Adversarial Graph Neural Network Benchmarks: Towards Practical and Fair Evaluation

arXiv cs.LG Papers

Summary

This paper presents a comprehensive benchmark for evaluating adversarial attacks and defenses in Graph Neural Networks, highlighting the need for standardized and fair experimental protocols.

arXiv:2605.05534v1 Announce Type: new

Cached at: 05/08/26, 07:55 AM

# Adversarial Graph Neural Network Benchmarks: Towards Practical and Fair Evaluation
Source: [https://arxiv.org/html/2605.05534](https://arxiv.org/html/2605.05534)
Tran Gia Bao Ngo¹, Zulfikar Alom², Federico Errica³, Murat Kantarcioglu⁴, Cuneyt Gurcan Akcora⁵

¹Department of Computer Science, University of Manitoba; ²University of Toledo; ³NEC Laboratories Europe; ⁴Department of Computer Science, Virginia Tech, USA; ⁵AI Initiative - University of Central Florida

###### Abstract

Adversarial learning and the robustness of Graph Neural Networks (GNNs) are topics of widespread interest in the machine learning community, as documented by the number of adversarial attacks and defenses designed for these purposes. While a rigorous evaluation of these adversarial methods is necessary to understand the robustness of GNNs in real-world applications, we posit that many works in the literature do not share the same experimental settings, leading to ambiguous and potentially contradictory scientific conclusions. In this benchmark, we demonstrate the importance of adopting fair, robust, and standardized evaluation protocols in adversarial GNN research. We perform a comprehensive re-evaluation of seven widely used attacks and eight recent defenses under both poisoning and evasion scenarios, across six popular graph datasets. Our study spans over 453,000 experiments conducted within a unified framework. We observe substantial differences in adversarial attack performance when evaluated under a fair and robust procedure. Our findings reveal that previously overlooked factors, such as target node selection and the training process of the attacked model, have a profound impact on attack effectiveness, to the extent of completely distorting performance insights. These results underscore the urgent need for standardized evaluations in adversarial graph machine learning.

## 1 Introduction

Applying machine learning to graph-structured data, such as financial transaction networks and social graphs, requires models that can effectively embed non-Euclidean relationships. Graph Neural Networks (GNNs), introduced by Scarselli et al. [[49](https://arxiv.org/html/2605.05534#bib.bib49)] and Micheli [[43](https://arxiv.org/html/2605.05534#bib.bib43)], have become foundational tools for this purpose. Over the past decade, GNNs have achieved strong performance across domains, but their vulnerability to adversarial attacks has raised growing concerns. A series of recent works [[73](https://arxiv.org/html/2605.05534#bib.bib73), [37](https://arxiv.org/html/2605.05534#bib.bib37), [59](https://arxiv.org/html/2605.05534#bib.bib59), [22](https://arxiv.org/html/2605.05534#bib.bib22)] demonstrate that even minor perturbations to the input graph can significantly degrade GNN performance.

As attack strategies have proliferated, inconsistencies in evaluation protocols have emerged as a serious obstacle to scientific progress. Many studies report substantial gains using differing experimental setups, making results difficult to compare and conclusions potentially misleading. The reproducibility crisis in machine learning has highlighted the importance of standardized, rigorous empirical evaluations [[39](https://arxiv.org/html/2605.05534#bib.bib39)]. In adversarial graph learning, Mujkanovic et al. [[44](https://arxiv.org/html/2605.05534#bib.bib44)] warn that the graph community has yet to learn the "bitter lesson" from the vision community, where overlooking adaptive attacks and evaluation rigor once led to a flood of unreliable evaluations of defense mechanisms.

In this work, we identify several recurring issues in current evaluations. First, GNNs are often trained using attack-specific hyperparameters or fixed data splits, biasing results. Second, new attack models are frequently tested under more favorable conditions than their baselines. Third, evaluations commonly select target nodes in a way that underrepresents high-degree nodes, which are typically more resistant to attacks (see Figure [2](https://arxiv.org/html/2605.05534#S6.F2)). As a result, reported improvements may reflect favorable setups rather than true advances in method design. To further examine these issues, we re-evaluate several widely used gray-box attacks under a standardized, robust evaluation framework, demonstrating how variations in evaluation protocols can produce inconsistent or overstated findings. While a comprehensive re-evaluation of all attacks is infeasible, our focused effort aims to establish stronger evaluation practices for the community.

To better contextualize performance claims, we also introduce a naive yet surprisingly good baseline, L1D-RND, which achieves competitive results at minimal computational cost. Its success reinforces the need for basic sanity checks when proposing complex new methods. By demonstrating the limited scalability of many existing attacks and their declining effectiveness on high-degree nodes, our work highlights overlooked challenges in adversarial graph learning. We hope to encourage the development of more robust and scalable attack and defense strategies.

**Disclaimer.** This work advocates for rigorous evaluation practices. It is not intended to rank attacks or discredit prior contributions but to enable more reliable and reproducible comparisons across future studies.

## 2 Related Work

**Adversarial Attacks.** Recent studies on adversarial attacks on graph data have developed optimal strategies to minimally perturb the graph under a budget constraint while achieving the highest impact on a GNN's classification performance. Among the first methods is Nettack [[73](https://arxiv.org/html/2605.05534#bib.bib73)], a gradient-based adversarial attack strategy that generates perturbations on graph structure and node features. Upon the success of Nettack, novel adversarial attack strategies have been proposed [[6](https://arxiv.org/html/2605.05534#bib.bib6), [22](https://arxiv.org/html/2605.05534#bib.bib22)]. Most early adversarial attacks focus on small-scale datasets with fewer than $5000$ nodes. By only extracting a much smaller subgraph centered at the target nodes, Li et al. [[36](https://arxiv.org/html/2605.05534#bib.bib36)] proposed SGA as a scalable adversarial strategy. PR-BCD, another adversarial attack at scale by Geisler et al. [[22](https://arxiv.org/html/2605.05534#bib.bib22)], adopts the Randomized Block Coordinate Descent [[45](https://arxiv.org/html/2605.05534#bib.bib45)] for solving large-scale optimization problems to find optimal perturbations. Meanwhile, in a recent study, GOttack [[2](https://arxiv.org/html/2605.05534#bib.bib2)] uses graph structures by targeting topological equivalence groups and exploiting their influence in gradient-based adversarial models.

**Evaluation procedures.** We follow the good practice of [[18](https://arxiv.org/html/2605.05534#bib.bib18)] and [[50](https://arxiv.org/html/2605.05534#bib.bib50)]. In particular, both works standardize the evaluation procedures and promote a reproducible experimental environment with a rigorous *model selection* and *assessment framework*, but in two different contexts. Errica et al. [[18](https://arxiv.org/html/2605.05534#bib.bib18)] focus on graph classification tasks, while the work of Shchur et al. [[50](https://arxiv.org/html/2605.05534#bib.bib50)] is primarily on node classification. In addition, Shchur et al. [[50](https://arxiv.org/html/2605.05534#bib.bib50)] have shown that the train/validation/test split of choice used in evaluation significantly impacts the performance ranking, thus drawing community attention to the necessity of using different splits in the evaluation procedure. In contrast to these works, which focus on designing rigorous evaluation frameworks for GNN models, we propose a robust evaluation procedure to prevent over-optimistic and biased estimates of the true performance of adversarial attack strategies.

The Graph Robustness Benchmark (GRB) [[69](https://arxiv.org/html/2605.05534#bib.bib69)] was introduced years ago, and it mainly focuses on global evasion attacks. However, the GRB does not consider three valuable scenarios: (i) targeted attacks, (ii) poisoning scenarios, and (iii) the distinction between homophilic and heterophilic graphs. Our benchmark addresses these limitations by incorporating both targeted evasion and poisoning attacks, while explicitly evaluating performance on homophilic and heterophilic graphs, with victim models trained in each scenario.

## 3 Preliminaries

Let $\mathcal{G}=(\mathcal{V},\mathcal{E},\mathbf{X})$ denote a graph, where $\mathcal{V}$ is the set of $N$ nodes, $\mathcal{E}\subseteq\{(v,w)\mid v,w\in\mathcal{V}\}$ is the set of directed edges, and $\mathbf{X}=\{\mathbf{x}_{0},\mathbf{x}_{1},\dots,\mathbf{x}_{N-1}\}$ is the set of node feature vectors. Each $\mathbf{x}_{i}\in\mathbb{R}^{M}$ encodes the $M$-dimensional attributes of node $v_{i}$. The graph structure is represented by an adjacency matrix $\mathbf{A}\in\{0,1\}^{N\times N}$, where $\mathbf{A}_{ij}=1$ if $(v_{i},v_{j})\in\mathcal{E}$, and $0$ otherwise. Each node $v_{i}$ has an associated label vector $\mathbf{y}_{i}\in\{0,1\}^{|\mathcal{C}|}$ indicating its membership in one of $|\mathcal{C}|$ classes, forming the label matrix $\mathbf{Y}\in\{0,1\}^{N\times|\mathcal{C}|}$.

**Semi-supervised Node Classification.** We focus on node classification in a semi-supervised setting, where labels are available only for a subset of nodes. Let $\mathcal{V}_{L}\subset\mathcal{V}$ denote the set of labeled nodes with known labels $\mathbf{Y}^{L}$, and $\mathcal{V}_{U}=\mathcal{V}\setminus\mathcal{V}_{L}$ the set of unlabeled nodes. The goal is to learn a function $g:\mathcal{G},\mathbf{Y}^{L}\to\mathbf{Y}^{U}$ that predicts a class probability distribution for each node in $\mathcal{V}_{U}$. The predicted label $\hat{y}_{v}$ for a node $v\in\mathcal{V}_{U}$ corresponds to the class with the highest predicted probability in $g(v)$.

**Node Classification Margin.** For a node $v$ with ground truth label $y$, the classification margin $M_{v}$ measures the confidence of the model in the correct class. It is defined as the difference between the model's output score for the true class and the highest score assigned to any incorrect class [[73](https://arxiv.org/html/2605.05534#bib.bib73)]:

$$M_{v}=g(v)_{y}-\max_{c\in\mathcal{C},\,c\neq y}g(v)_{c} \tag{1}$$

A small or negative margin indicates that the prediction is uncertain or incorrect, making such nodes more susceptible to adversarial perturbation.

**Risk Assessment.** Risk assessment refers to the empirical evaluation of model performance across multiple random splits [[18](https://arxiv.org/html/2605.05534#bib.bib18)]. Given $K$ random splits of $\mathcal{V}$ into disjoint subsets $\mathcal{V}_{\text{train}}$, $\mathcal{V}_{\text{valid}}$, and $\mathcal{V}_{\text{test}}$, the model is trained on $\mathcal{V}_{\text{train}}$ and tuned on $\mathcal{V}_{\text{valid}}$. For each split $k$, the best hyper-parameter configuration is selected based solely on validation performance. The empirical risk is then estimated by averaging the test performance across the $K$ splits.

**Model Selection.** Model selection aims to identify the hyper-parameter configuration that yields the highest validation accuracy. However, validation accuracy is often a biased estimator of generalization performance [[18](https://arxiv.org/html/2605.05534#bib.bib18), [5](https://arxiv.org/html/2605.05534#bib.bib5)]. Overreliance on validation performance can lead to overfitting and inflated expectations. In adversarial GNN literature, model selection and final evaluation are often conflated, undermining fair comparisons across attack strategies. Proper separation between model selection and risk assessment is essential to avoid misleading conclusions.

## 4 Graph Adversarial Attacks

Adversarial attacks on graphs aim to perturb either the structure or features of a graph $\mathcal{G}=(\mathbf{A},\mathbf{X})$ to degrade the performance of a GNN. We refer to the targeted model as the *victim* model. The attack modifies $\mathcal{G}$ into a perturbed version $\mathcal{G}^{\prime}=(\mathbf{A}^{\prime},\mathbf{X}^{\prime})$, leading the victim to misclassify selected nodes.

**Attacker's Capacity.** The adversarial attack can introduce perturbations to data either in the inference or training phases. In the *evasion* setting, the victim model trains on clean graph data $\mathcal{G}$ to perform inference on the perturbed data $\mathcal{G}^{\prime}$. In the *poisoning* setting, adversarial attacks create a modified graph $\mathcal{G}^{\prime}$, which is then used to train a model.

**Perturbation Type.** We perturb $\mathcal{G}$ within a given budget $\Delta$ by adding or removing edges from $\mathcal{E}$ or perturbing node features. Formally, we can write

$$\sum_{u}\sum_{v}\left|\mathbf{X}_{uv}-\mathbf{X}^{\prime}_{uv}\right|+\sum_{u<v}\left|\mathbf{A}_{uv}-\mathbf{A}^{\prime}_{uv}\right|\leq\Delta \tag{2}$$

**Attacker's Knowledge.** Attacks differ in the information available to the adversary. In *black-box* settings, the attacker lacks access to model parameters and labels. *White-box* attacks assume full access to both, a strong but often unrealistic assumption. In *gray-box* settings, the attacker can access the training data and labels, allowing them to train a *surrogate* model that approximates the victim. We adopt the gray-box setting, as it balances realism with the ability to diagnose vulnerabilities. Unlike prior work that uses fixed surrogates, we also evaluate *adaptive* attacks where perturbations are directly optimized against defended victim models, simulating stronger adversaries. Note that our evaluation pipeline is modular and extensible to all attack types.

**Attacker's Target.** We focus on *targeted* attacks, where a chosen subset of nodes $\mathcal{V}_{T}\subseteq\mathcal{V}_{test}$ are perturbed to induce misclassification, as they are often harder to detect in real systems.

**Victim Models.** We define two classes of victim models: *vanilla* GNNs [[3](https://arxiv.org/html/2605.05534#bib.bib3)], which are not trained with adversarial robustness in mind, and *defended* GNNs, which incorporate explicit defense mechanisms. Attacks against vanilla models define the baseline vulnerability, while defended scenarios test the effectiveness of robustness interventions. We emphasize that defense approaches generally operate without any prior knowledge of specific attacks.

### 4.1 Attack Models and Pitfalls of Evaluation

Many attack evaluations in the literature suffer from inconsistent experimental setups, limiting fair comparison. Details of evaluation pitfalls for specific attacks are discussed in Appendix [F](https://arxiv.org/html/2605.05534#A6); here we formalize criteria for rigorous assessment.

**Target Node Selection.** Most prior works follow the Nettack [[73](https://arxiv.org/html/2605.05534#bib.bib73)] strategy, selecting (i) the 10 nodes with the highest margin of classification, indicating evident correctness; (ii) the 10 nodes with the lowest margin (still correctly classified); (iii) 20 additional nodes randomly chosen. This strategy may underrepresent high-degree nodes, which are harder to attack due to their richer neighborhood context (Figure [2](https://arxiv.org/html/2605.05534#S6.F2)). This bias inflates attack performance and skews conclusions.

**Evaluation Criteria.** A high-quality evaluation should satisfy the following: (i) the victim model has undergone a model selection process, as it usually happens in real-world scenarios; (ii) results are averaged over $K$ random splits with standard deviations and public splits; (iii) target nodes include diverse structural types; and (iv) evaluations include both vanilla and defended victims. Our benchmark adheres to all of these conditions.

**Attack Models.** We benchmark seven widely cited attack methods, selected based on peer-review status, architectural diversity, and citation count. These are Nettack [[73](https://arxiv.org/html/2605.05534#bib.bib73)], FGA [[6](https://arxiv.org/html/2605.05534#bib.bib6)], SGA [[36](https://arxiv.org/html/2605.05534#bib.bib36)], GOttack [[2](https://arxiv.org/html/2605.05534#bib.bib2)], PR-BCD [[22](https://arxiv.org/html/2605.05534#bib.bib22)], and PGD [[59](https://arxiv.org/html/2605.05534#bib.bib59)]. Full summaries and surrogate configurations appear in Appendix Section [K](https://arxiv.org/html/2605.05534#A11).

**Victim Models.** Vanilla victim models are three standard GNNs: GCN [[35](https://arxiv.org/html/2605.05534#bib.bib35)], GSAGE [[24](https://arxiv.org/html/2605.05534#bib.bib24)], and GIN [[60](https://arxiv.org/html/2605.05534#bib.bib60)], each using a single aggregation function, and a fourth vanilla model, PNA [[10](https://arxiv.org/html/2605.05534#bib.bib10)], which combines multiple aggregation operations. We also evaluate nine defended victim models, selected according to the taxonomy in Appendix Table [13](https://arxiv.org/html/2605.05534#A8.T13), with selection criteria detailed in Appendix [H](https://arxiv.org/html/2605.05534#A8).

**Adaptive Attacks.** Adaptive attacks are designed with full awareness of the defense, producing stronger and more targeted perturbations. We evaluate PR-BCD in both its fixed-surrogate (PR-BCD (NA)) and adaptive variants. Though non-adaptive PR-BCD may underestimate its true capability, we include it due to its scalability, popularity, and baseline strength (later results in Tables [27](https://arxiv.org/html/2605.05534#A11.T27) and [28](https://arxiv.org/html/2605.05534#A11.T28) will show marginal differences between the variants). The scope of this work is to benchmark adversarial attacks and defenses in a practical setting, where neither attackers nor defenders have access to the opponent's backbone model or strategy. Consequently, evaluating defenses against fully adaptive attacks specifically crafted to circumvent their core mechanisms falls outside the focus of this study.

**Naïve Baseline.** We introduce L1D-RND, a simple yet effective baseline attack. Instead of using gradients or learned surrogates, L1D-RND perturbs the graph by modifying edges connected to nodes selected using their degree and features. Despite its simplicity and low computational cost, it achieves surprisingly strong results, underscoring the importance of including naïve baselines to contextualize claimed improvements. Algorithm [3](https://arxiv.org/html/2605.05534#alg3) provides implementation details, and an in-depth analysis of the factors driving the effectiveness of L1D-RND is given in Appendix [J](https://arxiv.org/html/2605.05534#A10).

### 4.2 Risk Assessment in Adversarial Evaluation

![Refer to caption](https://arxiv.org/html/2605.05534v1/x1.png)

Figure 1: Overview of our risk assessment framework for adversarial GNN evaluation.

Unifying the good practices of Errica et al. [[18](https://arxiv.org/html/2605.05534#bib.bib18)] and Shchur et al. [[50](https://arxiv.org/html/2605.05534#bib.bib50)], the pseudo-algorithm of our proposed adversarial attacks evaluation is provided in Algorithm [1](https://arxiv.org/html/2605.05534#alg1).

We first obtain $K$ different random splits from the dataset (Line [3](https://arxiv.org/html/2605.05534#alg1.l3)). The victim model's hyperparameters are first tuned on the $i$-th split's training set, and the best victim model for that split is chosen based on the performance on the validation set (Line [6](https://arxiv.org/html/2605.05534#alg1.l6)).

The model selection process relies solely on the training and validation sets to ensure an unbiased risk estimation. Notably, model selection of all models is performed on clean data (data without perturbation). Given the predictions of the best victim model, we sample a subset of target test nodes $\mathcal{V}_{T}$ that have been correctly classified (Line [9](https://arxiv.org/html/2605.05534#alg1.l9)). An adversarial example on a given target node is considered a successful attack if it causes the victim model to flip its prediction about the target node.

The adversarial attack performance is evaluated based on the misclassification rate at a specific budget $\Delta$, averaged over $K$ different splits and $R$ risk assessment runs for each split. Figure [1](https://arxiv.org/html/2605.05534#S4.F1) visualizes the overall proposed evaluation pipeline. As the hyper-parameter configurations of victim models are carefully selected through the model selection process, we also perform model selection on surrogate models used in adversarial attacks to ensure that the process is realistic. The model selection processes for victim models and surrogate models use the same hyper-parameter grids.

**Algorithm 1** Adversarial attack/defense evaluation

- 1: **Input:** Dataset $\mathcal{D}$, Configs $\mathbf{\Theta}$, Attack method Attack, Budget $\Delta$, Splits $K$, Runs $R$
- 2: **Output:** Avg. misclassification rates in both evasion and poison settings
- 3: Create $K$ train/val/test splits $F_{1},..,F_{K}$ from $\mathcal{D}$
- 4: **for** $i=1,...,K$ **do**
  - 5: $\mathcal{V}^{i}_{train}$, $\mathcal{V}^{i}_{valid}$, $\mathcal{V}^{i}_{test}$ = $F_{i}$
  - 6: $\mathbf{\theta}^{i}_{best}$ = select($\mathbf{\Theta}$, $\mathcal{V}^{i}_{train}$, $\mathcal{V}^{i}_{valid}$, $\mathcal{D}$) // Alg. [2](https://arxiv.org/html/2605.05534#alg2)
  - 7: **for** $r=1,...,R$ **do**
    - 8: $f$ = train($\mathbf{\theta}_{best}^{i}$, $\mathcal{V}^{i}_{train}$, $\mathcal{V}^{i}_{valid}$, $\mathcal{D}$)
    - 9: $\mathcal{V}_{T}$ = node_select($f$, $\mathcal{V}^{i}_{test}$, $\mathcal{D}$)
    - 10: **for** $v$ in $\mathcal{V}_{T}$ **do**
      - 11: $\mathcal{D^{\prime}}$ = Attack($v$, $\mathcal{D}$, $\Delta$)
      - 12: $s^{i}_{v,r}$ = 1 if $f(v)=y_{v}$, else 0 otherwise // evasion
      - 13: $f^{\prime}$ = train($\mathbf{\theta}_{best}^{i}$, $\mathcal{V}^{i}_{train}$, $\mathcal{V}^{i}_{valid}$, $\mathcal{D^{\prime}}$) // retrain
      - 14: $s^{\prime,i}_{v,r}$ = 1 if $f^{\prime}(v)=y_{v}$, else 0 // poison
      - 15: reset Attack
- 16: success rate = $\frac{\sum_{i=1}^{K}\sum_{r}^{R}\sum_{t}^{\mathcal{T}}s_{t,r}^{i}}{K\times R\times|\mathcal{T}|}$ // evasion
- 17: success rate′ = $\frac{\sum_{i=1}^{K}\sum_{r}^{R}\sum_{t}^{\mathcal{T}}s_{t,r}^{\prime,i}}{K\times R\times|\mathcal{T}|}$ // poison
- 18: **Return:** success rate, success rate′

## 5 Experiments

We conduct extensive experiments to re-evaluate adversarial attacks under the standardized framework described in Section [4.2](https://arxiv.org/html/2605.05534#S4.SS2).

**Experimental Setup.** We adopt a transductive, semi-supervised node classification setting. For the evaluation procedure defined in Section [4.2](https://arxiv.org/html/2605.05534#S4.SS2), we set $K=5$ and $R=3$. Following common practice [[73](https://arxiv.org/html/2605.05534#bib.bib73), [2](https://arxiv.org/html/2605.05534#bib.bib2)], the $\mathcal{V}_{train}/\mathcal{V}_{valid}/\mathcal{V}_{test}$ ratio is set to 10/10/80.

We implement early stopping with the patience parameter $n$, where training stops if $n$ epochs have passed without improvement on the validation set. Importantly, the same data split $F_{i}$ (Line [3](https://arxiv.org/html/2605.05534#alg1.l3)) is shared across different models to ensure a fair comparison.

We perform model selection for all victim and surrogate models, in both vanilla and defended scenarios, based on their performance on the validation sets. For each split, we evaluate adversarial attacks equipped with surrogate models. We report the average misclassification rate (the percentage of nodes misclassified by the model) of adversarial attacks on vanilla and defended models across initialization seeds and splits. We fixed the same model as a surrogate model for each adversarial method (Table [16](https://arxiv.org/html/2605.05534#A11.T16)) for all evaluation settings, regardless of the choice of victim models, as attackers may not always know the classifier's architecture prior to performing the attack in practice.

**Hyper-parameters.** Model selection varies hyperparameters, including the number of layers, embedding dimensions, learning rate, etc., based on ranges provided in original publications. Additional model-specific parameters are included as needed. Full details are in Appendix [D](https://arxiv.org/html/2605.05534#A4).

**Target Node Selection.** For each experiment, we evaluate on 50 target nodes selected to ensure diversity in classification margin and structural role: i) $10$ correctly classified nodes with the highest degree, ii) $10$ correctly classified nodes with the lowest degree, iii) $10$ correctly classified nodes with the highest margin, iv) $10$ nodes with the lowest margin (but still correctly classified) and v) $10$ randomly chosen nodes.
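The two target-selection strategies described above (the Nettack-style plan of Section 4.1 and the five-strata plan of this section) can be compared with a small script. This is an added example, not code from the paper or its GAB repository; the function names, the rule that a node is used in at most one stratum, and the constructed scores and degrees are assumptions of the example.

```python
"""Target-node selection for adversarial GNN evaluation (added example)."""
import random

# Section 5 plan: five strata, 10 correctly classified test nodes each.
BENCHMARK_PLAN = [("high_degree", 10), ("low_degree", 10),
                  ("high_margin", 10), ("low_margin", 10), ("random", 10)]
# Nettack-style plan described in Section 4.1 (no degree strata).
NETTACK_PLAN = [("high_margin", 10), ("low_margin", 10), ("random", 20)]


def classification_margin(scores, y):
    """Eq. (1): true-class score minus the best score of any other class."""
    return scores[y] - max(s for c, s in enumerate(scores) if c != y)


def predicted_class(scores):
    """Index of the highest score (first index wins on ties)."""
    return max(range(len(scores)), key=lambda c: scores[c])


def select_targets(scores, labels, degrees, test_nodes, plan, seed=0):
    """Return {stratum: [node, ...]} drawn from correctly classified test nodes.

    Assumption of this example: a node is used in at most one stratum, so
    strata are filled in plan order and later strata skip nodes already taken.
    """
    rng = random.Random(seed)
    correct = sorted(v for v in test_nodes
                     if predicted_class(scores[v]) == labels[v])
    margin = {v: classification_margin(scores[v], labels[v]) for v in correct}
    # Node id is the tie-breaker, so the selection is reproducible.
    rankings = {
        "high_degree": sorted(correct, key=lambda v: (-degrees[v], v)),
        "low_degree": sorted(correct, key=lambda v: (degrees[v], v)),
        "high_margin": sorted(correct, key=lambda v: (-margin[v], v)),
        "low_margin": sorted(correct, key=lambda v: (margin[v], v)),
        "random": rng.sample(correct, len(correct)),
    }
    chosen, groups = set(), {}
    for name, count in plan:
        picked = [v for v in rankings[name] if v not in chosen][:count]
        if len(picked) < count:
            raise ValueError(f"not enough correctly classified nodes for {name}")
        chosen.update(picked)
        groups[name] = picked
    return groups


def mean_degree(groups, degrees):
    """Average degree over all selected targets."""
    targets = [v for nodes in groups.values() for v in nodes]
    return sum(degrees[v] for v in targets) / len(targets)


def constructed_example(n=200):
    """Constructed data: 3 classes, a few hub nodes, an 80% test set."""
    scores, labels, degrees = [], [], []
    for v in range(n):
        y = v % 3
        conf = 0.30 + 0.65 * ((v * 37) % 100) / 100   # true-class score
        frac = ((v * 53) % 100) / 100                 # split of the remainder
        s = [0.0, 0.0, 0.0]
        s[y] = conf
        s[(y + 1) % 3] = (1 - conf) * frac
        s[(y + 2) % 3] = (1 - conf) * (1 - frac)
        scores.append(s)
        labels.append(y)
        # Every 25th node is a hub; all other nodes have degree 1..13.
        degrees.append(50 + v if v % 25 == 0 else 1 + (v * v * 7) % 13)
    test_nodes = [v for v in range(n) if v % 10 >= 2]
    return scores, labels, degrees, test_nodes


if __name__ == "__main__":
    scores, labels, degrees, test_nodes = constructed_example()
    for title, plan in (("benchmark", BENCHMARK_PLAN),
                        ("nettack-style", NETTACK_PLAN)):
        groups = select_targets(scores, labels, degrees, test_nodes, plan)
        print(title, "mean target degree:",
              round(mean_degree(groups, degrees), 2))
```

In real use, `scores` would be the trained victim model's per-class outputs on the clean graph and `degrees` the node degrees of that graph.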

**Datasets.** We evaluate on six datasets: three homophilous graphs (CORA, CITESEER, PUBMED [[61](https://arxiv.org/html/2605.05534#bib.bib61)]), two heterophilous graphs (SQUIRREL, CHAMELEON [[48](https://arxiv.org/html/2605.05534#bib.bib48)]), and one large-scale benchmark from OGB [[27](https://arxiv.org/html/2605.05534#bib.bib27)]. A detailed description of these datasets can be found in Appendix [E](https://arxiv.org/html/2605.05534#A5). Many adversarial and defense methods do not scale well to large graphs, and we highlight such limitations where relevant (see Appendix [G.3](https://arxiv.org/html/2605.05534#A7.SS3)).

Table 1: Descriptive statistics of datasets.

| Type | Dataset | Nodes | Edges | Features | Labels |
|---|---|---|---|---|---|
| Homophilic | CORA | 2,708 | 5,069 | 1,432 | 7 |
| Homophilic | CITESEER | 3,327 | 3,668 | 3,703 | 6 |
| Homophilic | PUBMED | 19,717 | 44,325 | 500 | 3 |
| Heterophilic | CHAMELEON | 2,277 | 36,101 | 3,132 | 5 |
| Heterophilic | SQUIRREL | 5,201 | 217,073 | 3,148 | 5 |
| Large scale | OGB-ARXIV | 169,343 | 1,166,243 | 128 | 40 |

**Computational Environment.** Experiments were run using Python 3.8.19 and PyTorch 2.3.0 on a Linux cluster with Intel Xeon Gold 6338 CPUs, 251 GB RAM, and NVIDIA RTX A40 GPUs with 44 GB memory. GNNs were implemented using PyTorch Geometric 2.5.3, and we reused code from DeepRobust [[38](https://arxiv.org/html/2605.05534#bib.bib38)], GreatX [[53](https://arxiv.org/html/2605.05534#bib.bib53)], and author-provided repositories for additional defense methods.

**Reproducibility.** We release all code at [https://github.com/FDataLab/GAB](https://github.com/FDataLab/GAB), including dataset splits and hyperparameters, for reproducible benchmarking with minimal overhead.

## 6 Results and Discussion

This section provides an in-depth discussion of our results. We discuss vanilla models' attacks in Section [6.1](https://arxiv.org/html/2605.05534#S6.SS1) and defense models' attacks in Section [6.2](https://arxiv.org/html/2605.05534#S6.SS2). Notably, higher misclassification rates reflect more effective attack models. The comprehensive results are summarized in Figures [3](https://arxiv.org/html/2605.05534#A7.F3) and [4](https://arxiv.org/html/2605.05534#A7.F4). Time and GPU cost results are detailed in Appendix [G.3](https://arxiv.org/html/2605.05534#A7.SS3) and [G.4](https://arxiv.org/html/2605.05534#A7.SS4).

**Computational considerations.** Our experiments include up to 453,461 training runs (see Appendix [G](https://arxiv.org/html/2605.05534#A7) for a breakdown). In some cases, model selection or attacks on a single split exceeded 120 hours, making full experiments infeasible. We capped training time at 120 hours; results exceeding this are marked as OOR (Out of Resource).

### 6.1 Vanilla Evasion and Poisoning Attacks

Table 2: Homophily Results. Evaluating adversarial attacks with budget $\Delta=1$ in both evasion and poison settings on GCN (vanilla attack) and GNNGuard (defended attack). NA indicates a non-adaptive variant.

Attack Model for Evasion:

| Dataset | Victim | L1D-RND | FGA | NETTACK | PGD | PR-BCD (NA) | SGA | GOttack |
|---|---|---|---|---|---|---|---|---|
| CORA | GCN | 13.20 ± 0.04 | 27.87 ± 0.04 | 29.60 ± 0.05 | 29.33 ± 0.04 | 32.13 ± 0.04 | 26.27 ± 0.04 | 28.53 ± 0.04 |
| CORA | GNNGuard | 6.27 ± 4.13 | 6.67 ± 3.44 | 6.80 ± 4.77 | 6.80 ± 2.60 | 8.13 ± 3.34 | 8.40 ± 4.29 | 8.40 ± 4.97 |
| CITESEER | GCN | 15.20 ± 0.04 | 25.47 ± 0.04 | 28.13 ± 0.07 | 25.47 ± 0.05 | 34.53 ± 0.07 | 23.47 ± 0.03 | 25.60 ± 0.04 |
| CITESEER | GNNGuard | 4.67 ± 3.68 | 3.33 ± 3.18 | 4.67 ± 2.35 | 3.07 ± 2.49 | 3.07 ± 2.12 | 4.00 ± 2.73 | 4.67 ± 2.89 |
| PUBMED | GCN | 10.93 ± 0.03 | 35.60 ± 0.03 | 33.73 ± 0.03 | 34.13 ± 0.04 | 29.60 ± 0.03 | 34.27 ± 0.04 | 35.87 ± 0.03 |
| PUBMED | GNNGuard | 6.53 ± 4.63 | 3.60 ± 1.88 | 2.93 ± 1.67 | 2.53 ± 1.60 | 4.27 ± 2.25 | 3.47 ± 1.92 | 3.07 ± 2.25 |

Attack Model for Poisoning:

| Dataset | Victim | L1D-RND | FGA | NETTACK | PGD | PR-BCD (NA) | SGA | GOttack |
|---|---|---|---|---|---|---|---|---|
| CORA | GCN | 15.47 ± 0.04 | 30.00 ± 0.06 | 33.47 ± 0.04 | 31.73 ± 0.04 | 32.80 ± 0.06 | 29.33 ± 0.04 | 33.33 ± 0.07 |
| CORA | GNNGuard | 6.93 ± 4.40 | 7.47 ± 3.96 | 7.47 ± 5.37 | 6.93 ± 3.01 | 8.93 ± 3.99 | 9.60 ± 3.64 | 10.27 ± 6.54 |
| CITESEER | GCN | 16.27 ± 0.04 | 31.87 ± 0.07 | 36.40 ± 0.07 | 30.80 ± 0.07 | 34.27 ± 0.06 | 25.20 ± 0.04 | 34.27 ± 0.08 |
| CITESEER | GNNGuard | 4.80 ± 3.84 | 4.40 ± 3.31 | 6.00 ± 2.93 | 3.20 ± 2.11 | 3.20 ± 1.97 | 4.80 ± 3.00 | 4.80 ± 2.70 |
| PUBMED | GCN | 9.73 ± 0.03 | 35.33 ± 0.03 | 34.13 ± 0.05 | 33.60 ± 0.03 | 29.60 ± 0.03 | 34.13 ± 0.04 | 35.60 ± 0.03 |
| PUBMED | GNNGuard | 6.53 ± 4.93 | 4.80 ± 3.19 | 4.40 ± 2.53 | 4.27 ± 2.12 | 5.60 ± 4.08 | 4.93 ± 3.20 | 4.93 ± 3.10 |

Table 3: Heterophily Results. Evaluating adversarial attacks with budget $\Delta=1$ in both evasion and poison settings on GCN (vanilla attack) and RUNG (defended attack). NA indicates a non-adaptive variant.

Attack model for evasion:

| Dataset | Victim | L1D-RND | FGA | NETTACK | PGD | PR-BCD (NA) | SGA | GOttack |
|---|---|---|---|---|---|---|---|---|
| SQUIRREL | GCN | 24.93 ± 33.09 | 62.40 ± 14.64 | 1.87 ± 3.34 | 47.73 ± 10.25 | 69.87 ± 10.76 | 52.00 ± 6.19 | 13.33 ± 4.64 |
| SQUIRREL | RUNG | 2.13 ± 1.77 | 1.87 ± 2.88 | 0.27 ± 1.03 | 2.00 ± 1.85 | 1.73 ± 2.49 | 2.67 ± 3.68 | 0.93 ± 2.25 |
| CHAMELEON | GCN | 21.87 ± 28.89 | 62.40 ± 7.72 | 3.07 ± 2.60 | 44.00 ± 20.95 | 58.00 ± 18.53 | 45.47 ± 10.38 | 23.47 ± 8.16 |
| CHAMELEON | RUNG | 2.27 ± 3.28 | 0.93 ± 1.83 | 0.27 ± 0.70 | 1.87 ± 4.69 | 0.80 ± 2.24 | 2.13 ± 4.31 | 0.67 ± 1.23 |

Attack model for poisoning:

| Dataset | Victim | L1D-RND | FGA | NETTACK | PGD | PR-BCD (NA) | SGA | GOttack |
|---|---|---|---|---|---|---|---|---|
| SQUIRREL | GCN | 34.67 ± 27.36 | 63.87 ± 12.25 | 2.80 ± 2.24 | 52.27 ± 8.21 | 70.27 ± 11.16 | 53.47 ± 5.97 | 13.60 ± 3.79 |
| SQUIRREL | RUNG | 11.33 ± 8.64 | 20.53 ± 9.69 | 6.53 ± 4.44 | 17.33 ± 7.81 | 15.07 ± 6.18 | 18.40 ± 9.33 | 6.27 ± 5.18 |
| CHAMELEON | GCN | 35.60 ± 22.31 | 66.40 ± 8.25 | 7.87 ± 4.98 | 53.47 ± 17.98 | 64.80 ± 14.69 | 51.47 ± 9.12 | 27.07 ± 8.48 |
| CHAMELEON | RUNG | 12.00 ± 8.88 | 16.40 ± 7.53 | 7.33 ± 2.89 | 13.73 ± 6.41 | 11.73 ± 5.90 | 14.27 ± 6.76 | 10.80 ± 4.89 |

We evaluate seven adversarial attack models under evasion and poisoning settings on vanilla GNNs across homophily and heterophily datasets. Appendix Tables [18](https://arxiv.org/html/2605.05534#A11.T18), [20](https://arxiv.org/html/2605.05534#A11.T20), and [20](https://arxiv.org/html/2605.05534#A11.T20) report complete results. For conciseness, we also provide reduced summaries in Tables [2](https://arxiv.org/html/2605.05534#S6.T2) and [3](https://arxiv.org/html/2605.05534#S6.T3).

Homophily datasets. PR-BCD (NA) has the highest misclassification rates (i.e., best attack model) in Table [18](https://arxiv.org/html/2605.05534#A11.T18) for a budget of $\Delta=1$ in 4 out of 12 evasion scenarios (spanning three datasets and four victim models). The remaining cases are distributed among other methods, with L1D-RND surprisingly yielding the highest misclassification rates in PUBMED and CITESEER when PNA is the victim model. When the budget is increased ($\Delta=2,\ldots,5$), Nettack demonstrates superior performance in 36 out of 48 cases in Table [18](https://arxiv.org/html/2605.05534#A11.T18). Unlike the low-budget case, PR-BCD (NA) achieves the best results only in CITESEER and CORA for GCN. In scenarios where GCN is the victim model, PR-BCD (NA), which uses GCN as the surrogate model, delivers competitive performance, surpassing Nettack in 10 out of 15 settings; these are the $\Delta=1,\ldots,5$ budgets in CORA and CITESEER in Table [18](https://arxiv.org/html/2605.05534#A11.T18). However, PR-BCD (NA) shows limited adversarial effectiveness on victim models that differ significantly from the surrogate ones. For example, PR-BCD (NA) no longer outperforms FGA on GIN, GSAGE and PNA in evasion attacks. In Table [18](https://arxiv.org/html/2605.05534#A11.T18), the baseline L1D-RND exhibits the lowest performance based on average rank on homophily datasets (i.e., 7 out of 7 attack models). Notably, unlike the attack models, the baseline does not achieve high misclassification rates with increasing budgets.

As shown in the lower rows of Table [18](https://arxiv.org/html/2605.05534#A11.T18), poisoning attacks are significantly more effective than evasion attacks. For $\Delta=1$, the best-attack model, Nettack, achieves a 4.72% relative increase, rising from an average of 27.76% in evasion to 32.48% in poisoning across three datasets and four victim models. Even the baseline, L1D-RND, experiences an 8.9% improvement in poisoning attacks. Nettack remains the best-performing model when ranks are averaged over all five budgets, with an overall rank of 1.65 across three datasets and four models. FGA follows as the second-best model, with an average rank of 3.23.

Among three homophily datasets, PUBMED has the lowest misclassification rates for $\Delta=5$, whereas attack models reach 70% in CORA and CITESEER in Table [18](https://arxiv.org/html/2605.05534#A11.T18). With CORA and CITESEER, even the L1D-RND baseline makes considerable gains in misclassification with increasing budgets.

In addition, attacks provide a critical lens to evaluate the robustness of victim models under adversarial conditions. As Table [18](https://arxiv.org/html/2605.05534#A11.T18) shows, GraphSAGE is the most resilient victim model in both evasion and poisoning attacks. In evasion, Nettack yields the lowest average misclassification rate of 44.8% against GraphSAGE across 15 budgets (three datasets and five budgets). GIN follows with an average misclassification rate of 48.5%. In poisoning, Nettack has an average of 47.97% misclassification rate on GraphSAGE models in three datasets across all budgets; other victim models have misclassification rates in [53.4%, 57.4%].

Heterophily datasets. As shown in Table [20](https://arxiv.org/html/2605.05534#A11.T20) and [20](https://arxiv.org/html/2605.05534#A11.T20), under budget 1, the average misclassification rate across seven attacks on four non-defense models is 33.96% for heterophily datasets and 27.78% for homophily datasets, while the average misclassification rate is 52.21% for homophily datasets and 46.86% for heterophily datasets under budget 5. This suggests that the first perturbation has a greater adversarial impact in heterophily settings. However, with increasing perturbation budgets, attacks tend to yield larger gains on homophily datasets. Nettack demonstrates the highest effectiveness on homophily datasets with an average rank of 1.64, but its performance significantly drops on heterophily datasets, where it ranks 5.48, the second worst. Interestingly, another evaluation shows that FGA achieves an average rank of 3.10 on homophily datasets (second-best), but rises to 1.92 on heterophily datasets, making it the top-performing attack in that setting. Similarly, the naïve random attack L1D-RND shows the opposite trend; it performs surprisingly well on heterophily datasets with an average rank of 2.33, but performs the worst, with an average rank of 6.27, on homophily datasets among the seven adversarial attack methods.

Large-scale dataset. On the moderately sized OGB-ARXIV dataset, which contains fewer than 200K nodes and is still considered small by industry standards, only three attack methods (L1D-RND, PR-BCD (NA), and SGA) and two victim models (GCN and GSAGE) could be fully evaluated within the 120-hour compute limit. As shown in Table [4](https://arxiv.org/html/2605.05534#S6.T4), SGA consistently achieves the highest misclassification rates across budgets 1 to 5 in both evasion and poisoning settings. This result underscores a critical limitation: most existing adversarial attacks are not scalable enough to be applied even to modestly large graphs, raising concerns about their practicality in real-world deployments. Notably, this bottleneck is not due to limited computational resources: our experiments were conducted on a high-performance cluster with multiple NVIDIA RTX A40 GPUs (44 GB memory, high memory bandwidth). To provide valuable lessons for designing future scalable attack algorithms, we provide a detailed analysis of each adversarial attack’s runtime by breaking down the algorithm in Section [G.3](https://arxiv.org/html/2605.05534#A7.SS3).

Feature attack. While focused on structural attacks, our experimental pipeline can be extended to feature-based attacks. We conduct and report the results on feature-attack variants in Appendix [G.5](https://arxiv.org/html/2605.05534#A7.SS5). Overall, feature attacks largely mirror the trends observed in structural attacks on homophily datasets, where NETTACK and FGA remain the best and the second-best methods.

Table 4: Misclassification rate (↑) on OGB-ARXIV with budget $\Delta=1$ to $5$ in both evasion and poison setting on GCN and GSAGE. Column headers give the victim model and the budget.

| Setting | Attack | GCN 1 | GCN 2 | GCN 3 | GCN 4 | GCN 5 | GSAGE 1 | GSAGE 2 | GSAGE 3 | GSAGE 4 | GSAGE 5 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | L1D-RND | 16.00 ± 2.00 | 30.67 ± 7.02 | 36.00 ± 2.00 | 38.00 ± 2.00 | 36.67 ± 3.06 | 16.67 ± 8.08 | 27.33 ± 7.02 | 33.33 ± 7.57 | 29.33 ± 9.45 | 34.67 ± 7.02 |
| Evasion | PR-BCD (NA) | 23.33 ± 3.06 | 34.00 ± 3.46 | 38.00 ± 2.00 | 40.67 ± 3.06 | 39.33 ± 1.15 | 20.67 ± 1.15 | 24.67 ± 1.15 | 22.00 ± 3.46 | 24.67 ± 3.06 | 28.00 ± 2.00 |
| Evasion | SGA | 36.67 ± 5.03 | 48.67 ± 7.02 | 56.00 ± 2.00 | 57.33 ± 1.15 | 58.67 ± 1.15 | 40.67 ± 2.31 | 56.00 ± 10.00 | 63.33 ± 4.16 | 72.00 ± 7.21 | 71.33 ± 5.77 |
| Poison | L1D-RND | 17.33 ± 4.16 | 32.00 ± 6.00 | 38.00 ± 2.00 | 39.33 ± 1.15 | 38.67 ± 2.31 | 17.33 ± 5.03 | 26.00 ± 3.46 | 30.00 ± 14.00 | 31.33 ± 6.43 | 34.67 ± 7.02 |
| Poison | PR-BCD (NA) | 22.00 ± 5.29 | 34.67 ± 3.06 | 36.67 ± 1.15 | 40.67 ± 5.03 | 39.33 ± 1.15 | 17.33 ± 3.06 | 24.00 ± 2.00 | 19.33 ± 3.06 | 26.00 ± 2.00 | 26.00 ± 2.00 |
| Poison | SGA | 36.67 ± 2.31 | 48.67 ± 8.08 | 56.00 ± 2.00 | 57.33 ± 1.15 | 58.67 ± 1.15 | 40.00 ± 3.46 | 60.00 ± 8.00 | 61.33 ± 5.77 | 70.67 ± 5.03 | 74.67 ± 8.08 |

![Refer to caption](https://arxiv.org/html/2605.05534v1/x2.png) (a) High margin
![Refer to caption](https://arxiv.org/html/2605.05534v1/x3.png) (b) Low margin
![Refer to caption](https://arxiv.org/html/2605.05534v1/x4.png) (c) High degree
![Refer to caption](https://arxiv.org/html/2605.05534v1/x5.png) (d) Low degree
![Refer to caption](https://arxiv.org/html/2605.05534v1/x6.png) (e) Random

Figure 2: Average misclassification rate for different node categories of four non-defense models caused by seven adversarial attacks on three homophily datasets in the poison setting.

### 6.2 Defended Evasion and Poisoning Attacks

The results for evasion and poisoning attacks are shown in Appendix Tables [21](https://arxiv.org/html/2605.05534#A11.T21), [22](https://arxiv.org/html/2605.05534#A11.T22) and [23](https://arxiv.org/html/2605.05534#A11.T23) for homophily datasets and Tables [24](https://arxiv.org/html/2605.05534#A11.T24), [25](https://arxiv.org/html/2605.05534#A11.T25) and [26](https://arxiv.org/html/2605.05534#A11.T26) for heterophily datasets. We also show reduced results in Table [2](https://arxiv.org/html/2605.05534#S6.T2) and Table [3](https://arxiv.org/html/2605.05534#S6.T3), lower rows.

Homophily datasets. Appendix Tables [21](https://arxiv.org/html/2605.05534#A11.T21), [22](https://arxiv.org/html/2605.05534#A11.T22) and [23](https://arxiv.org/html/2605.05534#A11.T23) demonstrate that defense models substantially reduce misclassification rates, with poisoning attacks being generally easier to defend against than evasion. For example, Nettack’s average misclassification rate drops from 49.1% to 32.2% under evasion, and from 53.6% to 23.56% under poisoning when defenses are applied. Nettack still ranks highest in 8 out of 15 defended poisoning scenarios.

Among defense methods, GNNGuard is the most effective: at $\Delta=1$, it achieves an average misclassification rate (i.e., best defense) of just 5.01% for evasion and 5.92% for poisoning across three datasets and seven attacks. GRAND consistently ranks as the second-best defense. In contrast, the FGA attack model, despite its strong performance in the vanilla setting, performs poorly against all defended models.

The performance of the L1D-RND baseline is noteworthy: this simple, naive attack achieves the highest misclassification rate in 19 out of 45 defended evasion settings and 18 out of 45 defended poisoning settings (across three datasets, three victim models, and five budgets). Its surprisingly strong performance, despite lacking any optimization or model-specific tuning, calls into question the actual gains offered by several state-of-the-art adversarial attack methods. We provide factors driving the effectiveness of L1D-RND in Appendix [J](https://arxiv.org/html/2605.05534#A10).

To highlight key trends, we focus on the best-performing defense, GNNGuard, and its performance against vanilla attacks on the widely used GCN model, as summarized in Table [2](https://arxiv.org/html/2605.05534#S6.T2).

At lower budgets (e.g., $\Delta=1$), which represent realistic perturbation scenarios such as the addition or removal of a single edge, Nettack does not outperform any other model in evasion attacks. When defenses are applied, Nettack’s evasion effectiveness often falls below that of PR-BCD (NA). However, in poisoning attacks, Nettack remains strong, with GOttack emerging as the second-best method.

Overall, Table [2](https://arxiv.org/html/2605.05534#S6.T2) highlights the robustness of GNNGuard, which substantially reduces the effectiveness of advanced attacks in both evasion and poisoning settings, often lowering their impact to the level of the naive L1D-RND baseline.

Heterophily datasets. As shown in Tables [24](https://arxiv.org/html/2605.05534#A11.T24), [25](https://arxiv.org/html/2605.05534#A11.T25) and [26](https://arxiv.org/html/2605.05534#A11.T26), defenses are more effective on heterophily datasets than on homophily datasets. Across budgets $\Delta=1$ to $5$, average misclassification rates on homophily datasets are [20.11%, 40.82%], while the corresponding rates on heterophily datasets are substantially lower: [16.08%, 23.33%]. This discrepancy suggests that heterophily graphs are more resistant to adversarial perturbations, likely due to weaker local homogeneity, which reduces the impact of structural changes. Under defense, attack methods achieve abysmally low rates on heterophily datasets compared to homophily datasets. Notably, FGA becomes the top-performing attack on heterophily datasets (rank 1.92), while Nettack’s performance degrades sharply, dropping from rank 2.08 to 6.10, the worst among all methods. The best defense model, RUNG [[25](https://arxiv.org/html/2605.05534#bib.bib25)], reduces most attack rates to 2%. This underscores that novel approaches are needed in heterophily settings, marking this as an open and underexplored research area. Additionally, despite its strong robustness on homophily datasets, GNNGuard becomes notably fragile under heterophily. On the Chameleon dataset, it prunes all existing edges, resulting in uniformly zero misclassification rates (0.00) across all attacks (Table [24](https://arxiv.org/html/2605.05534#A11.T24)).

The Impact of Target Node Selection. Target node selection plays a critical role in evaluating adversarial attacks. In the literature, Nettack’s strategy, selecting 10 high-margin nodes, 10 low-margin nodes, and 20 randomly chosen ones (totaling 40), has become a de facto standard. However, this approach ignores structural properties such as node degree, which substantially influence attack success. Appendix Table [29](https://arxiv.org/html/2605.05534#A11.T29) shows that using node degree as a selection criterion results in substantially lower attack success compared to margin-based or random selection, even in vanilla (undefended) settings. Figure [2](https://arxiv.org/html/2605.05534#S6.F2) shows that all attack methods perform poorly on high-degree nodes, while low-degree and low-margin nodes remain vulnerable. High-degree nodes exhibit alarmingly low misclassification rates, ranging from only 0.05 to 0.28, despite the absence of any defense. Crucially, because most attacks were developed and benchmarked on small graphs with low average degree (e.g., CORA), this vulnerability remained undetected, largely due to scalability limitations that prevent testing on larger, high-degree networks. This suggests that evaluations ignoring node degree systematically overstate both the effectiveness of attack models and the fragility of GNNs and raises serious concerns about the applicability of current attack models to real-world networks, where average node degrees are much higher [[46](https://arxiv.org/html/2605.05534#bib.bib46)]. Our results reveal that low-degree nodes tend to be substantially more vulnerable, whereas high-degree nodes exhibit stronger inherent robustness under adversarial attacks. This suggests that future defense mechanisms may benefit from prioritizing protection for low-degree nodes rather than applying a uniform strategy across the entire graph.
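The stratified target selection discussed above can be scripted so that robustness is reported per node category instead of as one pooled number. This is an added example, not the benchmark's own code: the margin definition (true-class probability minus the best other-class probability), the restriction to correctly classified nodes, the disjoint random draw, and the toy graph, probabilities and post-attack outcome are assumptions constructed for illustration.

```python
import random
from statistics import mean


def classification_margin(probs, label):
    """True-class probability minus the highest other-class probability."""
    best_other = max(p for c, p in enumerate(probs) if c != label)
    return probs[label] - best_other


def node_degrees(edges, num_nodes):
    """Degree of every node in an undirected edge list."""
    deg = [0] * num_nodes
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    return deg


def select_targets(probs, labels, edges, candidates, k=10, n_random=20, seed=0):
    """Build the five target categories of Figure 2 from clean predictions.

    k and n_random default to the 10/10/20 split the paper calls the de facto
    standard; the degree strata use the same k. Assumes k >= 1.
    """
    deg = node_degrees(edges, len(labels))
    margin = {v: classification_margin(probs[v], labels[v]) for v in candidates}
    # Assumption: only nodes the clean model gets right are eligible targets.
    correct = [v for v in candidates if margin[v] > 0]
    by_margin = sorted(correct, key=lambda v: (margin[v], v))
    by_degree = sorted(correct, key=lambda v: (deg[v], v))
    low_margin, high_margin = by_margin[:k], by_margin[-k:]
    taken = set(low_margin) | set(high_margin)
    # Assumption: the random stratum is drawn from nodes not already picked.
    pool = [v for v in correct if v not in taken]
    rng = random.Random(seed)
    return {
        "high_margin": high_margin,
        "low_margin": low_margin,
        "high_degree": by_degree[-k:],
        "low_degree": by_degree[:k],
        "random": rng.sample(pool, min(n_random, len(pool))),
    }


def rate_by_category(targets, misclassified):
    """Misclassification rate (%) per category; None for an empty category."""
    return {
        cat: (100.0 * sum(v in misclassified for v in nodes) / len(nodes)) if nodes else None
        for cat, nodes in targets.items()
    }


def mean_degree_by_category(targets, deg):
    """Audit: which part of the degree distribution does each category cover?"""
    return {cat: (mean(deg[v] for v in nodes) if nodes else None)
            for cat, nodes in targets.items()}


# Constructed toy graph: node 0 and node 2 are hubs, nodes 3, 4 and 7 are leaves.
EDGES = [(0, 1), (0, 2), (0, 3), (0, 4), (0, 5), (1, 2), (2, 5), (2, 6), (6, 7)]
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
# Constructed softmax outputs of a clean victim model (node 4 is already wrong).
PROBS = [[0.95, 0.05], [0.60, 0.40], [0.80, 0.20], [0.55, 0.45],
         [0.70, 0.30], [0.10, 0.90], [0.35, 0.65], [0.48, 0.52]]
# Constructed outcome of one attack run: nodes whose label is wrong afterwards.
MISCLASSIFIED_AFTER_ATTACK = {1, 3, 7}

TARGETS = select_targets(PROBS, LABELS, EDGES, range(len(LABELS)), k=2, n_random=2)

if __name__ == "__main__":
    degrees = node_degrees(EDGES, len(LABELS))
    print("targets:", TARGETS)
    print("mean degree:", mean_degree_by_category(TARGETS, degrees))
    print("rate (%):", rate_by_category(TARGETS, MISCLASSIFIED_AFTER_ATTACK))
```

Reporting the mean degree of each category next to its rate makes it visible when a margin-only protocol never samples the high-degree part of the graph.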

The Impact of Victim Model Selection. In practical deployments, victim models are selected based on performance over training and validation sets. However, many adversarial GNN studies evaluate attacks on fixed, non-optimized model configurations, ignoring this critical step. Our results in Table [30](https://arxiv.org/html/2605.05534#A11.T30) show that incorporating model selection into evaluations can significantly alter attack outcomes. On CORA and CITESEER, victim models chosen via model selection are generally more vulnerable: for example, SGA’s misclassification rate on GIN in the poisoning setting differs by an average of 15.27% across budgets. In contrast, on PUBMED, model selection sometimes leads to more robust victim models. This is particularly evident for GraphSAGE, where attacks are less effective on tuned models than on fixed ones.

These findings highlight a critical inconsistency: the perceived effectiveness of adversarial attacks depends not only on the attack method but also on whether the victim model is realistically selected. Evaluations that omit this step may either overstate or understate the vulnerability of GNNs, leading to misleading conclusions about attack strength.

## 7 Conclusion

We have conducted a large-scale evaluation of adversarial attacks and defenses on GNNs, revealing that conclusions from prior work often do not hold under fair and rigorous settings. While Nettack has remained a strong performer, the unexpectedly competitive results of our naive baseline, L1D-RND, challenge assumptions about the progress made in adversarial graph learning. PR-BCD and FGA are scalable options. Our analysis has shown that dataset properties, target node selection, and victim model configuration significantly affect attack success, yet have been inconsistently addressed in past evaluations. Our findings highlight the need for standardized, practical benchmarks that reflect real-world constraints and model selection practices. By exposing gaps in current evaluation protocols, we have laid the groundwork for more reliable assessments of adversarial robustness in graph learning. We hope this work prevents the repetition of past methodological pitfalls and encourages more transparent and scalable evaluations moving forward.

## References

- Abbahaddou et al. [2024] Y. Abbahaddou, S. Ennadir, J. F. Lutzeyer, M. Vazirgiannis, and H. Boström. Bounding the expected robustness of graph neural networks subject to node feature attacks. In *The Twelfth International Conference on Learning Representations, ICLR 2024, Vienna, Austria, May 7-11, 2024*. OpenReview.net, 2024. URL [https://openreview.net/forum?id=DfPtC8uSot](https://openreview.net/forum?id=DfPtC8uSot).
- Alom et al. [2025] Z. Alom, T. G. B. Ngo, M. Kantarcioglu, and C. G. Akcora. GOttack: Universal adversarial attacks on graph neural networks via graph orbits learning. In *The Thirteenth International Conference on Learning Representations*, 2025. URL [https://openreview.net/forum?id=YbURbViE7l](https://openreview.net/forum?id=YbURbViE7l).
- Bacciu et al. [2020] D. Bacciu, F. Errica, A. Micheli, and M. Podda. A gentle introduction to deep learning for graphs. *Neural Networks*, 129:203–221, 9 2020.
- Cao et al. [2015] S. Cao, W. Lu, and Q. Xu. Grarep: Learning graph representations with global structural information. In J. Bailey, A. Moffat, C. C. Aggarwal, M. de Rijke, R. Kumar, V. Murdock, T. K. Sellis, and J. X. Yu, editors, *Proceedings of the 24th ACM International Conference on Information and Knowledge Management, CIKM 2015, Melbourne, VIC, Australia, October 19 - 23, 2015*, pages 891–900. ACM, 2015. doi:10.1145/2806416.2806512. URL [https://doi.org/10.1145/2806416.2806512](https://doi.org/10.1145/2806416.2806512).
- Cawley and Talbot [2010] G. C. Cawley and N. L. C. Talbot. On over-fitting in model selection and subsequent selection bias in performance evaluation. *J. Mach. Learn. Res.*, 11:2079–2107, 2010. doi:10.5555/1756006.1859921. URL [https://dl.acm.org/doi/10.5555/1756006.1859921](https://dl.acm.org/doi/10.5555/1756006.1859921).
- Chen et al. [2018] J. Chen, Y. Wu, X. Xu, Y. Chen, H. Zheng, and Q. Xuan. Fast gradient attack on network embedding. *CoRR*, abs/1809.02797, 2018. URL [http://arxiv.org/abs/1809.02797](http://arxiv.org/abs/1809.02797).
- Chen et al. [2021a] J. Chen, X. Lin, H. Xiong, Y. Wu, H. Zheng, and Q. Xuan. Smoothing adversarial training for GNN. *IEEE Trans. Comput. Soc. Syst.*, 8(3):618–629, 2021a. doi:10.1109/TCSS.2020.3042628. URL [https://doi.org/10.1109/TCSS.2020.3042628](https://doi.org/10.1109/TCSS.2020.3042628).
- Chen et al. [2020] L. Chen, X. Li, and D. Wu. Enhancing robustness of graph convolutional networks via dropping graph connections. In F. Hutter, K. Kersting, J. Lijffijt, and I. Valera, editors, *Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2020, Ghent, Belgium, September 14-18, 2020, Proceedings, Part III*, volume 12459 of *Lecture Notes in Computer Science*, pages 412–428. Springer, 2020. doi:10.1007/978-3-030-67664-3_25. URL [https://doi.org/10.1007/978-3-030-67664-3_25](https://doi.org/10.1007/978-3-030-67664-3_25).
- Chen et al. [2021b] L. Chen, J. Li, Q. Peng, Y. Liu, Z. Zheng, and C. Yang. Understanding structural vulnerability in graph convolutional networks. In Z. Zhou, editor, *Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence, IJCAI 2021, Virtual Event / Montreal, Canada, 19-27 August 2021*, pages 2249–2255. ijcai.org, 2021b. doi:10.24963/IJCAI.2021/310. URL [https://doi.org/10.24963/ijcai.2021/310](https://doi.org/10.24963/ijcai.2021/310).
- Corso et al. [2020] G. Corso, L. Cavalleri, D. Beaini, P. Liò, and P. Velickovic. Principal neighbourhood aggregation for graph nets. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors, *Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6-12, 2020, virtual*, 2020.
- Deng et al. [2022] C. Deng, X. Li, Z. Feng, and Z. Zhang. GARNET: reduced-rank topology learning for robust and scalable graph neural networks. In B. Rieck and R. Pascanu, editors, *Learning on Graphs Conference, LoG 2022, 9-12 December 2022, Virtual Event*, volume 198 of *Proceedings of Machine Learning Research*, page 3. PMLR, 2022. URL [https://proceedings.mlr.press/v198/deng22a.html](https://proceedings.mlr.press/v198/deng22a.html).
- Deng et al. [2023] Z. Deng, Y. Dong, and J. Zhu. Batch virtual adversarial training for graph convolutional networks. *AI Open*, 4:73–79, 2023. doi:10.1016/J.AIOPEN.2023.08.007. URL [https://doi.org/10.1016/j.aiopen.2023.08.007](https://doi.org/10.1016/j.aiopen.2023.08.007).
- Duan et al. [2020] D. Duan, L. Tong, Y. Li, J. Lu, L. Shi, and C. Zhang. AANE: anomaly aware network embedding for anomalous link detection. In C. Plant, H. Wang, A. Cuzzocrea, C. Zaniolo, and X. Wu, editors, *20th IEEE International Conference on Data Mining, ICDM 2020, Sorrento, Italy, November 17-20, 2020*, pages 1002–1007. IEEE, 2020. doi:10.1109/ICDM50108.2020.00116. URL [https://doi.org/10.1109/ICDM50108.2020.00116](https://doi.org/10.1109/ICDM50108.2020.00116).
- Elinas et al. [2020] P. Elinas, E. V. Bonilla, and L. C. Tiao. Variational inference for graph convolutional networks in the absence of graph data and adversarial settings. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors, *Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6-12, 2020, virtual*, 2020.
- Ennadir et al. [2024a] S. Ennadir, Y. Abbahaddou, J. F. Lutzeyer, M. Vazirgiannis, and H. Boström. A simple and yet fairly effective defense for graph neural networks. In M. J. Wooldridge, J. G. Dy, and S. Natarajan, editors, *Thirty-Eighth AAAI Conference on Artificial Intelligence, AAAI 2024, Thirty-Sixth Conference on Innovative Applications of Artificial Intelligence, IAAI 2024, Fourteenth Symposium on Educational Advances in Artificial Intelligence, EAAI 2014, February 20-27, 2024, Vancouver, Canada*, pages 21063–21071. AAAI Press, 2024a. doi:10.1609/AAAI.V38I19.30098. URL [https://doi.org/10.1609/aaai.v38i19.30098](https://doi.org/10.1609/aaai.v38i19.30098).
- Ennadir et al. [2024b] S. Ennadir, J. F. Lutzeyer, M. Vazirgiannis, and E. H. Bergou. If you want to be robust, be wary of initialization. In A. Globersons, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. M. Tomczak, and C. Zhang, editors, *Advances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver, BC, Canada, December 10 - 15, 2024*, 2024b. URL [http://papers.nips.cc/paper_files/paper/2024/hash/2a6fc6774932e7835349089b0287ed2c-Abstract-Conference.html](http://papers.nips.cc/paper_files/paper/2024/hash/2a6fc6774932e7835349089b0287ed2c-Abstract-Conference.html).
- Entezari et al. [2020] N. Entezari, S. A. Al-Sayouri, A. Darvishzadeh, and E. E. Papalexakis. All you need is low (rank): Defending against adversarial attacks on graphs. In J. Caverlee, X. B. Hu, M. Lalmas, and W. Wang, editors, *WSDM ’20: The Thirteenth ACM International Conference on Web Search and Data Mining, Houston, TX, USA, February 3-7, 2020*, pages 169–177. ACM, 2020. doi:10.1145/3336191.3371789. URL [https://doi.org/10.1145/3336191.3371789](https://doi.org/10.1145/3336191.3371789).
- Errica et al. [2020] F. Errica, M. Podda, D. Bacciu, and A. Micheli. A fair comparison of graph neural networks for graph classification. In *8th International Conference on Learning Representations, ICLR 2020, Addis Ababa, Ethiopia, April 26-30, 2020*. OpenReview.net, 2020. URL [https://openreview.net/forum?id=HygDF6NFPB](https://openreview.net/forum?id=HygDF6NFPB).
- Feng et al. [2021a] B. Feng, Y. Wang, and Y. Ding. UAG: uncertainty-aware attention graph neural network for defending adversarial attacks. In *Thirty-Fifth AAAI Conference on Artificial Intelligence, AAAI 2021, Thirty-Third Conference on Innovative Applications of Artificial Intelligence, IAAI 2021, The Eleventh Symposium on Educational Advances in Artificial Intelligence, EAAI 2021, Virtual Event, February 2-9, 2021*, pages 7404–7412. AAAI Press, 2021a. doi:10.1609/AAAI.V35I8.16908. URL [https://doi.org/10.1609/aaai.v35i8.16908](https://doi.org/10.1609/aaai.v35i8.16908).
- Feng et al. [2021b] F. Feng, X. He, J. Tang, and T. Chua. Graph adversarial training: Dynamically regularizing based on graph structure. *IEEE Trans. Knowl. Data Eng.*, 33(6):2493–2504, 2021b. doi:10.1109/TKDE.2019.2957786. URL [https://doi.org/10.1109/TKDE.2019.2957786](https://doi.org/10.1109/TKDE.2019.2957786).
- Feng et al. [2020] W. Feng, J. Zhang, Y. Dong, Y. Han, H. Luan, Q. Xu, Q. Yang, E. Kharlamov, and J. Tang. Graph random neural networks for semi-supervised learning on graphs. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors, *Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6-12, 2020, virtual*, 2020.
- Geisler et al. [2021] S. Geisler, T. Schmidt, H. Sirin, D. Zügner, A. Bojchevski, and S. Günnemann. Robustness of graph neural networks at scale. In M. Ranzato, A. Beygelzimer, Y. N. Dauphin, P. Liang, and J. W. Vaughan, editors, *Advances in Neural Information Processing Systems 34: Annual Conference on Neural Information Processing Systems 2021, NeurIPS 2021, December 6-14, 2021, virtual*, pages 7637–7649, 2021.
- Günnemann [2022] S. Günnemann. Graph neural networks: Adversarial robustness. *Graph neural networks: foundations, frontiers, and applications*, pages 149–176, 2022.
- Hamilton et al. [2017] W. L. Hamilton, Z. Ying, and J. Leskovec. Inductive representation learning on large graphs. In I. Guyon, U. von Luxburg, S. Bengio, H. M. Wallach, R. Fergus, S. V. N. Vishwanathan, and R. Garnett, editors, *Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, December 4-9, 2017, Long Beach, CA, USA*, pages 1024–1034, 2017.
- Hou et al. [2024] Z. Hou, R. Feng, T. Derr, and X. Liu. Robust graph neural networks via unbiased aggregation. In *Advances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver, BC, Canada, December 10 - 15, 2024*, 2024. URL [http://papers.nips.cc/paper_files/paper/2024/hash/c6e31f86c1eb8dfc05190cf15ed52064-Abstract-Conference.html](http://papers.nips.cc/paper_files/paper/2024/hash/c6e31f86c1eb8dfc05190cf15ed52064-Abstract-Conference.html).
- Hu et al. [2020a] W. Hu, M. Fey, M. Zitnik, Y. Dong, H. Ren, B. Liu, M. Catasta, and J. Leskovec. Open graph benchmark: Datasets for machine learning on graphs. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors, *Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6-12, 2020, virtual*, 2020a. URL [https://proceedings.neurips.cc/paper/2020/hash/fb60d411a5c5b72b2e7d3527cfc84fd0-Abstract.html](https://proceedings.neurips.cc/paper/2020/hash/fb60d411a5c5b72b2e7d3527cfc84fd0-Abstract.html).
- Hu et al. [2020b] W. Hu, M. Fey, M. Zitnik, Y. Dong, H. Ren, B. Liu, M. Catasta, and J. Leskovec. Open graph benchmark: Datasets for machine learning on graphs. In H. Larochelle, M. Ranzato, R. Hadsell, M. Balcan, and H. Lin, editors, *Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6-12, 2020, virtual*, 2020b.
- Hu et al. [2021] W. Hu, C. Chen, Y. Chang, Z. Zheng, and Y. Du. Robust graph convolutional networks with directional graph adversarial training. *Appl. Intell.*, 51(11):7812–7826, 2021. doi:10.1007/S10489-021-02272-Y. URL [https://doi.org/10.1007/s10489-021-02272-y](https://doi.org/10.1007/s10489-021-02272-y).
- Ioannidis and Giannakis [2019] V. N. Ioannidis and G. B. Giannakis. Edge dithering for robust adaptive graph convolutional networks. *CoRR*, abs/1910.09590, 2019. URL [http://arxiv.org/abs/1910.09590](http://arxiv.org/abs/1910.09590).
- Ioannidis et al. [2020] V. N. Ioannidis, A. G. Marques, and G. B. Giannakis. Tensor graph convolutional networks for multi-relational and robust learning. *IEEE Trans. Signal Process.*, 68:6535–6546, 2020. doi:10.1109/TSP.2020.3028495. URL [https://doi.org/10.1109/TSP.2020.3028495](https://doi.org/10.1109/TSP.2020.3028495).
- Jin et al. [2019] M. Jin, H. Chang, W. Zhu, and S. Sojoudi. Power up! robust graph convolutional network against evasion attacks based on graph powering. *CoRR*, abs/1905.10029, 2019. URL [http://arxiv.org/abs/1905.10029](http://arxiv.org/abs/1905.10029).
- Jin et al. [2020] W. Jin, Y. Ma, X. Liu, X. Tang, S. Wang, and J. Tang. Graph structure learning for robust graph neural networks. In R. Gupta, Y. Liu, J. Tang, and B. A. Prakash, editors, *KDD ’20: The 26th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Virtual Event, CA, USA, August 23-27, 2020*, pages 66–74. ACM, 2020. doi:10.1145/3394486.3403049. URL [https://doi.org/10.1145/3394486.3403049](https://doi.org/10.1145/3394486.3403049).
- Jin et al. [2021] W. Jin, T. Derr, Y. Wang, Y. Ma, Z. Liu, and J. Tang. Node similarity preserving graph convolutional networks. In L. Lewin-Eytan, D. Carmel, E. Yom-Tov, E. Agichtein, and E. Gabrilovich, editors, *WSDM ’21, The Fourteenth ACM International Conference on Web Search and Data Mining, Virtual Event, Israel, March 8-12, 2021*, pages 148–156. ACM, 2021. doi:10.1145/3437963.3441735. URL [https://doi.org/10.1145/3437963.3441735](https://doi.org/10.1145/3437963.3441735).
- Jin et al. [2023] W. Jin, T. Zhao, J. Ding, Y. Liu, J. Tang, and N. Shah. Empowering graph representation learning with test-time graph transformation. In *The Eleventh International Conference on Learning Representations, ICLR 2023, Kigali, Rwanda, May 1-5, 2023*. OpenReview.net, 2023. URL [https://openreview.net/forum?id=Lnxl5pr018](https://openreview.net/forum?id=Lnxl5pr018).
- Kipf and Welling [2017] T. N. Kipf and M. Welling. Semi-supervised classification with graph convolutional networks. In *5th International Conference on Learning Representations, ICLR 2017, Toulon, France, April 24-26, 2017, Conference Track Proceedings*. OpenReview.net, 2017. URL [https://openreview.net/forum?id=SJU4ayYgl](https://openreview.net/forum?id=SJU4ayYgl).
- Li et al. [2020a] J. Li, T. Xie, L. Chen, F. Xie, X. He, and Z. Zheng. Adversarial attack on large scale graph. *CoRR*, abs/2009.03488, 2020a. URL [https://arxiv.org/abs/2009.03488](https://arxiv.org/abs/2009.03488).
- Li et al. [2023] J. Li, T. Xie, L. Chen, F. Xie, X. He, and Z. Zheng. Adversarial attack on large scale graph. *IEEE Trans. Knowl. Data Eng.*, 35(1):82–95, 2023. doi:10.1109/TKDE.2021.3078755. URL [https://doi.org/10.1109/TKDE.2021.3078755](https://doi.org/10.1109/TKDE.2021.3078755).
- Li et al. [2020b] Y. Li, W. Jin, H. Xu, and J. Tang. Deeprobust: A pytorch library for adversarial attacks and defenses. *arXiv preprint arXiv:2005.06149*, 2020b.
- Lipton and Steinhardt [2019] Z. C. Lipton and J. Steinhardt. Troubling trends in machine learning scholarship. *ACM Queue*, 17(1):80, 2019.
- Liu et al\. \[2021a\]X\. Liu, J\. Ding, W\. Jin, H\. Xu, Y\. Ma, Z\. Liu, and J\. Tang\.Graph neural networks with adaptive residual\.In M\. Ranzato, A\. Beygelzimer, Y\. N\. Dauphin, P\. Liang, and J\. W\. Vaughan, editors,*Advances in Neural Information Processing Systems 34: Annual Conference on Neural Information Processing Systems 2021, NeurIPS 2021, December 6\-14, 2021, virtual*, pages 9720–9733, 2021a\.
- Liu et al\. \[2021b\]X\. Liu, W\. Jin, Y\. Ma, Y\. Li, H\. Liu, Y\. Wang, M\. Yan, and J\. Tang\.Elastic graph neural networks\.In M\. Meila and T\. Zhang, editors,*Proceedings of the 38th International Conference on Machine Learning, ICML 2021, 18\-24 July 2021, Virtual Event*, volume 139 of*Proceedings of Machine Learning Research*, pages 6837–6849\. PMLR, 2021b\.URL[http://proceedings\.mlr\.press/v139/liu21k\.html](http://proceedings.mlr.press/v139/liu21k.html)\.
- Luo et al\. \[2021\]D\. Luo, W\. Cheng, W\. Yu, B\. Zong, J\. Ni, H\. Chen, and X\. Zhang\.Learning to drop: Robust graph neural network via topological denoising\.In L\. Lewin\-Eytan, D\. Carmel, E\. Yom\-Tov, E\. Agichtein, and E\. Gabrilovich, editors,*WSDM ’21, The Fourteenth ACM International Conference on Web Search and Data Mining, Virtual Event, Israel, March 8\-12, 2021*, pages 779–787\. ACM, 2021\.doi:10\.1145/3437963\.3441734\.URL[https://doi\.org/10\.1145/3437963\.3441734](https://doi.org/10.1145/3437963.3441734)\.
- Micheli \[2009\]A\. Micheli\.Neural network for graphs: A contextual constructive approach\.*IEEE Trans\. Neural Networks*, 20\(3\):498–511, 2009\.doi:10\.1109/TNN\.2008\.2010350\.URL[https://doi\.org/10\.1109/TNN\.2008\.2010350](https://doi.org/10.1109/TNN.2008.2010350)\.
- Mujkanovic et al\. \[2022\]F\. Mujkanovic, S\. Geisler, S\. Günnemann, and A\. Bojchevski\.Are defenses for graph neural networks robust?In S\. Koyejo, S\. Mohamed, A\. Agarwal, D\. Belgrave, K\. Cho, and A\. Oh, editors,*Advances in Neural Information Processing Systems 35: Annual Conference on Neural Information Processing Systems 2022, NeurIPS 2022, New Orleans, LA, USA, November 28 \- December 9, 2022*, 2022\.
- Nesterov \[2012\]Y\. E\. Nesterov\.Efficiency of coordinate descent methods on huge\-scale optimization problems\.*SIAM J\. Optim\.*, 22\(2\):341–362, 2012\.doi:10\.1137/100802001\.URL[https://doi\.org/10\.1137/100802001](https://doi.org/10.1137/100802001)\.
- Rossi and Ahmed \[2025\]R\. Rossi and N\. Ahmed\.Network repository: A scientific network data repository with interactive visualization and mining tools, 2025\.URL[https://networkrepository\.com/network\-analytics\-graphlets\-log\.php](https://networkrepository.com/network-analytics-graphlets-log.php)\.
- Rozemberczki et al\. \[2019\]B\. Rozemberczki, C\. Allen, and R\. Sarkar\.Multi\-scale attributed node embedding\.In*IMA Journal of Complex Networks*, volume abs/1909\.13021, 2019\.URL[http://arxiv\.org/abs/1909\.13021](http://arxiv.org/abs/1909.13021)\.
- Rozemberczki et al\. \[2021\]B\. Rozemberczki, C\. Allen, and R\. Sarkar\.Multi\-scale attributed node embedding\.*J\. Complex Networks*, 9\(2\), 2021\.doi:10\.1093/COMNET/CNAB014\.URL[https://doi\.org/10\.1093/comnet/cnab014](https://doi.org/10.1093/comnet/cnab014)\.
- Scarselli et al\. \[2009\]F\. Scarselli, M\. Gori, A\. C\. Tsoi, M\. Hagenbuchner, and G\. Monfardini\.The graph neural network model\.*IEEE Trans\. Neural Networks*, 20\(1\):61–80, 2009\.doi:10\.1109/TNN\.2008\.2005605\.URL[https://doi\.org/10\.1109/TNN\.2008\.2005605](https://doi.org/10.1109/TNN.2008.2005605)\.
- Shchur et al\. \[2018\]O\. Shchur, M\. Mumme, A\. Bojchevski, and S\. Günnemann\.Pitfalls of graph neural network evaluation\.*CoRR*, abs/1811\.05868, 2018\.URL[http://arxiv\.org/abs/1811\.05868](http://arxiv.org/abs/1811.05868)\.
- Tao et al\. \[2021\]S\. Tao, H\. Shen, Q\. Cao, L\. Hou, and X\. Cheng\.Adversarial immunization for certifiable robustness on graphs\.In L\. Lewin\-Eytan, D\. Carmel, E\. Yom\-Tov, E\. Agichtein, and E\. Gabrilovich, editors,*WSDM ’21, The Fourteenth ACM International Conference on Web Search and Data Mining, Virtual Event, Israel, March 8\-12, 2021*, pages 698–706\. ACM, 2021\.doi:10\.1145/3437963\.3441782\.URL[https://doi\.org/10\.1145/3437963\.3441782](https://doi.org/10.1145/3437963.3441782)\.
- Wang et al\. \[2018\]H\. Wang, J\. Wang, J\. Wang, M\. Zhao, W\. Zhang, F\. Zhang, X\. Xie, and M\. Guo\.Graphgan: Graph representation learning with generative adversarial nets\.In S\. A\. McIlraith and K\. Q\. Weinberger, editors,*Proceedings of the Thirty\-Second AAAI Conference on Artificial Intelligence, \(AAAI\-18\), the 30th innovative Applications of Artificial Intelligence \(IAAI\-18\), and the 8th AAAI Symposium on Educational Advances in Artificial Intelligence \(EAAI\-18\), New Orleans, Louisiana, USA, February 2\-7, 2018*, pages 2508–2515\. AAAI Press, 2018\.doi:10\.1609/AAAI\.V32I1\.11872\.URL[https://doi\.org/10\.1609/aaai\.v32i1\.11872](https://doi.org/10.1609/aaai.v32i1.11872)\.
- Wu et al\. \[2022\]B\. Wu, Y\. Bian, H\. Zhang, J\. Li, J\. Yu, L\. Chen, C\. Chen, and J\. Huang\.Trustworthy graph learning: Reliability, explainability, and privacy protection\.In*Proceedings of the 28th ACM SIGKDD conference on knowledge discovery and data mining*, pages 4838–4839, 2022\.
- Wu et al\. \[2019a\]F\. Wu, A\. H\. S\. Jr\., T\. Zhang, C\. Fifty, T\. Yu, and K\. Q\. Weinberger\.Simplifying graph convolutional networks\.In K\. Chaudhuri and R\. Salakhutdinov, editors,*Proceedings of the 36th International Conference on Machine Learning, ICML 2019, 9\-15 June 2019, Long Beach, California, USA*, volume 97 of*Proceedings of Machine Learning Research*, pages 6861–6871\. PMLR, 2019a\.URL[http://proceedings\.mlr\.press/v97/wu19e\.html](http://proceedings.mlr.press/v97/wu19e.html)\.
- Wu et al\. \[2019b\]H\. Wu, C\. Wang, Y\. Tyshetskiy, A\. Docherty, K\. Lu, and L\. Zhu\.Adversarial examples for graph data: Deep insights into attack and defense\.In S\. Kraus, editor,*Proceedings of the Twenty\-Eighth International Joint Conference on Artificial Intelligence, IJCAI 2019, Macao, China, August 10\-16, 2019*, pages 4816–4823\. ijcai\.org, 2019b\.doi:10\.24963/IJCAI\.2019/669\.URL[https://doi\.org/10\.24963/ijcai\.2019/669](https://doi.org/10.24963/ijcai.2019/669)\.
- Xiao et al\. \[2021\]Y\. Xiao, J\. Li, and W\. Su\.A lightweight metric defence strategy for graph neural networks against poisoning attacks\.In D\. Gao, Q\. Li, X\. Guan, and X\. Liao, editors,*Information and Communications Security \- 23rd International Conference, ICICS 2021, Chongqing, China, November 19\-21, 2021, Proceedings, Part II*, volume 12919 of*Lecture Notes in Computer Science*, pages 55–72\. Springer, 2021\.doi:10\.1007/978\-3\-030\-88052\-1\\\_4\.URL[https://doi\.org/10\.1007/978\-3\-030\-88052\-1\_4](https://doi.org/10.1007/978-3-030-88052-1_4)\.
- Xu et al\. \[2021\]H\. Xu, L\. Xiang, J\. Yu, A\. Cao, and X\. Wang\.Speedup robust graph structure learning with low\-rank information\.In G\. Demartini, G\. Zuccon, J\. S\. Culpepper, Z\. Huang, and H\. Tong, editors,*CIKM ’21: The 30th ACM International Conference on Information and Knowledge Management, Virtual Event, Queensland, Australia, November 1 \- 5, 2021*, pages 2241–2250\. ACM, 2021\.doi:10\.1145/3459637\.3482299\.URL[https://doi\.org/10\.1145/3459637\.3482299](https://doi.org/10.1145/3459637.3482299)\.
- Xu et al\. \[2022\]J\. Xu, Y\. Yang, J\. Chen, X\. Jiang, C\. Wang, J\. Lu, and Y\. Sun\.Unsupervised adversarially robust representation learning on graphs\.In*Thirty\-Sixth AAAI Conference on Artificial Intelligence, AAAI 2022, Thirty\-Fourth Conference on Innovative Applications of Artificial Intelligence, IAAI 2022, The Twelveth Symposium on Educational Advances in Artificial Intelligence, EAAI 2022 Virtual Event, February 22 \- March 1, 2022*, pages 4290–4298\. AAAI Press, 2022\.doi:10\.1609/AAAI\.V36I4\.20349\.URL[https://doi\.org/10\.1609/aaai\.v36i4\.20349](https://doi.org/10.1609/aaai.v36i4.20349)\.
- Xu et al\. \[2019a\]K\. Xu, H\. Chen, S\. Liu, P\. Chen, T\. Weng, M\. Hong, and X\. Lin\.Topology attack and defense for graph neural networks: An optimization perspective\.In S\. Kraus, editor,*Proceedings of the Twenty\-Eighth International Joint Conference on Artificial Intelligence, IJCAI 2019, Macao, China, August 10\-16, 2019*, pages 3961–3967\. ijcai\.org, 2019a\.doi:10\.24963/IJCAI\.2019/550\.URL[https://doi\.org/10\.24963/ijcai\.2019/550](https://doi.org/10.24963/ijcai.2019/550)\.
- Xu et al\. \[2019b\]K\. Xu, W\. Hu, J\. Leskovec, and S\. Jegelka\.How powerful are graph neural networks?In*7th International Conference on Learning Representations, ICLR 2019, New Orleans, LA, USA, May 6\-9, 2019*\. OpenReview\.net, 2019b\.URL[https://openreview\.net/forum?id=ryGs6iA5Km](https://openreview.net/forum?id=ryGs6iA5Km)\.
- Yang et al\. \[2016\]Z\. Yang, W\. Cohen, and R\. Salakhudinov\.Revisiting semi\-supervised learning with graph embeddings\.In*International conference on machine learning*, pages 40–48\. PMLR, 2016\.
- You et al\. \[2020\]Y\. You, T\. Chen, Y\. Sui, T\. Chen, Z\. Wang, and Y\. Shen\.Graph contrastive learning with augmentations\.In H\. Larochelle, M\. Ranzato, R\. Hadsell, M\. Balcan, and H\. Lin, editors,*Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6\-12, 2020, virtual*, 2020\.
- Zhang et al\. \[2022\]B\. Zhang, X\. Guo, Z\. Tu, and J\. Zhang\.Graph alternate learning for robust graph neural networks in node classification\.*Neural Comput\. Appl\.*, 34\(11\):8723–8735, 2022\.doi:10\.1007/S00521\-021\-06863\-1\.URL[https://doi\.org/10\.1007/s00521\-021\-06863\-1](https://doi.org/10.1007/s00521-021-06863-1)\.
- Zhang and Lu \[2020\]L\. Zhang and H\. Lu\.A feature\-importance\-aware and robust aggregator for GCN\.In M\. d’Aquin, S\. Dietze, C\. Hauff, E\. Curry, and P\. Cudré\-Mauroux, editors,*CIKM ’20: The 29th ACM International Conference on Information and Knowledge Management, Virtual Event, Ireland, October 19\-23, 2020*, pages 1813–1822\. ACM, 2020\.doi:10\.1145/3340531\.3411983\.URL[https://doi\.org/10\.1145/3340531\.3411983](https://doi.org/10.1145/3340531.3411983)\.
- Zhang and Zitnik \[2020\]X\. Zhang and M\. Zitnik\.Gnnguard: Defending graph neural networks against adversarial attacks\.In H\. Larochelle, M\. Ranzato, R\. Hadsell, M\. Balcan, and H\. Lin, editors,*Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6\-12, 2020, virtual*, 2020\.
- Zhang et al\. \[2019\]Y\. Zhang, S\. Khan, and M\. Coates\.Comparing and detecting adversarial attacks for graph deep learning\.In*Proc\. representation learning on graphs and manifolds workshop, Int\. Conf\. learning representations, New Orleans, LA, USA*, 2019\.
- Zhang et al\. \[2021\]Y\. Zhang, F\. Regol, S\. Pal, S\. Khan, L\. Ma, and M\. Coates\.Detection and defense of topological adversarial attacks on graphs\.In A\. Banerjee and K\. Fukumizu, editors,*The 24th International Conference on Artificial Intelligence and Statistics, AISTATS 2021, April 13\-15, 2021, Virtual Event*, volume 130 of*Proceedings of Machine Learning Research*, pages 2989–2997\. PMLR, 2021\.URL[http://proceedings\.mlr\.press/v130/zhang21i\.html](http://proceedings.mlr.press/v130/zhang21i.html)\.
- Zheng et al\. \[2020\]C\. Zheng, B\. Zong, W\. Cheng, D\. Song, J\. Ni, W\. Yu, H\. Chen, and W\. Wang\.Robust graph representation learning via neural sparsification\.In*Proceedings of the 37th International Conference on Machine Learning, ICML 2020, 13\-18 July 2020, Virtual Event*, volume 119 of*Proceedings of Machine Learning Research*, pages 11458–11468\. PMLR, 2020\.URL[http://proceedings\.mlr\.press/v119/zheng20d\.html](http://proceedings.mlr.press/v119/zheng20d.html)\.
- Zheng et al\. \[2021\]Q\. Zheng, X\. Zou, Y\. Dong, Y\. Cen, D\. Yin, J\. Xu, Y\. Yang, and J\. Tang\.Graph robustness benchmark: Benchmarking the adversarial robustness of graph machine learning\.*arXiv preprint arXiv:2111\.04314*, 2021\.
- Zhu et al\. \[2019\]D\. Zhu, Z\. Zhang, P\. Cui, and W\. Zhu\.Robust graph convolutional networks against adversarial attacks\.In A\. Teredesai, V\. Kumar, Y\. Li, R\. Rosales, E\. Terzi, and G\. Karypis, editors,*Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, KDD 2019, Anchorage, AK, USA, August 4\-8, 2019*, pages 1399–1407\. ACM, 2019\.doi:10\.1145/3292500\.3330851\.URL[https://doi\.org/10\.1145/3292500\.3330851](https://doi.org/10.1145/3292500.3330851)\.
- Zhu et al\. \[2022\]J\. Zhu, J\. Jin, D\. Loveland, M\. T\. Schaub, and D\. Koutra\.How does heterophily impact the robustness of graph neural networks? theoretical connections and practical implications\.In*Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining*, pages 2637–2647, 2022\.
- Zhuang and Hasan \[2022\]J\. Zhuang and M\. A\. Hasan\.Defending graph convolutional networks against dynamic graph perturbations via bayesian self\-supervision\.In*Thirty\-Sixth AAAI Conference on Artificial Intelligence, AAAI 2022, Thirty\-Fourth Conference on Innovative Applications of Artificial Intelligence, IAAI 2022, The Twelveth Symposium on Educational Advances in Artificial Intelligence, EAAI 2022 Virtual Event, February 22 \- March 1, 2022*, pages 4405–4413\. AAAI Press, 2022\.doi:10\.1609/AAAI\.V36I4\.20362\.URL[https://doi\.org/10\.1609/aaai\.v36i4\.20362](https://doi.org/10.1609/aaai.v36i4.20362)\.
- Zügner et al\. \[2018\]D\. Zügner, A\. Akbarnejad, and S\. Günnemann\.Adversarial attacks on neural networks for graph data\.In Y\. Guo and F\. Farooq, editors,*Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, KDD 2018, London, UK, August 19\-23, 2018*, pages 2847–2856\. ACM, 2018\.doi:10\.1145/3219819\.3220078\.URL[https://doi\.org/10\.1145/3219819\.3220078](https://doi.org/10.1145/3219819.3220078)\.

Appendix

## Appendix A LLM Usage

We acknowledge the use of LLMs to aid or polish writing\. We confirm that research motivation, methodology, idea and content come from us, the authors, while the LLM’s role was limited to refining clarity, grammar, style, and LaTeX formatting\.

## Appendix B Reproducibility Statement

We release a complete anonymized codebase to ensure full reproducibility at [https://github\.com/FDataLab/GAB](https://github.com/FDataLab/GAB)\. All experiments are run with fixed random seeds, and model hyperparameters are obtained by performing model selection on the set of all possible hyperparameters provided in Table [17](https://arxiv.org/html/2605.05534#A11.T17)\. Additional details on compute resources and experimental setup are described in Section [5](https://arxiv.org/html/2605.05534#S5)\.

## Appendix C Broader Impact & Limitation

This work addresses critical challenges in the evaluation of adversarial attacks and defenses for Graph Neural Networks\. By introducing a unified and rigorous benchmarking framework, our study ensures reproducibility, fairness, and robustness in assessing adversarial learning methods\. This initiative contributes to a more reliable understanding of GNN vulnerabilities and their mitigations, promoting trustworthy adoption of GNNs in high\-stakes domains such as finance, healthcare, and social networks\. Furthermore, our discovery of specific node properties, such as the higher resilience of high\-degree nodes, opens pathways for new research into graph robustness\. While our focus is primarily on methodological evaluation, the broader societal impact includes fostering ethical AI practices through improved transparency and standardization in machine learning research\.

While our benchmark explores a comprehensive range of hyper\-parameters, we acknowledge that model weight initialization can also influence robustness outcomes\. highlights that different initializations may lead to noticeably different robustness levels\. Due to the computational cost, over 446,000 additional experiments, our current benchmark utilized the initialization used by the original papers and does not perform hyper\-parameter tuning on initialization\. We therefore report the specific initialization scheme used for each model, leaving a full exploration of initialization robustness for future work\.

Our benchmark focuses on static graphs, which is the predominant setting in the adversarial GNN literature\. While attacks on dynamic graphs and continuous\-time embeddings are also important, they remain largely unexplored across existing benchmarks\. We view these as natural and valuable extensions of our work rather than omissions, and anticipate that our framework can provide the foundation for evaluating such scenarios in the future\.

Our benchmark does not include an evaluation of certified robustness\. While certification offers valuable theoretical guarantees, most defense methods in our study do not provide certification modules or compatible implementations, making it infeasible to run a fair and standardized certification comparison\. We therefore consider certification an important but orthogonal direction, and we leave a systematic benchmark of certified defenses to future work\.

## Appendix D Hyper\-parameters

Table [17](https://arxiv.org/html/2605.05534#A11.T17) presents the hyperparameters for various models\. Model selections include the number of convolutional layers, the learning rate, and the early stopping criterion \(based on either validation accuracy or validation loss\) for all models\. In addition, model\-specific parameters such as regularization terms, dropout rates, and other configurations were chosen as appropriate for each model\.

Moreover, we outline the hyperparameters for the model’s specific parameters, as follows\.

RobustGCN: The hyperparameters for the RGCN model are configured as follows: $\gamma=0.5$, $\beta_{1}=1$, and $\beta_{2}=1.5$ across all datasets\. The dropout rate $\in \{0.5, 0.6\}$, while the Adam optimizer is used for optimization with a learning rate $\in \{0.001, 0.01, 0.005\}$\. The model is trained for a maximum of $1000$ epochs, with early stopping applied based on the performance on the validation set\.

GARNET: We set the hyperparameters as follows: the number of eigenpairs used for spectral embedding, $r \in \{50, 500\}$; the number of nearest neighbors used for base graph construction, $k \in \{50, 30, 10\}$; and the edge pruning threshold, $\gamma$, set to $0.0003$\. Moreover, we explore GARNET configurations where node features are either included or excluded to understand the role of node attributes\. Similarly, for the construction of the nearest\-neighbor graph, we assess both weighted and unweighted approaches\. We evaluated the effect of normalizing versus not normalizing the adjacency matrix on stabilization and scaling in graph computations\.

GRAND: We set the hyperparameters for the GRAND model as follows: the node drop rate is set to $0.5$, the temperature parameter, $\text{T} \in \{0.1, 0.5, 0.3\}$, the regularization coefficient, $\lambda \in \{1.0, 0.5, 0.7\}$, and the order of graph convolutions, $\text{order} \in \{2, 4, 8\}$\. Moreover, we explore GRAND configurations by adjusting the number of samples, $\text{sample} \in \{2, 3, 4\}$, to examine the impact of sample size on learning\.

Given a model, all possible choices of all hyperparameters form a set of hyperparameter configurations\. We perform model selection using Algorithm [2](https://arxiv.org/html/2605.05534#alg2) to select the configuration having the best performance on the validation dataset, $\mathcal{V}_{valid}$\.

Algorithm 2 Model Selection \(select\)

1. Input: Set of configurations $\mathbf{\Theta}$, Dataset $\mathcal{D}$, Train indexes $\mathcal{V}_{train}$, Validation indexes $\mathcal{V}_{valid}$
2. Output: $\theta_{best}$: the best hyper\-parameter configuration
3. $p_{\theta} = \emptyset$
4. for $\theta$ in $\mathbf{\Theta}$ do
5. $f$ = train\($\theta$, $\mathcal{V}_{train}$, $\mathcal{V}_{test}$, $\mathcal{D}$\)
6. performance = validate\($\theta$, $\mathcal{V}_{valid}$, $\mathcal{D}$\)
7. $p_{\theta}$ = $p_{\theta} \cup$ performance
8. $\theta_{best}$ = $\mathop{\arg\max}\limits_{\theta} p_{\theta}$
9. Return: $\theta_{best}$
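The selection loop of Algorithm 2, written out as an added Python example (not the authors' GAB code). The 8-node graph, the propagation classifier and the search space are constructed for illustration, and `train` here is assumed to see only the labels of the training indexes; test indexes are touched only after a configuration has been chosen.

```python
from itertools import product

# Constructed toy graph: two 4-cliques joined by the edge (3, 4).
EDGES = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3),
         (4, 5), (4, 6), (4, 7), (5, 6), (5, 7), (6, 7), (3, 4)]
DATASET = {
    "edges": EDGES,
    "labels": [0, 0, 0, 0, 1, 1, 1, 1],
    # One feature per node; nodes 2 and 6 carry a misleading value.
    "features": [0.0, 0.0, 1.0, 0.0, 1.0, 1.0, 0.0, 1.0],
}
TRAIN_IDX, VALID_IDX, TEST_IDX = [0, 4], [1, 2, 5, 6], [3, 7]

# Hypothetical search space for the toy model (not the paper's Table 17).
SEARCH_SPACE = {"layers": [0, 1, 2], "self_weight": [1.0, 3.0]}


def build_grid(space):
    """All choices of all hyperparameters form the configuration set Theta."""
    keys = list(space)
    return [dict(zip(keys, vals)) for vals in product(*(space[k] for k in keys))]


def propagate(theta, dataset):
    """Weighted mean aggregation over neighbours, repeated `layers` times."""
    h = list(dataset["features"])
    adj = [[] for _ in h]
    for u, v in dataset["edges"]:
        adj[u].append(v)
        adj[v].append(u)
    s = theta["self_weight"]
    for _ in range(theta["layers"]):
        h = [(s * h[i] + sum(h[j] for j in adj[i])) / (s + len(adj[i]))
             for i in range(len(h))]
    return h


def train(theta, train_idx, dataset):
    """Fit a midpoint-threshold classifier from the training nodes only."""
    h = propagate(theta, dataset)
    means = {}
    for c in (0, 1):
        vals = [h[i] for i in train_idx if dataset["labels"][i] == c]
        if not vals:
            raise ValueError(f"no training node for class {c}")
        means[c] = sum(vals) / len(vals)
    threshold = (means[0] + means[1]) / 2
    positive = 1 if means[1] >= means[0] else 0

    def predict(i):
        return positive if h[i] > threshold else 1 - positive
    return predict


def validate(model, idx, dataset):
    """Accuracy of a trained model on the given node indexes."""
    return sum(model(i) == dataset["labels"][i] for i in idx) / len(idx)


def select(grid, dataset, train_idx, valid_idx):
    """Algorithm 2: best configuration by validation accuracy, plus all scores."""
    scores = []
    for theta in grid:
        model = train(theta, train_idx, dataset)
        scores.append(validate(model, valid_idx, dataset))
    # arg max over the grid; the first maximum wins ties, so the result is
    # deterministic for a fixed grid order.
    best = max(range(len(grid)), key=scores.__getitem__)
    return grid[best], scores


if __name__ == "__main__":
    grid = build_grid(SEARCH_SPACE)
    best, scores = select(grid, DATASET, TRAIN_IDX, VALID_IDX)
    for theta, score in zip(grid, scores):
        print(theta, "validation accuracy:", score)
    final = train(best, TRAIN_IDX, DATASET)
    print("selected:", best, "test accuracy:", validate(final, TEST_IDX, DATASET))
```

On this toy split the unpropagated configuration (`layers = 0`) reaches only half the validation accuracy of the selected one, which is the kind of gap a fixed-hyperparameter victim model hides.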

Initializer\. Initialization plays a non\-trivial role in determining the stability and robustness of GNN models\. Consistent with findings in recent literature, different initializations may lead to different robustness levels, even under identical training settings\. While our benchmark uses commonly adopted default initializers for each architecture, we recognize that further investigation into initialization sensitivity may reveal additional insights into model and defense behavior\.

## Appendix E Datasets

We conducted experiments on six widely used node classification datasets, with their statistics provided in Table [1](https://arxiv.org/html/2605.05534#S5.T1)\. Specifically, we use three homophilic graphs, CORA \[[61](https://arxiv.org/html/2605.05534#bib.bib61)\], CITESEER \[[61](https://arxiv.org/html/2605.05534#bib.bib61)\], and PUBMED \[[61](https://arxiv.org/html/2605.05534#bib.bib61)\], which are citation networks characterized by undirected edges and binary features, where nodes represent publications and edges correspond to citation links\. We also include two heterophilic datasets, CHAMELEON \[[47](https://arxiv.org/html/2605.05534#bib.bib47)\] and SQUIRREL \[[47](https://arxiv.org/html/2605.05534#bib.bib47)\], which are Wikipedia\-based page\-to\-page networks focused on specific topics\. In these datasets, nodes represent web pages, edges indicate mutual hyperlinks between pages, and node features are derived from several informative nouns found within the corresponding Wikipedia content\. Moreover, we also consider one large\-scale graph dataset, OGB\-ARXIV \[[27](https://arxiv.org/html/2605.05534#bib.bib27)\], which is a directed graph representing the citation network among all Computer Science papers on arXiv\. In this dataset, each node corresponds to an arXiv paper, and each directed edge indicates that one paper cites another\.

## Appendix F Adversarial Attacks Evaluation Pitfalls

Nettack\. The adversarial impact on victim models was reported with an average of over five random initiations/splits\. However, the results do not include standard deviation, and different train/validation/test splits are not publicly available, which makes it difficult to reproduce the evaluation experiments\. The evaluation of Nettack is limited to a single victim model, GCN, with fixed hyperparameters; hence, it is unclear if model selection has been performed\. In addition, the authors evaluate Nettack using a target node selection strategy that does not encompass all classes of nodes, particularly those with high degrees\. This limitation results in an incomplete assessment of Nettack’s impact on high\-degree target nodes\.

FGA\. The authors evaluate FGA on multiple victim models, such as GCN \[[35](https://arxiv.org/html/2605.05534#bib.bib35)\], GraRep \[[4](https://arxiv.org/html/2605.05534#bib.bib4)\], and GraphGAN \[[52](https://arxiv.org/html/2605.05534#bib.bib52)\], trained and evaluated on at least one random train/validation/test split\. However, whether the averaged results are reported from different random splits and whether model selection is performed for each victim model is unclear\. The adversarial impact of FGA is assessed on target nodes selected randomly based on their labels\. Importantly, the evaluation code has not been released, making it difficult to reproduce the results\.

SGA\. SGA is evaluated on multiple victim models such as GCN \[[35](https://arxiv.org/html/2605.05534#bib.bib35)\], SGC \[[54](https://arxiv.org/html/2605.05534#bib.bib54)\], GraphSAGE \[[24](https://arxiv.org/html/2605.05534#bib.bib24)\], etc\. However, similarly to FGA and Nettack, it is unclear whether the assessment and model selection are conducted over different random splits of training/validation/test sets\. Moreover, the adversarial effect of SGA is evaluated on randomly selected target nodes, which include neither the high\-margin and low\-margin nodes used in Nettack nor nodes with high degrees\.

PR\-BCD\. The article reports results obtained from the average over three random/splits and follows a target node selection strategy similar to Nettack according to the code\. The evaluation process omitted model selection for each split; hence, PR\-BCD is evaluated on different scalable victim models with fixed hyper\-parameters for all splits\. Importantly, the authors did not compare PR\-BCD performance with popular baselines such as Nettack and FGA, even on small datasets, as the authors focus on robustness and adversarial performance on large graphs\.

PGD\. Similar to Nettack, PGD’s performance is evaluated and reported with the mean and standard deviation of five different random splits on a single GCN classifier\. However, data splits are not publicly released, making it impossible to reproduce the result, and it is not clear if GCN hyper\-parameters are fixed in advance for every split or obtained from model selection for each split\.

GOttack\. GOttack is evaluated on three backbone GNNs \(GCN, GIN, and GraphSAGE\) and four defense models \(RGCN, GCN\-Jaccard, GCN\-SVD, and MedianGCN\), using fixed hyperparameters\. It follows Nettack’s target node selection strategy, which does not account for all classes of nodes, especially high\-degree nodes\. Additionally, the experiments were not conducted over different random splits of training/validation/test sets\. This limits the evaluation of GOttack’s effectiveness\.

### F\.1 Addressing Common Questions on Pitfalls

Have attacks such as Nettack, FGA, PR\-BCD, and GOttack not already been studied extensively?

While these attacks have been evaluated in earlier work, prior studies were typically ad\-hoc and limited: using fixed hyperparameters, single data splits, or narrow subsets of target nodes\. Our benchmark corrects these shortcomings by conducting over 446,000 experiments across homophilic, heterophilic, and large\-scale datasets, while incorporating proper model selection and multiple random splits\. This provides the first systematic, large\-scale, and reproducible comparison of adversarial GNN attacks\.

Were structural node properties, such as margin or degree, not already analyzed before?

Some papers have presented anecdotal evidence on node properties, such as degree or margin, often restricted to small datasets like CORA \[[69](https://arxiv.org/html/2605.05534#bib.bib69), [71](https://arxiv.org/html/2605.05534#bib.bib71)\]\. These analyses were not comprehensive or reproducible, as they relied on binning or one\-off case studies\. In contrast, our benchmark systematically shows that node degree strongly influences attack success rates across multiple datasets\. Appendix Table [29](https://arxiv.org/html/2605.05534#A11.T29) further confirms that degree\-based target selection drastically reduces attack effectiveness, a pattern overlooked in prior work due to scalability and methodological limitations\.

Have victim model configurations and model selection not already been considered?

Most previous evaluations fixed hyperparameters and skipped model selection, a limitation also noted in earlier benchmarks\[[69](https://arxiv.org/html/2605.05534#bib.bib69)\]\. Our results demonstrate that incorporating realistic victim model selection can shift attack outcomes by more than 15% depending on the dataset and budget\. This shows that omitting model selection produces misleading conclusions about attack strength\. Our benchmark closes this gap by embedding model selection systematically into the evaluation\.

## Appendix GDetailed Results on Adversarial Attack Evaluation

Experiment breakdown\.Each instance involving training a victim model is counted as one experiment\. Specifically, a total of 354,501 experiments are conducted for model selection across 14 models, including surrogate, vanilla, and defense models, on homophily, heterophily, and large\-scale datasets\. In contrast, 98,960 experiments are required to evaluate seven attack methods on all vanilla and defense models across all datasets\. The breakdown of experiments for model selection and attack evaluation is presented in Table[5](https://arxiv.org/html/2605.05534#A7.T5)and Table[6](https://arxiv.org/html/2605.05534#A7.T6), respectively\. In total, this study involves 453,461 experiments\.

Table 5:Break up of the numbers of experiments required for performing model selection for surrogate models, vanilla and defense models on homophily, heterophily and large\-scale datasets\. There are three homophily datasets, each of which has five training/validation/test splits\. Each heterophily dataset, CHAMELEON and SQUIRREL, has also five training/validation/test splits\. Due to high time complexity, we only consider one training/validation/testing split for large\-scale dataset, OGB\-ARXIV, provided byHu et al\. \[[26](https://arxiv.org/html/2605.05534#bib.bib26)\]Model\# combinationshomophily datasets \(3×53\\times 5\)CHAMELEON \(×5\\times 5\)SQUIRREL \(×5\\times 5\)OGB\-ARXIV \(×1\\times 1\)TotalGCN21873280510935109352187GIN21873280510935NANAGSAGE21873280510935109352187PNA72910935NANANAGCN\-surrogate243364512151215243SGC243364512151215243GNNGuard48720240240NAGRAND4374656102187021870NAElasticGNN12961944064806480NARobustGCN324486016201620NAGCORN27405135135NARUNG216324010801080NAGCN\-GARNET48720240240NAGCN\-Jaccard690NANANANoisyGNN36540180180NATotal14,151212,26567,08056,1454,860354,501

Table 6: Breakdown of the number of experiments required for evaluating attacks on vanilla and defense models on homophily, heterophily and large\-scale datasets\.

| Table index | # rows | # cols | # cells | Expected experiments | OOR | # Actual experiments |
|---|---|---|---|---|---|---|
| Table [4](https://arxiv.org/html/2605.05534#S6.T4) | 6 | 10 | 60 | 180 | 0 | 180 |
| Table [18](https://arxiv.org/html/2605.05534#A11.T18) | 56 | 15 | 840 | 12,600 | 0 | 12,600 |
| Table [20](https://arxiv.org/html/2605.05534#A11.T20) | 28 | 5 | 140 | 2,100 | 0 | 2,100 |
| Table [20](https://arxiv.org/html/2605.05534#A11.T20) | 42 | 5 | 210 | 3,150 | 0 | 3,150 |
| Table [21](https://arxiv.org/html/2605.05534#A11.T21) | 56 | 15 | 840 | 12,600 | 0 | 12,600 |
| Table [22](https://arxiv.org/html/2605.05534#A11.T22) | 56 | 15 | 840 | 12,600 | 70 | 12,530 |
| Table [23](https://arxiv.org/html/2605.05534#A11.T23) | 14 | 15 | 210 | 3,150 | 0 | 3,150 |
| Table [24](https://arxiv.org/html/2605.05534#A11.T24) | 28 | 10 | 280 | 4,200 | 0 | 4,200 |
| Table [25](https://arxiv.org/html/2605.05534#A11.T25) | 56 | 10 | 560 | 8,400 | 0 | 8,400 |
| Table [26](https://arxiv.org/html/2605.05534#A11.T26) | 14 | 10 | 140 | 2,100 | 0 | 2,100 |
| Table [27](https://arxiv.org/html/2605.05534#A11.T27) | 4 | 15 | 60 | 900 | 0 | 900 |
| Table [28](https://arxiv.org/html/2605.05534#A11.T28) | 4 | 10 | 40 | 600 | 0 | 600 |
| Table [29](https://arxiv.org/html/2605.05534#A11.T29) | 56 | 15 | 840 | 12,600 | 0 | 12,600 |
| Table [30](https://arxiv.org/html/2605.05534#A11.T30) | 56 | 15 | 840 | 12,600 | 0 | 12,600 |
| Table [31](https://arxiv.org/html/2605.05534#A11.T31) | 14 | 5 | 70 | 1,050 | 0 | 1,050 |
| Table [32](https://arxiv.org/html/2605.05534#A11.T32) | 40 | 15 | 600 | 9,000 | 0 | 2,250 |
| Table [33](https://arxiv.org/html/2605.05534#A11.T33) | 16 | 5 | 80 | 1,200 | 0 | 1,200 |
| Total: | | | | | | 98,960 |

### G\.1 Vanilla Evasion and Poisoning Attacks

Homophily datasets\. In this section, we present the experimental results\. Table [18](https://arxiv.org/html/2605.05534#A11.T18) illustrates the success rates of six adversarial attacks on four vanilla models \(GCN, GIN, GSAGE and PNA\) on three homophily datasets under evasion and poisoning attack settings\.

For the CORA dataset in the evasion attack setting, Nettack achieves the best performance in 12 of the 20 tasks, including 4 out of 5 tasks for each of the GIN, GSAGE and PNA models\. However, on the GCN model, Nettack delivers the second\-best results\. In contrast, PR\-BCD \(NA\) performs best in 5 of 5 tasks on the GCN model, although it only secures 7 of 20 tasks overall in the evasion setting\. Interestingly, the proposed baseline, L1D\-RND, achieves the highest score on the PNA model for budget $\Delta=1$\. Likewise, in the poisoning attack setting for the same dataset, Nettack demonstrates the best performance, securing 14 out of 20 tasks\. Meanwhile, PR\-BCD \(NA\), GOttack, SGA, FGA and PGD each achieve the best score on at least one task out of 20\. For a budget $\Delta=1$, the best\-performing attack, Nettack, achieves a 22\.13% relative increase on the CORA dataset, rising from an average attack success rate of 26\.65% in evasion to 32\.56% in poisoning across four victim models\.

On the CITESEER dataset in the evasion attack setting, Nettack achieves the best performance in 13 out of 20 tasks\. Similarly to the CORA dataset, Nettack delivers the second\-best results on the GCN model, and the proposed baseline, L1D\-RND, achieves the highest score on the PNA model for a budget $\Delta=1$\. In contrast, PR\-BCD \(NA\) achieves the best performance in all tasks on the GCN model, although it secures only 5 of the total 20 tasks in the evasion setting\. Likewise, in the poisoning attack setting, Nettack demonstrates the best performance, securing 14 out of 20 tasks\. Moreover, PR\-BCD \(NA\) and FGA each score the best on 3 out of 20 tasks\. However, Nettack achieves a 33\.48% relative increase on the CITESEER dataset, rising from 26\.06% in evasion to 34\.79% in poisoning across four victim models for a budget $\Delta=1$\.

Likewise, on the PUBMED dataset, Nettack achieves the best performance in 11 out of 20 tasks in both the evasion and poisoning attack settings\. In contrast, GOttack delivers the best performance in 5 out of 20 tasks in the evasion setting and 3 out of 20 tasks in the poisoning setting\. Notably, the proposed baseline, L1D\-RND, secures the highest score on the PNA model for a budget of $\Delta=1$ in both settings\. Additionally, FGA achieves the best scores on 2 out of 20 tasks in the evasion setting and 3 out of 20 tasks in the poisoning setting\. Furthermore, Nettack exhibits a 3\.01% relative decrease on the PUBMED dataset, dropping from 31\.03% in evasion to 30\.09% in poisoning across four victim models for a single budget\. On average, the misclassification rate of all attacks on GCN on the PUBMED dataset in both evasion and poison settings at budget $\Delta=1$ drops by 22\.59% when high\-degree nodes are selected as target nodes\. Still, on average, a node degree\-based selection of target nodes decreases the misclassification rate of adversarial attacks by 9\.8%\.

Heterophily datasets\. This section presents the experimental results\. Tables [20](https://arxiv.org/html/2605.05534#A11.T20) and [20](https://arxiv.org/html/2605.05534#A11.T20) show the success rates of six adversarial attacks on three vanilla models \(GCN, GIN, and GSAGE\) across two heterophilic datasets under both evasion and poisoning attack settings\.

For the SQUIRREL dataset under the evasion attack setting, PR\-BCD \(NA\) achieves the highest performance in 5 out of 10 tasks, including 4 out of 5 tasks for the GCN model\. FGA ranks second, performing best in 4 out of 10 tasks, with 4 out of 5 for the GSAGE model, and also securing the second\-best results in 4 out of 5 tasks for the GCN model\. Under the poisoning attack setting for the same dataset, both PR\-BCD \(NA\) and FGA achieve top performance, each leading in 4 out of 10 tasks\. In contrast, Nettack, GOttack, SGA, and PGD demonstrate the lowest success rates in both evasion and poisoning scenarios\. For a budget $\Delta=1$, the best\-performing attack, PR\-BCD \(NA\), achieves a 4\.76% relative increase on the SQUIRREL dataset, rising from an average attack success rate of 53\.07% in evasion to 55\.6% in poisoning across three victim models\.

Similarly, on the CHAMELEON dataset, the proposed naive L1D\-RND achieves the best performance in 7 out of 15 tasks under the evasion attack setting\. In comparison, FGA and PR\-BCD \(NA\) both demonstrate the second\-best performance, each excelling in 4 out of 15 tasks\. However, under the poisoning attack setting, FGA outperforms all other methods, achieving the best results in 10 out of 15 tasks, while PR\-BCD \(NA\) and the proposed L1D\-RND achieve top results in 3 and 2 tasks, respectively\. Consistent with observations on other heterophily datasets, Nettack, GOttack, SGA, and PGD show the lowest performance across both evasion and poisoning settings\. However, PR\-BCD \(NA\) demonstrates a 37\.94% relative improvement on the CHAMELEON dataset, increasing from 35\.37% in the evasion setting to 48\.8% in the poisoning setting across three victim models at a budget of $\Delta=1$\.

Large\-scale datasets\. Table [4](https://arxiv.org/html/2605.05534#S6.T4) presents the success rates of three adversarial attacks on two vanilla models \(GCN and GSAGE\) using a large\-scale dataset under both evasion and poisoning attack settings\. On the OGB\-ARXIV dataset, SGA achieves the best performance, outperforming others in all 10 out of 10 tasks across both settings\. In comparison, PR\-BCD \(NA\) secures the second\-best performance in 7 out of 10 tasks under the evasion setting\. Similarly, under the poisoning setting, both PR\-BCD \(NA\) and the proposed L1D\-RND model achieve the second\-best results in 5 out of 10 tasks\.

### G\.2 Defense Evasion and Poisoning Attacks

Homophily datasets\. In Tables [21](https://arxiv.org/html/2605.05534#A11.T21) and [22](https://arxiv.org/html/2605.05534#A11.T22), we present the results of six adversarial attacks on 8 defense models, across three homophily datasets in both evasion and poisoning attack settings\.

On ElasticGNN, the average performance of adversarial attacks is 23\.35% under a budget of 1 and 43\.88% under a budget of 5\. Among all evaluated attacks, FGA exhibits the highest adversarial impact on ElasticGNN, achieving an average rank of 2\.47 across both evasion and poisoning settings, followed closely by Nettack with an average rank of 2\.57\.

Conversely, while FGA performs best on ElasticGNN, it demonstrates surprisingly poor performance on GCN\-GARNET, with an average rank of 5\.27, ranking as the second\-worst among the seven evaluated attacks\. In contrast, L1D\-RND attains the second\-best average rank of 2\.47\. This result indicates that the relative effectiveness of adversarial attacks varies significantly depending on the target defense model, underscoring the necessity of evaluating attacks across diverse defense strategies\. On GCN\-GARNET, the average attack performance is 18\.89% for budget 1 and 45\.15% for budget 5\.

For GCN\-Jaccard, the average attack performance is 24\.76% under budget 1 and 50\.89% under budget 5\. Similar to ElasticGNN, GCN\-Jaccard effectively defends against the L1D\-RND baseline attack, which consistently ranks lowest \(average rank of 7\.00 in both evasion and poison scenarios\)\. In contrast, Nettack and GOttack emerge as the most effective attacks, with average ranks of 1\.96 and 2\.40, respectively\.

GNNGuard demonstrates exceptional robustness against all adversarial attacks, with average misclassification rates of 5\.46%, 9\.31%, 12\.22%, 15\.19%, and 17\.61% from budget 1 through 5, respectively\. Notably, attack effectiveness varies significantly across datasets\. In particular, SGA performs best in 6 out of 10 tasks on the CORA dataset, while Nettack dominates on CITESEER in 9 out of 10 tasks, and PR\-BCD \(NA\) leads on PUBMED in 8 out of 10 tasks\. These observations further emphasize the importance of evaluating adversarial methods across varied datasets and defense models\.

On GRAND, the average attack performance is 20\.33% and 40\.92% for budgets 1 and 5, respectively\. Our simple baseline attack L1D\-RND achieves superior performance across all homophily datasets on GRAND, with an average rank of 1\.13 and best results in 26 out of 30 tasks, outperforming even gradient\-based attack methods and demonstrating significantly higher computational efficiency\. This raises concerns about how effective existing attack methods are on defense models, especially GRAND, compared with simple baselines\. RobustGCN exhibits the weakest robustness among all defenses, with average adversarial performances of 28\.76% for budget 1 and 55\.57% for budget 5\. Nettack again proves most effective on this model, with an average rank of 2\.16 and top performance in 11 out of 30 tasks\.

Among recent defense models, GCORN shows average adversarial performance of 21\.10% for budget 1 and 34\.88% for budget 5, while RUNG achieves 18\.75% and 33\.21%, respectively, ranking as the second most robust model\. On both GCORN and RUNG, Nettack remains the top\-performing attack \(average rank 1\.90\), followed surprisingly by L1D\-RND\.

In summary, Nettack consistently ranks as the most effective adversarial attack across 8 defense models on homophily datasets, with an overall average rank of 2\.09\. GOttack follows as the second\-best method with an average rank of 3\.83\. Notably, our L1D\-RND performs on par with or even surpasses gradient\-based methods on GCN\-GARNET, GCORN, RUNG, and especially GRAND\.

Heterophily datasets\. Tables [24](https://arxiv.org/html/2605.05534#A11.T24) and [25](https://arxiv.org/html/2605.05534#A11.T25) present the success rates of seven adversarial attacks against six defense models on two heterophilic datasets, in both the evasion and poisoning attack settings\. In the evasion attack setting, FGA demonstrates the best performance, achieving success in 12 and 11 of the 30 tasks on the SQUIRREL and CHAMELEON datasets, respectively\. Similarly, in the poisoning attack setting, FGA continues to perform well, securing 17 and 14 of the 30 tasks on the SQUIRREL and CHAMELEON datasets, respectively\. However, the best\-performing attack, FGA, shows a significant performance gain on the SQUIRREL dataset, with a 62\.61% relative increase in the success rate, which rises from 18\.17% under evasion to 29\.55% under poisoning attacks across all defense models\. Likewise, for a budget of $\Delta=1$, FGA achieves a relative improvement of 48\.16% on the CHAMELEON dataset, increasing its average attack success rate from 17\.75% in the evasion setting to 26\.04% in the poisoning setting\. Interestingly, the proposed naive approach L1D\-RND achieves the second\-best results with 9 out of 30 successful attacks on both datasets in the evasion setting\. In the poisoning setting, the proposed L1D\-RND secures 5 and 11 of the 30 tasks on the SQUIRREL and CHAMELEON datasets, respectively\. On the other hand, SGA achieves moderate performance, scoring 8 and 6 in the evasion setting on the SQUIRREL dataset, and 7 and 1 on the CHAMELEON dataset in the evasion and poisoning settings, respectively\. Notably, similar to their performance on vanilla models, Nettack, GOttack, and PGD consistently exhibit lower success rates across both heterophilic datasets\.

It is important to note that, on the CHAMELEON dataset under the GNNGuard defense, all attack models, including the best\-performing one, FGA, produced surprising results\. The misclassification rate remained at zero, even as the budget increased, with no observable changes\. This occurred because GNNGuard pruned all the edges in this dataset\.

We also present the misclassification rates of defense and vanilla models under different adversarial attacks across three homophily and two heterophily datasets, as shown in Figure [3](https://arxiv.org/html/2605.05534#A7.F3) and Figure [4](https://arxiv.org/html/2605.05534#A7.F4) for the evasion and poisoning settings, respectively\.

![Refer to caption](https://arxiv.org/html/2605.05534v1/x7.png) \(a\) CORA
![Refer to caption](https://arxiv.org/html/2605.05534v1/x8.png) \(b\) CORA
![Refer to caption](https://arxiv.org/html/2605.05534v1/x9.png) \(c\) CITESEER
![Refer to caption](https://arxiv.org/html/2605.05534v1/x10.png) \(d\) CITESEER
![Refer to caption](https://arxiv.org/html/2605.05534v1/x11.png) \(e\) PUBMED
![Refer to caption](https://arxiv.org/html/2605.05534v1/x12.png) \(f\) PUBMED

Figure 3: Misclassification rates of defense and non\-defense models under different adversarial attacks \(budget 1\) across three homophily datasets\. Left column: evasion setting; Right column: poison setting\.

![Refer to caption](https://arxiv.org/html/2605.05534v1/x13.png) \(a\) SQUIRREL
![Refer to caption](https://arxiv.org/html/2605.05534v1/x14.png) \(b\) SQUIRREL
![Refer to caption](https://arxiv.org/html/2605.05534v1/x15.png) \(c\) CHAMELEON
![Refer to caption](https://arxiv.org/html/2605.05534v1/x16.png) \(d\) CHAMELEON

Figure 4: Misclassification rates of defense and non\-defense models under different adversarial attacks \(budget 1\) across two heterophily datasets and one large\-scale dataset\. Left column: evasion setting; Right column: poison setting\.

Understanding defense success and failure across graph structures\. Tables [7](https://arxiv.org/html/2605.05534#A7.T7) and [8](https://arxiv.org/html/2605.05534#A7.T8) provide deeper insight into why certain defenses succeed or fail under different graph structures\. Similarity\-based pruning methods such as GCN\-Jaccard and GNNGuard collapse under heterophily because neighboring nodes are inherently dissimilar\. For instance, on CHAMELEON, all attack models produce a misclassification rate of 0\.00 under GNNGuard as the attack budget increases, since GNNGuard prunes nearly all edges in heterophilous graphs \(see Table [24](https://arxiv.org/html/2605.05534#A11.T24)\)\. Training\-based defenses that rely on feature smoothness, such as GRAND, also deteriorate sharply under heterophily\. In the evasion setting, GRAND drops from 19\.05% on homophily graphs to 3\.33% on heterophily graphs, a 471\.40% relative decrease\. In the poisoning setting, it falls from 21\.63% to 7\.17%, corresponding to a 201\.56% relative decrease, revealing its sensitivity to structure–feature mismatch\. Defenses like RUNG and GCORN also become unstable when homophily is low\. RUNG decreases from 18\.63% to 1\.47% in evasion \(1169\.72% decline\) and from 18\.88% to 12\.98% in poisoning \(45\.49% decrease\)\. GCORN also drops from 20\.88% to 16\.70% in evasion \(25\.03% decline\) and from 21\.32% to 18\.20% in poisoning \(17\.16% decrease\), highlighting their struggles to generalize beyond homophilous settings\.

In contrast, defenses that make fewer homophily assumptions, such as RobustGCN, ElasticGNN, and to some extent GARNET, exhibit more stable behavior across diverse datasets\. In the poisoning setting, GARNET improves from 19\.47% to 24\.02%, yielding an 18\.96% gain\. RobustGCN remains steady, shifting only slightly from 26\.71% to 25\.66% in evasion and increasing from 29\.52% to 32\.65% in poisoning \(9\.59% gain\)\. Meanwhile, ElasticGNN, although experiencing some degradation from 21\.99% to 14\.27% in evasion and from 24\.71% to 24\.02% in poisoning \(2\.88% decline\), still performs more reliably than heavily homophily\-dependent defenses\. These patterns collectively confirm that defenses grounded in rigid smoothing or homophily assumptions tend to fail on heterophily graphs, whereas structurally flexible defenses remain more resilient\.
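How much of a clean graph a similarity\-based pruning defense would delete can be measured before the defense is deployed\. The following is an added example, not code from the paper or from any defense implementation: it applies a Jaccard edge\-pruning rule to two constructed toy graphs that differ only in edge homophily\. The graph generator, the feature vocabularies and the 0\.1 threshold are assumptions chosen for illustration\.

```python
import random


def jaccard(a, b):
    """Jaccard similarity between two sets of active (binary) feature ids."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def make_graph(edge_homophily, n_nodes=120, n_classes=4, n_edges=300, seed=0):
    """Constructed toy graph (not one of the benchmark datasets).

    Each class owns 10 private feature ids; every node activates 6 of them plus
    1 of 50 shared background ids. By construction, same-class pairs have
    Jaccard >= 2/12 and cross-class pairs have Jaccard <= 1/13.
    `edge_homophily` is the exact fraction of edges joining same-class nodes.
    """
    rng = random.Random(seed)
    labels = [i % n_classes for i in range(n_nodes)]
    feats = []
    for y in labels:
        own = rng.sample(range(y * 10, y * 10 + 10), 6)
        feats.append(frozenset(own) | {1000 + rng.randrange(50)})
    n_same = round(edge_homophily * n_edges)
    n_cross = n_edges - n_same
    same, cross = set(), set()
    while len(same) < n_same or len(cross) < n_cross:
        u, v = sorted(rng.sample(range(n_nodes), 2))
        if labels[u] == labels[v]:
            bucket, limit = same, n_same
        else:
            bucket, limit = cross, n_cross
        if len(bucket) < limit:
            bucket.add((u, v))
    return labels, feats, sorted(same | cross)


def prune_by_similarity(feats, edges, threshold):
    """Keep an edge only if its endpoints' features are similar enough."""
    return [(u, v) for u, v in edges if jaccard(feats[u], feats[v]) >= threshold]


def pruning_audit(edge_homophily, threshold=0.1):
    """Report what the pruning rule does to a clean (unattacked) graph."""
    labels, feats, edges = make_graph(edge_homophily)
    kept = prune_by_similarity(feats, edges, threshold)
    had_edge = {n for e in edges for n in e}
    has_edge = {n for e in kept for n in e}
    return {
        # Fraction of clean edges whose endpoints share a label.
        "edge_homophily": sum(labels[u] == labels[v] for u, v in edges) / len(edges),
        # Fraction of clean edges that survive the defense's preprocessing.
        "clean_edges_kept": len(kept) / len(edges),
        # Nodes that lose every neighbour, so message passing no longer
        # contributes anything to their prediction.
        "newly_isolated_nodes": len(had_edge - has_edge),
    }


if __name__ == "__main__":
    for h in (0.8, 0.2):
        print(f"edge homophily {h}: {pruning_audit(h)}")
```

On the low\-homophily graph the rule removes most clean edges and isolates many nodes, so a flat misclassification rate under a growing budget there reflects a graph the defense has largely discarded rather than robustness of the message passing itself\.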

Table 7: Selected defenses and their average success rates \(evasion setting\) under budget 1 across five datasets\. GCN\-Jaccard excluded for SQUIRREL and CHAMELEON because of an implementation error\. Higher is better\. Best performance in bold, second best is underlined\.

| Taxonomy | Selected Defense | CORA | CITESEER | PUBMED | SQUIRREL | CHAMELEON |
|---|---|---|---|---|---|---|
| Improving graph: Unsupervised | Jaccard-GCN | 20.81±3.94 | 19.58±3.53 | 28.49±7.30 | – | – |
| Improving graph: Supervised | GARNET | 18.91±2.50 | 20.01±3.87 | 16.03±1.82 | 12.95±7.05 | 13.73±5.80 |
| Improving training | GRAND | 16.26±7.33 | 20.47±10.29 | 20.40±5.30 | 4.38±3.00 | 2.28±1.03 |
| Improving training | GCORN | 22.26±2.76 | 19.48±3.30 | OOR | 18.11±8.14 | 15.27±9.58 |
| Improving training | NoisyGNN | 23.73±2.42 | 26.97±4.05 | 16.05±10.88 | 57.38±17.40 | 45.86±21.98 |
| Improving architecture: Adaptively weighting edges: Rule-based | GNNGuard | 7.358±0.84 | 3.9±0.70 | 3.77±1.23 | 31.36±6.95 | 0.00±0.00 |
| Improving architecture: Adaptively weighting edges: Probabilistic | RobustGCN | 26.76±4.88 | 21.96±4.89 | 31.40±9.20 | 26.30±12.28 | 25.00±10.93 |
| Improving architecture: Robust agg. | ElasticGNN | 22.47±4.02 | 21.33±3.04 | 22.17±4.77 | 15.56±6.22 | 12.97±4.44 |
| Improving architecture: Robust agg. | RUNG | 18.64±2.21 | 18.61±2.51 | OOR | 1.65±0.74 | 1.27±0.73 |

Table 8: Selected defenses and their average success rates \(poison setting\) under budget 1 across five datasets\. GCN\-Jaccard excluded for SQUIRREL and CHAMELEON because of an implementation error\. Higher is better\. Best performance in bold, second best is underlined\.

| Taxonomy | Selected Defense | CORA | CITESEER | PUBMED | SQUIRREL | CHAMELEON |
|---|---|---|---|---|---|---|
| Improving graph: Unsupervised | Jaccard-GCN∗ | 24.03±4.26 | 26.72±6.06 | 28.95±7.30 | – | – |
| Improving graph: Supervised | GARNET | 20.51±2.32 | 21.51±3.65 | 16.45±1.83 | 21.92±9.53 | 26.11±9.24 |
| Improving training | GRAND | 20.78±6.61 | 23.54±9.26 | 20.55±5.82 | 9.52±3.59 | 4.81±1.58 |
| Improving training | GCORN | 22.66±2.71 | 19.97±3.08 | OOR | 19.90±8.70 | 16.49±9.59 |
| Improving training | NoisyGNN | 26.07±2.00 | 29.46±3.18 | 15.98±10.86 | 61.77±17.79 | 49.80±21.90 |
| Improving architecture: Adaptively weighting edges: Rule-based | GNNGuard | 8.22±1.25 | 4.45±0.91 | 5.06±0.71 | 31.36±6.95 | 0.00±0.00 |
| Improving architecture: Adaptively weighting edges: Probabilistic | RobustGCN | 30.15±5.76 | 27.19±7.10 | 31.19±9.10 | 33.71±11.92 | 31.58±10.94 |
| Improving architecture: Robust agg. | ElasticGNN | 25.67±4.91 | 27.27±5.05 | 21.18±4.46 | 25.14±8.85 | 22.89±7.64 |
| Improving architecture: Robust agg. | RUNG | 18.81±2.20 | 18.95±2.27 | OOR | 13.63±5.29 | 12.32±2.67 |

### G\.3 Computational Costs of Adversarial Attack

Although Nettack delivers the best performance, it is significantly more computationally expensive than GOttack, SGA, and PR\-BCD \(NA\)\. Table [9](https://arxiv.org/html/2605.05534#A7.T9) shows that GOttack is the fastest among gradient\-based adversarial attack methods on smaller datasets, such as CORA and CITESEER, while SGA outperforms others on the PUBMED dataset due to its focus on the local information of target nodes\. While PR\-BCD \(NA\) is not the fastest method on the datasets studied, its time complexity is independent of both the number of nodes and edges, making it advantageous for large\-scale datasets like OGB\-arxiv \[[27](https://arxiv.org/html/2605.05534#bib.bib27)\]\. In any case, the reliance on results from only three datasets, as is common among the studied models, presents a significant limitation and raises concerns about the robustness and generalizability of the field’s findings\. The authors are not aware of any other machine learning domain where the majority of results rely on such a limited number of datasets\.

Table 9: Average total attack time on 50 target nodes \(in seconds\)\. Smaller is better\. Best time in bold, second best is underlined\.

| Dataset | Type | Attack | $\Delta=1$ | $\Delta=2$ | $\Delta=3$ | $\Delta=4$ | $\Delta=5$ |
|---|---|---|---|---|---|---|---|
| CORA | Global | L1D-RND | 0.17±0.08 | 0.29±0.06 | 0.49±0.11 | 0.65±0.10 | 0.92±0.13 |
| CORA | Global | FGA | 0.36±0.03 | 0.67±0.06 | 0.98±0.10 | 1.30±0.12 | 1.57±0.17 |
| CORA | Global | NETTACK | 19.72±1.46 | 29.75±1.00 | 41.01±2.11 | 50.90±2.51 | 62.80±2.06 |
| CORA | Global | PGD (NA) | 110.86±7.63 | 104.17±8.61 | 95.58±10.93 | 95.83±5.90 | 95.09±14.17 |
| CORA | Global | PR-BCD (NA) | 159.17±26.05 | 158.33±19.49 | 163.96±20.16 | 164.16±17.39 | 163.26±21.55 |
| CORA | Global | GOttack | 8.10±1.03 | 11.09±0.28 | 14.57±0.32 | 17.73±0.55 | 21.43±0.83 |
| CORA | Local | SGA | 16.90±0.37 | 17.73±0.43 | 18.44±0.39 | 18.99±0.46 | 19.23±0.62 |
| CITESEER | Global | L1D-RND | 0.15±0.04 | 0.29±0.12 | 0.36±0.09 | 0.37±0.09 | 0.42±0.07 |
| CITESEER | Global | FGA | 0.25±0.04 | 0.36±0.08 | 0.50±0.06 | 0.56±0.03 | 0.58±0.04 |
| CITESEER | Global | NETTACK | 22.84±1.37 | 29.27±0.91 | 35.83±1.24 | 42.80±1.27 | 49.48±1.62 |
| CITESEER | Global | PGD (NA) | 134.79±6.95 | 129.90±8.68 | 126.59±8.77 | 127.51±9.37 | 121.21±10.59 |
| CITESEER | Global | PR-BCD (NA) | 209.56±40.58 | 215.76±45.17 | 224.09±43.40 | 199.46±36.82 | 195.49±34.81 |
| CITESEER | Global | GOttack | 6.39±1.08 | 8.18±0.17 | 10.41±0.23 | 12.50±0.34 | 14.66±0.36 |
| CITESEER | Local | SGA | 17.39±0.56 | 17.97±0.49 | 19.02±0.52 | 19.13±0.60 | 19.46±0.60 |
| PUBMED | Global | L1D-RND | 1.81±0.54 | 1.72±0.42 | 1.77±0.44 | 1.75±0.37 | 1.64±0.45 |
| PUBMED | Global | FGA | 13.68±0.29 | 27.72±0.48 | 39.25±3.37 | 47.43±0.70 | 59.28±0.87 |
| PUBMED | Global | NETTACK | 423.84±18.17 | 765.05±29.30 | 1095.95±31.13 | 1426.95±42.03 | 1753.58±67.42 |
| PUBMED | Global | PGD (NA) | 4114.65±182.27 | 3922.62±159.91 | 3814.07±112.16 | 3721.93±108.08 | 3689.32±103.25 |
| PUBMED | Global | PR-BCD (NA) | 173.83±6.62 | 177.46±7.42 | 173.28±3.54 | 171.80±8.22 | 173.10±7.56 |
| PUBMED | Global | GOttack | 153.77±3.32 | 252.04±6.47 | 355.97±10.38 | 452.34±10.73 | 553.61±13.92 |
| PUBMED | Local | SGA | 18.09±0.40 | 17.71±0.63 | 19.00±0.68 | 19.85±0.93 | 19.66±0.99 |

Time complexity breakdown\. To better understand the computational cost of different adversarial attack methods, we break attack algorithms into three main stages according to their implementations provided by DeepRobust \[[38](https://arxiv.org/html/2605.05534#bib.bib38)\]: Surrogate, Pre\-attack and Attacks\. The Surrogate stage includes the time required to train and set up the surrogate used in the attack\. The Pre\-attack stage involves the following operations: computing logits of target nodes and normalizing the adjacency matrix in NETTACK and GOttack; performing projected gradient descent training and projected randomized block coordinate descent in PGD and PR\-BCD, respectively; retrieving subgraphs in SGA\. Finally, in the Attacks phase, attack algorithms find the best edges to flip according to the surrogate loss of all potential edges in NETTACK and of selected potential edges in GOttack, while PR\-BCD and PGD perform Bernoulli sampling to select the optimal edge to flip\.

Table [11](https://arxiv.org/html/2605.05534#A7.T11) shows the time complexity breakdown of the three main stages of adversarial attacks for a budget of 1 across three datasets \(CORA, PUBMED, and OGB\-ARXIV\)\. Across all datasets, L1D\-RND is the fastest method, achieving close to zero seconds in all three stages\. Its efficiency is due to its simple random edge selection strategy, which avoids surrogate training and iterative optimization entirely\. Benefiting from fast gradient\-based updates, FGA spends significantly less time on the Pre\-attack and Attack stages and is the second fastest method on CORA and PUBMED\. However, FGA needs to maintain a dense adjacency matrix to compute the gradient, which requires more than 100GiB on OGB\-ARXIV, causing Out\-Of\-Memory \(OOM\)\. On CORA, PUBMED and OGB\-ARXIV, SGA proves to be one of the most efficient attacks, as it limits the pre\-computation to small subgraphs, resulting in minimal time in the Pre\-attack and Attack stages\. In contrast, PGD’s runtime on CORA and PUBMED is dominated by projected gradient descent training in the Pre\-attack stage, accounting for 96% of total runtime on PUBMED\. In addition, PGD encounters the same memory constraints as FGA on OGB\-ARXIV\. Instead of projected gradient descent, PR\-BCD utilizes projected randomized block coordinate descent, which has been shown to reduce the dominant effect of the Pre\-attack stage to 55% on PUBMED\. Methods such as NETTACK and GOttack are significantly slower, particularly on larger datasets\. The Pre\-attack and Attack stages dominate the runtime in NETTACK because it performs optimization over all potential edges to select the best edge to flip\. GOttack’s Pre\-attack and Attack stages show runtime improvements over NETTACK because it reduces the search space by filtering potential edges\.

Table [10](https://arxiv.org/html/2605.05534#A7.T10) reports the GPU memory usage \(in MB\) of different attack methods under budget 1 across five benchmark datasets\. As expected, gradient\-based methods such as PGD \(NA\) and FGA consume substantially more memory, with peak usage above 400 MB on CiteSeer and PubMed\. PRBCD \(NA\) reduces the cost relative to PGD but still requires more than 130 MB across datasets\. In contrast, traditional structure\-based methods like NETTACK and GOttack are much lighter, staying around 60–66 MB, with GOttack consistently achieving the second lowest footprint\. The best efficiency is obtained by L1D\-RND, which uses less than 40 MB on all datasets\. These results confirm that L1D\-RND provides the most memory\-efficient attack, while GOttack is a competitive second choice\.

Table 10: GPU memory usage in MB of attacks on budget 1\. Smaller is better\. Best GPU memory usage is in bold, and the second best is underlined\.

| Method | CHAMELEON | CORA | CITESEER | SQUIRREL | PUBMED |
|---|---|---|---|---|---|
| SGA | 90.824 | 105.619 | 92.143 | 92.312 | 92.537 |
| NETTACK | 65.747 | 64.909 | 66.041 | 64.258 | 62.898 |
| FGA | 335.235 | 331.022 | 413.564 | 328.964 | 328.773 |
| PGD (NA) | 421.835 | 417.622 | 499.784 | 415.564 | 415.374 |
| PRBCD (NA) | 196.014 | 195.169 | 159.254 | 131.659 | 157.704 |
| L1D-RND | 39.568 | 39.553 | 38.901 | 37.825 | 38.703 |
| GOttack | 64.984 | 63.315 | 65.275 | 62.536 | 62.510 |

Table 11: Time breakdown of adversarial attacks on budget 1 \(in seconds\)\. Smaller is better\. Best time in bold, second best is underlined\.

| Dataset | Method | Surrogate | Pre-attack | Attack |
|---|---|---|---|---|
| CORA | L1D-RND | 0.00000±0.00000 | 0.00006±0.00000 | 0.00213±0.00245 |
| CORA | FGA | 0.73066±0.00001 | 0.00011±0.00000 | 0.00531±0.00013 |
| CORA | NETTACK | 1.23075±0.00011 | 0.16365±0.06042 | 0.20430±0.14573 |
| CORA | PGD (NA) | 0.98343±0.00003 | 3.69364±0.82624 | 0.04686±0.00793 |
| CORA | PRBCD (NA) | 1.43114±0.00000 | 4.31843±0.16030 | 0.06399±0.01213 |
| CORA | SGA | 1.62636±0.00005 | 0.32616±0.05827 | 0.00323±0.00016 |
| CORA | GOttack | 1.16423±0.00007 | 0.08035±0.05181 | 0.07113±0.04261 |
| PUBMED | L1D-RND | 0.00000±0.00000 | 0.00007±0.00000 | 0.00387±0.00429 |
| PUBMED | FGA | 1.86278±0.00002 | 0.00045±0.00022 | 0.27881±0.00710 |
| PUBMED | NETTACK | 4.45833±0.00026 | 1.43834±0.04844 | 6.53812±5.08244 |
| PUBMED | PGD (NA) | 2.75710±0.00006 | 155.74790±32.54714 | 2.74592±0.33127 |
| PUBMED | PRBCD (NA) | 2.57097±0.00000 | 3.29684±0.42744 | 0.06547±0.01111 |
| PUBMED | SGA | 10.47330±0.00007 | 0.33145±0.05469 | 0.00329±0.00013 |
| PUBMED | GOttack | 1.91390±0.00005 | 0.91947±0.05263 | 2.03039±1.37443 |
| OGB-ARXIV | L1D-RND | 0.00000±0.00000 | 0.00010±0.00001 | 0.13041±0.23359 |
| OGB-ARXIV | FGA | OOM | OOM | OOM |
| OGB-ARXIV | NETTACK | 12.54029±0.28053 | 362.42469±39.61532 | 894.00637±8.04044 |
| OGB-ARXIV | PGD (NA) | OOM | OOM | OOM |
| OGB-ARXIV | PRBCD (NA) | 7.86793±0.00000 | 12.93282±0.14348 | 0.34241±0.01064 |
| OGB-ARXIV | SGA | 3.85193±0.00870 | 0.50283±0.20965 | 0.01772±0.01850 |
| OGB-ARXIV | GOttack | 12.80845±0.87578 | 326.28377±27.37981 | 288.88327±7.75647 |

### G\.4 Computational Costs of Defense

Table 12: Average total time to train defense models \(in seconds\)\. Smaller is better\. Best time in bold, second best is underlined\.

| Defense | CORA | CITESEER | PUBMED | SQUIRREL | CHAMELEON |
|---|---|---|---|---|---|
| ElasticGNN | 5.03±2.78 | 3.92±2.03 | 8.57±5.27 | 10.67±2.79 | 9.72±5.05 |
| GCN-GARNET | 2.56±2.51 | 3.87±3.66 | 25.81±9.39 | 3.45±2.14 | 3.79±1.56 |
| GCN-Jaccard | 1.24±0.68 | 1.58±0.79 | - | - | - |
| GNNGuard | 1.91±0.47 | 1.62±0.59 | 4.39±0.84 | 5.42±0.63 | 2.37±0.54 |
| GRAND | 6.46±3.00 | 7.50±2.39 | 93.48±40.46 | 28.94±23.13 | 5.42±6.92 |
| RobustGCN | 3.95±2.99 | 0.87±0.12 | 5.54±1.67 | 2.24±0.56 | 1.09±0.22 |
| GCORN | 54.99±8.24 | 29.04±7.89 | 4605.11±727.34 | 130.53±134.07 | 15.40±5.34 |
| RUNG | 130.52±5.34 | 106.62±10.01 | 4265.07±2279.45 | 46.06±20.67 | 7.69±2.78 |
| NoisyGNN | 0.77±0.28 | 1.29±0.49 | 2.13±0.50 | 1.78±1.35 | 1.70±0.68 |

Table [12](https://arxiv.org/html/2605.05534#A7.T12) reports the average total training time \(in seconds\) for various defense models across five benchmark datasets\. Overall, NoisyGNN consistently achieves the fastest training times on most datasets, with particularly low values on CORA, PUBMED, and SQUIRREL\. Its efficiency can be attributed to its lightweight architecture and minimal computational overhead, which allows it to scale well even on larger graphs\. The second fastest model is generally RobustGCN, which performs competitively on CITESEER, PUBMED, and CHAMELEON, likely due to its optimized graph convolution operations that reduce redundant computations\. In contrast, RUNG is the slowest model by a wide margin, especially on large datasets such as PUBMED and CITESEER\. This significant slowdown is likely caused by its complex training procedure and extensive use of robust aggregation mechanisms, which introduce high computational cost\. Other models such as GCORN and GRAND also show high training times on large graphs, highlighting the trade\-off between defense sophistication and training efficiency\.

### G\.5 Feature attack results

We conduct feature\-attack variants of FGA, NETTACK, PGD, PR\-BCD, and SGA on vanilla models across homophily datasets\. Overall, the results in Table [32](https://arxiv.org/html/2605.05534#A11.T32) show that NETTACK and FGA consistently yield the highest misclassification rates in both evasion and poisoning settings, while SGA and PGD perform substantially worse\. We observe a similar trend to that in structural attacks: PR\-BCD outperforms the remaining feature\-attack methods on CORA and CITESEER for GCN, while PR\-BCD performs worse on PUBMED and other vanilla models; NETTACK remains a dominant attack method, with an average rank of 1\.52 across all settings, whereas FGA remains the second best with an average rank of 2\.56; NETTACK achieves superior performance on PNA on all datasets and in both evasion and poison settings; high\-degree nodes remain significantly more robust \(11\.92% average success rate\) than low\-degree nodes \(94\.85%\)\.

Feature attacks largely mirror the trends observed in structural attacks, with consistent rankings and performance gaps across methods and settings\. Given this strong alignment, our study primarily focuses on structural attacks for evaluation and analysis, as they provide representative insights while reducing redundancy\. We leave a more in\-depth exploration of feature attacks, building upon our current framework, as future work\.

## Appendix H Defense Models

Selection criteria. In addition to the vanilla attack scenario, we also evaluate adversarial attack methods against defense models (defense attack scenario). However, to avoid the significant number of experiments needed to evaluate each adversarial attack against all defense models existing in the literature, we first select six defense models, one from each taxonomy described in Table [13](https://arxiv.org/html/2605.05534#A8.T13), to cover the entire spectrum of defense techniques. In this work, we select defense models according to the following criteria: i) highly cited defenses published at renowned venues; ii) publicly available code; iii) recently published. Following [Mujkanovic et al.](https://arxiv.org/html/2605.05534#bib.bib44)’s work, we exclude defense models from the “Robust training” taxonomy from our study, since they require knowing the clean graph $\mathcal{G}$, which is typically not available in the poison attack setting.

Table 13: Categorization of selected defenses, adopted and extended from Günnemann [[23](https://arxiv.org/html/2605.05534#bib.bib23)], Mujkanovic et al. [[44](https://arxiv.org/html/2605.05534#bib.bib44)].

Taxonomy Selected Defenses Other Defenses Improving graph Unsupervised Supervised Improving training GRAND [[21](https://arxiv.org/html/2605.05534#bib.bib21)] GCORN [[1](https://arxiv.org/html/2605.05534#bib.bib1)] NoisyGNN [[15](https://arxiv.org/html/2605.05534#bib.bib15)] [[21](https://arxiv.org/html/2605.05534#bib.bib21),[14](https://arxiv.org/html/2605.05534#bib.bib14),[31](https://arxiv.org/html/2605.05534#bib.bib31)] [[62](https://arxiv.org/html/2605.05534#bib.bib62),[68](https://arxiv.org/html/2605.05534#bib.bib68),[72](https://arxiv.org/html/2605.05534#bib.bib72)] [[7](https://arxiv.org/html/2605.05534#bib.bib7),[12](https://arxiv.org/html/2605.05534#bib.bib12),[20](https://arxiv.org/html/2605.05534#bib.bib20)] [[28](https://arxiv.org/html/2605.05534#bib.bib28),[58](https://arxiv.org/html/2605.05534#bib.bib58),[59](https://arxiv.org/html/2605.05534#bib.bib59)] Improving architecture Adaptively weighting edges Rule-based GNNGuard [[65](https://arxiv.org/html/2605.05534#bib.bib65)] [[33](https://arxiv.org/html/2605.05534#bib.bib33),[40](https://arxiv.org/html/2605.05534#bib.bib40),[64](https://arxiv.org/html/2605.05534#bib.bib64)] Probabilistic RobustGCN [[70](https://arxiv.org/html/2605.05534#bib.bib70)] Robust agg. ElasticGNN [[41](https://arxiv.org/html/2605.05534#bib.bib41)] RUNG [[25](https://arxiv.org/html/2605.05534#bib.bib25)] [[9](https://arxiv.org/html/2605.05534#bib.bib9),[22](https://arxiv.org/html/2605.05534#bib.bib22)]

Jaccard-GCN. Prior to training the GCN, the adjacency matrix is first preprocessed by pruning edges between pairs of nodes whose Jaccard coefficient of the binarized features, $J_{ij}=\frac{\mathbf{X}_{i}\mathbf{X}_{j}}{\min\{\mathbf{X}_{i}+\mathbf{X}_{j},1\}}$, exceeds a threshold $\epsilon$.

GARNET. Similar to Jaccard-GCN, GARNET is a spectral method that preprocesses data to enhance the robustness of GNN models. GARNET first leverages weighted spectral embedding to construct a base graph that utilizes the top few dominant singular components of $\mathbf{A}$ to restore its important graph spectrum. This is not only robust to adversarial attacks but also preserves important structural information for GNN training. Secondly, GARNET refines the base graph by pruning uncritical edges according to a probabilistic graphical model.

GRAND\.GRAND begins by introducing a random propagation strategy to augment the graph data\. Following that, GRAND leverages consistency regularization to optimize the prediction consistency of unlabeled nodes across different data augmentations\.

GCORN. A theoretical concept of expected robustness in the context of attributed graphs and an upper bound of the expected robustness are first defined by [Abbahaddou et al.](https://arxiv.org/html/2605.05534#bib.bib1). Leveraging the established upper bound on the expected robustness, GCORN utilizes the orthonormalization of weight matrices to control the robustness of GCNs against adversarial attacks.

GNNGuard. The robustness of GNNGuard is attributed to two novel components: the neighbor importance estimation and the layer-wise graph memory. GNNGuard estimates an importance weight for every edge $e_{uv}$ to quantify how relevant node $u$ is to another node $v$, according to the hypothesis that similar nodes are more likely to interact than dissimilar nodes. Updating edges with low importance weights corresponds to pruning uncritical edges, since those edges will likely be ignored by the GNN. However, neighbor importance estimation and edge pruning change the graph structure between adjacent GNN layers, which could potentially destabilize GNN training. To allow for robust estimation of importance weights and smooth evolution of edge pruning, GNNGuard utilizes layer-wise graph memory at each GNN layer, keeping partial memory of the pruned graph structure from the previous layer.

RobustGCN\.To improve GCN robustness, instead of representing nodes as vectors, RobustGCN utilizes Gaussian distributions as the hidden representations to absorb perturbations\. Moreover, it uses a variance\-based attention mechanism that assigns weights to the node neighbourhoods according to their variances when performing convolutions\.

ElasticGNN. ElasticGNN utilizes a novel and general message passing scheme that works based on $\mathcal{L}_{1}$ and $\mathcal{L}_{2}$-based graph smoothing. This message passing algorithm is not only friendly to back-propagation training but also achieves the desired smoothing properties with a theoretical convergence guarantee. Locally adaptive smoothness makes Elastic GNNs more robust to adversarial attacks on graph structure. This is because the attack tends to connect nodes with different labels, which fuzzes the cluster structure in the graph. But ElasticGNN can tolerate large node differences along these wrong edges, and maintain the smoothness along correct edges.

RUNG. RUNG improves robustness against adversarial attacks by introducing a robust and unbiased graph signal estimator that mitigates the estimation bias present in traditional $\mathcal{L}_{1}$-based methods. It employs the Minimax Concave Penalty (MCP) to downweight or prune suspicious edges with large feature differences, reducing the impact of adversarial perturbations. The Quasi-Newton Iteratively Reweighted Least Squares (QN-IRLS) algorithm efficiently solves the non-convex optimization problem, ensuring stable convergence and enabling the model to maintain clean accuracy while defending against attacks.

## Appendix I Importance of node degree as criteria to select target nodes and model selection in adversarial attack evaluation

In this section, we highlight the importance of node degree and model selection in evaluating adversarial attacks. Table [30](https://arxiv.org/html/2605.05534#A11.T30) provides a comprehensive comparison of the differences in performance of adversarial attacks when evaluating with and without model selection, while Table [29](https://arxiv.org/html/2605.05534#A11.T29) shows complete differences caused by considering degree as target node selection. A high-level summary of Table [30](https://arxiv.org/html/2605.05534#A11.T30) and Table [29](https://arxiv.org/html/2605.05534#A11.T29) is provided by Figure [5](https://arxiv.org/html/2605.05534#A9.F5). In general, high-degree nodes are more challenging to attack by existing adversarial methods, resulting in significant increases in the performance of all adversarial attacks when we exclude high-degree nodes in evaluation, especially on the PUBMED dataset (Figure [5(c)](https://arxiv.org/html/2605.05534#A9.F5.sf3)). In addition, Figure [5](https://arxiv.org/html/2605.05534#A9.F5) also indicates that evaluating adversarial attacks without performing model selection on victim and surrogate models, which is typically done in practice, results in differences in adversarial attack performance.

![Refer to caption](https://arxiv.org/html/2605.05534v1/x17.png)\(a\)CORA
![Refer to caption](https://arxiv.org/html/2605.05534v1/x18.png)\(b\)CITESEER
![Refer to caption](https://arxiv.org/html/2605.05534v1/x19.png)\(c\)PUBMED

Figure 5: Performance of seven adversarial attacks on GSAGE on CORA datasets in poison setting. The figures show the comparison of adversarial attacks’ performance obtained from our proposed evaluation procedure, our evaluation without model selection and our evaluation without node degree as a criterion to select target nodes.

Table [14](https://arxiv.org/html/2605.05534#A9.T14) highlights a clear dependence of adversarial vulnerability on node degree. For both Cora and Citeseer, nodes with lower degrees exhibit markedly higher average misclassification rates under the top three attacks, confirming that sparsely connected nodes are the most susceptible to perturbations. In Cora, degree-1 nodes reach nearly 0.9 average misclassification, while nodes of degree 14 or 15 show negligible rates. A similar pattern holds for Citeseer, where the rate drops from 0.84 at degree 1 to almost zero by degree 14. Interestingly, intermediate degrees (such as 10–12) show fluctuations rather than a strictly monotonic decline, suggesting that local structural context and model bias interact with degree in nontrivial ways. Overall, these results reinforce the intuition that robustness is strongly linked to connectivity, with low-degree nodes remaining a persistent weak point across models and datasets.

Table 14: Top 15 node degrees and their average misclassification rates on vanilla models (GCN, GIN, GraphSAGE, PNA) under top-3 adversarial attacks (Nettack, FGA, PRBCD) in the evasion setting.

| Node Degree | Cora (Avg. Misclassification %) | Citeseer (Avg. Misclassification %) |
|---|---|---|
| 1 | 0.88±0.13 | 0.84±0.13 |
| 2 | 0.84±0.15 | 0.83±0.09 |
| 3 | 0.79±0.12 | 0.71±0.14 |
| 4 | 0.65±0.20 | 0.60±0.08 |
| 5 | 0.61±0.16 | 0.47±0.15 |
| 6 | 0.58±0.19 | 0.51±0.11 |
| 7 | 0.50±0.28 | 0.31±0.14 |
| 8 | 0.50±0.14 | 0.26±0.18 |
| 9 | 0.29±0.27 | 0.12±0.14 |
| 10 | 0.31±0.29 | 0.35±0.30 |
| 11 | 0.42±0.47 | 0.19±0.30 |
| 12 | 0.47±0.41 | 0.19±0.21 |
| 13 | 0.33±0.44 | 0.08±0.29 |
| 14 | 0.06±0.16 | 0.00±0.00 |
| 15 | 0.18±0.24 | 0.01±0.04 |

Model Selection. Model selection is an important step performed prior to deploying GNNs in real-world applications. Table [30](https://arxiv.org/html/2605.05534#A11.T30) indicates that failing to perform model selection in adversarial attacks could prevent adversarial GNN practitioners from exploring their impact in practice. The difference between evaluating adversarial attacks with and without model selection ranges from −16.40% to 19.07%, with a 5.19% average absolute difference across adversarial attacks. Performing model selection in evaluation could potentially change the average rank of adversarial attacks. Especially in the setting of GIN and GSAGE, in both evasion and poison settings, the performance of L1D-RND attacks significantly drops by 9.15% on average, thus increasing the average rank of L1D-RND by 2.74 on average.

Node degree. Table [29](https://arxiv.org/html/2605.05534#A11.T29) shows that considering node degree as a target node selection criterion instead of selecting randomly results in a significant drop in adversarial attack performance in most cases, with a 9.80% average decrease. Especially in the setting of GCN on the PUBMED dataset with budget 3 in both settings, the difference in PR-BCD (NA) performance between evaluating with and without degree as a target node selection criterion is notably significant: 26.3% in evasion and 25.97%. Furthermore, the difference in adversarial attack performance on the PUBMED dataset is −14.969% on average, while that on CORA and CITESEER is −6.93% and −7.51% on average, respectively.

## Appendix J L1D-RND: A simple yet effective baseline for adversarial attacks

This section provides further information about the naive baseline L1D-RND. The algorithm and intuition behind L1D-RND are discussed in Section [J](https://arxiv.org/html/2605.05534#A10), while Section [4](https://arxiv.org/html/2605.05534#alg4) highlights the improvement of L1D-RND over random attack (RND).

Attack strategy and motivation. The L1D-RND attack follows the strategy described in Algorithm [3](https://arxiv.org/html/2605.05534#alg3). Given a target node $v_{t}$, the adjacency matrix $\mathbf{A}$, and node features $\mathbf{X}$, L1D-RND randomly decides to add or to remove an edge (Line [7](https://arxiv.org/html/2605.05534#alg3.l7)). In the case of adding an edge, L1D-RND first randomly samples a set of vertices $\mathcal{V}_{\text{candidate}}^{\prime}$ that are not neighbours of the target node $v_{t}$ (Line [10](https://arxiv.org/html/2605.05534#alg3.l10)). L1D-RND then adds an edge between the target node $v_{t}$ and $u$, where $u$ is the node with the highest degree in $\mathcal{V}_{\text{candidate}}^{\prime}$ (Line [13](https://arxiv.org/html/2605.05534#alg3.l13)). We select the highest-degree node from the sample $\mathcal{V}_{\text{candidate}}^{\prime}$ to avoid always selecting the node with the highest degree in the whole graph. The adversarial impact of edges added by L1D-RND is attributed to two features: stochasticity and node degree. In particular, sampling a subset of nodes introduces stochastic noise to the target node $v_{t}$, and selecting the node with the highest degree picks the node that can aggregate the most messages from its neighbours. In the case of removing an edge, L1D-RND considers removing an edge between the target node $v_{t}$ and its neighbours, excluding new neighbours added by L1D-RND (Line [18](https://arxiv.org/html/2605.05534#alg3.l18)). Similar to the case of adding an edge, L1D-RND then samples a set of vertices $\mathcal{V}_{\text{candidate}}^{\prime}$ from its neighbours. Finally, L1D-RND removes an edge between the target node $v_{t}$ and $u$, where $u$ has the highest influence score, computed in Algorithm [4](https://arxiv.org/html/2605.05534#alg4). For each node $u$, the influence score is defined by computing the $\mathcal{L}_{1}$ norm of the features of $u$ and its neighbours. This influence score provides an approximation of the contribution of messages of node $u$ to the representation of $u$’s neighbours in the message aggregation stage.

```
Algorithm 3  L1D-RND($v_t$, $\Delta$, $\mathcal{G}$, $r$)
 1: Input: Target node $v_t$, modified budget $\Delta$, Graph $\mathcal{G}=(\mathbf{A},\mathbf{X})$, sample ratio $r$
 2: Output: Modified graph $\mathcal{G}'=(\mathbf{A}',\mathbf{X})$
 3: $\mathbf{A}'=\mathbf{A}$
 4: $\mathcal{N}_{v_t}^{\text{new}}=[]$
 5: while $|\mathbf{A}-\mathbf{A}'|<\Delta$ do
 6:     $\mathcal{N}_{v_t}=$ neighbor($v_t$, $\mathbf{A}'$)
 7:     $x\leftarrow\text{rand()}$  // Random number between 0 and 1
 8:     if $x>0.5$ then
 9:         // Add an edge
10:         $\mathcal{V}_{\text{candidate}}=[0,1,2,\dots,\text{len}(\mathbf{A})]-\mathcal{N}_{v_t}$  // Exclude neighbours nodes
11:         $k=\lfloor r\times|\mathcal{V}_{\text{candidate}}|\rfloor$
12:         $\mathcal{V}_{\text{candidate}}^{\prime}\sim\text{Uniform}(\mathcal{V}_{\text{candidate}},k)$
13:         $e^{*}=(v_t,u)\leftarrow\arg\max_{u\in\mathcal{V}_{\text{candidate}}^{\prime}}\text{degree}(u,\mathbf{A}')$
14:         $\mathbf{A}'=\mathbf{A}'+e^{*}$
15:         $\mathcal{N}_{v_t}^{\text{new}}$.append($u$)
16:     else
17:         // Remove an edge
18:         $\mathcal{N}_{v_t}^{-}=\mathcal{N}_{v_t}-\mathcal{N}_{v_t}^{\text{new}}$
19:         $k=\lfloor r\times|\mathcal{N}_{v_t}^{-}|\rfloor$
20:         $\mathcal{V}_{\text{candidate}}\sim\text{Uniform}(\mathcal{N}_{v_t}^{-},k)$
21:         $e^{*}=(v_t,u)\leftarrow\arg\max_{u\in\mathcal{V}_{\text{candidate}}}s_{\text{influence}}(u,\mathbf{A}',\mathbf{X})$
22:         $\mathbf{A}'=\mathbf{A}'-e^{*}$
```

```
Algorithm 4  $s_{\text{influence}}$($u$, $\mathbf{A}$, $\mathbf{X}$)
 1: Input: Node $u$, Adjacency matrix $\mathbf{A}$, Node feature $\mathbf{X}$
 2: Output: Influence score $s_{\text{influence}}$
 3: $\mathcal{N}_{u}=\text{neighbor}(u,\mathbf{A})+u$
 4: $s_{\text{influence}}=L_{1}\text{norm}(\mathbf{X}[\mathcal{N}_{u},:])$
```
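Algorithms 3 and 4 written out in NumPy, as an added example for reproducing the baseline in a robustness evaluation (not the authors' code). Assumptions beyond the pseudocode: the graph is undirected with a symmetric 0/1 adjacency matrix, the budget counts flipped undirected edges, $v_t$ is excluded from the add candidates, and an empty sample skips the move under an iteration cap; the helper names and the 8-node sample graph are constructed.

```python
import numpy as np


def neighbors(v, A):
    """Indices of the nodes adjacent to v in the adjacency matrix A."""
    return np.flatnonzero(A[v])


def influence_score(u, A, X):
    """Algorithm 4: L1 norm of the feature rows of u and of u's neighbours."""
    rows = np.append(neighbors(u, A), u)
    return float(np.abs(X[rows]).sum())


def sample_subset(pool, r, rng):
    """Uniformly draw floor(r * |pool|) nodes without replacement."""
    k = int(np.floor(r * len(pool)))
    return rng.choice(pool, size=k, replace=False) if k > 0 else pool[:0]


def pick_add(v_t, A_mod, r, rng):
    """Lines 10-13: highest-degree node among the sampled non-neighbours."""
    # Assumption: v_t itself is excluded as well, so no self-loop is created.
    taken = np.append(neighbors(v_t, A_mod), v_t)
    pool = np.setdiff1d(np.arange(A_mod.shape[0]), taken)
    sample = sample_subset(pool, r, rng)
    if len(sample) == 0:          # assumption: an empty sample means "no move"
        return None
    return int(sample[np.argmax(A_mod[sample].sum(axis=1))])


def pick_remove(v_t, A_mod, X, added, r, rng):
    """Lines 18-21: highest-influence node among sampled original neighbours."""
    pool = np.setdiff1d(neighbors(v_t, A_mod), np.array(added, dtype=int))
    sample = sample_subset(pool, r, rng)
    if len(sample) == 0:
        return None
    scores = [influence_score(u, A_mod, X) for u in sample]
    return int(sample[int(np.argmax(scores))])


def edge_flips(A, A_mod):
    """Number of undirected edges that differ between the two graphs."""
    return int(np.triu(A != A_mod, k=1).sum())


def l1d_rnd(v_t, budget, A, X, r, seed=0, max_iter=10_000):
    """Algorithm 3 on a symmetric 0/1 adjacency matrix; returns a modified copy."""
    rng = np.random.default_rng(seed)
    A_mod, added = A.copy(), []
    for _ in range(max_iter):     # assumption: cap iterations so a stalled run ends
        if edge_flips(A, A_mod) >= budget:
            break
        if rng.random() > 0.5:    # add an edge
            u = pick_add(v_t, A_mod, r, rng)
            if u is not None:
                A_mod[v_t, u] = A_mod[u, v_t] = 1
                added.append(u)
        else:                     # remove an edge
            u = pick_remove(v_t, A_mod, X, added, r, rng)
            if u is not None:
                A_mod[v_t, u] = A_mod[u, v_t] = 0
    return A_mod


# Constructed 8-node graph and binary features (sample data, not from the paper).
EDGES = [(0, 1), (0, 2), (1, 3), (2, 5), (3, 4), (3, 5), (4, 5), (5, 6), (5, 7), (6, 7)]
A = np.zeros((8, 8), dtype=int)
for i, j in EDGES:
    A[i, j] = A[j, i] = 1
X = np.array([[1, 0, 0, 0], [1, 1, 0, 0], [0, 1, 0, 0], [1, 1, 1, 1],
              [0, 0, 1, 0], [0, 0, 0, 1], [1, 0, 1, 0], [0, 1, 0, 1]])

if __name__ == "__main__":
    A_adv = l1d_rnd(v_t=0, budget=3, A=A, X=X, r=0.5, seed=7)
    changed = sorted({int(j) for i, j in np.argwhere(A != A_adv) if i == 0})
    print("edges flipped at node 0:", changed)
    print("degree of node 0 before/after:", A[0].sum(), A_adv[0].sum())
```

With a small ratio such as `r = 0.1` on this low-degree target, both samples are empty and the graph comes back unchanged, a case in which the argmax of Lines 13 and 21 is taken over an empty set.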

Improvement over random attack (RND). This section highlights the improvement of the $\mathcal{L}_{1}$ norm and node degree in L1D-RND over random attack (RND). Table [31](https://arxiv.org/html/2605.05534#A11.T31) shows that L1D-RND outperforms RND by an average of 5.15% in 84% of settings. In particular, L1D-RND performs significantly better than RND, by an average of 13.4%, in all settings on GRAND.

While many benchmark datasets use sparse, bag\-of\-words\-like node features \(e\.g\., Cora, Citeseer, Pubmed\), we test the generality of L1D\-RND by evaluating it on OGB\-Arxiv, a large\-scale graph with continuous node embeddings derived from raw text\. Even in this setting, L1D\-RND outperforms PR\-BCD \(NA\) in 8 out of 10 cases on GraphSAGE and remains competitive on GCN \(Tables 16–19, Support results\)\. These results suggest that even basic perturbation strategies can be effective under practical constraints, especially when stronger attacks lose efficacy due to defense adaptations or poor transferability\. We advocate including simple baselines like L1D\-RND in future evaluations to ensure that observed robustness is not overstated by comparisons limited only to complex attacks\.

Time cost. Table [9](https://arxiv.org/html/2605.05534#A7.T9) shows the superior speed of our simple L1D-RND attack compared to iterative or gradient-based methods. L1D-RND demonstrates remarkable efficiency in adversarial attacks, as evidenced by its consistently low and stable execution times across budgets. With execution times ranging from just $16.90\pm 0.37$ seconds to $19.23\pm 0.62$ seconds, L1D-RND is orders of magnitude faster than the remaining gradient-based attacks, especially PGD.

Factors Driving the Effectiveness of L1D\-RND\.Our hypothesis is that the success of L1D\-RND attack, especially against defended models, arises from two main factors\.

First is bias toward high-degree nodes. Even though L1D-RND is simple, its edge selection is not purely random. On the addition side, it connects the target node to a high-degree node (line 13 in Alg. 3). On the removal side, it prunes based on an $L_{1}$-norm-based influence measure (Alg. 4), which correlates with local feature aggregation. This introduces a structure-aware perturbation mechanism, despite the absence of gradient-based optimization. Our ablation shows that both components, when used independently, are sufficient to create harmful structural noise.

The second factor is the mismatch between attack complexity and defense generalization\. Existing defenses often assume strong adversarial priors \(e\.g\., feature gradients, link importance\)\. These may fail to generalize against structurally simple, diverse attacks\. L1D\-RND \(because it doesn’t follow conventional optimization\) creates perturbations that may fall outside the expected adversarial space, allowing it to bypass some defenses\.

The ablation table supports this: L1D\-RND\-Add Only and L1D\-RND\-Remove Only consistently outperform the fully randomized baseline and sometimes even the full L1D\-RND\. In particular, Add Only is dominant in many settings, suggesting that the influence of hub\-attachment alone can severely distort message\-passing dynamics\.

![Refer to caption](https://arxiv.org/html/2605.05534v1/x20.png)\(a\)PNA
![Refer to caption](https://arxiv.org/html/2605.05534v1/x21.png)\(b\)GRAND

Figure 6: Ablation study on L1D-RND. The effect of the other two variants of L1D-RND, one that adds edges only (degree effect) and one that removes edges only ($L^{1}$ norm effect), on different classes of target nodes: high/low margin, high/low degree and random, on budget 5 in the evasion setting.

## Appendix K Adversarial Attack Methods

In this section, we summarize the state\-of\-the\-art adversarial attack techniques considered in our benchmark\. These attacks vary in their use of surrogate models, optimization strategies, and access assumptions, offering a diverse testbed for evaluating GNN robustness\.

Table 15: Adversarial attacks and victim models used to evaluate the attack method in the corresponding paper.

| Adversarial attacks | Victim models |
|---|---|
| NETTACK | GCN, DeepWalk, CLN |
| FGA | GCN, GraRep, GraphGAN, DeepWalk, Node2vec, LINE |
| PGD | GCN |
| PR-BCD | GCN, Soft Median GDC, Soft Median PPRGo, Soft Medoid GDC, GDC, PPRGo, RGCN, GCN-Jaccard, GCN-SVD |
| SGA | GCN, SGC, GAT, GraphSAGE, Cluster-GCN |
| GOttack | GCN, GIN, GraphSAGE, RGCN, GCN-Jaccard, GCN-SVD, MedianGCN |

Nettack. One of the earliest comprehensive attack frameworks on graph data. Nettack perturbs both graph structure and node features using surrogate gradient information from a trained GCN. Specifically, it applies discrete combinatorial search to structure perturbations, while using gradient-based optimization for feature perturbations. Nettack operates in a targeted, transfer-based setting and has been widely adopted as a baseline for local attacks.

FGA\.The Fast Gradient Attack generates adversarial examples by computing gradients with respect to the adjacency matrix and feature matrix of a GCN surrogate\. Although originally proposed for unsupervised embeddings \(e\.g\., DeepWalk, LINE\), it is also used in GNN contexts\. FGA operates in a white\-box setting with access to model gradients\.

PGD\.Projected Gradient Descent \(PGD\) attacks optimize graph perturbations using first\-order methods and have been proposed both for attack and for adversarial training\. In our benchmark, we use PGD in a transfer setting via a GCN surrogate\. However, it is important to note that PGD can also be deployed adaptively in white\-box settings, where its full strength is realized by directly attacking the defense model\. Adaptive variants are left for future expansion of our benchmark\.

PR\-BCD\.This scalable attack framework employs a block coordinate descent \(BCD\) strategy to optimize perturbations efficiently\. It supports both targeted and global settings and introduces custom surrogate losses\. In contrast to prior work that evaluated PR\-BCD in a transfer setting, we evaluate it both as a transfer\-based attack using a fixed GCN surrogate, and in an adaptive, white\-box setting where it directly attacks the defended model\. This inclusion addresses recent calls for adaptive robustness evaluation\.

Table 16: Adversarial attacks and corresponding surrogate models.

| Adversarial attacks | Surrogate model |
|---|---|
| NETTACK | GCN |
| FGA | GCN |
| PGD | GCN |
| PR-BCD | GCN |
| SGA | SGC |
| GOttack | GCN |

SGA\.The Simplified Gradient\-based Attack reduces computational overhead by restricting optimization to smaller subgraphs\. It uses SGC \(a simplified GCN variant\) as its surrogate and targets structural vulnerabilities efficiently\. While not adaptive to defenses, SGA offers a lightweight attack option for benchmarking\.

GOttack\.GOttack introduces a topological approach to adversarial attacks using graph orbits\. Instead of relying on gradients, it learns structural patterns to perturb, making it model\-agnostic and efficient\. GOttack demonstrates strong performance in transfer\-based settings, especially on graph datasets where symmetry\-based features are predictive\.

Table [15](https://arxiv.org/html/2605.05534#A11.T15) summarizes the original victim models used in each attack’s evaluation. Table [16](https://arxiv.org/html/2605.05534#A11.T16) lists the surrogate models employed during attack generation. While many attacks rely on GCNs as surrogates, we highlight the distinction between transfer-based attacks (e.g., Nettack, FGA, GOttack) and our inclusion of adaptive PR-BCD as a white-box method directly targeting defended models. This allows our benchmark to more realistically assess model robustness under both practical and worst-case threat assumptions.

Table 17:Hyper\-parameters used for model selection\.ModelsLayersEpochsPatienceOptimizerSchedulerInitializerGCN \(victim\)5×10−45\\times 10^\{\-4\}10−310^\{\-3\}0\.01100050ADAM\-Glorot \(Xavier\)GCN \(surrogate\)\-5×10−45\\times 10^\{\-4\}10−310^\{\-3\}0\.01100050ADAM\-sumGlorot \(Xavier\)GIN1×10−41\\times 10^\{\-4\}5×10−45\\times 10^\{\-4\}10−310^\{\-3\}100050ADAMStep\-LR\(step: 50,gamma: 0\.5\)Kaiming \(He\)GSAGE1×10−41\\times 10^\{\-4\}5×10−45\\times 10^\{\-4\}10−310^\{\-3\}100050ADAM\-Kaiming \(He\)PNA5×10−45\\times 10^\{\-4\}1×10−41\\times 10^\{\-4\}10−310^\{\-3\}100001000ADAM\-Kaiming \(He\)GNNGuard\-5×10−45\\times 10^\{\-4\}10−310^\{\-3\}100050ADAM\-Glorot \(Xavier\)GRAND\-5×10−45\\times 10^\{\-4\}1×10−41\\times 10^\{\-4\}10−310^\{\-3\}100050ADAM\-Kaiming \(He\)ElasticGNN5×10−45\\times 10^\{\-4\}5×10−55\\times 10^\{\-5\}5×10−65\\times 10^\{\-6\}100050ADAM\-Kaiming \(He\)RobustGCN5×10−45\\times 10^\{\-4\}1×10−41\\times 10^\{\-4\}10−310^\{\-3\}100050ADAM\-Glorot \(Xavier\)SGC5×10−45\\times 10^\{\-4\}10−310^\{\-3\}0\.01100050ADAMGlorot \(Xavier\)GCORN2\-\-100050ADAM\-\-Orthogonal InitializationRUNG\-\-100050ADAM\-\-Kaiming \(He\)NoisyGNN\-\-30050ADAM\-\-Glorot \(Xavier\)

Table 18: Vanilla Homophily Results. Evaluating six adversarial attacks on four vanilla attack victim models - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined.

| Setting | Model | Attack | CORA Δ=1 | CORA Δ=2 | CORA Δ=3 | CORA Δ=4 | CORA Δ=5 | CITESEER Δ=1 | CITESEER Δ=2 | CITESEER Δ=3 | CITESEER Δ=4 | CITESEER Δ=5 | PUBMED Δ=1 | PUBMED Δ=2 | PUBMED Δ=3 | PUBMED Δ=4 | PUBMED Δ=5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | GCN | L1D-RND | 13.20±4.33 | 22.53±6.95 | 29.20±5.60 | 32.93±6.67 | 32.13±5.04 | 15.20±4.20 | 28.67±12.39 | 36.53±9.09 | 37.73±9.44 | 42.13±7.11 | 10.93±3.01 | 15.47±4.87 | 17.20±6.58 | 18.80±5.28 | 23.60±9.63 | 7.00 |
| Evasion | GCN | FGA | 27.87±3.74 | 46.13±7.03 | 55.73±4.33 | 60.93±5.06 | 64.67±4.76 | 25.47±4.10 | 36.00±8.18 | 50.27±5.90 | 56.53±2.97 | 58.27±4.27 | 35.60±3.14 | 47.60±5.77 | 55.33±4.12 | 58.40±2.29 | 58.00±3.02 | 3.40 |
| Evasion | GCN | NETTACK | 29.60±5.19 | 49.60±5.77 | 56.80±4.52 | 62.13±4.17 | 63.73±3.99 | 28.13±7.15 | 45.33±9.06 | 49.87±9.61 | 58.93±5.85 | 59.73±3.92 | 33.73±3.37 | 55.73±4.33 | 57.47±2.20 | 58.67±2.09 | 58.67±2.23 | 2.20 |
| Evasion | GCN | PGD | 29.33±4.12 | 48.00±5.24 | 54.93±3.28 | 59.60±4.36 | 59.20±5.49 | 25.47±4.87 | 40.27±7.55 | 48.13±7.23 | 52.27±7.28 | 55.47±5.15 | 34.13±3.66 | 40.67±3.98 | 40.93±5.18 | 44.80±5.75 | 44.93±6.27 | 4.93 |
| Evasion | GCN | PR-BCD (NA) | 32.13±3.50 | 53.87±4.44 | 59.20±2.81 | 63.20±3.36 | 65.73±3.92 | 34.53±6.82 | 54.67±5.05 | 60.40±4.42 | 64.67±5.16 | 65.87±4.17 | 29.60±3.04 | 36.53±3.25 | 45.73±3.92 | 51.47±4.56 | 54.13±3.25 | 2.47 |
| Evasion | GCN | SGA | 26.27±3.69 | 44.67±7.58 | 55.33±4.88 | 58.13±3.81 | 60.67±5.00 | 23.47±2.77 | 35.87±6.07 | 47.47±4.31 | 51.07±4.95 | 53.73±3.99 | 34.27±4.27 | 42.13±6.30 | 51.33±7.08 | 54.27±6.71 | 54.80±4.46 | 5.13 |
| Evasion | GCN | GOttack | 28.53±4.37 | 49.33±6.83 | 56.13±5.26 | 60.53±6.12 | 62.13±4.87 | 25.60±4.22 | 39.33±9.03 | 51.60±6.10 | 57.33±4.82 | 56.80±7.40 | 35.87±3.42 | 48.00±6.46 | 56.13±3.58 | 58.13±2.77 | 59.60±2.16 | 2.87 |
| Evasion | GIN | L1D-RND | 20.13±7.35 | 37.07±15.27 | 42.67±8.80 | 43.20±10.05 | 43.73±12.02 | 16.80±10.87 | 33.47±15.76 | 35.73±14.94 | 38.53±13.17 | 43.33±12.57 | 13.33±5.64 | 23.07±12.89 | 26.67±12.75 | 22.40±10.26 | 22.27±11.54 | 6.60 |
| Evasion | GIN | FGA | 23.47±4.63 | 31.07±7.09 | 42.40±9.77 | 50.67±9.76 | 55.47±7.31 | 17.07±7.70 | 34.27±10.33 | 42.13±10.29 | 48.53±9.96 | 55.33±9.99 | 32.53±21.89 | 44.53±22.54 | 45.33±23.31 | 54.67±24.86 | 55.47±27.60 | 3.60 |
| Evasion | GIN | NETTACK | 26.53±6.91 | 45.20±7.04 | 53.87±7.03 | 59.20±6.45 | 65.20±6.88 | 21.07±8.38 | 42.13±8.30 | 51.60±11.11 | 60.27±10.61 | 62.53±10.91 | 33.60±22.81 | 45.47±21.97 | 51.07±24.92 | 53.60±25.38 | 55.87±26.73 | 1.27 |
| Evasion | GIN | PGD | 25.07±4.65 | 36.27±9.07 | 41.60±11.09 | 43.60±10.99 | 47.60±10.20 | 20.53±7.87 | 36.13±10.29 | 38.93±12.78 | 41.87±13.34 | 45.60±15.27 | 28.13±16.94 | 37.33±18.79 | 36.80±17.66 | 40.00±18.02 | 39.87±20.54 | 4.93 |
| Evasion | GIN | PR-BCD (NA) | 27.47±5.32 | 40.53±7.73 | 48.27±11.61 | 52.80±11.51 | 54.13±10.41 | 19.20±7.08 | 37.07±9.35 | 42.93±6.92 | 49.07±9.50 | 49.60±13.18 | 25.73±13.35 | 30.00±13.75 | 29.87±13.60 | 34.00±16.14 | 36.13±17.67 | 3.73 |
| Evasion | GIN | SGA | 22.40±4.67 | 34.67±6.62 | 38.93±9.65 | 44.40±11.81 | 51.20±13.50 | 18.93±8.71 | 34.53±8.77 | 38.40±10.40 | 46.40±10.29 | 47.60±9.98 | 35.87±23.90 | 39.33±22.62 | 44.13±24.81 | 48.00±23.82 | 50.27±26.33 | 4.60 |
| Evasion | GIN | GOttack | 25.33±4.76 | 37.73±9.85 | 44.80±8.06 | 48.67±12.09 | 51.73±11.90 | 20.13±9.09 | 34.13±9.58 | 43.47±12.29 | 49.20±12.89 | 51.33±12.75 | 31.87±23.00 | 45.73±24.85 | 44.53±24.91 | 48.00±24.72 | 46.80±24.84 | 3.27 |
| Evasion | GSAGE | L1D-RND | 15.87±6.25 | 34.00±10.95 | 38.93±7.48 | 40.93±5.70 | 41.87±7.19 | 19.07±7.28 | 38.27±11.56 | 40.40±10.32 | 42.67±13.62 | 45.20±10.98 | 10.00±3.70 | 18.00±5.07 | 16.40±8.04 | 14.27±5.65 | 13.33±7.39 | 6.27 |
| Evasion | GSAGE | FGA | 22.93±6.80 | 31.07±6.88 | 39.20±9.91 | 49.47±8.57 | 55.33±7.66 | 23.87±4.37 | 37.60±13.25 | 42.27±11.56 | 51.47±12.01 | 57.87±7.27 | 23.73±7.85 | 33.20±7.08 | 36.13±7.84 | 39.47±11.77 | 42.40±13.61 | 3.00 |
| Evasion | GSAGE | NETTACK | 22.00±3.93 | 41.87±6.74 | 55.60±6.73 | 60.93±6.18 | 63.73±4.89 | 22.27±4.27 | 49.07±10.77 | 54.93±9.16 | 62.27±8.14 | 58.53±11.80 | 24.40±7.83 | 31.73±6.84 | 39.87±12.06 | 42.93±11.39 | 42.53±14.76 | 1.53 |
| Evasion | GSAGE | PGD | 24.00±4.84 | 33.47±7.31 | 40.27±9.13 | 43.20±10.44 | 46.13±9.40 | 22.53±3.96 | 37.07±8.10 | 36.67±11.28 | 42.40±10.12 | 45.33±10.05 | 23.47±7.95 | 29.33±5.89 | 29.47±5.42 | 30.13±6.48 | 32.00±6.00 | 5.00 |
| Evasion | GSAGE | PR-BCD (NA) | 25.07±4.65 | 35.47±9.33 | 43.07±9.47 | 45.73±7.67 | 51.07±9.62 | 22.13±3.96 | 41.20±8.81 | 47.60±7.68 | 49.73±12.44 | 53.60±11.39 | 21.73±6.76 | 25.73±6.09 | 27.20±6.75 | 28.13±7.11 | 28.80±6.36 | 3.93 |
| Evasion | GSAGE | SGA | 21.47±2.97 | 33.47±9.02 | 43.20±12.04 | 46.67±12.78 | 49.47±13.82 | 19.60±4.08 | 33.33±9.85 | 38.13±6.25 | 44.00±8.42 | 45.20±8.87 | 24.40±8.42 | 31.07±5.18 | 32.53±6.91 | 36.13±7.50 | 36.53±7.07 | 4.60 |
| Evasion | GSAGE | GOttack | 23.20±4.33 | 35.33±10.71 | 40.40±9.36 | 48.27±10.92 | 51.73±12.62 | 21.33±3.27 | 35.33±9.55 | 47.33±13.77 | 47.87±15.17 | 52.27±11.97 | 24.80±8.13 | 30.53±7.98 | 31.20±8.84 | 34.13±7.50 | 33.60±9.08 | 3.67 |
| Evasion | PNA | L1D-RND | 33.20±8.81 | 41.60±12.86 | 47.20±9.44 | 45.20±12.14 | 53.07±15.36 | 39.33±11.82 | 46.13±9.84 | 46.27±10.05 | 52.13±10.78 | 55.47±11.12 | 39.33±26.16 | 18.27±8.41 | 19.20±8.34 | 20.27±8.34 | 24.27±12.80 | 3.73 |
| Evasion | PNA | FGA | 26.13±7.84 | 40.40±7.83 | 43.20±9.99 | 55.33±7.66 | 62.80±8.74 | 26.93±7.40 | 35.07±8.24 | 43.20±13.87 | 50.40±12.61 | 56.13±13.10 | 30.27±9.65 | 39.87±17.38 | 42.13±18.24 | 48.67±18.83 | 50.80±18.04 | 3.87 |
| Evasion | PNA | NETTACK | 28.53±6.99 | 49.87±9.49 | 59.60±7.97 | 66.00±7.09 | 68.80±9.13 | 32.80±8.87 | 51.60±9.95 | 66.80±9.34 | 68.40±7.94 | 69.60±7.60 | 30.53±10.38 | 39.33±16.45 | 46.80±19.21 | 50.80±18.28 | 52.80±17.77 | 1.53 |
| Evasion | PNA | PGD | 26.80±5.12 | 40.27±10.61 | 39.47±8.12 | 45.47±6.86 | 48.40±11.09 | 28.53±5.63 | 33.20±9.06 | 39.47±9.36 | 43.20±7.59 | 42.53±10.46 | 28.53±6.74 | 28.27±10.36 | 30.53±10.86 | 30.93±10.39 | 30.93±10.36 | 5.93 |
| Evasion | PNA | PR-BCD (NA) | 26.80±7.63 | 43.07±5.44 | 47.20±6.41 | 48.13±9.24 | 52.13±10.51 | 30.93±7.78 | 42.53±7.15 | 48.27±10.58 | 47.60±4.42 | 53.07±8.51 | 20.27±11.93 | 23.73±10.31 | 24.93±10.31 | 25.87±12.03 | 28.53±9.15 | 4.60 |
| Evasion | PNA | SGA | 31.73±7.09 | 40.27±10.05 | 46.67±9.76 | 44.40±6.81 | 50.53±8.96 | 30.27±7.17 | 36.27±8.31 | 44.93±11.00 | 48.00±7.71 | 48.13±7.84 | 30.93±10.98 | 35.07±14.10 | 36.80±17.07 | 43.47±17.31 | 44.93±19.85 | 4.27 |
| Evasion | PNA | GOttack | 31.60±7.57 | 41.47±11.62 | 49.33±13.87 | 52.13±9.64 | 50.53±12.25 | 27.87±11.30 | 42.67±12.55 | 43.73±10.22 | 45.60±9.77 | 45.07±12.09 | 28.93±13.11 | 40.53±16.69 | 37.60±13.72 | 39.20±14.34 | 40.40±14.33 | 4.07 |
| Poison | GCN | L1D-RND | 15.47±4.03 | 23.33±6.79 | 30.27±6.18 | 33.47±7.03 | 34.67±6.87 | 16.27±4.33 | 29.87±12.77 | 37.73±9.56 | 40.13±9.12 | 42.93±6.04 | 9.73±3.10 | 15.47±4.81 | 17.33±5.64 | 19.33±5.49 | 23.20±9.91 | 7.00 |
| Poison | GCN | FGA | 30.00±5.61 | 50.00±4.78 | 56.27±4.13 | 60.53±4.37 | 65.07±4.77 | 31.87±7.39 | 49.87±3.81 | 56.67±5.43 | 60.13±5.83 | 63.73±5.39 | 35.33±3.09 | 47.47±4.93 | 55.33±4.58 | 58.53±1.77 | 58.00±2.62 | 2.93 |
| Poison | GCN | NETTACK | 33.47±3.58 | 51.87±4.56 | 58.67±2.69 | 62.13±3.66 | 63.07±3.10 | 36.40±6.51 | 51.73±7.52 | 55.87±10.38 | 62.27±5.65 | 63.33±5.43 | 34.13±4.69 | 54.80±3.36 | 57.47±1.92 | 58.40±2.03 | 58.40±1.88 | 2.07 |
| Poison | GCN | PGD | 31.73±3.69 | 48.80±4.59 | 55.60±2.95 | 59.33±2.89 | 58.53±4.87 | 30.80±6.79 | 45.87±5.83 | 51.73±9.56 | 56.27±3.53 | 57.73±5.50 | 33.60±3.48 | 40.67±4.45 | 40.93±5.12 | 45.07±5.50 | 45.47±6.44 | 5.47 |
| Poison | GCN | PR-BCD (NA) | 32.80±6.04 | 53.87±3.66 | 57.60±3.31 | 60.67±3.52 | 63.73±3.28 | 34.27±6.32 | 52.40±3.64 | 57.87±5.42 | 62.40±4.73 | 63.73±3.84 | 29.60±3.14 | 36.53±3.07 | 45.47±3.42 | 50.13±4.50 | 54.40±2.85 | 3.00 |
| Poison | GCN | SGA | 29.33±3.83 | 48.13±6.48 | 55.87±3.81 | 60.00±2.73 | 63.73±4.46 | 25.20±3.61 | 44.13±4.93 | 53.20±4.52 | 54.53±4.10 | 60.27±4.77 | 34.13±4.03 | 41.60±5.41 | 50.93±7.48 | 54.00±6.05 | 54.40±4.91 | 4.93 |
| Poison | GCN | GOttack | 33.33±7.20 | 51.47±6.65 | 57.73±5.18 | 61.07±3.92 | 63.20±3.84 | 34.27±8.38 | 48.40±6.77 | 57.87±4.63 | 59.33±4.82 | 62.00±6.09 | 35.60±3.40 | 47.60±5.51 | 55.73±4.53 | 58.13±2.67 | 59.20±1.97 | 2.60 |
| Poison | GIN | L1D-RND | 23.07±8.07 | 38.00±13.50 | 42.40±8.53 | 43.73±11.54 | 45.33±12.39 | 20.40±9.39 | 36.13±13.13 | 38.40±11.86 | 40.13±11.55 | 43.87±10.54 | 14.67±6.79 | 27.07±14.10 | 29.07±13.75 | 23.33±12.11 | 24.27±12.69 | 7.00 |
| Poison | GIN | FGA | 31.87±6.39 | 46.27±12.44 | 58.40±8.92 | 66.13±7.69 | 72.27±6.50 | 30.67±10.24 | 44.80±10.58 | 54.80±8.61 | 63.87±7.84 | 68.00±11.36 | 32.93±20.18 | 44.67±23.17 | 45.47±22.51 | 55.60±24.18 | 55.73±26.43 | 2.73 |
| Poison | GIN | NETTACK | 34.13±6.61 | 55.07±7.67 | 64.93±9.35 | 69.60±6.47 | 71.87±6.25 | 34.93±10.17 | 54.13±7.50 | 64.93±11.18 | 70.93±6.76 | 73.60±9.51 | 32.00±21.46 | 45.20±21.20 | 50.80±24.53 | 54.67±25.23 | 56.53±25.57 | 1.47 |
| Poison | GIN | PGD | 29.07±4.13 | 43.60±9.36 | 48.93±8.65 | 53.60±8.15 | 54.80±9.97 | 28.67±8.16 | 46.27±10.42 | 49.33±9.40 | 51.47±12.55 | 56.27±10.28 | 28.40±17.37 | 38.00±18.53 | 36.80±18.31 | 41.73±19.56 | 40.80±20.51 | 5.53 |
PR-BCD 
\(NA\)33\.87±\\pm6\.5750\.67±\\pm7\.2057\.07±\\pm7\.1761\.07±\\pm7\.4866\.80±\\pm5\.9928\.27±\\pm11\.3450\.53±\\pm10\.7358\.00±\\pm7\.8959\.87±\\pm9\.6465\.87±\\pm9\.7225\.07±\\pm12\.4930\.40±\\pm14\.3531\.47±\\pm16\.7935\.47±\\pm17\.5636\.40±\\pm18\.934\.33SGA31\.33±\\pm8\.0645\.33±\\pm9\.3154\.00±\\pm8\.4262\.40±\\pm6\.7769\.33±\\pm7\.7730\.40±\\pm7\.5746\.93±\\pm6\.6753\.33±\\pm10\.0562\.00±\\pm8\.3264\.27±\\pm6\.7134\.40±\\pm22\.1341\.60±\\pm24\.9844\.00±\\pm23\.2047\.73±\\pm23\.0449\.20±\\pm25\.373\.87GOttack34\.93±\\pm10\.9046\.40±\\pm16\.1654\.13±\\pm11\.9957\.87±\\pm15\.7766\.67±\\pm12\.6633\.07±\\pm12\.3347\.87±\\pm7\.8760\.93±\\pm7\.7062\.93±\\pm9\.8565\.47±\\pm10\.5433\.87±\\pm23\.8146\.67±\\pm24\.5645\.20±\\pm24\.1947\.20±\\pm24\.6847\.20±\\pm24\.273\.07GSAGEL1D\-RND18\.13±\\pm6\.5733\.73±\\pm9\.7140\.40±\\pm7\.4542\.67±\\pm7\.4344\.40±\\pm7\.0621\.33±\\pm9\.0940\.13±\\pm10\.4342\.27±\\pm9\.7643\.47±\\pm11\.8445\.33±\\pm8\.2710\.13±\\pm4\.4417\.73±\\pm4\.9518\.00±\\pm8\.4514\.27±\\pm5\.5014\.80±\\pm6\.966\.93FGA26\.67±\\pm7\.5538\.13±\\pm10\.4148\.67±\\pm14\.4959\.07±\\pm10\.2563\.87±\\pm8\.1925\.60±\\pm5\.4146\.80±\\pm13\.6052\.00±\\pm13\.9259\.20±\\pm10\.2265\.20±\\pm9\.9723\.33±\\pm8\.5131\.87±\\pm6\.3535\.73±\\pm7\.5239\.20±\\pm10\.6942\.40±\\pm13\.512\.67NETTACK27\.07±\\pm8\.7148\.27±\\pm8\.9159\.60±\\pm9\.5165\.33±\\pm7\.0870\.93±\\pm7\.5224\.93±\\pm6\.0954\.80±\\pm7\.8858\.27±\\pm10\.6666\.53±\\pm8\.0563\.20±\\pm11\.7523\.73±\\pm7\.6732\.53±\\pm6\.3039\.60±\\pm11\.3442\.53±\\pm11\.8242\.27±\\pm14\.941\.53PGD28\.80±\\pm8\.3838\.93±\\pm10\.0544\.67±\\pm9\.5848\.80±\\pm11\.0853\.60±\\pm11\.5723\.07±\\pm4\.1340\.93±\\pm8\.5547\.07±\\pm10\.0848\.67±\\pm10\.3851\.73±\\pm10\.0823\.33±\\pm7\.9528\.80±\\pm5\.7528\.93±\\pm6\.5429\.87±\\pm6\.7831\.87±\\pm7\.505\.00PR\-BCD 
\(NA\)28\.80±\\pm7\.6342\.53±\\pm11\.8450\.13±\\pm12\.2954\.00±\\pm9\.8661\.47±\\pm11\.1023\.47±\\pm4\.9345\.87±\\pm8\.4053\.33±\\pm8\.0655\.73±\\pm12\.7160\.67±\\pm9\.5819\.87±\\pm6\.3925\.07±\\pm5\.8525\.47±\\pm7\.3128\.00±\\pm7\.2928\.40±\\pm5\.914\.07SGA22\.67±\\pm3\.1840\.93±\\pm11\.9551\.07±\\pm13\.9857\.07±\\pm14\.5660\.53±\\pm15\.7222\.00±\\pm4\.9637\.60±\\pm10\.2646\.13±\\pm6\.9949\.47±\\pm10\.1353\.73±\\pm10\.2225\.20±\\pm8\.8729\.87±\\pm5\.2632\.13±\\pm5\.7836\.27±\\pm6\.9635\.47±\\pm6\.444\.13GOttack27\.47±\\pm9\.5543\.87±\\pm16\.2751\.20±\\pm12\.1853\.47±\\pm13\.5759\.73±\\pm13\.9823\.73±\\pm6\.5440\.80±\\pm9\.4751\.87±\\pm13\.7654\.53±\\pm14\.2360\.13±\\pm13\.9124\.13±\\pm8\.9029\.87±\\pm7\.5829\.33±\\pm9\.0633\.20±\\pm6\.6233\.20±\\pm8\.553\.67PNAL1D\-RND37\.47±\\pm7\.8044\.00±\\pm13\.6548\.13±\\pm11\.8250\.40±\\pm13\.2757\.20±\\pm13\.2642\.27±\\pm12\.6251\.07±\\pm10\.9852\.13±\\pm9\.9652\.53±\\pm6\.7059\.60±\\pm9\.4239\.33±\\pm26\.3719\.60±\\pm10\.8320\.67±\\pm8\.7420\.40±\\pm8\.6923\.47±\\pm10\.895\.67FGA36\.67±\\pm8\.6746\.93±\\pm7\.6758\.80±\\pm7\.5964\.67±\\pm9\.2271\.20±\\pm8\.9740\.53±\\pm9\.5552\.00±\\pm12\.1962\.53±\\pm10\.1866\.27±\\pm12\.0071\.20±\\pm12\.9431\.33±\\pm11\.9437\.87±\\pm14\.8241\.73±\\pm15\.7546\.13±\\pm18\.8048\.13±\\pm18\.602\.60NETTACK35\.60±\\pm8\.1159\.60±\\pm9\.7764\.67±\\pm7\.6673\.33±\\pm5\.8474\.93±\\pm6\.2742\.93±\\pm9\.0062\.40±\\pm9\.0173\.73±\\pm5\.0677\.73±\\pm6\.2379\.87±\\pm5\.4830\.53±\\pm11\.4838\.80±\\pm18\.2345\.87±\\pm18\.2949\.33±\\pm19\.2253\.33±\\pm19\.471\.53PGD31\.47±\\pm7\.2743\.60±\\pm8\.2949\.07±\\pm6\.7153\.87±\\pm7\.1157\.47±\\pm6\.9939\.87±\\pm9\.3043\.73±\\pm10\.6650\.00±\\pm7\.6056\.40±\\pm6\.7755\.73±\\pm7\.5529\.07±\\pm6\.9629\.07±\\pm11\.5431\.33±\\pm10\.8932\.53±\\pm11\.3830\.93±\\pm10\.006\.00PR\-BCD 
\(NA\)36\.13±\\pm7\.1950\.80±\\pm6\.3656\.00±\\pm6\.5559\.47±\\pm6\.9959\.33±\\pm6\.4038\.40±\\pm8\.9555\.47±\\pm7\.8759\.73±\\pm7\.4462\.13±\\pm8\.6765\.20±\\pm5\.7519\.07±\\pm10\.3624\.13±\\pm9\.1824\.93±\\pm10\.3126\.13±\\pm11\.6029\.20±\\pm9\.004\.93SGA41\.47±\\pm9\.6150\.27±\\pm10\.5056\.53±\\pm12\.9760\.53±\\pm10\.8468\.00±\\pm9\.4739\.20±\\pm9\.5351\.07±\\pm8\.1760\.80±\\pm10\.5863\.33±\\pm8\.7465\.07±\\pm8\.1031\.20±\\pm10\.6637\.60±\\pm13\.1436\.93±\\pm16\.0943\.87±\\pm17\.8843\.07±\\pm17\.023\.67GOttack38\.67±\\pm7\.1652\.93±\\pm15\.5359\.87±\\pm11\.8263\.33±\\pm10\.8764\.53±\\pm11\.7240\.13±\\pm10\.0155\.07±\\pm11\.9755\.73±\\pm7\.9661\.33±\\pm9\.7964\.13±\\pm7\.1129\.47±\\pm12\.6637\.87±\\pm14\.5137\.73±\\pm12\.0940\.93±\\pm15\.5639\.73±\\pm15\.273\.60

Table 19: Vanilla Heterophily Results - 1/2. Evaluating six adversarial attacks on four vanilla attack victim models on SQUIRREL - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined. GIN and PNA are excluded from this table due to OOR.

| Setting | Model | Attack | SQUIRREL, Δ=1 | SQUIRREL, Δ=2 | SQUIRREL, Δ=3 | SQUIRREL, Δ=4 | SQUIRREL, Δ=5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|
| Evasion | GCN | L1D-RND | 24.93 ± 33.09 | 64.53 ± 6.91 | 72.80 ± 7.36 | 71.60 ± 5.67 | 71.47 ± 4.56 | 2.80 |
| | | FGA | 62.40 ± 14.64 | 65.87 ± 15.45 | 71.07 ± 7.40 | 71.07 ± 5.80 | 71.60 ± 4.36 | 2.20 |
| | | NETTACK | 1.87 ± 3.34 | 1.47 ± 2.77 | 1.33 ± 1.63 | 1.60 ± 2.29 | 2.13 ± 2.20 | 7.00 |
| | | PGD | 47.73 ± 10.25 | 58.93 ± 12.28 | 65.87 ± 10.04 | 62.80 ± 11.73 | 64.80 ± 13.54 | 4.60 |
| | | PR-BCD (NA) | 69.87 ± 10.76 | 69.73 ± 6.41 | 69.60 ± 6.56 | 71.87 ± 4.63 | 73.07 ± 5.12 | 1.40 |
| | | SGA | 52.00 ± 6.19 | 59.20 ± 4.46 | 60.53 ± 8.83 | 65.07 ± 8.24 | 66.80 ± 7.04 | 4.00 |
| | | GOttack | 13.33 ± 4.64 | 10.93 ± 5.55 | 14.00 ± 6.05 | 11.20 ± 5.85 | 13.60 ± 5.46 | 6.00 |
| | GSAGE | L1D-RND | 13.60 ± 16.23 | 33.87 ± 11.77 | 37.87 ± 9.36 | 44.67 ± 11.05 | 49.47 ± 12.43 | 4.80 |
| | | FGA | 30.80 ± 14.89 | 44.00 ± 19.20 | 49.33 ± 21.90 | 49.73 ± 19.36 | 53.47 ± 19.52 | 1.40 |
| | | NETTACK | 19.07 ± 7.40 | 20.40 ± 10.06 | 21.73 ± 9.07 | 24.80 ± 6.49 | 21.60 ± 7.41 | 6.80 |
| | | PGD | 30.27 ± 12.71 | 39.07 ± 14.54 | 43.73 ± 14.06 | 48.40 ± 15.95 | 49.47 ± 16.89 | 3.20 |
| | | PR-BCD (NA) | 36.27 ± 11.63 | 42.80 ± 9.34 | 41.33 ± 7.20 | 42.93 ± 10.17 | 45.87 ± 11.17 | 3.40 |
| | | SGA | 34.00 ± 9.47 | 40.80 ± 8.06 | 41.60 ± 7.75 | 48.27 ± 12.28 | 50.53 ± 8.19 | 2.60 |
| | | GOttack | 24.00 ± 9.74 | 27.33 ± 8.87 | 28.13 ± 7.46 | 28.27 ± 8.58 | 30.80 ± 9.41 | 5.80 |
| Poison | GCN | L1D-RND | 34.67 ± 27.36 | 66.80 ± 7.00 | 73.87 ± 7.11 | 71.47 ± 5.68 | 71.47 ± 4.56 | 2.80 |
| | | FGA | 63.87 ± 12.25 | 67.20 ± 12.85 | 71.73 ± 6.23 | 71.47 ± 6.02 | 72.40 ± 4.01 | 2.20 |
| | | NETTACK | 2.80 ± 2.24 | 1.87 ± 2.88 | 2.00 ± 2.14 | 2.00 ± 2.51 | 2.27 ± 2.37 | 7.00 |
| | | PGD | 52.27 ± 8.21 | 62.00 ± 10.25 | 68.00 ± 7.82 | 64.80 ± 9.85 | 65.73 ± 12.21 | 4.20 |
| | | PR-BCD (NA) | 70.27 ± 11.16 | 70.67 ± 6.75 | 70.67 ± 5.89 | 72.67 ± 4.05 | 74.27 ± 4.77 | 1.40 |
| | | SGA | 53.47 ± 5.97 | 59.87 ± 4.98 | 61.87 ± 8.53 | 64.80 ± 8.55 | 66.40 ± 7.14 | 4.40 |
| | | GOttack | 13.60 ± 3.79 | 12.13 ± 5.48 | 13.47 ± 5.78 | 12.00 ± 5.50 | 13.60 ± 4.91 | 6.00 |
| | GSAGE | L1D-RND | 24.53 ± 16.62 | 39.33 ± 11.56 | 44.53 ± 9.43 | 48.40 ± 8.92 | 53.07 ± 8.68 | 5.00 |
| | | FGA | 37.20 ± 10.39 | 48.93 ± 15.62 | 52.13 ± 18.05 | 54.00 ± 18.06 | 57.33 ± 18.09 | 1.40 |
| | | NETTACK | 20.27 ± 7.00 | 23.20 ± 10.16 | 23.60 ± 8.85 | 25.47 ± 5.37 | 27.20 ± 4.33 | 7.00 |
| | | PGD | 36.67 ± 9.52 | 43.60 ± 11.09 | 46.93 ± 12.14 | 52.80 ± 14.56 | 55.60 ± 12.99 | 3.20 |
| | | PR-BCD (NA) | 40.93 ± 10.25 | 47.60 ± 10.15 | 50.80 ± 7.63 | 50.93 ± 9.07 | 50.13 ± 7.23 | 2.80 |
| | | SGA | 39.20 ± 7.48 | 47.47 ± 6.70 | 48.40 ± 9.11 | 51.47 ± 11.20 | 55.33 ± 8.87 | 2.80 |
| | | GOttack | 27.20 ± 8.44 | 26.80 ± 8.27 | 30.53 ± 6.74 | 30.13 ± 9.05 | 34.80 ± 5.28 | 5.80 |

Table 20: Vanilla Heterophily Results - 2/2. Evaluating six adversarial attacks on four vanilla attack victim models on CHAMELEON - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined. PNA is excluded from this table due to OOR.

| Setting | Model | Attack | CHAMELEON, Δ=1 | CHAMELEON, Δ=2 | CHAMELEON, Δ=3 | CHAMELEON, Δ=4 | CHAMELEON, Δ=5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|
| Evasion | GCN | L1D-RND | 21.87 ± 28.89 | 50.93 ± 9.71 | 62.00 ± 6.05 | 66.67 ± 7.12 | 66.53 ± 7.07 | 3.00 |
| | | FGA | 62.40 ± 7.72 | 58.00 ± 12.72 | 59.87 ± 15.97 | 56.40 ± 12.54 | 61.07 ± 12.30 | 3.00 |
| | | NETTACK | 3.07 ± 2.60 | 5.47 ± 3.96 | 4.93 ± 4.33 | 6.27 ± 4.20 | 6.27 ± 4.83 | 7.00 |
| | | PGD | 44.00 ± 20.95 | 50.53 ± 18.10 | 61.07 ± 14.64 | 57.73 ± 15.47 | 59.47 ± 14.05 | 3.60 |
| | | PR-BCD (NA) | 58.00 ± 18.53 | 67.87 ± 20.46 | 70.27 ± 8.88 | 67.07 ± 10.66 | 73.47 ± 8.77 | 1.20 |
| | | SGA | 45.47 ± 10.38 | 49.07 ± 9.82 | 55.60 ± 7.64 | 57.33 ± 9.37 | 55.33 ± 6.70 | 4.40 |
| | | GOttack | 23.47 ± 8.16 | 19.20 ± 5.75 | 22.53 ± 7.27 | 17.33 ± 6.62 | 22.80 ± 9.13 | 5.80 |
| | GIN | L1D-RND | 18.13 ± 22.63 | 56.00 ± 11.16 | 55.60 ± 16.16 | 64.13 ± 13.70 | 62.93 ± 13.81 | 2.00 |
| | | FGA | 40.93 ± 15.42 | 46.40 ± 10.75 | 53.07 ± 15.08 | 58.80 ± 15.91 | 54.93 ± 16.18 | 1.80 |
| | | NETTACK | 4.00 ± 4.66 | 7.33 ± 7.43 | 6.67 ± 7.00 | 9.87 ± 9.64 | 12.00 ± 11.59 | 7.00 |
| | | PGD | 35.07 ± 16.49 | 41.73 ± 12.98 | 47.47 ± 15.54 | 50.67 ± 14.86 | 49.33 ± 8.71 | 2.80 |
| | | PR-BCD (NA) | 27.73 ± 12.67 | 25.87 ± 12.34 | 38.67 ± 15.36 | 38.53 ± 13.53 | 38.80 ± 11.48 | 4.80 |
| | | SGA | 28.00 ± 8.62 | 35.07 ± 12.60 | 39.07 ± 16.66 | 39.47 ± 14.55 | 42.40 ± 15.50 | 3.80 |
| | | GOttack | 20.40 ± 7.97 | 15.20 ± 13.45 | 23.20 ± 11.18 | 14.53 ± 8.60 | 22.93 ± 9.35 | 5.80 |
| | GSAGE | L1D-RND | 13.47 ± 18.13 | 34.00 ± 13.33 | 43.07 ± 10.55 | 44.93 ± 11.21 | 49.47 ± 12.11 | 2.20 |
| | | FGA | 28.93 ± 8.21 | 34.40 ± 9.54 | 35.20 ± 10.63 | 39.20 ± 9.37 | 40.80 ± 7.32 | 1.60 |
| | | NETTACK | 8.80 ± 6.54 | 10.13 ± 6.07 | 12.27 ± 6.04 | 11.47 ± 6.21 | 15.73 ± 4.83 | 7.00 |
| | | PGD | 24.80 ± 7.92 | 27.60 ± 6.77 | 30.27 ± 9.56 | 33.07 ± 9.35 | 37.20 ± 11.05 | 3.80 |
| | | PR-BCD (NA) | 20.40 ± 8.11 | 25.60 ± 12.29 | 32.00 ± 16.42 | 30.13 ± 13.21 | 31.07 ± 15.21 | 4.60 |
| | | SGA | 27.60 ± 11.14 | 30.53 ± 13.57 | 32.00 ± 13.05 | 34.13 ± 14.88 | 32.80 ± 10.39 | 3.20 |
| | | GOttack | 24.67 ± 10.24 | 21.20 ± 8.65 | 27.87 ± 8.63 | 21.33 ± 10.68 | 29.07 ± 8.41 | 5.60 |
| Poison | GCN | L1D-RND | 35.60 ± 22.31 | 56.27 ± 9.85 | 65.20 ± 5.89 | 69.07 ± 7.44 | 68.13 ± 5.88 | 2.80 |
| | | FGA | 66.40 ± 8.25 | 61.47 ± 12.70 | 62.13 ± 13.70 | 60.53 ± 11.75 | 63.07 ± 10.69 | 3.00 |
| | | NETTACK | 7.87 ± 4.98 | 8.13 ± 2.56 | 7.33 ± 5.49 | 7.73 ± 3.77 | 8.40 ± 5.72 | 7.00 |
| | | PGD | 53.47 ± 17.98 | 56.80 ± 15.83 | 64.13 ± 12.64 | 61.87 ± 14.67 | 60.53 ± 14.23 | 3.20 |
| | | PR-BCD (NA) | 64.80 ± 14.69 | 70.80 ± 14.89 | 70.67 ± 8.54 | 67.60 ± 7.57 | 74.93 ± 6.63 | 1.40 |
| | | SGA | 51.47 ± 9.12 | 54.67 ± 8.57 | 60.13 ± 7.65 | 61.87 ± 9.49 | 59.07 ± 7.74 | 4.60 |
| | | GOttack | 27.07 ± 8.48 | 23.73 ± 5.65 | 23.33 ± 7.16 | 24.80 ± 7.04 | 24.67 ± 7.81 | 6.00 |
| | GIN | L1D-RND | 37.33 ± 18.29 | 61.07 ± 12.16 | 65.20 ± 8.84 | 69.20 ± 10.71 | 68.67 ± 10.49 | 2.60 |
| | | FGA | 61.20 ± 12.32 | 67.33 ± 14.34 | 70.27 ± 12.23 | 71.07 ± 11.85 | 68.40 ± 16.62 | 1.20 |
| | | NETTACK | 20.40 ± 11.27 | 22.27 ± 11.66 | 23.60 ± 12.56 | 25.47 ± 12.97 | 27.87 ± 11.38 | 7.00 |
| | | PGD | 49.33 ± 15.28 | 59.07 ± 13.13 | 64.93 ± 17.05 | 70.27 ± 8.88 | 67.47 ± 8.67 | 2.80 |
| | | PR-BCD (NA) | 50.00 ± 12.58 | 48.40 ± 10.06 | 58.93 ± 9.50 | 59.07 ± 9.19 | 58.40 ± 10.32 | 4.00 |
| | | SGA | 46.27 ± 10.90 | 50.80 ± 11.83 | 57.73 ± 15.32 | 56.13 ± 13.87 | 61.60 ± 12.92 | 4.40 |
| | | GOttack | 35.73 ± 9.50 | 32.40 ± 15.33 | 37.33 ± 12.09 | 31.73 ± 12.46 | 37.87 ± 13.23 | 6.00 |
| | GSAGE | L1D-RND | 22.93 ± 17.63 | 40.27 ± 9.50 | 44.40 ± 11.62 | 50.27 ± 11.66 | 52.53 ± 13.26 | 3.40 |
| | | FGA | 42.67 ± 14.20 | 45.47 ± 15.13 | 55.20 ± 13.75 | 56.40 ± 14.68 | 58.67 ± 16.64 | 1.00 |
| | | NETTACK | 12.40 ± 7.60 | 12.40 ± 6.01 | 16.13 ± 8.19 | 16.13 ± 8.33 | 20.00 ± 6.46 | 7.00 |
| | | PGD | 36.27 ± 13.24 | 41.60 ± 13.74 | 41.33 ± 14.53 | 47.60 ± 14.99 | 52.67 ± 15.74 | 2.80 |
| | | PR-BCD (NA) | 31.60 ± 10.29 | 38.53 ± 12.64 | 44.67 ± 15.39 | 43.87 ± 12.15 | 44.27 ± 15.51 | 3.80 |
| | | SGA | 35.60 ± 10.93 | 36.53 ± 12.18 | 42.00 ± 13.37 | 44.53 ± 15.97 | 40.67 ± 14.40 | 4.20 |
| | | GOttack | 31.07 ± 10.66 | 23.07 ± 9.74 | 30.80 ± 7.55 | 26.67 ± 10.65 | 33.87 ± 8.99 | 5.80 |

Table 21: Defended Homophily Results - 1/3. Evaluating six adversarial attacks on four defense victim models (GNNGuard, GCN-Jaccard, GCN-GARNET, ElasticGNN) - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined.

| Setting | Model | Attack | CORA, Δ=1 | CORA, Δ=2 | CORA, Δ=3 | CORA, Δ=4 | CORA, Δ=5 | CITESEER, Δ=1 | CITESEER, Δ=2 | CITESEER, Δ=3 | CITESEER, Δ=4 | CITESEER, Δ=5 | PUBMED, Δ=1 | PUBMED, Δ=2 | PUBMED, Δ=3 | PUBMED, Δ=4 | PUBMED, Δ=5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | ElasticGNN | L1D-RND | 12.67 ± 2.47 | 14.80 ± 4.13 | 19.33 ± 3.83 | 20.93 ± 5.55 | 24.40 ± 5.36 | 14.00 ± 5.40 | 19.07 ± 5.50 | 24.53 ± 8.80 | 27.33 ± 9.22 | 32.27 ± 10.14 | 10.67 ± 3.75 | 10.67 ± 4.32 | 12.27 ± 4.71 | 13.87 ± 3.96 | 13.73 ± 4.33 | 7.00 |
| | | FGA | 24.67 ± 3.83 | 32.40 ± 4.91 | 37.73 ± 6.96 | 44.00 ± 8.55 | 50.93 ± 6.63 | 22.00 ± 3.30 | 30.13 ± 6.16 | 41.20 ± 9.70 | 46.80 ± 12.60 | 51.07 ± 12.02 | 24.67 ± 6.87 | 26.27 ± 5.44 | 30.80 ± 7.85 | 33.47 ± 8.50 | 35.73 ± 9.13 | 2.60 |
| | | NETTACK | 23.47 ± 3.16 | 30.27 ± 5.99 | 43.20 ± 5.60 | 49.87 ± 6.07 | 54.80 ± 5.17 | 22.80 ± 4.26 | 33.87 ± 9.46 | 42.80 ± 11.85 | 46.67 ± 12.71 | 49.87 ± 11.82 | 23.87 ± 5.63 | 26.00 ± 6.28 | 29.87 ± 7.84 | 33.73 ± 9.94 | 34.67 ± 10.13 | 2.87 |
| | | PGD | 24.00 ± 4.34 | 30.40 ± 2.75 | 38.67 ± 6.44 | 44.00 ± 7.56 | 47.33 ± 8.09 | 22.93 ± 4.65 | 30.27 ± 7.09 | 37.60 ± 9.01 | 42.53 ± 9.46 | 45.60 ± 9.75 | 24.80 ± 5.89 | 28.00 ± 5.95 | 30.00 ± 5.71 | 30.53 ± 5.26 | 32.27 ± 5.18 | 4.07 |
| | | PR-BCD (NA) | 24.67 ± 3.75 | 32.00 ± 5.76 | 41.60 ± 6.85 | 44.80 ± 7.28 | 50.40 ± 9.05 | 23.33 ± 4.76 | 30.93 ± 7.44 | 38.40 ± 9.66 | 45.47 ± 11.12 | 51.33 ± 11.87 | 22.13 ± 3.16 | 25.60 ± 4.42 | 28.00 ± 4.28 | 30.53 ± 5.53 | 30.53 ± 3.89 | 3.67 |
| | | SGA | 24.27 ± 4.27 | 30.93 ± 6.32 | 37.87 ± 7.84 | 45.47 ± 9.66 | 49.47 ± 8.43 | 21.60 ± 5.14 | 25.47 ± 4.98 | 32.67 ± 6.40 | 39.47 ± 8.02 | 42.53 ± 8.43 | 24.67 ± 5.98 | 27.60 ± 7.30 | 30.13 ± 7.03 | 33.33 ± 8.37 | 33.20 ± 5.99 | 4.33 |
| | | GOttack | 23.60 ± 2.75 | 32.13 ± 4.24 | 37.73 ± 6.18 | 46.27 ± 7.32 | 50.00 ± 5.61 | 22.67 ± 6.58 | 32.53 ± 8.33 | 36.80 ± 12.44 | 43.07 ± 12.94 | 46.40 ± 13.96 | 24.40 ± 5.25 | 28.27 ± 4.77 | 30.53 ± 5.93 | 32.53 ± 6.35 | 33.60 ± 5.72 | 3.47 |
| | GCN-GARNET | L1D-RND | 16.53 ± 11.75 | 37.60 ± 13.86 | 43.73 ± 13.67 | 46.40 ± 16.29 | 51.07 ± 19.20 | 21.33 ± 13.95 | 46.40 ± 15.35 | 49.73 ± 12.02 | 56.67 ± 14.46 | 57.33 ± 15.87 | 18.93 ± 17.84 | 34.27 ± 19.02 | 33.33 ± 21.93 | 37.20 ± 20.07 | 36.00 ± 20.06 | 2.47 |
| | | FGA | 18.27 ± 5.55 | 22.80 ± 5.54 | 30.00 ± 10.17 | 38.93 ± 13.00 | 45.33 ± 14.38 | 16.13 ± 4.17 | 19.73 ± 8.97 | 27.20 ± 10.14 | 38.00 ± 10.74 | 47.87 ± 8.02 | 15.47 ± 8.57 | 17.60 ± 11.29 | 20.93 ± 9.53 | 33.60 ± 14.04 | 38.53 ± 12.08 | 5.20 |
| | | NETTACK | 20.67 ± 5.59 | 34.13 ± 11.77 | 46.80 ± 9.62 | 56.27 ± 10.87 | 62.93 ± 9.79 | 21.87 ± 6.35 | 40.93 ± 11.36 | 54.93 ± 9.94 | 58.13 ± 13.21 | 61.73 ± 11.34 | 17.60 ± 7.75 | 33.20 ± 13.50 | 51.33 ± 12.53 | 54.93 ± 11.00 | 61.60 ± 12.12 | 1.47 |
| | | PGD | 20.93 ± 6.27 | 30.93 ± 7.40 | 36.53 ± 9.61 | 42.67 ± 10.27 | 49.47 ± 13.21 | 20.93 ± 5.06 | 30.67 ± 6.70 | 31.20 ± 9.16 | 41.73 ± 10.22 | 39.07 ± 11.71 | 14.53 ± 5.83 | 19.07 ± 6.80 | 20.93 ± 9.41 | 21.20 ± 9.65 | 23.87 ± 11.72 | 5.00 |
| | | PR-BCD (NA) | 21.73 ± 5.90 | 32.67 ± 7.24 | 43.73 ± 7.25 | 50.40 ± 13.01 | 52.27 ± 11.18 | 25.73 ± 8.03 | 34.93 ± 9.04 | 43.60 ± 9.26 | 50.00 ± 9.97 | 50.13 ± 15.50 | 17.33 ± 8.34 | 24.93 ± 11.85 | 29.33 ± 12.55 | 29.47 ± 10.13 | 32.93 ± 8.24 | 3.00 |
| | | SGA | 14.27 ± 4.46 | 20.40 ± 5.08 | 23.73 ± 6.58 | 27.07 ± 7.96 | 29.73 ± 8.48 | 12.93 ± 6.27 | 20.67 ± 8.80 | 25.87 ± 8.86 | 32.00 ± 12.87 | 35.33 ± 13.91 | 13.33 ± 5.69 | 13.87 ± 6.02 | 16.00 ± 5.13 | 18.13 ± 9.43 | 21.33 ± 8.09 | 6.93 |
| | | GOttack | 20.00 ± 6.93 | 31.47 ± 9.87 | 42.93 ± 13.22 | 52.40 ± 15.12 | 55.87 ± 11.65 | 21.20 ± 8.91 | 26.80 ± 7.08 | 34.67 ± 13.06 | 34.67 ± 15.30 | 44.27 ± 13.24 | 15.07 ± 9.76 | 23.87 ± 10.38 | 26.93 ± 12.53 | 34.53 ± 13.32 | 36.80 ± 15.76 | 3.93 |
| | GCN-Jaccard | L1D-RND | 12.00 ± 3.78 | 18.40 ± 5.67 | 24.67 ± 6.79 | 28.53 ± 6.82 | 30.80 ± 6.13 | 11.47 ± 3.66 | 23.33 ± 8.47 | 33.07 ± 5.55 | 34.40 ± 6.73 | 40.67 ± 6.26 | 10.67 ± 2.79 | 13.20 ± 4.06 | 16.27 ± 4.06 | 21.73 ± 4.53 | 25.47 ± 6.07 | 7.00 |
| | | FGA | 20.00 ± 4.28 | 35.20 ± 6.75 | 43.47 ± 6.25 | 48.93 ± 4.53 | 56.27 ± 6.18 | 21.33 ± 5.00 | 33.07 ± 4.20 | 39.20 ± 7.55 | 46.93 ± 6.04 | 52.40 ± 4.91 | 31.07 ± 2.49 | 42.13 ± 3.96 | 50.40 ± 4.73 | 54.13 ± 2.88 | 55.60 ± 2.95 | 3.73 |
| | | NETTACK | 23.47 ± 3.50 | 37.87 ± 4.93 | 46.53 ± 7.61 | 51.33 ± 8.09 | 55.87 ± 3.66 | 21.20 ± 4.46 | 40.13 ± 8.80 | 45.60 ± 6.10 | 51.87 ± 7.69 | 56.53 ± 5.78 | 30.67 ± 3.18 | 50.40 ± 2.95 | 53.87 ± 3.07 | 56.13 ± 2.67 | 58.93 ± 2.37 | 2.07 |
| | | PGD | 24.80 ± 4.59 | 35.20 ± 6.04 | 41.07 ± 5.75 | 44.53 ± 8.16 | 47.60 ± 5.14 | 21.47 ± 5.10 | 32.93 ± 5.90 | 42.67 ± 4.88 | 48.27 ± 4.83 | 49.47 ± 5.88 | 31.07 ± 3.53 | 36.40 ± 2.29 | 42.53 ± 5.42 | 44.13 ± 6.02 | 45.20 ± 3.61 | 4.80 |
| | | PR-BCD (NA) | 20.93 ± 5.01 | 33.07 ± 6.76 | 41.47 ± 5.04 | 46.67 ± 4.76 | 49.33 ± 5.74 | 22.53 ± 3.89 | 37.73 ± 4.95 | 47.60 ± 5.96 | 50.93 ± 3.37 | 54.80 ± 3.36 | 32.80 ± 3.69 | 36.93 ± 3.84 | 41.47 ± 3.34 | 45.20 ± 3.84 | 49.73 ± 3.45 | 3.67 |
| | | SGA | 20.93 ± 6.09 | 35.60 ± 5.41 | 43.60 ± 4.36 | 49.60 ± 4.22 | 54.93 ± 6.45 | 18.13 ± 5.26 | 28.13 ± 4.50 | 39.87 ± 7.73 | 45.07 ± 6.36 | 51.20 ± 6.04 | 31.33 ± 4.70 | 40.00 ± 4.07 | 47.60 ± 4.79 | 51.07 ± 4.71 | 52.53 ± 7.19 | 4.27 |
| | | GOttack | 23.60 ± 4.91 | 39.73 ± 6.04 | 46.93 ± 6.36 | 52.27 ± 7.25 | 54.67 ± 6.40 | 20.93 ± 5.06 | 33.73 ± 8.00 | 43.60 ± 10.06 | 47.20 ± 7.99 | 53.20 ± 8.87 | 31.87 ± 4.50 | 40.80 ± 4.83 | 50.93 ± 4.27 | 56.53 ± 2.67 | 56.00 ± 2.62 | 2.47 |
| | GNNGuard | L1D-RND | 6.27 ± 4.13 | 9.73 ± 5.60 | 11.73 ± 4.83 | 17.20 ± 5.44 | 18.67 ± 6.13 | 4.67 ± 3.68 | 7.60 ± 5.46 | 9.60 ± 5.30 | 10.53 ± 5.10 | 11.07 ± 5.18 | 6.53 ± 4.63 | 8.27 ± 4.20 | 9.73 ± 4.53 | 10.13 ± 5.68 | 12.40 ± 5.46 | 4.80 |
| | | FGA | 6.67 ± 3.44 | 11.87 ± 4.37 | 14.93 ± 4.71 | 17.20 ± 4.71 | 22.13 ± 6.21 | 3.33 ± 3.18 | 6.93 ± 3.69 | 9.07 ± 4.06 | 13.33 ± 5.16 | 13.07 ± 6.04 | 3.60 ± 1.88 | 4.67 ± 2.35 | 7.47 ± 2.97 | 10.27 ± 2.81 | 12.40 ± 3.56 | 5.00 |
| | | NETTACK | 6.80 ± 4.77 | 13.07 ± 5.01 | 16.93 ± 6.54 | 20.40 ± 6.68 | 25.07 ± 6.45 | 4.67 ± 2.35 | 9.73 ± 4.27 | 13.47 ± 5.93 | 17.07 ± 5.12 | 20.53 ± 5.78 | 2.93 ± 1.67 | 7.33 ± 3.75 | 10.13 ± 3.50 | 13.73 ± 4.89 | 15.87 ± 3.89 | 2.27 |
| | | PGD | 6.80 ± 2.60 | 11.33 ± 4.82 | 16.80 ± 5.28 | 20.40 ± 5.08 | 21.07 ± 4.95 | 3.07 ± 2.49 | 5.33 ± 3.27 | 8.80 ± 4.77 | 11.60 ± 3.72 | 13.07 ± 4.46 | 2.53 ± 1.60 | 5.47 ± 2.07 | 6.80 ± 3.28 | 10.40 ± 2.95 | 11.33 ± 4.05 | 5.73 |
| | | PR-BCD (NA) | 8.13 ± 3.34 | 13.33 ± 3.98 | 15.60 ± 4.67 | 17.47 ± 3.81 | 22.80 ± 6.13 | 3.07 ± 2.12 | 6.53 ± 2.33 | 8.93 ± 3.20 | 11.07 ± 4.40 | 15.07 ± 5.23 | 4.27 ± 2.25 | 8.53 ± 3.74 | 12.40 ± 4.01 | 15.33 ± 4.19 | 17.33 ± 3.52 | 3.40 |
| | | SGA | 8.40 ± 4.29 | 12.80 ± 3.28 | 18.53 ± 5.04 | 21.07 ± 4.53 | 22.53 ± 5.53 | 4.00 ± 2.73 | 8.00 ± 5.81 | 10.13 ± 4.56 | 13.20 ± 5.06 | 14.40 ± 4.08 | 3.47 ± 1.92 | 6.13 ± 3.07 | 7.33 ± 2.35 | 9.87 ± 4.03 | 11.73 ± 4.27 | 3.60 |
| | | GOttack | 8.40 ± 4.97 | 13.20 ± 4.33 | 17.20 ± 4.59 | 19.20 ± 4.89 | 23.20 ± 5.89 | 4.67 ± 2.89 | 6.80 ± 4.77 | 10.13 ± 4.56 | 13.20 ± 5.17 | 15.87 ± 3.81 | 3.07 ± 2.25 | 6.80 ± 3.10 | 9.20 ± 3.00 | 11.20 ± 3.00 | 13.87 ± 3.42 | 3.20 |
| Poison | ElasticGNN | L1D-RND | 14.00 ± 3.70 | 16.40 ± 3.79 | 21.07 ± 4.20 | 23.33 ± 5.49 | 28.00 ± 5.90 | 15.33 ± 4.58 | 21.47 ± 6.48 | 27.20 ± 8.51 | 31.87 ± 9.66 | 36.27 ± 9.38 | 10.53 ± 3.42 | 11.20 ± 4.46 | 12.67 ± 5.05 | 14.13 ± 3.58 | 13.60 ± 4.48 | 7.00 |
| | | FGA | 28.67 ± 6.58 | 40.93 ± 11.76 | 50.93 ± 11.68 | 56.53 ± 7.11 | 61.73 ± 4.53 | 28.80 ± 8.51 | 43.60 ± 9.26 | 51.87 ± 7.27 | 57.47 ± 9.90 | 59.60 ± 6.85 | 23.60 ± 7.45 | 26.53 ± 6.30 | 30.13 ± 8.19 | 34.27 ± 9.50 | 36.67 ± 9.88 | 2.33 |
| | | NETTACK | 29.20 ± 7.16 | 39.47 ± 6.30 | 51.47 ± 5.73 | 57.47 ± 5.48 | 62.93 ± 6.67 | 30.27 ± 8.51 | 45.87 ± 11.10 | 54.40 ± 7.68 | 54.67 ± 8.20 | 59.60 ± 6.24 | 23.33 ± 5.84 | 26.67 ± 6.91 | 29.60 ± 8.18 | 34.27 ± 11.31 | 36.13 ± 10.24 | 2.27 |
| | | PGD | 26.53 ± 3.58 | 38.53 ± 6.70 | 44.27 ± 6.13 | 51.07 ± 5.65 | 54.00 ± 7.17 | 29.73 ± 6.80 | 41.20 ± 8.03 | 46.13 ± 6.35 | 50.80 ± 6.71 | 54.27 ± 6.13 | 23.73 ± 5.95 | 27.07 ± 5.99 | 30.27 ± 6.36 | 31.33 ± 5.79 | 32.27 ± 5.75 | 4.47 |
| | | PR-BCD (NA) | 25.60 ± 4.15 | 36.53 ± 5.93 | 47.47 ± 6.25 | 55.33 ± 3.83 | 59.47 ± 5.04 | 29.47 ± 9.21 | 38.93 ± 11.29 | 50.93 ± 11.71 | 53.73 ± 10.22 | 57.73 ± 10.00 | 20.53 ± 3.07 | 25.60 ± 3.94 | 27.07 ± 4.83 | 30.80 ± 6.13 | 30.80 ± 4.06 | 4.93 |
| | | SGA | 27.07 ± 4.13 | 40.40 ± 7.18 | 50.40 ± 5.77 | 57.47 ± 6.57 | 60.27 ± 8.00 | 26.40 ± 4.29 | 36.40 ± 5.14 | 47.47 ± 6.16 | 50.80 ± 6.09 | 57.20 ± 5.39 | 23.47 ± 6.52 | 28.40 ± 7.18 | 30.80 ± 8.06 | 32.67 ± 8.44 | 34.27 ± 8.68 | 3.47 |
| | | GOttack | 28.67 ± 5.94 | 39.87 ± 8.63 | 47.73 ± 9.13 | 54.40 ± 5.67 | 58.27 ± 5.55 | 30.93 ± 7.21 | 44.27 ± 8.97 | 49.60 ± 7.64 | 55.33 ± 6.66 | 56.27 ± 5.80 | 23.07 ± 6.67 | 26.80 ± 4.83 | 30.27 ± 6.84 | 32.13 ± 6.82 | 33.60 ± 5.41 | 3.53 |
| | GCN-GARNET | L1D-RND | 18.67 ± 9.96 | 38.27 ± 13.89 | 44.80 ± 14.34 | 46.13 ± 16.66 | 52.00 ± 18.55 | 20.27 ± 13.89 | 49.47 ± 14.05 | 51.33 ± 11.48 | 58.00 ± 13.82 | 58.27 ± 15.21 | 18.67 ± 18.46 | 34.53 ± 18.63 | 34.67 ± 21.09 | 36.67 ± 19.42 | 38.67 ± 18.36 | 2.47 |
| | | FGA | 20.13 ± 4.56 | 23.60 ± 7.10 | 31.20 ± 10.60 | 38.40 ± 12.81 | 45.73 ± 15.42 | 18.80 ± 5.33 | 21.60 ± 8.29 | 30.67 ± 11.13 | 41.20 ± 13.54 | 49.60 ± 8.59 | 16.80 ± 10.79 | 16.80 ± 9.97 | 19.33 ± 8.09 | 32.40 ± 14.35 | 36.40 ± 12.65 | 5.33 |
| | | NETTACK | 22.80 ± 6.41 | 35.60 ± 11.06 | 46.00 ± 10.47 | 56.67 ± 10.73 | 64.40 ± 8.63 | 23.33 ± 6.58 | 43.07 ± 10.22 | 55.20 ± 9.34 | 59.47 ± 11.96 | 64.67 ± 8.51 | 17.47 ± 6.70 | 32.80 ± 13.91 | 50.13 ± 12.15 | 54.27 ± 13.16 | 61.20 ± 11.85 | 1.47 |
| | | PGD | 21.87 ± 5.73 | 30.53 ± 7.87 | 37.07 ± 10.19 | 42.93 ± 10.69 | 49.47 ± 13.74 | 24.80 ± 6.27 | 32.27 ± 9.07 | 35.20 ± 9.79 | 41.33 ± 9.79 | 43.87 ± 12.73 | 14.80 ± 5.39 | 18.93 ± 9.41 | 22.40 ± 10.06 | 22.13 ± 11.65 | 24.67 ± 11.48 | 4.80 |
| | | PR-BCD (NA) | 22.53 ± 6.02 | 33.60 ± 9.26 | 42.53 ± 9.81 | 50.27 ± 13.52 | 52.67 ± 12.41 | 27.07 ± 8.55 | 37.60 ± 7.90 | 46.67 ± 11.00 | 53.20 ± 10.58 | 52.27 ± 13.62 | 18.00 ± 9.62 | 22.40 ± 10.09 | 29.73 ± 14.48 | 29.73 ± 10.25 | 35.33 ± 9.76 | 3.13 |
| | | SGA | 15.87 ± 4.24 | 21.73 ± 5.50 | 25.47 ± 7.11 | 28.67 ± 8.06 | 30.67 ± 10.92 | 15.33 ± 4.32 | 24.93 ± 8.71 | 29.07 ± 10.71 | 36.53 ± 12.82 | 39.20 ± 14.85 | 12.93 ± 3.99 | 13.87 ± 4.98 | 15.73 ± 7.09 | 15.87 ± 7.76 | 22.00 ± 9.53 | 6.93 |
| | | GOttack | 21.73 ± 7.17 | 32.13 ± 9.40 | 42.93 ± 13.22 | 53.07 ± 14.56 | 56.27 ± 12.58 | 20.40 ± 8.15 | 31.33 ± 9.15 | 39.07 ± 12.60 | 38.13 ± 15.20 | 49.60 ± 13.94 | 16.53 ± 9.84 | 23.73 ± 10.25 | 26.13 ± 11.22 | 35.07 ± 14.81 | 36.00 ± 15.62 | 3.87 |
| | GCN-Jaccard | L1D-RND | 14.40 ± 5.77 | 19.20 ± 5.99 | 26.40 ± 7.86 | 30.13 ± 7.80 | 30.00 ± 5.35 | 13.20 ± 4.89 | 25.87 ± 10.68 | 34.00 ± 4.60 | 36.27 ± 6.67 | 41.33 ± 6.87 | 11.07 ± 3.61 | 14.13 ± 4.24 | 16.00 ± 4.14 | 22.13 ± 5.15 | 25.20 ± 6.18 | 7.00 |
| | | FGA | 23.73 ± 5.80 | 38.13 ± 6.70 | 45.47 ± 4.98 | 53.47 ± 6.16 | 56.13 ± 4.37 | 28.67 ± 7.47 | 41.07 ± 6.13 | 46.13 ± 6.65 | 54.80 ± 7.32 | 56.67 ± 4.64 | 32.00 ± 2.00 | 42.00 ± 4.00 | 50.27 ± 4.13 | 53.20 ± 3.10 | 55.47 ± 2.56 | 3.47 |
| | | NETTACK | 26.67 ± 5.79 | 39.47 ± 3.42 | 48.27 ± 6.54 | 53.20 ± 6.22 | 58.40 ± 4.79 | 31.73 ± 8.03 | 43.20 ± 6.54 | 53.07 ± 7.05 | 56.67 ± 6.44 | 59.87 ± 5.15 | 31.60 ± 2.85 | 49.47 ± 3.58 | 54.00 ± 2.83 | 56.13 ± 2.67 | 59.07 ± 2.12 | 1.87 |
| | | PGD | 26.13 ± 4.17 | 38.53 ± 5.42 | 43.47 ± 4.93 | 46.27 ± 6.63 | 49.73 ± 6.36 | 28.00 ± 7.60 | 39.33 ± 7.04 | 47.60 ± 5.41 | 51.33 ± 5.54 | 53.20 ± 5.28 | 32.13 ± 3.74 | 38.00 ± 2.00 | 42.93 ± 4.95 | 44.80 ± 5.99 | 45.33 ± 4.51 | 5.00 |
| | | PR-BCD (NA) | 22.80 ± 5.12 | 36.13 ± 4.10 | 42.53 ± 5.26 | 48.67 ± 4.32 | 50.67 ± 5.11 | 29.60 ± 5.25 | 44.00 ± 5.66 | 52.13 ± 4.81 | 54.13 ± 4.31 | 58.93 ± 4.20 | 31.60 ± 3.14 | 37.20 ± 3.53 | 41.73 ± 3.45 | 46.13 ± 3.34 | 50.67 ± 3.52 | 4.47 |
| | | SGA | 26.80 ± 7.63 | 38.93 ± 4.40 | 47.07 ± 4.95 | 53.47 ± 5.10 | 56.80 ± 6.45 | 23.87 ± 4.50 | 38.80 ± 5.80 | 46.93 ± 6.32 | 51.87 ± 4.44 | 57.60 ± 4.67 | 32.00 ± 5.71 | 40.13 ± 4.24 | 47.73 ± 3.99 | 51.07 ± 5.28 | 53.07 ± 6.54 | 3.87 |
| | | GOttack | 27.73 ± 6.96 | 42.00 ± 5.18 | 48.40 ± 4.55 | 54.53 ± 5.58 | 55.07 ± 5.28 | 32.00 ± 7.56 | 40.40 ± 6.15 | 50.67 ± 10.76 | 52.93 ± 6.50 | 56.53 ± 8.63 | 32.27 ± 4.83 | 41.33 ± 3.90 | 51.07 ± 4.20 | 55.60 ± 2.53 | 56.67 ± 2.23 | 2.33 |
| | GNNGuard | L1D-RND | 6.93 ± 4.40 | 10.40 ± 5.14 | 12.80 ± 3.76 | 18.00 ± 4.90 | 19.47 ± 5.88 | 4.80 ± 3.84 | 7.87 ± 5.53 | 9.87 ± 5.21 | 10.53 ± 4.93 | 11.47 ± 4.69 | 6.53 ± 4.93 | 8.00 ± 4.21 | 9.33 ± 3.90 | 10.40 ± 5.96 | 12.53 ± 5.48 | 5.33 |
| | | FGA | 7.47 ± 3.96 | 12.53 ± 4.50 | 16.80 ± 4.89 | 19.20 ± 4.65 | 24.80 ± 5.60 | 4.40 ± 3.31 | 9.07 ± 3.77 | 10.93 ± 3.61 | 14.40 ± 4.61 | 14.27 ± 6.13 | 4.80 ± 3.19 | 5.73 ± 3.10 | 8.93 ± 3.01 | 11.60 ± 2.41 | 13.20 ± 4.26 | 4.53 |
| | | NETTACK | 7.47 ± 5.37 | 14.93 ± 5.55 | 19.20 ± 6.67 | 22.13 ± 6.30 | 28.40 ± 5.87 | 6.00 ± 2.93 | 10.53 ± 4.24 | 14.67 ± 6.03 | 19.33 ± 6.62 | 22.53 ± 5.83 | 4.40 ± 2.53 | 8.67 ± 3.75 | 10.53 ± 4.17 | 13.87 ± 4.69 | 15.73 ± 3.69 | 2.20 |
| | | PGD | 6.93 ± 3.01 | 12.40 ± 5.08 | 17.47 ± 5.10 | 21.07 ± 5.39 | 22.00 ± 5.81 | 3.20 ± 2.11 | 6.80 ± 3.28 | 9.87 ± 4.98 | 13.20 ± 3.19 | 14.67 ± 4.51 | 4.27 ± 2.12 | 6.53 ± 3.25 | 7.87 ± 3.16 | 12.00 ± 3.02 | 11.87 ± 4.17 | 5.80 |
| | | PR-BCD (NA) | 8.93 ± 3.99 | 14.00 ± 4.07 | 17.07 ± 5.75 | 19.07 ± 3.99 | 23.87 ± 7.27 | 3.20 ± 1.97 | 7.47 ± 2.67 | 10.27 ± 3.53 | 12.53 ± 5.48 | 17.87 ± 5.97 | 5.60 ± 4.08 | 9.60 ± 4.67 | 13.33 ± 4.19 | 16.67 ± 3.75 | 18.40 ± 3.31 | 3.67 |
| | | SGA | 9.60 ± 3.64 | 15.33 ± 3.75 | 20.80 ± 5.89 | 25.07 ± 5.95 | 28.13 ± 7.11 | 4.80 ± 3.00 | 8.93 ± 6.04 | 10.67 ± 4.88 | 15.33 ± 5.64 | 16.93 ± 4.83 | 4.93 ± 3.20 | 8.00 ± 3.85 | 8.27 ± 2.49 | 11.33 ± 3.75 | 12.53 ± 3.81 | 3.20 |
| | | GOttack | 10.27 ± 6.54 | 15.07 ± 5.01 | 19.07 ± 4.27 | 22.27 ± 6.18 | 26.13 ± 5.78 | 4.80 ± 2.70 | 7.87 ± 4.44 | 10.80 ± 4.71 | 14.27 ± 5.01 | 17.20 ± 4.52 | 4.93 ± 3.10 | 7.87 ± 3.66 | 9.87 ± 3.66 | 12.00 ± 3.21 | 14.40 ± 3.64 | 3.27 |

Table 22: Defended Homophily Results - 2/3. Evaluating six adversarial attacks on four defense victim models (GRAND, RobustGCN, GCORN, RUNG) - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined. OOR entries are omitted in average rank calculation.

| Setting | Model | Attack | CORA, Δ=1 | CORA, Δ=2 | CORA, Δ=3 | CORA, Δ=4 | CORA, Δ=5 | CITESEER, Δ=1 | CITESEER, Δ=2 | CITESEER, Δ=3 | CITESEER, Δ=4 | CITESEER, Δ=5 | PUBMED, Δ=1 | PUBMED, Δ=2 | PUBMED, Δ=3 | PUBMED, Δ=4 | PUBMED, Δ=5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | GRAND | L1D-RND | 34.13 ± 14.99 | 63.47 ± 7.54 | 71.07 ± 6.54 | 71.07 ± 7.70 | 72.00 ± 8.72 | 45.47 ± 11.80 | 60.67 ± 8.64 | 63.33 ± 9.43 | 66.00 ± 8.49 | 66.40 ± 8.72 | 33.20 ± 15.62 | 39.07 ± 17.07 | 44.53 ± 16.41 | 44.93 ± 16.78 | 44.67 ± 17.22 | 1.13 |
| | | FGA | 11.87 ± 4.87 | 14.40 ± 4.85 | 16.67 ± 5.79 | 30.40 ± 8.92 | 36.80 ± 5.17 | 13.87 ± 4.93 | 18.80 ± 4.39 | 24.27 ± 5.95 | 34.93 ± 10.44 | 45.73 ± 8.03 | 17.20 ± 5.94 | 20.13 ± 3.25 | 20.40 ± 3.56 | 30.13 ± 8.40 | 39.33 ± 8.67 | 5.13 |
| | | NETTACK | 12.67 ± 5.64 | 30.00 ± 6.14 | 39.87 ± 5.10 | 48.13 ± 5.15 | 51.73 ± 4.53 | 16.00 ± 4.21 | 34.13 ± 7.46 | 47.33 ± 9.70 | 54.53 ± 9.81 | 57.73 ± 8.84 | 19.20 ± 5.65 | 24.00 ± 8.59 | 44.00 ± 5.76 | 47.87 ± 7.69 | 49.87 ± 9.15 | 2.40 |
| | | PGD | 13.73 ± 4.83 | 17.73 ± 5.34 | 20.40 ± 5.96 | 24.80 ± 7.32 | 29.33 ± 5.89 | 16.40 ± 5.51 | 24.40 ± 5.62 | 28.13 ± 5.37 | 29.73 ± 5.28 | 33.33 ± 5.94 | 17.20 ± 3.28 | 20.00 ± 3.70 | 22.13 ± 3.16 | 24.67 ± 3.60 | 26.00 ± 3.30 | 5.20 |
| | | PR-BCD (NA) | 14.40 ± 4.36 | 21.73 ± 5.12 | 27.20 ± 6.09 | 30.00 ± 6.97 | 33.87 ± 7.42 | 17.20 ± 5.75 | 28.80 ± 5.06 | 34.40 ± 6.33 | 39.60 ± 6.64 | 41.33 ± 5.49 | 19.87 ± 3.66 | 23.87 ± 2.20 | 26.00 ± 4.00 | 27.87 ± 4.17 | 30.40 ± 4.73 | 3.27 |
| | | SGA | 14.13 ± 4.98 | 17.47 ± 5.58 | 19.60 ± 5.51 | 21.20 ± 6.96 | 24.27 ± 6.63 | 18.67 ± 5.69 | 27.47 ± 9.90 | 29.47 ± 7.46 | 34.80 ± 7.08 | 42.67 ± 8.34 | 18.27 ± 5.34 | 21.87 ± 3.58 | 24.27 ± 4.59 | 26.40 ± 5.30 | 29.87 ± 7.54 | 4.40 |
| | | GOttack | 12.93 ± 5.70 | 14.93 ± 5.60 | 17.60 ± 4.73 | 19.20 ± 4.46 | 21.07 ± 5.70 | 15.73 ± 4.20 | 18.80 ± 5.65 | 25.20 ± 3.91 | 26.27 ± 4.71 | 28.53 ± 5.97 | 17.87 ± 6.02 | 20.00 ± 4.07 | 19.60 ± 3.87 | 22.27 ± 3.53 | 22.13 ± 4.63 | 6.47 |
| | RobustGCN | L1D-RND | 15.60 ± 4.15 | 29.60 ± 9.48 | 32.80 ± 3.91 | 33.87 ± 5.48 | 35.07 ± 4.77 | 10.67 ± 3.98 | 29.73 ± 11.05 | 32.53 ± 7.87 | 34.40 ± 9.33 | 42.27 ± 5.90 | 9.20 ± 4.89 | 20.67 ± 3.68 | 23.60 ± 7.45 | 26.67 ± 6.08 | 27.33 ± 5.84 | 7.00 |
| | | FGA | 27.07 ± 3.77 | 45.87 ± 7.15 | 54.13 ± 5.63 | 60.40 ± 4.73 | 63.20 ± 4.77 | 23.87 ± 3.07 | 41.33 ± 7.77 | 51.47 ± 3.96 | 56.80 ± 3.69 | 57.73 ± 3.20 | 36.80 ± 4.71 | 47.73 ± 6.18 | 54.80 ± 5.00 | 58.00 ± 2.00 | 58.67 ± 1.45 | 3.00 |
| | | NETTACK | 28.40 ± 5.25 | 52.13 ± 4.44 | 57.73 ± 2.91 | 60.13 ± 3.50 | 61.33 ± 3.60 | 25.73 ± 6.96 | 45.60 ± 8.18 | 54.27 ± 2.81 | 56.27 ± 4.13 | 58.13 ± 3.81 | 36.00 ± 2.27 | 53.20 ± 3.84 | 57.60 ± 2.03 | 58.80 ± 1.47 | 57.73 ± 1.67 | 2.07 |
| | | PGD | 29.47 ± 3.16 | 46.80 ± 3.84 | 54.93 ± 4.06 | 57.73 ± 4.83 | 60.40 ± 3.72 | 24.40 ± 4.61 | 40.27 ± 7.63 | 49.33 ± 5.79 | 52.40 ± 7.83 | 55.87 ± 4.44 | 35.33 ± 4.19 | 41.60 ± 4.73 | 44.67 ± 5.64 | 45.87 ± 6.12 | 47.60 ± 5.41 | 4.73 |
| | | PR-BCD (NA) | 32.40 ± 4.79 | 58.00 ± 3.85 | 62.00 ± 3.93 | 64.67 ± 3.44 | 64.93 ± 2.49 | 23.87 ± 3.74 | 42.67 ± 5.98 | 53.20 ± 4.89 | 55.87 ± 3.25 | 58.27 ± 3.53 | 31.47 ± 2.07 | 38.40 ± 4.61 | 48.53 ± 3.42 | 54.00 ± 3.12 | 57.07 ± 2.25 | 3.20 |
| | | SGA | 26.93 ± 3.84 | 43.07 ± 10.58 | 55.20 ± 6.09 | 59.47 ± 5.21 | 60.00 ± 5.90 | 20.13 ± 5.21 | 32.00 ± 6.63 | 39.47 ± 9.66 | 48.27 ± 6.41 | 52.80 ± 5.39 | 34.93 ± 3.45 | 42.67 ± 5.27 | 50.53 ± 6.91 | 54.80 ± 3.61 | 57.20 ± 3.10 | 5.13 |
| | | GOttack | 27.47 ± 4.75 | 50.00 ± 3.78 | 56.40 ± 4.48 | 57.73 ± 3.37 | 61.47 ± 3.34 | 25.07 ± 4.13 | 43.47 ± 12.48 | 49.60 ± 8.69 | 56.67 ± 4.45 | 58.40 ± 2.64 | 36.13 ± 5.04 | 46.00 ± 7.71 | 56.13 ± 2.88 | 57.33 ± 1.80 | 57.73 ± 1.83 | 2.87 |
| | GCORN | L1D-RND | 28.53 ± 11.22 | 32.67 ± 11.43 | 34.27 ± 8.61 | 31.33 ± 7.47 | 30.80 ± 7.36 | 26.67 ± 6.53 | 28.00 ± 8.88 | 26.80 ± 7.00 | 29.33 ± 5.16 | 33.47 ± 6.70 | OOR | OOR | OOR | OOR | OOR | 2.27 |
| | | FGA | 19.47 ± 4.50 | 23.20 ± 4.65 | 26.53 ± 3.42 | 29.60 ± 6.20 | 31.60 ± 6.51 | 15.87 ± 4.31 | 21.47 ± 4.69 | 23.20 ± 5.85 | 28.67 ± 7.20 | 31.33 ± 7.32 | OOR | OOR | OOR | OOR | OOR | 4.53 |
| | | NETTACK | 22.53 ± 5.32 | 31.60 ± 6.33 | 35.20 ± 7.96 | 38.40 ± 8.36 | 47.20 ± 11.48 | 18.53 ± 5.42 | 29.07 ± 8.81 | 31.33 ± 9.96 | 33.20 ± 10.52 | 38.27 ± 13.11 | OOR | OOR | OOR | OOR | OOR | 2.00 |
| | | PGD | 21.33 ± 5.69 | 24.93 ± 5.95 | 24.67 ± 4.45 | 26.67 ± 5.54 | 33.47 ± 7.42 | 16.80 ± 3.36 | 23.73 ± 5.23 | 23.87 ± 6.44 | 26.13 ± 5.97 | 26.67 ± 6.31 | OOR | OOR | OOR | OOR | OOR | 4.93 |
| | | PR-BCD (NA) | 21.33 ± 5.00 | 29.60 ± 4.42 | 28.27 ± 6.18 | 32.00 ± 7.17 | 40.27 ± 8.34 | 18.40 ± 5.87 | 26.67 ± 5.49 | 27.60 ± 5.96 | 32.67 ± 6.44 | 35.33 ± 5.59 | OOR | OOR | OOR | OOR | OOR | 4.00 |
| | | SGA | 20.13 ± 5.97 | 22.80 ± 4.65 | 23.07 ± 5.18 | 23.87 ± 5.21 | 26.67 ± 5.33 | 21.07 ± 5.23 | 21.33 ± 4.88 | 24.13 ± 5.32 | 24.40 ± 6.38 | 23.73 ± 4.83 | OOR | OOR | OOR | OOR | OOR | 6.13 |
| | | GOttack | 22.53 ± 5.26 | 28.67 ± 6.70 | 32.93 ± 10.53 | 34.80 ± 8.20 | 45.47 ± 10.54 | 19.07 ± 6.32 | 27.87 ± 6.25 | 27.87 ± 6.65 | 32.67 ± 8.20 | 35.87 ± 9.12 | OOR | OOR | OOR | OOR | OOR | 4.13 |
| | RUNG | L1D-RND | 22.80 ± 8.31 | 25.87 ± 5.97 | 32.53 ± 8.57 | 31.33 ± 7.47 | 30.40 ± 7.34 | 23.33 ± 4.39 | 23.07 ± 4.33 | 25.87 ± 4.50 | 29.33 ± 5.16 | 33.47 ± 6.70 | OOR | OOR | OOR | OOR | OOR | 2.13 |
| | | FGA | 18.40 ± 4.73 | 21.73 ± 5.18 | 24.93 ± 4.06 | 29.20 ± 6.62 | 33.20 ± 7.81 | 16.27 ± 3.77 | 18.67 ± 5.11 | 24.53 ± 7.80 | 29.07 ± 5.95 | 32.53 ± 5.93 | OOR | OOR | OOR | OOR | OOR | 3.80 |
| | | NETTACK | 19.20 ± 5.23 | 28.40 ± 5.14 | 34.13 ± 8.05 | 40.13 ± 6.07 | 42.67 ± 8.90 | 21.20 ± 6.54 | 22.80 ± 7.99 | 30.67 ± 7.00 | 32.40 ± 9.75 | 38.93 ± 8.78 | OOR | OOR | OOR | OOR | OOR | 2.00 |
| | | PGD | 17.33 ± 4.88 | 19.33 ± 3.75 | 23.87 ± 4.24 | 25.87 ± 5.53 | 29.73 ± 6.67 | 17.20 ± 4.65 | 20.53 ± 4.37 | 22.13 ± 5.04 | 24.40 ± 4.67 | 25.47 ± 6.44 | OOR | OOR | OOR | OOR | OOR | 5.00 |

PR-BCD 
\(NA\)18\.27±\\pm3\.3724\.53±\\pm5\.1028\.80±\\pm7\.5531\.87±\\pm7\.6933\.20±\\pm7\.5918\.93±\\pm3\.6124\.80±\\pm3\.3626\.67±\\pm5\.9429\.73±\\pm6\.5033\.60±\\pm4\.55OOROOROOROOROOR3\.67SGA14\.93±\\pm4\.2017\.60±\\pm3\.1421\.33±\\pm5\.2222\.13±\\pm6\.2124\.40±\\pm4\.7316\.27±\\pm4\.5319\.20±\\pm4\.3920\.40±\\pm5\.5121\.87±\\pm5\.4222\.27±\\pm5\.12OOROOROOROOROOR6\.47GOttack19\.60±\\pm6\.6426\.80±\\pm5\.3330\.00±\\pm8\.0735\.07±\\pm8\.0039\.33±\\pm8\.3317\.07±\\pm6\.5422\.67±\\pm7\.3924\.40±\\pm7\.9731\.20±\\pm8\.2436\.13±\\pm7\.03OOROOROOROOROOR4\.93PoisonGRANDL1D\-RND36\.80±\\pm10\.8464\.00±\\pm9\.9769\.87±\\pm7\.2767\.33±\\pm7\.0466\.13±\\pm8\.4746\.13±\\pm11\.4561\.47±\\pm7\.4664\.27±\\pm8\.3164\.13±\\pm7\.9164\.67±\\pm8\.1634\.27±\\pm13\.9240\.40±\\pm16\.7946\.27±\\pm13\.3545\.73±\\pm14\.1245\.20±\\pm12\.301\.13FGA16\.93±\\pm4\.7119\.33±\\pm6\.2623\.07±\\pm7\.4436\.40±\\pm8\.2942\.00±\\pm5\.6117\.87±\\pm3\.3425\.07±\\pm4\.1330\.53±\\pm5\.5843\.73±\\pm10\.4452\.53±\\pm8\.7017\.33±\\pm5\.7919\.73±\\pm5\.1220\.53±\\pm4\.6928\.40±\\pm9\.3938\.80±\\pm9\.255\.07NETTACK18\.93±\\pm5\.3933\.60±\\pm6\.7744\.00±\\pm8\.0049\.47±\\pm6\.2554\.27±\\pm7\.2120\.67±\\pm4\.8236\.93±\\pm6\.5851\.47±\\pm10\.5160\.53±\\pm8\.9063\.60±\\pm8\.6618\.27±\\pm5\.5522\.53±\\pm9\.1841\.20±\\pm10\.9848\.27±\\pm8\.0349\.60±\\pm8\.042\.20PGD18\.67±\\pm5\.2722\.00±\\pm6\.5526\.40±\\pm8\.0132\.13±\\pm8\.1635\.73±\\pm8\.5819\.20±\\pm3\.9927\.07±\\pm5\.2332\.27±\\pm4\.8935\.07±\\pm6\.5039\.20±\\pm6\.3615\.87±\\pm4\.0318\.93±\\pm3\.9920\.93±\\pm6\.5821\.87±\\pm5\.8823\.73±\\pm5\.605\.53PR\-BCD 
\(NA\)19\.07±\\pm4\.8925\.20±\\pm5\.8933\.47±\\pm5\.8837\.33±\\pm7\.4341\.60±\\pm9\.2320\.67±\\pm4\.9432\.67±\\pm5\.5939\.47±\\pm5\.5344\.80±\\pm7\.6650\.00±\\pm6\.3221\.60±\\pm7\.6823\.60±\\pm5\.1425\.73±\\pm5\.5527\.33±\\pm7\.2430\.00±\\pm6\.143\.07SGA18\.80±\\pm5\.1221\.07±\\pm9\.5923\.47±\\pm5\.1528\.13±\\pm5\.8331\.20±\\pm8\.2020\.53±\\pm5\.4827\.73±\\pm7\.8134\.53±\\pm8\.1639\.47±\\pm8\.4048\.13±\\pm9\.3318\.67±\\pm7\.4723\.07±\\pm6\.3624\.93±\\pm6\.3226\.93±\\pm6\.5429\.33±\\pm8\.844\.53GOttack16\.27±\\pm4\.5320\.40±\\pm4\.4823\.07±\\pm6\.2325\.33±\\pm6\.7028\.40±\\pm5\.8219\.73±\\pm4\.8923\.33±\\pm5\.3326\.93±\\pm5\.1231\.47±\\pm4\.8734\.53±\\pm6\.2117\.87±\\pm6\.9118\.80±\\pm5\.2821\.73±\\pm6\.6323\.20±\\pm6\.4922\.93±\\pm5\.856\.47RobustGCNL1D\-RND16\.40±\\pm3\.4830\.80±\\pm9\.9132\.93±\\pm4\.2033\.33±\\pm5\.6936\.00±\\pm4\.5411\.33±\\pm3\.9029\.73±\\pm11\.7833\.20±\\pm7\.9935\.47±\\pm8\.8342\.93±\\pm5\.609\.20±\\pm4\.8920\.67±\\pm3\.8324\.13±\\pm6\.8226\.80±\\pm6\.2727\.20±\\pm5\.807\.00FGA30\.93±\\pm4\.7747\.07±\\pm7\.2855\.47±\\pm4\.8760\.93±\\pm3\.3763\.20±\\pm3\.1031\.73±\\pm6\.1351\.47±\\pm5\.2158\.67±\\pm2\.3559\.73±\\pm2\.7161\.07±\\pm4\.3336\.80±\\pm4\.5947\.87±\\pm5\.5355\.20±\\pm4\.4657\.87±\\pm2\.0758\.53±\\pm1\.602\.53NETTACK32\.93±\\pm5\.7054\.40±\\pm4\.1558\.93±\\pm3\.2860\.80±\\pm3\.8462\.00±\\pm4\.0032\.53±\\pm7\.5052\.67±\\pm4\.3256\.67±\\pm2\.7959\.07±\\pm3\.2861\.07±\\pm2\.9135\.47±\\pm3\.1653\.47±\\pm3\.5857\.33±\\pm2\.0958\.67±\\pm1\.4557\.60±\\pm1\.882\.27PGD32\.93±\\pm4\.4048\.53±\\pm5\.3255\.33±\\pm2\.9958\.40±\\pm3\.8760\.27±\\pm3\.7731\.33±\\pm6\.4450\.27±\\pm6\.0953\.47±\\pm6\.0256\.13±\\pm4\.9359\.20±\\pm3\.9935\.33±\\pm4\.1942\.27±\\pm5\.1245\.33±\\pm5\.1146\.40±\\pm6\.6447\.33±\\pm5\.225\.07PR\-BCD 
\(NA\)34\.40±\\pm4\.0857\.20±\\pm3\.1961\.73±\\pm3\.3764\.13±\\pm2\.9765\.33±\\pm2\.9928\.67±\\pm5\.4949\.60±\\pm6\.5656\.00±\\pm4\.4757\.47±\\pm4\.3760\.00±\\pm4\.0731\.33±\\pm2\.5838\.93±\\pm4\.8949\.47±\\pm3\.5054\.27±\\pm2\.1256\.93±\\pm2\.123\.53SGA30\.27±\\pm5\.5047\.73±\\pm7\.7057\.07±\\pm4\.5960\.67±\\pm4\.1962\.13±\\pm5\.6323\.33±\\pm6\.2642\.67±\\pm7\.8849\.33±\\pm7\.5154\.00±\\pm5\.4058\.53±\\pm5\.3234\.53±\\pm3\.7443\.20±\\pm4\.4651\.60±\\pm6\.9455\.20±\\pm3\.7657\.33±\\pm2\.234\.93GOttack33\.20±\\pm5\.8950\.27±\\pm4\.5358\.00±\\pm3\.3858\.80±\\pm2\.9162\.27±\\pm3\.9231\.47±\\pm9\.0250\.93±\\pm8\.5854\.67±\\pm5\.8460\.00±\\pm3\.6361\.33±\\pm2\.3535\.73±\\pm4\.6546\.27±\\pm7\.0956\.00±\\pm3\.0257\.47±\\pm1\.6057\.87±\\pm1\.922\.67GCORNL1D\-RND28\.93±\\pm11\.1132\.80±\\pm11\.3134\.27±\\pm8\.6131\.47±\\pm7\.3930\.67±\\pm7\.2826\.80±\\pm6\.7528\.53±\\pm8\.9627\.07±\\pm6\.9229\.47±\\pm4\.9833\.47±\\pm6\.70OOROOROOROOROOR2\.47FGA19\.87±\\pm3\.9623\.87±\\pm4\.5626\.93±\\pm3\.5330\.27±\\pm5\.9932\.27±\\pm6\.5817\.20±\\pm4\.2022\.80±\\pm4\.2025\.33±\\pm6\.5830\.40±\\pm6\.7734\.80±\\pm6\.88OOROOROOROOROOR4\.33NETTACK22\.80±\\pm5\.2832\.80±\\pm5\.6035\.87±\\pm7\.3539\.20±\\pm8\.0648\.27±\\pm11\.3118\.53±\\pm5\.7830\.00±\\pm8\.7232\.40±\\pm9\.9535\.20±\\pm10\.8240\.00±\\pm12\.60OOROOROOROOROOR2\.07PGD21\.60±\\pm5\.0825\.47±\\pm4\.9825\.07±\\pm4\.7127\.33±\\pm5\.2733\.60±\\pm7\.4917\.73±\\pm3\.8424\.27±\\pm5\.7024\.93±\\pm5\.9527\.73±\\pm5\.4428\.80±\\pm5\.99OOROOROOROOROOR5\.00PR\-BCD 
\(NA\)21\.73±\\pm5\.3930\.00±\\pm4\.8428\.80±\\pm6\.1332\.53±\\pm6\.8640\.53±\\pm8\.3718\.93±\\pm5\.5027\.33±\\pm5\.4929\.73±\\pm5\.9533\.33±\\pm5\.9436\.40±\\pm4\.97OOROOROOROOROOR3\.80SGA21\.07±\\pm6\.4124\.00±\\pm4\.1424\.00±\\pm5\.1824\.67±\\pm5\.6428\.00±\\pm4\.7221\.73±\\pm5\.2321\.87±\\pm4\.9824\.80±\\pm5\.1225\.47±\\pm6\.8226\.00±\\pm5\.45OOROOROOROOROOR6\.20GOttack22\.67±\\pm5\.3830\.27±\\pm6\.3233\.73±\\pm10\.7735\.33±\\pm8\.1646\.40±\\pm10\.1218\.93±\\pm6\.0929\.33±\\pm7\.5128\.00±\\pm6\.5933\.33±\\pm8\.3737\.33±\\pm9\.40OOROOROOROOROOR4\.13RUNGL1D\-RND22\.80±\\pm8\.3826\.27±\\pm5\.9532\.53±\\pm8\.1631\.47±\\pm7\.3930\.40±\\pm7\.2223\.33±\\pm4\.3923\.33±\\pm4\.1926\.00±\\pm4\.5429\.47±\\pm4\.9833\.47±\\pm6\.70OOROOROOROOROOR2\.47FGA19\.33±\\pm4\.3922\.00±\\pm5\.5024\.93±\\pm4\.4029\.73±\\pm6\.6334\.13±\\pm7\.6916\.80±\\pm4\.0620\.80±\\pm5\.3325\.47±\\pm7\.0330\.40±\\pm5\.3034\.93±\\pm6\.04OOROOROOROOROOR3\.67NETTACK19\.33±\\pm4\.5128\.80±\\pm4\.7135\.20±\\pm7\.7041\.33±\\pm5\.6443\.73±\\pm9\.1321\.07±\\pm6\.7624\.13±\\pm8\.0532\.00±\\pm7\.6033\.73±\\pm9\.5640\.80±\\pm9\.13OOROOROOROOROOR1\.93PGD17\.33±\\pm4\.6419\.73±\\pm3\.8424\.27±\\pm4\.0626\.27±\\pm5\.7530\.80±\\pm6\.8417\.73±\\pm5\.1221\.33±\\pm4\.2523\.73±\\pm4\.0625\.87±\\pm4\.2427\.60±\\pm5\.96OOROOROOROOROOR4\.93PR\-BCD \(NA\)18\.67±\\pm3\.6025\.07±\\pm5\.4428\.80±\\pm7\.4832\.13±\\pm7\.4234\.40±\\pm7\.1819\.33±\\pm3\.6825\.33±\\pm3\.1828\.00±\\pm6\.0931\.33±\\pm5\.8935\.33±\\pm4\.76OOROOROOROOROOR3\.60SGA14\.93±\\pm4\.5918\.27±\\pm3\.2021\.73±\\pm5\.3923\.20±\\pm6\.9626\.13±\\pm4\.4416\.93±\\pm4\.4620\.53±\\pm4\.0321\.60±\\pm4\.9123\.20±\\pm5\.8024\.53±\\pm5\.21OOROOROOROOROOR6\.47GOttack19\.33±\\pm6\.7927\.07±\\pm5\.3430\.40±\\pm8\.2935\.87±\\pm7\.5041\.07±\\pm8\.3817\.47±\\pm6\.7023\.33±\\pm7\.3927\.60±\\pm7\.2632\.93±\\pm8\.3137\.47±\\pm7\.03OOROOROOROOROOR4\.93

Table 23: Defended Homophily Results - 3/3. Evaluating six adversarial attacks on four defense NoisyGNN - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined.

| Setting | Defense | Attack | CORA Δ=1 | CORA Δ=2 | CORA Δ=3 | CORA Δ=4 | CORA Δ=5 | CITESEER Δ=1 | CITESEER Δ=2 | CITESEER Δ=3 | CITESEER Δ=4 | CITESEER Δ=5 | PUBMED Δ=1 | PUBMED Δ=2 | PUBMED Δ=3 | PUBMED Δ=4 | PUBMED Δ=5 | Avg. Rank |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Evasion | NoisyGNN | L1D-RND | 28.40 ± 10.56 | 31.60 ± 12.05 | 38.80 ± 7.88 | 40.80 ± 8.61 | 41.20 ± 9.06 | 35.60 ± 11.96 | 36.00 ± 11.81 | 40.27 ± 8.58 | 42.93 ± 6.36 | 45.20 ± 5.33 | 31.07 ± 15.43 | 29.20 ± 11.13 | 28.80 ± 8.13 | 25.73 ± 6.36 | 26.40 ± 6.38 | 3.73 |
| Evasion | NoisyGNN | FGA | 20.93 ± 4.06 | 25.07 ± 6.84 | 32.00 ± 5.01 | 38.67 ± 6.03 | 42.00 ± 8.42 | 22.13 ± 3.42 | 25.87 ± 5.78 | 34.00 ± 9.23 | 42.80 ± 11.75 | 46.93 ± 11.63 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 5.93 |
| Evasion | NoisyGNN | NETTACK | 23.33 ± 5.00 | 35.87 ± 8.40 | 50.27 ± 8.55 | 60.27 ± 9.59 | 69.07 ± 9.88 | 26.93 ± 6.96 | 40.67 ± 11.78 | 49.87 ± 10.13 | 53.20 ± 13.79 | 60.67 ± 11.82 | 21.20 ± 5.12 | 34.53 ± 4.75 | 46.27 ± 7.28 | 52.53 ± 7.42 | 60.53 ± 3.07 | 1.60 |
| Evasion | NoisyGNN | PGD | 24.67 ± 4.88 | 31.47 ± 4.75 | 40.67 ± 8.57 | 44.93 ± 8.94 | 49.47 ± 8.23 | 24.93 ± 4.06 | 34.00 ± 7.48 | 40.67 ± 8.09 | 44.80 ± 9.19 | 48.93 ± 8.58 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 5.13 |
| Evasion | NoisyGNN | PR-BCD | 25.07 ± 3.77 | 36.13 ± 6.57 | 47.73 ± 6.67 | 52.53 ± 6.70 | 59.73 ± 9.13 | 26.27 ± 3.69 | 38.00 ± 4.72 | 48.27 ± 8.03 | 54.13 ± 6.16 | 57.73 ± 6.09 | 18.40 ± 3.64 | 25.73 ± 3.28 | 29.87 ± 3.58 | 33.07 ± 3.53 | 36.53 ± 4.03 | 2.73 |
| Evasion | NoisyGNN | SGA | 20.93 ± 5.60 | 22.27 ± 5.01 | 25.47 ± 4.44 | 30.27 ± 4.33 | 33.33 ± 6.22 | 28.93 ± 7.09 | 22.67 ± 2.89 | 25.47 ± 4.03 | 27.87 ± 4.31 | 30.40 ± 5.46 | 18.67 ± 3.44 | 21.47 ± 3.96 | 23.33 ± 3.35 | 24.67 ± 5.54 | 25.87 ± 4.10 | 5.93 |
| Evasion | NoisyGNN | GOttack | 22.80 ± 6.22 | 31.60 ± 7.30 | 42.13 ± 12.61 | 52.93 ± 12.28 | 61.47 ± 10.84 | 24.00 ± 5.90 | 35.73 ± 9.04 | 48.53 ± 10.68 | 52.40 ± 10.78 | 51.60 ± 9.51 | 23.07 ± 3.69 | 30.00 ± 5.18 | 36.80 ± 7.55 | 41.87 ± 7.84 | 48.13 ± 9.49 | 2.93 |
| Poison | NoisyGNN | L1D-RND | 29.07 ± 10.69 | 32.27 ± 11.58 | 41.33 ± 8.61 | 43.07 ± 8.94 | 42.93 ± 9.00 | 35.33 ± 11.46 | 37.60 ± 12.22 | 41.47 ± 8.40 | 44.13 ± 6.39 | 46.00 ± 5.71 | 31.07 ± 15.10 | 29.07 ± 11.11 | 29.07 ± 8.21 | 25.73 ± 6.36 | 26.00 ± 6.46 | 4.20 |
| Poison | NoisyGNN | FGA | 23.20 ± 5.23 | 30.67 ± 9.15 | 38.13 ± 7.91 | 46.67 ± 10.02 | 51.60 ± 11.81 | 24.00 ± 4.21 | 32.40 ± 8.39 | 42.93 ± 8.61 | 51.47 ± 10.07 | 56.40 ± 9.80 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 5.73 |
| Poison | NoisyGNN | NETTACK | 27.60 ± 4.67 | 44.27 ± 7.05 | 57.47 ± 7.39 | 64.67 ± 9.25 | 73.60 ± 7.34 | 30.27 ± 6.54 | 50.40 ± 10.70 | 57.33 ± 7.35 | 60.67 ± 10.38 | 65.47 ± 8.37 | 21.20 ± 5.00 | 34.27 ± 4.83 | 46.80 ± 7.20 | 52.93 ± 6.80 | 60.53 ± 2.88 | 1.33 |
| Poison | NoisyGNN | PGD | 27.07 ± 4.71 | 35.47 ± 5.48 | 46.27 ± 9.32 | 50.40 ± 9.48 | 56.67 ± 8.51 | 28.80 ± 6.75 | 40.13 ± 7.54 | 48.53 ± 9.12 | 52.00 ± 7.82 | 55.47 ± 7.46 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 5.00 |
| Poison | NoisyGNN | PR-BCD | 26.27 ± 3.20 | 40.27 ± 8.03 | 52.13 ± 6.65 | 60.67 ± 7.24 | 64.80 ± 7.66 | 29.60 ± 4.91 | 44.67 ± 7.16 | 54.67 ± 6.40 | 59.87 ± 7.35 | 61.60 ± 6.98 | 18.27 ± 3.77 | 25.87 ± 3.07 | 30.40 ± 3.56 | 33.60 ± 3.79 | 37.07 ± 5.12 | 2.80 |
| Poison | NoisyGNN | SGA | 23.33 ± 4.82 | 27.73 ± 6.04 | 30.40 ± 7.72 | 38.53 ± 7.73 | 41.73 ± 7.05 | 30.80 ± 6.45 | 28.93 ± 4.77 | 34.80 ± 9.19 | 37.07 ± 6.32 | 40.53 ± 8.63 | 18.27 ± 3.37 | 21.47 ± 4.17 | 22.93 ± 3.69 | 24.67 ± 5.27 | 25.60 ± 4.61 | 5.93 |
| Poison | NoisyGNN | GOttack | 26.00 ± 6.76 | 36.53 ± 9.36 | 46.27 ± 11.36 | 60.00 ± 10.80 | 66.93 ± 9.28 | 27.47 ± 4.63 | 41.47 ± 9.69 | 54.53 ± 10.07 | 58.67 ± 7.28 | 59.33 ± 9.31 | 23.07 ± 3.84 | 30.27 ± 5.12 | 37.20 ± 7.66 | 42.27 ± 8.31 | 49.20 ± 9.06 | 3.00 |

Table 24: Defended Heterophily Results - 1/3. Evaluating six adversarial attacks on two defense victim models (GCN-GARNET, ElasticGNN, GNNGuard) - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined. GCN-Jaccard is excluded from this table due to an error caused by GCN-Jaccard's implementation.

| Setting | Defense | Attack | SQUIRREL Δ=1 | SQUIRREL Δ=2 | SQUIRREL Δ=3 | SQUIRREL Δ=4 | SQUIRREL Δ=5 | CHAMELEON Δ=1 | CHAMELEON Δ=2 | CHAMELEON Δ=3 | CHAMELEON Δ=4 | CHAMELEON Δ=5 | Avg. Rank |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Evasion | ElasticGNN | L1D-RND | 7.87 ± 4.56 | 9.33 ± 4.32 | 15.33 ± 4.39 | 18.40 ± 4.01 | 19.87 ± 4.37 | 10.53 ± 9.78 | 16.67 ± 8.97 | 22.00 ± 11.11 | 25.60 ± 12.52 | 31.73 ± 10.77 | 5.40 |
| Evasion | ElasticGNN | FGA | 23.47 ± 11.45 | 32.93 ± 8.75 | 35.73 ± 9.47 | 40.53 ± 8.53 | 42.67 ± 10.41 | 15.07 ± 10.02 | 21.20 ± 9.70 | 25.33 ± 9.31 | 28.13 ± 7.61 | 30.13 ± 7.58 | 1.70 |
| Evasion | ElasticGNN | NETTACK | 7.87 ± 3.96 | 12.00 ± 4.72 | 16.53 ± 5.37 | 20.40 ± 4.73 | 22.80 ± 5.06 | 4.00 ± 3.55 | 5.33 ± 3.44 | 7.33 ± 3.35 | 8.13 ± 3.58 | 8.67 ± 4.25 | 6.40 |
| Evasion | ElasticGNN | PGD | 18.93 ± 9.88 | 25.07 ± 10.74 | 29.60 ± 9.48 | 28.93 ± 10.71 | 31.60 ± 11.72 | 14.93 ± 8.03 | 19.07 ± 7.48 | 22.13 ± 7.27 | 27.20 ± 5.12 | 27.87 ± 6.70 | 3.10 |
| Evasion | ElasticGNN | PR-BCD (NA) | 12.13 ± 3.81 | 15.73 ± 5.70 | 18.13 ± 5.83 | 19.33 ± 6.13 | 20.13 ± 6.21 | 12.27 ± 7.59 | 14.40 ± 8.85 | 16.67 ± 8.80 | 17.20 ± 7.55 | 18.40 ± 8.32 | 5.40 |
| Evasion | ElasticGNN | SGA | 23.73 ± 4.53 | 29.33 ± 8.13 | 35.20 ± 6.36 | 39.20 ± 7.66 | 41.07 ± 8.28 | 19.33 ± 6.91 | 25.60 ± 9.26 | 28.40 ± 10.03 | 32.67 ± 10.05 | 34.13 ± 9.33 | 1.40 |
| Evasion | ElasticGNN | GOttack | 14.93 ± 5.12 | 17.60 ± 7.79 | 24.40 ± 6.81 | 24.93 ± 7.63 | 30.67 ± 8.64 | 14.67 ± 9.15 | 13.60 ± 8.72 | 18.40 ± 8.92 | 16.13 ± 8.33 | 20.80 ± 7.40 | 4.60 |
| Evasion | GCN-GARNET | L1D-RND | 20.00 ± 12.47 | 30.40 ± 13.57 | 35.47 ± 16.71 | 39.87 ± 14.21 | 36.67 ± 13.73 | 19.87 ± 9.61 | 23.20 ± 10.33 | 27.07 ± 10.87 | 25.07 ± 11.76 | 35.60 ± 10.15 | 1.30 |
| Evasion | GCN-GARNET | FGA | 15.87 ± 12.73 | 17.87 ± 11.27 | 22.13 ± 11.20 | 22.27 ± 10.87 | 24.53 ± 10.49 | 17.07 ± 10.58 | 16.80 ± 11.88 | 22.00 ± 10.20 | 26.40 ± 12.05 | 21.87 ± 9.72 | 3.20 |
| Evasion | GCN-GARNET | NETTACK | 2.13 ± 1.41 | 1.73 ± 1.49 | 2.67 ± 2.09 | 2.27 ± 2.60 | 1.73 ± 1.49 | 3.07 ± 2.71 | 3.60 ± 2.75 | 3.33 ± 2.47 | 4.13 ± 2.33 | 4.40 ± 2.64 | 7.00 |
| Evasion | GCN-GARNET | PGD | 10.40 ± 5.25 | 16.00 ± 7.86 | 19.47 ± 7.80 | 20.00 ± 8.38 | 21.47 ± 9.98 | 12.27 ± 7.28 | 15.33 ± 8.84 | 22.53 ± 8.96 | 22.93 ± 6.63 | 22.00 ± 8.45 | 4.50 |
| Evasion | GCN-GARNET | PR-BCD (NA) | 23.33 ± 10.81 | 27.07 ± 9.62 | 27.47 ± 13.26 | 30.80 ± 13.39 | 29.47 ± 11.72 | 15.73 ± 9.32 | 24.40 ± 8.49 | 25.20 ± 5.49 | 22.40 ± 5.08 | 24.00 ± 8.65 | 2.20 |
| Evasion | GCN-GARNET | SGA | 13.60 ± 7.75 | 17.20 ± 7.44 | 19.73 ± 10.00 | 21.47 ± 9.02 | 23.20 ± 7.92 | 19.87 ± 9.75 | 21.20 ± 9.53 | 19.73 ± 8.61 | 21.33 ± 10.68 | 22.80 ± 10.60 | 3.80 |
| Evasion | GCN-GARNET | GOttack | 5.33 ± 4.64 | 3.73 ± 2.71 | 4.27 ± 3.01 | 5.33 ± 2.79 | 5.60 ± 3.04 | 8.27 ± 4.27 | 6.67 ± 3.35 | 10.27 ± 4.83 | 12.00 ± 8.18 | 9.33 ± 4.39 | 6.00 |
| Evasion | GNNGuard | L1D-RND | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 1.00 |
| Evasion | GNNGuard | FGA | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.47 ± 28.04 | 34.80 ± 27.21 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 2.60 |
| Evasion | GNNGuard | NETTACK | 18.80 ± 15.47 | 18.80 ± 15.47 | 18.80 ± 15.47 | 18.80 ± 15.47 | 18.80 ± 15.47 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 5.00 |
| Evasion | GNNGuard | PGD | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 3.30 |
| Evasion | GNNGuard | PR-BCD (NA) | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 4.30 |
| Evasion | GNNGuard | SGA | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 5.30 |
| Evasion | GNNGuard | GOttack | 22.13 ± 17.54 | 22.13 ± 17.54 | 22.13 ± 17.54 | 22.13 ± 17.54 | 22.13 ± 17.54 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 6.50 |
| Poison | ElasticGNN | L1D-RND | 16.67 ± 7.92 | 21.07 ± 5.23 | 24.67 ± 7.12 | 26.67 ± 6.62 | 27.33 ± 8.57 | 19.07 ± 9.07 | 25.60 ± 7.75 | 31.73 ± 9.85 | 34.80 ± 10.63 | 42.67 ± 9.52 | 5.50 |
| Poison | ElasticGNN | FGA | 38.80 ± 13.15 | 47.73 ± 11.41 | 47.73 ± 11.18 | 53.33 ± 11.70 | 54.53 ± 13.80 | 29.73 ± 11.66 | 40.27 ± 8.97 | 44.13 ± 11.43 | 49.60 ± 12.36 | 49.60 ± 13.46 | 1.40 |
| Poison | ElasticGNN | NETTACK | 12.80 ± 4.95 | 16.80 ± 6.45 | 19.33 ± 4.76 | 22.13 ± 4.44 | 24.00 ± 4.90 | 7.60 ± 4.48 | 8.40 ± 3.04 | 10.13 ± 5.10 | 12.27 ± 5.18 | 11.60 ± 5.46 | 7.00 |
| Poison | ElasticGNN | PGD | 28.40 ± 10.93 | 35.33 ± 14.40 | 39.87 ± 8.96 | 42.67 ± 13.17 | 46.80 ± 13.64 | 28.40 ± 12.31 | 35.87 ± 10.73 | 40.13 ± 14.43 | 44.00 ± 10.11 | 45.73 ± 12.49 | 3.00 |
| Poison | ElasticGNN | PR-BCD (NA) | 24.00 ± 8.42 | 24.27 ± 7.92 | 27.47 ± 9.46 | 29.87 ± 8.77 | 32.40 ± 9.69 | 24.40 ± 7.57 | 30.67 ± 9.55 | 32.00 ± 11.34 | 37.33 ± 12.11 | 37.60 ± 9.45 | 4.40 |
| Poison | ElasticGNN | SGA | 35.20 ± 9.97 | 45.60 ± 12.74 | 49.60 ± 11.42 | 54.80 ± 10.74 | 56.67 ± 11.73 | 31.33 ± 6.40 | 38.53 ± 10.07 | 42.40 ± 8.53 | 48.67 ± 10.73 | 48.67 ± 10.38 | 1.60 |
| Poison | ElasticGNN | GOttack | 20.13 ± 7.03 | 23.20 ± 7.04 | 28.93 ± 6.41 | 30.00 ± 9.13 | 33.60 ± 8.39 | 19.73 ± 9.22 | 17.47 ± 7.07 | 23.73 ± 8.55 | 21.07 ± 8.65 | 27.73 ± 6.54 | 5.10 |
| Poison | GCN-GARNET | L1D-RND | 31.07 ± 8.78 | 37.60 ± 11.39 | 39.20 ± 13.33 | 44.13 ± 12.64 | 42.00 ± 11.54 | 35.07 ± 10.17 | 30.80 ± 9.99 | 38.67 ± 10.08 | 39.73 ± 15.65 | 44.40 ± 12.47 | 1.30 |
| Poison | GCN-GARNET | FGA | 28.13 ± 8.16 | 28.67 ± 8.57 | 31.47 ± 8.37 | 30.00 ± 8.25 | 33.87 ± 11.53 | 30.53 ± 7.46 | 30.13 ± 11.55 | 34.13 ± 10.10 | 36.53 ± 9.64 | 31.07 ± 9.74 | 3.60 |
| Poison | GCN-GARNET | NETTACK | 6.13 ± 3.81 | 3.73 ± 2.49 | 5.07 ± 2.60 | 6.00 ± 3.46 | 4.53 ± 2.45 | 7.20 ± 5.94 | 9.20 ± 5.12 | 7.20 ± 4.71 | 11.47 ± 7.39 | 9.33 ± 6.13 | 7.00 |
| Poison | GCN-GARNET | PGD | 21.87 ± 6.61 | 26.93 ± 5.70 | 30.53 ± 7.95 | 30.00 ± 9.23 | 30.13 ± 7.80 | 28.67 ± 9.22 | 30.40 ± 7.18 | 36.53 ± 9.52 | 36.13 ± 7.61 | 36.00 ± 9.32 | 4.10 |
| Poison | GCN-GARNET | PR-BCD (NA) | 32.27 ± 9.85 | 34.93 ± 10.00 | 37.60 ± 13.44 | 36.67 ± 12.09 | 36.27 ± 9.85 | 29.87 ± 10.18 | 37.07 ± 8.61 | 37.20 ± 7.55 | 39.20 ± 10.14 | 35.20 ± 8.61 | 2.10 |
| Poison | GCN-GARNET | SGA | 24.40 ± 5.82 | 26.13 ± 5.37 | 29.20 ± 8.03 | 30.67 ± 8.54 | 32.80 ± 4.95 | 33.47 ± 10.68 | 33.87 ± 6.48 | 32.40 ± 9.63 | 34.67 ± 13.87 | 34.93 ± 8.28 | 3.90 |
| Poison | GCN-GARNET | GOttack | 9.60 ± 4.01 | 7.73 ± 4.89 | 8.27 ± 2.81 | 8.93 ± 3.53 | 10.27 ± 3.10 | 18.00 ± 6.59 | 16.40 ± 6.77 | 22.00 ± 8.55 | 22.00 ± 11.46 | 20.93 ± 7.96 | 6.00 |
| Poison | GNNGuard | L1D-RND | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 1.00 |
| Poison | GNNGuard | FGA | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.47 ± 28.04 | 34.80 ± 27.21 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 2.60 |
| Poison | GNNGuard | NETTACK | 18.80 ± 15.47 | 18.80 ± 15.47 | 18.80 ± 15.47 | 18.80 ± 15.47 | 18.80 ± 15.47 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 5.00 |
| Poison | GNNGuard | PGD | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 3.30 |
| Poison | GNNGuard | PR-BCD (NA) | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 4.30 |
| Poison | GNNGuard | SGA | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 35.73 ± 28.31 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 5.30 |
| Poison | GNNGuard | GOttack | 22.13 ± 17.54 | 22.13 ± 17.54 | 22.13 ± 17.54 | 22.13 ± 17.54 | 22.13 ± 17.54 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 0.00 ± 0.00 | 6.50 |

Table 25: Defended Heterophily Results - 2/3. Evaluating six adversarial attacks on four vanilla attack victim models (GRAND, RobustGCN, GCORN, RUNG) - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined.

| Setting | Defense | Attack | SQUIRREL Δ=1 | SQUIRREL Δ=2 | SQUIRREL Δ=3 | SQUIRREL Δ=4 | SQUIRREL Δ=5 | CHAMELEON Δ=1 | CHAMELEON Δ=2 | CHAMELEON Δ=3 | CHAMELEON Δ=4 | CHAMELEON Δ=5 | Avg. Rank |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Evasion | GRAND | L1D-RND | 10.93 ± 10.74 | 8.13 ± 9.78 | 8.80 ± 10.58 | 9.33 ± 12.34 | 8.93 ± 11.26 | 2.67 ± 5.49 | 6.00 ± 10.58 | 6.93 ± 12.28 | 7.73 ± 14.36 | 7.60 ± 14.21 | 1.30 |
| Evasion | GRAND | FGA | 2.00 ± 3.46 | 2.00 ± 2.83 | 2.53 ± 3.74 | 5.20 ± 7.51 | 3.60 ± 4.55 | 0.13 ± 0.52 | 1.20 ± 2.24 | 1.73 ± 4.13 | 2.53 ± 5.58 | 2.93 ± 6.71 | 6.10 |
| Evasion | GRAND | NETTACK | 2.00 ± 2.73 | 2.53 ± 3.16 | 2.53 ± 3.16 | 3.07 ± 3.69 | 3.07 ± 3.69 | 2.13 ± 4.17 | 2.67 ± 5.59 | 2.27 ± 4.53 | 2.27 ± 4.53 | 2.27 ± 4.53 | 6.00 |
| Evasion | GRAND | PGD | 2.40 ± 3.79 | 2.53 ± 3.16 | 3.73 ± 4.06 | 3.73 ± 4.27 | 3.60 ± 3.79 | 3.20 ± 7.55 | 2.27 ± 4.13 | 5.47 ± 9.98 | 7.20 ± 13.91 | 6.27 ± 11.21 | 4.20 |
| Evasion | GRAND | PR-BCD (NA) | 6.27 ± 7.36 | 6.80 ± 8.03 | 6.40 ± 7.18 | 6.27 ± 7.13 | 6.53 ± 7.54 | 3.47 ± 6.16 | 6.53 ± 13.10 | 6.80 ± 13.56 | 6.80 ± 13.02 | 7.07 ± 13.56 | 1.90 |
| Evasion | GRAND | SGA | 3.47 ± 3.34 | 4.53 ± 4.17 | 4.67 ± 4.32 | 4.80 ± 4.77 | 5.33 ± 5.16 | 1.73 ± 3.53 | 2.40 ± 4.61 | 4.80 ± 8.17 | 2.80 ± 5.23 | 4.27 ± 8.94 | 4.10 |
| Evasion | GRAND | GOttack | 3.60 ± 4.79 | 2.67 ± 2.99 | 4.13 ± 4.81 | 2.93 ± 3.28 | 4.13 ± 4.44 | 2.67 ± 5.27 | 2.67 ± 6.31 | 4.13 ± 9.36 | 3.47 ± 9.27 | 4.27 ± 9.82 | 4.40 |
| Evasion | RobustGCN | L1D-RND | 9.73 ± 14.38 | 25.33 ± 9.09 | 40.40 ± 5.03 | 41.73 ± 6.58 | 46.40 ± 7.02 | 11.07 ± 13.43 | 31.47 ± 7.39 | 41.60 ± 9.36 | 47.60 ± 9.36 | 46.67 ± 8.16 | 4.40 |
| Evasion | RobustGCN | FGA | 35.47 ± 12.52 | 46.27 ± 12.33 | 50.27 ± 9.85 | 49.33 ± 12.06 | 52.00 ± 11.44 | 38.13 ± 9.52 | 45.87 ± 10.18 | 45.33 ± 11.65 | 51.73 ± 11.66 | 49.73 ± 11.63 | 1.10 |
| Evasion | RobustGCN | NETTACK | 9.60 ± 4.48 | 13.33 ± 4.70 | 15.60 ± 6.47 | 17.47 ± 6.78 | 20.27 ± 6.80 | 6.27 ± 3.53 | 7.20 ± 3.10 | 7.07 ± 4.40 | 8.40 ± 5.57 | 10.13 ± 6.30 | 7.00 |
| Evasion | RobustGCN | PGD | 35.47 ± 11.67 | 41.20 ± 13.02 | 41.07 ± 13.37 | 44.80 ± 16.90 | 42.93 ± 12.46 | 32.13 ± 7.07 | 40.67 ± 10.52 | 41.20 ± 10.63 | 48.27 ± 11.08 | 48.40 ± 12.40 | 3.00 |
| Evasion | RobustGCN | PR-BCD (NA) | 35.47 ± 7.50 | 41.47 ± 7.95 | 45.20 ± 6.36 | 44.80 ± 5.54 | 49.07 ± 7.28 | 28.93 ± 7.09 | 33.33 ± 9.70 | 40.13 ± 10.60 | 39.33 ± 10.27 | 38.67 ± 10.89 | 3.70 |
| Evasion | RobustGCN | SGA | 40.00 ± 5.86 | 44.80 ± 8.65 | 44.67 ± 8.09 | 48.13 ± 7.73 | 48.67 ± 7.43 | 32.13 ± 9.18 | 36.53 ± 9.98 | 37.60 ± 10.40 | 43.60 ± 12.19 | 43.73 ± 11.23 | 3.00 |
| Evasion | RobustGCN | GOttack | 18.40 ± 6.98 | 17.20 ± 8.10 | 21.47 ± 7.54 | 22.13 ± 9.84 | 27.60 ± 8.08 | 26.40 ± 7.90 | 26.00 ± 8.94 | 30.93 ± 10.02 | 24.53 ± 9.36 | 30.27 ± 6.71 | 5.80 |
| Evasion | GCORN | L1D-RND | 18.67 ± 15.72 | 26.13 ± 17.00 | 29.20 ± 18.15 | 32.27 ± 16.97 | 34.53 ± 17.39 | 16.53 ± 15.94 | 32.53 ± 12.34 | 38.13 ± 14.65 | 41.47 ± 18.60 | 45.73 ± 20.60 | 3.10 |
| Evasion | GCORN | FGA | 31.07 ± 21.02 | 33.47 ± 16.54 | 36.27 ± 18.79 | 36.67 ± 19.00 | 37.60 ± 19.14 | 34.13 ± 19.23 | 36.53 ± 15.99 | 48.67 ± 17.03 | 48.67 ± 18.40 | 48.67 ± 19.03 | 1.10 |
| Evasion | GCORN | NETTACK | 6.67 ± 5.38 | 8.53 ± 5.73 | 9.60 ± 5.14 | 10.27 ± 5.85 | 11.07 ± 6.50 | 3.47 ± 3.58 | 5.33 ± 3.75 | 6.67 ± 4.39 | 8.13 ± 3.74 | 9.20 ± 4.06 | 6.90 |
| Evasion | GCORN | PGD | 23.47 ± 10.57 | 31.20 ± 10.50 | 31.60 ± 11.93 | 34.00 ± 13.33 | 35.60 ± 13.12 | 21.07 ± 13.69 | 32.13 ± 16.89 | 31.73 ± 17.19 | 36.00 ± 17.44 | 37.20 ± 18.25 | 2.90 |
| Evasion | GCORN | PR-BCD (NA) | 13.20 ± 13.18 | 17.07 ± 11.18 | 17.33 ± 9.93 | 19.20 ± 10.55 | 22.67 ± 10.02 | 10.13 ± 7.87 | 15.20 ± 9.47 | 17.07 ± 11.05 | 20.27 ± 12.46 | 22.93 ± 14.91 | 5.00 |
| Evasion | GCORN | SGA | 24.27 ± 12.14 | 31.87 ± 13.10 | 35.73 ± 13.31 | 34.67 ± 10.49 | 37.73 ± 11.36 | 15.60 ± 7.86 | 21.33 ± 8.57 | 22.93 ± 6.84 | 27.87 ± 10.38 | 29.33 ± 9.61 | 2.90 |
| Evasion | GCORN | GOttack | 9.47 ± 6.74 | 10.40 ± 7.75 | 12.93 ± 5.99 | 12.93 ± 6.13 | 14.27 ± 6.80 | 6.00 ± 4.14 | 5.07 ± 3.92 | 9.73 ± 5.70 | 10.13 ± 5.88 | 10.27 ± 5.18 | 6.10 |
| Evasion | RUNG | L1D-RND | 2.13 ± 1.77 | 2.13 ± 2.77 | 2.13 ± 2.20 | 2.67 ± 2.58 | 2.80 ± 2.48 | 2.27 ± 3.28 | 2.27 ± 5.18 | 3.47 ± 6.61 | 4.53 ± 6.65 | 5.07 ± 7.17 | 2.70 |
| Evasion | RUNG | FGA | 1.87 ± 2.88 | 1.87 ± 2.20 | 3.20 ± 3.36 | 2.93 ± 2.25 | 3.60 ± 2.53 | 0.93 ± 1.83 | 2.27 ± 3.69 | 2.53 ± 3.58 | 3.33 ± 5.22 | 4.13 ± 5.37 | 3.40 |
| Evasion | RUNG | NETTACK | 0.27 ± 1.03 | 0.80 ± 1.47 | 1.33 ± 1.63 | 1.47 ± 1.77 | 1.60 ± 1.72 | 0.27 ± 0.70 | 0.67 ± 1.23 | 0.53 ± 1.19 | 0.93 ± 1.83 | 1.33 ± 2.23 | 6.90 |
| Evasion | RUNG | PGD | 2.00 ± 1.85 | 2.67 ± 2.89 | 4.40 ± 2.85 | 4.67 ± 2.99 | 4.93 ± 3.10 | 1.87 ± 4.69 | 2.00 ± 3.02 | 1.60 ± 2.03 | 3.20 ± 4.71 | 3.47 ± 5.93 | 3.10 |
| Evasion | RUNG | PR-BCD (NA) | 1.73 ± 2.49 | 2.67 ± 2.47 | 3.20 ± 2.60 | 2.27 ± 2.12 | 3.33 ± 3.09 | 0.80 ± 2.24 | 1.87 ± 3.58 | 1.87 ± 3.96 | 2.40 ± 3.87 | 3.20 ± 5.65 | 4.60 |
| Evasion | RUNG | SGA | 2.67 ± 3.68 | 3.47 ± 4.17 | 5.07 ± 4.77 | 5.07 ± 4.59 | 5.60 ± 4.15 | 2.13 ± 4.31 | 2.93 ± 4.95 | 3.20 ± 3.61 | 5.60 ± 7.38 | 4.40 ± 6.47 | 1.30 |
| Evasion | RUNG | GOttack | 0.93 ± 2.25 | 0.93 ± 1.83 | 1.73 ± 2.71 | 1.47 ± 2.07 | 2.00 ± 2.83 | 0.67 ± 1.23 | 1.33 ± 2.09 | 1.60 ± 2.16 | 1.87 ± 3.25 | 3.47 ± 5.04 | 6.00 |
| Poison | GRAND | L1D-RND | 16.00 ± 13.56 | 14.00 ± 13.16 | 16.80 ± 15.89 | 19.07 ± 17.81 | 19.07 ± 17.63 | 4.00 ± 5.95 | 9.33 ± 13.75 | 12.67 ± 19.50 | 12.40 ± 20.38 | 13.07 ± 21.93 | 2.10 |
| Poison | GRAND | FGA | 12.13 ± 21.71 | 16.53 ± 26.57 | 19.33 ± 26.08 | 21.33 ± 26.15 | 17.07 ± 17.56 | 2.00 ± 3.12 | 5.87 ± 9.66 | 5.07 ± 8.00 | 11.20 ± 24.69 | 8.93 ± 15.87 | 3.30 |
| Poison | GRAND | NETTACK | 4.40 ± 7.53 | 5.47 ± 6.91 | 6.27 ± 8.34 | 8.13 ± 10.32 | 7.47 ± 10.27 | 4.00 ± 7.09 | 5.20 ± 7.92 | 4.93 ± 7.89 | 5.20 ± 7.55 | 4.00 ± 5.55 | 6.60 |
| Poison | GRAND | PGD | 11.07 ± 11.66 | 12.93 ± 11.08 | 18.53 ± 16.15 | 21.20 ± 18.03 | 21.07 ± 17.55 | 5.33 ± 8.02 | 8.13 ± 11.80 | 12.40 ± 18.64 | 11.33 ± 17.13 | 12.13 ± 16.59 | 2.30 |
| Poison | GRAND | PR-BCD (NA) | 9.07 ± 9.47 | 12.13 ± 12.39 | 11.07 ± 10.69 | 12.13 ± 12.39 | 11.33 ± 12.87 | 7.07 ± 9.07 | 9.47 ± 14.17 | 11.07 ± 16.18 | 11.07 ± 15.47 | 11.60 ± 16.87 | 3.40 |
| Poison | GRAND | SGA | 7.07 ± 6.92 | 11.87 ± 11.75 | 10.40 ± 8.22 | 14.93 ± 14.83 | 14.40 ± 13.14 | 6.53 ± 11.04 | 6.00 ± 9.13 | 7.87 ± 10.89 | 6.80 ± 9.73 | 8.27 ± 11.61 | 4.30 |
| Poison | GRAND | GOttack | 6.93 ± 9.44 | 6.13 ± 10.99 | 6.80 ± 6.96 | 5.20 ± 5.28 | 6.13 ± 6.21 | 4.80 ± 7.16 | 4.00 ± 6.85 | 5.47 ± 9.61 | 6.40 ± 12.29 | 6.67 ± 10.81 | 6.00 |
| Poison | RobustGCN | L1D-RND | 26.00 ± 14.89 | 33.33 ± 10.13 | 45.60 ± 6.98 | 45.33 ± 8.13 | 48.93 ± 8.10 | 23.07 ± 11.83 | 36.13 ± 9.69 | 44.27 ± 10.17 | 49.60 ± 9.98 | 48.80 ± 8.48 | 4.80 |
| Poison | RobustGCN | FGA | 43.47 ± 13.64 | 51.73 ± 12.33 | 56.67 ± 11.05 | 54.93 ± 12.09 | 57.33 ± 12.69 | 43.07 ± 11.08 | 53.07 ± 11.46 | 52.67 ± 13.58 | 56.80 ± 12.78 | 53.33 ± 11.99 | 1.30 |
| Poison | RobustGCN | NETTACK | 14.67 ± 7.58 | 18.67 ± 8.51 | 21.60 ± 9.30 | 21.60 ± 7.72 | 24.53 ± 8.33 | 9.73 ± 5.28 | 9.73 ± 3.69 | 10.27 ± 5.50 | 12.93 ± 6.92 | 12.27 ± 8.00 | 7.00 |
| Poison | RobustGCN | PGD | 44.00 ± 14.44 | 46.93 ± 14.66 | 46.53 ± 16.20 | 50.13 ± 18.51 | 50.27 ± 14.28 | 37.20 ± 8.44 | 46.40 ± 8.76 | 48.13 ± 11.10 | 54.13 ± 9.66 | 54.27 ± 12.33 | 2.80 |
| Poison | RobustGCN | PR-BCD (NA) | 41.07 ± 7.89 | 48.00 ± 11.56 | 52.27 ± 7.17 | 51.33 ± 8.13 | 49.73 ± 9.28 | 37.73 ± 8.10 | 41.33 ± 11.82 | 44.53 ± 10.21 | 48.40 ± 9.51 | 44.40 ± 10.53 | 3.50 |
| Poison | RobustGCN | SGA | 46.00 ± 8.94 | 48.80 ± 8.81 | 50.40 ± 10.48 | 50.67 ± 8.80 | 53.07 ± 9.28 | 40.67 ± 10.05 | 46.27 ± 10.47 | 44.13 ± 9.81 | 51.07 ± 12.65 | 50.53 ± 12.01 | 2.70 |
| Poison | RobustGCN | GOttack | 20.80 ± 6.92 | 24.13 ± 11.48 | 25.07 ± 8.94 | 27.33 ± 11.58 | 31.87 ± 10.78 | 29.60 ± 5.96 | 28.80 ± 9.50 | 36.80 ± 7.24 | 31.87 ± 10.32 | 35.33 ± 6.26 | 5.90 |
| Poison | GCORN | L1D-RND | 20.00 ± 16.30 | 26.67 ± 17.35 | 30.93 ± 19.71 | 33.60 ± 17.88 | 36.13 ± 17.38 | 17.33 ± 16.74 | 33.47 ± 13.06 | 38.80 ± 15.08 | 42.67 ± 18.07 | 46.27 ± 20.41 | 3.30 |
| Poison | GCORN | FGA | 34.27 ± 22.68 | 34.40 ± 16.67 | 37.33 ± 16.26 | 40.80 ± 18.80 | 37.73 ± 17.43 | 34.53 ± 17.93 | 36.80 ± 15.25 | 48.13 ± 17.06 | 49.87 ± 18.29 | 48.40 ± 18.66 | 1.20 |
| Poison | GCORN | NETTACK | 8.13 ± 6.61 | 9.20 ± 7.48 | 10.40 ± 5.96 | 12.13 ± 6.21 | 13.07 ± 6.96 | 4.27 ± 3.45 | 5.87 ± 4.44 | 7.60 ± 4.22 | 9.47 ± 3.96 | 11.47 ± 5.68 | 7.00 |
| Poison | GCORN | PGD | 25.60 ± 12.03 | 33.47 ± 11.07 | 34.53 ± 11.92 | 37.33 ± 13.04 | 37.60 ± 11.69 | 22.67 ± 13.81 | 34.00 ± 16.82 | 33.33 ± 16.08 | 37.87 ± 16.54 | 37.73 ± 17.32 | 2.80 |
| Poison | GCORN | PR-BCD (NA) | 14.53 ± 13.68 | 18.13 ± 10.81 | 19.07 ± 9.94 | 21.33 ± 7.84 | 24.40 ± 9.80 | 11.33 ± 7.24 | 16.13 ± 8.67 | 18.13 ± 10.70 | 21.60 ± 11.96 | 25.20 ± 14.48 | 5.00 |
| Poison | GCORN | SGA | 26.13 ± 13.89 | 34.40 ± 13.38 | 37.60 ± 13.80 | 37.60 ± 10.96 | 39.33 ± 9.67 | 18.80 ± 8.20 | 24.80 ± 8.87 | 25.73 ± 7.25 | 29.07 ± 10.55 | 32.53 ± 10.32 | 2.70 |
| Poison | GCORN | GOttack | 10.67 ± 8.61 | 11.47 ± 9.52 | 14.67 ± 7.24 | 14.53 ± 7.58 | 15.73 ± 8.48 | 6.53 ± 3.66 | 6.40 ± 4.42 | 11.47 ± 5.42 | 12.00 ± 5.55 | 12.00 ± 5.50 | 6.00 |
| Poison | RUNG | L1D-RND | 11.33 ± 8.64 | 16.13 ± 8.26 | 17.07 ± 8.94 | 18.67 ± 8.02 | 19.33 ± 8.09 | 12.00 ± 8.88 | 21.33 ± 12.30 | 24.00 ± 10.61 | 28.00 ± 13.96 | 32.40 ± 14.35 | 3.30 |
| Poison | RUNG | FGA | 20.53 ± 9.69 | 24.67 ± 10.27 | 29.47 ± 7.23 | 28.53 ± 9.21 | 28.67 ± 10.63 | 16.40 ± 7.53 | 17.47 ± 12.06 | 17.20 ± 7.70 | 18.80 ± 10.77 | 19.20 ± 11.18 | 2.00 |
| Poison | RUNG | NETTACK | 6.53 ± 4.44 | 6.93 ± 5.18 | 6.53 ± 4.81 | 6.93 ± 4.83 | 6.80 ± 4.26 | 7.33 ± 2.89 | 6.67 ± 2.89 | 7.07 ± 3.61 | 6.93 ± 4.06 | 7.47 ± 3.34 | 6.80 |
| Poison | RUNG | PGD | 17.33 ± 7.81 | 23.20 ± 9.91 | 26.40 ± 9.05 | 27.07 ± 6.23 | 27.87 ± 8.63 | 13.73 ± 6.41 | 18.40 ± 7.64 | 19.20 ± 8.94 | 20.00 ± 9.80 | 19.60 ± 11.76 | 2.30 |
| Poison | RUNG | PR-BCD (NA) | 15.07 ± 6.18 | 19.47 ± 7.31 | 19.20 ± 6.84 | 20.67 ± 7.73 | 20.53 ± 6.99 | 11.73 ± 5.90 | 14.40 ± 6.15 | 13.87 ± 7.87 | 14.53 ± 5.42 | 15.73 ± 6.45 | 4.50 |
| Poison | RUNG | SGA | 18.40 ± 9.33 | 22.27 ± 8.78 | 26.27 ± 8.61 | 26.93 ± 10.63 | 27.73 ± 10.11 | 14.27 ± 6.76 | 15.07 ± 5.23 | 20.40 ± 7.41 | 19.60 ± 7.97 | 18.00 ± 6.46 | 2.90 |
| Poison | RUNG | GOttack | 6.27 ± 5.18 | 6.93 ± 6.23 | 8.00 ± 5.66 | 7.60 ± 5.62 | 9.20 ± 6.58 | 10.80 ± 4.89 | 8.27 ± 5.80 | 9.20 ± 3.69 | 10.53 ± 3.42 | 12.53 ± 6.35 | 6.20 |

Table 26: Defended Heterophily Results - 3/3. Evaluating six adversarial attacks on four vanilla attack victim models (NoisyGNN) - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined.

| Setting | Defense | Attack | SQUIRREL Δ=1 | SQUIRREL Δ=2 | SQUIRREL Δ=3 | SQUIRREL Δ=4 | SQUIRREL Δ=5 | CHAMELEON Δ=1 | CHAMELEON Δ=2 | CHAMELEON Δ=3 | CHAMELEON Δ=4 | CHAMELEON Δ=5 | Avg. Rank |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Evasion | NoisyGNN | L1D-RND | 68.93 ± 7.05 | 67.47 ± 7.87 | 67.47 ± 7.87 | 67.47 ± 7.87 | 67.60 ± 7.83 | 63.73 ± 5.99 | 64.67 ± 7.95 | 64.93 ± 6.67 | 63.73 ± 6.13 | 65.87 ± 5.32 | 2.70 |
| Evasion | NoisyGNN | FGA | 66.80 ± 11.13 | 66.93 ± 10.82 | 66.53 ± 12.70 | 67.07 ± 13.33 | 64.93 ± 17.09 | 62.27 ± 11.49 | 64.93 ± 14.24 | 70.00 ± 13.31 | 62.67 ± 15.50 | 67.20 ± 14.54 | 3.40 |
| Evasion | NoisyGNN | NETTACK | 26.13 ± 4.93 | 26.00 ± 5.01 | 26.00 ± 5.01 | 26.00 ± 5.01 | 26.00 ± 5.01 | 4.80 ± 8.51 | 4.80 ± 8.55 | 5.47 ± 8.26 | 6.13 ± 8.02 | 5.73 ± 8.17 | 7.00 |
| Evasion | NoisyGNN | PGD | 66.93 ± 8.58 | 68.40 ± 7.90 | 67.33 ± 9.00 | 67.73 ± 9.47 | 69.47 ± 8.83 | 57.60 ± 8.08 | 62.53 ± 8.70 | 63.47 ± 6.95 | 63.60 ± 7.68 | 68.53 ± 6.25 | 3.00 |
| Evasion | NoisyGNN | PR-BCD | 69.73 ± 6.54 | 69.87 ± 6.44 | 69.47 ± 7.07 | 69.20 ± 7.78 | 70.40 ± 6.38 | 53.33 ± 7.70 | 54.80 ± 7.59 | 53.87 ± 7.73 | 53.20 ± 8.20 | 53.47 ± 8.90 | 3.30 |
| Evasion | NoisyGNN | SGA | 69.07 ± 6.88 | 69.73 ± 7.48 | 69.73 ± 7.74 | 70.53 ± 7.35 | 71.47 ± 6.95 | 60.13 ± 7.69 | 60.13 ± 6.52 | 60.80 ± 7.55 | 60.00 ± 7.13 | 61.60 ± 8.72 | 2.60 |
| Evasion | NoisyGNN | GOttack | 34.13 ± 4.87 | 34.27 ± 4.89 | 34.40 ± 5.03 | 34.00 ± 4.72 | 34.40 ± 4.67 | 19.20 ± 8.68 | 21.47 ± 9.87 | 20.27 ± 8.55 | 21.20 ± 9.25 | 20.80 ± 9.47 | 6.00 |
| Poison | NoisyGNN | L1D-RND | 71.87 ± 6.25 | 71.87 ± 6.25 | 72.27 ± 6.50 | 71.60 ± 6.38 | 72.27 ± 6.04 | 64.93 ± 5.80 | 66.40 ± 7.14 | 65.87 ± 8.50 | 65.73 ± 4.71 | 67.73 ± 6.09 | 4.10 |
| Poison | NoisyGNN | FGA | 72.53 ± 9.81 | 74.13 ± 7.31 | 70.40 ± 9.05 | 71.87 ± 8.86 | 72.67 ± 10.79 | 68.00 ± 9.41 | 74.53 ± 13.78 | 76.67 ± 13.06 | 74.00 ± 19.61 | 80.40 ± 16.65 | 2.50 |
| Poison | NoisyGNN | NETTACK | 29.87 ± 4.37 | 29.60 ± 5.14 | 30.53 ± 5.10 | 31.33 ± 4.82 | 31.47 ± 3.89 | 8.40 ± 9.83 | 9.47 ± 9.15 | 10.13 ± 10.32 | 9.47 ± 9.36 | 10.13 ± 8.60 | 7.00 |
| Poison | NoisyGNN | PGD | 72.67 ± 7.39 | 74.40 ± 7.14 | 74.27 ± 8.14 | 74.40 ± 8.18 | 76.40 ± 8.82 | 61.73 ± 7.70 | 68.27 ± 9.38 | 71.87 ± 5.48 | 73.47 ± 7.58 | 77.73 ± 6.76 | 2.30 |
| Poison | NoisyGNN | PR-BCD | 72.93 ± 5.28 | 73.47 ± 5.04 | 74.27 ± 5.01 | 74.53 ± 4.87 | 73.87 ± 6.12 | 59.33 ± 7.12 | 60.53 ± 6.70 | 60.93 ± 6.50 | 62.00 ± 7.25 | 60.53 ± 6.99 | 3.90 |
| Poison | NoisyGNN | SGA | 74.67 ± 6.62 | 74.80 ± 5.85 | 74.93 ± 6.45 | 75.47 ± 5.83 | 75.07 ± 5.60 | 62.67 ± 7.88 | 65.47 ± 6.99 | 69.47 ± 7.07 | 68.40 ± 8.32 | 69.60 ± 9.39 | 2.20 |
| Poison | NoisyGNN | GOttack | 37.87 ± 4.75 | 38.13 ± 5.58 | 39.87 ± 6.07 | 38.27 ± 6.32 | 40.00 ± 5.76 | 23.60 ± 8.29 | 26.13 ± 9.15 | 24.80 ± 10.63 | 27.20 ± 8.48 | 26.27 ± 9.68 | 6.00 |

Table 27: Defended PRBCD on Homophily Datasets. Evaluating PRBCD and adaptive version of PRBCD (PR-BCD (NA)) adversarial attacks on two defense victim models (ElasticGNN, RobustGCN) - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined.

| Setting | Model | Attack | CORA Δ=1 | CORA Δ=2 | CORA Δ=3 | CORA Δ=4 | CORA Δ=5 | CITESEER Δ=1 | CITESEER Δ=2 | CITESEER Δ=3 | CITESEER Δ=4 | CITESEER Δ=5 | PUBMED Δ=1 | PUBMED Δ=2 | PUBMED Δ=3 | PUBMED Δ=4 | PUBMED Δ=5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | ElasticGNN | PR-BCD | 24.80±2.81 | 30.67±4.88 | 37.87±7.27 | 45.47±7.76 | 50.13±8.16 | 23.60±7.53 | 31.87±8.73 | 39.20±10.71 | 45.47±10.76 | 49.73±13.52 | 22.93±3.84 | 25.60±4.15 | 27.33±4.94 | 29.60±5.25 | 31.73±5.01 | 1.40 |
| Evasion | ElasticGNN | PR-BCD (NA) | 24.67±3.75 | 32.00±5.76 | 41.60±6.85 | 44.80±7.28 | 50.40±9.05 | 23.33±4.76 | 30.93±7.44 | 38.40±9.66 | 45.47±11.12 | 51.33±11.87 | 22.13±3.16 | 25.60±4.42 | 28.00±4.28 | 30.53±5.53 | 30.53±3.89 | 1.60 |
| Evasion | RobustGCN | PR-BCD | 27.73±5.44 | 49.33±5.94 | 56.13±4.31 | 60.53±3.58 | 62.93±4.20 | 24.27±4.13 | 40.80±5.00 | 53.07±3.20 | 56.53±2.77 | 58.67±2.79 | 29.60±3.79 | 40.40±5.36 | 48.53±3.58 | 55.20±2.37 | 56.27±1.83 | 1.60 |
| Evasion | RobustGCN | PR-BCD (NA) | 32.40±4.79 | 58.00±3.85 | 62.00±3.93 | 64.67±3.44 | 64.93±2.49 | 23.87±3.74 | 42.67±5.98 | 53.20±4.89 | 55.87±3.25 | 58.27±3.53 | 31.47±2.07 | 38.40±4.61 | 48.53±3.42 | 54.00±3.12 | 57.07±2.25 | 1.40 |
| Poison | ElasticGNN | PR-BCD | 27.33±3.18 | 38.00±7.29 | 47.47±5.32 | 53.20±4.83 | 60.53±5.15 | 27.20±9.00 | 41.20±10.08 | 48.27±12.40 | 54.67±11.97 | 56.93±12.16 | 21.87±4.87 | 24.53±3.96 | 26.80±4.52 | 29.47±5.04 | 31.47±4.63 | 1.47 |
| Poison | ElasticGNN | PR-BCD (NA) | 25.60±4.15 | 36.53±5.93 | 47.47±6.25 | 55.33±3.83 | 59.47±5.04 | 29.47±9.21 | 38.93±11.29 | 50.93±11.71 | 53.73±10.22 | 57.73±10.00 | 20.53±3.07 | 25.60±3.94 | 27.07±4.83 | 30.80±6.13 | 30.80±4.06 | 1.53 |
| Poison | RobustGCN | PR-BCD | 30.93±4.40 | 50.00±4.47 | 58.00±3.78 | 60.13±2.97 | 62.40±4.61 | 29.47±4.10 | 48.13±4.98 | 55.60±2.53 | 58.27±3.37 | 59.60±3.94 | 29.47±3.34 | 40.53±4.56 | 50.27±3.45 | 55.60±2.95 | 56.27±1.98 | 1.67 |
| Poison | RobustGCN | PR-BCD (NA) | 34.40±4.08 | 57.20±3.19 | 61.73±3.37 | 64.13±2.97 | 65.33±2.99 | 28.67±5.49 | 49.60±6.56 | 56.00±4.47 | 57.47±4.37 | 60.00±4.07 | 31.33±2.58 | 38.93±4.89 | 49.47±3.50 | 54.27±2.12 | 56.93±2.12 | 1.33 |

Table 28: Defended PRBCD on Heterophily Datasets. Evaluating non adaptive PR-BCD (PR-BCD (NA)), and adaptive version of PR-BCD adversarial attacks on two defense victim models (ElasticGNN, RobustGCN) - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined.

| Setting | Model | Attack | SQUIRREL Δ=1 | SQUIRREL Δ=2 | SQUIRREL Δ=3 | SQUIRREL Δ=4 | SQUIRREL Δ=5 | CHAMELEON Δ=1 | CHAMELEON Δ=2 | CHAMELEON Δ=3 | CHAMELEON Δ=4 | CHAMELEON Δ=5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | ElasticGNN | PR-BCD | 12.93±4.59 | 16.13±5.26 | 17.33±4.51 | 19.47±4.56 | 19.07±6.76 | 11.73±9.13 | 13.33±5.11 | 16.93±7.52 | 19.47±10.18 | 19.60±10.18 | 1.40 |
| Evasion | ElasticGNN | PR-BCD (NA) | 12.13±3.81 | 15.73±5.70 | 18.13±5.83 | 19.33±6.13 | 20.13±6.21 | 12.27±7.59 | 14.40±8.85 | 16.67±8.80 | 17.20±7.55 | 18.40±8.32 | 1.60 |
| Evasion | RobustGCN | PR-BCD | 37.73±7.00 | 46.40±6.10 | 46.27±8.17 | 44.13±6.25 | 47.73±8.34 | 31.33±8.47 | 33.07±8.48 | 36.67±8.77 | 38.53±11.07 | 37.47±7.76 | 1.60 |
| Evasion | RobustGCN | PR-BCD (NA) | 35.47±7.50 | 41.47±7.95 | 45.20±6.36 | 44.80±5.54 | 49.07±7.28 | 28.93±7.09 | 33.33±9.70 | 40.13±10.60 | 39.33±10.27 | 38.67±10.89 | 1.40 |
| Poison | ElasticGNN | PR-BCD | 28.00±6.37 | 28.00±8.04 | 29.20±6.92 | 32.53±8.57 | 29.07±8.48 | 26.40±9.86 | 28.80±5.99 | 34.13±11.48 | 36.27±13.54 | 36.53±12.86 | 1.40 |
| Poison | ElasticGNN | PR-BCD (NA) | 24.00±8.42 | 24.27±7.92 | 27.47±9.46 | 29.87±8.77 | 32.40±9.69 | 24.40±7.57 | 30.67±9.55 | 32.00±11.34 | 37.33±12.11 | 37.60±9.45 | 1.60 |
| Poison | RobustGCN | PR-BCD | 44.27±10.36 | 51.20±8.48 | 48.27±8.51 | 48.27±9.28 | 52.00±10.39 | 36.53±8.63 | 38.93±7.96 | 42.80±7.00 | 44.27±12.16 | 42.93±9.44 | 1.70 |
| Poison | RobustGCN | PR-BCD (NA) | 41.07±7.89 | 48.00±11.56 | 52.27±7.17 | 51.33±8.13 | 49.73±9.28 | 37.73±8.10 | 41.33±11.82 | 44.53±10.21 | 48.40±9.51 | 44.40±10.53 | 1.30 |

Table 29: Effect of including node degree as criteria to select the target node on adversarial evaluation results. When the result of evaluating adversarial attacks on target nodes selected with node degree as a criterion is lower than the result on target nodes selected without node degree as a criterion, it is shown in red; otherwise, it is shown in blue.

| Setting | Model | Attack | CORA Δ=1 | CORA Δ=2 | CORA Δ=3 | CORA Δ=4 | CORA Δ=5 | CITESEER Δ=1 | CITESEER Δ=2 | CITESEER Δ=3 | CITESEER Δ=4 | CITESEER Δ=5 | PUBMED Δ=1 | PUBMED Δ=2 | PUBMED Δ=3 | PUBMED Δ=4 | PUBMED Δ=5 | Avg. Rank Difference |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | GCN | L1D-RND | -3.30 | -3.63 | -1.63 | 0.10 | -5.87 | -5.13 | -1.50 | 5.37 | -2.60 | 0.13 | -5.07 | -9.20 | -11.13 | -10.03 | -10.23 | 0.00 |
| Evasion | GCN | FGA | -11.88 | -7.37 | -7.27 | -6.07 | -5.83 | -16.78 | -19.25 | -10.23 | -6.47 | -9.98 | -21.57 | -19.57 | -13.83 | -13.43 | -13.83 | 1.00 |
| Evasion | GCN | NETTACK | -7.15 | 0.60 | -2.45 | -2.62 | -3.02 | -12.12 | -5.67 | -10.13 | -6.32 | -8.52 | -23.93 | -10.43 | -10.70 | -10.50 | -13.83 | -1.20 |
| Evasion | GCN | PGD | -11.67 | -5.50 | -5.07 | -4.65 | -6.80 | -18.53 | -13.23 | -11.87 | -10.98 | -10.53 | -22.70 | -22.50 | -26.90 | -24.20 | -25.90 | 1.00 |
| Evasion | GCN | PR-BCD (NA) | -10.87 | -5.97 | -6.80 | -7.30 | -7.27 | -12.47 | -2.33 | -2.10 | -3.08 | -3.88 | -22.90 | -26.30 | -20.10 | -16.20 | -13.53 | -0.20 |
| Evasion | GCN | SGA | -9.98 | -2.83 | -0.42 | -1.87 | -4.08 | -10.28 | -10.38 | -5.28 | -8.18 | -8.52 | -22.90 | -20.87 | -17.50 | -14.73 | -16.03 | -0.27 |
| Evasion | GCN | GOttack | -10.97 | -7.50 | -8.70 | -6.80 | -7.70 | -11.90 | -12.00 | -6.90 | -5.83 | -10.87 | -22.47 | -16.33 | -12.70 | -11.03 | -12.07 | -0.33 |
| Evasion | GIN | L1D-RND | -2.03 | -1.93 | -3.67 | -4.47 | -5.10 | 0.63 | 1.30 | -3.77 | -5.13 | -6.67 | -3.67 | -8.77 | -2.50 | -8.93 | -9.57 | -0.33 |
| Evasion | GIN | FGA | -12.03 | -10.18 | -6.85 | -3.33 | -4.53 | -4.18 | -4.98 | -1.12 | -8.22 | -2.67 | -16.47 | -11.13 | -15.00 | -6.17 | -12.53 | 0.07 |
| Evasion | GIN | NETTACK | -5.97 | -2.80 | -3.63 | -6.80 | -4.80 | -1.43 | -2.37 | -5.65 | -7.98 | -11.72 | -11.40 | -13.37 | -11.27 | -11.73 | -9.97 | -0.40 |
| Evasion | GIN | PGD | -6.68 | -5.98 | -6.90 | -9.40 | -9.15 | -2.22 | -2.87 | -6.82 | -6.88 | -5.65 | -13.37 | -15.67 | -18.70 | -15.67 | -18.30 | 0.00 |
| Evasion | GIN | PR-BCD (NA) | -8.28 | -5.72 | -6.73 | -11.45 | -10.37 | -6.05 | -1.43 | -7.07 | -7.68 | -10.65 | -10.27 | -18.67 | -20.97 | -17.83 | -17.70 | 0.00 |
| Evasion | GIN | SGA | -8.85 | -5.83 | -12.57 | -9.85 | -10.80 | -0.32 | 1.53 | -7.60 | -3.85 | -0.65 | -9.47 | -16.33 | -13.70 | -14.50 | -11.57 | 0.13 |
| Evasion | GIN | GOttack | -8.00 | -4.43 | -6.70 | -10.67 | -10.93 | -5.70 | -5.53 | -7.37 | -11.63 | -11.17 | -16.97 | -9.43 | -14.47 | -14.17 | -16.70 | 0.53 |
| Evasion | GSAGE | L1D-RND | -3.63 | -1.00 | -2.07 | -1.73 | -4.30 | -3.77 | -5.23 | -4.93 | -4.83 | -6.30 | -4.00 | -8.83 | -8.93 | -8.73 | -10.00 | -0.67 |
| Evasion | GSAGE | FGA | -8.07 | -13.68 | -9.05 | -4.03 | -6.17 | -6.88 | -6.40 | -10.73 | -10.03 | -6.38 | -13.43 | -17.63 | -17.70 | -16.03 | -14.27 | -0.60 |
| Evasion | GSAGE | NETTACK | -10.75 | -6.38 | -4.40 | -6.57 | -9.02 | -9.48 | -3.18 | -3.57 | -7.98 | -6.22 | -13.10 | -20.43 | -12.13 | -14.07 | -16.47 | 0.20 |
| Evasion | GSAGE | PGD | -11.50 | -8.78 | -12.48 | -12.80 | -14.87 | -7.22 | -8.93 | -14.08 | -8.60 | -10.92 | -12.03 | -18.17 | -19.87 | -22.53 | -20.67 | 0.67 |
| Evasion | GSAGE | PR-BCD (NA) | -8.18 | -9.53 | -9.18 | -15.02 | -13.18 | -8.37 | -6.55 | -5.90 | -12.52 | -13.65 | -10.27 | -17.43 | -14.47 | -17.03 | -18.87 | 0.27 |
| Evasion | GSAGE | SGA | -10.28 | -9.78 | -5.80 | -13.08 | -15.28 | -9.65 | -5.17 | -7.37 | -12.75 | -13.05 | -12.27 | -20.27 | -18.80 | -21.87 | -19.13 | 0.47 |
| Evasion | GSAGE | GOttack | -8.80 | -11.00 | -11.93 | -11.07 | -8.77 | -10.00 | -10.83 | -2.17 | -12.80 | -10.23 | -10.53 | -16.13 | -15.80 | -18.53 | -22.40 | -0.33 |
| Evasion | PNA | L1D-RND | 2.53 | 0.10 | -4.30 | -9.47 | -5.27 | -0.33 | -8.37 | -9.23 | -10.37 | -7.87 | 0.67 | -5.73 | -7.30 | -11.07 | -10.07 | -1.33 |
| Evasion | PNA | FGA | -6.62 | -5.10 | -8.05 | -4.67 | -0.95 | -11.07 | -17.93 | -6.55 | -10.60 | -8.37 | -16.23 | -15.30 | -18.20 | -16.00 | -16.70 | 0.67 |
| Evasion | PNA | NETTACK | -4.97 | 3.37 | -1.15 | -2.00 | -3.70 | -11.45 | -9.90 | -7.45 | -7.85 | -12.15 | -11.47 | -12.50 | -15.70 | -11.87 | -10.20 | -0.33 |
| Evasion | PNA | PGD | -9.20 | -3.48 | -12.78 | -7.03 | -4.35 | -8.22 | -13.55 | -9.78 | -11.80 | -12.22 | -9.63 | -19.40 | -19.80 | -19.23 | -22.90 | 0.13 |
| Evasion | PNA | PR-BCD (NA) | -12.70 | -6.68 | -10.55 | -11.62 | -8.37 | -7.32 | -7.22 | -3.23 | -11.65 | -6.43 | -9.90 | -14.10 | -19.73 | -16.80 | -17.30 | 0.40 |
| Evasion | PNA | SGA | -6.02 | -6.23 | -7.08 | -15.85 | -7.72 | -3.73 | -13.23 | -6.32 | -8.00 | -8.12 | -13.23 | -16.77 | -21.37 | -17.37 | -17.90 | 0.13 |
| Evasion | PNA | GOttack | -7.07 | -6.53 | -7.33 | -7.53 | -8.13 | -17.47 | -2.50 | -9.60 | -6.57 | -15.43 | -11.23 | -13.13 | -19.57 | -16.13 | -20.60 | 0.33 |
| Poison | GCN | L1D-RND | -2.20 | -3.17 | -0.57 | 0.13 | -3.33 | -4.90 | -0.63 | 6.07 | 0.97 | -1.40 | -6.43 | -9.20 | -11.17 | -10.17 | -10.80 | 0.00 |
| Poison | GCN | FGA | -10.00 | -7.00 | -8.23 | -7.22 | -8.43 | -15.88 | -10.63 | -9.58 | -8.37 | -7.02 | -21.17 | -19.70 | -13.83 | -13.13 | -13.83 | 0.67 |
| Poison | GCN | NETTACK | -6.78 | 0.37 | -1.08 | -4.87 | -4.18 | -10.60 | -4.52 | -7.38 | -5.98 | -8.17 | -22.03 | -11.53 | -10.70 | -10.77 | -14.10 | -1.67 |
| Poison | GCN | PGD | -10.52 | -6.70 | -3.90 | -5.17 | -7.22 | -17.20 | -11.63 | -12.27 | -10.48 | -11.27 | -22.90 | -22.33 | -26.57 | -24.10 | -25.53 | 1.47 |
| Poison | GCN | PR-BCD (NA) | -10.20 | -5.13 | -7.23 | -9.33 | -8.10 | -11.98 | -7.10 | -8.88 | -10.35 | -9.77 | -22.57 | -25.97 | -20.03 | -17.20 | -13.10 | 0.00 |
| Poison | GCN | SGA | -8.67 | -2.87 | -3.63 | -4.25 | -4.77 | -14.55 | -6.37 | -5.80 | -7.22 | -4.98 | -23.20 | -21.07 | -17.90 | -14.83 | -16.43 | -0.20 |
| Poison | GCN | GOttack | -7.83 | -5.37 | -6.93 | -7.10 | -7.47 | -5.57 | -8.60 | -4.63 | -11.17 | -10.00 | -22.73 | -16.57 | -12.77 | -11.20 | -11.97 | -0.27 |
| Poison | GIN | L1D-RND | 0.23 | -2.50 | -4.93 | -5.10 | -7.67 | 2.23 | -0.87 | -2.93 | -6.20 | -7.13 | -3.83 | -6.60 | -3.10 | -10.17 | -12.23 | 0.00 |
| Poison | GIN | FGA | -7.38 | -9.48 | -9.10 | -7.12 | -5.73 | -9.08 | -9.45 | -8.20 | -6.13 | -5.50 | -15.23 | -11.33 | -16.53 | -6.57 | -11.43 | 0.40 |
| Poison | GIN | NETTACK | -6.87 | -1.93 | -7.57 | -8.90 | -11.13 | -0.82 | -2.12 | -2.57 | -3.57 | -9.40 | -11.67 | -12.63 | -10.87 | -11.00 | -9.97 | 0.00 |
| Poison | GIN | PGD | -9.93 | -1.90 | -9.57 | -7.65 | -12.20 | -3.83 | -2.73 | -7.42 | -12.28 | -11.98 | -13.60 | -15.50 | -17.70 | -14.93 | -20.70 | 0.07 |
| Poison | GIN | PR-BCD (NA) | -3.88 | -2.58 | -3.18 | -7.68 | -7.70 | -9.23 | 1.28 | -3.50 | -8.13 | -7.63 | -11.10 | -19.43 | -20.53 | -18.70 | -17.43 | -0.60 |
| Poison | GIN | SGA | -7.92 | -8.17 | -14.75 | -14.85 | -12.17 | -4.85 | -7.07 | -9.42 | -6.75 | -6.98 | -10.60 | -11.90 | -14.17 | -13.60 | -12.30 | 0.20 |
| Poison | GIN | GOttack | -4.73 | -1.60 | -9.37 | -8.80 | -6.67 | -2.27 | -7.47 | -4.23 | -6.57 | -8.87 | -14.97 | -9.50 | -13.97 | -13.13 | -17.47 | -0.07 |
| Poison | GSAGE | L1D-RND | -1.53 | -1.93 | -1.60 | -1.67 | -2.43 | -4.33 | -3.70 | -2.07 | -4.87 | -7.00 | -3.53 | -9.10 | -7.17 | -9.73 | -10.53 | -0.07 |
| Poison | GSAGE | FGA | -10.83 | -8.87 | -12.33 | -6.93 | -12.13 | -6.15 | -5.45 | -6.50 | -10.80 | -7.30 | -11.50 | -19.13 | -16.60 | -16.13 | -15.60 | 0.13 |
| Poison | GSAGE | NETTACK | -10.68 | -7.23 | -12.15 | -7.92 | -6.82 | -7.57 | -0.70 | -7.73 | -9.22 | -9.05 | -11.77 | -18.47 | -11.23 | -15.30 | -16.40 | 0.13 |
| Poison | GSAGE | PGD | -8.70 | -7.32 | -12.08 | -12.70 | -16.90 | -9.18 | -8.32 | -10.93 | -9.58 | -11.02 | -11.33 | -18.20 | -19.23 | -21.63 | -19.97 | 0.33 |
| Poison | GSAGE | PR-BCD (NA) | -6.70 | -7.22 | -9.87 | -14.50 | -13.53 | -8.78 | -6.63 | -4.17 | -11.02 | -10.58 | -9.63 | -16.93 | -14.70 | -17.00 | -18.77 | -0.13 |
| Poison | GSAGE | SGA | -9.33 | -8.07 | -7.68 | -15.18 | -16.47 | -9.25 | -10.65 | -5.87 | -14.03 | -10.52 | -8.80 | -20.47 | -19.37 | -22.07 | -20.20 | 0.07 |
| Poison | GSAGE | GOttack | -7.53 | -7.97 | -8.80 | -12.53 | -12.10 | -9.27 | -9.37 | -4.97 | -11.80 | -9.53 | -9.37 | -15.47 | -18.17 | -17.97 | -22.97 | -0.47 |
| Poison | PNA | L1D-RND | 3.63 | -1.17 | -9.53 | -5.93 | -4.47 | 1.60 | -5.10 | -7.70 | -11.47 | -7.73 | 0.50 | -3.23 | -5.33 | -9.27 | -9.03 | -1.07 |
| Poison | PNA | FGA | -2.08 | -5.32 | -3.70 | -4.33 | -3.30 | -5.22 | -12.00 | -6.72 | -5.23 | -5.55 | -13.67 | -16.63 | -20.10 | -18.53 | -19.87 | -0.20 |
| Poison | PNA | NETTACK | -3.65 | 1.60 | -1.83 | -0.42 | -5.32 | -12.57 | -6.85 | -12.02 | -5.02 | -7.13 | -13.63 | -11.53 | -15.97 | -13.00 | -10.83 | -0.40 |
| Poison | PNA | PGD | -8.03 | -13.15 | -8.18 | -5.38 | -7.78 | -4.13 | -16.52 | -6.75 | -9.10 | -9.52 | -10.10 | -18.43 | -18.83 | -19.13 | -24.57 | 0.60 |
| Poison | PNA | PR-BCD (NA) | -10.62 | -2.45 | -11.50 | -7.78 | -11.67 | -8.85 | -3.28 | -4.52 | -8.37 | -8.55 | -10.93 | -14.53 | -19.73 | -18.70 | -17.47 | 0.33 |
| Poison | PNA | SGA | -3.53 | -5.73 | -5.72 | -14.22 | -7.00 | -6.80 | -11.18 | -4.45 | -10.42 | -13.68 | -12.47 | -14.90 | -22.40 | -16.13 | -19.93 | 0.87 |
| Poison | PNA | GOttack | -6.83 | -1.73 | -7.13 | -4.67 | -5.63 | -12.87 | -5.93 | -9.27 | -5.00 | -8.37 | -10.20 | -13.97 | -20.10 | -14.23 | -19.43 | -0.13 |

Table 30: Effect of model selection on adversarial evaluation results. When the result of evaluating adversarial attacks on victim models with a configuration obtained from model selection is higher than the result on victim models with a fixed configuration, it is shown in blue; otherwise, it is shown in red.

| Setting | Model | Attack | CORA Δ=1 | CORA Δ=2 | CORA Δ=3 | CORA Δ=4 | CORA Δ=5 | CITESEER Δ=1 | CITESEER Δ=2 | CITESEER Δ=3 | CITESEER Δ=4 | CITESEER Δ=5 | PUBMED Δ=1 | PUBMED Δ=2 | PUBMED Δ=3 | PUBMED Δ=4 | PUBMED Δ=5 | Avg. Rank Difference |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | GCN | L1D-RND | -2.67 | 2.80 | 0.00 | -0.27 | -2.40 | 4.00 | 6.93 | 2.27 | 1.87 | -1.07 | 0.00 | 0.13 | -4.27 | -9.20 | -5.73 | 0.00 |
| Evasion | GCN | FGA | 0.67 | 0.80 | -0.93 | 0.27 | 2.13 | -1.33 | -7.20 | -3.47 | -1.07 | -0.67 | -1.07 | -0.27 | -0.53 | 0.40 | -0.67 | 0.00 |
| Evasion | GCN | NETTACK | 0.27 | -3.07 | -2.27 | -0.27 | 0.53 | -1.87 | -8.80 | -8.13 | -0.53 | -1.20 | -2.80 | 2.93 | -0.40 | 0.27 | -0.13 | 0.33 |
| Evasion | GCN | PGD | 1.60 | 11.47 | 13.60 | 15.33 | 13.87 | -2.00 | -0.27 | -0.80 | 0.80 | 2.13 | -2.00 | -2.13 | -4.80 | -3.73 | -4.40 | -0.13 |
| Evasion | GCN | PR-BCD (NA) | 0.40 | -3.33 | -3.33 | -2.00 | -1.07 | 3.07 | 0.00 | 2.27 | 4.27 | 4.00 | -1.60 | -0.53 | 1.87 | 0.67 | -0.67 | 0.00 |
| Evasion | GCN | SGA | 1.87 | 9.20 | 8.13 | 2.13 | 3.33 | 2.40 | 4.80 | 8.67 | 6.40 | 8.00 | -1.20 | 2.13 | 5.33 | 2.67 | 2.13 | -0.20 |
| Evasion | GCN | GOttack | -0.93 | -3.20 | -2.53 | -1.07 | -0.67 | -3.47 | -10.80 | -4.53 | -0.67 | -2.93 | -0.80 | 0.80 | 0.53 | 0.67 | 1.33 | 0.00 |
| Evasion | GIN | L1D-RND | -8.53 | -7.87 | -9.87 | -13.33 | -16.27 | -8.67 | -9.60 | -9.33 | -9.73 | -9.87 | -4.40 | -10.00 | -6.13 | -10.93 | -10.67 | 2.40 |
| Evasion | GIN | FGA | -0.53 | -1.47 | 0.67 | 1.07 | 1.60 | -6.93 | 3.07 | 1.20 | -4.27 | -0.67 | -0.53 | 8.40 | 3.60 | 3.73 | -1.60 | -0.27 |
| Evasion | GIN | NETTACK | -3.07 | -3.07 | -2.40 | -1.47 | 1.60 | -7.07 | -7.20 | -5.60 | 0.13 | 0.00 | 0.40 | 5.73 | -4.67 | -6.27 | -5.20 | 0.20 |
| Evasion | GIN | PGD | 0.00 | 3.47 | 5.87 | 4.13 | 4.67 | -5.20 | 0.80 | -2.27 | -2.53 | 0.53 | -2.40 | 2.93 | 1.07 | 4.53 | 4.40 | -0.47 |
| Evasion | GIN | PR-BCD (NA) | 2.13 | 3.60 | 5.20 | 4.93 | 2.67 | -8.00 | 0.27 | -2.93 | -0.93 | -1.47 | -1.87 | -2.00 | -4.80 | -2.00 | -0.53 | -0.67 |
| Evasion | GIN | SGA | 3.47 | 8.00 | 6.93 | 6.53 | 7.07 | -0.27 | 8.00 | 5.07 | 9.33 | 8.40 | 4.80 | 4.53 | 7.33 | 7.07 | 7.07 | -1.20 |
| Evasion | GIN | GOttack | -4.67 | -0.67 | -1.07 | -1.20 | -2.27 | -6.93 | 0.67 | 1.47 | 0.00 | -1.47 | -0.53 | 8.80 | 6.67 | 9.73 | 8.67 | 0.00 |
| Evasion | GSAGE | L1D-RND | -11.07 | -5.60 | -9.47 | -12.93 | -14.53 | -9.33 | -3.60 | -3.73 | -4.67 | -3.87 | -6.00 | -9.47 | -11.60 | -9.87 | -16.93 | 2.67 |
| Evasion | GSAGE | FGA | 0.80 | 1.33 | 1.87 | 3.07 | 4.53 | 2.13 | 8.93 | 7.20 | 9.87 | 8.13 | -7.33 | -3.73 | -5.60 | -12.40 | -15.33 | -0.67 |
| Evasion | GSAGE | NETTACK | -2.00 | -0.80 | 2.80 | 4.40 | 3.87 | -2.93 | 4.40 | 1.60 | 5.47 | -1.47 | -6.13 | -5.73 | -14.00 | -15.73 | -18.13 | 0.20 |
| Evasion | GSAGE | PGD | 1.33 | 2.13 | 5.87 | 5.07 | 5.60 | 0.00 | 7.87 | 3.60 | 7.47 | 8.53 | -7.60 | -5.60 | -8.13 | -7.73 | -6.13 | 0.00 |
| Evasion | GSAGE | PR-BCD (NA) | 2.80 | 2.53 | 2.00 | 1.20 | 1.20 | -2.40 | 6.67 | 6.53 | 3.73 | 5.07 | -4.67 | -6.27 | -8.67 | -8.27 | -8.27 | -0.67 |
| Evasion | GSAGE | SGA | 0.93 | 9.87 | 11.87 | 10.27 | 9.20 | 3.07 | 11.20 | 6.93 | 11.33 | 7.87 | -4.80 | -3.73 | -5.60 | -6.80 | -6.13 | -1.33 |
| Evasion | GSAGE | GOttack | -1.47 | 0.80 | -1.87 | 2.00 | 0.40 | -1.87 | 6.80 | 12.67 | 10.67 | 13.20 | -5.20 | -5.87 | -7.07 | -5.07 | -7.20 | -0.20 |
| Evasion | PNA | L1D-RND | -9.47 | -7.07 | -6.67 | -15.60 | -9.33 | -2.13 | -1.47 | -1.60 | 1.87 | 2.80 | 9.60 | -6.27 | -3.07 | -3.33 | -1.47 | 0.20 |
| Evasion | PNA | FGA | 1.20 | 7.20 | 3.87 | 6.13 | 4.00 | 2.93 | 4.67 | 5.33 | 0.40 | -0.93 | -4.53 | -0.53 | -3.33 | -6.00 | -6.67 | 0.33 |
| Evasion | PNA | NETTACK | 1.87 | -3.87 | -5.33 | -4.67 | -2.93 | 3.60 | -4.80 | 1.47 | 0.53 | 0.53 | -1.60 | -5.07 | -9.33 | -7.33 | -6.00 | 0.07 |
| Evasion | PNA | PGD | 3.87 | 10.53 | 6.40 | 12.67 | 14.27 | 3.60 | 0.13 | 5.33 | 5.73 | 3.87 | -1.47 | -4.53 | -2.93 | -3.07 | -4.00 | 0.07 |
| Evasion | PNA | PR-BCD (NA) | 0.53 | 6.93 | 6.40 | 4.27 | 8.13 | 3.47 | 1.33 | 1.20 | 0.40 | 3.07 | -8.00 | -4.53 | -5.20 | -4.53 | -2.13 | -0.27 |
| Evasion | PNA | SGA | 2.40 | 7.73 | 7.33 | 2.27 | 3.47 | 11.07 | 9.33 | 11.87 | 13.73 | 11.20 | -1.60 | -1.73 | -2.93 | -0.40 | -1.07 | -0.80 |
| Evasion | PNA | GOttack | 4.13 | 2.13 | 3.73 | 5.07 | -1.20 | -1.20 | 7.33 | 5.73 | 3.47 | 3.73 | -4.40 | 0.80 | -1.73 | -0.67 | 0.93 | 0.40 |
| Poison | GCN | L1D-RND | -0.93 | 2.53 | 0.40 | -0.27 | 0.13 | 4.53 | 4.13 | 3.20 | 3.87 | -0.53 | -1.47 | 0.13 | -4.13 | -8.80 | -6.00 | 0.00 |
| Poison | GCN | FGA | -1.20 | 2.27 | -0.93 | -0.80 | 0.93 | -4.27 | -3.20 | -0.80 | 0.00 | 1.87 | -1.33 | -0.27 | -0.67 | 0.67 | -0.67 | 0.00 |
| Poison | GCN | NETTACK | 1.47 | -3.33 | -0.93 | -0.40 | -0.40 | 0.80 | -3.47 | -3.47 | 1.73 | 0.67 | -2.27 | 2.00 | -0.40 | 0.00 | -0.40 | 0.07 |
| Poison | GCN | PGD | 3.20 | 11.33 | 14.00 | 14.40 | 13.20 | -1.20 | -0.53 | 0.27 | 3.47 | 4.00 | -2.53 | -2.13 | -5.07 | -3.87 | -4.00 | 0.07 |
| Poison | GCN | PR-BCD (NA) | -2.27 | -3.47 | -4.80 | -4.13 | -2.13 | -3.87 | -4.40 | -2.40 | 0.13 | -0.27 | -1.60 | -0.40 | 1.07 | -0.80 | -0.93 | 0.53 |
| Poison | GCN | SGA | -0.27 | 3.60 | 3.20 | 1.87 | 4.00 | -3.47 | 5.07 | 6.80 | 2.53 | 5.33 | -0.93 | 1.60 | 4.40 | 2.27 | 1.87 | -0.20 |
| Poison | GCN | GOttack | 1.87 | -2.00 | -0.93 | -0.80 | 0.13 | -2.13 | -5.87 | -0.67 | -0.53 | 1.07 | -1.07 | 0.27 | 0.13 | 0.67 | 0.93 | -0.47 |
| Poison | GIN | L1D-RND | -8.27 | -9.07 | -12.40 | -13.20 | -14.67 | -6.13 | -6.40 | -8.67 | -8.93 | -12.13 | -3.47 | -3.60 | -3.07 | -12.00 | -11.87 | 2.67 |
| Poison | GIN | FGA | 4.13 | 10.27 | 11.73 | 10.67 | 13.87 | 3.20 | 8.40 | 8.67 | 6.53 | 7.33 | 1.07 | 8.67 | 3.47 | 4.27 | -1.47 | -0.80 |
| Poison | GIN | NETTACK | 0.93 | 3.20 | 5.87 | 7.60 | 5.73 | 3.07 | 0.27 | 4.67 | 7.60 | 6.53 | -1.33 | 4.93 | -6.00 | -5.07 | -4.80 | 0.47 |
| Poison | GIN | PGD | 1.33 | 7.73 | 10.93 | 11.33 | 9.87 | 1.07 | 8.67 | 5.47 | 4.80 | 8.40 | -1.20 | 3.73 | 1.33 | 6.13 | 4.53 | -0.27 |
| Poison | GIN | PR-BCD (NA) | 5.20 | 9.33 | 8.27 | 10.40 | 10.67 | -3.60 | 8.00 | 8.13 | 6.40 | 10.53 | -2.67 | -1.20 | -3.47 | -0.93 | -0.13 | 0.13 |
| Poison | GIN | SGA | 9.20 | 15.07 | 14.27 | 18.40 | 20.80 | 6.67 | 14.53 | 15.60 | 19.07 | 19.07 | 3.73 | 7.07 | 7.73 | 6.93 | 6.27 | -1.80 |
| Poison | GIN | GOttack | 2.80 | 4.13 | 5.73 | 5.60 | 8.67 | 3.73 | 6.93 | 14.27 | 11.47 | 10.53 | 1.87 | 10.27 | 7.73 | 8.80 | 8.13 | -0.40 |
| Poison | GSAGE | L1D-RND | -10.67 | -8.40 | -9.87 | -12.53 | -13.87 | -8.13 | -3.07 | -3.20 | -3.33 | -3.47 | -6.13 | -10.80 | -11.07 | -14.80 | -17.87 | 3.20 |
| Poison | GSAGE | FGA | 0.67 | 3.87 | 6.67 | 9.07 | 9.20 | 0.80 | 14.00 | 13.73 | 13.73 | 13.47 | -7.60 | -5.60 | -6.13 | -12.40 | -15.33 | -0.73 |
| Poison | GSAGE | NETTACK | 0.40 | 2.53 | 4.40 | 6.40 | 9.33 | -2.27 | 7.73 | 3.47 | 7.20 | 0.67 | -7.07 | -5.73 | -14.53 | -16.40 | -18.53 | 0.13 |
| Poison | GSAGE | PGD | 4.40 | 6.53 | 7.47 | 10.27 | 11.47 | -3.20 | 9.60 | 11.07 | 10.93 | 14.00 | -7.60 | -5.87 | -8.40 | -7.87 | -6.27 | -0.53 |
| Poison | GSAGE | PR-BCD (NA) | 3.20 | 3.20 | 4.13 | 3.60 | 6.13 | -4.27 | 6.80 | 8.53 | 6.40 | 9.33 | -6.13 | -7.20 | -10.27 | -8.67 | -9.07 | 0.00 |
| Poison | GSAGE | SGA | -1.47 | 13.20 | 14.27 | 16.00 | 16.00 | 1.07 | 10.93 | 10.27 | 12.53 | 11.60 | -4.27 | -5.07 | -6.40 | -6.40 | -7.60 | -1.53 |
| Poison | GSAGE | GOttack | 0.27 | 4.40 | 5.87 | 3.47 | 6.13 | -2.00 | 9.07 | 13.60 | 12.27 | 16.13 | -5.87 | -6.67 | -9.07 | -6.53 | -7.73 | -0.53 |
| Poison | PNA | L1D-RND | -5.87 | -5.07 | -7.60 | -10.53 | -5.60 | -1.60 | 0.27 | 2.27 | 2.53 | 4.67 | 10.00 | -5.60 | -1.47 | -3.60 | -1.73 | 1.33 |
| Poison | PNA | FGA | 7.73 | 7.33 | 8.27 | 2.00 | 2.00 | 9.07 | 8.93 | 10.93 | 5.60 | 1.60 | -3.87 | -1.07 | -1.87 | -6.93 | -7.60 | -0.67 |
| Poison | PNA | NETTACK | 2.27 | -2.13 | -4.93 | -2.40 | -1.33 | 8.40 | 2.80 | 4.40 | 5.33 | 4.80 | -1.47 | -4.80 | -11.20 | -10.67 | -6.13 | 0.13 |
| Poison | PNA | PGD | 5.60 | 7.73 | 11.33 | 13.60 | 12.53 | 10.40 | 5.33 | 8.40 | 10.00 | 8.67 | -0.67 | -3.47 | -1.87 | -0.80 | -3.07 | -0.33 |
| Poison | PNA | PR-BCD (NA) | 6.13 | 6.93 | 6.13 | 8.27 | 4.53 | 4.00 | 6.80 | 2.93 | 2.27 | 3.20 | -8.80 | -4.13 | -5.60 | -4.27 | -2.00 | 0.13 |
| Poison | PNA | SGA | 7.73 | 7.20 | 4.27 | 1.60 | 10.27 | 7.20 | 8.40 | 12.67 | 9.73 | 14.40 | -0.93 | 1.47 | -2.67 | 0.27 | -2.13 | -0.53 |
| Poison | PNA | GOttack | 5.73 | 3.07 | 4.80 | 3.47 | -0.27 | 6.13 | 9.60 | 8.00 | 8.67 | 7.07 | -3.47 | -1.20 | -1.33 | 1.47 | 0.80 | -0.07 |

Table 31: Performance of RND attack and our proposed random-based baseline, L1D-RND, on defense and non-defense victim models used in evaluating adversarial attacks on three datasets.

| Setting | Model | Attack | CORA Δ=1 | CORA Δ=2 | CORA Δ=3 | CORA Δ=4 | CORA Δ=5 | CITESEER Δ=1 | CITESEER Δ=2 | CITESEER Δ=3 | CITESEER Δ=4 | CITESEER Δ=5 | PUBMED Δ=1 | PUBMED Δ=2 | PUBMED Δ=3 | PUBMED Δ=4 | PUBMED Δ=5 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | GCN | L1D-RND | 13.20±4.33 | 22.53±6.95 | 29.20±5.60 | 32.93±6.67 | 32.13±5.04 | 15.20±4.20 | 28.67±12.39 | 36.53±9.09 | 37.73±9.44 | 42.13±7.11 | 10.93±3.01 | 15.47±4.87 | 17.20±6.58 | 18.80±5.28 | 23.60±9.63 |
| Evasion | GCN | Random | 13.20±4.89 | 20.13±5.04 | 24.27±4.95 | 29.47±5.78 | 30.40±6.90 | 14.00±4.34 | 28.27±8.24 | 35.33±7.84 | 37.47±7.03 | 36.00±8.25 | 10.27±3.69 | 14.40±5.77 | 16.27±3.61 | 17.73±5.55 | 15.07±4.77 |
| Evasion | GIN | L1D-RND | 20.13±7.35 | 37.07±15.27 | 42.67±8.80 | 43.20±10.05 | 43.73±12.02 | 16.80±10.87 | 33.47±15.76 | 35.73±14.94 | 38.53±13.17 | 43.33±12.57 | 13.33±5.64 | 23.07±12.89 | 26.67±12.75 | 22.40±10.26 | 22.27±11.54 |
| Evasion | GIN | Random | 17.87±5.97 | 36.27±7.40 | 35.33±5.33 | 34.53±7.46 | 37.73±7.55 | 16.40±7.94 | 32.80±11.16 | 34.93±12.40 | 37.07±11.97 | 37.47±12.70 | 11.47±7.03 | 19.87±12.52 | 18.13±9.09 | 17.07±9.47 | 19.33±9.37 |
| Evasion | GSAGE | L1D-RND | 15.87±6.25 | 34.00±10.95 | 38.93±7.48 | 40.93±5.70 | 41.87±7.19 | 19.07±7.28 | 38.27±11.56 | 40.40±10.32 | 42.67±13.62 | 45.20±10.98 | 10.00±3.70 | 18.00±5.07 | 16.40±8.04 | 14.27±5.65 | 13.33±7.39 |
| Evasion | GSAGE | Random | 16.00±6.50 | 34.40±4.48 | 33.60±9.14 | 34.93±6.23 | 37.60±6.60 | 18.80±7.55 | 36.53±7.03 | 37.47±9.66 | 40.13±9.61 | 35.07±11.16 | 8.53±3.34 | 14.13±4.10 | 15.73±4.13 | 13.60±5.57 | 13.07±4.27 |
| Evasion | PNA | L1D-RND | 33.20±8.81 | 41.60±12.86 | 47.20±9.44 | 45.20±12.14 | 53.07±15.36 | 39.33±11.82 | 46.13±9.84 | 46.27±10.05 | 52.13±10.78 | 55.47±11.12 | 39.33±26.16 | 18.27±8.41 | 19.20±8.34 | 20.27±8.34 | 24.27±12.80 |
| Evasion | PNA | Random | 29.47±11.72 | 35.33±9.90 | 31.87±11.17 | 37.20±12.87 | 39.07±10.47 | 32.27±15.56 | 38.00±8.32 | 43.20±6.62 | 44.27±9.16 | 46.40±9.80 | 33.73±25.69 | 13.47±7.27 | 14.27±7.17 | 12.93±6.96 | 12.93±6.67 |
| Evasion | GCN-GARNET | L1D-RND | 16.53±11.75 | 37.60±13.86 | 43.73±13.67 | 46.40±16.29 | 51.07±19.20 | 21.33±13.95 | 46.40±15.35 | 49.73±12.02 | 56.67±14.46 | 57.33±15.87 | 18.93±17.84 | 34.27±19.02 | 33.33±21.93 | 37.20±20.07 | 36.00±20.06 |
| Evasion | GCN-GARNET | Random | 13.73±4.33 | 27.87±9.52 | 34.40±7.86 | 39.33±7.20 | 40.13±9.02 | 15.33±5.98 | 37.87±6.25 | 44.93±9.59 | 45.73±9.25 | 45.33±8.20 | 11.47±3.66 | 22.13±11.58 | 28.13±10.84 | 26.93±10.90 | 26.13±10.84 |
| Evasion | GNNGuard | L1D-RND | 6.27±4.13 | 9.73±5.60 | 11.73±4.83 | 17.20±5.44 | 18.67±6.13 | 4.67±3.68 | 7.60±5.46 | 9.60±5.30 | 10.53±5.10 | 11.07±5.18 | 6.53±4.63 | 8.27±4.20 | 9.73±4.53 | 10.13±5.68 | 12.40±5.46 |
| Evasion | GNNGuard | Random | 5.07±3.84 | 10.27±4.46 | 12.40±3.72 | 16.00±5.29 | 17.33±4.12 | 5.60±4.15 | 10.00±2.83 | 11.07±2.49 | 11.33±2.69 | 12.67±2.99 | 7.20±4.33 | 10.40±3.64 | 10.00±3.63 | 10.93±2.49 | 11.47±3.34 |
| Evasion | GRAND | L1D-RND | 34.13±14.99 | 63.47±7.54 | 71.07±6.54 | 71.07±7.70 | 72.00±8.72 | 45.47±11.80 | 60.67±8.64 | 63.33±9.43 | 66.00±8.49 | 66.40±8.72 | 33.20±15.62 | 39.07±17.07 | 44.53±16.41 | 44.93±16.78 | 44.67±17.22 |
| Evasion | GRAND | Random | 27.33±7.99 | 41.87±7.42 | 40.67±11.48 | 42.93±9.47 | 45.47±9.66 | 34.67±7.20 | 45.47±6.02 | 51.73±4.95 | 53.20±7.00 | 56.13±6.21 | 28.80±13.04 | 34.67±9.99 | 31.33±13.73 | 34.13±13.30 | 34.67±15.81 |
| Poison | GCN | L1D-RND | 15.47±4.03 | 23.33±6.79 | 30.27±6.18 | 33.47±7.03 | 34.67±6.87 | 16.27±4.33 | 29.87±12.77 | 37.73±9.56 | 40.13±9.12 | 42.93±6.04 | 9.73±3.10 | 15.47±4.81 | 17.33±5.64 | 19.33±5.49 | 23.20±9.91 |
| Poison | GCN | Random | 15.33±3.44 | 25.33±7.20 | 28.27±5.28 | 31.47±6.35 | 30.80±5.80 | 16.00±4.07 | 30.80±6.79 | 38.00±6.59 | 38.80±5.06 | 37.33±9.19 | 10.00±4.14 | 14.13±5.63 | 16.53±3.74 | 19.07±4.95 | 15.60±5.46 |
| Poison | GIN | L1D-RND | 23.07±8.07 | 38.00±13.50 | 42.40±8.53 | 43.73±11.54 | 45.33±12.39 | 20.40±9.39 | 36.13±13.13 | 38.40±11.86 | 40.13±11.55 | 43.87±10.54 | 14.67±6.79 | 27.07±14.10 | 29.07±13.75 | 23.33±12.11 | 24.27±12.69 |
| Poison | GIN | Random | 20.00±6.76 | 37.73±7.63 | 37.87±7.15 | 39.73±10.39 | 42.67±9.34 | 21.07±10.02 | 36.67±8.54 | 38.13±10.65 | 42.93±10.08 | 44.80±13.41 | 12.13±6.12 | 20.13±13.21 | 18.00±9.47 | 18.00±10.77 | 20.27±9.50 |
| Poison | GSAGE | L1D-RND | 18.13±6.57 | 33.73±9.71 | 40.40±7.45 | 42.67±7.43 | 44.40±7.06 | 21.33±9.09 | 40.13±10.43 | 42.27±9.76 | 43.47±11.84 | 45.33±8.27 | 10.13±4.44 | 17.73±4.95 | 18.00±8.45 | 14.27±5.50 | 14.80±6.96 |
| Poison | GSAGE | Random | 17.07±5.06 | 36.13±5.97 | 37.20±7.70 | 38.67±8.84 | 39.87±6.02 | 19.33±7.43 | 37.73±7.17 | 39.33±9.15 | 42.00±9.50 | 38.67±12.82 | 8.93±3.69 | 14.53±4.10 | 14.00±4.84 | 12.80±4.20 | 12.40±5.14 |
| Poison | PNA | L1D-RND | 37.47±7.80 | 44.00±13.65 | 48.13±11.82 | 50.40±13.27 | 57.20±13.26 | 42.27±12.62 | 51.07±10.98 | 52.13±9.96 | 52.53±6.70 | 59.60±9.42 | 39.33±26.37 | 19.60±10.83 | 20.67±8.74 | 20.40±8.69 | 23.47±10.89 |
| Poison | PNA | Random | 36.40±12.63 | 40.27±8.81 | 38.13±7.91 | 41.07±9.85 | 45.87±9.64 | 36.53±15.52 | 42.13±8.09 | 45.87±10.04 | 46.67±10.30 | 49.47±6.95 | 35.60±25.32 | 13.73±6.36 | 14.00±7.45 | 13.33±8.27 | 13.87±6.95 |
| Poison | GCN-GARNET | L1D-RND | 18.67±9.96 | 38.27±13.89 | 44.80±14.34 | 46.13±16.66 | 52.00±18.55 | 20.27±13.89 | 49.47±14.05 | 51.33±11.48 | 58.00±13.82 | 58.27±15.21 | 18.67±18.46 | 34.53±18.63 | 34.67±21.09 | 36.67±19.42 | 38.67±18.36 |
| Poison | GCN-GARNET | Random | 17.20±4.95 | 31.07±9.94 | 34.27±8.17 | 39.73±7.48 | 40.40±10.43 | 16.27±5.01 | 37.60±7.75 | 46.80±8.31 | 47.07±7.25 | 47.33±8.44 | 12.27±3.20 | 22.27±9.56 | 28.40±11.17 | 27.73±10.98 | 26.13±9.66 |
| Poison | GNNGuard | L1D-RND | 6.93±4.40 | 10.40±5.14 | 12.80±3.76 | 18.00±4.90 | 19.47±5.88 | 4.80±3.84 | 7.87±5.53 | 9.87±5.21 | 10.53±4.93 | 11.47±4.69 | 6.53±4.93 | 8.00±4.21 | 9.33±3.90 | 10.40±5.96 | 12.53±5.48 |
| Poison | GNNGuard | Random | 5.87±4.31 | 12.00±3.93 | 14.13±3.89 | 17.47±5.68 | 20.27±4.95 | 5.60±4.15 | 10.40±2.85 | 11.73±2.25 | 12.00±2.93 | 14.00±3.21 | 7.20±4.13 | 11.07±3.69 | 10.93±3.53 | 11.33±2.89 | 11.73±3.20 |
| Poison | GRAND | L1D-RND | 36.80±10.84 | 64.00±9.97 | 69.87±7.27 | 67.33±7.04 | 66.13±8.47 | 46.13±11.45 | 61.47±7.46 | 64.27±8.31 | 64.13±7.91 | 64.67±8.16 | 34.27±13.92 | 40.40±16.79 | 46.27±13.35 | 45.73±14.12 | 45.20±12.30 |
| Poison | GRAND | Random | 32.40±7.79 | 47.33±6.58 | 45.87±9.02 | 46.67±10.60 | 50.00±9.29 | 36.27±7.63 | 46.67±6.58 | 51.47±5.10 | 52.13±6.48 | 55.87±6.02 | 29.87±10.43 | 37.07±9.68 | 32.53±13.13 | 33.07±13.13 | 34.40±16.20 |

Table 32: Vanilla Homophily Results. Evaluating six adversarial attacks (features attack variants) on four vanilla attack victim models - Misclassification rate (%). Higher is better. Best performance in bold, second best underlined.

| Setting | Model | Attack | CORA Δ=1 | CORA Δ=2 | CORA Δ=3 | CORA Δ=4 | CORA Δ=5 | CITESEER Δ=1 | CITESEER Δ=2 | CITESEER Δ=3 | CITESEER Δ=4 | CITESEER Δ=5 | PUBMED Δ=1 | PUBMED Δ=2 | PUBMED Δ=3 | PUBMED Δ=4 | PUBMED Δ=5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evasion | GCN | FGA | 27.20±4.13 | 46.80±6.27 | 56.40±3.87 | 61.87±3.81 | 64.13±4.50 | 24.00±2.73 | 34.27±6.23 | 51.20±7.51 | 52.80±9.22 | 60.67±3.18 | 36.80±3.53 | 49.33±7.24 | 56.00±3.70 | 57.07±2.81 | 59.20±1.26 | 2.80 |
| Evasion | GCN | NETTACK | 29.33±4.94 | 49.87±5.68 | 57.07±5.44 | 62.13±4.75 | 63.33±4.51 | 25.07±6.04 | 45.73±8.28 | 54.13±5.37 | 57.73±3.84 | 59.20±8.84 | 35.20±2.60 | 54.27±2.71 | 58.27±1.83 | 59.07±1.98 | 58.93±1.83 | 2.00 |
| Evasion | GCN | PGD | 29.60±4.42 | 47.07±4.20 | 55.87±4.56 | 57.20±4.46 | 59.07±4.06 | 27.73±5.12 | 40.53±8.23 | 46.13±7.11 | 52.93±5.70 | 54.93±6.27 | 35.07±2.37 | 38.80±4.33 | 43.20±4.52 | 45.47±6.57 | 46.27±5.34 | 3.87 |
| Evasion | GCN | PR-BCD | 31.07±3.20 | 50.93±6.27 | 58.80±2.60 | 61.60±3.14 | 66.00±3.30 | 27.87±4.87 | 47.60±5.25 | 54.53±5.97 | 59.20±4.89 | 63.20±3.36 | 30.13±2.56 | 35.73±3.61 | 42.93±4.53 | 49.60±4.15 | 53.33±4.39 | 2.33 |
| Evasion | GCN | SGA | 28.53±4.98 | 44.53±7.15 | 54.67±4.94 | 58.27±3.92 | 61.60±4.36 | 22.67±2.79 | 34.93±4.89 | 46.53±4.50 | 50.67±6.70 | 57.20±4.77 | 35.07±2.71 | 40.13±7.19 | 49.87±7.54 | 54.67±5.00 | 56.00±4.96 | 4.00 |
| Evasion | GIN | FGA | 23.20±5.06 | 32.80±8.48 | 44.13±8.40 | 49.07±11.41 | 55.07±8.55 | 23.60±10.59 | 36.80±14.38 | 46.80±14.63 | 55.47±10.73 | 59.33±11.25 | 22.53±21.02 | 37.87±28.38 | 38.00±30.20 | 41.47±30.62 | 45.07±32.30 | 2.53 |
| Evasion | GIN | NETTACK | 24.40±9.60 | 41.47±9.46 | 52.67±9.22 | 59.20±7.59 | 61.87±7.27 | 20.80±14.79 | 44.00±16.73 | 50.40±9.86 | 52.80±12.58 | 60.00±11.31 | 21.20±20.74 | 37.73±27.25 | 46.67±30.56 | 50.40±32.66 | 49.60±33.14 | 1.67 |
| Evasion | GIN | PGD | 25.87±6.57 | 36.80±6.75 | 43.73±10.58 | 46.13±10.46 | 49.20±9.94 | 23.87±9.05 | 35.47±12.52 | 45.07±12.53 | 48.13±15.05 | 46.13±12.41 | 21.20±15.47 | 26.27±19.59 | 30.00±22.69 | 32.53±24.01 | 36.00±25.37 | 3.93 |
| Evasion | GIN | PR-BCD | 27.87±6.82 | 41.47±10.65 | 47.33±10.81 | 54.13±11.07 | 58.27±13.29 | 21.60±10.96 | 39.07±9.94 | 45.47±12.95 | 48.40±13.38 | 55.33±13.62 | 16.40±11.37 | 27.47±19.07 | 29.33±19.27 | 34.80±23.47 | 34.93±23.54 | 3.07 |
| Evasion | GIN | SGA | 23.20±4.65 | 32.53±8.90 | 42.00±11.29 | 44.13±14.74 | 50.67±14.16 | 20.80±6.84 | 37.20±8.65 | 42.13±8.70 | 45.07±12.40 | 48.67±10.44 | 23.60±20.69 | 32.00±24.52 | 35.73±27.94 | 41.07±30.75 | 43.20±31.06 | 3.80 |
| Evasion | GSAGE | FGA | 22.40±3.48 | 29.07±6.23 | 37.87±7.31 | 50.27±8.28 | 55.33±7.08 | 20.93±5.60 | 32.27±8.14 | 34.13±4.93 | 46.40±8.49 | 52.40±8.98 | 25.07±7.92 | 32.13±6.70 | 36.80±8.34 | 42.80±14.08 | 46.53±14.57 | 3.00 |
| Evasion | GSAGE | NETTACK | 24.40±2.95 | 47.33±6.49 | 56.80±4.46 | 61.87±6.86 | 64.80±7.24 | 21.20±6.58 | 47.73±10.02 | 56.93±11.93 | 58.27±14.96 | 62.67±11.78 | 22.40±7.34 | 35.07±5.34 | 40.67±12.51 | 44.53±13.95 | 45.87±14.55 | 1.47 |
| Evasion | GSAGE | PGD | 24.93±5.18 | 34.93±5.85 | 40.67±6.49 | 43.33±8.47 | 48.13±10.27 | 21.07±4.65 | 34.80±10.05 | 37.47±8.33 | 44.53±5.78 | 43.60±7.64 | 24.67±7.62 | 29.33±5.00 | 29.47±6.25 | 32.40±6.51 | 31.07±6.67 | 3.60 |
| Evasion | GSAGE | PR-BCD | 25.47±2.77 | 36.80±7.44 | 44.93±7.36 | 51.60±8.18 | 51.87±10.07 | 20.67±5.33 | 41.47±11.02 | 44.13±9.30 | 52.00±10.88 | 50.93±11.03 | 22.67±4.58 | 25.33±5.69 | 27.07±6.80 | 27.60±6.42 | 29.87±5.83 | 3.13 |
| Evasion | GSAGE | SGA | 22.53±5.15 | 35.20±8.68 | 41.73±12.74 | 47.87±13.17 | 48.13±13.32 | 19.33±4.76 | 29.07±8.65 | 37.33±9.12 | 44.80±7.59 | 43.60±11.24 | 24.27±6.92 | 30.53±4.24 | 34.53±7.91 | 38.53±8.73 | 38.40±8.72 | 3.80 |
| Evasion | PNA | FGA | 28.67±5.98 | 40.80±10.39 | 41.87±11.58 | 52.80±7.74 | 61.73±7.67 | 30.00±14.26 | 38.00±15.68 | 40.80±10.50 | 52.00±13.11 | 54.13±13.26 | 36.27±3.99 | 49.33±13.17 | 52.80±13.09 | 59.20±15.00 | 62.53±13.43 | 2.67 |
| Evasion | PNA | NETTACK | 33.87±9.46 | 55.07±10.14 | 59.73±8.48 | 62.27±9.07 | 64.13±7.73 | 31.60±12.99 | 50.80±9.79 | 61.20±11.18 | 59.33±11.15 | 63.60±15.88 | 32.00±6.93 | 44.40±10.70 | 55.87±12.88 | 60.13±13.57 | 63.47±16.26 | 1.20 |
| Evasion | PNA | PGD | 31.60±7.57 | 38.13±8.60 | 45.60±7.45 | 46.93±8.34 | 46.80±10.98 | 27.47±6.25 | 35.73±9.41 | 40.67±10.33 | 38.93±10.05 | 36.93±10.71 | 28.93±4.71 | 33.20±6.58 | 36.00±7.21 | 37.60±5.08 | 36.40±9.11 | 4.33 |
| Evasion | PNA | PR-BCD | 29.20±7.40 | 39.73±7.28 | 48.27±6.63 | 53.33±9.37 | 55.07±10.50 | 29.73±9.00 | 38.93±4.59 | 45.47±8.33 | 49.47±10.04 | 46.93±8.88 | 24.27±7.96 | 27.73±5.06 | 31.07±7.05 | 29.20±9.34 | 32.00±5.95 | 3.73 |
| Evasion | PNA | SGA | 31.73±6.58 | 41.20±9.67 | 43.60±8.76 | 49.33±9.52 | 57.87±9.18 | 26.27±5.23 | 40.27±8.84 | 43.87±10.81 | 44.13±9.66 | 49.07±11.23 | 34.40±4.91 | 40.40±10.34 | 46.80±9.85 | 51.73±11.66 | 53.20±13.33 | 3.07 |
| Poison | GCN | FGA | 29.20±4.39 | 49.07±5.39 | 57.47±3.58 | 62.13±3.58 | 64.00±4.72 | 31.73±6.27 | 49.87±6.35 | 55.87±3.42 | 61.73±4.83 | 62.80±3.76 | 37.20±3.69 | 49.33±6.58 | 56.80±2.91 | 56.80±2.70 | 59.07±1.67 | 2.53 |
| Poison | GCN | NETTACK | 33.47±4.69 | 52.40±4.36 | 58.93±2.91 | 62.00±3.70 | 63.33±3.35 | 34.13±6.95 | 52.40±5.08 | 58.13±5.78 | 61.73±5.90 | 63.20±6.04 | 34.93±2.91 | 53.87±3.96 | 58.27±1.83 | 58.93±1.67 | 58.80±1.82 | 1.67 |
| Poison | GCN | PGD | 30.27±3.92 | 50.00±4.07 | 56.13±4.63 | 58.13±4.69 | 59.47±3.42 | 33.07±6.76 | 46.40±8.04 | 51.47±6.12 | 56.27±5.06 | 59.33±5.33 | 34.80±3.19 | 38.80±4.26 | 42.93±4.13 | 46.13±6.57 | 45.73±5.34 | 4.27 |
| Poison | GCN | PR-BCD | 34.13±5.26 | 52.40±5.30 | 58.00±3.70 | 60.93±3.01 | 64.40±2.95 | 33.20±4.95 | 51.87±4.31 | 59.20±4.26 | 60.80±4.33 | 64.67±5.54 | 30.67±2.79 | 36.67±3.68 | 43.33±4.58 | 48.93±3.61 | 53.20±5.12 | 2.67 |
| Poison | GCN | SGA | 29.87±5.37 | 50.53±6.25 | 55.87±4.44 | 60.80±3.10 | 62.40±4.67 | 27.47±4.63 | 43.20±3.53 | 51.20±3.53 | 53.47±6.25 | 60.67±5.11 | 35.07±2.91 | 40.67±7.70 | 49.60±7.60 | 55.33±5.00 | 55.87±4.63 | 3.87 |
| Poison | GIN | FGA | 30.00±5.81 | 48.27±10.17 | 59.47±7.87 | 69.47±8.47 | 71.60±6.64 | 42.00±14.50 | 52.53±15.57 | 61.20±14.38 | 67.60±12.45 | 70.27±10.14 | 23.87±19.89 | 37.33±26.53 | 38.80±29.31 | 41.07±29.44 | 44.27±30.99 | 2.00 |
| Poison | GIN | NETTACK | 38.93±9.47 | 53.33±6.75 | 62.00±7.82 | 67.87±7.46 | 70.80±4.13 | 29.60±11.72 | 52.93±12.09 | 62.93±9.19 | 67.87±6.82 | 70.40±7.18 | 21.60±19.99 | 38.00±26.89 | 46.27±30.64 | 49.60±32.41 | 49.33±32.28 | 1.53 |
| Poison | GIN | PGD | 30.80±8.27 | 46.00±7.01 | 51.47±8.19 | 55.47±10.51 | 59.20±9.85 | 33.20±12.53 | 43.60±9.86 | 50.00±9.71 | 58.00±10.34 | 57.60±9.77 | 21.73±15.78 | 27.07±19.37 | 31.20±22.78 | 33.47±24.49 | 37.73±26.09 | 4.40 |
| Poison | GIN | PR-BCD | 34.67±8.20 | 49.73±9.28 | 59.20±6.67 | 63.20±5.89 | 69.33±5.27 | 29.07±10.77 | 49.73±9.44 | 58.40±8.66 | 62.40±8.29 | 66.40±8.76 | 15.33±11.23 | 27.20±19.46 | 29.73±20.04 | 34.67±23.30 | 36.27±25.05 | 3.67 |
| Poison | GIN | SGA | 28.00±6.97 | 50.67±9.34 | 55.60±8.01 | 57.73±12.26 | 68.53±8.47 | 32.27±7.36 | 50.40±11.01 | 57.87±10.62 | 60.80±11.75 | 63.07±9.10 | 23.33±20.21 | 31.60±24.32 | 36.93±27.64 | 40.40±29.47 | 42.80±30.53 | 3.40 |

GSAGEFGA26\.27±\\pm8\.6
540\.13±\\pm10\.6247\.73±\\pm9\.7159\.73±\\pm8\.8166\.67±\\pm9\.3126\.00±\\pm8\.1843\.20±\\pm12\.1648\.93±\\pm13\.9458\.13±\\pm14\.8261\.47±\\pm14\.3723\.73±\\pm8\.6531\.47±\\pm5\.8837\.07±\\pm8\.7543\.33±\\pm13\.1345\.73±\\pm14\.912\.80NETTACK29\.20±\\pm9\.0652\.40±\\pm8\.2560\.27±\\pm7\.3666\.67±\\pm7\.6270\.67±\\pm7\.9526\.40±\\pm9\.6953\.07±\\pm8\.6860\.40±\\pm9\.0562\.93±\\pm12\.0767\.87±\\pm10\.7622\.00±\\pm7\.5234\.13±\\pm4\.9840\.27±\\pm12\.4944\.13±\\pm14\.5544\.93±\\pm14\.041\.40PGD29\.87±\\pm7\.6142\.00±\\pm8\.7249\.07±\\pm8\.2155\.47±\\pm9\.2457\.20±\\pm9\.3725\.20±\\pm9\.7642\.67±\\pm8\.2047\.47±\\pm9\.5252\.13±\\pm8\.2651\.33±\\pm10\.2224\.13±\\pm8\.5729\.87±\\pm5\.4829\.07±\\pm6\.1332\.67±\\pm6\.9131\.60±\\pm7\.833\.93PR\-BCD31\.20±\\pm8\.7844\.00±\\pm7\.9652\.93±\\pm9\.2260\.53±\\pm9\.7562\.93±\\pm8\.7524\.40±\\pm7\.4949\.33±\\pm8\.7152\.67±\\pm13\.5259\.33±\\pm11\.1358\.00±\\pm12\.0021\.47±\\pm5\.5824\.27±\\pm6\.5826\.40±\\pm6\.6827\.60±\\pm6\.7328\.80±\\pm6\.183\.20SGA24\.13±\\pm4\.4442\.67±\\pm6\.7950\.93±\\pm10\.5358\.80±\\pm13\.2062\.67±\\pm14\.0122\.53±\\pm5\.5838\.40±\\pm14\.9949\.07±\\pm10\.6355\.47±\\pm10\.3555\.07±\\pm12\.8022\.40±\\pm7\.1431\.07±\\pm4\.7734\.13±\\pm8\.7738\.93±\\pm9\.4137\.87±\\pm10\.133\.67PNAFGA40\.67±\\pm7\.7052\.27±\\pm10\.3152\.67±\\pm13\.0665\.07±\\pm8\.0769\.20±\\pm7\.9640\.53±\\pm13\.1353\.60±\\pm14\.9960\.67±\\pm9\.7965\.60±\\pm15\.2068\.53±\\pm15\.6536\.53±\\pm6\.4450\.53±\\pm13\.2353\.60±\\pm11\.8158\.53±\\pm14\.8659\.20±\\pm15\.912\.13NETTACK40\.27±\\pm10\.3360\.40±\\pm7\.1866\.80±\\pm5\.3368\.53±\\pm8\.4073\.07±\\pm4\.9545\.47±\\pm8\.7363\.87±\\pm10\.6072\.40±\\pm8\.9573\.47±\\pm7\.0778\.27±\\pm8\.4534\.53±\\pm7\.6144\.80±\\pm10\.6956\.67±\\pm12\.0959\.47±\\pm13\.1562\.67±\\pm14\.491\.20PGD35\.47±\\pm8\.7346\.00±\\pm9\.0451\.73±\\pm7\.9254\.53±\\pm8\.1656\.00±\\pm10\.1440\.67±\\pm9\.4646\.27±\\pm9\.1347\.33±\\pm8\.4751\.07±\\pm7\.8153\.07±\\pm11\.7329\.07±\\pm4\.8334\.67±\\pm6\.3536\.53±\\pm6\.5238\.27±\\pm6\.
6337\.47±\\pm10\.494\.47PR\-BCD37\.60±\\pm8\.7950\.00±\\pm7\.4554\.53±\\pm7\.4663\.07±\\pm8\.5163\.20±\\pm8\.6139\.33±\\pm7\.8854\.00±\\pm5\.8658\.80±\\pm4\.9563\.47±\\pm6\.3562\.53±\\pm9\.4923\.87±\\pm7\.3927\.73±\\pm4\.7130\.53±\\pm7\.4229\.33±\\pm6\.2631\.33±\\pm6\.914\.07SGA39\.07±\\pm5\.2849\.73±\\pm8\.3455\.33±\\pm10\.2260\.40±\\pm12\.8868\.13±\\pm8\.0938\.53±\\pm5\.9357\.73±\\pm7\.6359\.73±\\pm8\.4165\.33±\\pm6\.8767\.20±\\pm10\.9834\.13±\\pm4\.1042\.00±\\pm9\.3846\.27±\\pm10\.6652\.00±\\pm10\.2854\.27±\\pm14\.623\.13

Table 33: Ablation study. Evaluating two variants of L1D-RND: L1D-RND-Add only (Degree effect) and L1D-RND-Remove only ($\mathcal{L}_1$ effect) on PNA and GRAND under the CORA dataset. Best performance in bold, second best underlined.

| Dataset: CORA | | Δ → | 1 | 2 | 3 | 4 | 5 | Avg. Rank |
|---|---|---|---|---|---|---|---|---|
| Evasion | PNA | Random | 29.47±11.72 | 35.33±9.90 | 31.87±11.17 | 37.20±12.87 | 39.07±10.47 | 4.00 |
| | | L1D-RND-Add only | 31.73±11.00 | 46.27±18.00 | 51.07±15.69 | 49.07±15.34 | 53.60±11.89 | 1.80 |
| | | L1D-RND-Remove only | 32.40±12.49 | 46.80±17.64 | 53.87±16.34 | 47.20±14.16 | 51.87±10.99 | 1.80 |
| | | L1D-RND | 33.20±8.81 | 41.60±12.86 | 47.20±9.44 | 45.20±12.14 | 53.07±15.36 | 2.40 |
| | GRAND | Random | 27.33±7.99 | 41.87±7.42 | 40.67±11.48 | 42.93±9.47 | 45.47±9.66 | 4.00 |
| | | L1D-RND-Add only | 62.80±7.92 | 70.53±8.05 | 69.60±10.26 | 68.27±12.14 | 64.93±13.69 | 1.60 |
| | | L1D-RND-Remove only | 62.80±7.92 | 70.53±8.05 | 69.60±10.26 | 68.27±12.14 | 64.93±13.69 | 2.60 |
| | | L1D-RND | 34.13±14.99 | 63.47±7.54 | 71.07±6.54 | 71.07±7.70 | 72.00±8.72 | 1.80 |
| Poison | PNA | Random | 36.40±12.63 | 40.27±8.81 | 38.13±7.91 | 41.07±9.85 | 45.87±9.64 | 3.80 |
| | | L1D-RND-Add only | 39.20±12.23 | 49.60±14.68 | 52.93±12.12 | 54.40±12.26 | 54.93±13.58 | 1.40 |
| | | L1D-RND-Remove only | 34.27±12.58 | 48.80±14.92 | 49.33±15.17 | 56.00±14.70 | 54.67±10.30 | 2.40 |
| | | L1D-RND | 37.47±7.80 | 44.00±13.65 | 48.13±11.82 | 50.40±13.27 | 57.20±13.26 | 2.40 |
| | GRAND | Random | 32.40±7.79 | 47.33±6.58 | 45.87±9.02 | 46.67±10.60 | 50.00±9.29 | 4.00 |
| | | L1D-RND-Add only | 64.93±7.36 | 68.00±7.48 | 66.67±10.52 | 69.20±10.66 | 66.93±12.14 | 1.20 |
| | | L1D-RND-Remove only | 64.93±7.36 | 68.00±7.48 | 66.67±10.52 | 69.20±10.66 | 66.93±12.14 | 2.20 |
| | | L1D-RND | 36.80±10.84 | 64.00±9.97 | 69.87±7.27 | 67.33±7.04 | 66.13±8.47 | 2.60 |
