pygip.models.attack package

Subpackages

• pygip.models.attack.mea package
  • Submodules
  • pygip.models.attack.mea.MEA module
    • ModelExtractionAttack
      • ModelExtractionAttack._abc_impl
      • ModelExtractionAttack._load_model()
      • ModelExtractionAttack._train_target_model()
      • ModelExtractionAttack.attack()
      • ModelExtractionAttack.supported_api_types
      • ModelExtractionAttack.supported_datasets
    • ModelExtractionAttack0
      • ModelExtractionAttack0._abc_impl
      • ModelExtractionAttack0.attack()
      • ModelExtractionAttack0.get_nonzero_indices()
    • ModelExtractionAttack1
      • ModelExtractionAttack1._abc_impl
      • ModelExtractionAttack1.attack()
    • ModelExtractionAttack2
      • ModelExtractionAttack2._abc_impl
      • ModelExtractionAttack2.attack()
    • ModelExtractionAttack3
      • ModelExtractionAttack3._abc_impl
      • ModelExtractionAttack3.attack()
    • ModelExtractionAttack4
      • ModelExtractionAttack4._abc_impl
      • ModelExtractionAttack4.attack()
    • ModelExtractionAttack5
      • ModelExtractionAttack5._abc_impl
      • ModelExtractionAttack5.attack()
  • Module contents

Submodules

pygip.models.attack.AdvMEA module

class pygip.models.attack.AdvMEA.AdvMEA(dataset, attack_node_fraction, model_path=None)

Bases: BaseAttack

_abc_impl = <_abc_data object>

_load_model(model_path)

Load a pre-trained model.

_to_cpu(tensor)

Safely move tensor to CPU for NumPy operations

_train_target_model()

Train the target model (GCN) on the original graph.

attack()

Execute the attack.

supported_api_types = {'dgl'}

pygip.models.attack.CEGA module

class pygip.models.attack.CEGA.CEGA(dataset, attack_node_fraction, model_path=None)

Bases: BaseAttack

_abc_impl = <_abc_data object>

attack(seed=1, cuda=None, LR=0.001, TGT_LR=0.01, EVAL_EPOCH=10, TGT_EPOCH=10, WARMUP_EPOCH=4, dropout=False, model_performance=True, **kwargs)

Execute the attack.

supported_api_types = {'dgl'}

class pygip.models.attack.CEGA.GCN_drop(*args: Any, **kwargs: Any)

Bases: Module

forward(g, features)

class pygip.models.attack.CEGA.GcnNet(*args: Any, **kwargs: Any)

Bases: Module

forward(g, features, return_hidden=False)

pygip.models.attack.CEGA.accuracy(output, labels)

pygip.models.attack.CEGA.attack0(dataset_name, seed, cuda, attack_node_arg=0.25, file_path='', LR=0.001, TGT_LR=0.01, EVAL_EPOCH=1000, TGT_EPOCH=1000, WARMUP_EPOCH=400, dropout=False, model_performance=True, **kwargs)

pygip.models.attack.CEGA.aug_normalized_adjacency(adj)

pygip.models.attack.CEGA.aug_random_walk(adj)

pygip.models.attack.CEGA.calculate_entropy(probs)

pygip.models.attack.CEGA.compute_distance(_i, _j, features_aax)

pygip.models.attack.CEGA.compute_rank(tensor, element)

pygip.models.attack.CEGA.convert_pyg_to_dgl(pyg_data)

Converts a PyTorch Geometric Data object into a DGLGraph.

Parameters:

pyg_data (torch_geometric.data.Data) – PyTorch Geometric Data object.

Returns:

The converted DGL graph.

Return type:

dgl.DGLGraph

pygip.models.attack.CEGA.evaluate(model, g, features, labels, mask)

pygip.models.attack.CEGA.find_short_dist(embedding_pool, cluster_centers)

pygip.models.attack.CEGA.get_current_neighbors_1(cur_nodes, adj_matrix)

pygip.models.attack.CEGA.get_current_neighbors_dense(cur_nodes, adj_matrix2)

pygip.models.attack.CEGA.get_entropy_contribute(npy_m1, npy_m2)

pygip.models.attack.CEGA.get_max_info_entropy_node_set(idx_used, high_score_nodes, labels, batch_size, adj_matrix2, num_class, model_prediction)

pygip.models.attack.CEGA.get_max_nnd_node_dense(idx_used, high_score_nodes, min_distance, distance_aax, num_ones, num_node, adj_matrix2, gamma=1)

pygip.models.attack.CEGA.get_receptive_fields_dense(cur_neighbors, selected_node, weighted_score, adj_matrix2)

pygip.models.attack.CEGA.init_mask(C, sub_train_mask, sub_labels)

pygip.models.attack.CEGA.load_data(dataset_name)

pygip.models.attack.CEGA.load_data_from_grain(path='./data', dataset='cora')

ind.[:dataset].x => the feature vectors of the training instances (scipy.sparse.csr.csr_matrix) ind.[:dataset].y => the one-hot labels of the labeled training instances (numpy.ndarray) ind.[:dataset].allx => the feature vectors of both labeled and unlabeled training instances (csr_matrix) ind.[:dataset].ally => the labels for instances in ind.dataset_str.allx (numpy.ndarray) ind.[:dataset].graph => the dict in the format {index: [index of neighbor nodes]} (collections.defaultdict) ind.[:dataset].tx => the feature vectors of the test instances (scipy.sparse.csr.csr_matrix) ind.[:dataset].ty => the one-hot labels of the test instances (numpy.ndarray) ind.[:dataset].test.index => indices of test instances in graph, for the inductive setting

pygip.models.attack.CEGA.normalize(mx)

Row-normalize sparse matrix

pygip.models.attack.CEGA.page_rank(graph, damping_factor=0.85, max_iter=100, tol=1e-08)

pygip.models.attack.CEGA.parse_index_file(filename)

pygip.models.attack.CEGA.perturb_avg(net, sub_g, sub_features, num_perturbations, noise_level)

pygip.models.attack.CEGA.perturb_features(sub_features, noise_level=0.05)

pygip.models.attack.CEGA.quantile_selection(A, B, C, index_1, index_2, index_3, sub_train_mask, sub_train_mask_new, num_each)

pygip.models.attack.CEGA.rank_centrality(sub_g, sub_train_mask, sub_train_mask_new, num_each, return_rank=True)

pygip.models.attack.CEGA.rank_cluster(net, sub_g, sub_features, labels, total_sub_nodes, sub_train_mask, sub_train_mask_new, num_clusters, num_each, return_rank=True)

pygip.models.attack.CEGA.rank_density(net, sub_g, sub_features, sub_train_mask, sub_train_mask_new, num_each, num_clusters, return_rank=True)

pygip.models.attack.CEGA.rank_diversity(net, sub_g, sub_features, sub_train_mask, sub_train_mask_new, num_each, num_clusters, rho, return_rank=True)

pygip.models.attack.CEGA.rank_entropy(net, sub_g, sub_features, sub_train_mask, sub_train_mask_new, num_each, return_rank=True)

pygip.models.attack.CEGA.rank_perturb(net, sub_g, sub_features, num_perturbations, sub_train_mask, sub_train_mask_new, noise_level, num_each, return_rank=True)

pygip.models.attack.CEGA.set_seed(seed)

pygip.models.attack.CEGA.sparse_mx_to_torch_sparse_tensor(sparse_mx)

Convert a scipy sparse matrix to a torch sparse tensor.

pygip.models.attack.CEGA.update_sub_train_mask(num_each, sub_train_mask, sub_train_mask_new)

pygip.models.attack.DataFreeMEA module

class pygip.models.attack.DataFreeMEA.DFEAAttack(dataset, attack_node_fraction, model_path=None)

Bases: BaseAttack

_abc_impl = <_abc_data object>

_forward(model, graph, features)

_load_model(model_path)

Load a pre-trained model.

_train_target_model()

Train the target model if not provided.

abstract attack()

Execute the attack.

evaluate(surrogate)

supported_api_types = {'dgl'}

class pygip.models.attack.DataFreeMEA.DFEATypeI(dataset, attack_node_fraction, model_path=None)

Bases: DFEAAttack

Type I: Uses victim outputs + gradients for surrogate training.

_abc_impl = <_abc_data object>

attack()

Execute the attack.

class pygip.models.attack.DataFreeMEA.DFEATypeII(dataset, attack_node_fraction, model_path=None)

Bases: DFEAAttack

Type II: Uses victim outputs only (hard labels).

_abc_impl = <_abc_data object>

attack()

Execute the attack.

class pygip.models.attack.DataFreeMEA.DFEATypeIII(dataset, attack_node_fraction, model_path=None)

Bases: DFEAAttack

Type III: Two surrogates with victim supervision + consistency.

_abc_impl = <_abc_data object>

attack()

Execute the attack.

class pygip.models.attack.DataFreeMEA.GraphGenerator(node_number, feature_number, label_number)

Bases: object

generate()

pygip.models.attack.base module

class pygip.models.attack.base.BaseAttack(dataset, attack_node_fraction=None, model_path=None, device=None)

Bases: ABC

Abstract base class for attack models.

This class provides a common interface for various attack strategies on graph-based machine learning models. It handles device management, dataset loading, and compatibility checks to ensure that the attack can be executed on the given dataset and model API type.

supported_api_types

A set of strings representing the supported API types (e.g., ‘pyg’, ‘dgl’).

Type:

set

supported_datasets

A set of strings representing the names of supported dataset classes.

Type:

set

device

The computing device (CPU or GPU) to be used for the attack.

Type:

torch.device

dataset

The dataset object containing graph data and metadata.

Type:

Dataset

graph_dataset

The raw graph dataset from the underlying library.

graph_data

The primary graph data structure.

num_nodes

The number of nodes in the graph.

Type:

int

num_features

The number of features per node.

Type:

int

num_classes

The number of classes for node classification.

Type:

int

attack_node_fraction

The fraction of nodes to be targeted by the attack.

Type:

float, optional

model_path

The path to a pre-trained target model.

Type:

str, optional

_abc_impl = <_abc_data object>

_check_dataset_compatibility()

Checks if the dataset is compatible with the attack.

Raises:

ValueError – If the dataset’s API type or class name is not in the list of supported types.

_load_model(model_path)

Load a pre-trained model.

_train_attack_model()

Train the attack model.

_train_target_model()

Train the target model if not provided.

abstract attack()

Execute the attack.

supported_api_types = {}

supported_datasets = {}

Module contents

class pygip.models.attack.AdvMEA(dataset, attack_node_fraction, model_path=None)

Bases: BaseAttack

_abc_impl = <_abc_data object>

_load_model(model_path)

Load a pre-trained model.

_to_cpu(tensor)

Safely move tensor to CPU for NumPy operations

_train_target_model()

Train the target model (GCN) on the original graph.

attack()

Execute the attack.

supported_api_types = {'dgl'}

class pygip.models.attack.CEGA(dataset, attack_node_fraction, model_path=None)

Bases: BaseAttack

_abc_impl = <_abc_data object>

attack(seed=1, cuda=None, LR=0.001, TGT_LR=0.01, EVAL_EPOCH=10, TGT_EPOCH=10, WARMUP_EPOCH=4, dropout=False, model_performance=True, **kwargs)

Execute the attack.

supported_api_types = {'dgl'}

class pygip.models.attack.DFEATypeI(dataset, attack_node_fraction, model_path=None)

Bases: DFEAAttack

Type I: Uses victim outputs + gradients for surrogate training.

_abc_impl = <_abc_data object>

attack()

Execute the attack.

class pygip.models.attack.DFEATypeII(dataset, attack_node_fraction, model_path=None)

Bases: DFEAAttack

Type II: Uses victim outputs only (hard labels).

_abc_impl = <_abc_data object>

attack()

Execute the attack.

class pygip.models.attack.DFEATypeIII(dataset, attack_node_fraction, model_path=None)

Bases: DFEAAttack

Type III: Two surrogates with victim supervision + consistency.

_abc_impl = <_abc_data object>

attack()

Execute the attack.

class pygip.models.attack.ModelExtractionAttack0(dataset, attack_node_fraction, model_path=None, alpha=0.8)

Bases: ModelExtractionAttack

_abc_impl = <_abc_data object>

attack()

Main attack procedure.

1. Samples a subset of nodes (sub_graph_node_index) for querying.

2. Synthesizes features for neighboring nodes and their neighbors.

3. Builds a sub-graph, trains a new GCN on it, and evaluates fidelity & accuracy w.r.t. the target model.

get_nonzero_indices(matrix_row)

class pygip.models.attack.ModelExtractionAttack1(dataset, attack_node_fraction)

Bases: ModelExtractionAttack

_abc_impl = <_abc_data object>

attack()

Main attack procedure.

1. Reads selected nodes from file for training (attack) nodes.

2. Reads query labels from another file.

3. Builds a shadow graph from the given adjacency matrix file.

4. Trains a shadow model on the selected nodes, then evaluates fidelity & accuracy against the original target graph.

class pygip.models.attack.ModelExtractionAttack2(dataset, attack_node_fraction, model_path=None)

Bases: ModelExtractionAttack

ModelExtractionAttack2.

A strategy that randomly samples a fraction of nodes as attack nodes, synthesizes identity features for all nodes, then trains an extraction model. The leftover nodes become test nodes.

Inherits

ModelExtractionAttack

_abc_impl = <_abc_data object>

attack()

Main attack procedure.

1. Randomly select attack_node_num nodes as training nodes.

2. Set up synthetic features as identity vectors for all nodes.

3. Train a Net_attack model on these nodes with the queried labels.

4. Evaluate fidelity & accuracy on a subset of leftover nodes.

class pygip.models.attack.ModelExtractionAttack3(dataset, attack_node_fraction, model_path=None)

Bases: ModelExtractionAttack

ModelExtractionAttack3.

A more complex extraction strategy that uses a “shadow graph index” file to build partial subgraphs and merges them. It queries selected nodes from a potential set and forms a combined adjacency matrix.

Inherits

ModelExtractionAttack

_abc_impl = <_abc_data object>

attack()

Main attack procedure.

Steps: 1. Loads indices for two subgraphs from text files. 2. Selects attack_node_num nodes from the first subgraph index. 3. Merges subgraph adjacency matrices and constructs a new graph

with combined features.

4. Trains a new GCN and evaluates fidelity & accuracy w.r.t. the original target.

class pygip.models.attack.ModelExtractionAttack4(dataset, attack_node_fraction, model_path=None)

Bases: ModelExtractionAttack

ModelExtractionAttack4.

Another graph-based strategy that reads node indices from files, merges adjacency matrices, and links new edges based on feature similarity.

Inherits

ModelExtractionAttack

_abc_impl = <_abc_data object>

attack()

Main attack procedure.

1. Reads two sets of node indices from text files.

2. Selects a fixed number of nodes from the target set for attack.

3. Builds a combined adjacency matrix with zero blocks, then populates edges between shadow and attack nodes based on a distance threshold.

4. Trains a new GCN on this combined graph and evaluates fidelity & accuracy.

class pygip.models.attack.ModelExtractionAttack5(dataset, attack_node_fraction, model_path=None)

Bases: ModelExtractionAttack

ModelExtractionAttack5.

Similar to ModelExtractionAttack4, but uses a slightly different strategy to link edges between nodes based on a threshold distance.

Inherits

ModelExtractionAttack

_abc_impl = <_abc_data object>

attack()

Main attack procedure.

1. Reads two sets of node indices (for target and shadow nodes).

2. Builds a block adjacency matrix with all zero blocks, then links edges between attack nodes and shadow nodes if the feature distance is less than a threshold.

3. Trains a new GCN on this combined graph and evaluates fidelity & accuracy.

class pygip.models.attack.RealisticAttack(dataset, attack_node_fraction, model_path=None, hidden_dim=64, threshold_s=0.7, threshold_a=0.5)

Bases: BaseAttack

DGL-based GNN model extraction attack

_abc_impl = <_abc_data object>

add_potential_edges(candidate_edges, labeled_nodes)

Add potential edges based on edge prediction results

attack()

Execute model extraction attack

compute_cosine_similarity(features)

Compute cosine similarity of node features

evaluate_attack(enhanced_graph)

Evaluate attack performance

generate_candidate_edges(labeled_nodes, unlabeled_nodes)

Generate candidate edge set

simulate_target_model_queries(query_nodes, error_rate=0.15)

Simulate target model queries with a certain proportion of incorrect labels

supported_api_types = {'dgl'}

supported_datasets = {}

train_edge_predictor(labeled_nodes, predicted_labels, epochs=100)

Train edge prediction model

train_surrogate_model(enhanced_graph, labeled_nodes, predicted_labels, epochs=200)

Train surrogate model