|
|
Introduction to Graph Attack with Examples |
|
|
======================= |
|
|
In this section, we introduce the graph attack algorithms provided |
|
|
in DeepRobust. Speficailly, they can be divied into two types: |
|
|
(1) targeted attack :class:`deeprobust.graph.targeted_attack` and |
|
|
(2) global attack :class:`deeprobust.graph.global_attack`. |
|
|
|
|
|
.. contents:: |
|
|
:local: |
|
|
|
|
|
|
|
|
Global (Untargeted) Attack for Node Classification |
|
|
----------------------- |
|
|
Global (untargeted) attack aims to fool GNNs into giving wrong predictions on all |
|
|
given nodes. Specifically, DeepRobust provides the following targeted |
|
|
attack algorithms: |
|
|
|
|
|
- :class:`deeprobust.graph.global_attack.Metattack` |
|
|
- :class:`deeprobust.graph.global_attack.MetaApprox` |
|
|
- :class:`deeprobust.graph.global_attack.DICE` |
|
|
- :class:`deeprobust.graph.global_attack.MinMax` |
|
|
- :class:`deeprobust.graph.global_attack.PGDAttack` |
|
|
- :class:`deeprobust.graph.global_attack.NIPA` |
|
|
- :class:`deeprobust.graph.global_attack.Random` |
|
|
- :class:`deeprobust.graph.global_attack.NodeEmbeddingAttack` |
|
|
- :class:`deeprobust.graph.global_attack.OtherNodeEmbeddingAttack` |
|
|
|
|
|
All the above attacks except `NodeEmbeddingAttack` and `OtherNodeEmbeddingAttack` (see details |
|
|
`here <https://deeprobust.readthedocs.io/en/latest/graph/node_embedding.html>`_ ) |
|
|
take the adjacency matrix, node feature matrix and labels as input. Usually, the adjacency |
|
|
matrix is in the format of :obj:`scipy.sparse.csr_matrix` and feature matrix can either be |
|
|
:obj:`scipy.sparse.csr_matrix` or :obj:`numpy.array`. The attack algorithm |
|
|
will then transfer them into :obj:`torch.tensor` inside the class. It is also fine if you |
|
|
provide :obj:`torch.tensor` as input, since the algorithm can automatically deal with it. |
|
|
Now let's take a look at an example: |
|
|
|
|
|
.. code-block:: python |
|
|
|
|
|
import numpy as np |
|
|
from deeprobust.graph.data import Dataset |
|
|
from deeprobust.graph.defense import GCN |
|
|
from deeprobust.graph.global_attack import Metattack |
|
|
data = Dataset(root='/tmp/', name='cora') |
|
|
adj, features, labels = data.adj, data.features, data.labels |
|
|
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test |
|
|
idx_unlabeled = np.union1d(idx_val, idx_test) |
|
|
idx_unlabeled = np.union1d(idx_val, idx_test) |
|
|
# Setup Surrogate model |
|
|
surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1, |
|
|
nhid=16, dropout=0, with_relu=False, with_bias=False, device='cpu').to('cpu') |
|
|
surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30) |
|
|
# Setup Attack Model |
|
|
model = Metattack(surrogate, nnodes=adj.shape[0], feature_shape=features.shape, |
|
|
attack_structure=True, attack_features=False, device='cpu', lambda_=0).to('cpu') |
|
|
# Attack |
|
|
model.attack(features, adj, labels, idx_train, idx_unlabeled, n_perturbations=10, ll_constraint=False) |
|
|
modified_adj = model.modified_adj # modified_adj is a torch.tensor |
|
|
|
|
|
|
|
|
Targeted Attack for Node Classification |
|
|
----------------------- |
|
|
Targeted attack aims to fool GNNs into give wrong predictions on a |
|
|
subset of nodes. Specifically, DeepRobust provides the following targeted |
|
|
attack algorithms: |
|
|
|
|
|
- :class:`deeprobust.graph.targeted_attack.Nettack` |
|
|
- :class:`deeprobust.graph.targeted_attack.RLS2V` |
|
|
- :class:`deeprobust.graph.targeted_attack.FGA` |
|
|
- :class:`deeprobust.graph.targeted_attack.RND` |
|
|
- :class:`deeprobust.graph.targeted_attack.IGAttack` |
|
|
|
|
|
All the above attacks take the adjacency matrix, node feature matrix and labels as input. |
|
|
Usually, the adjacency matrix is in the format of :obj:`scipy.sparse.csr_matrix` and feature |
|
|
matrix can either be :obj:`scipy.sparse.csr_matrix` or :obj:`numpy.array`. Now let's take a look at an example: |
|
|
|
|
|
.. code-block:: python |
|
|
|
|
|
from deeprobust.graph.data import Dataset |
|
|
from deeprobust.graph.defense import GCN |
|
|
from deeprobust.graph.targeted_attack import Nettack |
|
|
data = Dataset(root='/tmp/', name='cora') |
|
|
adj, features, labels = data.adj, data.features, data.labels |
|
|
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test |
|
|
|
|
|
surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1, |
|
|
nhid=16, dropout=0, with_relu=False, with_bias=False, device='cpu').to('cpu') |
|
|
surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30) |
|
|
|
|
|
target_node = 0 |
|
|
model = Nettack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device='cpu').to('cpu') |
|
|
|
|
|
model.attack(features, adj, labels, target_node, n_perturbations=5) |
|
|
modified_adj = model.modified_adj |
|
|
modified_features = model.modified_features |
|
|
|
|
|
Note that we also provide scripts in :download:`test_nettack.py <https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_nettack.py>` |
|
|
for selecting nodes as reported in the |
|
|
`nettack <https://arxiv.org/abs/1805.07984>`_ paper: (1) the 10 nodes |
|
|
with highest margin of classification, i.e. they are clearly correctly classified, |
|
|
(2) the 10 nodes with lowest margin (but still correctly classified) and |
|
|
(3) 20 more nodes randomly. |
|
|
|
|
|
|
|
|
More Examples |
|
|
----------------------- |
|
|
More examples can be found in :class:`deeprobust.graph.targeted_attack` and |
|
|
:class:`deeprobust.graph.global_attack`. You can also find examples in |
|
|
`github code examples <https://github.com/DSE-MSU/DeepRobust/tree/master/examples/graph>`_ |
|
|
and more details in `attacks table <https://github.com/DSE-MSU/DeepRobust/tree/master/deeprobust/graph |
|
|
|
