def test(adj, features, target_node): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) if args.cuda: gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() output = gcn(gcn.features, gcn.adj_norm) probs = torch.exp(output[[target_node]])[0] print(f'probs: {probs.detach().cpu().numpy()}') loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "loss= {:.4f}".format(loss_test.item()), "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def select_nodes(target_gcn=None): ''' selecting nodes as reported in Nettack paper: (i) the 10 nodes with highest margin of classification, i.e. they are clearly correctly classified, (ii) the 10 nodes with lowest margin (but still correctly classified) and (iii) 20 more nodes randomly ''' if target_gcn is None: target_gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) target_gcn = target_gcn.to(device) target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) target_gcn.eval() output = target_gcn.predict() margin_dict = {} for idx in idx_test: margin = classification_margin(output[idx], labels[idx]) if margin < 0: # only keep the nodes correctly classified continue margin_dict[idx] = margin sorted_margins = sorted(margin_dict.items(), key=lambda x: x[1], reverse=True) high = [x for x, y in sorted_margins[: 10]] low = [x for x, y in sorted_margins[-10:]] other = [x for x, y in sorted_margins[10: -10]] other = np.random.choice(other, 20, replace=False).tolist() return high + low + other
def load_victim_model(data, model_name='gcn', device='cpu', file_path=None): assert model_name == 'gcn', 'Currently only support gcn as victim model...' if file_path is None: # file_path = f'results/saved_models/{data.name}/{model_name}_checkpoint' file_path = 'results/saved_models/{0}/{1}_checkpoint'.format( data.name, model_name) else: file_path = osp.join(file_path, '{}_checkpoint'.format(model_name)) # Setup victim model if osp.exists(file_path): victim_model = GCN(nfeat=data.features.shape[1], nclass=data.labels.max().item() + 1, nhid=16, dropout=0.5, weight_decay=5e-4, device=device) victim_model.load_state_dict(torch.load(file_path, map_location=device)) victim_model.to(device) victim_model.eval() return victim_model victim_model = train_victim_model(data=data, model_name=model_name, device=device, file_path=osp.dirname(file_path)) return victim_model
def test(features, adj, target_node): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5) if args.cuda: gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() try: adj = normalize_adj_tensor(adj, sparse=True) except: adj = normalize_adj_tensor(adj) output = gcn(features, adj) probs = torch.exp(output[[target_node]])[0] print('probs: {}'.format(probs)) loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "loss= {:.4f}".format(loss_test.item()), "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def test(adj, gcn=None): ''' test on GCN ''' if gcn is None: # adj = normalize_adj_tensor(adj) gcn = GCN(nfeat=features.shape[1], nhid=args.hidden, nclass=labels.max().item() + 1, dropout=args.dropout, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) # train without model picking gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) # train with validation model picking gcn.eval() output = gcn.predict().cpu() else: gcn.eval() output = gcn.predict().cpu() loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "loss= {:.4f}".format(loss_test.item()), "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def train_victim_model(data, model_name='gcn', file_path=None, device='cpu'): """Train the victim model (target classifer) and save the model Note that the attacker can only do black query to this model. """ if file_path is None: file_path = 'results/saved_models/%s/' % data.name adj, features, labels = data.adj, data.features, data.labels idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test nfeat = features.shape[1] adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False) # Setup victim model victim_model = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1, nhid=16, dropout=0.5, weight_decay=5e-4, device=device) adj = adj.to(device) features = features.to(device) labels = labels.to(device) victim_model = victim_model.to(device) victim_model.fit(features, adj, labels, idx_train, idx_val) # save the model if not osp.exists(file_path): os.system('mkdir -p %s' % file_path) torch.save(victim_model.state_dict(), osp.join(file_path, model_name + '_checkpoint')) victim_model.eval() return victim_model
def test_attack(adj, features, target_node): ''' test on GCN after NETTACK poisoning attack''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() output = gcn.predict() probs = torch.exp(output[[target_node]]) acc_test = accuracy(output[[target_node]], [labels[target_node]]) return acc_test.item()
def single_test(adj, features, target_node): ''' test on GCN (poisoning attack)''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() output = gcn.predict() probs = torch.exp(output[[target_node]]) acc_test = accuracy(output[[target_node]], labels[target_node]) # print("Test set results:", "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def test_GCN(): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() output = gcn.predict() acc_test = accuracy(output[idx_test], labels[idx_test]) print("GCN Test set results:", "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def test(adj, features, target_node): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) gcn.eval() output = gcn.predict() probs = torch.exp(output[[target_node]])[0] print('Target node probs: {}'.format(probs.detach().cpu().numpy())) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Overall test set results:", "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def single_test(adj, features, target_node, gcn=None): if gcn is None: # test on GCN (poisoning attack) gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) gcn.eval() output = gcn.predict() else: # test on GCN (evasion attack) output = gcn.predict(features, adj) probs = torch.exp(output[[target_node]]) # acc_test = accuracy(output[[target_node]], labels[target_node]) acc_test = (output.argmax(1)[target_node] == labels[target_node]) return acc_test.item()
def load_victim_model(data, model_name='gcn', device='cpu', file_path=None): """load_victim_model. Parameters ---------- data : deeprobust.graph.Dataset graph data model_name : str victime model name, e.g. ('gcn', 'deepwalk') But currently it only supports gcn as victim model. device : str 'cpu' or 'cuda' file_path : if given, the victim model will be loaded from this path. """ assert model_name == 'gcn', 'Currently only support gcn as victim model...' if file_path is None: # file_path = f'results/saved_models/{data.name}/{model_name}_checkpoint' file_path = 'results/saved_models/{0}/{1}_checkpoint'.format(data.name, model_name) else: file_path = osp.join(file_path, '{}_checkpoint'.format(model_name)) # Setup victim model if osp.exists(file_path): victim_model = GCN(nfeat=data.features.shape[1], nclass=data.labels.max().item()+1, nhid=16, dropout=0.5, weight_decay=5e-4, device=device) victim_model.load_state_dict(torch.load(file_path, map_location=device)) victim_model.to(device) victim_model.eval() return victim_model victim_model = train_victim_model(data=data, model_name=model_name, device=device, file_path=osp.dirname(file_path)) return victim_model
adv_train_model.initialize() n_perturbations = int(0.01 * (adj.sum() // 2)) for i in tqdm(range(100)): # modified_adj = adversary.attack(features, adj) modified_adj = adversary.attack(adj, n_perturbations=n_perturbations, type='add') adv_train_model.fit(features, modified_adj, labels, idx_train, train_iters=50, initialize=False) adv_train_model.eval() # test directly or fine tune print('=== test on perturbed adj ===') output = adv_train_model.predict() acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "accuracy= {:.4f}".format(acc_test.item())) # set up Surrogate & Nettack to attack the graph import random target_nodes = random.sample(idx_test.tolist(), 20) # Setup Surrogate model surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item() + 1, nhid=16, dropout=0,
model.fit(features, perturbed_adj, labels, idx_train) output = model.output acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "accuracy= {:.4f}".format(acc_test.item())) # For poisoning attack, the adjacency matrix you have # is alreay perturbed print('=== Adversarial Training for Poisoning Attack===') model.initialize() n_perturbations = int(0.01 * (adj.sum() // 2)) for i in range(100): # modified_adj = adversary.attack(features, adj) adversary.attack(perturbed_adj, n_perturbations=n_perturbations, type='remove') modified_adj = adversary.modified_adj model.fit(features, modified_adj, labels, idx_train, train_iters=50, initialize=False) model.eval() # test directly or fine tune print('=== test on perturbed adj ===') output = model.predict(features, perturbed_adj) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "accuracy= {:.4f}".format(acc_test.item()))
if args.cuda: torch.cuda.manual_seed(args.seed) vgae = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max() + 1, device=device) vgae = vgae.to(device) vgae.fit(features, adj_rec_norm, labels, idx_train, idx_val, train_iters=200, verbose=False, normalize=False) vgae.eval() output = vgae.test(idx_val) res.append(output.item()) print("retraining") bst = np.argmax(res) + 1 percentile = (1 - perturbed_adj.sum() / adj.shape[0]**2 * bst) * 100 adj_rec = reconstructor.sparse(percentile) adj_rec_norm = utils.preprocess_graph(adj_rec) torch.manual_seed(args.seed) if args.cuda: torch.cuda.manual_seed(args.seed) vgae = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max() + 1,