Example #1
def attackTrainerContinuous(attack, attacked_nodes: torch.Tensor,
                            y_targets: torch.Tensor,
                            malicious_nodes: torch.Tensor,
                            node_num: int) -> torch.Tensor:
    """
        a trainer function that attacks our model by changing the input attributes of the malicious nodes
        an attack only counts as successful if it fools the model AND the perturbed attributes can be embedded within the l_inf bound

        Parameters
        ----------
        attack: oneGNNAttack
        attacked_nodes: torch.Tensor - the victim nodes
        y_targets: torch.Tensor - the target labels of the attack
        malicious_nodes: torch.Tensor - the attacker/malicious nodes
        node_num: int - the index of the attacked/victim node (out of the train/val/test-set)

        Returns
        -------
        attack_results: torch.Tensor - 2d-tensor that includes
                                       1st-col - the defence
                                       2nd-col - the number of attributes used
        if the number of attributes is 0 the node is misclassified to begin with
    """
    # initialize
    model = attack.model_wrapper.model
    attack_epochs = attack.attack_epochs
    lr = attack.lr
    print_answer = attack.print_answer
    dataset = attack.getDataset()
    data = dataset.data

    num_attributes = data.x.shape[1]
    max_attributes = num_attributes * malicious_nodes.shape[0]

    log_template = createLogTemplate(attack=attack, dataset=dataset)

    # changing the parameters which require grads and setting adversarial optimizer
    optimizer_params = setRequiresGrad(model=model,
                                       malicious_nodes=malicious_nodes)
    optimizer = torch.optim.Adam(params=optimizer_params, lr=lr)

    # find best_attributes
    model0 = copy.deepcopy(model)
    prev_changed_attributes = 0
    for epoch in range(0, attack_epochs):
        # train
        train(model=model,
              targeted=attack.targeted,
              attacked_nodes=attacked_nodes,
              y_targets=y_targets,
              optimizer=optimizer)

        # test correctness
        changed_attributes = (model.getInput() !=
                              model0.getInput())[malicious_nodes].sum().item()
        test_discrete(model=model,
                      model0=model0,
                      malicious_nodes=malicious_nodes,
                      changed_attributes=changed_attributes,
                      max_attributes=max_attributes)

        # test
        results = test(data=data,
                       model=model,
                       targeted=attack.targeted,
                       attacked_nodes=attacked_nodes,
                       y_targets=y_targets)

        # breaks
        if results[3]:
            # embed
            embedded_model = copy.deepcopy(model)
            for malicious_node in malicious_nodes:
                embedRowContinuous(model=embedded_model,
                                   malicious_node=malicious_node,
                                   model0=model0,
                                   l_inf=attack.l_inf)

            # test correctness
            changed_attributes = (
                embedded_model.getInput() !=
                model0.getInput())[malicious_nodes].sum().item()
            test_continuous(model=embedded_model,
                            model0=model0,
                            malicious_nodes=malicious_nodes,
                            changed_attributes=changed_attributes,
                            max_attributes=max_attributes,
                            l_inf=attack.l_inf)
            # test
            results = test(data=data,
                           model=embedded_model,
                           targeted=attack.targeted,
                           attacked_nodes=attacked_nodes,
                           y_targets=y_targets)
            if results[3]:
                if print_answer is Print.YES:
                    print(log_template.format(node_num, epoch + 1,
                                              *results[:-1]),
                          flush=True,
                          end='')
                break
        # prints
        if print_answer is Print.YES:
            print(log_template.format(node_num, epoch + 1, *results[:-1]),
                  flush=True,
                  end='')
        if changed_attributes == prev_changed_attributes:
            break
        prev_changed_attributes = changed_attributes

        if epoch != attack_epochs - 1 and print_answer is not Print.NO:
            print()

    if print_answer is Print.YES:
        print(', Attack Success: {}\n'.format(results[-1]), flush=True)
    if not results[3]:
        changed_attributes = max_attributes
    return torch.tensor([[results[3], changed_attributes]]).type(torch.long)
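The embedding step above calls embedRowContinuous, which is not shown in this example. Below is a minimal sketch of what such a projection could look like, assuming the model exposes the same node_attribute_list / setNodesAttributes interface used elsewhere in the example; the helper body is an assumption, not the repository's actual implementation.

import torch

def embedRowContinuous_sketch(model, malicious_node, model0, l_inf):
    # Hypothetical sketch: project the optimized attribute row of one malicious
    # node back into the l_inf ball around its clean (model0) row, so the
    # continuous perturbation respects the budget before the attack is re-tested.
    with torch.no_grad():
        clean_row = model0.node_attribute_list[malicious_node][0]
        attacked_row = model.node_attribute_list[malicious_node][0]
        delta = torch.clamp(attacked_row - clean_row, min=-l_inf, max=l_inf)
        model.setNodesAttributes(idx_node=malicious_node, values=clean_row + delta)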
Example #2
def attackTrainerDiscrete(attack, attacked_nodes: torch.Tensor,
                          y_targets: torch.Tensor,
                          malicious_nodes: torch.Tensor, node_num: int,
                          discrete_stop_after_1iter: bool) -> torch.Tensor:
    """
        a trainer function that attacks our model by changing the input attributes, limited to a fixed number of attributes (the l_0 budget)
        1. attack the model with i attributes
        2. backprop
        3. add the attribute with the largest gradient as the (i+1)-th attribute

        Parameters
        ----------
        attack: oneGNNAttack
        attacked_nodes: torch.Tensor - the victim nodes
        y_targets: torch.Tensor - the target labels of the attack
        malicious_nodes: torch.Tensor - the attacker/malicious nodes
        node_num: int - the index of the attacked/victim node (out of the train/val/test-set)
        discrete_stop_after_1iter: bool - whether or not to stop the discrete attack after 1 iteration
                                          this is a specific flag for the GRAD_CHOICE Approach

        Returns
        -------
        attack_results: torch.Tensor - 2d-tensor that includes
                                       1st-col - the defence
                                       2nd-col - the number of attributes used
        if the number of attributes is 0 the node is misclassified to begin with
    """
    # initialize
    model = attack.model_wrapper.model
    lr = attack.lr
    print_answer = attack.print_answer
    dataset = attack.getDataset()
    data = dataset.data
    num_attributes = data.x.shape[1]
    max_attributes_per_malicious = int(num_attributes * attack.l_0)
    max_attributes = max_attributes_per_malicious * malicious_nodes.shape[0]

    changed_attributes_all_malicious, epoch = 0, 0
    log_template = createLogTemplate(attack=attack, dataset=dataset)

    # changing the parameters which require grads and setting adversarial optimizer
    optimizer_params = setRequiresGrad(model=model,
                                       malicious_nodes=malicious_nodes)
    optimizer = torch.optim.Adam(params=optimizer_params, lr=lr)
    optimizer.zero_grad()

    # zero attributes
    with torch.no_grad():
        changed_attributes = 0
        for malicious_node in malicious_nodes:
            changed_attributes += model.node_attribute_list[malicious_node][
                0].sum().item()
            model.setNodesAttributes(idx_node=malicious_node,
                                     values=torch.zeros(num_attributes))

    # flip the attribute with the largest gradient
    model0 = copy.deepcopy(model)
    changed_attributes, prev_changed_attributes = 0, 0
    num_attributes_left = max_attributes_per_malicious * torch.ones_like(
        malicious_nodes).to(attack.device)
    while True:
        epoch += 1
        prev_model = copy.deepcopy(model)
        # train
        train(model=model,
              targeted=attack.targeted,
              attacked_nodes=attacked_nodes,
              y_targets=y_targets,
              optimizer=optimizer)
        num_attributes_left = flipUpBestNewAttributes(
            model=model,
            model0=prev_model,
            malicious_nodes=malicious_nodes,
            num_attributes_left=num_attributes_left)
        changed_attributes = max_attributes - num_attributes_left.sum().item()

        # test correctness
        test_discrete(model=model,
                      model0=model0,
                      malicious_nodes=malicious_nodes,
                      changed_attributes=changed_attributes,
                      max_attributes=max_attributes)

        # test
        results = test(data=data,
                       model=model,
                       targeted=attack.targeted,
                       attacked_nodes=attacked_nodes,
                       y_targets=y_targets)

        # prints
        if print_answer is not Print.NO and epoch != 1:
            print()
        if print_answer is Print.YES:
            print(log_template.format(node_num, epoch, changed_attributes,
                                      *results[:-1]),
                  flush=True,
                  end='')
        # breaks
        if (results[3] or changed_attributes == max_attributes
                or changed_attributes == prev_changed_attributes):
            break
        prev_changed_attributes = changed_attributes
        if discrete_stop_after_1iter:
            break

    if print_answer is Print.YES:
        print(', Attack Success: {}\n'.format(results[-1]), flush=True)
    if changed_attributes > max_attributes:
        return torch.tensor([[results[3], max_attributes]]).type(torch.long)
    else:
        return torch.tensor([[results[3],
                              changed_attributes]]).type(torch.long)
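The greedy selection in this example is delegated to flipUpBestNewAttributes, which is not shown. A minimal sketch of such a greedy flip is given below, assuming discrete 0/1 features and the node_attribute_list / setNodesAttributes interface used above; it is a hypothetical reconstruction, not the repository's actual helper.

import torch

def flipUpBestNewAttributes_sketch(model, model0, malicious_nodes, num_attributes_left):
    # Hypothetical sketch: after the adversarial gradient step, compare each
    # malicious node's (now continuous) row with its previous discrete row
    # (model0), flip the single most-increased still-zero attribute to 1, and
    # decrement that node's remaining l_0 budget.
    with torch.no_grad():
        for idx, malicious_node in enumerate(malicious_nodes):
            prev_row = model0.node_attribute_list[malicious_node][0]
            if num_attributes_left[idx] <= 0:
                # budget exhausted - keep the previous discrete row
                model.setNodesAttributes(idx_node=malicious_node, values=prev_row)
                continue
            curr_row = model.node_attribute_list[malicious_node][0]
            gain = curr_row - prev_row
            gain[prev_row != 0] = float('-inf')  # only consider attributes that are still off
            best_attribute = gain.argmax()
            new_row = prev_row.clone()
            if gain[best_attribute] > 0:
                new_row[best_attribute] = 1
                num_attributes_left[idx] -= 1
            model.setNodesAttributes(idx_node=malicious_node, values=new_row)
    return num_attributes_left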
Example #3
def attackVictim(attack, approach: Approach, attacked_node: torch.Tensor, y_target: torch.Tensor, node_num: int)\
        -> torch.Tensor:
    """
        chooses the node we attack with (the malicious node) from our BFS environment
        this BFS environment is also calculated according to the selected approach
        lastly, we attack using attackTrainer
        important note: the victim node is already known (attacked node)

        Parameters
        ----------
        attack: oneGNNAttack
        approach: Approach
        attacked_node: torch.Tensor - the victim node
        y_target: torch.Tensor - the target label of the attack
        node_num: int - the index of the attacked/victim node (out of the train/val/test-set)

        Returns
        -------
        attack_results: torch.Tensor - 2d-tensor that includes
                                       1st-col - the defence
                                       2nd-col - the number of attributes used
        if the number of attributes is 0 the node is misclassified to begin with
    """
    device = attack.device
    dataset = attack.getDataset()
    print_answer = attack.print_answer

    neighbours_and_dist = kBFS(root=attacked_node, device=device, reversed_arr_list=dataset.reversed_arr_list,
                               K=attack.num_layers)
    if neighbours_and_dist.nelement():
        neighbours_and_dist = manipulateNeighborhood(attack=attack, approach=approach, attacked_node=attacked_node,
                                                     neighbours_and_dist=neighbours_and_dist, device=device)
        attack_log = 'Attack: {:03d}, Node: {}, BFS clique: {}'.format(node_num, attacked_node.item(),
                                                                       neighbours_and_dist.shape[0] + 1)
    else:
        attack_log = 'Attack: {:03d}, Node: {} is a solo node'.format(node_num, attacked_node.item())
    # in adversarial mode add #Epoch
    if attack.mode.isAdversarial():
        attack_log = 'Adv Epoch: {:03d}, '.format(attack.idx) + attack_log

    # special cases of solo node and duo node for double
    BFS_size = neighbours_and_dist.shape[0]
    if not neighbours_and_dist.nelement():
        if print_answer is Print.YES:
            print(attack_log, flush=True)
        return None

    if print_answer is Print.YES:
        print(attack_log, end='', flush=True)
        if approach is not NodeApproach.MULTIPLE_ATTACKERS:
            print()
    malicious_node, attack = approach.getMaliciousNode(attack=attack, attacked_node=attacked_node, y_target=y_target,
                                                       node_num=node_num, neighbours_and_dist=neighbours_and_dist,
                                                       BFS_size=BFS_size)
    # calculates the malicious node for the irregular approaches
    if approach is NodeApproach.AGREE:
        print()
        malicious_node_heuristic = heuristicApproach(reversed_arr_list=dataset.reversed_arr_list,
                                                     neighbours_and_dist=neighbours_and_dist,
                                                     device=attack.device)
        malicious_node_gradient = gradientApproach(attack=attack, attacked_node=attacked_node, y_target=y_target,
                                                   node_num=node_num, neighbours_and_dist=neighbours_and_dist)
        attack_results = torch.zeros(1, 2)
        attack_results[0][0] = malicious_node_heuristic == malicious_node_gradient  # in attackSet we change to equal
        return attack_results

    if approach is NodeApproach.ZERO_FEATURES:
        model = attack.model_wrapper.model
        data = dataset.data
        zero_model = copy.deepcopy(model)
        # zero out the malicious node's attributes
        zero_model.node_attribute_list[malicious_node][:] = 0

        # test correctness
        changed_attributes = (zero_model.getInput() != model.getInput())[malicious_node].sum().item()

        # test
        results = test(data=data, model=zero_model, targeted=attack.targeted,
                       attacked_nodes=attacked_node, y_targets=y_target)

        log_template = createLogTemplate(attack=attack, dataset=dataset) + ', Attack Success: {}\n'
        if dataset.type is DatasetType.DISCRETE:
            print(log_template.format(node_num, 1, changed_attributes, *results), flush=True)
        if dataset.type is DatasetType.CONTINUOUS:
            print(log_template.format(node_num, 1, *results), flush=True)
        attack_results = torch.tensor([[results[3], changed_attributes]])
        return attack_results

    if approach is NodeApproach.MULTIPLE_ATTACKERS:
        if malicious_node is None:
            if print_answer is Print.YES:
                print(f': Too small for {attack.num_of_attackers} attackers\n', flush=True)
            return None
        else:
            print()

    if approach is NodeApproach.INJECTION:
        dataset = attack.getDataset()
        classified_to_target = checkNodeClassification(attack=attack, dataset=dataset,
                                                       attacked_node=attacked_node, y_target=y_target,
                                                       print_answer=Print.NO, attack_num=node_num + 1)
        if not classified_to_target:
            print("misclassified right after injection!\n", flush=True)
            attack.model_wrapper.model.removeInjectedNode(attack=attack)
            return torch.tensor([[1, 0]])

    attack_results = attackTrainer(attack=attack, attacked_nodes=attacked_node, y_targets=y_target,
                                   malicious_nodes=malicious_node, node_num=node_num)

    if approach is NodeApproach.INJECTION:
        attack.model_wrapper.model.removeInjectedNode(attack=attack)
    return attack_results
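attackVictim builds its attack surface with kBFS, which is not part of this example. The sketch below shows one possible K-hop BFS over the reversed adjacency list that returns (node, distance) pairs in the shape the calling code expects; reversed_arr_list is assumed to map each node index to the list of its in-neighbours, and the whole function is a hypothetical reconstruction rather than the repository's implementation.

import torch

def kBFS_sketch(root, device, reversed_arr_list, K):
    # Hypothetical sketch: breadth-first search of depth K over the reversed
    # adjacency list, collecting every node that can reach `root` within K hops
    # together with its hop distance. Returns an empty tensor for isolated nodes.
    visited = {root.item()}
    frontier = [root.item()]
    neighbours_and_dist = []
    for dist in range(1, K + 1):
        next_frontier = []
        for node in frontier:
            for neighbour in reversed_arr_list[node]:
                if neighbour not in visited:
                    visited.add(neighbour)
                    next_frontier.append(neighbour)
                    neighbours_and_dist.append([neighbour, dist])
        frontier = next_frontier
    if not neighbours_and_dist:
        return torch.empty(0, 2, dtype=torch.long, device=device)
    return torch.tensor(neighbours_and_dist, dtype=torch.long, device=device)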