Review for NeurIPS paper: GNNGuard: Defending Graph Neural Networks against Adversarial Attacks
–Neural Information Processing Systems
Weaknesses:
* The proposed approach is heuristic. The main downside of heuristic defenses (unlike certified defenses) is that they are often easily broken by an adaptive attacker. With this in mind, a proper evaluation of a heuristic defense warrants a strong attempt to break it (by the authors) by proposing an attack that's tailored specifically for it. Without such evidence, it is not clear whether this defense would be useful in practice. For example, it is relatively straightforward to add an additional term in Mettack's loss that encourages adversarial edges between nodes with similar representations.
Jan-25-2025, 07:34:39 GMT