""" Implementation of the method proposed in the paper: 'Adversarial Attacks on Neural Networks for Graph Data' by Daniel Zügner, Amir Akbarnejad and Stephan Günnemann, published at SIGKDD'18, August 2018, London, UK Copyright (C) 2018 Daniel Zügner Technical University of Munich """ import numpy as np import scipy.sparse as sp from nettack import utils from numba import jit class Nettack: """ Nettack class used for poisoning attacks on node classification models. Copyright (C) 2018 Daniel Zügner Technical University of Munich """ def __init__(self, adj, X_obs, z_obs, W1, W2, u, verbose=False): # Adjacency matrix self.adj = adj.copy().tolil() self.adj_no_selfloops = self.adj.copy() self.adj_no_selfloops.setdiag(0) self.adj_orig = self.adj.copy().tolil() self.u = u # the node being attacked self.adj_preprocessed = utils.preprocess_graph(self.adj).tolil() # Number of nodes self.N = adj.shape[0] # Node attributes self.X_obs = X_obs.copy().tolil() self.X_obs_orig = self.X_obs.copy().tolil() # Node labels self.z_obs = z_obs.copy() self.label_u = self.z_obs[self.u] self.K = np.max(self.z_obs)+1 # GCN weight matrices self.W1 = W1 self.W2 = W2 self.W = sp.csr_matrix(self.W1.dot(self.W2)) self.cooc_matrix = self.X_obs.T.dot(self.X_obs).tolil() self.cooc_constraint = None self.structure_perturbations = [] self.feature_perturbations = [] self.influencer_nodes = [] self.potential_edges = [] self.verbose = verbose def compute_cooccurrence_constraint(self, nodes): """ Co-occurrence constraint as described in the paper. Parameters ---------- nodes: np.array Nodes whose features are considered for change Returns ------- np.array [len(nodes), D], dtype bool Binary matrix of dimension len(nodes) x D. A 1 in entry n,d indicates that we are allowed to add feature d to the features of node n. """ words_graph = self.cooc_matrix.copy() D = self.X_obs.shape[1] words_graph.setdiag(0) words_graph = (words_graph > 0) word_degrees = np.sum(words_graph, axis=0).A1 inv_word_degrees = np.reciprocal(word_degrees.astype(float) + 1e-8) sd = np.zeros([self.N]) for n in range(self.N): n_idx = self.X_obs[n, :].nonzero()[1] sd[n] = np.sum(inv_word_degrees[n_idx.tolist()]) scores_matrix = sp.lil_matrix((self.N, D)) for n in nodes: common_words = words_graph.multiply(self.X_obs[n]) idegs = inv_word_degrees[common_words.nonzero()[1]] nnz = common_words.nonzero()[0] scores = np.array([idegs[nnz == ix].sum() for ix in range(D)]) scores_matrix[n] = scores self.cooc_constraint = sp.csr_matrix(scores_matrix - 0.5 * sd[:, None] > 0) def gradient_wrt_x(self, label): """ Compute the gradient of the logit belonging to the class of the input label with respect to the input features. Parameters ---------- label: int Class whose logits are of interest Returns ------- np.array [N, D] matrix containing the gradients. """ return self.adj_preprocessed.dot(self.adj_preprocessed)[self.u].T.dot(self.W[:, label].T) def compute_logits(self): """ Compute the logits of the surrogate model, i.e. linearized GCN. Returns ------- np.array, [N, K] The log probabilities for each node. """ return self.adj_preprocessed.dot(self.adj_preprocessed).dot(self.X_obs.dot(self.W))[self.u].toarray()[0] def strongest_wrong_class(self, logits): """ Determine the incorrect class with largest logits. Parameters ---------- logits: np.array, [N, K] The input logits Returns ------- np.array, [N, L] The indices of the wrong labels with the highest attached log probabilities. """ label_u_onehot = np.eye(self.K)[self.label_u] return (logits - 1000*label_u_onehot).argmax() def feature_scores(self): """ Compute feature scores for all possible feature changes. """ if self.cooc_constraint is None: self.compute_cooccurrence_constraint(self.influencer_nodes) logits = self.compute_logits() best_wrong_class = self.strongest_wrong_class(logits) gradient = self.gradient_wrt_x(self.label_u) - self.gradient_wrt_x(best_wrong_class) surrogate_loss = logits[self.label_u] - logits[best_wrong_class] gradients_flipped = (gradient * -1).tolil() gradients_flipped[self.X_obs.nonzero()] *= -1 X_influencers = sp.lil_matrix(self.X_obs.shape) X_influencers[self.influencer_nodes] = self.X_obs[self.influencer_nodes] gradients_flipped = gradients_flipped.multiply((self.cooc_constraint + X_influencers) > 0) nnz_ixs = np.array(gradients_flipped.nonzero()).T sorting = np.argsort(gradients_flipped[tuple(nnz_ixs.T)]).A1 sorted_ixs = nnz_ixs[sorting] grads = gradients_flipped[tuple(nnz_ixs[sorting].T)] scores = surrogate_loss - grads return sorted_ixs[::-1], scores.A1[::-1] def struct_score(self, a_hat_uv, XW): """ Compute structure scores, cf. Eq. 15 in the paper Parameters ---------- a_hat_uv: sp.sparse_matrix, shape [P,2] Entries of matrix A_hat^2_u for each potential edge (see paper for explanation) XW: sp.sparse_matrix, shape [N, K], dtype float The class logits for each node. Returns ------- np.array [P,] The struct score for every row in a_hat_uv """ logits = a_hat_uv.dot(XW) label_onehot = np.eye(XW.shape[1])[self.label_u] best_wrong_class_logits = (logits - 1000 * label_onehot).max(1) logits_for_correct_class = logits[:,self.label_u] struct_scores = logits_for_correct_class - best_wrong_class_logits return struct_scores def compute_XW(self): """ Shortcut to compute the dot product of X and W Returns ------- X.dot(W) """ return self.X_obs.dot(self.W) def get_attacker_nodes(self, n=5, add_additional_nodes = False): """ Determine the influencer nodes to attack node i based on the weights W and the attributes X. Parameters ---------- n: int, default: 5 The desired number of attacker nodes. add_additional_nodes: bool, default: False if True and the degree of node i (d_u) is < n, we select n-d_u additional attackers, which should get connected to u afterwards (outside this function). Returns ------- np.array, shape [n,]: The indices of the attacker nodes. optional: np.array, shape [n - degree(n)] if additional_nodes is True, we separately return the additional attacker node indices """ assert n < self.N-1, "number of influencers cannot be >= number of nodes in the graph!" neighbors = self.adj_no_selfloops[self.u].nonzero()[1] assert self.u not in neighbors potential_edges = np.column_stack((np.tile(self.u, len(neighbors)),neighbors)).astype("int32") # The new A_hat_square_uv values that we would get if we removed the edge from u to each of the neighbors, # respectively a_hat_uv = self.compute_new_a_hat_uv(potential_edges) XW = self.compute_XW() # compute the struct scores for all neighbors struct_scores = self.struct_score(a_hat_uv, XW).A1 if len(neighbors) >= n: # do we have enough neighbors for the number of desired influencers? influencer_nodes = neighbors[np.argsort(struct_scores)[:n]] if add_additional_nodes: return influencer_nodes, np.array([]) return influencer_nodes else: influencer_nodes = neighbors if add_additional_nodes: # Add additional influencers by connecting them to u first. # Compute the set of possible additional influencers, i.e. all nodes except the ones # that are already connected to u. poss_add_infl = np.setdiff1d(np.setdiff1d(np.arange(self.N),neighbors), self.u) n_possible_additional = len(poss_add_infl) n_additional_attackers = n-len(neighbors) possible_edges = np.column_stack((np.tile(self.u, n_possible_additional), poss_add_infl)) # Compute the struct_scores for all possible additional influencers, and choose the one # with the best struct score. a_hat_uv_additional = self.compute_new_a_hat_uv(possible_edges) additional_struct_scores = self.struct_score(a_hat_uv_additional, XW) additional_influencers = poss_add_infl[np.argsort(additional_struct_scores)[-n_additional_attackers::]] return influencer_nodes, additional_influencers else: return influencer_nodes def compute_new_a_hat_uv(self, potential_edges): """ Compute the updated A_hat_square_uv entries that would result from inserting/deleting the input edges, for every edge. Parameters ---------- potential_edges: np.array, shape [P,2], dtype int The edges to check. Returns ------- sp.sparse_matrix: updated A_hat_square_u entries, a sparse PxN matrix, where P is len(possible_edges). """ edges = np.array(self.adj.nonzero()).T edges_set = {tuple(x) for x in edges} A_hat_sq = self.adj_preprocessed @ self.adj_preprocessed values_before = A_hat_sq[self.u].toarray()[0] node_ixs = np.unique(edges[:, 0], return_index=True)[1] twohop_ixs = np.array(A_hat_sq.nonzero()).T degrees = self.adj.sum(0).A1 + 1 ixs, vals = compute_new_a_hat_uv(edges, node_ixs, edges_set, twohop_ixs, values_before, degrees, potential_edges, self.u) ixs_arr = np.array(ixs) a_hat_uv = sp.coo_matrix((vals, (ixs_arr[:, 0], ixs_arr[:, 1])), shape=[len(potential_edges), self.N]) return a_hat_uv def attack_surrogate(self, n_perturbations, perturb_structure=True, perturb_features=True, direct=True, n_influencers=0, delta_cutoff=0.004): """ Perform an attack on the surrogate model. Parameters ---------- n_perturbations: int The number of perturbations (structure or feature) to perform. perturb_structure: bool, default: True Indicates whether the structure can be changed. perturb_features: bool, default: True Indicates whether the features can be changed. direct: bool, default: True indicates whether to directly modify edges/features of the node attacked or only those of influencers. n_influencers: int, default: 0 Number of influencing nodes -- will be ignored if direct is True delta_cutoff: float The critical value for the likelihood ratio test of the power law distributions. See the Chi square distribution with one degree of freedom. Default value 0.004 corresponds to a p-value of roughly 0.95. Returns ------- None. """ assert not (direct==False and n_influencers==0), "indirect mode requires at least one influencer node" assert n_perturbations > 0, "need at least one perturbation" assert perturb_features or perturb_structure, "either perturb_features or perturb_structure must be true" logits_start = self.compute_logits() best_wrong_class = self.strongest_wrong_class(logits_start) surrogate_losses = [logits_start[self.label_u] - logits_start[best_wrong_class]] if self.verbose: print("##### Starting attack #####") if perturb_structure and perturb_features: print("##### Attack node with ID {} using structure and feature perturbations #####".format(self.u)) elif perturb_features: print("##### Attack only using feature perturbations #####") elif perturb_structure: print("##### Attack only using structure perturbations #####") if direct: print("##### Attacking the node directly #####") else: print("##### Attacking the node indirectly via {} influencer nodes #####".format(n_influencers)) print("##### Performing {} perturbations #####".format(n_perturbations)) if perturb_structure: # Setup starting values of the likelihood ratio test. degree_sequence_start = self.adj_orig.sum(0).A1 current_degree_sequence = self.adj.sum(0).A1 d_min = 2 S_d_start = np.sum(np.log(degree_sequence_start[degree_sequence_start >= d_min])) current_S_d = np.sum(np.log(current_degree_sequence[current_degree_sequence >= d_min])) n_start = np.sum(degree_sequence_start >= d_min) current_n = np.sum(current_degree_sequence >= d_min) alpha_start = compute_alpha(n_start, S_d_start, d_min) log_likelihood_orig = compute_log_likelihood(n_start, alpha_start, S_d_start, d_min) if len(self.influencer_nodes) == 0: if not direct: # Choose influencer nodes infls, add_infls = self.get_attacker_nodes(n_influencers, add_additional_nodes=True) self.influencer_nodes= np.concatenate((infls, add_infls)).astype("int") # Potential edges are all edges from any attacker to any other node, except the respective # attacker itself or the node being attacked. self.potential_edges = np.row_stack([np.column_stack((np.tile(infl, self.N - 2), np.setdiff1d(np.arange(self.N), np.array([self.u,infl])))) for infl in self.influencer_nodes]) if self.verbose: print("Influencer nodes: {}".format(self.influencer_nodes)) else: # direct attack influencers = [self.u] self.potential_edges = np.column_stack((np.tile(self.u, self.N-1), np.setdiff1d(np.arange(self.N), self.u))) self.influencer_nodes = np.array(influencers) self.potential_edges = self.potential_edges.astype("int32") for _ in range(n_perturbations): if self.verbose: print("##### ...{}/{} perturbations ... #####".format(_+1, n_perturbations)) if perturb_structure: # Do not consider edges that, if removed, result in singleton edges in the graph. singleton_filter = filter_singletons(self.potential_edges, self.adj) filtered_edges = self.potential_edges[singleton_filter] # Update the values for the power law likelihood ratio test. deltas = 2 * (1 - self.adj[tuple(filtered_edges.T)].toarray()[0] )- 1 d_edges_old = current_degree_sequence[filtered_edges] d_edges_new = current_degree_sequence[filtered_edges] + deltas[:, None] new_S_d, new_n = update_Sx(current_S_d, current_n, d_edges_old, d_edges_new, d_min) new_alphas = compute_alpha(new_n, new_S_d, d_min) new_ll = compute_log_likelihood(new_n, new_alphas, new_S_d, d_min) alphas_combined = compute_alpha(new_n + n_start, new_S_d + S_d_start, d_min) new_ll_combined = compute_log_likelihood(new_n + n_start, alphas_combined, new_S_d + S_d_start, d_min) new_ratios = -2 * new_ll_combined + 2 * (new_ll + log_likelihood_orig) # Do not consider edges that, if added/removed, would lead to a violation of the # likelihood ration Chi_square cutoff value. powerlaw_filter = filter_chisquare(new_ratios, delta_cutoff) filtered_edges_final = filtered_edges[powerlaw_filter] # Compute new entries in A_hat_square_uv a_hat_uv_new = self.compute_new_a_hat_uv(filtered_edges_final) # Compute the struct scores for each potential edge struct_scores = self.struct_score(a_hat_uv_new, self.compute_XW()) best_edge_ix = struct_scores.argmin() best_edge_score = struct_scores.min() best_edge = filtered_edges_final[best_edge_ix] if perturb_features: # Compute the feature scores for each potential feature perturbation feature_ixs, feature_scores = self.feature_scores() best_feature_ix = feature_ixs[0] best_feature_score = feature_scores[0] if perturb_structure and perturb_features: # decide whether to choose an edge or feature to change if best_edge_score < best_feature_score: if self.verbose: print("Edge perturbation: {}".format(best_edge)) change_structure = True else: if self.verbose: print("Feature perturbation: {}".format(best_feature_ix)) change_structure=False elif perturb_structure: change_structure = True elif perturb_features: change_structure = False if change_structure: # perform edge perturbation self.adj[tuple(best_edge)] = self.adj[tuple(best_edge[::-1])] = 1 - self.adj[tuple(best_edge)] self.adj_preprocessed = utils.preprocess_graph(self.adj) self.structure_perturbations.append(tuple(best_edge)) self.feature_perturbations.append(()) surrogate_losses.append(best_edge_score) # Update likelihood ratio test values current_S_d = new_S_d[powerlaw_filter][best_edge_ix] current_n = new_n[powerlaw_filter][best_edge_ix] current_degree_sequence[best_edge] += deltas[powerlaw_filter][best_edge_ix] else: self.X_obs[tuple(best_feature_ix)] = 1 - self.X_obs[tuple(best_feature_ix)] self.feature_perturbations.append(tuple(best_feature_ix)) self.structure_perturbations.append(()) surrogate_losses.append(best_feature_score) def reset(self): """ Reset Nettack """ self.adj = self.adj_orig.copy() self.X_obs = self.X_obs_orig.copy() self.structure_perturbations = [] self.feature_perturbations = [] self.influencer_nodes = [] self.potential_edges = [] self.cooc_constraint = None @jit(nopython=True) def connected_after(u, v, connected_before, delta): if u == v: if delta == -1: return False else: return True else: return connected_before @jit(nopython=True) def compute_new_a_hat_uv(edge_ixs, node_nb_ixs, edges_set, twohop_ixs, values_before, degs, potential_edges, u): """ Compute the new values [A_hat_square]_u for every potential edge, where u is the target node. C.f. Theorem 5.1 equation 17. Parameters ---------- edge_ixs: np.array, shape [E,2], where E is the number of edges in the graph. The indices of the nodes connected by the edges in the input graph. node_nb_ixs: np.array, shape [N,], dtype int For each node, this gives the first index of edges associated to this node in the edge array (edge_ixs). This will be used to quickly look up the neighbors of a node, since numba does not allow nested lists. edges_set: set((e0, e1)) The set of edges in the input graph, i.e. e0 and e1 are two nodes connected by an edge twohop_ixs: np.array, shape [T, 2], where T is the number of edges in A_tilde^2 The indices of nodes that are in the twohop neighborhood of each other, including self-loops. values_before: np.array, shape [N,], the values in [A_hat]^2_uv to be updated. degs: np.array, shape [N,], dtype int The degree of the nodes in the input graph. potential_edges: np.array, shape [P, 2], where P is the number of potential edges. The potential edges to be evaluated. For each of these potential edges, this function will compute the values in [A_hat]^2_uv that would result after inserting/removing this edge. u: int The target node Returns ------- return_ixs: List of tuples The ixs in the [P, N] matrix of updated values that have changed return_values: """ N = degs.shape[0] twohop_u = twohop_ixs[twohop_ixs[:, 0] == u, 1] nbs_u = edge_ixs[edge_ixs[:, 0] == u, 1] nbs_u_set = set(nbs_u) return_ixs = [] return_values = [] for ix in range(len(potential_edges)): edge = potential_edges[ix] edge_set = set(edge) degs_new = degs.copy() delta = -2 * ((edge[0], edge[1]) in edges_set) + 1 degs_new[edge] += delta nbs_edge0 = edge_ixs[edge_ixs[:, 0] == edge[0], 1] nbs_edge1 = edge_ixs[edge_ixs[:, 0] == edge[1], 1] affected_nodes = set(np.concatenate((twohop_u, nbs_edge0, nbs_edge1))) affected_nodes = affected_nodes.union(edge_set) a_um = edge[0] in nbs_u_set a_un = edge[1] in nbs_u_set a_un_after = connected_after(u, edge[0], a_un, delta) a_um_after = connected_after(u, edge[1], a_um, delta) for v in affected_nodes: a_uv_before = v in nbs_u_set a_uv_before_sl = a_uv_before or v == u if v in edge_set and u in edge_set and u != v: if delta == -1: a_uv_after = False else: a_uv_after = True else: a_uv_after = a_uv_before a_uv_after_sl = a_uv_after or v == u from_ix = node_nb_ixs[v] to_ix = node_nb_ixs[v + 1] if v < N - 1 else len(edge_ixs) node_nbs = edge_ixs[from_ix:to_ix, 1] node_nbs_set = set(node_nbs) a_vm_before = edge[0] in node_nbs_set a_vn_before = edge[1] in node_nbs_set a_vn_after = connected_after(v, edge[0], a_vn_before, delta) a_vm_after = connected_after(v, edge[1], a_vm_before, delta) mult_term = 1 / np.sqrt(degs_new[u] * degs_new[v]) sum_term1 = np.sqrt(degs[u] * degs[v]) * values_before[v] - a_uv_before_sl / degs[u] - a_uv_before / \ degs[v] sum_term2 = a_uv_after / degs_new[v] + a_uv_after_sl / degs_new[u] sum_term3 = -((a_um and a_vm_before) / degs[edge[0]]) + (a_um_after and a_vm_after) / degs_new[edge[0]] sum_term4 = -((a_un and a_vn_before) / degs[edge[1]]) + (a_un_after and a_vn_after) / degs_new[edge[1]] new_val = mult_term * (sum_term1 + sum_term2 + sum_term3 + sum_term4) return_ixs.append((ix, v)) return_values.append(new_val) return return_ixs, return_values def compute_alpha(n, S_d, d_min): """ Approximate the alpha of a power law distribution. Parameters ---------- n: int or np.array of int Number of entries that are larger than or equal to d_min S_d: float or np.array of float Sum of log degrees in the distribution that are larger than or equal to d_min d_min: int The minimum degree of nodes to consider Returns ------- alpha: float The estimated alpha of the power law distribution """ return n / (S_d - n * np.log(d_min - 0.5)) + 1 def update_Sx(S_old, n_old, d_old, d_new, d_min): """ Update on the sum of log degrees S_d and n based on degree distribution resulting from inserting or deleting a single edge. Parameters ---------- S_old: float Sum of log degrees in the distribution that are larger than or equal to d_min. n_old: int Number of entries in the old distribution that are larger than or equal to d_min. d_old: np.array, shape [N,] dtype int The old degree sequence. d_new: np.array, shape [N,] dtype int The new degree sequence d_min: int The minimum degree of nodes to consider Returns ------- new_S_d: float, the updated sum of log degrees in the distribution that are larger than or equal to d_min. new_n: int, the updated number of entries in the old distribution that are larger than or equal to d_min. """ old_in_range = d_old >= d_min new_in_range = d_new >= d_min d_old_in_range = np.multiply(d_old, old_in_range) d_new_in_range = np.multiply(d_new, new_in_range) new_S_d = S_old - np.log(np.maximum(d_old_in_range, 1)).sum(1) + np.log(np.maximum(d_new_in_range, 1)).sum(1) new_n = n_old - np.sum(old_in_range, 1) + np.sum(new_in_range, 1) return new_S_d, new_n def compute_log_likelihood(n, alpha, S_d, d_min): """ Compute log likelihood of the powerlaw fit. Parameters ---------- n: int Number of entries in the old distribution that are larger than or equal to d_min. alpha: float The estimated alpha of the power law distribution S_d: float Sum of log degrees in the distribution that are larger than or equal to d_min. d_min: int The minimum degree of nodes to consider Returns ------- float: the estimated log likelihood """ return n * np.log(alpha) + n * alpha * np.log(d_min) + (alpha + 1) * S_d def filter_singletons(edges, adj): """ Filter edges that, if removed, would turn one or more nodes into singleton nodes. Parameters ---------- edges: np.array, shape [P, 2], dtype int, where P is the number of input edges. The potential edges. adj: sp.sparse_matrix, shape [N,N] The input adjacency matrix. Returns ------- np.array, shape [P, 2], dtype bool: A binary vector of length len(edges), False values indicate that the edge at the index generates singleton edges, and should thus be avoided. """ degs = np.squeeze(np.array(np.sum(adj,0))) existing_edges = np.squeeze(np.array(adj.tocsr()[tuple(edges.T)])) if existing_edges.size > 0: edge_degrees = degs[np.array(edges)] + 2*(1-existing_edges[:,None]) - 1 else: edge_degrees = degs[np.array(edges)] + 1 zeros = edge_degrees == 0 zeros_sum = zeros.sum(1) return zeros_sum == 0 def filter_chisquare(ll_ratios, cutoff): return ll_ratios < cutoff