Add files using upload-large-folder tool

deeprobust/image/attack/__init__.py

@@ -0,0 +1,15 @@
+#__init__.py
+import logging
+
+from deeprobust.image.attack import base_attack
+from deeprobust.image.attack import pgd
+from deeprobust.image.attack import deepfool
+from deeprobust.image.attack import fgsm
+from deeprobust.image.attack import lbfgs
+from deeprobust.image.attack import cw
+
+from deeprobust.image.attack import onepixel
+
+__all__ = ['base_attack', 'pgd', 'lbfgs', 'fgsm', 'deepfool','cw', 'onepixel']
+
+logging.info("import base_attack from attack")

deeprobust/image/attack/cw.py

@@ -0,0 +1,285 @@
+import torch
+from torch import optim
+import torch.nn as nn
+import numpy as np
+import logging
+
+from deeprobust.image.attack.base_attack import BaseAttack
+from deeprobust.image.utils import onehot_like
+from deeprobust.image.optimizer import AdamOptimizer
+
+class CarliniWagner(BaseAttack):
+    """
+    C&W attack is an effective method to calcuate high-confidence adversarial examples.
+
+    References
+    ----------
+    .. [1] Carlini, N., & Wagner, D. (2017, May). Towards evaluating the robustness of neural networks. https://arxiv.org/pdf/1608.04644.pdf
+
+    This reimplementation is based on https://github.com/kkew3/pytorch-cw2
+    Copyright 2018 Kaiwen Wu
+
+    Examples
+    --------
+
+    >>> from deeprobust.image.attack.cw import CarliniWagner
+    >>> from deeprobust.image.netmodels.CNN import Net
+    >>> from deeprobust.image.config import attack_params
+
+    >>> model = Net()
+    >>> model.load_state_dict(torch.load("./trained_models/MNIST_CNN_epoch_20.pt", map_location = torch.device('cuda')))
+    >>> model.eval()
+
+    >>> x,y = datasets.MNIST()
+    >>> attack = CarliniWagner(model, device='cuda')
+    >>> AdvExArray = attack.generate(x, y, target_label = 1, classnum = 10, **attack_params['CW_MNIST])
+
+    """
+
+
+    def __init__(self, model, device = 'cuda'):
+        super(CarliniWagner, self).__init__(model, device)
+        self.model = model
+        self.device = device
+
+    def generate(self, image, label, target_label, **kwargs):
+        """
+        Call this function to generate adversarial examples.
+
+        Parameters
+        ----------
+        image :
+            original image
+        label :
+            target label
+        kwargs :
+            user defined paremeters
+        """
+
+        assert self.check_type_device(image, label)
+        assert self.parse_params(**kwargs)
+        self.target = target_label
+        return self.cw(self.model,
+                  self.image,
+                  self.label,
+                  self.target,
+                  self.confidence,
+                  self.clip_max,
+                  self.clip_min,
+                  self.max_iterations,
+                  self.initial_const,
+                  self.binary_search_steps,
+                  self.learning_rate
+                  )
+
+    def parse_params(self,
+                     classnum = 10,
+                     confidence = 1e-4,
+                     clip_max = 1,
+                     clip_min = 0,
+                     max_iterations = 1000,
+                     initial_const = 1e-2,
+                     binary_search_steps = 5,
+                     learning_rate = 0.00001,
+                     abort_early = True):
+        """
+        Parse the user defined parameters.
+
+        Parameters
+        ----------
+        classnum :
+            number of class
+        confidence :
+            confidence
+        clip_max :
+            maximum pixel value
+        clip_min :
+            minimum pixel value
+        max_iterations :
+            maximum number of iterations
+        initial_const :
+            initialization of binary search
+        binary_search_steps :
+            step number of binary search
+        learning_rate :
+            learning rate
+        abort_early :
+            Set abort_early = True to allow early stop
+        """
+
+        self.classnum = classnum
+        self.confidence = confidence
+        self.clip_max = clip_max
+        self.clip_min = clip_min
+        self.max_iterations = max_iterations
+        self.initial_const = initial_const
+        self.binary_search_steps = binary_search_steps
+        self.learning_rate = learning_rate
+        self.abort_early = abort_early
+        return True
+
+    def cw(self, model, image, label, target, confidence, clip_max, clip_min, max_iterations, initial_const, binary_search_steps, learning_rate):
+        #change the input image
+        img_tanh = self.to_attack_space(image.cpu())
+        img_ori ,_ = self.to_model_space(img_tanh)
+        img_ori = img_ori.to(self.device)
+
+        #binary search initialization
+        c = initial_const
+        c_low = 0
+        c_high = np.inf
+        found_adv = False
+        last_loss = np.inf
+
+        for step in range(binary_search_steps):
+
+            #initialize w : perturbed image in tanh space
+            w = torch.from_numpy(img_tanh.numpy())
+
+            optimizer = AdamOptimizer(img_tanh.shape)
+
+            is_adversarial = False
+
+            for iteration in range(max_iterations):
+
+                # adversary example
+                img_adv, adv_grid = self.to_model_space(w)
+                img_adv = img_adv.to(self.device)
+                img_adv.requires_grad = True
+
+                #output of the layer before softmax
+                output = model.get_logits(img_adv)
+
+                #pending success
+                is_adversarial = self.pending_f(img_adv)
+
+                #calculate loss function and gradient of loss funcition on x
+                loss, loss_grad = self.loss_function(
+                    img_adv, c, self.target, img_ori, self.confidence, self.clip_min, self.clip_max
+                )
+
+
+                #calculate gradient of loss function on w
+                gradient = adv_grid.to(self.device) * loss_grad.to(self.device)
+                w = w + torch.from_numpy(optimizer(gradient.cpu().detach().numpy(), learning_rate)).float()
+
+                if is_adversarial:
+                    found_adv = True
+
+            #do binary search on c
+            if found_adv:
+                c_high = c
+            else:
+                c_low = c
+
+            if c_high == np.inf:
+                c *= 10
+            else:
+                c = (c_high + c_low) / 2
+
+            if (step % 10 == 0):
+                print("iteration:{:.0f},loss:{:.4f}".format(step,loss))
+
+            # if (step == 50):
+            #     learning_rate = learning_rate/100
+
+            #abort early
+            if(self.abort_early == True and (step % 10) == 0 and step > 100) :
+                print("early abortion?", loss, last_loss)
+                if not (loss <= 0.9999 * last_loss):
+                    break
+                last_loss = loss
+
+
+        return img_adv.detach()
+
+    def loss_function(
+        self, x_p, const, target, reconstructed_original, confidence, min_, max_):
+        """Returns the loss and the gradient of the loss w.r.t. x,
+        assuming that logits = model(x)."""
+
+        ## get the output of model before softmax
+        x_p.requires_grad = True
+        logits = self.model.get_logits(x_p).to(self.device)
+
+        ## find the largest class except the target class
+        targetlabel_mask = (torch.from_numpy(onehot_like(np.zeros(self.classnum), target))).double()
+        secondlargest_mask = (torch.from_numpy(np.ones(self.classnum)) - targetlabel_mask).to(self.device)
+
+        secondlargest = np.argmax((logits.double() * secondlargest_mask).cpu().detach().numpy(), axis = 1)
+
+        is_adv_loss = logits[0][secondlargest] - logits[0][target]
+
+        # is_adv is True as soon as the is_adv_loss goes below 0
+        # but sometimes we want additional confidence
+        is_adv_loss += confidence
+
+        if is_adv_loss == 0:
+            is_adv_loss_grad = 0
+        else:
+            is_adv_loss.backward()
+            is_adv_loss_grad = x_p.grad
+
+        is_adv_loss = max(0, is_adv_loss)
+
+        s = max_ - min_
+        squared_l2_distance = np.sum( ((x_p - reconstructed_original) ** 2).cpu().detach().numpy() ) / s ** 2
+        total_loss = squared_l2_distance + const * is_adv_loss
+
+
+        squared_l2_distance_grad = (2 / s ** 2) * (x_p - reconstructed_original)
+
+        #print(is_adv_loss_grad)
+        total_loss_grad = squared_l2_distance_grad + const * is_adv_loss_grad
+        return total_loss, total_loss_grad
+
+    def pending_f(self, x_p):
+        """Pending is the loss function is less than 0
+        """
+        targetlabel_mask = torch.from_numpy(onehot_like(np.zeros(self.classnum), self.target))
+        secondlargest_mask = torch.from_numpy(np.ones(self.classnum)) - targetlabel_mask
+        targetlabel_mask = targetlabel_mask.to(self.device)
+        secondlargest_mask = secondlargest_mask.to(self.device)
+
+        Zx_i = np.max((self.model.get_logits(x_p).double().to(self.device) * secondlargest_mask).cpu().detach().numpy())
+        Zx_t = np.max((self.model.get_logits(x_p).double().to(self.device) * targetlabel_mask).cpu().detach().numpy())
+
+        if ( Zx_i - Zx_t  < - self.confidence):
+            return True
+        else:
+            return False
+
+    def to_attack_space(self, x):
+        x = x.detach()
+        # map from [min_, max_] to [-1, +1]
+        # x'=(x- 0.5 * (max+min) / 0.5 * (max-min))
+        a = (self.clip_min + self.clip_max) / 2
+        b = (self.clip_max - self.clip_min) / 2
+        x = (x - a) / b
+
+        # from [-1, +1] to approx. (-1, +1)
+        x = x * 0.999999
+
+        # from (-1, +1) to (-inf, +inf)
+        return np.arctanh(x)
+
+    def to_model_space(self, x):
+        """Transforms an input from the attack space
+        to the model space. This transformation and
+        the returned gradient are elementwise."""
+
+        # from (-inf, +inf) to (-1, +1)
+        x = np.tanh(x)
+
+        grad = 1 - np.square(x)
+
+        # map from (-1, +1) to (min_, max_)
+        a = (self.clip_min + self.clip_max) / 2
+        b = (self.clip_max - self.clip_min) / 2
+        x = x * b + a
+
+        grad = grad * b
+        return x, grad
+
+
+

deeprobust/image/attack/deepfool.py

@@ -0,0 +1,147 @@
+import numpy as np
+from torch.autograd import Variable
+import torch as torch
+import copy
+#from torch.autograd.gradcheck import zero_gradients
+
+from deeprobust.image.attack.base_attack import BaseAttack
+
+def zero_gradients(x):
+    if isinstance(x, torch.Tensor):
+        if x.grad is not None:
+            x.grad.detach_()
+            x.grad.zero_()
+        elif isinstance(x, collections.abc.Iterable):
+            for elem in x:
+                zero_gradients(elem)
+
+class DeepFool(BaseAttack):
+    """DeepFool attack.
+    """
+
+    def __init__(self, model, device = 'cuda' ):
+        super(DeepFool, self).__init__(model, device)
+        self.model = model
+        self.device = device
+
+    def generate(self, image, label, **kwargs):
+        """
+        Call this function to generate adversarial examples.
+
+        Parameters
+        ----------
+        image : 1*H*W*3
+            original image
+        label : int
+            target label
+        kwargs :
+            user defined paremeters
+
+        Returns
+        -------
+        adv_img :
+            adversarial examples
+        """
+
+
+        #check type device
+        assert self.check_type_device(image, label)
+        is_cuda = torch.cuda.is_available()
+
+        if (is_cuda and self.device == 'cuda'):
+            self.image = image.cuda()
+            self.model = self.model.cuda()
+        else:
+            self.image = image
+
+        assert self.parse_params(**kwargs)
+
+        adv_img, self.r, self.ite =  deepfool(self.model,
+                                  self.image,
+                                  self.num_classes,
+                                  self.overshoot,
+                                  self.max_iteration,
+                                  self.device)
+        return adv_img
+
+    def getpert(self):
+        return self.r, self.ite
+
+    def parse_params(self,
+                     num_classes = 10,
+                     overshoot = 0.02,
+                     max_iteration = 50):
+        """
+        Parse the user defined parameters
+
+        Parameters
+        ----------
+        num_classes : int
+            limits the number of classes to test against. (default = 10)
+        overshoot : float
+            used as a termination criterion to prevent vanishing updates (default = 0.02).
+        max_iteration : int
+            maximum number of iteration for deepfool (default = 50)
+        """
+        self.num_classes = num_classes
+        self.overshoot = overshoot
+        self.max_iteration = max_iteration
+        return True
+
+def deepfool(model, image, num_classes, overshoot, max_iter, device):
+    f_image = model.forward(image).data.cpu().numpy().flatten()
+    output = (np.array(f_image)).flatten().argsort()[::-1]
+
+    output = output[0:num_classes]
+    label = output[0]
+
+    input_shape = image.cpu().numpy().shape
+    x = copy.deepcopy(image).requires_grad_(True)
+    w = np.zeros(input_shape)
+    r_tot = np.zeros(input_shape)
+
+    fs = model.forward(x)
+    fs_list = [fs[0,output[k]] for k in range(num_classes)]
+    current_pred_label = label
+
+    for i in range(max_iter):
+
+        pert = np.inf
+        fs[0, output[0]].backward(retain_graph = True)
+        grad_orig = x.grad.data.cpu().numpy().copy()
+
+        for k in range(1, num_classes):
+            zero_gradients(x)
+
+            fs[0, output[k]].backward(retain_graph=True)
+            cur_grad = x.grad.data.cpu().numpy().copy()
+
+            # set new w_k and new f_k
+            w_k = cur_grad - grad_orig
+            f_k = (fs[0, output[k]] - fs[0, output[0]]).data.cpu().numpy()
+
+            pert_k = abs(f_k)/np.linalg.norm(w_k.flatten())
+
+            # determine which w_k to use
+            if pert_k < pert:
+                pert = pert_k
+                w = w_k
+
+        # compute r_i and r_tot
+        # Added 1e-4 for numerical stability
+        r_i =  (pert+1e-4) * w / np.linalg.norm(w)
+        r_tot = np.float32(r_tot + r_i)
+
+        pert_image = image + (1+overshoot)*torch.from_numpy(r_tot).to(device)
+
+        x = pert_image.detach().requires_grad_(True)
+        fs = model.forward(x)
+
+        if (not np.argmax(fs.data.cpu().numpy().flatten()) == label):
+            break
+
+
+    r_tot = (1+overshoot)*r_tot
+
+    return pert_image, r_tot, i
+

deeprobust/image/netmodels/__init__.py

@@ -0,0 +1,7 @@
+#__init__.py
+from deeprobust.image.netmodels import CNN
+from deeprobust.image.netmodels import resnet
+from deeprobust.image.netmodels import YOPOCNN
+from deeprobust.image.netmodels import train_model
+
+__all__ = ['CNNmodel','resnet','YOPOCNN','train_model']

deeprobust/image/netmodels/densenet.py

@@ -0,0 +1,185 @@
+"""
+This is an implementation of DenseNet model.
+
+Reference
+---------
+..[1]Huang, Gao, Zhuang Liu, Laurens Van Der Maaten, and Kilian Q. Weinberger. "Densely connected convolutional networks." In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 4700-4708. 2017.
+..[2]Original implementation: https://github.com/kuangliu/pytorch-cifar
+"""
+import math
+
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+
+
+class Bottleneck(nn.Module):
+    def __init__(self, in_planes, growth_rate):
+        super(Bottleneck, self).__init__()
+        self.bn1 = nn.BatchNorm2d(in_planes)
+        self.conv1 = nn.Conv2d(in_planes, 4*growth_rate, kernel_size=1, bias=False)
+        self.bn2 = nn.BatchNorm2d(4*growth_rate)
+        self.conv2 = nn.Conv2d(4*growth_rate, growth_rate, kernel_size=3, padding=1, bias=False)
+
+    def forward(self, x):
+        out = self.conv1(F.relu(self.bn1(x)))
+        out = self.conv2(F.relu(self.bn2(out)))
+        out = torch.cat([out,x], 1)
+        return out
+
+
+class Transition(nn.Module):
+    def __init__(self, in_planes, out_planes):
+        super(Transition, self).__init__()
+        self.bn = nn.BatchNorm2d(in_planes)
+        self.conv = nn.Conv2d(in_planes, out_planes, kernel_size=1, bias=False)
+
+    def forward(self, x):
+        out = self.conv(F.relu(self.bn(x)))
+        out = F.avg_pool2d(out, 2)
+        return out
+
+
+class DenseNet(nn.Module):
+    """DenseNet.
+    
+    """
+
+    def __init__(self, block, nblocks, growth_rate=12, reduction=0.5, num_classes=10):
+        super(DenseNet, self).__init__()
+        self.growth_rate = growth_rate
+
+        num_planes = 2*growth_rate
+        self.conv1 = nn.Conv2d(3, num_planes, kernel_size=3, padding=1, bias=False)
+
+        self.dense1 = self._make_dense_layers(block, num_planes, nblocks[0])
+        num_planes += nblocks[0]*growth_rate
+        out_planes = int(math.floor(num_planes*reduction))
+        self.trans1 = Transition(num_planes, out_planes)
+        num_planes = out_planes
+
+        self.dense2 = self._make_dense_layers(block, num_planes, nblocks[1])
+        num_planes += nblocks[1]*growth_rate
+        out_planes = int(math.floor(num_planes*reduction))
+        self.trans2 = Transition(num_planes, out_planes)
+        num_planes = out_planes
+
+        self.dense3 = self._make_dense_layers(block, num_planes, nblocks[2])
+        num_planes += nblocks[2]*growth_rate
+        out_planes = int(math.floor(num_planes*reduction))
+        self.trans3 = Transition(num_planes, out_planes)
+        num_planes = out_planes
+
+        self.dense4 = self._make_dense_layers(block, num_planes, nblocks[3])
+        num_planes += nblocks[3]*growth_rate
+
+        self.bn = nn.BatchNorm2d(num_planes)
+        self.linear = nn.Linear(num_planes, num_classes)
+
+    def _make_dense_layers(self, block, in_planes, nblock):
+        layers = []
+        for i in range(nblock):
+            layers.append(block(in_planes, self.growth_rate))
+            in_planes += self.growth_rate
+        return nn.Sequential(*layers)
+
+    def forward(self, x):
+        out = self.conv1(x)
+        out = self.trans1(self.dense1(out))
+        out = self.trans2(self.dense2(out))
+        out = self.trans3(self.dense3(out))
+        out = self.dense4(out)
+        out = F.avg_pool2d(F.relu(self.bn(out)), 4)
+        out = out.view(out.size(0), -1)
+        out = self.linear(out)
+        return out
+
+def DenseNet121():
+    """DenseNet121.
+    """
+    return DenseNet(Bottleneck, [6,12,24,16], growth_rate=32)
+
+def DenseNet169():
+    """DenseNet169.
+    """
+    return DenseNet(Bottleneck, [6,12,32,32], growth_rate=32)
+
+def DenseNet201():
+    """DenseNet201.
+    """
+    return DenseNet(Bottleneck, [6,12,48,32], growth_rate=32)
+
+def DenseNet161():
+    """DenseNet161.
+    """
+    return DenseNet(Bottleneck, [6,12,36,24], growth_rate=48)
+
+def densenet_cifar():
+    """densenet_cifar.
+    """
+    return DenseNet(Bottleneck, [6,12,24,16], growth_rate=12)
+
+def test(model, device, test_loader):
+    """test.
+
+    Parameters
+    ----------
+    model :
+        model
+    device :
+        device
+    test_loader :
+        test_loader
+    """
+    model.eval()
+
+    test_loss = 0
+    correct = 0
+    with torch.no_grad():
+        for data, target in test_loader:
+            data, target = data.to(device), target.to(device)
+            output = model(data)
+            #test_loss += F.nll_loss(output, target, reduction='sum').item()  # sum up batch loss
+
+            test_loss += F.cross_entropy(output, target)
+            pred = output.argmax(dim=1, keepdim=True)  # get the index of the max log-probability
+            correct += pred.eq(target.view_as(pred)).sum().item()
+
+    test_loss /= len(test_loader.dataset)
+
+    print('\nTest set: Average loss: {:.4f}, Accuracy: {}/{} ({:.0f}%)\n'.format(
+        test_loss, correct, len(test_loader.dataset),
+        100. * correct / len(test_loader.dataset)))
+
+def train(model, device, train_loader, optimizer, epoch):
+    """train.
+
+    Parameters
+    ----------
+    model :
+        model
+    device :
+        device
+    train_loader :
+        train_loader
+    optimizer :
+        optimizer
+    epoch :
+        epoch
+    """
+    model.train()
+
+    # lr = util.adjust_learning_rate(optimizer, epoch, args) # don't need it if we use Adam
+
+    for batch_idx, (data, target) in enumerate(train_loader):
+        data, target = torch.tensor(data).to(device), torch.tensor(target).to(device)
+        optimizer.zero_grad()
+        output = model(data)
+        # loss = F.nll_loss(output, target)
+        loss = F.cross_entropy(output, target)
+        loss.backward()
+        optimizer.step()
+        if batch_idx % 10 == 0:
+            print('Train Epoch: {} [{}/{} ({:.0f}%)]\tLoss: {:.6f}'.format(
+                epoch, batch_idx * len(data), len(train_loader.dataset),
+                100. * batch_idx / len(train_loader), loss.item()/data.shape[0]))

deeprobust/image/netmodels/preact_resnet.py

@@ -0,0 +1,101 @@
+"""
+This is an reimplementaiton of Pre-activation ResNet.
+"""
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+
+
+class PreActBlock(nn.Module):
+    '''Pre-activation version of the BasicBlock.'''
+    expansion = 1
+
+    def __init__(self, in_planes, planes, stride=1):
+        super(PreActBlock, self).__init__()
+        self.bn1 = nn.BatchNorm2d(in_planes)
+        self.conv1 = nn.Conv2d(in_planes, planes, kernel_size=3, stride=stride, padding=1, bias=False)
+        self.bn2 = nn.BatchNorm2d(planes)
+        self.conv2 = nn.Conv2d(planes, planes, kernel_size=3, stride=1, padding=1, bias=False)
+
+        if stride != 1 or in_planes != self.expansion*planes:
+            self.shortcut = nn.Sequential(
+                nn.Conv2d(in_planes, self.expansion*planes, kernel_size=1, stride=stride, bias=False)
+            )
+
+    def forward(self, x):
+        out = F.relu(self.bn1(x))
+        shortcut = self.shortcut(x) if hasattr(self, 'shortcut') else x
+        out = self.conv1(out)
+        out = self.conv2(F.relu(self.bn2(out)))
+        out += shortcut
+        return out
+
+
+class PreActBottleneck(nn.Module):
+    '''Pre-activation version of the original Bottleneck module.'''
+    expansion = 4
+
+    def __init__(self, in_planes, planes, stride=1):
+        super(PreActBottleneck, self).__init__()
+        self.bn1 = nn.BatchNorm2d(in_planes)
+        self.conv1 = nn.Conv2d(in_planes, planes, kernel_size=1, bias=False)
+        self.bn2 = nn.BatchNorm2d(planes)
+        self.conv2 = nn.Conv2d(planes, planes, kernel_size=3, stride=stride, padding=1, bias=False)
+        self.bn3 = nn.BatchNorm2d(planes)
+        self.conv3 = nn.Conv2d(planes, self.expansion*planes, kernel_size=1, bias=False)
+
+        if stride != 1 or in_planes != self.expansion*planes:
+            self.shortcut = nn.Sequential(
+                nn.Conv2d(in_planes, self.expansion*planes, kernel_size=1, stride=stride, bias=False)
+            )
+
+    def forward(self, x):
+        out = F.relu(self.bn1(x))
+        shortcut = self.shortcut(out) if hasattr(self, 'shortcut') else x
+        out = self.conv1(out)
+        out = self.conv2(F.relu(self.bn2(out)))
+        out = self.conv3(F.relu(self.bn3(out)))
+        out += shortcut
+        return out
+
+
+class PreActResNet(nn.Module):
+    """PreActResNet.
+    """
+
+    def __init__(self, block, num_blocks, num_classes=10):
+        super(PreActResNet, self).__init__()
+        self.in_planes = 64
+        self.conv1 = nn.Conv2d(3, 64, kernel_size=3, stride=1, padding=1, bias=False)
+        self.layer1 = self._make_layer(block, 64, num_blocks[0], stride=1)
+        self.layer2 = self._make_layer(block, 128, num_blocks[1], stride=2)
+        self.layer3 = self._make_layer(block, 256, num_blocks[2], stride=2)
+        self.layer4 = self._make_layer(block, 512, num_blocks[3], stride=2)
+        self.bn = nn.BatchNorm2d(512 * block.expansion)
+        self.linear = nn.Linear(512 * block.expansion, num_classes)
+
+    def _make_layer(self, block, planes, num_blocks, stride):
+        strides = [stride] + [1]*(num_blocks-1)
+        layers = []
+        for stride in strides:
+            layers.append(block(self.in_planes, planes, stride))
+            self.in_planes = planes * block.expansion
+        return nn.Sequential(*layers)
+
+    def forward(self, x):
+        out = self.conv1(x)
+        out = self.layer1(out)
+        out = self.layer2(out)
+        out = self.layer3(out)
+        out = self.layer4(out)
+        out = F.relu(self.bn(out))
+        out = F.avg_pool2d(out, 4)
+        out = out.view(out.size(0), -1)
+        out = self.linear(out)
+        return out
+
+
+def PreActResNet18():
+    """PreActResNet18.
+    """
+    return PreActResNet(PreActBlock, [2,2,2,2])

docs/source/deeprobust.graph.defense.rst

@@ -0,0 +1,54 @@
+deeprobust.graph.defense package
+================================
+
+Submodules
+----------
+
+deeprobust.graph.defense.adv\_training module
+---------------------------------------------
+
+.. automodule:: deeprobust.graph.defense.adv_training
+   :members:
+
+deeprobust.graph.defense.gcn module
+-----------------------------------
+
+.. automodule:: deeprobust.graph.defense.gcn
+   :members:
+
+deeprobust.graph.defense.gcn\_preprocess module
+-----------------------------------------------
+
+.. automodule:: deeprobust.graph.defense.gcn_preprocess
+   :members:
+
+deeprobust.graph.defense.pgd module
+-----------------------------------
+
+.. automodule:: deeprobust.graph.defense.pgd
+   :members:
+
+deeprobust.graph.defense.prognn module
+--------------------------------------
+
+.. automodule:: deeprobust.graph.defense.prognn
+   :members:
+
+deeprobust.graph.defense.r\_gcn module
+--------------------------------------
+
+.. automodule:: deeprobust.graph.defense.r_gcn
+   :members:
+
+deeprobust.graph.defense.median_gcn module
+--------------------------------------
+
+.. automodule:: deeprobust.graph.defense.median_gcn
+   :members:
+
+
+Module contents
+---------------
+
+.. automodule:: deeprobust.graph.defense
+   :members:

docs/source/deeprobust.graph.global_attack.rst

@@ -0,0 +1,48 @@
+deeprobust.graph.global\_attack package
+=======================================
+
+Submodules
+----------
+
+deeprobust.graph.global\_attack.base\_attack module
+---------------------------------------------------
+
+.. automodule:: deeprobust.graph.global_attack.base_attack
+   :members:
+
+deeprobust.graph.global\_attack.dice module
+-------------------------------------------
+
+.. automodule:: deeprobust.graph.global_attack.dice
+   :members:
+
+deeprobust.graph.global\_attack.mettack module
+----------------------------------------------
+
+.. automodule:: deeprobust.graph.global_attack.mettack
+   :members:
+
+deeprobust.graph.global\_attack.nipa module
+-------------------------------------------
+
+.. automodule:: deeprobust.graph.global_attack.nipa
+   :members:
+
+deeprobust.graph.global\_attack.random_attack module
+----------------------------------------------------
+
+.. automodule:: deeprobust.graph.global_attack.random_attack
+   :members:
+
+deeprobust.graph.global\_attack.topology\_attack module
+-------------------------------------------------------
+
+.. automodule:: deeprobust.graph.global_attack.topology_attack
+   :members:
+
+
+Module contents
+---------------
+
+.. automodule:: deeprobust.graph.global_attack
+   :members:

docs/source/deeprobust.graph.rst

@@ -0,0 +1,35 @@
+deeprobust.graph package
+========================
+
+Subpackages
+-----------
+
+.. toctree::
+
+   deeprobust.graph.data
+   deeprobust.graph.defense
+   deeprobust.graph.global_attack
+   deeprobust.graph.rl
+   deeprobust.graph.targeted_attack
+
+Submodules
+----------
+
+deeprobust.graph.black\_box module
+----------------------------------
+
+.. automodule:: deeprobust.graph.black_box
+   :members:
+
+deeprobust.graph.utils module
+-----------------------------
+
+.. automodule:: deeprobust.graph.utils
+   :members:
+
+
+Module contents
+---------------
+
+.. automodule:: deeprobust.graph
+   :members:

docs/source/deeprobust.rst

@@ -0,0 +1,16 @@
+deeprobust package
+==================
+
+Subpackages
+-----------
+
+.. toctree::
+
+   deeprobust.graph
+   deeprobust.image
+
+Module contents
+---------------
+
+.. automodule:: deeprobust
+   :members:

examples/graph/cgscore_datasets_batch.py

@@ -0,0 +1,223 @@
+# compute cgscore for gcn
+# author: Yaning
+import torch
+import numpy as np
+import torch.nn.functional as Fd
+from deeprobust.graph.defense import GCNJaccard, GCN
+from deeprobust.graph.defense import GCNScore
+from deeprobust.graph.utils import *
+from deeprobust.graph.data import Dataset, PrePtbDataset
+from scipy.sparse import csr_matrix
+import argparse
+import pickle
+from deeprobust.graph import utils
+from collections import defaultdict
+from tqdm import tqdm
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='pubmed', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.05,  help='pertubation rate')
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda:1" if torch.cuda.is_available() else "cpu")
+
+# make sure you use the same data splits as you generated attacks
+np.random.seed(args.seed)
+if args.cuda:
+    torch.cuda.manual_seed(args.seed)
+
+# Here the random seed is to split the train/val/test data,
+# we need to set the random seed to be the same as that when you generate the perturbed graph
+# data = Dataset(root='/tmp/', name=args.dataset, setting='nettack', seed=15)
+# Or we can just use setting='prognn' to get the splits
+data = Dataset(root='/tmp/', name=args.dataset, setting='prognn')
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+
+perturbed_data = PrePtbDataset(root='/tmp/',
+        name=args.dataset,
+        attack_method='meta',
+        ptb_rate=args.ptb_rate)
+
+perturbed_adj = perturbed_data.adj
+# perturbed_adj = adj
+
+def save_cg_scores(cg_scores, filename="cg_scores.npy"):
+    np.save(filename, cg_scores)
+    print(f"CG-scores saved to {filename}")
+
+def load_cg_scores_numpy(filename="cg_scores.npy"):
+    cg_scores = np.load(filename, allow_pickle=True)
+    print(f"CG-scores loaded from {filename}")
+    return cg_scores
+
+
+import torch
+import numpy as np
+from collections import defaultdict
+from tqdm import tqdm
+
+
+def calc_cg_score_gnn_with_sampling(
+    A, X, labels, device, rep_num=1, unbalance_ratio=1, sub_term=False, batch_size=64
+):
+    """
+    Optimized CG-score calculation with edge batching and GPU acceleration.
+    """
+
+    N = A.shape[0]
+    cg_scores = {
+        "vi": np.zeros((N, N)),
+        "ab": np.zeros((N, N)),
+        "a2": np.zeros((N, N)),
+        "b2": np.zeros((N, N)),
+        "times": np.zeros((N, N)),
+    }
+
+    A = A.to(device)
+    X = X.to(device)
+    labels = labels.to(device)
+
+    @torch.no_grad()
+    def normalize(tensor):
+        return tensor / (torch.norm(tensor, dim=1, keepdim=True) + 1e-8)
+
+    for _ in range(rep_num):
+        AX = torch.matmul(A, X)
+        norm_AX = normalize(AX)
+
+        # ✨ Step 1: 标签分组（矢量化 + GPU）
+        unique_labels = torch.unique(labels)
+        label_to_indices = {
+            label.item(): (labels == label).nonzero(as_tuple=True)[0] for label in unique_labels
+        }
+        dataset = {label: norm_AX[indices] for label, indices in label_to_indices.items()}
+
+        # ✨ Step 2: 负样本构建（GPU 上）
+        neg_samples_dict = {}
+        neg_indices_dict = {}
+        for label in unique_labels:
+            label = label.item()
+            mask = labels != label
+            neg_samples = norm_AX[mask]
+            neg_indices = mask.nonzero(as_tuple=True)[0]
+            neg_samples_dict[label] = neg_samples
+            neg_indices_dict[label] = neg_indices
+
+        for curr_label in tqdm(unique_labels.tolist(), desc="Label groups"):
+            curr_samples = dataset[curr_label]
+            curr_indices = label_to_indices[curr_label]
+            curr_num = len(curr_samples)
+
+            chosen_curr_idx = torch.randperm(curr_num, device=device)
+            chosen_curr_samples = curr_samples[chosen_curr_idx]
+            chosen_curr_indices = curr_indices[chosen_curr_idx]
+
+            neg_samples = neg_samples_dict[curr_label]
+            neg_indices = neg_indices_dict[curr_label]
+            neg_num = min(int(curr_num * unbalance_ratio), len(neg_samples))
+            rand_idx = torch.randperm(len(neg_samples), device=device)[:neg_num]
+            chosen_neg_samples = neg_samples[rand_idx]
+            chosen_neg_indices = neg_indices[rand_idx]
+
+            combined_samples = torch.cat([chosen_curr_samples, chosen_neg_samples], dim=0)
+            y = torch.cat([torch.ones(len(chosen_curr_samples)), -torch.ones(neg_num)], dim=0).to(device)
+
+            # 参考误差
+            H_inner = torch.matmul(combined_samples, combined_samples.T)
+            H_inner = torch.clamp(H_inner, min=-1.0, max=1.0)
+            H = H_inner * (np.pi - torch.acos(H_inner)) / (2 * np.pi)
+            H.fill_diagonal_(0.5)
+            H += 1e-6 * torch.eye(H.size(0), device=device)
+            invH = torch.inverse(H)
+            original_error = y @ (invH @ y)
+
+            # ✨ Step 3: 收集候选边（仍在 CPU 逻辑）
+            edge_batch = []
+            for idx_i in chosen_curr_indices.tolist():
+                for j in range(idx_i + 1, N):
+                    if A[idx_i, j] != 0:
+                        edge_batch.append((idx_i, j))
+
+            # ✨ Step 4: 批处理更新
+            for k in tqdm(range(0, len(edge_batch), batch_size), desc="Edge batches", leave=False):
+                batch = edge_batch[k : k + batch_size]
+                B = len(batch)
+
+                norm_AX1_batch = norm_AX.repeat(B, 1, 1).clone()
+                for b, (i, j) in enumerate(batch):
+                    AX1_i = AX[i] - A[i, j] * X[j]
+                    AX1_j = AX[j] - A[j, i] * X[i]
+                    norm_AX1_batch[b, i] = AX1_i / (torch.norm(AX1_i) + 1e-8)
+                    norm_AX1_batch[b, j] = AX1_j / (torch.norm(AX1_j) + 1e-8)
+
+                sample_idx = chosen_curr_indices.tolist() + chosen_neg_indices.tolist()
+                sample_batch = norm_AX1_batch[:, sample_idx, :]  # [B, M, D]
+
+                H_inner = torch.matmul(sample_batch, sample_batch.transpose(1, 2))
+                H_inner = torch.clamp(H_inner, min=-1.0, max=1.0)
+                H = H_inner * (np.pi - torch.acos(H_inner)) / (2 * np.pi)
+                eye = torch.eye(H.size(-1), device=device).unsqueeze(0).expand_as(H)
+                H = H + 1e-6 * eye
+                H.diagonal(dim1=-2, dim2=-1).copy_(0.5)
+
+                invH = torch.inverse(H)
+                y_expanded = y.unsqueeze(0).expand(B, -1)
+                error_A1 = torch.einsum("bi,bij,bj->b", y_expanded, invH, y_expanded)
+
+                for b, (i, j) in enumerate(batch):
+                    score = (original_error - error_A1[b]).item()
+                    cg_scores["vi"][i, j] += score
+                    cg_scores["vi"][j, i] = score
+                    cg_scores["times"][i, j] += 1
+                    cg_scores["times"][j, i] += 1
+
+    for key in cg_scores:
+        if key != "times":
+            cg_scores[key] = cg_scores[key] / np.where(cg_scores["times"] > 0, cg_scores["times"], 1)
+
+    return cg_scores if sub_term else cg_scores["vi"]
+
+
+
+def is_symmetric_sparse(adj): 
+    """
+    Check if a sparse matrix is symmetric.
+    """
+    # Check symmetry
+    return (adj != adj.transpose()).nnz == 0  # .nnz is the number of non-zero elements
+
+def make_symmetric_sparse(adj):
+    """
+    Ensure the sparse adjacency matrix is symmetrical.
+    """
+    # Make the matrix symmetric
+    sym_adj = (adj + adj.transpose()) / 2
+    return sym_adj
+
+perturbed_adj = make_symmetric_sparse(perturbed_adj)
+
+if type(perturbed_adj) is not torch.Tensor:
+    features, perturbed_adj, labels = utils.to_tensor(features, perturbed_adj, labels)
+else:
+    features = features.to(device)
+    perturbed_adj = perturbed_adj.to(device)
+    labels = labels.to(device)
+
+if utils.is_sparse_tensor(perturbed_adj):
+    
+    adj_norm = utils.normalize_adj_tensor(perturbed_adj, sparse=True)
+else:
+    adj_norm = utils.normalize_adj_tensor(perturbed_adj)
+
+features = features.to_dense()
+perturbed_adj = adj_norm.to_dense()
+
+
+calc_cg_score =  calc_cg_score_gnn_with_sampling(perturbed_adj, features, labels, device, rep_num=1, unbalance_ratio=3, sub_term=False, batch_size=512)
+save_cg_scores(calc_cg_score, filename="pubmed_0.05.npy")
+# print("completed"）

examples/graph/cgscore_experiments/huggingface/upload.py

@@ -0,0 +1,17 @@
+from huggingface_hub import HfApi
+
+# 初始化 API 客户端
+api = HfApi()
+
+# 设置参数/
+repo_id = "Yaning1001/CGSCORE"  
+repo_type = "model"        
+folder_path = "/home/yiren/new_ssd2/chunhui/yaning/project/cgscore/"  
+# token = "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"  # 替换为你的 Hugging Face API Token
+
+# 调用上传方法
+api.upload_large_folder(
+    repo_id=repo_id,
+    repo_type=repo_type,
+    folder_path=folder_path,
+)

examples/graph/read_score.py

@@ -0,0 +1,78 @@
+import numpy as np
+import torch
+
+def remove_least_important_edges(adj, cgscore, remove_ratio=0.8):
+    """
+    Remove the least important edges based on CGScore.
+
+    Args:
+        adj (torch.Tensor): Original adjacency matrix (N x N).
+        cgscore (np.ndarray): CGScore matrix (N x N).
+        keep_ratio (float): Ratio of edges to keep (default: 0.8).
+
+    Returns:
+        adj (torch.Tensor): Adjusted adjacency matrix after removing edges.
+    """
+    # Convert CGScore from numpy to PyTorch tensor
+    cgscore = torch.tensor(cgscore, dtype=torch.float32)
+    
+    assert adj.shape == cgscore.shape, "adj and cgscore must have the same shape"
+    N = adj.shape[0]
+    
+    # Extract upper triangular non-zero elements (excluding diagonal)
+    triu_indices = torch.triu_indices(N, N, offset=1)  # Upper triangle indices
+    triu_scores = cgscore[triu_indices[0], triu_indices[1]]
+    triu_adj = adj[triu_indices[0], triu_indices[1]]
+    
+    # Mask to ignore zero elements in adj
+    mask = triu_adj > 0
+    triu_scores = triu_scores[mask]
+    triu_indices = triu_indices[:, mask]
+
+    # Sort by CGScore in ascending order
+    sorted_indices = torch.argsort(triu_scores)  # Indices of sorted CGScores
+    
+
+    # Determine the cutoff for edges to remove
+    num_edges_to_remove = int(len(sorted_indices) * (remove_ratio))  # Edges to remove
+    print("len(sorted_indices)", len(sorted_indices))
+    print("remove_radio:", remove_ratio)
+    print("num_edges_to_remove", num_edges_to_remove)
+    edges_to_remove = sorted_indices[:num_edges_to_remove]  # First 20% (lowest CGScores)
+    
+    # Create a copy of the adjacency matrix
+    adj_new = adj.clone()
+
+    # Remove the least important edges
+    for idx in edges_to_remove:
+        i, j = triu_indices[:, idx]
+        adj_new[i, j] = 0
+        adj_new[j, i] = 0  # Ensure symmetry
+
+    return adj_new
+
+
+# 示例邻接矩阵和 CGScore 矩阵
+adj = torch.tensor([
+    [0, 1, 1, 0],
+    [1, 0, 1, 1],
+    [1, 1, 0, 1],
+    [0, 1, 1, 0]
+], dtype=torch.float32)
+
+cgscore = np.array([
+    [0.0, 0.8, 0.6, 0.0],
+    [0.8, 0.0, 0.1, 1.2],
+    [0.6, 0.7, 0.0, 1.9],
+    [0.0, 1.2, 1.1, 0.0]
+], dtype=np.float32)
+
+# 调用函数
+adj_new = remove_least_important_edges(adj, cgscore, remove_ratio=0.2)
+
+# 打印结果
+print("原始邻接矩阵：")
+print(adj)
+print("调整后的邻接矩阵：")
+print(adj_new)
+

examples/graph/test_airgnn.py

@@ -0,0 +1,103 @@
+""""test different models on noise features"""
+import argparse
+import numpy as np
+from torch_geometric.datasets import Planetoid
+import torch_geometric.transforms as T
+from deeprobust.graph.defense_pyg import AirGNN, GCN, APPNP, GAT, SAGE, GPRGNN
+import torch
+import random
+import os.path as osp
+from deeprobust.graph.utils import add_feature_noise, add_feature_noise_test, get_perf
+import torch.nn.functional as F
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--gpu_id', type=int, default=0, help='gpu id')
+parser.add_argument('--dataset', type=str, default='cora')
+parser.add_argument('--epochs', type=int, default=10)
+parser.add_argument('--lr', type=float, default=0.01)
+parser.add_argument('--hidden', type=int, default=64)
+parser.add_argument('--weight_decay', type=float, default=5e-4)
+parser.add_argument('--with_bn', type=int, default=0)
+parser.add_argument('--seed', type=int, default=0, help='Random seed.')
+parser.add_argument('--nlayers', type=int, default=2)
+parser.add_argument('--model', type=str, default='AirGNN')
+parser.add_argument('--debug', type=float, default=0)
+parser.add_argument('--dropout', type=float, default=0.5)
+parser.add_argument('--noise_feature', type=float, default=0.3)
+parser.add_argument('--lambda_', type=float, default=0)
+args = parser.parse_args()
+
+torch.cuda.set_device(args.gpu_id)
+
+print('===========')
+
+# random seed setting
+random.seed(args.seed)
+np.random.seed(args.seed)
+torch.manual_seed(args.seed)
+torch.cuda.manual_seed(args.seed)
+
+def get_dataset(name, normalize_features=True, transform=None, if_dpr=True):
+    path = osp.join(osp.dirname(osp.realpath(__file__)), 'data', name)
+    if name in ['cora', 'citeseer', 'pubmed']:
+        dataset = Planetoid(path, name)
+    else:
+        raise NotImplementedError
+    dataset.transform = T.NormalizeFeatures()
+    return dataset
+
+dataset = get_dataset(args.dataset)
+data = dataset[0]
+
+def pretrain_model():
+    feat, labels = data.x, data.y
+    nclass = max(labels).item()+1
+    if args.model == "AirGNN":
+         args.dropout=0.2; args.lambda_amp=0.5; args.alpha=0.1
+         model = AirGNN(nfeat=feat.shape[1], nhid=args.hidden, dropout=args.dropout, with_bn=args.with_bn,
+                 K=10, weight_decay=args.weight_decay, args=args, nlayers=args.nlayers,
+                 nclass=max(labels).item()+1, device=device).to(device)
+    elif args.model == "GCN":
+        model = GCN(nfeat=feat.shape[1], nhid=args.hidden, dropout=args.dropout,
+                nlayers=args.nlayers, with_bn=args.with_bn,
+                weight_decay=args.weight_decay, nclass=nclass,
+                device=device).to(device)
+    elif args.model == "GAT":
+        args.dropout = 0.5; args.hidden = 8
+        model = GAT(nfeat=feat.shape[1], nhid=args.hidden, heads=8, lr=0.005, nlayers=args.nlayers,
+              nclass=nclass, with_bn=args.with_bn, weight_decay=args.weight_decay,
+              dropout=args.dropout, device=device).to(device)
+    elif args.model == "SAGE":
+        model = SAGE(feat.shape[1], 32, max(labels).item()+1, num_layers=5,
+                dropout=0.0, lr=0.01, weight_decay=0, device=device).to(device)
+    elif args.model == "GPR":
+        model = GPRGNN(feat.shape[1], 32, max(labels).item()+1, dropout=0.0,
+                lr=0.01, weight_decay=0, device=device).to(device)
+    else:
+        raise NotImplementedError
+
+    print(model)
+    model.fit(data, train_iters=1000, patience=1000, verbose=True)
+
+    model.eval()
+    model.data = data.to(device)
+    output = model.predict()
+    labels = labels.to(device)
+    print("Test set results:", get_perf(output, labels, data.test_mask, verbose=0)[1])
+    return model
+
+device = 'cuda'
+model = pretrain_model()
+
+if args.noise_feature > 0:
+    feat_noise, noisy_nodes = add_feature_noise_test(data,
+            args.noise_feature, args.seed)
+
+output = model.predict()
+labels = data.y.to(device)
+print("After noise, test set results:", get_perf(output, labels, data.test_mask, verbose=0)[1])
+print('Validation:', get_perf(output, labels, data.val_mask, verbose=0)[1])
+print('Abnomral test nodes:', get_perf(output, labels, noisy_nodes, verbose=0)[1])
+print('Normal test nodes:', get_perf(output, labels, data.test_mask & (~noisy_nodes), verbose=0)[1])
+
+

examples/graph/test_dice.py

@@ -0,0 +1,80 @@
+import torch
+import numpy as np
+import torch.nn.functional as F
+import torch.optim as optim
+from deeprobust.graph.defense import GCN
+from deeprobust.graph.global_attack import DICE
+from deeprobust.graph.utils import *
+from deeprobust.graph.data import Dataset
+
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='citeseer', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.05,  help='pertubation rate')
+
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+
+np.random.seed(args.seed)
+torch.manual_seed(args.seed)
+if args.cuda:
+    torch.cuda.manual_seed(args.seed)
+
+data = Dataset(root='/tmp/', name=args.dataset)
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+idx_unlabeled = np.union1d(idx_val, idx_test)
+
+# Setup Attack Model
+model = DICE()
+
+n_perturbations = int(args.ptb_rate * (adj.sum()//2))
+
+model.attack(adj, labels, n_perturbations)
+modified_adj = model.modified_adj
+
+adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False, sparse=True, device=device)
+
+modified_adj = normalize_adj(modified_adj)
+modified_adj = sparse_mx_to_torch_sparse_tensor(modified_adj)
+modified_adj = modified_adj.to(device)
+
+def test(adj):
+    ''' test on GCN '''
+    # adj = normalize_adj_tensor(adj)
+    gcn = GCN(nfeat=features.shape[1],
+              nhid=16,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device=device)
+
+    gcn = gcn.to(device)
+
+    optimizer = optim.Adam(gcn.parameters(),
+                           lr=0.01, weight_decay=5e-4)
+
+    gcn.fit(features, adj, labels, idx_train) # train without model picking
+    # gcn.fit(features, adj, labels, idx_train, idx_val) # train with validation model picking
+    output = gcn.output
+    loss_test = F.nll_loss(output[idx_test], labels[idx_test])
+    acc_test = accuracy(output[idx_test], labels[idx_test])
+    print("Test set results:",
+          "loss= {:.4f}".format(loss_test.item()),
+          "accuracy= {:.4f}".format(acc_test.item()))
+
+    return acc_test.item()
+
+def main():
+    print('=== testing GCN on original(clean) graph ===')
+    test(adj)
+    print('=== testing GCN on perturbed graph ===')
+    test(modified_adj)
+
+
+if __name__ == '__main__':
+    main()
+

examples/graph/test_fga.py

@@ -0,0 +1,188 @@
+import torch
+import numpy as np
+import torch.nn.functional as F
+import torch.optim as optim
+from deeprobust.graph.defense import GCN
+from deeprobust.graph.targeted_attack import FGA
+from deeprobust.graph.utils import *
+from deeprobust.graph.data import Dataset
+from tqdm import tqdm
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='citeseer', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.05,  help='pertubation rate')
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+
+np.random.seed(args.seed)
+torch.manual_seed(args.seed)
+if args.cuda:
+    torch.cuda.manual_seed(args.seed)
+
+data = Dataset(root='/tmp/', name=args.dataset)
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+idx_unlabeled = np.union1d(idx_val, idx_test)
+
+# Setup Surrogate model
+surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
+                nhid=16, device=device)
+
+surrogate = surrogate.to(device)
+surrogate.fit(features, adj, labels, idx_train, idx_val)
+
+# Setup Attack Model
+target_node = 0
+model = FGA(surrogate, nnodes=adj.shape[0], device=device)
+model = model.to(device)
+
+def main():
+    u = 0 # node to attack
+    assert u in idx_unlabeled
+
+    degrees = adj.sum(0).A1
+    n_perturbations = int(degrees[u]) # How many perturbations to perform. Default: Degree of the node
+
+    model.attack(features, adj, labels, idx_train, target_node, n_perturbations)
+
+    print('=== testing GCN on original(clean) graph ===')
+    test(adj, features, target_node)
+
+    print('=== testing GCN on perturbed graph ===')
+    test(model.modified_adj, features, target_node)
+
+def test(adj, features, target_node):
+    ''' test on GCN '''
+    gcn = GCN(nfeat=features.shape[1],
+              nhid=16,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device=device)
+
+    if args.cuda:
+        gcn = gcn.to(device)
+
+    gcn.fit(features, adj, labels, idx_train)
+
+    gcn.eval()
+    output = gcn.predict()
+    probs = torch.exp(output[[target_node]])[0]
+    print('probs: {}'.format(probs.detach().cpu().numpy()))
+    acc_test = accuracy(output[idx_test], labels[idx_test])
+
+    print("Test set results:",
+          "accuracy= {:.4f}".format(acc_test.item()))
+
+    return acc_test.item()
+
+
+def select_nodes(target_gcn=None):
+    '''
+    selecting nodes as reported in nettack paper:
+    (i) the 10 nodes with highest margin of classification, i.e. they are clearly correctly classified,
+    (ii) the 10 nodes with lowest margin (but still correctly classified) and
+    (iii) 20 more nodes randomly
+    '''
+
+    if target_gcn is None:
+        target_gcn = GCN(nfeat=features.shape[1],
+                  nhid=16,
+                  nclass=labels.max().item() + 1,
+                  dropout=0.5, device=device)
+        target_gcn = target_gcn.to(device)
+        target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30)
+    target_gcn.eval()
+    output = target_gcn.predict()
+
+    margin_dict = {}
+    for idx in idx_test:
+        margin = classification_margin(output[idx], labels[idx])
+        if margin < 0: # only keep the nodes correctly classified
+            continue
+        margin_dict[idx] = margin
+    sorted_margins = sorted(margin_dict.items(), key=lambda x:x[1], reverse=True)
+    high = [x for x, y in sorted_margins[: 10]]
+    low = [x for x, y in sorted_margins[-10: ]]
+    other = [x for x, y in sorted_margins[10: -10]]
+    other = np.random.choice(other, 20, replace=False).tolist()
+
+    return high + low + other
+
+def multi_test_poison():
+    # test on 40 nodes on poisoining attack
+    cnt = 0
+    degrees = adj.sum(0).A1
+    node_list = select_nodes()
+    num = len(node_list)
+    print('=== [Poisoning] Attacking %s nodes respectively ===' % num)
+    for target_node in tqdm(node_list):
+        n_perturbations = int(degrees[target_node])
+        model = FGA(surrogate, nnodes=adj.shape[0], device=device)
+        model = model.to(device)
+        model.attack(features, adj, labels, idx_train, target_node, n_perturbations)
+        modified_adj = model.modified_adj
+        acc = single_test(modified_adj, features, target_node)
+        if acc == 0:
+            cnt += 1
+    print('misclassification rate : %s' % (cnt/num))
+
+def single_test(adj, features, target_node, gcn=None):
+    if gcn is None:
+        # test on GCN (poisoning attack)
+        gcn = GCN(nfeat=features.shape[1],
+                  nhid=16,
+                  nclass=labels.max().item() + 1,
+                  dropout=0.5, device=device)
+
+        gcn = gcn.to(device)
+
+        gcn.fit(features, adj, labels, idx_train, idx_val, patience=30)
+        gcn.eval()
+        output = gcn.predict()
+    else:
+        # test on GCN (evasion attack)
+        output = gcn.predict(features, adj)
+    probs = torch.exp(output[[target_node]])
+
+    # acc_test = accuracy(output[[target_node]], labels[target_node])
+    acc_test = (output.argmax(1)[target_node] == labels[target_node])
+    return acc_test.item()
+
+def multi_test_evasion():
+    # test on 40 nodes on evasion attack
+    # target_gcn = GCN(nfeat=features.shape[1],
+    #           nhid=16,
+    #           nclass=labels.max().item() + 1,
+    #           dropout=0.5, device=device)
+
+    # target_gcn = target_gcn.to(device)
+    # target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30)
+
+    target_gcn = surrogate
+    cnt = 0
+    degrees = adj.sum(0).A1
+    node_list = select_nodes(target_gcn)
+    num = len(node_list)
+
+    print('=== [Evasion] Attacking %s nodes respectively ===' % num)
+    for target_node in tqdm(node_list):
+        n_perturbations = int(degrees[target_node])
+        model = FGA(surrogate, nnodes=adj.shape[0], device=device)
+        model = model.to(device)
+        model.attack(features, adj, labels, idx_train, target_node, n_perturbations)
+        modified_adj = model.modified_adj
+
+        acc = single_test(modified_adj, features, target_node, gcn=target_gcn)
+        if acc == 0:
+            cnt += 1
+    print('misclassification rate : %s' % (cnt/num))
+
+if __name__ == '__main__':
+    main()
+    multi_test_evasion()
+    multi_test_poison()

examples/graph/test_gcn_adj_cgscore.py

@@ -0,0 +1,328 @@
+# compute cgscore for gcn
+# author: Yaning
+import torch
+import numpy as np
+import torch.nn.functional as Fd
+from deeprobust.graph.defense import GCNJaccard, GCN
+from deeprobust.graph.defense import GCNScore
+from deeprobust.graph.utils import *
+from deeprobust.graph.data import Dataset, PrePtbDataset
+from scipy.sparse import csr_matrix
+import argparse
+import pickle
+from deeprobust.graph import utils
+from collections import defaultdict
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='pubmed', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.25,  help='pertubation rate')
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+
+# make sure you use the same data splits as you generated attacks
+np.random.seed(args.seed)
+if args.cuda:
+    torch.cuda.manual_seed(args.seed)
+
+# Here the random seed is to split the train/val/test data,
+# we need to set the random seed to be the same as that when you generate the perturbed graph
+# data = Dataset(root='/tmp/', name=args.dataset, setting='nettack', seed=15)
+# Or we can just use setting='prognn' to get the splits
+data = Dataset(root='/tmp/', name=args.dataset, setting='prognn')
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+
+perturbed_data = PrePtbDataset(root='/tmp/',
+        name=args.dataset,
+        attack_method='metattack',
+        ptb_rate=args.ptb_rate)
+
+perturbed_adj = perturbed_data.adj
+# idx_test = perturbed_data.target_nodes
+# perturbed_adj = adj
+
+def save_cg_scores(cg_scores, filename="cg_scores.npy"):
+    np.save(filename, cg_scores)
+    print(f"CG-scores saved to {filename}")
+
+def load_cg_scores_numpy(filename="cg_scores.npy"):
+    cg_scores = np.load(filename, allow_pickle=True)
+    print(f"CG-scores loaded from {filename}")
+    return cg_scores
+
+def calc_cg_score_gnn_with_sampling(
+    A, X, labels, device, rep_num=1, unbalance_ratio=1, sub_term=False
+):
+    """
+    Calculate CG-score for each edge in a graph with node labels and random sampling.
+
+    Args:
+        A: torch.Tensor
+            Adjacency matrix of the graph (size: N x N).
+        X: torch.Tensor
+            Node features matrix (size: N x F).
+        labels: torch.Tensor
+            Node labels (size: N).
+        device: torch.device
+            Device to perform calculations.
+        rep_num: int
+            Number of repetitions for Monte Carlo sampling.
+        unbalance_ratio: float
+            Ratio of unbalanced data (1:unbalance_ratio).
+        sub_term: bool
+            If True, calculate and return sub-terms.
+
+    Returns:
+        cg_scores: dict
+            Dictionary containing CG-scores for edges and optionally sub-terms.
+    """
+    N = A.shape[0]
+    cg_scores = {
+        "vi": np.zeros((N, N)),
+        "ab": np.zeros((N, N)),
+        "a2": np.zeros((N, N)),
+        "b2": np.zeros((N, N)),
+        "times": np.zeros((N, N)),
+    }
+
+    with torch.no_grad():
+        for _ in range(rep_num):
+            # Compute AX (node representations)
+            AX = torch.matmul(A, X).to(device)
+            norm_AX = AX / torch.norm(AX, dim=1, keepdim=True)
+
+            # Group nodes by their labels
+            dataset = defaultdict(list)
+            data_idx = defaultdict(list)
+            for i, label in enumerate(labels):
+                dataset[label.item()].append(norm_AX[i].unsqueeze(0))  # Store normalized data
+                data_idx[label.item()].append(i)  # Store indices
+
+            # Convert to tensors
+            for label, data_list in dataset.items():
+                dataset[label] = torch.cat(data_list, dim=0)
+                data_idx[label] = torch.tensor(data_idx[label], dtype=torch.long, device=device)
+
+            # Calculate CG-scores for each label group
+            for curr_label, curr_samples in dataset.items():
+                curr_indices = data_idx[curr_label]
+                curr_num = len(curr_samples)
+
+                # Randomly sample a subset of current label examples
+                chosen_curr_idx = np.random.choice(range(curr_num), curr_num, replace=False)
+                chosen_curr_samples = curr_samples[chosen_curr_idx]
+                chosen_curr_indices = curr_indices[chosen_curr_idx]
+
+                # Sample negative examples from other classes
+                neg_samples = torch.cat(
+                    [dataset[l] for l in dataset if l != curr_label], dim=0
+                )
+                neg_indices = torch.cat(
+                    [data_idx[l] for l in data_idx if l != curr_label], dim=0
+                )
+                neg_num = min(int(curr_num * unbalance_ratio), len(neg_samples))
+                chosen_neg_samples = neg_samples[
+                    torch.randperm(len(neg_samples))[:neg_num]
+                ]
+
+                # Combine positive and negative samples
+                combined_samples = torch.cat([chosen_curr_samples, chosen_neg_samples], dim=0)
+                y = torch.cat(
+                    [torch.ones(len(chosen_curr_samples)), -torch.ones(neg_num)], dim=0
+                ).to(device)
+
+                # Compute the Gram matrix H^\infty
+                H_inner = torch.matmul(combined_samples, combined_samples.T)
+                del combined_samples
+                ###
+                H_inner = torch.clamp(H_inner, min=-1.0, max=1.0)
+                ###
+                H = H_inner * (np.pi - torch.acos(H_inner)) / (2 * np.pi)
+                del H_inner
+
+                H.fill_diagonal_(0.5)
+                ##
+                epsilon = 1e-6
+                H = H + epsilon * torch.eye(H.size(0), device=H.device)
+                ##
+                invH = torch.inverse(H)
+                del H
+                original_error = y @ (invH @ y)
+
+                # Compute CG-scores for each edge
+                for i in chosen_curr_indices:
+                    print("the node index:", i)
+                    for j in range(i + 1, N):  # Upper triangular traversal
+                        # print(j)
+                        if A[i, j] == 0:  # Skip if no edge exists
+                            continue
+
+                        # Remove edge (i, j) to create A1
+                        A1 = A.clone()
+                        A1[i, j] = A1[j, i] = 0
+
+                        # Recompute AX with A1
+                        AX1 = torch.matmul(A1, X).to(device)
+                        norm_AX1 = AX1 / torch.norm(AX1, dim=1, keepdim=True)
+
+                        # Repeat error calculation with A1
+                        curr_samples_A1 = norm_AX1[chosen_curr_indices]
+                        neg_samples_A1 = norm_AX1[neg_indices]
+                        chosen_neg_samples_A1 = neg_samples_A1[
+                            torch.randperm(len(neg_samples_A1))[:neg_num]
+                        ]
+                        combined_samples_A1 = torch.cat(
+                            [curr_samples_A1, chosen_neg_samples_A1], dim=0
+                        )
+                        H_inner_A1 = torch.matmul(combined_samples_A1, combined_samples_A1.T)
+
+                        del combined_samples_A1
+                        
+                        ### trick1
+                        H_inner_A1 = torch.clamp(H_inner_A1, min=-1.0, max=1.0)
+                        ###
+
+                        H_A1 = H_inner_A1 * (np.pi - torch.acos(H_inner_A1)) / (2 * np.pi)
+                        del H_inner_A1
+                        H_A1.fill_diagonal_(0.5)
+
+                        ### trick2
+                        epsilon = 1e-6
+                        H_A1= H_A1 + epsilon * torch.eye(H_A1.size(0), device=H_A1.device)
+                        ###
+                        invH_A1 = torch.inverse(H_A1)
+                        del H_A1
+
+                        error_A1 = y @ (invH_A1 @ y)
+                         
+                        print("i:", i)
+                        print("j:", j)
+                        print("current score:", (original_error - error_A1).item())
+                        # Compute the difference in error (CG-score)
+                        cg_scores["vi"][i, j] += (original_error - error_A1).item()
+                        cg_scores["vi"][j, i] = cg_scores["vi"][i, j]  # Symmetric
+                        cg_scores["times"][i, j] += 1
+                        cg_scores["times"][j, i] += 1
+
+    # Normalize CG-scores by repetition count
+    for key, values in cg_scores.items():
+        if key == "times":
+            continue
+        cg_scores[key] = values / np.where(cg_scores["times"] > 0, cg_scores["times"], 1)
+
+    return cg_scores if sub_term else cg_scores["vi"] 
+
+def remove_least_important_edges(adj, cgscore, remove_ratio=0.8):
+    """
+    Remove the least important edges based on CGScore.
+
+    Args:
+        adj (torch.Tensor): Original adjacency matrix (N x N).
+        cgscore (np.ndarray): CGScore matrix (N x N).
+        keep_ratio (float): Ratio of edges to keep (default: 0.8).
+
+    Returns:
+        adj (torch.Tensor): Adjusted adjacency matrix after removing edges.
+    """
+    # Convert CGScore from numpy to PyTorch tensor
+    cgscore = torch.tensor(cgscore, dtype=torch.float32)
+    
+    assert adj.shape == cgscore.shape, "adj and cgscore must have the same shape"
+    N = adj.shape[0]
+    
+    # Extract upper triangular non-zero elements (excluding diagonal)
+    triu_indices = torch.triu_indices(N, N, offset=1)  # Upper triangle indices
+    triu_scores = cgscore[triu_indices[0], triu_indices[1]]
+    triu_adj = adj[triu_indices[0], triu_indices[1]]
+    
+    # Mask to ignore zero elements in adj
+    mask = triu_adj > 0
+    triu_scores = triu_scores[mask]
+    triu_indices = triu_indices[:, mask]
+
+    # Sort by CGScore in ascending order
+    sorted_indices = torch.argsort(triu_scores)  # Indices of sorted CGScores
+    
+
+    # Determine the cutoff for edges to remove
+    num_edges_to_remove = int(len(sorted_indices) * (remove_ratio))  # Edges to remove
+    print("len(sorted_indices)", len(sorted_indices))
+    print("remove_radio:", remove_ratio)
+    print("num_edges_to_remove", num_edges_to_remove)
+    edges_to_remove = sorted_indices[:num_edges_to_remove]  # First 20% (lowest CGScores)
+    
+    # Create a copy of the adjacency matrix
+    adj_new = adj.clone()
+
+    # Remove the least important edges
+    for idx in edges_to_remove:
+        i, j = triu_indices[:, idx]
+        adj_new[i, j] = 0
+        adj_new[j, i] = 0  # Ensure symmetry
+
+    return adj_new
+
+def is_symmetric_sparse(adj):
+    """
+    Check if a sparse matrix is symmetric.
+    """
+    # Check symmetry
+    return (adj != adj.transpose()).nnz == 0  # .nnz is the number of non-zero elements
+
+def make_symmetric_sparse(adj):
+    """
+    Ensure the sparse adjacency matrix is symmetrical.
+    """
+    # Make the matrix symmetric
+    sym_adj = (adj + adj.transpose()) / 2
+    return sym_adj
+
+perturbed_adj = make_symmetric_sparse(perturbed_adj)
+
+if type(perturbed_adj) is not torch.Tensor:
+    features, perturbed_adj, _ = utils.to_tensor(features, perturbed_adj, labels)
+else:
+    features = features.to(device)
+    perturbed_adj = perturbed_adj.to(device)
+    # labels = labels.to(device)
+
+if utils.is_sparse_tensor(perturbed_adj):
+    
+    adj_norm = utils.normalize_adj_tensor(perturbed_adj, sparse=True)
+else:
+    adj_norm = utils.normalize_adj_tensor(perturbed_adj)
+
+features = features.to_dense()
+perturbed_adj = perturbed_adj.to_dense()
+
+# save_cg_scores(calc_cg_score, filename="cg_scores.npy")
+# calc_cg_score =  calc_cg_score_gnn_with_sampling(perturbed_adj, features, labels, device, rep_num=1, unbalance_ratio=1, sub_term=False)
+# print("cgscore:", calc_cg_score_gnn_with_sampling)
+
+
+cg_scores = load_cg_scores_numpy(filename="pubmed_0.05.npy")
+cg_scores_abs = np.abs(cg_scores)
+perturbed_adj = remove_least_important_edges(perturbed_adj, cg_scores_abs, remove_ratio=0.2)
+perturbed_adj = sp.csr_matrix(perturbed_adj.numpy())
+features =  sp.csr_matrix(features.numpy())
+
+# Setup Defense Model
+# model = GCNJaccard(nfeat=features.shape[1], nclass=labels.max()+1,
+#                 nhid=16, device=device)
+
+model = GCN(nfeat=features.shape[1], nclass=labels.max()+1,
+                nhid=16, device=device)
+
+model = model.to(device)
+ 
+print("labels:", labels)
+print('=== testing GCN-Jaccard on perturbed graph ===')
+model.fit(features, perturbed_adj, labels, idx_train, idx_val, train_iters=200, verbose=True)
+model.eval()
+# You can use the inner function of model to test
+model.test(idx_test)

examples/graph/test_gcn_svd.py

@@ -0,0 +1,52 @@
+import torch
+import numpy as np
+import torch.nn.functional as F
+import torch.optim as optim
+from deeprobust.graph.defense import GCNSVD
+from deeprobust.graph.utils import *
+from deeprobust.graph.data import Dataset, PrePtbDataset
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='cora', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.05,  help='pertubation rate')
+parser.add_argument('--k', type=int, default=15, help='Truncated Components.')
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+
+# make sure you use the same data splits as you generated attacks
+np.random.seed(args.seed)
+if args.cuda:
+    torch.cuda.manual_seed(args.seed)
+
+# Here the random seed is to split the train/val/test data,
+# we need to set the random seed to be the same as that when you generate the perturbed graph
+# data = Dataset(root='/tmp/', name=args.dataset, setting='nettack', seed=15)
+# Or we can just use setting='prognn' to get the splits
+data = Dataset(root='/tmp/', name=args.dataset, setting='prognn')
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+
+# load pre-attacked graph
+perturbed_data = PrePtbDataset(root='/tmp/',
+        name=args.dataset,
+        attack_method='meta',
+        ptb_rate=args.ptb_rate)
+perturbed_adj = perturbed_data.adj
+
+# Setup Defense Model
+model = GCNSVD(nfeat=features.shape[1], nclass=labels.max()+1,
+                nhid=16, device=device)
+
+model = model.to(device)
+
+print('=== testing GCN-SVD on perturbed graph ===')
+model.fit(features, perturbed_adj, labels, idx_train, idx_val, k=args.k, verbose=True)
+model.eval()
+output = model.test(idx_test)
+

examples/graph/test_ig.py

@@ -0,0 +1,192 @@
+import torch
+import numpy as np
+import torch.nn.functional as F
+import torch.optim as optim
+from deeprobust.graph.defense import GCN
+from deeprobust.graph.targeted_attack import IGAttack
+from deeprobust.graph.utils import *
+from deeprobust.graph.data import Dataset
+import argparse
+from tqdm import tqdm
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='citeseer', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.05,  help='pertubation rate')
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+
+np.random.seed(args.seed)
+torch.manual_seed(args.seed)
+if args.cuda:
+    torch.cuda.manual_seed(args.seed)
+
+data = Dataset(root='/tmp/', name=args.dataset)
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+idx_unlabeled = np.union1d(idx_val, idx_test)
+
+# Setup Surrogate model
+surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
+                nhid=16, device=device)
+
+surrogate = surrogate.to(device)
+surrogate.fit(features, adj, labels, idx_train, idx_val)
+
+# Setup Attack Model
+target_node = 0
+assert target_node in idx_unlabeled
+
+model = IGAttack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device=device)
+model = model.to(device)
+
+def main():
+    degrees = adj.sum(0).A1
+    # How many perturbations to perform. Default: Degree of the node
+    n_perturbations = int(degrees[target_node])
+
+    model.attack(features, adj, labels, idx_train, target_node, n_perturbations, steps=20)
+    modified_adj = model.modified_adj
+    modified_features = model.modified_features
+
+    print('=== testing GCN on original(clean) graph ===')
+    test(adj, features, target_node)
+
+    print('=== testing GCN on perturbed graph ===')
+    test(modified_adj, modified_features, target_node)
+
+def test(adj, features, target_node):
+    ''' test on GCN '''
+    gcn = GCN(nfeat=features.shape[1],
+              nhid=16,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device=device)
+
+    gcn = gcn.to(device)
+
+    gcn.fit(features, adj, labels, idx_train)
+
+    gcn.eval()
+    output = gcn.predict()
+    probs = torch.exp(output[[target_node]])[0]
+    print('probs: {}'.format(probs.detach().cpu().numpy()))
+    acc_test = accuracy(output[idx_test], labels[idx_test])
+
+    print("Test set results:",
+          "accuracy= {:.4f}".format(acc_test.item()))
+
+    return acc_test.item()
+
+def select_nodes(target_gcn=None):
+    '''
+    selecting nodes as reported in nettack paper:
+    (i) the 10 nodes with highest margin of classification, i.e. they are clearly correctly classified,
+    (ii) the 10 nodes with lowest margin (but still correctly classified) and
+    (iii) 20 more nodes randomly
+    '''
+
+    if target_gcn is None:
+        target_gcn = GCN(nfeat=features.shape[1],
+                  nhid=16,
+                  nclass=labels.max().item() + 1,
+                  dropout=0.5, device=device)
+        target_gcn = target_gcn.to(device)
+        target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30)
+    target_gcn.eval()
+    output = target_gcn.predict()
+
+    margin_dict = {}
+    for idx in idx_test:
+        margin = classification_margin(output[idx], labels[idx])
+        if margin < 0: # only keep the nodes correctly classified
+            continue
+        margin_dict[idx] = margin
+    sorted_margins = sorted(margin_dict.items(), key=lambda x:x[1], reverse=True)
+    high = [x for x, y in sorted_margins[: 10]]
+    low = [x for x, y in sorted_margins[-10: ]]
+    other = [x for x, y in sorted_margins[10: -10]]
+    other = np.random.choice(other, 20, replace=False).tolist()
+
+    return high + low + other
+
+def multi_test_poison():
+    # test on 40 nodes on poisoining attack
+    cnt = 0
+    degrees = adj.sum(0).A1
+    node_list = select_nodes()
+    num = len(node_list)
+    print('=== [Poisoning] Attacking %s nodes respectively ===' % num)
+    for target_node in tqdm(node_list):
+        n_perturbations = int(degrees[target_node])
+        model = IGAttack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device=device)
+        model = model.to(device)
+        model.attack(features, adj, labels, idx_train, target_node, n_perturbations, steps=20)
+        modified_adj = model.modified_adj
+        modified_features = model.modified_features
+        acc = single_test(modified_adj, modified_features, target_node)
+        if acc == 0:
+            cnt += 1
+    print('misclassification rate : %s' % (cnt/num))
+
+def single_test(adj, features, target_node, gcn=None):
+    if gcn is None:
+        # test on GCN (poisoning attack)
+        gcn = GCN(nfeat=features.shape[1],
+                  nhid=16,
+                  nclass=labels.max().item() + 1,
+                  dropout=0.5, device=device)
+
+        gcn = gcn.to(device)
+
+        gcn.fit(features, adj, labels, idx_train, idx_val, patience=30)
+        gcn.eval()
+        output = gcn.predict()
+    else:
+        # test on GCN (evasion attack)
+        output = gcn.predict(features, adj)
+    probs = torch.exp(output[[target_node]])
+
+    # acc_test = accuracy(output[[target_node]], labels[target_node])
+    acc_test = (output.argmax(1)[target_node] == labels[target_node])
+    return acc_test.item()
+
+def multi_test_evasion():
+    # test on 40 nodes on evasion attack
+    # target_gcn = GCN(nfeat=features.shape[1],
+    #           nhid=16,
+    #           nclass=labels.max().item() + 1,
+    #           dropout=0.5, device=device)
+    # target_gcn = target_gcn.to(device)
+    # target_gcn.fit(features, adj, labels, idx_train, idx_val, patience=30)
+
+    target_gcn = surrogate
+
+    cnt = 0
+    degrees = adj.sum(0).A1
+    node_list = select_nodes(target_gcn)
+    num = len(node_list)
+
+    print('=== [Evasion] Attacking %s nodes respectively ===' % num)
+    for target_node in tqdm(node_list):
+        n_perturbations = int(degrees[target_node])
+        model = IGAttack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device=device)
+        model = model.to(device)
+        model.attack(features, adj, labels, idx_train, target_node, n_perturbations, steps=20)
+        modified_adj = model.modified_adj
+        modified_features = model.modified_features
+
+        acc = single_test(modified_adj, modified_features, target_node, gcn=target_gcn)
+        if acc == 0:
+            cnt += 1
+    print('misclassification rate : %s' % (cnt/num))
+
+if __name__ == '__main__':
+    main()
+    # multi_test_evasion()
+    multi_test_poison()
+
+

examples/graph/test_prbcd_cora.py

@@ -0,0 +1,47 @@
+from torch_geometric.datasets import Planetoid
+from torch_geometric.utils import to_undirected
+import torch_geometric.transforms as T
+import argparse
+import torch
+import deeprobust.graph.utils as utils
+from deeprobust.graph.global_attack import PRBCD
+from deeprobust.graph.defense_pyg import GCN, SAGE, GAT
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--ptb_rate', type=float, default=0.1, help='perturbation rate.')
+args = parser.parse_args()
+
+device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
+dataset = Planetoid('./', 'cora')
+dataset.transform = T.NormalizeFeatures()
+data = dataset[0]
+
+### we can also attack other models such as GCN, GAT, SAGE or GPRGNN
+### (models in deeprobust.graph.defense_pyg), see below
+print('now we choose to attack GCN model')
+model = GCN(nfeat=data.x.shape[1], nhid=32, nclass=dataset.num_classes,
+            nlayers=2, dropout=0.5, lr=0.01, weight_decay=5e-4,
+            device=device).to(device)
+agent = PRBCD(data, model=model, device=device, epochs=50) # by default, we are attacking the GCN model
+agent.pretrain_model(model) # use the function to pretrain the provided model
+edge_index, edge_weight = agent.attack(ptb_rate=args.ptb_rate)
+
+print('now we choose to attack SAGE model')
+model = SAGE(nfeat=data.x.shape[1], nhid=32, nclass=dataset.num_classes,
+            nlayers=2, dropout=0.5, lr=0.01, weight_decay=5e-4,
+            device=device).to(device)
+agent = PRBCD(data, model=model, device=device, epochs=50) # by default, we are attacking the GCN model
+agent.pretrain_model(model) # use the function to pretrain the provided model
+edge_index, edge_weight = agent.attack(ptb_rate=args.ptb_rate)
+
+
+print('now we choose to attack GAT model')
+model = GAT(nfeat=data.x.shape[1], nhid=8, heads=8, weight_decay=5e-4,
+            lr=0.005, nlayers=2, nclass=dataset.num_classes,
+            dropout=0.5, device=device).to(device)
+
+agent = PRBCD(data, model=model, device=device, epochs=50) # by default, we are attacking the GCN model
+agent.pretrain_model(model) # use the function to pretrain the provided model
+edge_index, edge_weight = agent.attack(ptb_rate=args.ptb_rate)
+
+

examples/graph/test_rgcn.py

@@ -0,0 +1,52 @@
+import torch
+import numpy as np
+import torch.nn.functional as F
+from deeprobust.graph.defense import RGCN
+from deeprobust.graph.utils import *
+from deeprobust.graph.data import Dataset
+from deeprobust.graph.data import PrePtbDataset
+
+import argparse
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='cora', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.05,  help='pertubation rate')
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
+
+# Here the random seed is to split the train/val/test data,
+# we need to set the random seed to be the same as that when you generate the perturbed graph
+# data = Dataset(root='/tmp/', name=args.dataset, setting='nettack', seed=15)
+# Or we can just use setting='prognn' to get the splits
+data = Dataset(root='/tmp/', name=args.dataset, setting='prognn')
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+np.random.seed(args.seed)
+torch.manual_seed(args.seed)
+if args.cuda:
+    torch.cuda.manual_seed(args.seed)
+
+# load pre-attacked graph by Zugner: https://github.com/danielzuegner/gnn-meta-attack
+print('==================')
+print('=== load graph perturbed by Zugner metattack (under prognn splits) ===')
+
+perturbed_data = PrePtbDataset(root='/tmp/',
+        name=args.dataset,
+        attack_method='meta',
+        ptb_rate=args.ptb_rate)
+perturbed_adj = perturbed_data.adj
+
+# Setup RGCN Model
+model = RGCN(nnodes=perturbed_adj.shape[0], nfeat=features.shape[1], nclass=labels.max()+1,
+                nhid=32, device=device)
+
+model = model.to(device)
+
+model.fit(features, perturbed_adj, labels, idx_train, idx_val, train_iters=200, verbose=True)
+# You can use the inner function of model to test
+model.test(idx_test)
+

examples/graph/test_sgc.py

@@ -0,0 +1,52 @@
+import torch
+import argparse
+from deeprobust.graph.data import Dataset, Dpr2Pyg
+from deeprobust.graph.defense import SGC
+from deeprobust.graph.data import Dataset
+from deeprobust.graph.data import PrePtbDataset
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='cora', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.05,  help='perturbation rate')
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+
+# use data splist provided by prognn
+data = Dataset(root='/tmp/', name=args.dataset, setting='prognn')
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+sgc = SGC(nfeat=features.shape[1],
+      nclass=labels.max().item() + 1,
+      lr=0.1, device=device)
+sgc = sgc.to(device)
+
+
+# test on clean graph
+print('==================')
+print('=== train on clean graph ===')
+
+pyg_data = Dpr2Pyg(data)
+sgc.fit(pyg_data, verbose=True) # train with earlystopping
+sgc.test()
+
+# load pre-attacked graph by Zugner: https://github.com/danielzuegner/gnn-meta-attack
+print('==================')
+print('=== load graph perturbed by Zugner metattack (under prognn splits) ===')
+
+perturbed_data = PrePtbDataset(root='/tmp/',
+        name=args.dataset,
+        attack_method='meta',
+        ptb_rate=args.ptb_rate)
+perturbed_adj = perturbed_data.adj
+pyg_data.update_edge_index(perturbed_adj) # inplace operation
+sgc.fit(pyg_data, verbose=True) # train with earlystopping
+sgc.test()
+
+
+
+

examples/graph/test_simpgcn.py

@@ -0,0 +1,48 @@
+import torch
+import numpy as np
+import torch.nn.functional as F
+from deeprobust.graph.utils import *
+from deeprobust.graph.data import Dataset
+from deeprobust.graph.data import PtbDataset, PrePtbDataset
+from deeprobust.graph.defense import SimPGCN
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--seed', type=int, default=15, help='Random seed.')
+parser.add_argument('--dataset', type=str, default='cora', choices=['cora', 'cora_ml', 'citeseer', 'polblogs', 'pubmed'], help='dataset')
+parser.add_argument('--ptb_rate', type=float, default=0.05,  help='pertubation rate')
+
+args = parser.parse_args()
+args.cuda = torch.cuda.is_available()
+print('cuda: %s' % args.cuda)
+device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+
+# use data splist provided by prognn
+data = Dataset(root='/tmp/', name=args.dataset, setting='prognn')
+adj, features, labels = data.adj, data.features, data.labels
+idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+
+print('==================')
+print('=== load graph perturbed by Zugner metattack (under prognn splits) ===')
+# load pre-attacked graph by Zugner: https://github.com/danielzuegner/gnn-meta-attack
+perturbed_data = PrePtbDataset(root='/tmp/',
+        name=args.dataset,
+        attack_method='meta',
+        ptb_rate=args.ptb_rate)
+perturbed_adj = perturbed_data.adj
+
+np.random.seed(args.seed)
+torch.manual_seed(args.seed)
+if args.cuda:
+    torch.cuda.manual_seed(args.seed)
+
+# Setup Defense Model
+model = SimPGCN(nnodes=features.shape[0], nfeat=features.shape[1], nhid=16, nclass=labels.max()+1, device=device)
+model = model.to(device)
+
+# using validation to pick model
+model.fit(features, perturbed_adj, labels, idx_train, idx_val, train_iters=200, verbose=True)
+# You can use the inner function of model to test
+model.test(idx_test)
+

examples/image/test1.py

@@ -0,0 +1,122 @@
+from __future__ import print_function
+import argparse
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+import torch.optim as optim
+from torchvision import datasets, transforms
+import numpy as np
+
+
+class Net(nn.Module):
+    def __init__(self):
+        super(Net, self).__init__()
+        self.conv1 = nn.Conv2d(1, 20, 5, 1)
+        self.conv2 = nn.Conv2d(20, 50, 5, 1)
+        self.fc1 = nn.Linear( 4 * 4 *50, 500)
+        self.fc2 = nn.Linear(500, 10)
+
+    def forward(self, x):
+        x = F.relu(self.conv1(x))
+        x = F.max_pool2d(x, 2, 2)
+        x = F.relu(self.conv2(x))
+        x = F.max_pool2d(x, 2, 2)
+        x = x.view(-1, 4* 4 * 50)
+        x = F.relu(self.fc1(x))
+        x = self.fc2(x)
+        return F.log_softmax(x, dim=1)
+
+
+def train(model, device, train_loader, optimizer, epoch):
+    model.train()
+    for batch_idx, (data, target) in enumerate(train_loader):
+        data, target = data.to(device), target.to(device)
+        optimizer.zero_grad()
+        output = model(data)
+        loss = F.nll_loss(output, target)
+        loss.backward()
+        optimizer.step()
+        if batch_idx % 10 == 0:
+            print('Train Epoch: {} [{}/{} ({:.0f}%)]\tLoss: {:.6f}'.format(
+                epoch, batch_idx * len(data), len(train_loader.dataset),
+                       100. * batch_idx / len(train_loader), loss.item()))
+
+
+def test(model, device, test_loader):
+    model.eval()
+
+    test_loss = 0
+    correct = 0
+    with torch.no_grad():
+        for data, target in test_loader:
+            data, target = data.to(device), target.to(device)
+            output = model(data)
+            test_loss += F.nll_loss(output, target, reduction='sum').item()  # sum up batch loss
+            pred = output.argmax(dim=1, keepdim=True)  # get the index of the max log-probability
+            correct += pred.eq(target.view_as(pred)).sum().item()
+
+    test_loss /= len(test_loader.dataset)
+
+    print('\nTest set: Average loss: {:.4f}, Accuracy: {}/{} ({:.0f}%)\n'.format(
+        test_loss, correct, len(test_loader.dataset),
+        100. * correct / len(test_loader.dataset)))
+
+
+
+
+torch.manual_seed(100)
+device = torch.device("cuda")
+
+
+train_loader = torch.utils.data.DataLoader(
+    datasets.MNIST('../data', train=True, download=True,
+                 transform=transforms.Compose([transforms.ToTensor(),
+                 transforms.Normalize((0.1307,), (0.3081,))])),
+    batch_size=64,
+    shuffle=True)
+
+test_loader = torch.utils.data.DataLoader(
+    datasets.MNIST('../data', train=False,
+                transform=transforms.Compose([transforms.ToTensor(),
+                transforms.Normalize((0.1307,), (0.3081,))])),
+    batch_size=1000,
+    shuffle=True)
+
+model = Net().to(device)
+optimizer = optim.SGD(model.parameters(), lr=0.01, momentum=0.5)
+
+
+save_model = True
+for epoch in range(1, 5 + 1):     ## 5 batches
+    train( model, device, train_loader, optimizer, epoch)
+    test( model, device, test_loader)
+
+    if (save_model):
+        torch.save(model.state_dict(), "mnist_cnn.pt")
+
+
+
+
+############################################################## test
+
+xx = datasets.MNIST('../data').data[0:10]
+xx = xx.unsqueeze_(1).float()/255
+
+yy = datasets.MNIST('../data', download=True).targets[0:10]
+
+
+from fgsm import FGM
+
+
+fgsm_params = {
+    'epsilon': 0.1,
+    'order': np.inf,
+    'clip_max': None,
+    'clip_min': None
+}
+
+F1 = FGM(model, device = "cpu")       ### or cuda
+aa = F1.generate(x=xx, y=yy, **fgsm_params)
+
+import matplotlib.pyplot as plt
+plt.imsave('test.jpg', aa[0,0])

examples/image/test_ImageNet.py

@@ -0,0 +1,33 @@
+import torchvision
+import torch
+from torchvision import datasets
+from torchvision import transforms
+import os
+from deeprobust.image.attack.pgd import PGD
+from deeprobust.image.config import attack_params
+
+val_root  = '/mnt/home/liyaxin1/Documents/data/ImageNet'
+#Imagenet_data = torchvision.datasets.ImageNet(val_root, split = 'val')
+test_loader = torch.utils.data.DataLoader(datasets.ImageFolder('~/Documents/data/ImageNet/val', transforms.Compose([
+                    transforms.Scale(256), transforms.CenterCrop(224), transforms.ToTensor(),
+                    transforms.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225])])), batch_size=1, shuffle=False)
+
+#import torchvision.models as models
+#model = models.resnet50(pretrained=True).to('cuda')
+
+import pretrainedmodels
+model = pretrainedmodels.resnet50(num_classes=1000, pretrained='imagenet').to('cuda')
+
+for i, (input, y) in enumerate(test_loader):
+
+    import ipdb
+    ipdb.set_trace()
+
+    input, y = input.to('cuda'), y.to('cuda')
+    pred = model(input)
+    print(pred.argmax(dim=1, keepdim = True))
+
+    adversary = PGD(model)
+    AdvExArray = adversary.generate(input, y, **attack_params['PGD_CIFAR10']).float()
+
+

examples/image/test_onepixel.py

@@ -0,0 +1,80 @@
+import numpy as np
+import torch
+import torch.nn as nn
+import torch.nn.functional as F #233
+import torch.optim as optim
+from torchvision import datasets,models,transforms
+from PIL import Image
+import argparse
+
+from deeprobust.image.attack.onepixel import Onepixel
+from deeprobust.image.netmodels import resnet
+from deeprobust.image.config import attack_params
+from deeprobust.image.utils import download_model
+
+def parameter_parser():
+    parser = argparse.ArgumentParser(description = "Run attack algorithms.")
+
+    parser.add_argument("--destination",
+                        default = './trained_models/',
+                        help = "choose destination to load the pretrained models.")
+
+    parser.add_argument("--filename",
+                        default = "MNIST_CNN_epoch_20.pt")
+
+    return parser.parse_args()
+
+args = parameter_parser() # read argument and creat an argparse object
+
+model = resnet.ResNet18().to('cuda')
+print("Load network")
+
+model.load_state_dict(torch.load("./trained_models/CIFAR10_ResNet18_epoch_20.pt"))
+model.eval()
+
+transform_val = transforms.Compose([
+                transforms.ToTensor(),
+                ])
+
+test_loader  = torch.utils.data.DataLoader(
+                datasets.CIFAR10('deeprobust/image/data', train = False, download=True,
+                transform = transform_val),
+                batch_size = 1, shuffle=True) #, **kwargs)
+
+
+classes = np.array(('plane', 'car', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse', 'ship', 'truck'))
+
+xx, yy = next(iter(test_loader))
+xx = xx.to('cuda').float()
+
+"""
+Generate adversarial examples
+"""
+
+F1 = Onepixel(model, device = "cuda")       ### or cuda
+AdvExArray = F1.generate(xx, yy)
+
+predict0 = model(xx)
+predict0= predict0.argmax(dim=1, keepdim=True)
+
+predict1 = model(AdvExArray)
+predict1= predict1.argmax(dim=1, keepdim=True)
+
+print("original prediction:")
+print(predict0)
+
+print("attack prediction:")
+print(predict1)
+
+xx = xx.cpu().detach().numpy()
+AdvExArray = AdvExArray.cpu().detach().numpy()
+
+import matplotlib.pyplot as plt
+xx = xx[0].transpose(1, 2, 0)
+AdvExArray = AdvExArray[0].transpose(1, 2, 0)
+
+plt.imshow(xx, vmin=0, vmax=255)
+plt.savefig('./adversary_examples/cifar10_advexample_ori.png')
+
+plt.imshow(AdvExArray, vmin=0, vmax=255)
+plt.savefig('./adversary_examples/cifar10_advexample_onepixel_adv.png')

examples/image/test_pgdtraining.py

@@ -0,0 +1,38 @@
+from deeprobust.image.defense.pgdtraining import PGDtraining
+from deeprobust.image.attack.pgd import PGD
+import torch
+from torchvision import datasets, transforms
+from deeprobust.image.netmodels.CNN import Net
+from deeprobust.image.config import defense_params
+
+
+"""
+LOAD DATASETS
+"""
+
+train_loader = torch.utils.data.DataLoader(
+                datasets.MNIST('deeprobust/image/defense/data', train=True, download=True,
+                transform=transforms.Compose([transforms.ToTensor()])),
+                batch_size=256,
+                shuffle=True)
+
+test_loader = torch.utils.data.DataLoader(
+            datasets.MNIST('deeprobust/image/defense/data', train=False,
+            transform=transforms.Compose([transforms.ToTensor()])),
+            batch_size=256,
+            shuffle=True)
+
+
+"""
+TRAIN DEFENSE MODEL
+"""
+
+print('====== START TRAINING =====')
+
+model = Net()
+
+defense = PGDtraining(model, 'cuda')
+defense.generate(train_loader, test_loader, **defense_params["PGDtraining_MNIST"])
+
+print('====== FINISH TRAINING =====')
+

examples/image/test_train.py

@@ -0,0 +1,2 @@
+import deeprobust.image.netmodels.train_model as trainmodel
+trainmodel.train('CNN','MNIST','cuda', 20)