def test(adj, features, target_node):
''' test on GCN '''
gcn = GCN(nfeat=features.shape[1],
nhid=16,
nclass=labels.max().item() + 1,
dropout=0.5, device=device)
gcn = gcn.to(device)
gcn.fit(features, adj, labels, idx_train, idx_val, patience=30)
gcn.eval()
output = gcn.predict()
probs = torch.exp(output[[target_node]])[0]
print('Target node probs: {}'.format(probs.detach().cpu().numpy()))
acc_test = accuracy(output[idx_test], labels[idx_test])
print("Overall test set results:",
"accuracy= {:.4f}".format(acc_test.item()))
return acc_test.item()
def single_test(adj, features, target_node, gcn=None):
if gcn is None:
# test on GCN (poisoning attack)
gcn = GCN(nfeat=features.shape[1],
nhid=16,
nclass=labels.max().item() + 1,
dropout=0.5, device=device)
gcn = gcn.to(device)
gcn.fit(features, adj, labels, idx_train, idx_val, patience=30)
gcn.eval()
output = gcn.predict()
else:
# test on GCN (evasion attack)
output = gcn.predict(features, adj)
probs = torch.exp(output[[target_node]])
# acc_test = accuracy(output[[target_node]], labels[target_node])
acc_test = (output.argmax(1)[target_node] == labels[target_node])
return acc_test.item()
def test(adj):
''' test on GCN '''
# adj = normalize_adj_tensor(adj)
gcn = GCN(nfeat=features.shape[1],
nhid=16,
nclass=labels.max().item() + 1,
dropout=0.5,
device=device)
gcn = gcn.to(device)
optimizer = optim.Adam(gcn.parameters(), lr=0.01, weight_decay=5e-4)
gcn.fit(features, adj, labels, idx_train) # train without model picking
# gcn.fit(features, adj, labels, idx_train, idx_val) # train with validation model picking
output = gcn.output
loss_test = F.nll_loss(output[idx_test], labels[idx_test])
acc_test = accuracy(output[idx_test], labels[idx_test])
print("Test set results:", "loss= {:.4f}".format(loss_test.item()),
"accuracy= {:.4f}".format(acc_test.item()))
return acc_test.item()
def test_gcn(adj, data, cuda, data_prep, nhid=16):
''' test on GCN '''
device = torch.device("cuda" if cuda else "cpu")
features, labels, idx_train, idx_val, idx_test = data_prep(data, device)
gcn = GCN(nfeat=features.shape[1],
nhid=nhid,
nclass=labels.max().item() + 1,
dropout=0.5,
device=device)
gcn = gcn.to(device)
optimizer = optim.Adam(gcn.parameters(), lr=0.01, weight_decay=5e-4)
gcn.fit(features, adj, labels, idx_train) # train without model picking
# gcn.fit(features, adj, labels, idx_train, idx_val) # train with validation model picking
output = gcn.output
loss_test = F.nll_loss(output[idx_test], labels[idx_test])
acc_test = accuracy(output[idx_test], labels[idx_test])
return acc_test.item()
def test(adj, features, target_node):
''' test on GCN '''
gcn = GCN(nfeat=features.shape[1],
nhid=16,
nclass=labels.max().item() + 1,
dropout=0.5, device=device)
gcn = gcn.to(device)
gcn.fit(features, adj, labels, idx_train)
gcn.eval()
output = gcn.predict()
probs = torch.exp(output[[target_node]])[0]
print('probs: {probs.detach().cpu().numpy()}')
labels_tensor = torch.LongTensor(labels).to(device)
loss_test = F.nll_loss(output[idx_test], labels_tensor[idx_test])
acc_test = accuracy(output[idx_test], labels_tensor[idx_test])
print("Test set results:",
"loss= {:.4f}".format(loss_test.item()),
"accuracy= {:.4f}".format(acc_test.item()))
return acc_test.item()
def train_victim_model(data, model_name='gcn', file_path=None, device='cpu'):
''' Train the victim model (target classifer) and save the model
Note that the attacker can only do black query to this model '''
if file_path is None:
file_path = 'results/saved_models/%s/' % data.name
adj, features, labels = data.adj, data.features, data.labels
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
nfeat = features.shape[1]
adj, features, labels = preprocess(adj,
features,
labels,
preprocess_adj=False)
# Setup victim model
victim_model = GCN(nfeat=features.shape[1],
nclass=labels.max().item() + 1,
nhid=16,
dropout=0.5,
weight_decay=5e-4,
device=device)
adj = adj.to(device)
features = features.to(device)
labels = labels.to(device)
victim_model = victim_model.to(device)
victim_model.fit(features, adj, labels, idx_train, idx_val)
# save the model
if not osp.exists(file_path):
os.system('mkdir -p %s' % file_path)
torch.save(victim_model.state_dict(),
osp.join(file_path, model_name + '_checkpoint'))
victim_model.eval()
return victim_model
def load_victim_model(data, model_name='gcn', device='cpu', file_path=None):
"""load_victim_model.
Parameters
----------
data : deeprobust.graph.Dataset
graph data
model_name : str
victime model name, e.g. ('gcn', 'deepwalk') But currently it only
supports gcn as victim model.
device : str
'cpu' or 'cuda'
file_path :
if given, the victim model will be loaded from this path.
"""
assert model_name == 'gcn', 'Currently only support gcn as victim model...'
if file_path is None:
# file_path = f'results/saved_models/{data.name}/{model_name}_checkpoint'
file_path = 'results/saved_models/{0}/{1}_checkpoint'.format(data.name, model_name)
else:
file_path = osp.join(file_path, '{}_checkpoint'.format(model_name))
# Setup victim model
if osp.exists(file_path):
victim_model = GCN(nfeat=data.features.shape[1], nclass=data.labels.max().item()+1,
nhid=16, dropout=0.5, weight_decay=5e-4, device=device)
victim_model.load_state_dict(torch.load(file_path, map_location=device))
victim_model.to(device)
victim_model.eval()
return victim_model
victim_model = train_victim_model(data=data, model_name=model_name,
device=device, file_path=osp.dirname(file_path))
return victim_model
attacker = Random()
n_perturbations = int(args.ptb_rate * (adj.sum() // 2))
perturbed_adj = attacker.attack(adj, n_perturbations, type='add')
if args.attack == 'meta' or args.attack == 'nettack':
perturbed_data = PrePtbDataset(root='/tmp/',
name=args.dataset,
attack_method=args.attack,
ptb_rate=args.ptb_rate)
perturbed_adj = perturbed_data.adj
if args.attack == 'nettack':
idx_test = perturbed_data.target_nodes
np.random.seed(args.seed)
torch.manual_seed(args.seed)
model = GCN(nfeat=features.shape[1],
nhid=args.hidden,
nclass=labels.max().item() + 1,
dropout=args.dropout,
device=device)
perturbed_adj, features, labels = preprocess(perturbed_adj,
features,
labels,
preprocess_adj=False,
device=device)
prognn = ProGNN(model, args, device)
prognn.fit(features, perturbed_adj, labels, idx_train, idx_val)
prognn.test(features, labels, idx_test)
# make sure you use the same data splits as you generated attacks
np.random.seed(args.seed)
if args.cuda:
torch.cuda.manual_seed(args.seed)
# load original dataset (to get clean features and labels)
data = Dataset(root='/tmp/', name=args.dataset)
adj, features, labels = data.adj, data.features, data.labels
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
# Setup Target Model
model = GCN(nfeat=features.shape[1],
nclass=labels.max() + 1,
nhid=16,
dropout=0,
with_relu=False,
with_bias=True,
device=device)
model = model.to(device)
# test on original adj
print('=== test on original adj ===')
model.fit(features, adj, labels, idx_train)
output = model.output
acc_test = accuracy(output[idx_test], labels[idx_test])
print("Test set results:", "accuracy= {:.4f}".format(acc_test.item()))
print('=== Adversarial Training for Evasion Attack===')
adversary = Random()
torch.cuda.manual_seed(args.seed)
# load original dataset (to get clean features and labels)
data = Dataset(root='/tmp/', name=args.dataset)
adj, features, labels = data.adj, data.features, data.labels
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
# load pre-attacked graph
perturbed_data = PtbDataset(root='/tmp/', name=args.dataset)
perturbed_adj = perturbed_data.adj
# Setup Target Model
model = GCN(nfeat=features.shape[1],
nclass=labels.max() + 1,
nhid=16,
dropout=0,
with_relu=False,
with_bias=True,
device=device)
model = model.to(device)
adversary = Random()
# test on original adj
print('=== test on original adj ===')
model.fit(features, adj, labels, idx_train)
output = model.output
acc_test = accuracy(output[idx_test], labels[idx_test])
print("Test set results:", "accuracy= {:.4f}".format(acc_test.item()))
print('=== testing GCN on perturbed graph ===')
print('==================')
print('=== load graph perturbed by Zugner metattack (under seed 15) ===')
perturbed_data = PrePtbDataset(root='/tmp/',
name=args.dataset,
attack_method='meta',
ptb_rate=args.ptb_rate)
perturbed_adj = perturbed_data.adj
np.random.seed(args.seed)
torch.manual_seed(args.seed)
if args.cuda:
torch.cuda.manual_seed(args.seed)
# Setup GCN Model
model = GCN(nfeat=features.shape[1],
nhid=16,
nclass=labels.max() + 1,
device=device)
model = model.to(device)
model.fit(features,
perturbed_adj,
labels,
idx_train,
train_iters=200,
verbose=True)
# # using validation to pick model
# model.fit(features, perturbed_adj, labels, idx_train, idx_val, train_iters=200, verbose=True)
model.eval()
# You can use the inner function of model to test
model.test(idx_test)
print('cuda: %s' % args.cuda)
device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
np.random.seed(args.seed)
torch.manual_seed(args.seed)
if args.cuda:
torch.cuda.manual_seed(args.seed)
data = Dataset(root='/tmp/', name=args.dataset)
adj, features, labels = data.adj, data.features, data.labels
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
idx_unlabeled = np.union1d(idx_val, idx_test)
# Setup Surrogate model
surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
nhid=16, device=device)
surrogate = surrogate.to(device)
surrogate.fit(features, adj, labels, idx_train, idx_val)
# Setup Attack Model
target_node = 0
assert target_node in idx_unlabeled
model = IGAttack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device=device)
model = model.to(device)
def main():
degrees = adj.sum(0).A1
# How many perturbations to perform. Default: Degree of the node
n_perturbations = int(degrees[target_node])
if device != 'cpu':
torch.cuda.manual_seed(args.seed)
data = Dataset(root='/tmp/', name=args.dataset, setting='nettack')
adj, features, labels = data.adj, data.features, data.labels
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
idx_unlabeled = np.union1d(idx_val, idx_test)
perturbations = int(args.ptb_rate * (adj.sum() // 2))
adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False)
# Setup Surrogate Model
surrogate = GCN(nfeat=features.shape[1],
nclass=labels.max().item() + 1,
nhid=16,
dropout=0.5,
with_relu=False,
with_bias=True,
weight_decay=5e-4,
device=device)
surrogate = surrogate.to(device)
surrogate.fit(features, adj, labels, idx_train)
# Setup Attack Model
if 'Self' in args.model:
lambda_ = 0
if 'Train' in args.model:
lambda_ = 1
if 'Both' in args.model:
lambda_ = 0.5
data = Dataset(root='/tmp/', name=args.dataset, setting='nettack')
adj, features, labels = data.adj, data.features, data.labels
# features = normalize_feature(features)
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
idx_unlabeled = np.union1d(idx_val, idx_test)
perturbations = int(args.ptb_rate * (adj.sum() // 2))
adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False)
# Setup Victim Model
victim_model = GCN(nfeat=features.shape[1],
nclass=labels.max().item() + 1,
nhid=16,
dropout=0.5,
weight_decay=5e-4,
device=device)
victim_model = victim_model.to(device)
victim_model.fit(features, adj, labels, idx_train)
# Setup Attack Model
model = PGDAttack(model=victim_model,
nnodes=adj.shape[0],
loss_type='CE',
device=device)
model = model.to(device)
# data = Dataset(root='{}/'.format(opts.data_path_graphRobust), name='cora')
# adj, features, labels = data.adj, data.features, data.labels
# idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
# idx_unlabeled = np.union1d(idx_val, idx_test)
'''edit 2021/4/22 random_choose 20 node from each class as the train and validation samples '''
idx_train, idx_val, idx_test = random_select_train_test(labels,
20,
p_rand_seed=rand_seed)
idx_unlabeled = np.union1d(idx_val, idx_test)
# Setup Surrogate model
surrogate = GCN(nfeat=features.shape[1],
nclass=labels.max().item() + 1,
nhid=16,
dropout=0,
with_relu=False,
with_bias=False,
device='cpu').cpu()
surrogate.fit(features,
adj,
labels,
idx_train,
idx_val,
patience=30,
verbose=True)
# Setup Attack Model
model = Metattack(surrogate,
nnodes=adj.shape[0],
feature_shape=features.shape,
attack_structure=True,
# data = Dataset(root='{}/'.format(opts.data_path_graphRobust), name='cora')
# adj, features, labels = data.adj, data.features, data.labels
# idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
# idx_unlabeled = np.union1d(idx_val, idx_test)
'''edit 2021/4/22 random_choose 20 node from each class as the train and validation samples '''
idx_train, idx_val, idx_test = random_select_train_test(labels,
20,
p_rand_seed=rand_seed)
idx_unlabeled = np.union1d(idx_val, idx_test)
# surrogate model
surrogate = GCN(nfeat=features.shape[1],
nclass=labels.max().item() + 1,
nhid=16,
dropout=0,
with_relu=True,
with_bias=True,
device='cuda:0').cuda()
# train model
surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30)
def test_acc(adj, features, target_node):
''' test on GCN '''
gcn = GCN(nfeat=features.shape[1],
nhid=16,
nclass=labels.max().item() + 1,
dropout=0.5,
device=device)
