Introduction to Graph Attack with Examples

In this section, we introduce the graph attack algorithms provided in DeepRobust. Speficailly, they can be divied into two types: (1) targeted attack deeprobust.graph.targeted_attack and (2) global attack deeprobust.graph.global_attack.

Global (Untargeted) Attack for Node Classification

Global (untargeted) attack aims to fool GNNs into giving wrong predictions on all given nodes. Specifically, DeepRobust provides the following targeted attack algorithms:

All the above attacks except NodeEmbeddingAttack and OtherNodeEmbeddingAttack (see details here ) take the adjacency matrix, node feature matrix and labels as input. Usually, the adjacency matrix is in the format of scipy.sparse.csr_matrix and feature matrix can either be scipy.sparse.csr_matrix or numpy.array. The attack algorithm will then transfer them into torch.tensor inside the class. It is also fine if you provide torch.tensor as input, since the algorithm can automatically deal with it. Now let’s take a look at an example:

import numpy as np
from deeprobust.graph.data import Dataset
from deeprobust.graph.defense import GCN
from deeprobust.graph.global_attack import Metattack
data = Dataset(root='/tmp/', name='cora')
adj, features, labels = data.adj, data.features, data.labels
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
idx_unlabeled = np.union1d(idx_val, idx_test)
idx_unlabeled = np.union1d(idx_val, idx_test)
# Setup Surrogate model
surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
                nhid=16, dropout=0, with_relu=False, with_bias=False, device='cpu').to('cpu')
surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30)
# Setup Attack Model
model = Metattack(surrogate, nnodes=adj.shape[0], feature_shape=features.shape,
        attack_structure=True, attack_features=False, device='cpu', lambda_=0).to('cpu')
# Attack
model.attack(features, adj, labels, idx_train, idx_unlabeled, n_perturbations=10, ll_constraint=False)
modified_adj = model.modified_adj # modified_adj is a torch.tensor

Targeted Attack for Node Classification

Targeted attack aims to fool GNNs into give wrong predictions on a subset of nodes. Specifically, DeepRobust provides the following targeted attack algorithms:

All the above attacks take the adjacency matrix, node feature matrix and labels as input. Usually, the adjacency matrix is in the format of scipy.sparse.csr_matrix and feature matrix can either be scipy.sparse.csr_matrix or numpy.array. Now let’s take a look at an example:

from deeprobust.graph.data import Dataset
from deeprobust.graph.defense import GCN
from deeprobust.graph.targeted_attack import Nettack
data = Dataset(root='/tmp/', name='cora')
adj, features, labels = data.adj, data.features, data.labels
idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
# Setup Surrogate model
surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
                nhid=16, dropout=0, with_relu=False, with_bias=False, device='cpu').to('cpu')
surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30)
# Setup Attack Model
target_node = 0
model = Nettack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device='cpu').to('cpu')
# Attack
model.attack(features, adj, labels, target_node, n_perturbations=5)
modified_adj = model.modified_adj # scipy sparse matrix
modified_features = model.modified_features # scipy sparse matrix

Note that we also provide scripts in test_nettack.py for selecting nodes as reported in the nettack paper: (1) the 10 nodes with highest margin of classification, i.e. they are clearly correctly classified, (2) the 10 nodes with lowest margin (but still correctly classified) and (3) 20 more nodes randomly.

More Examples

More examples can be found in deeprobust.graph.targeted_attack and deeprobust.graph.global_attack. You can also find examples in github code examples and more details in attacks table.