
2.1 Inherent Noise noise in each node can be passed to its neighbors, which
Inherent noises in graph data may exist in graph structure, would gradually affect the final node/graph embeddings.
node attributes, and node/graph labels, which draws out three Label noise. The erroneous annotations in node or graph
types of inherent noises, i.e., structure noise, attribute noise, labels lead to the inherent label noise. Similarly to image
and label noise. They are detailed as follows. classification, unavoidable erroneous annotations can occur
Structure noise. The inherent structure noise may inevitably in node classification. But comparing to images, it might be
be introduced due to error-prone data measurement or collec- harder to annotate labels for nodes due to node dependency in
tion [Chen et al., 2020b; Wang et al., 2019], e.g., protein- graphs, which results in more noises or label sparsity issues
protein interaction networks [Fionda, 2019]. And it could [Li et al., 2021b; NT et al., 2019]. In graph classification, an-
also come from sub-optimal graph construction with task- notating labels for graphs becomes more expensive because
irrelevant edges [Chen et al., 2020b; Luo et al., 2021], as of requiring more domain expertise. For instance, to anno-
the underlying motivation of establishing edges might not tate a drug-related property of a molecular graph, it needs to

conduct experiments for measurement or extract the property [Verma et al., 2021]. On the other hand, there are some stud-
from literature, which are both likely to introduce graph label ies trying to explicitly impose regularization to the hypothesis
noise [Ji et al., 2022]. It is worth noting that, the previous space, i.e., building GNN models with some predefined con-
study has shown that deep learning models tend to overfit la- strains or inductive bias, which share the similar idea with
bel noise, which is also likely to happen in DGL models [Li approaches demonstrated in Section 4.2. Moreover, from the
et al., 2021b; Dai et al., 2021]. Bayesian perspective, prior ensemble approach for DGL can
 also be seen as an implicit regularization, which indepen-
2.2 Enhancing Techniques dently trains multiple graph learning models with different
 input data transformations, then aggregates outputs from mul-
A number of methods have been presented for enhancing the tiple models as the final output [Papp et al., 2021].
robustness of DGL algorithms against above inherent noises.
Although some of these methods are not originally designed
for mitigating inherent noises, their behind ideas are useful 3 Reliability against Distribution Shift
for building robustness enhancing techniques, and are thus Distribution shift in machine learning occurs when the train-
also covered in this survey. In this subsection, we review ing data and test data are generated by the different under-
these methods from data and regularization perspectives. lying distributions, which exists in a lot of real-world ap-
Data denoising. From the data perspective, data denoising is plications. Distribution shift on classic data format (e.g.
a straightforward way for reducing the noise effects in DGL vision or texts) have been comprehensively investigated in
algorithms. For structure noise, one natural idea is to assign some recent surveys (e.g., [Wang et al., 2021a; Zhou et al.,
learnable weights for each node when perform node informa- 2021]).However, there are inadequate discussions on graph
tion aggregation in GNNs, so that the weight can hopefully data. Here we provide a review of distribution shift literature
reflect the tasks-desired graph structures. One of well-known with a focus on graph-structured data. This section first pro-
techniques is incorporating self-attention modules into the vides a categorization for typical distribution shift on graph
original GNNs [Chen et al., 2020b]. As a more explicit way data then introduce recent work for improving the reliability
to denoise graph data, [Zheng et al., 2020] and [Luo et al., of DGL methods against distribution shift.
2021] propose to prune task-irrelevant edges using a multi-
layer neural network to draw a subgraph from a learned dis- 3.1 Distribution shift on graphs
tribution. The reparameterization trick [Jang et al., 2017] is Motivated by prior work focusing on distribution shift in
applied to make this process differentiable, which can thus general machine learning, we categorize distribution shift on
be jointly trained with its subsequent GNNs for a specific graph-structured data into two types, domain generalization
task. Regarding label noise, [NT et al., 2019] first observe and sub-population shift. Domain generalization refers to the
label noise can lead to significant performance drops in the training and testing distributions consist of distinct domains.
DGL setting. Motivated by prior methods for non-graph ma- Some typical examples include covariate shift and open-set
chine learning, this work directly applies the backward loss recognition. While sub-population shift refers to training and
label correction [Patrini et al., 2017] to train GNNs without testing distributions consist of the same group of domains but
considering graph structure. More recently, some work in- differ in the frequencies of each domain.
corporates the structure information into the design. [Li et Domain generalization on graphs. One typical example
al., 2021b] conduct sample reweighting and label correction of domain generalization on graph-related tasks is covariate
by using random walks over graph structure for label aggre- shift, which assumes that the conditioned label distribution
gation to estimate node-level class probability distributions. is the same for both training and test domains but differs in
[Dai et al., 2021] propose to generate accurate pseudo labels, the data marginal distribution [Bevilacqua et al., 2021]. For
and assign high-quality edges between unlabeled nodes and examples, in drug discovery, the scaffolds of drug molecules
(pseudo) labelled nodes to reduce label noise. Despite the ex- often differ at inference and in social networks and financial
istence of attribute noise, to our best knowledge, there is cur- networks, the graph structures may significantly change with
rently no methods specially designed for denoising attribute time [Wu et al., 2022].
noise, which can be a promising future direction. Sub-population shift on graphs. Sub-population shift
DGL with regularization. From the regularization perspec- on graphs raises when the frequencies of data/label sub-
tive, previous studies attempt to reduce overfitting to inher- populations change [Kose and Shen, 2022], which widely ex-
ent noises by decreasing the complexity of the hypothesis ists in many graph learning tasks, such as algorithmic fairness
space implicitly or explicitly. On the one hand, various reg- and label shift. Specifically, fairness issues of DGL could
ularization techniques specially for GNNs are presented for be caused by societal bias contained in graph data [Kose
reducing overfitting of DGL algorithms. The core idea be- and Shen, 2022]. Label shift refers to the cases where the
hind these techniques is to randomly drop edges [Rong et al., marginal label distribution changes for two domains but the
2019], nodes [Hamilton et al., 2017], or hidden representa- conditional distributions of the input given label stay the
tions of GNNs [Chen et al., 2018]. [Hasanzadeh et al., 2020] same across domains [Wu et al., 2021b]. In addition, class-
take a further step to unify these approaches into a Bayesian imbalance problem on graphs is a specific form of label
graph learning framework. Besides, an advanced data aug- shift [Wu et al., 2021b]. For instance, the label distribution is
mentation strategy namely Mixup is recently applied to DGL uniform for the testing distribution but is not for the training
and is proved to be effective for several graph-related tasks distribution.

3.2 Enhancing techniques cally under-confident, thus the confidence cannot precisely
 reflect the predictive uncertainty [Wang et al., 2021b]. There
Recently, there have been some methods proposed to tackle
 are two ways to solve this problem. First, recent work intro-
the challenges raised by distribution shift on graphs, which
 duces probabilistic blocks into original GNNs for modeling
could mainly be classified into three categories: invariant
 the posterior weight distribution, which can provide more ac-
graph representation learning, graph robust training, and un-
 curate uncertainty estimation than deterministic GNN archi-
certainty quantification.
 tectures. For example, [Han et al., 2021] propose to replace
Invariant graph representation learning. Invariant graph the Softmax decision layer with a Gaussian process block,
representation learning aims to learn invariant graph repre- which provides accurate uncertainty estimations. Unlike this
sentations across different domains. The idea of invariant work, Bayesian GNNs [Hasanzadeh et al., 2020] aggressively
representation learning proposed recently has been adapted transforms whole GNN layers into Bayesian counterparts.
in some DGL models. [Bevilacqua et al., 2021] use a Concretely, it treats both model weights and sampling process
causal model to learn approximately invariant graph repre- as probabilistic distributions and adopts variational inference
sentations that well extrapolate between the training and test- to estimate the parameters of these distributions. Second, a
ing domains. [Wu et al., 2022] inherit the spirit of invari- more direct way is to perform confidence calibration in a post-
ant risk minimization [Arjovsky et al., 2019] to develop an hoc fashion without modifying the GNN architectures. One
explore-to-extrapolate risk minimization framework that fa- typical calibration method is temperature scaling. However,
cilitates GNNs to leverage invariant graph features for node- it is originally designed for DNNs and is proved to have poor
level prediction. [Hong et al., 2019] design an adversarial performance in the DGL setting. [Wang et al., 2021b] modify
domain classifier to learn the domain-invariant representa- temperature scaling for GNNs by using an additional GNNs
tion for network alignment, which is optimized by simulta- to predict a unique temperature for each node. Since the tem-
neously minimizing its loss and maximizing a posterior prob- peratures are produced by considering both node features and
ability distribution of the observed anchors. [Cai et al., 2021] graph topology, this method achieves better calibration per-
present a disentanglement-based unsupervised domain adap- formance compared to the original method.
tation method which applies variational graph auto-encoders
to recover three types of defined latent variables (semantic,
domain, and random latent variables). 4 Reliability against Adversarial Attack
Graph robust training. Graph robust training proposes to Adversarial attacks aim to cause a model to make mistakes
enhance the model robustness against distribution shift ei- with carefully-crafted unnoticeable perturbations (adversar-
ther by data augmentation or modifying the training frame- ial samples) or predefined patterns (backdoor triggers). Al-
work. On the one hand, some methods generalize advanced though promising results have been achieved, recent stud-
data augmentation techniques for general data format (e.g., ies have shown that GNNs are vulnerable to adversarial at-
mixup) to graph-structured data. [Wu et al., 2021b] present tacks, posing significant security risks to several application
a mixup-based framework for improving class-imbalanced domains [Sun et al., 2018]. Therefore, the adversarial reli-
node classification on graphs, which performs feature mixup ability of GNNs is highly desired for many real-world sys-
on a constructed semantic relation space and edge mixup. tems, especially in security-critical fields. In this section, we
[Kose and Shen, 2022] propose a fairness-aware data aug- provide an overview of adversarial attacks to GNNs and sub-
mentation framework on node features and graph structure sequently review recent works that mitigate such threats.
to reduce the intrinsic bias of the obtained node representa-
tion by GNNs. On the other hand, some methods propose 4.1 Threats overview
to integrate adversarial training techniques in DGL models. Literature has categorized adversarial attacks into several typ-
[Kong et al., 2020] present a method that iteratively augments ical dimensions [Sun et al., 2018; Chen et al., 2020a]. Specif-
node features with adversarial perturbations during training ically, adversarial attacks can be performed in the training
and helps the model generalize to out-of-distribution (OOD) phase (poisoning attack) and the inference phase (evasion at-
samples by making it invariant to small fluctuations in input tack), to mislead the prediction of the model on specific im-
data. [Wu et al., 2020] utilize the attention mechanism to portant instances such as nodes (targeted attack), or degrade
integrate global and local consistency and the gradient rever- the overall performance of the model (non-targeted attack).
sal layer [Ganin and Lempitsky, 2015] to learn cross-domain As shown in Table 1, the goal of adversarial attacks is to
node embeddings. maximize the loss of DGL models with imperceptible pertur-
Uncertainty quantification. Apart from the above two direc- bations on the original graph. Based on the way employed by
tions that aim to improve model robustness, uncertainty quan- attackers to perturb the graph data or learning model, this sur-
tification can be seen as a complementary way to enhance the vey reviews prior work from three dimensions: manipulation
reliability of DGL algorithms, since the estimated uncertainty attacks, injection attacks and backdoor attacks. Specifically,
can be used for rejecting unreliable decisions with high model manipulation and injection attacks can be performed in the
predictive uncertainties. Here we introduce some recent work inference phase while the backdoor attacks always happen in
of uncertainty quantification for DGL algorithms. A natural the training phase.
uncertainty measure can be the prediction confidence, i.e., the Manipulation attacks. In manipulation attacks, attackers
maximum value of the Softmax output. However, recent work generate adversarial samples by modifying either the graph
observes that GNNs with Softmax prediction layer are typi- structure or node attributes. For instance, attackers can add,

remove or rewire an edge in the graph to generate legitimate Graph processing. From data perspective, a natural idea
perturbations. As a pioneering work, [Zügner et al., 2018] is to process the training/testing graph to remove adversarial
craft adversarial samples by manipulating both edges and at- noises thus mitigating its negative effects. Currently, enhanc-
tributes of the graph with a greedy search algorithm. Fol- ing approaches in this direction is mainly supported by empir-
lowed by this work, the gradient-based approach becomes ical observations on specific adversarial attacks. For example,
a prominent way to craft adversarial samples. By exploit- [Wu et al., 2019] prune the perturbed edges based on Jaccard
ing the gradient information of the victim model or a locally similarity of node attributes with the assumption that adver-
trained surrogate model, attackers can easily approximate the sarially perturbed nodes have low similarity to some of their
worst-case perturbations to perform attacks [Li et al., 2021a; neighbors. Another work [Entezari et al., 2020] observes that
Xu et al., 2019; Wu et al., 2019]. While current research the adjacent matrix of adversarially perturbed graphs are al-
heavily relies on supervised signals such as labels to guide ways with high rank. Based on this observation, they employ
the attacks and are targeted at certain downstream tasks, SVD decomposition to form a low-rank approximation for
[Zhang et al., 2022] propose an unsupervised adversarial the adjacent matrix thus can reduce the effects of adversarial
attack where gradients are calculated based on graph con- attacks to a certain degree. Further, the clean graph structure
trastive loss. In addition to gradient information, [Chang et can be learned simultaneously by preserving graph properties
al., 2020] approximate the graph spectrum to perform attacks of sparsity, low rank, and feature smoothness during train-
in a black-box fashion. ing [Jin et al., 2020b]. Graph processing based methods are
Injection attacks. The manipulation attack requires the at- cheap to implement while significantly improving the adver-
tacker to have a high privilege to modify the original graph, sarial robustness of GNNs. However, empirical observation
which is impractical for many real-world scenarios. Alterna- based on specific attacks makes such methods difficult to re-
tively, injection attacks has recently emerged as a more practi- sist unseen attacks. In addition, there is a particular trade-off
cal way that injects a few malicious nodes into the graph. The between performance and robustness since they often hold the
goal of the injection attack is to spread malicious information assumption that data has already been perturbed.
to the proper nodes along with the graph structure by several
injected nodes. In the poisoning attack setting, [Sun et al., Model robustification. Refining the model to prepare itself
2020] first study the node injection attack and propose a re- against potential adversarial threats is a prominent enhancing
inforcement learning based framework to poison the graph. technique and we term it as model robustification. Specif-
[Wang et al., 2020] further derive an approximate closed- ically, the robustification of GNNs can be achieved by im-
from solution to linearize the attack model and inject new proving the model architecture or aggregation scheme. There
vicious nodes efficiently. In the evasion attack setting, [Zou are several efforts that aim to improve the architecture by em-
et al., 2021] consider the attributes and structure of injected ploying different regularizations or constraints on the model
nodes simultaneously to achieves better attack performance. itself, such as 1-Lipschitz constraint [Zhao et al., 2021], `1 -
However, a recent work [Chen et al., 2022] shows that the based graph smoothing [Liu et al., 2021b] and adaptive resid-
success of injection attacks is built upon the severe damage ual [Liu et al., 2021a]. As recently shown in [Geisler et al.,
to the homophily of the original graph. Therefore, the au- 2021; Chen et al., 2021], the way that GNNs aggregate neigh-
thors present to optimize a harmonious adversarial objective borhood information for representation learning makes them
to preserve the homophily of graphs. vulnerable to adversarial attacks. To address this issue, they
Backdoor attacks. In contrast to prior two attacks, back- derive a robust median function instead of a mean function to
door attacks aim to poison the learned model by injecting improve the aggregation scheme. Overall, a robustified model
backdoor triggers into the graph at the training stage. As a is resistant to adversarial attacks without compromising on
consequence, a backdoored model would produce attacker- performance in benign situations.
desired behaviors on trigger-embedded inputs (e.g., misclas-
sify a node as an attacker-chosen target label) while perform- Robust training. Another enhancing technique successfully
ing normally on other benign inputs. Typically, a backdoor applied to the GNN model is based on the robust training
trigger can be a node or a (sub)graph designed by attackers. paradigms. Adversarial training is a widely used practical
[Xi et al., 2021] and [Zhang et al., 2021] propose to use sub- solution to resist adversarial attacks, which builds models on
graphs as trigger patterns to launch backdoor attacks. [Xu a training set augmented with handcrafted adversarial sam-
et al., 2021b] select the optimal trigger for GNNs based on ples. Essentially, the adversarial samples can be crafted via
explainability approaches. Backdoor attacks are a relatively specific perturbations on the graph structure [Xu et al., 2019],
unexplored threat in the literature. However, they are more node attributes [Feng et al., 2021] and even hidden represen-
realistic and dangerous in many security-critical domains as tations [Jin and Zhang, 2019]. Although adversarial train-
the backdoor trigger is hard to notice even by human beings. ing can improve the generalization capability and robustness
 of a model against unseen attacks, there is a risk of overfit-
4.2 Enhancing techniques ting to adversarial samples. In addition, adversarial training
 is only able to resist evasion attacks. To this end, [Tang et al.,
Efforts have been made to mitigate adversarial attacks in dif- 2020] propose to enhance the model robustness against poi-
ferent ways. In this subsection, we review recent robust- soning attacks through transferring knowledge from similar
ness enhancing techniques of DGL against adversarial attacks graph domains. However, it requires a large number of clean
from data, model and optimization perspectives. graphs from other domains to successfully train the model.

5 Overall Discussion three aspects: adversarial attack, inherent noise, and distribu-
Given the above comprehensive summary of recent advances tion shift. For each type of threat, we provide a systematical
in reliable DGL research, we further provide overall discus- view to inspect previous robustness-enhancing techniques for
sions among the above topics including their relations, differ- DGL. Our survey can help researchers to better understand
ences, and applications. the relationship between different threats and to choose ap-
 propriate techniques for their purposes. Despite the above
Difference to general reliable machine learning. Tremen-
 progress, there still exist several interesting future directions
dous efforts have been made to improve the reliability of deep
 as summarized below.
learning on non-graph data such as images and texts. In con-
trast to these methods, improving the reliability of GNNs Theoretical framework. Despite algorithmic advances for
on graph data poses unique challenges. For the message- reliable DGL, there is still a lack of theoretical frameworks
passing-based models used by most DGL algorithms, the ad- to formally analyze the effectiveness of these methods. For
versarial perturbation, inherent noise and distribution shift of example, how to analyze out-of-distribution generalization
one node can be transmitted to its neighbors and further hin- bound in the DGL setting remains an open problem.
der the model performance. Therefore, previous general re- Unified solution. Section 5 shows relations among three
liable machine learning algorithms need to be modified by threats. In a real-world setting, these threats may happen
considering the relationship between different nodes. simultaneously. Therefore a unified solution to mitigate the
A unified view. The uncertainty modeling framework allows effects caused by these threats is desired.
us to examine the three types of threats in a unified manner. Connection to learning stability. As pointed out by prior
There are two typical types of uncertainties, aleatoric and work for general ML, there is a strong connection between
epistemic uncertainties. Specifically, we can treat inherent robustness and learning stability. Thus, from the optimization
noise as the main source of aleatoric uncertainty, since these perspective, how to build robust learning algorithm for DGL
noises are irreducible even given access to infinite samples. In is also an interesting direction. Prior work [Wu et al., 2022]
addition, we can treat adversarial attack and distribution shift mentioned in Section 3.2 can be seen as an initial attempt,
as two sources of epistemic uncertainty, as we can reduce which applies invariant risk minimization to DGL settings to
these uncertainties by introducing data samples on different learn a stable graph representation.
domains/sub-populations through advancing data augmenta-
tion. For example, to combat with adversarial noises, robust Scalability and adversarial robustness. Existing studies of
training [Xu et al., 2019] involves adversarial samples into the reliability to adversarial attacks mainly focus on relatively
the training process to enhance the adversarial robustness of small graphs How to transfer these methods to real-world
GNN models. Under this unified view, we can leverage prior large-scale graph remains unexplored.
uncertainty estimation methods to detect adversarial samples Fairness and adversarial robustness. Existing work prefers
(adversarial attack), out-of-distribution samples (distribution to utilize standard performance metrics, such as accuracy,
shift), and outliers (inherent noises), which provides further to measure the robustness of a DGL model, which is, how-
information for enhancing model’s reliability. ever, apparently insufficient for evaluating the overall reli-
Difference among above threats. In general, the above three ability performance. A DGL algorithm with high accuracy
types of threats can all be seen as the “mismatch” between may not be fair to different attribute groups, which results in
training and testing samples. Here, we highlight subtle dif- severe disparities of accuracy and robustness between differ-
ferences among them. The inherent noise or distribution shift ent groups of data. This calls for future work to explore fair
happens in the training data generation process due to sam- and robust DGL algorithms and develop principled evaluation
pling bias and environment noise without deliberate human metrics beyond accuracy.
design, while adversarial attacks are deliberately designed by Counterfactual explanations and adversarial samples.
malicious attackers after the training/testing sample genera- One problem of DGL algorithms is the lack of interpretabil-
tion phase. Furthermore, the inherent noise is typically ir- ity. To address this issue, counterfactual explanations are pro-
reducible, while the other two types of threats can be alle- posed as a powerful means for understanding how decisions
viated by sampling more data with expertise. Despite the made by algorithms. While prior research in vision tasks
differences, some general techniques can be used for pre- [Pawelczyk et al., 2021] has shown that counterfactual ex-
venting the three types of threats. For example, one can planations and adversarial samples are strongly related ap-
inject probabilistic decision module into GNNs to provide proaches with many similarities, there is currently little work
predictions and its uncertainty estimation [Han et al., 2021; on systematically exploring their connections in DGL.
Hasanzadeh et al., 2020]. Uncertainty estimation can be fur- Reliability benchmarks. Along with the fast development
ther enhanced by introducing OOD and adversarial samples of reliable DGL algorithms, real-world benchmarks are de-
into the training phase. Thus, the estimation can be used to sired for the research community. Some early benchmarks for
detect the above threats, improving the decision reliability of specific settings have been established, e.g., [Ji et al., 2022]
various DGL algorithms. present an OOD dataset curator and benchmark for AI-aided
 drug discovery designed specifically for the distribution shift
6 Conclusion and Future Directions problem with data noise. It is promising to build a general
This survey gives an overview of recent advances for improv- benchmark platform to cover more reliability aspects men-
ing the reliability of DGL algorithms in terms of the following tioned in this survey.

References Voronov, Atanas Patronov, Ola Engkvist, and Christian Margre-
[Arjovsky et al., 2019] Martı́n Arjovsky, Léon Bottou, Ishaan Gul- itter. Dockstream: a docking wrapper to enhance de novo molec-
 ular design. Journal of Cheminformatics, 2021.
 rajani, and David Lopez-Paz. Invariant risk minimization. CoRR,
 abs/1907.02893, 2019. [Hamilton et al., 2017] Will Hamilton, Zhitao Ying, and Jure
 Leskovec. Inductive representation learning on large graphs. In
[Bevilacqua et al., 2021] Beatrice Bevilacqua, Yangze Zhou, and NeurIPS, 2017.
 Bruno Ribeiro. Size-invariant graph representations for graph
 classification extrapolations. In ICML, 2021. [Han et al., 2021] Kehang Han, Balaji Lakshminarayanan, and
 Jeremiah Zhe Liu. Reliable graph neural networks for drug dis-
[Cai et al., 2021] Ruichu Cai, Fengzhu Wu, Zijian Li, Pengfei Wei, covery under distributional shift. In NeurIPS Workshop on Dis-
 Lingling Yi, and Kun Zhang. Graph domain adaptation: A gen- tribution Shifts: Connecting Methods and Applications, 2021.
 erative view. CoRR, abs/2106.07482, 2021. [Hasanzadeh et al., 2020] Arman Hasanzadeh, Ehsan Haji-
[Chang et al., 2020] Heng Chang, Yu Rong, Tingyang Xu, Wen- ramezanali, Shahin Boluki, Mingyuan Zhou, Nick Duffield,
 bing Huang, Honglei Zhang, Peng Cui, Wenwu Zhu, and Junzhou Krishna Narayanan, and Xiaoning Qian. Bayesian graph neural
 Huang. A restricted black-box adversarial framework towards at- networks with adaptive connection sampling. In ICML, 2020.
 tacking graph embedding models. In AAAI, 2020. [Hong et al., 2019] Huiting Hong, Xin Li, Yuangang Pan, and
[Chen et al., 2018] Jie Chen, Tengfei Ma, and Cao Xiao. Fastgcn: Ivor W. Tsang. Domain-adversarial network alignment. CoRR,
 Fast learning with graph convolutional networks via importance abs/1908.05429, 2019.
 sampling. In ICLR, 2018. [Jang et al., 2017] Eric Jang, Shixiang Gu, and Ben Poole. Cate-
[Chen et al., 2020a] Liang Chen, Jintang Li, Jiaying Peng, Tao Xie, gorical reparameterization with gumbel-softmax. In ICLR, 2017.
 Zengxu Cao, Kun Xu, Xiangnan He, and Zibin Zheng. A survey [Ji et al., 2022] Yuanfeng Ji, Lu Zhang, Jiaxiang Wu, Bingzhe Wu,
 of adversarial learning on graphs. CoRR, abs/2003.05730, 2020. Long-Kai Huang, Tingyang Xu, Yu Rong, Lanqing Li, Jie Ren,
[Chen et al., 2020b] Yu Chen, Lingfei Wu, and Mohammed Zaki. Ding Xue, Houtim Lai, Shaoyong Xu, Jing Feng, Wei Liu, Ping
 Iterative deep graph learning for graph neural networks: Better Luo, Shuigeng Zhou, Junzhou Huang, Peilin Zhao, and Yatao
 and robust node embeddings. In NeurIPS, 2020. Bian. Drugood: Out-of-distribution (OOD) dataset curator and
 benchmark for ai-aided drug discovery - A focus on affinity pre-
[Chen et al., 2021] Liang Chen, Jintang Li, Qibiao Peng, Yang Liu, diction problems with noise annotations. CoRR, abs/2201.09637,
 Zibin Zheng, and Carl Yang. Understanding structural vulnera- 2022.
 bility in graph convolutional networks. In IJCAI, 2021. [Jin and Zhang, 2019] Hongwei Jin and Xinhua Zhang. Latent ad-
[Chen et al., 2022] Yongqiang Chen, Han Yang, Yonggang Zhang, versarial training of graph convolution networks. In ICML Work-
 MA KAILI, Tongliang Liu, Bo Han, and James Cheng. Under- shop on Learning and Reasoning with Graph-Structured Repre-
 standing and improving graph injection attack by promoting un- sentations, 2019.
 noticeability. In ICLR, 2022. [Jin et al., 2020a] Wei Jin, Yaxin Li, Han Xu, Yiqi Wang, and Jil-
[Dai et al., 2021] Enyan Dai, Charu Aggarwal, and Suhang Wang. iang Tang. Adversarial attacks and defenses on graphs: A review
 Nrgnn: Learning a label noise-resistant graph neural network on and empirical study. CoRR, abs/2003.00653, 2020.
 sparsely and noisily labeled graphs. In KDD, 2021. [Jin et al., 2020b] Wei Jin, Yao Ma, Xiaorui Liu, Xianfeng Tang,
[Dou et al., 2020] Yingtong Dou, Zhiwei Liu, Li Sun, Yutong Suhang Wang, and Jiliang Tang. Graph structure learning for
 Deng, Hao Peng, and Philip S. Yu. Enhancing graph neural robust graph neural networks. In KDD, 2020.
 network-based fraud detectors against camouflaged fraudsters. In [Kong et al., 2020] Kezhi Kong, Guohao Li, Mucong Ding, Zux-
 CIKM, 2020. uan Wu, Chen Zhu, Bernard Ghanem, Gavin Taylor, and Tom
 Goldstein. FLAG: adversarial data augmentation for graph neu-
[Entezari et al., 2020] Negin Entezari, Saba A. Al-Sayouri, Amirali
 ral networks. CoRR, abs/2010.09891, 2020.
 Darvishzadeh, and Evangelos E. Papalexakis. All you need is
 low (rank): Defending against adversarial attacks on graphs. In [Kose and Shen, 2022] Öykü Deniz Kose and Yanning Shen. Fair
 WSDM, 2020. node representation learning via adaptive data augmentation.
 CoRR, abs/2201.08549, 2022.
[Feng et al., 2021] Fuli Feng, Xiangnan He, Jie Tang, and Tat-Seng
 [Li et al., 2021a] Jintang Li, Tao Xie, Chen Liang, Fenfang Xie, Xi-
 Chua. Graph adversarial training: Dynamically regularizing
 based on graph structure. IEEE TKDE, 33(6):2493–2504, 2021. angnan He, and Zibin Zheng. Adversarial attack on large scale
 graph. IEEE TKDE, pages 1–1, 2021.
[Fionda, 2019] Valeria Fionda. Networks in biology. In Shoba
 [Li et al., 2021b] Yayong Li, Jie Yin, and Ling Chen. Unified ro-
 Ranganathan, Michael Gribskov, Kenta Nakai, and Christian
 bust training for graph neural networks against label noise. In
 Schönbach, editors, Encyclopedia of Bioinformatics and Compu-
 PAKDD. Springer, 2021.
 tational Biology, pages 915–921. Academic Press, Oxford, 2019.
 [Liu et al., 2021a] Xiaorui Liu, Jiayuan Ding, Wei Jin, Han Xu, Yao
[Ganin and Lempitsky, 2015] Yaroslav Ganin and Victor S. Lem- Ma, Zitao Liu, and Jiliang Tang. Graph neural networks with
 pitsky. Unsupervised domain adaptation by backpropagation. In adaptive residual. In NeurIPS, 2021.
 ICML, 2015.
 [Liu et al., 2021b] Xiaorui Liu, Wei Jin, Yao Ma, Yaxin Li, Hua
[Geisler et al., 2021] Simon Geisler, Tobias Schmidt, Hakan Liu, Yiqi Wang, Ming Yan, and Jiliang Tang. Elastic graph neural
 Şirin, Daniel Zügner, Aleksandar Bojchevski, and Stephan networks. In ICML, 2021.
 Günnemann. Robustness of graph neural networks at scale. In [Luo et al., 2021] Dongsheng Luo, Wei Cheng, Wenchao Yu,
 NeurIPS, 2021.
 Bo Zong, Jingchao Ni, Haifeng Chen, and Xiang Zhang. Learn-
[Guo et al., 2021] Jeff Guo, Jon Paul Janet, Matthias Bauer, ing to drop: Robust graph neural network via topological denois-
 Eva Nittinger, Kathryn Giblin, Kostas Papadopoulos, Alexey ing. In WSDM, 2021.

[NT et al., 2019] Hoang NT, Choong Jun Jin, and Tsuyoshi Mu- [Wu et al., 2021a] Chuhan Wu, Fangzhao Wu, Yang Cao, Yongfeng
 rata. Learning graph neural networks with noisy labels. CoRR, Huang, and Xing Xie. Fedgnn: Federated graph neural network
 abs/1905.01591, 2019. for privacy-preserving recommendation. CoRR, abs/2102.04925,
[Papp et al., 2021] Pál András Papp, Karolis Martinkus, Lukas 2021.
 Faber, and Roger Wattenhofer. Dropgnn: random dropouts in- [Wu et al., 2021b] Lirong Wu, Haitao Lin, Zhangyang Gao, Cheng
 crease the expressiveness of graph neural networks. In NeurIPS, Tan, and Stan Z. Li. Graphmixup: Improving class-imbalanced
 2021. node classification on graphs by self-supervised context predic-
 tion. CoRR, abs/2106.11133, 2021.
[Patrini et al., 2017] Giorgio Patrini, Alessandro Rozza, Aditya Kr-
 ishna Menon, Richard Nock, and Lizhen Qu. Making deep neu- [Wu et al., 2022] Qitian Wu, Hengrui Zhang, Junchi Yan, and
 ral networks robust to label noise: A loss correction approach. In David Wipf. Towards distribution shift of node-level prediction
 CVPR, 2017. on graphs: An invariance perspective. In ICLR, 2022.
[Pawelczyk et al., 2021] Martin Pawelczyk, Shalmali Joshi, Chirag [Xi et al., 2021] Zhaohan Xi, Ren Pang, Shouling Ji, and Ting
 Agarwal, Sohini Upadhyay, and Himabindu Lakkaraju. On the Wang. Graph backdoor. In USENIX Security Symposium, 2021.
 connections between counterfactual explanations and adversarial [Xu et al., 2019] Kaidi Xu, Hongge Chen, Sijia Liu, Pin-Yu Chen,
 examples. CoRR, abs/2106.09992, 2021. Tsui-Wei Weng, Mingyi Hong, and Xue Lin. Topology attack and
[Rong et al., 2019] Yu Rong, Wenbing Huang, Tingyang Xu, and defense for graph neural networks: An optimization perspective.
 Junzhou Huang. Dropedge: Towards deep graph convolutional In IJCAI, 2019.
 networks on node classification. In ICLR, 2019. [Xu et al., 2021a] Jiarong Xu, Junru Chen, Siqi You, Zhiqing Xiao,
[Sun et al., 2018] Lichao Sun, Ji Wang, Philip S. Yu, and Bo Li. Yang Yang, and Jiangang Lu. Robustness of deep learning mod-
 Adversarial attack and defense on graph data: A survey. CoRR, els on graphs: A survey. AI Open, 2:69–78, 2021.
 abs/1812.10528, 2018. [Xu et al., 2021b] Jing Xu, Minhui Xue, and Stjepan Picek.
[Sun et al., 2020] Yiwei Sun, Suhang Wang, Xianfeng Tang, Explainability-based backdoor attacks against graph neural net-
 Tsung-Yu Hsieh, and Vasant G. Honavar. Adversarial attacks on works. In WiseML@WiSec, pages 31–36. ACM, 2021.
 graph neural networks via node injections: A hierarchical rein- [Yang et al., 2020] Shuo Yang, Zhiqiang Zhang, Jun Zhou, Yang
 forcement learning approach. In WWW, 2020. Wang, Wang Sun, Xingyu Zhong, Yanming Fang, Quan Yu, and
[Tang et al., 2020] Xianfeng Tang, Yandong Li, Yiwei Sun, Huaxiu Yuan Qi. Financial risk analysis for smes with graph-based sup-
 ply chain mining. In IJCAI, 2020.
 Yao, Prasenjit Mitra, and Suhang Wang. Transferring robustness
 for graph neural network against poisoning attacks. In WSDM, [Zhang and Pei, 2021] Zeyu Zhang and Yulong Pei. A comparative
 2020. study on robust graph neural networks to structural noises. CoRR,
 abs/2112.06070, 2021.
[Verma et al., 2021] Vikas Verma, Meng Qu, Kenji Kawaguchi,
 Alex Lamb, Yoshua Bengio, Juho Kannala, and Jian Tang. [Zhang et al., 2021] Zaixi Zhang, Jinyuan Jia, Binghui Wang, and
 Graphmix: Improved training of gnns for semi-supervised learn- Neil Zhenqiang Gong. Backdoor attacks to graph neural net-
 ing. In AAAI, 2021. works. In SACMAT, pages 15–26. ACM, 2021.
[Wang et al., 2019] Lu Wang, Wenchao Yu, Wei Wang, Wei Cheng, [Zhang et al., 2022] Sixiao Zhang, Hongxu Chen, Xiangguo Sun,
 Wei Zhang, Hongyuan Zha, Xiaofeng He, and Haifeng Chen. Yicong Li, and Guandong Xu. Unsupervised graph poisoning
 Learning robust representations with graph denoising policy net- attack via contrastive loss back-propagation. In WWW, 2022.
 work. In ICDM, 2019. [Zhao et al., 2021] Xin Zhao, Zeru Zhang, Zijie Zhang, Lingfei
[Wang et al., 2020] Jihong Wang, Minnan Luo, Fnu Suya, Jundong Wu, Jiayin Jin, Yang Zhou, Ruoming Jin, Dejing Dou, and
 Li, Zijiang Yang, and Qinghua Zheng. Scalable attack on graph Da Yan. Expressive 1-lipschitz neural networks for robust multi-
 data by injecting vicious nodes. Data Min. Knowl. Discov., ple graph learning against adversarial attacks. In ICML, 2021.
 34(5):1363–1389, 2020. [Zheng et al., 2020] Cheng Zheng, Bo Zong, Wei Cheng, Dongjin
[Wang et al., 2021a] Jindong Wang, Cuiling Lan, Chang Liu, Yi- Song, Jingchao Ni, Wenchao Yu, Haifeng Chen, and Wei Wang.
 dong Ouyang, and Tao Qin. Generalizing to unseen domains: A Robust graph representation learning via neural sparsification. In
 survey on domain generalization. In IJCAI, 2021. ICML, 2020.
[Wang et al., 2021b] Xiao Wang, Hongrui Liu, Chuan Shi, and [Zhou et al., 2021] Kaiyang Zhou, Ziwei Liu, Yu Qiao, Tao Xiang,
 Cheng Yang. Be confident! towards trustworthy graph neural and Chen Change Loy. Domain generalization: A survey. CoRR,
 networks via confidence calibration. In NeurIPS, 2021. abs/2103.02503, 2021.
 [Zhu et al., 2021] Yanqiao Zhu, Weizhi Xu, Jinghao Zhang, Qiang
[Wu et al., 2017] Zhenqin Wu, Bharath Ramsundar, Evan N. Fein-
 Liu, Shu Wu, and Liang Wang. Deep graph structure learning for
 berg, Joseph Gomes, Caleb Geniesse, Aneesh S. Pappu, Karl
 robust representations: A survey. CoRR, abs/2103.03036, 2021.
 Leswing, and Vijay S. Pande. Moleculenet: A benchmark for
 molecular machine learning. CoRR, abs/1703.00564, 2017. [Zou et al., 2021] Xu Zou, Qinkai Zheng, Yuxiao Dong, Xinyu
 Guan, Evgeny Kharlamov, Jialiang Lu, and Jie Tang. TDGIA:
[Wu et al., 2019] Huijun Wu, Chen Wang, Yuriy Tyshetskiy, An-
 effective injection attacks on graph neural networks. In KDD,
 drew Docherty, Kai Lu, and Liming Zhu. Adversarial examples 2021.
 for graph data: Deep insights into attack and defense. In IJCAI,
 2019. [Zügner et al., 2018] Daniel Zügner, Amir Akbarnejad, and
 Stephan Günnemann. Adversarial attacks on neural networks for
[Wu et al., 2020] Man Wu, Shirui Pan, Chuan Zhou, Xiaojun graph data. In KDD, 2018.
 Chang, and Xingquan Zhu. Unsupervised domain adaptive graph
 convolutional networks. In WWW, 2020.