Lingshuo Meng,Yijie Bai,Yanjiao Chen,Yutong Hu,Wenyuan Xu,Haiqin Weng

DOI: https://doi.org/10.1145/3576915.3623173

2023-01-01

Abstract:Graph neural networks (GNNs) have been developed to mine useful information from graph data of various applications, e.g., health-care, fraud detection, and social recommendation. However, GNNs open up new attack surfaces for privacy attacks on graph data. In this paper, we propose Infiltrator, a privacy attack that is able to pry node-level private information based on black-box access to GNNs. Different from existing works that require prior information of the victim node, we explore the possibility of conducting the attack without any information of the victim node. Our idea is to infiltrate the graph with attacker-created nodes to befriend the victim node. More specifically, we design infiltration schemes that enable the adversary to infer the label, neighboring links, and sensitive attributes of a victim node. We evaluate Infiltrator with extensive experiments on three representative GNN models and six real-world datasets. The results demonstrate that Infiltrator can achieve an attack performance of more than 98% in all three attacks, outperforming baseline approaches. We further evaluate the defense resistance of Infiltrator against the graph homophily defender and the differentially private model.

Guanghui He,Yanli Ren,Gang He,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1109/tsc.2024.3399648

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Outsourced inference services have greatly promoted the popularization of deep learning, and neural network models can help users customize a series of personalized applications, e.g., face recognition, image classification, etc. However, untrustworthy service providers also bring a variety of security issues, such as data privacy, network model privacy, etc. Meanwhile, the malicious example will result in the output of model incorrectly. For the above concerns, this paper proposes a privacy-reserving neural network inference against adversarial example attack (PPNNI) under two non-colluding cloud servers, where a series of efficient security protocols are designed to realize private prediction based on the additive secret sharing protocol. In the semi-honest model, the servers implement the neural network's private inference in the context of an unknown input and network model. Moreover, in order to prevent malicious examples from affecting the model accuracy, we produce a method of kernel density estimation and uncertainty value in the last layer of the hidden layer to determine whether the input is adversarial examples in the domain of ciphertext. The proposed PPNNI protocol is the first effort to efficiently detect adversarial attack behaviors under the ciphertexts. The theoretical analysis illustrate that the protocol can guarantee the privacy of input data, model parameters and the inference result. The results of the experiments demonstrate that the model accuracy are about 89% and 83% respectively with malicious examples on MNIST and CIFAR10 in the domain of ciphertext and they are nearly same as 91% and 85% in the domain of plaintext, which shows the effectiveness of our protocol.

Yanjun Liu,Hongwei Li,Meng Hao

DOI: https://doi.org/10.3389/fphy.2024.1383276

IF: 3.718

2024-04-27

Frontiers in Physics

Abstract:High-performance GNN obtains dependencies within a graph by capturing the mechanism of message passing and aggregation between neighboring nodes in the graph, and successfully updates node embeddings. However, in practical applications, the inherent model structure of the graph is highly susceptible to privacy attacks, and the heterogeneity of external data can lead to a decrease in model performance. Motivated by this challenge, this work proposes a novel framework called Personalized Federated Graph Neural Network for Privacy-Preserving (PFGNN). Specifically, firstly, this work introduces a graph similarity strategy. Based on the principle that clients with similar features exhibit stronger homophily, this work divides all participating clients into multiple clusters for collaborative training. Furthermore, within each group, this work employs an attention mechanism to design a federated aggregation weighting scheme. This scheme is used to construct a global model on the server, which helps mitigate the difficulty of model generalization resulting from data heterogeneity collected from different clients. Lastly, to ensure the privacy of model parameters during the training process and prevent malicious adversaries from stealing them, this work implements privacy-enhancing technology by introducing an optimized function-hiding multi-input function encryption scheme. This ensures the security of both model data and user privacy. Experiments on real datasets show that our scheme outperforms FedAvg in accuracy, and the communication overhead is linearly related to the number of clients. Through this framework, PFGNN can handle all kinds of non-Euclidean structured data, multiple clients collaborate to train high-quality and highly secure global models. This work provides the foundation for designing efficient and privacy-preserving personalized federated graph neural networks.

physics, multidisciplinary

Mengyuan Lee,Guanding Yu,Huaiyu Dai

DOI: https://doi.org/10.1109/twc.2023.3279442

IF: 10.4

2024-01-01

IEEE Transactions on Wireless Communications

Abstract:As an efficient neural network model for graph data, graph neural networks (GNNs) recently find successful applications for various wireless optimization problems. Given that the inference stage of GNNs can be naturally implemented in a decentralized manner, GNN is a potential enabler for decentralized control/management in the next-generation wireless communications. Privacy leakage, however, may occur due to the information exchanges among neighbors during decentralized inference with GNNs. To deal with this issue, in this paper, we analyze and enhance the privacy of decentralized inference with GNNs in wireless networks. Specifically, we adopt local differential privacy as the metric, and design novel privacy-preserving signals as well as privacy-guaranteed training algorithms to achieve privacy-preserving inference. We also define the SNR-privacy trade-off function to analyze the performance upper bound of decentralized inference with GNNs in wireless networks. To further enhance the communication and computation efficiency, we adopt the over-the-air computation technique and theoretically demonstrate its advantage in privacy preservation. Through extensive simulations on the synthetic graph data, we validate our theoretical analysis, verify the effectiveness of proposed privacy-preserving wireless signaling and privacy-guaranteed training algorithm, and offer some guidance on practical implementation.

Xinjun Pei,Xiaoheng Deng,Shengwei Tian,Jianqing Liu,Kaiping Xue

DOI: https://doi.org/10.1109/tifs.2023.3329971

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the ever-growing interest in modeling complex graph structures, graph neural networks (GNN) provide a generalized form of exploiting non-Euclidean space data. However, the global graph may be distributed across multiple data centers, which makes conventional graph-based models incapable of modeling a complete graph structure. This also brings an unprecedented challenge to user privacy protection in distributed graph learning. Due to privacy requirements of legal policies, existing graph-based solutions are difficult to deploy in practice. In this paper, we propose a privacy-preserving graph neural network based on local graph augmentation, named LGA-PGNN, which preserves user privacy by enforcing local differential privacy (LDP) noise into the decentralized local graphs held by different data holders. Moreover, we perform local neighborhood augmentation on low-degree vertices to enhance the expressiveness of the learned model. Specifically, we propose two graph privacy attacks, namely attribute inference attack and link stealing attack, which aim at compromising user privacy. The experimental results demonstrate that LGA-PGNN can effectively mitigate these two attacks and provably avoid potential privacy leakage while ensuring the utility of the learning model.

Zhikun Zhang,Min Chen,Michael Backes,Yun Shen,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2110.02631

2021-10-06

Abstract:Graph is an important data representation ubiquitously existing in the real world. However, analyzing the graph data is computationally difficult due to its non-Euclidean nature. Graph embedding is a powerful tool to solve the graph analytics problem by transforming the graph data into low-dimensional vectors. These vectors could also be shared with third parties to gain additional insights of what is behind the data. While sharing graph embedding is intriguing, the associated privacy risks are unexplored. In this paper, we systematically investigate the information leakage of the graph embedding by mounting three inference attacks. First, we can successfully infer basic graph properties, such as the number of nodes, the number of edges, and graph density, of the target graph with up to 0.89 accuracy. Second, given a subgraph of interest and the graph embedding, we can determine with high confidence that whether the subgraph is contained in the target graph. For instance, we achieve 0.98 attack AUC on the DD dataset. Third, we propose a novel graph reconstruction attack that can reconstruct a graph that has similar graph structural statistics to the target graph. We further propose an effective defense mechanism based on graph embedding perturbation to mitigate the inference attacks without noticeable performance degradation for graph classification tasks. Our code is available at <a class="link-external link-https" href="https://github.com/Zhangzhk0819/GNN-Embedding-Leaks" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Machine Learning

Chaochao Chen,Jun Zhou,Longfei Zheng,Huiwen Wu,Lingjuan Lyu,Jia Wu,Bingzhe Wu,Ziqi Liu,Li Wang,Xiaolin Zheng

DOI: https://doi.org/10.24963/ijcai.2022/272

2020-01-01

Abstract:Recently, Graph Neural Network (GNN) has achieved remarkable progresses invarious real-world tasks on graph data, consisting of node features and theadjacent information between different nodes. High-performance GNN modelsalways depend on both rich features and complete edge information in graph.However, such information could possibly be isolated by different data holdersin practice, which is the so-called data isolation problem. To solve thisproblem, in this paper, we propose VFGNN, a federated GNN learning paradigm forprivacy-preserving node classification task under data vertically partitionedsetting, which can be generalized to existing GNN models. Specifically, wesplit the computation graph into two parts. We leave the private data (i.e.,features, edges, and labels) related computations on data holders, and delegatethe rest of computations to a semi-honest server. We also propose to applydifferential privacy to prevent potential information leakage from the server.We conduct experiments on three benchmarks and the results demonstrate theeffectiveness of VFGNN.

Zaixi Zhang,Qi Liu,Zhenya Huang,Hao Wang,Chee-Kong Lee,Enhong Chen

DOI: https://doi.org/10.1109/tkde.2022.3207915

IF: 9.235

2022-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Many data mining tasks rely on graphs to model relational structures among individuals (nodes). Since relational data are often sensitive, there is an urgent need to evaluate the privacy risks in graph data. One famous privacy attack against data analysis models is the model inversion attack, which aims to infer sensitive data in the training dataset and leads to great privacy concerns. Despite its success in grid-like domains, directly applying model inversion attacks on non-grid domains such as graph leads to poor attack performance. This is mainly due to the failure to consider the unique properties of graphs. To bridge this gap, we conduct a systematic study on model inversion attacks against Graph Neural Networks (GNNs), one of the state-of-the-art graph analysis tools in this paper. First, in the white-box setting where the attacker has full access to the target GNN model, we present GraphMI to infer the private training graph data. Specifically in GraphMI, a projected gradient module is proposed to tackle the discreteness of graph edges and preserve the sparsity and smoothness of graph features; a graph auto-encoder module is used to efficiently exploit graph topology, node attributes, and target model parameters for edge inference; a random sampling module can finally sample discrete edges. Furthermore, in the hard-label black-box setting where the attacker can only query the GNN API and receive the classification results, we propose two methods based on gradient estimation and reinforcement learning (RL-GraphMI). With the proposed methods, we study the connection between model inversion risk and edge influence and show that edges with greater influence are more likely to be recovered. Extensive experiments over several public datasets demonstrate the effectiveness of our methods. We also evaluate our attacks under two defenses: one is the well-designed differential private training, and the other is graph preprocessing. Our experimental results show that such defenses are not sufficiently effective and call for more advanced defenses against privacy attacks.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Divya Anand Sinha,Yezi Liu,Ruijie Du,Yanning Shen

2024-11-29

Abstract:Graph federated learning is of essential importance for training over large graph datasets while protecting data privacy, where each client stores a subset of local graph data, while the server collects the local gradients and broadcasts only the aggregated gradients. Recent studies reveal that a malicious attacker can steal private image data from gradient exchanging of neural networks during federated learning. However, none of the existing works have studied the vulnerability of graph data and graph neural networks under such attack. To answer this question, the present paper studies the problem of whether private data can be recovered from leaked gradients in both node classification and graph classification tasks and { proposes a novel attack named Graph Leakage from Gradients (GLG)}. Two widely-used GNN frameworks are analyzed, namely GCN and GraphSAGE. The effects of different model settings on recovery are extensively discussed. Through theoretical analysis and empirical validation, it is shown that parts of the graph data can be leaked from the gradients.

Machine Learning,Artificial Intelligence

Hanyang Yuan,Jiarong Xu,Renhong Huang,Mingli Song,Chunping Wang,Yang Yang

2024-11-06

Abstract:Graph neural networks (GNNs) have attracted considerable attention due to their diverse applications. However, the scarcity and quality limitations of graph data present challenges to their training process in practical settings. To facilitate the development of effective GNNs, companies and researchers often seek external collaboration. Yet, directly sharing data raises privacy concerns, motivating data owners to train GNNs on their private graphs and share the trained models. Unfortunately, these models may still inadvertently disclose sensitive properties of their training graphs (e.g., average default rate in a transaction network), leading to severe consequences for data owners. In this work, we study graph property inference attack to identify the risk of sensitive property information leakage from shared models. Existing approaches typically train numerous shadow models for developing such attack, which is computationally intensive and impractical. To address this issue, we propose an efficient graph property inference attack by leveraging model approximation techniques. Our method only requires training a small set of models on graphs, while generating a sufficient number of approximated shadow models for attacks. To enhance diversity while reducing errors in the approximated models, we apply edit distance to quantify the diversity within a group of approximated models and introduce a theoretically guaranteed criterion to evaluate each model's error. Subsequently, we propose a novel selection mechanism to ensure that the retained approximated models achieve high diversity and low error. Extensive experiments across six real-world scenarios demonstrate our method's substantial improvement, with average increases of 2.7% in attack accuracy and 4.1% in ROC-AUC, while being 6.5$\times$ faster compared to the best baseline.

Machine Learning,Cryptography and Security

Yanli Yuan,Dian Lei,Qing Fan,Keli Zhao,Liehuang Zhu,Chuan Zhang

DOI: https://doi.org/10.1109/icicn62625.2024.10761771

2024-01-01

Abstract:With the widespread adoption of Graph Neural Network (GNN) technology in industry, concerns regarding graph data privacy have become increasingly prominent. Differential privacy has been demonstrated as an effective method to ensure privacy in graph learning. However, existing differential privacy-based GNN methods often overlook the individual privacy protection needs of users, offering uniform privacy guarantees to all. This approach can result in either over-protection or insufficient protection for certain users. To address this issue, we propose an adaptive privacy-preserving GNN training method that accommodates the varying privacy requirements of nodes while achieving high model training accuracy. Specifically, APPGNN allocates adaptive privacy budgets based on individual user privacy needs. Additionally, to mitigate the impact of noise on data utility, APPGNN incorporates a weighted neighborhood aggregation mechanism to enhance GNN model accuracy. Theoretical analysis indicates that APPGNN provides adaptive privacy protection while ensuring ε-differential privacy on node data. Experimental evaluations on four real-world graph datasets validate the effectiveness of APPGNN.

Xinjun Pei,Xiaoheng Deng,Shengwei Tian,Kaiping Xue

DOI: https://doi.org/10.1109/icassp49357.2023.10096911

2023-01-01

Abstract:Graph Neural Networks (GNNs) as an emerging technique have shown excellent performance in a variety of fields, such as social networks and recommendation systems. However, GNNs may have to overcome privacy concerns as large amounts of information about their training datasets may be compromised. In this paper, we develop a privacy-preserving GNN to enforce privacy preservation, which utilizes a private Functional Mechanism (FM) to train the learning model. This mechanism perturbs the polynomial approximation of the objective function to enforce Differential Privacy (DP) in the GNN model. We show that our method can maximize the accuracy of the results with comparable prediction power to the unperturbed results while satisfying the privacy guarantees.

Xupeng Miao,Wentao Zhang,Yuezihan Jiang,Fangcheng Fu,Yingxia Shao,Lei Chen,Yangyu Tao,Gang Cao,Bin Cui

DOI: https://doi.org/10.1007/s00778-022-00768-8

2022-01-01

Abstract:Graph neural networks (GNNs) and their variants have generalized deep learning methods into non-Euclidean graph data, bringing substantial improvement in many graph mining tasks. In practice, the large graph could be isolated by different databases. Recently, user privacy protection has become a crucial concern in practical machine learning, which motivates us to explore a GNN framework with data sharing and without violating user privacy leakage in the meanwhile. However, it is challenging to scale GNN training to edge partitioned distributed graph databases while preserving data privacy and model quality. In this paper, we propose a privacy preserving collaborative GNN training framework, P ^2 CG, aiming to obtain competitive model performance as the centralized setting. We present the clustering-based differential privacy algorithm to reduce the model degradation caused by the noisy edges generation. Moreover, we propose a novel interaction-based secure multi-layer graph convolution algorithm to alleviate the noise diffusion problem. Experimental results on the benchmark datasets and the production dataset in Tencent Inc. show that P ^2 CG can significantly increase the model performance and obtain competitive results as a centralized setting.

Junze Yang,Hongwei Li,Wenshu Fan,Xilin Zhang,Meng Hao

DOI: https://doi.org/10.1109/globecom54140.2023.10437279

2023-01-01

Abstract:Recently, there has been increasing interest in extending deep learning approaches to graph data. Graph representation learning has become an important way to fully utilize the information contained in graph data. Graph Neural Networks (GNNs) have demonstrated significant efficacy in various fields. Previous studies have shown that traditional machine learning models may lead to disclosure of private data, but the privacy risks of GNNs have not received enough attention. In this paper, we propose two attack methods based on the ground-truth label. Our attack approach covers two mainstream attack patterns, including training attack models based on neural networks and setting thresholds. To improve the effectiveness of attacks, we consider incorporating label information of the samples. Since the samples' distributions of different classes are different, the possibility of privacy leakage cannot be treated equally. In neural network-based attacks, we concatenate the label information into the input vector of the attack model. In threshold-based attacks, we set separate thresholds for each label category. We systematically evaluate the performance of membership inference attacks against graph-level classification. Our evaluation on three GNN structures and four benchmark datasets shows that GNNs for graph classification are more vulnerable to the improved attacks. On the DD dataset, our attack achieved an accuracy of 79%. Furthermore, we proposed two defense mechanisms to mitigate the privacy leakage caused by membership inference attacks.

Zaixi Zhang,Qi Liu,Zhenya Huang,Hao Wang,Chengqiang Lu,Chuanren Liu,Enhong Chen

DOI: https://doi.org/10.24963/ijcai.2021/516

2021-08-01

Abstract:As machine learning becomes more widely used for critical applications, the need to study its implications in privacy becomes urgent. Given access to the target model and auxiliary information, model inversion attack aims to infer sensitive features of the training dataset, which leads to great privacy concerns. Despite its success in the grid domain, directly applying model inversion techniques on non grid domains such as graph achieves poor attack performance due to the difficulty to fully exploit the intrinsic properties of graphs and attributes of graph nodes used in GNN models. To bridge this gap, we present Graph Model Inversion attack, which aims to infer edges of the training graph by inverting Graph Neural Networks, one of the most popular graph analysis tools. Specifically, the projected gradient module in our method can tackle the discreteness of graph edges while preserving the sparsity and smoothness of graph features. Moreover, a well designed graph autoencoder module can efficiently exploit graph topology, node attributes, and target model parameters. With the proposed method, we study the connection between model inversion risk and edge influence and show that edges with greater influence are more likely to be recovered. Extensive experiments over several public datasets demonstrate the effectiveness of our method. We also show that differential privacy in its canonical form can hardly defend our attack while preserving decent utility.

Kaiyang Li,Guangchun Luo,Yang Ye,Wei Li,Shihao Ji,Zhipeng Cai

DOI: https://doi.org/10.1109/jiot.2020.3036583

IF: 10.6

2021-04-15

IEEE Internet of Things Journal

Abstract:Recently, the surge in popularity of the Internet of Things (IoT), mobile devices, social media, etc., has opened up a large source for graph data. Graph embedding has been proved extremely useful to learn low-dimensional feature representations from graph-structured data. These feature representations can be used for a variety of prediction tasks from node classification to link prediction. However, the existing graph embedding methods do not consider users' privacy to prevent inference attacks. That is, adversaries can infer users' sensitive information by analyzing node representations learned from graph embedding algorithms. In this article, we propose adversarial privacy graph embedding (APGE), a graph adversarial training framework that integrates the disentangling and purging mechanisms to remove users' private information from learned node representations. The proposed method preserves the structural information and utility attributes of a graph while concealing users' private attributes from inference attacks. Extensive experiments on real-world graph data sets demonstrate the superior performance of APGE compared to the state-of-the-arts. Our source code can be found at https://github.com/KaiyangLi1992/Privacy-Preserving-Social-Network-Embedding.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jirui Yang,Peng Chen,Zhihui Lu,Ruijun Deng,Qiang Duan,Jianping Zeng

2024-10-15

Abstract:Federated Graph Neural Network (FedGNN) is a privacy-preserving machine learning technology that combines federated learning (FL) and graph neural networks (GNNs). It offers a privacy-preserving solution for training GNNs using isolated graph data. Vertical Federated Graph Neural Network (VFGNN) is an important branch of FedGNN, where data features and labels are distributed among participants, and each participant has the same sample space. Due to the difficulty of accessing and modifying distributed data and labels, the vulnerability of VFGNN to backdoor attacks remains largely unexplored. In this context, we propose BVG, the first method for backdoor attacks in VFGNN. Without accessing or modifying labels, BVG uses multi-hop triggers and requires only four target class nodes for an effective backdoor attack. Experiments show that BVG achieves high attack success rates (ASR) across three datasets and three different GNN models, with minimal impact on main task accuracy (MTA). We also evaluate several defense methods, further validating the robustness and effectiveness of BVG. This finding also highlights the need for advanced defense mechanisms to counter sophisticated backdoor attacks in practical VFGNN applications.

Machine Learning,Artificial Intelligence,Cryptography and Security

Xinjun Pei,Xiaoheng Deng,Shengwei Tian,Ping Jiang,Yunlong Zhao,Kaiping Xue

DOI: https://doi.org/10.1109/tdsc.2024.3417853

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:With the ever-growing attention on communication security, machine learning-based network intrusion detection system (NIDS) is widely utilized to meet different security requirements. However, most of the existing methods manually extract or learn features from raw traffic, which is usually expensive, complicated, and time-consuming. Moreover, this also brings unprecedented challenges for preserving users' privacy in the communication process, making it difficult for existing solutions to be deployed in practice due to the privacy requirements from legal policies. This paper proposes a privacypreserving graph neural network (named NIGNN) for NIDS, which can encode the local structure and traffic features. To address the privacy issues pertaining to the application of graph representation learning, we design a privacy message-passing mechanism with formal privacy guarantees, in which sensitive information potentially contained in graph vertices will be kept private. Specifically, we design a privacy-enhancement graph representation that introduces a degree-sensitive item in vertexbased aggregation to reduce noise. Our theoretical analysis shows that NIGNN can provide a provable privacy guarantee. Extensive experiments demonstrate NIGNN's performance in maintaining a sound privacy-accuracy trade-off.

Tianyi Zhao,Hui Hu,Lu Cheng

2023-08-26

Abstract:Graph Neural Networks (GNNs) are powerful tools for learning representations on graphs, such as social networks. However, their vulnerability to privacy inference attacks restricts their practicality, especially in high-stake domains. To address this issue, privacy-preserving GNNs have been proposed, focusing on preserving node and/or link privacy. This work takes a step back and investigates how GNNs contribute to privacy leakage. Through theoretical analysis and simulations, we identify message passing under structural bias as the core component that allows GNNs to \textit{propagate} and \textit{amplify} privacy leakage. Building upon these findings, we propose a principled privacy-preserving GNN framework that effectively safeguards both node and link privacy, referred to as dual-privacy preservation. The framework comprises three major modules: a Sensitive Information Obfuscation Module that removes sensitive information from node embeddings, a Dynamic Structure Debiasing Module that dynamically corrects the structural bias, and an Adversarial Learning Module that optimizes the privacy-utility trade-off. Experimental results on four benchmark datasets validate the effectiveness of the proposed model in protecting both node and link privacy while preserving high utility for downstream tasks, such as node classification.

Machine Learning,Cryptography and Security,Social and Information Networks

Jinyin Chen,Huiling Xu,Jinhuan Wang,Qi Xuan,Xuhong Zhang

DOI: https://doi.org/10.1145/3411501.3419424

2020-01-01

Abstract:Graph Neural Networks (GNNs) has achieved tremendous development on perceptual tasks in recent years, such as node classification, graph classification, link prediction, etc. However, recent studies show that deep learning models of GNNs are incredibly vulnerable to adversarial attacks, so enhancing the robustness of such models remains a significant challenge. In this paper, we propose a subgraph based adversarial sample detection against adversarial perturbations. To the best of our knowledge, this is the first work on the adversarial detection in the deep-learning graph classification models, using the Subgraph Networks (SGN) to restructure the graph's features. Moreover, we develop the joint adversarial detector to cope with the more complicated and unknown attacks. Specifically, we first explain how adversarial attacks can easily fool the models and then show that the SGN can facilitate the distinction of adversarial examples generated by state-of-the-art attacks. We experiment on five real-world graph datasets using three different kinds of attack strategies on graph classification. Our empirical results show the effectiveness of our detection method and further explain the SGN's capacity to tell apart malicious graphs.