def attackVictim(attack, approach, print_answer, attacked_node, y_target, node_num):
device = attack.device
dataset = attack.dataset
neighbours_and_dist = kBFS(root=attacked_node, device=device, reversed_arr_list=dataset.reversed_arr_list,
K=attack.num_layers)
if neighbours_and_dist.nelement():
neighbours_and_dist = manipulateNeighborhood(attack=attack, approach=approach, attacked_node=attacked_node,
neighbours_and_dist=neighbours_and_dist, device=device)
attack_log = 'Attack: {:03d}, Node: {}, BFS clique: {}'.format(node_num, attacked_node.item(),
neighbours_and_dist.shape[0] + 1)
else:
attack_log = 'Attack: {:03d}, Node: {} is a solo node'.format(node_num, attacked_node.item())
# in adversarial mode add #Epoch
if attack.mode.isAdversarial():
attack_log = 'Adv Epoch: {:03d}, '.format(attack.idx) + attack_log
# special cases of solo node and duo node for double
BFS_size = neighbours_and_dist.shape[0]
if not neighbours_and_dist.nelement():
if print_answer is Print.YES:
print(attack_log, flush=True)
return None
if approach is NodeApproach.TWO_ATTACKERS and BFS_size == 1:
if print_answer is Print.YES:
print(attack_log + ': Too small for two attackers', flush=True)
return None
if print_answer is Print.YES:
print(attack_log, flush=True)
malicious_node = approach.getMaliciousNode(attack=attack, attacked_node=attacked_node, y_target=y_target,
node_num=node_num, neighbours_and_dist=neighbours_and_dist,
BFS_size=BFS_size)
# calculates the malicious node for the irregular approach of agree
if approach is NodeApproach.AGREE:
print()
malicious_node_heuristic = heuristicApproach(reversed_arr_list=attack.dataset.reversed_arr_list,
neighbours_and_dist=neighbours_and_dist,
device=attack.device)
malicious_node_gradient = gradientApproach(attack=attack, attacked_node=attacked_node, y_target=y_target,
node_num=node_num, neighbours_and_dist=neighbours_and_dist,
approach=approach)
attack_results = torch.zeros(1, 2)
attack_results[0][0] = malicious_node_heuristic == malicious_node_gradient
return attack_results
if malicious_node is None:
quit("Node approach doesnt exist")
attack_results = attackTrainer(attack=attack, approach=approach, model=attack.model_wrapper.model,
print_answer=print_answer, attacked_nodes=attacked_node, y_targets=y_target,
malicious_nodes=malicious_node, node_num=node_num,
attack_epochs=attack.attack_epochs, lr=attack.lr)
return attack_results
def edgeAttackVictim(attack, approach: Approach, print_flag: bool, attacked_node: torch.Tensor, y_target: torch.Tensor,
node_num: int) -> torch.Tensor:
"""
chooses the edge we attack with from our pool of possible edges.
the pool of possible edges changes per approach
this BFS environments is also calculated according to our selected approach
lastly, we attack using attackTrainer
important note: the victim node is already known (attacked node)
Parameters
----------
attack: oneGNNAttack
approach: Approach
print_flag: bool - whether to print every iteration or not
attacked_node: torch.Tensor - the victim node
y_target: torch.Tensor - the target label of the attack
node_num: int - the index of the attacked/victim node (out of the train/val/test-set)
Returns
-------
attack_result: torch.Tensor
"""
device = attack.device
dataset = attack.getDataset()
data = dataset.data
model = attack.model_wrapper.model
targeted = attack.targeted
end_log_template = ', Attack Success: {}'
neighbours_and_dist = kBFS(root=attacked_node, device=device, reversed_arr_list=dataset.reversed_arr_list,
K=model.num_layers - 1)
if not neighbours_and_dist.nelement():
if print_flag:
print('Attack: {:03d}, Node: {} is a solo node'.format(node_num, attacked_node.item()), flush=True)
return None
malicious_indices = neighbours_and_dist[:, 0]
if print_flag:
print('Attack: {:03d}, Node: {}'.format(node_num, attacked_node.item()), flush=True, end='')
# according to our approach choose the edge we wish to flip
if approach is EdgeApproach.RANDOM:
# select a random node on the graph and - malicious index
# select a random node from our BFS of distance K-1 - attacked node
# use flipEdge
malicious_index = np.random.choice(data.num_nodes, 1).item()
new_attacked_node_index = np.random.choice(malicious_indices.shape[0] + 1, 1).item()
if new_attacked_node_index == malicious_indices.shape[0]:
new_attacked_node = attacked_node
else:
new_attacked_node = torch.tensor([malicious_indices[new_attacked_node_index].item()]).to(device)
flipEdge(model=model, attacked_node=new_attacked_node, malicious_index=malicious_index, device=device)
attack_results = test(data=data, model=model, targeted=targeted, attacked_nodes=new_attacked_node,
y_targets=y_target)
if print_flag:
print(end_log_template.format(attack_results[3]), flush=True)
else:
# EdgeApproach.SINGLE
# select a random node on the graph - malicious index
# Add all possible edges between the malicious index and the BFS of distance K-1
# calculate the edge with the largest gradient and flip it, using edgeTrainer
#
# EdgeApproach.GRAD_CHOICE
# Add all possible edges between all possible nodes and the BFS of distance K-1
# calculate the edge with the largest gradient and flip it, using edgeTrainer
malicious_index = model.expandEdgesByMalicious(dataset=dataset, approach=approach, attacked_node=attacked_node,
neighbours=malicious_indices, device=device)
attack_results = edgeTrainer(data=data, approach=approach, targeted=targeted, model=model,
attacked_node=attacked_node, y_target=y_target, node_num=node_num,
malicious_index=malicious_index, device=device, print_flag=print_flag,
end_log_template=end_log_template)
if attack_results is None:
print("Node approach doesnt exist", flush=True)
quit()
return attack_results[3]
def edgeAttackVictim(attack, approach, print_flag, attacked_node, y_target,
node_num):
device = attack.device
dataset = attack.dataset
data = dataset.data
model = attack.model_wrapper.model
targeted = attack.targeted
neighbours_and_dist = kBFS(root=attacked_node,
device=device,
reversed_arr_list=dataset.reversed_arr_list,
K=model.num_layers - 1)
if not neighbours_and_dist.nelement():
if print_flag:
print('Attack: {:03d}, Node: {} is a solo node'.format(
node_num, attacked_node.item()),
flush=True)
return None
malicious_indices = neighbours_and_dist[:, 0]
if print_flag:
print('Attack: {:03d}, Node: {}'.format(node_num,
attacked_node.item()),
flush=True,
end='')
attack_results = None
# according to our approach choose the edge we wish to flip
if approach is EdgeApproach.RANDOM:
# select a random node on the graph and - malicious index
# select a random node from our BFS of distance K-1 - attacked node
# use flipEdge
malicious_index = np.random.choice(data.num_nodes, 1).item()
new_attacked_node_index = np.random.choice(
malicious_indices.shape[0] + 1, 1).item()
if new_attacked_node_index == malicious_indices.shape[0]:
new_attacked_node = attacked_node
else:
new_attacked_node = torch.tensor(
[malicious_indices[new_attacked_node_index].item()]).to(device)
flipEdge(model=model,
attacked_node=new_attacked_node,
malicious_index=malicious_index,
device=device)
attack_results = test(data=data,
model=model,
targeted=targeted,
attacked_nodes=new_attacked_node,
y_targets=y_target)
if approach is EdgeApproach.GRAD:
# select a random node on the graph and - malicious index
# Add all possible edges between the malicious index and the BFS of distance K-1
# calculate the edge with the largest gradient and flip it, using edgeTrainer
malicious_index = np.random.choice(data.num_nodes, 1).item()
expansion_mode = {"full": False, "malicious_index": malicious_index}
model.expandEdges(dataset=dataset,
attacked_node=attacked_node,
neighbours=malicious_indices,
device=device,
expansion_mode=expansion_mode)
model = edgeTrainer(targeted=targeted,
model=model,
attacked_node=attacked_node,
y_target=y_target,
device=device)
attack_results = test(data=data,
model=model,
targeted=targeted,
attacked_nodes=attacked_node,
y_targets=y_target)
if approach is EdgeApproach.GLOBAL_GRAD:
# Add all possible edges between all possible nodes and the BFS of distance K-1
# calculate the edge with the largest gradient and flip it, using edgeTrainer
expansion_mode = {"full": True}
model.expandEdges(dataset=dataset,
attacked_node=attacked_node,
neighbours=malicious_indices,
device=device,
expansion_mode=expansion_mode)
model = edgeTrainer(targeted=targeted,
model=model,
attacked_node=attacked_node,
y_target=y_target,
device=device)
attack_results = test(data=data,
model=model,
targeted=targeted,
attacked_nodes=attacked_node,
y_targets=y_target)
if attack_results is None:
print("Node approach doesnt exist")
quit()
if print_flag:
print(', Defense Success: {}'.format(not attack_results[3]))
return attack_results[3]
def attackVictim(attack, approach: Approach, attacked_node: torch.Tensor, y_target: torch.Tensor, node_num: int)\
-> torch.Tensor:
"""
chooses the node we attack with (the malicious node) from our BFS environment
this BFS environments is also calculated according to our selected approach
lastly, we attack using attackTrainer
important note: the victim node is already known (attacked node)
Parameters
----------
attack: oneGNNAttack
approach: Approach
attacked_node: torch.Tensor - the victim node
y_target: torch.Tensor - the target label of the attack
node_num: int - the index of the attacked/victim node (out of the train/val/test-set)
Returns
-------
attack_results: torch.Tensor - 2d-tensor that includes
1st-col - the defence
2nd-col - the number of attributes used
if the number of attributes is 0 the node is misclassified to begin with
"""
device = attack.device
dataset = attack.getDataset()
print_answer = attack.print_answer
neighbours_and_dist = kBFS(root=attacked_node, device=device, reversed_arr_list=dataset.reversed_arr_list,
K=attack.num_layers)
if neighbours_and_dist.nelement():
neighbours_and_dist = manipulateNeighborhood(attack=attack, approach=approach, attacked_node=attacked_node,
neighbours_and_dist=neighbours_and_dist, device=device)
attack_log = 'Attack: {:03d}, Node: {}, BFS clique: {}'.format(node_num, attacked_node.item(),
neighbours_and_dist.shape[0] + 1)
else:
attack_log = 'Attack: {:03d}, Node: {} is a solo node'.format(node_num, attacked_node.item())
# in adversarial mode add #Epoch
if attack.mode.isAdversarial():
attack_log = 'Adv Epoch: {:03d}, '.format(attack.idx) + attack_log
# special cases of solo node and duo node for double
BFS_size = neighbours_and_dist.shape[0]
if not neighbours_and_dist.nelement():
if print_answer is Print.YES:
print(attack_log, flush=True)
return None
if print_answer is Print.YES:
print(attack_log, end='', flush=True)
if approach is not NodeApproach.MULTIPLE_ATTACKERS:
print()
malicious_node, attack = approach.getMaliciousNode(attack=attack, attacked_node=attacked_node, y_target=y_target,
node_num=node_num, neighbours_and_dist=neighbours_and_dist,
BFS_size=BFS_size)
# calculates the malicious node for the irregular approaches
if approach is NodeApproach.AGREE:
print()
malicious_node_heuristic = heuristicApproach(reversed_arr_list=dataset.reversed_arr_list,
neighbours_and_dist=neighbours_and_dist,
device=attack.device)
malicious_node_gradient = gradientApproach(attack=attack, attacked_node=attacked_node, y_target=y_target,
node_num=node_num, neighbours_and_dist=neighbours_and_dist)
attack_results = torch.zeros(1, 2)
attack_results[0][0] = malicious_node_heuristic == malicious_node_gradient # in attackSet we change to equal
return attack_results
if approach is NodeApproach.ZERO_FEATURES:
model = attack.model_wrapper.model
data = dataset.data
zero_model = copy.deepcopy(model)
# train
zero_model.node_attribute_list[malicious_node][:] = 0
# test correctness
changed_attributes = (zero_model.getInput() != model.getInput())[malicious_node].sum().item()
# test
results = test(data=data, model=zero_model, targeted=attack.targeted,
attacked_nodes=attacked_node, y_targets=y_target)
log_template = createLogTemplate(attack=attack, dataset=dataset) + ', Attack Success: {}\n'
if dataset.type is DatasetType.DISCRETE:
print(log_template.format(node_num, 1, changed_attributes, *results), flush=True)
if dataset.type is DatasetType.CONTINUOUS:
print(log_template.format(node_num, 1, *results), flush=True)
attack_results = torch.tensor([[results[3], changed_attributes]])
return attack_results
if approach is NodeApproach.MULTIPLE_ATTACKERS:
if malicious_node is None:
if print_answer is Print.YES:
print(f': Too small for {attack.num_of_attackers} attackers\n', flush=True)
return None
else:
print()
if approach is NodeApproach.INJECTION:
dataset = attack.getDataset()
classified_to_target = checkNodeClassification(attack=attack, dataset=dataset,
attacked_node=attacked_node, y_target=y_target,
print_answer=Print.NO, attack_num=node_num + 1)
if not classified_to_target:
print("misclassified right after injection!\n", flush=True)
attack.model_wrapper.model.removeInjectedNode(attack=attack)
return torch.tensor([[1, 0]])
attack_results = attackTrainer(attack=attack, attacked_nodes=attacked_node, y_targets=y_target,
malicious_nodes=malicious_node, node_num=node_num)
if approach is NodeApproach.INJECTION:
attack.model_wrapper.model.removeInjectedNode(attack=attack)
return attack_results