Explainable AI Security: Exploring Robustness of Graph Neural Networks to Adversarial Attacks

📅 2024-06-20
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
🤖 AI Summary
Graph Neural Networks (GNNs) exhibit insufficient robustness against adversarial attacks, hindering their deployment in safety-critical applications. To diagnose this vulnerability, we systematically investigate its roots across three dimensions: graph structural patterns, model architecture, and adversarial transferability. Methodologically, we integrate diverse adversarial attack strategies, neuron-wise sensitivity analysis, cross-model transfer evaluation, graph statistical modeling, and model capacity control. Our empirical study identifies three interpretable robustness principles: (i) training on structurally diverse graphs enhances robustness over regular graphs; (ii) larger-capacity GNNs demonstrate superior adversarial robustness; and (iii) adversarial examples generated by smaller models exhibit higher transferability. Crucially, we find that only a small subset of critical neurons dominates vulnerability. Based on these findings, we derive actionable guidelines for improving GNN robustness, providing both theoretical foundations and empirical evidence for trustworthy GNN design.

📝 Abstract
Graph neural networks (GNNs) have achieved tremendous success, but recent studies have shown that GNNs are vulnerable to adversarial attacks, which significantly hinders their use in safety-critical scenarios. Therefore, the design of robust GNNs has attracted increasing attention. However, existing research has mainly been conducted via experimental trial and error, and thus far, there remains a lack of a comprehensive understanding of the vulnerability of GNNs. To address this limitation, we systematically investigate the adversarial robustness of GNNs by considering graph data patterns, model-specific factors, and the transferability of adversarial examples. Through extensive experiments, a set of principled guidelines is obtained for improving the adversarial robustness of GNNs, for example: (i) rather than highly regular graphs, the training graph data with diverse structural patterns is crucial for model robustness, which is consistent with the concept of adversarial training; (ii) the large model capacity of GNNs with sufficient training data has a positive effect on model robustness, and only a small percentage of neurons in GNNs are affected by adversarial attacks; (iii) adversarial transfer is not symmetric and the adversarial examples produced by the small-capacity model have stronger adversarial transferability. This work illuminates the vulnerabilities of GNNs and opens many promising avenues for designing robust GNNs.

Problem

Research questions and friction points this paper is trying to address.

Assessing GNN vulnerability to adversarial attacks
Developing metrics for GNN adversarial robustness
Providing guidelines for robust GNN design

Innovation

Methods, ideas, or system contributions that make the work stand out.

Large-scale systematic study on GNN robustness
Comprehensive empirical framework for GNN analysis
Two novel evaluation metrics introduced
Tao Wu
School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing, China
Canyixing Cui
School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing, China
Xingping Xian
School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing, China
Shaojie Qiao
School of Software Engineering, Chengdu University of Information Technology, Chengdu, China
Chao Wang
School of Computer and Information Science, Chongqing Normal University, Chongqing, China
Lin Yuan
School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing, China
Shui Yu
School of Computer Science, University of Technology Sydney, Australia