def main(): target_gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) target_gcn = target_gcn.to(device) target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) print('=== testing GCN on clean graph ===') test(adj, target_gcn) print('=== testing GCN on Evasion attack ===') model.attack(features, adj, labels, idx_train, perturbations, epochs=args.epochs) modified_adj = model.modified_adj test(modified_adj, target_gcn) # modified_features = model.modified_features print('=== testing GCN on Poisoning attack ===') test(modified_adj)
def multi_test_evasion(): # test on 40 nodes on evasion attack target_gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) target_gcn = target_gcn.to(device) target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) cnt = 0 degrees = adj.sum(0).A1 node_list = select_nodes(target_gcn) num = len(node_list) print('=== [Evasion] Attacking %s nodes respectively ===' % num) for target_node in tqdm(node_list): n_perturbations = int(degrees[target_node]) model = SGAttack(surrogate, attack_structure=True, attack_features=False, device=device) model = model.to(device) model.attack(features, adj, labels, target_node, n_perturbations, direct=True, verbose=False) modified_adj = model.modified_adj modified_features = model.modified_features acc = single_test(modified_adj, modified_features, target_node, gcn=target_gcn) if acc == 0: cnt += 1 print('misclassification rate : %s' % (cnt / num))
def test(data, adj): ''' test on GCN ''' _, features, labels = data.adj, data.features, data.labels idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test idx_unlabeled = np.union1d(idx_val, idx_test) adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False) # adj = normalize_adj_tensor(adj) gcn = GCN(nfeat=features.shape[1], nhid=args.hidden, nclass=labels.max().item() + 1, dropout=args.dropout, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) # train without model picking # gcn.fit(features, adj, labels, idx_train, idx_val) # train with validation model picking output = gcn.output.cpu() loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) # print("Test set results:", # "loss= {:.4f}".format(loss_test.item()), # "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def multi_test(): # Setup Surrogate model surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1, nhid=16, dropout=0, with_relu=False, with_bias=False, device=device) surrogate = surrogate.to(device) surrogate.fit(features, adj, labels, idx_train) attack_cnt = 0 defense_cnt = 0 degrees = adj.sum(0).A1 node_list = select_nodes() num = len(node_list) print('=== Attacking %s nodes one after another ===' % num) for target_node in node_list: #n_perturbations = min(15, int(degrees[target_node])) n_perturbations = int(degrees[target_node]) model = Nettack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device=device) model = model.to(device) model.attack(features, adj, labels, target_node, n_perturbations, verbose=False) modified_adj = model.modified_adj modified_features = model.modified_features attack_acc = test_attack(modified_adj, modified_features, target_node) if attack_acc == 0: attack_cnt += 1 defense_acc = test_defense(modified_adj, modified_features, target_node) if defense_acc == 1: defense_cnt += 1 print("Attacking node :", target_node, "Details :", degrees[target_node], modified_adj.sum(0).A1[target_node], attack_acc, defense_acc) print('Pure attack accuracy rate : %s' % ((num - attack_cnt)/num), flush=True) print('With Jaccard defense accuracy rate : %s' % (defense_cnt/num), flush=True) print("GCNJaccard threshold used :", args.threshold)
def build_mettack(adj=None, features=None, labels=None, idx_train=None, device=None): lambda_ = 0 # Setup Surrogate Model surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item() + 1, nhid=16, dropout=0.5, with_relu=False, with_bias=True, weight_decay=5e-4, device=device) surrogate = surrogate.to(device) surrogate.fit(features, adj, labels, idx_train) # print(torch.cuda.current_device()) print(f'{torch.cuda.device_count()} GPUs available') print('built surrogate') model = Metattack(model=surrogate, nnodes=adj.shape[0], feature_shape=features.shape, attack_structure=True, attack_features=False, device=device, lambda_=lambda_) print('built model') # if adj.shape[0] > 12000: # model = nn.DataParallel(model) model = model.to(device) print('to device') return model
def build_mettack(adj=None, features=None, labels=None, idx_train=None, device=None): lambda_ = 0 # Setup Surrogate Model surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item() + 1, nhid=16, dropout=0.5, with_relu=False, with_bias=True, weight_decay=5e-4, device=device) surrogate = surrogate.to(device) surrogate.fit(features, adj, labels, idx_train) model = Metattack(model=surrogate, nnodes=adj.shape[0], feature_shape=features.shape, attack_structure=True, attack_features=False, device=device, lambda_=lambda_) model = model.to(device) return model
def load_victim_model(data, model_name='gcn', device='cpu', file_path=None): assert model_name == 'gcn', 'Currently only support gcn as victim model...' if file_path is None: # file_path = f'results/saved_models/{data.name}/{model_name}_checkpoint' file_path = 'results/saved_models/{0}/{1}_checkpoint'.format( data.name, model_name) else: file_path = osp.join(file_path, '{}_checkpoint'.format(model_name)) # Setup victim model if osp.exists(file_path): victim_model = GCN(nfeat=data.features.shape[1], nclass=data.labels.max().item() + 1, nhid=16, dropout=0.5, weight_decay=5e-4, device=device) victim_model.load_state_dict(torch.load(file_path, map_location=device)) victim_model.to(device) victim_model.eval() return victim_model victim_model = train_victim_model(data=data, model_name=model_name, device=device, file_path=osp.dirname(file_path)) return victim_model
def select_nodes(target_gcn=None): ''' selecting nodes as reported in Nettack paper: (i) the 10 nodes with highest margin of classification, i.e. they are clearly correctly classified, (ii) the 10 nodes with lowest margin (but still correctly classified) and (iii) 20 more nodes randomly ''' if target_gcn is None: target_gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) target_gcn = target_gcn.to(device) target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) target_gcn.eval() output = target_gcn.predict() margin_dict = {} for idx in idx_test: margin = classification_margin(output[idx], labels[idx]) if margin < 0: # only keep the nodes correctly classified continue margin_dict[idx] = margin sorted_margins = sorted(margin_dict.items(), key=lambda x: x[1], reverse=True) high = [x for x, y in sorted_margins[: 10]] low = [x for x, y in sorted_margins[-10:]] other = [x for x, y in sorted_margins[10: -10]] other = np.random.choice(other, 20, replace=False).tolist() return high + low + other
def train_victim_model(data, model_name='gcn', file_path=None, device='cpu'): """Train the victim model (target classifer) and save the model Note that the attacker can only do black query to this model. """ if file_path is None: file_path = 'results/saved_models/%s/' % data.name adj, features, labels = data.adj, data.features, data.labels idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test nfeat = features.shape[1] adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False) # Setup victim model victim_model = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1, nhid=16, dropout=0.5, weight_decay=5e-4, device=device) adj = adj.to(device) features = features.to(device) labels = labels.to(device) victim_model = victim_model.to(device) victim_model.fit(features, adj, labels, idx_train, idx_val) # save the model if not osp.exists(file_path): os.system('mkdir -p %s' % file_path) torch.save(victim_model.state_dict(), osp.join(file_path, model_name + '_checkpoint')) victim_model.eval() return victim_model
def test(adj): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=args.hidden, nclass=labels.max().item() + 1, dropout=args.dropout, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) # train without model picking output = gcn.output.cpu() loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "loss= {:.4f}".format(loss_test.item()), "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def test(features, adj, target_node): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5) if args.cuda: gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() try: adj = normalize_adj_tensor(adj, sparse=True) except: adj = normalize_adj_tensor(adj) output = gcn(features, adj) probs = torch.exp(output[[target_node]])[0] print('probs: {}'.format(probs)) loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "loss= {:.4f}".format(loss_test.item()), "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def test(adj, features, target_node): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) if args.cuda: gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() output = gcn(gcn.features, gcn.adj_norm) probs = torch.exp(output[[target_node]])[0] print(f'probs: {probs.detach().cpu().numpy()}') loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "loss= {:.4f}".format(loss_test.item()), "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def build_minmax(adj=None, features=None, labels=None, idx_train=None, device=None): # Setup Victim Model victim_model = GCN(nfeat=features.shape[1], nclass=labels.max().item() + 1, nhid=8, dropout=0.5, weight_decay=5e-4, device=device) victim_model = victim_model.to(device) victim_model.fit(features, adj, labels, idx_train) return MinMax(model=victim_model, nnodes=adj.shape[0], loss_type='CE', device=device)
def test_attack(adj, features, target_node): ''' test on GCN after NETTACK poisoning attack''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() output = gcn.predict() probs = torch.exp(output[[target_node]]) acc_test = accuracy(output[[target_node]], [labels[target_node]]) return acc_test.item()
def test_given_adj(p_adj: sp.csr_matrix, p_feat: np.ndarray, p_label: np.ndarray, p_train_idx, p_val_idx, p_test_idx): """ Parameters: p_adj : csr_matrix """ use_gpu = t.cuda.is_available() adj = p_adj.A features = p_feat labels = p_label # surrogate model surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item() + 1, nhid=16, dropout=0, with_relu=True, with_bias=True, device='cuda:0').cuda() # train model surrogate.fit(features, adj, labels, p_train_idx, p_val_idx, patience=30) # test_model surrogate.test(p_test_idx) return surrogate
def single_test(adj, features, target_node): ''' test on GCN (poisoning attack)''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() output = gcn.predict() probs = torch.exp(output[[target_node]]) acc_test = accuracy(output[[target_node]], labels[target_node]) # print("Test set results:", "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def single_test(adj, features, target_node, gcn=None): if gcn is None: # test on GCN (poisoning attack) gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) gcn.eval() output = gcn.predict() else: # test on GCN (evasion attack) output = gcn.predict(features, adj) probs = torch.exp(output[[target_node]]) # acc_test = accuracy(output[[target_node]], labels[target_node]) acc_test = (output.argmax(1)[target_node] == labels[target_node]) return acc_test.item()
def test_GCN(): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train) gcn.eval() output = gcn.predict() acc_test = accuracy(output[idx_test], labels[idx_test]) print("GCN Test set results:", "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def test(adj, features, target_node): ''' test on GCN ''' gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) gcn.eval() output = gcn.predict() probs = torch.exp(output[[target_node]])[0] print('Target node probs: {}'.format(probs.detach().cpu().numpy())) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Overall test set results:", "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def main(): target_gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device, lr=0.01) target_gcn = target_gcn.to(device) target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) # target_gcn.fit(features, adj, labels, idx_train) print('=== testing GCN on clean graph ===') test(adj, target_gcn) # Setup Attack Model print('=== setup attack model ===') model = PGDAttack(model=target_gcn, nnodes=adj.shape[0], loss_type='CE', device=device) model = model.to(device) # model.attack(features, adj, labels, idx_train, perturbations, epochs=args.epochs) # Here for the labels we need to replace it with predicted ones fake_labels = target_gcn.predict(features.to(device), adj.to(device)) fake_labels = torch.argmax(fake_labels, 1).cpu() # Besides, we need to add the idx into the whole process idx_fake = np.concatenate([idx_train, idx_test]) idx_others = list(set(np.arange(len(labels))) - set(idx_train)) fake_labels = torch.cat([labels[idx_train], fake_labels[idx_others]]) model.attack(features, adj, fake_labels, idx_fake, perturbations, epochs=args.epochs) print('=== testing GCN on Evasion attack ===') modified_adj = model.modified_adj test(modified_adj, target_gcn) # modified_features = model.modified_features print('=== testing GCN on Poisoning attack ===') test(modified_adj)
def load_victim_model(data, model_name='gcn', device='cpu', file_path=None): """load_victim_model. Parameters ---------- data : deeprobust.graph.Dataset graph data model_name : str victime model name, e.g. ('gcn', 'deepwalk') But currently it only supports gcn as victim model. device : str 'cpu' or 'cuda' file_path : if given, the victim model will be loaded from this path. """ assert model_name == 'gcn', 'Currently only support gcn as victim model...' if file_path is None: # file_path = f'results/saved_models/{data.name}/{model_name}_checkpoint' file_path = 'results/saved_models/{0}/{1}_checkpoint'.format(data.name, model_name) else: file_path = osp.join(file_path, '{}_checkpoint'.format(model_name)) # Setup victim model if osp.exists(file_path): victim_model = GCN(nfeat=data.features.shape[1], nclass=data.labels.max().item()+1, nhid=16, dropout=0.5, weight_decay=5e-4, device=device) victim_model.load_state_dict(torch.load(file_path, map_location=device)) victim_model.to(device) victim_model.eval() return victim_model victim_model = train_victim_model(data=data, model_name=model_name, device=device, file_path=osp.dirname(file_path)) return victim_model
def test(adj): ''' test on GCN ''' # adj = normalize_adj_tensor(adj) gcn = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) optimizer = optim.Adam(gcn.parameters(), lr=0.01, weight_decay=5e-4) gcn.fit(features, adj, labels, idx_train) # train without model picking # gcn.fit(features, adj, labels, idx_train, idx_val) # train with validation model picking output = gcn.output loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "loss= {:.4f}".format(loss_test.item()), "accuracy= {:.4f}".format(acc_test.item())) return acc_test.item()
def test_gcn(adj, data, cuda, data_prep, nhid=16): ''' test on GCN ''' device = torch.device("cuda" if cuda else "cpu") features, labels, idx_train, idx_val, idx_test = data_prep(data, device) gcn = GCN(nfeat=features.shape[1], nhid=nhid, nclass=labels.max().item() + 1, dropout=0.5, device=device) gcn = gcn.to(device) optimizer = optim.Adam(gcn.parameters(), lr=0.01, weight_decay=5e-4) gcn.fit(features, adj, labels, idx_train) # train without model picking # gcn.fit(features, adj, labels, idx_train, idx_val) # train with validation model picking output = gcn.output loss_test = F.nll_loss(output[idx_test], labels[idx_test]) acc_test = accuracy(output[idx_test], labels[idx_test]) return acc_test.item()
# make sure you use the same data splits as you generated attacks np.random.seed(args.seed) if args.cuda: torch.cuda.manual_seed(args.seed) # load original dataset (to get clean features and labels) data = Dataset(root='/tmp/', name=args.dataset) adj, features, labels = data.adj, data.features, data.labels idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test # Setup Target Model model = GCN(nfeat=features.shape[1], nclass=labels.max() + 1, nhid=16, dropout=0, with_relu=False, with_bias=True, device=device) model = model.to(device) # test on original adj print('=== test on original adj ===') model.fit(features, adj, labels, idx_train) output = model.output acc_test = accuracy(output[idx_test], labels[idx_test]) print("Test set results:", "accuracy= {:.4f}".format(acc_test.item())) print('=== Adversarial Training for Evasion Attack===') adversary = Random()
print('==================') print('=== load graph perturbed by Zugner metattack (under seed 15) ===') perturbed_data = PrePtbDataset(root='/tmp/', name=args.dataset, attack_method='meta', ptb_rate=args.ptb_rate) perturbed_adj = perturbed_data.adj np.random.seed(args.seed) torch.manual_seed(args.seed) if args.cuda: torch.cuda.manual_seed(args.seed) # Setup GCN Model model = GCN(nfeat=features.shape[1], nhid=16, nclass=labels.max() + 1, device=device) model = model.to(device) model.fit(features, perturbed_adj, labels, idx_train, train_iters=200, verbose=True) # # using validation to pick model # model.fit(features, perturbed_adj, labels, idx_train, idx_val, train_iters=200, verbose=True) model.eval() # You can use the inner function of model to test model.test(idx_test)
np.random.seed(args.seed) torch.manual_seed(args.seed) if args.cuda: torch.cuda.manual_seed(args.seed) data = Dataset(root='/tmp/', name=args.dataset) adj, features, labels = data.adj, data.features, data.labels idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test idx_unlabeled = np.union1d(idx_val, idx_test) # Setup Surrogate model surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item() + 1, nhid=16, dropout=0, with_relu=False, with_bias=False, device=device) surrogate = surrogate.to(device) surrogate.fit(features, adj, labels, idx_train) # Setup Attack Model target_node = 0 assert target_node in idx_unlabeled model = IGAttack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True,
print('cuda: %s' % args.cuda) device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu") np.random.seed(args.seed) torch.manual_seed(args.seed) if args.cuda: torch.cuda.manual_seed(args.seed) data = Dataset(root='/tmp/', name=args.dataset) adj, features, labels = data.adj, data.features, data.labels idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test idx_unlabeled = np.union1d(idx_val, idx_test) # Setup Surrogate model surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1, nhid=16, device=device) surrogate = surrogate.to(device) surrogate.fit(features, adj, labels, idx_train, idx_val) # Setup Attack Model target_node = 0 assert target_node in idx_unlabeled model = IGAttack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device=device) model = model.to(device) def main(): degrees = adj.sum(0).A1 # How many perturbations to perform. Default: Degree of the node n_perturbations = int(degrees[target_node])
if args.attack == 'meta' or args.attack == 'nettack': perturbed_data = PrePtbDataset(root='/tmp/', name=args.dataset, attack_method=args.attack, ptb_rate=args.ptb_rate) perturbed_adj = perturbed_data.adj if args.attack == 'nettack': idx_test = perturbed_data.target_nodes np.random.seed(args.seed) torch.manual_seed(args.seed) model = GCN(nfeat=features.shape[1], nhid=args.hidden, nclass=labels.max().item() + 1, dropout=args.dropout, device=device) if args.only_gcn: perturbed_adj, features, labels = preprocess(perturbed_adj, features, labels, preprocess_adj=False, sparse=True, device=device) model.fit(features, perturbed_adj, labels, idx_train, idx_val,
attacker = Random() n_perturbations = int(args.ptb_rate * (adj.sum() // 2)) perturbed_adj = attacker.attack(adj, n_perturbations, type='add') if args.attack == 'meta' or args.attack == 'nettack': perturbed_data = PrePtbDataset(root='/tmp/', name=args.dataset, attack_method=args.attack, ptb_rate=args.ptb_rate) perturbed_adj = perturbed_data.adj if args.attack == 'nettack': idx_test = perturbed_data.target_nodes np.random.seed(args.seed) torch.manual_seed(args.seed) model = GCN(nfeat=features.shape[1], nhid=args.hidden, nclass=labels.max().item() + 1, dropout=args.dropout, device=device) perturbed_adj, features, labels = preprocess(perturbed_adj, features, labels, preprocess_adj=False, device=device) prognn = ProGNN(model, args, device) prognn.fit(features, perturbed_adj, labels, idx_train, idx_val) prognn.test(features, labels, idx_test)
data = Dataset(root='/tmp/', name=args.dataset, setting='nettack') adj, features, labels = data.adj, data.features, data.labels # features = normalize_feature(features) idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test idx_unlabeled = np.union1d(idx_val, idx_test) perturbations = int(args.ptb_rate * (adj.sum() // 2)) adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False) # Setup Victim Model victim_model = GCN(nfeat=features.shape[1], nclass=labels.max().item() + 1, nhid=16, dropout=0.5, weight_decay=5e-4, device=device) victim_model = victim_model.to(device) victim_model.fit(features, adj, labels, idx_train) # Setup Attack Model model = PGDAttack(model=victim_model, nnodes=adj.shape[0], loss_type='CE', device=device) model = model.to(device)