Projected and Greedy Randomized Block Coordinate Descent (NeurIPS 2021)

[sigeisler]

Hi PyG-team,

Thank you for the tremendous effort in putting this code base together and maintaining it to this high level of quality.

Similar to the Explainer and GNN-Explainer models, I hereby submit the code for our adversarial attacks based on Randomized Block Coordinate Descent (RBCD) that appeared (NeurIPS 2021). Our efficient (i.e sparse) gradient-based attacks apply to most models in PyG and cover the most popular threat models (see below for more details).

Adversarial robustness is quite related to explainability (here considering w.r.t. graph structure). Specifically, in an adversarial attack, we are asking for a limited number of edges that harm the prediction the most, and (GNN-) Explainer seeks for the set of friendly edges (i.e. minimal set without changing prediction). Due to the similarities, I have integrated attacks similar to how GNNExplainer was integrated.

Adversarial robustness of GNNs is an emerging field (the two seminal works were cited more than 1000 times) and it would be of even greater practical relevance if the "entry barrier" would be lowered. Moreover, having practical adversarial attacks in PyGs code base comes with opportunities for its users. These include: (1) seamless adversarial training for PyG's large collection of models; (2) adversarial attacks can be understood as a building block towards counterfactual explainability (and explainability is already part of PyG's codebase); (3) Adversarial attacks can be used for unsupervised representation learning (similar to Deep Graph Infomax).

Importantly, having adversarial attacks generically implemented that can be directly applied to models (i.e. basic adaptive attacks) would counteract a common antipattern in the graph learning community. In our work
Are Defenses for Graph Neural Networks Robust? (NeurIPS 2022), we show that such adaptive attacks would greatly help to obtain more realistic robustness estimates.

Our Projected- and Greedy Randomized Block Coordinate Descent attacks are (afaik) the only practical general-purpose gradient-based adversarial attacks on GNNs (i.e. work with sparse matrices and come with a linear overhead for test time attacks). Our gradient-based approach relaxes the weights of the adjacency matrix from {0,1} -> [0,1] during the attack and, therefore, seamlessly integrates with all models that support weighted adjacency matrices and do not apply non-differentiable operations to the edge weights. Although, non-differentiable models can often be made differentiable (e.g. using the gumble softmax trick).

Also with respect to tasks and threat models, this implementation covers the most popular cases. The defaults are set for node and graph classification (see unit tests for the latter) and other tasks (e.g. regression) can be handled by providing an appropriate model loss pair. The threat models covered are: (a) "global attacks": the adversary targets a large fraction of nodes at once (e.g. the test set); (b) "local attacks": the adversary targets the prediction of a single node in node-classification; any combination with (I) "evasion": attack at test time (most relevant for inductive learning); (II) "poisoning": attack at training time (most relevant for transductive learning, see poisoning example).

I am happy to include further suggestions and answer any questions. Please let me know if you have any feedback.

[codecov]

Codecov Report

Merging #5972 (b4f831b) into master (2463371) will increase coverage by 0.20%.
The diff coverage is 96.59%.

❗ Current head b4f831b differs from pull request most recent head d300ba9. Consider uploading reports for the commit d300ba9 to get more accurate results

@@            Coverage Diff             @@
##           master    #5972      +/-   ##
==========================================
+ Coverage   85.30%   85.51%   +0.20%     
==========================================
  Files         402      403       +1     
  Lines       21731    22024     +293     
==========================================
+ Hits        18537    18833     +296     
+ Misses       3194     3191       -3     

Impacted Files	Coverage Δ
torch_geometric/contrib/nn/models/rbcd_attack.py	96.57% <96.57%> (ø)
torch_geometric/contrib/nn/models/__init__.py	100.00% <100.00%> (+100.00%)	⬆️
torch_geometric/contrib/__init__.py	100.00% <0.00%> (+100.00%)	⬆️
torch_geometric/contrib/nn/__init__.py	100.00% <0.00%> (+100.00%)	⬆️
torch_geometric/contrib/explain/__init__.py	100.00% <0.00%> (+100.00%)	⬆️
torch_geometric/contrib/nn/conv/__init__.py	100.00% <0.00%> (+100.00%)	⬆️
torch_geometric/contrib/datasets/__init__.py	100.00% <0.00%> (+100.00%)	⬆️
torch_geometric/contrib/transforms/__init__.py	100.00% <0.00%> (+100.00%)	⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[sigeisler]

Thank you @wsad1

I am a bit confused, though, that you assigned me. Is there any action required from my side at the moment?

[rusty1s]

@sigeisler No action required until reviews lands. This just means you are the author of this PR :)

[EdisonLeeeee]

@sigeisler Thanks for adding these. Looks pretty good! This is also related to my current research and it did really help!

[EdisonLeeeee]

Left a few initial comments. Will take a look again soon :)

[EdisonLeeeee]

Sorry for the late. Left some minor points. Will review again these days.

[sigeisler]

Hi @rusty1s I think we are done at the moment and would appreciate input from your side.

[rusty1s]

Sounds good, thanks for the effort.

[rusty1s]

Thank you! Overall, this looks great. There are some questions for me on the need of adding model arguments as attributes of the module, and the need for the device transfers. Other than that, most comments are personal nits :)

[rusty1s]

Any reason this is implemented in the example rather than as a module in nn/models?

[sigeisler]

The main reason is that the train loop can have so many different variations. Of course, we could pass a method that defines the training procedure instead of tons of configurations. Moreover, the implementation here requires an additional dependency (i.e., higher).

If you prefer to have the "poisoning" variant as a dedicated model or configurable option, I am more than happy to implement it.

[sigeisler]

@rusty1s thank you for your time and the comments!

Here are my responses to the high-level questions:

... the need of adding model arguments as attributes of the module...

This was in analogy to the (old) implementation of GNNExplainer (have not checked how it is now). But I agree that we could add it to the attack method. I think the sole advantage of having this as a class attribute is, that one can move the attack (including) the model to a specific device. Although, the user anyhow has to handle anyways the device of the inputs of the attack method.

... the need for the device transfers.

The idea is to save (valuable) memory of the GPU/... Note that here we maintain a clean graph and construct its perturbed counterpart. Thus, without moving the clean clean graph to cpu, the hardware accelerator needs to store two graphs of similar size.

[rusty1s]

Thanks for the clarification. This makes sense to me.

[sigeisler]

@rusty1s I worked through your comments and adapted the code accordingly. I left some comments to explain etc. Please let me know if there are further action items.

Thanks again for your time and the helpful feedback!

[sigeisler]

Hi @rusty1s I know you must be quite busy, however, I am wondering how to proceed. Thanks.

[rusty1s]

This should be ready to merge. Will take a last look and merge it soon.

[sigeisler]

Hi @rusty1s thanks for seeing this through :-)

I have seen that you now have moved this to the contrib package, out of curiosity, what are the intended differences? Is there a lower level of quality or is this due to maintenance (e.g you do not plan to support all features in the long haul etc.)?

Btw. if you need any input whatsoever for promoting this as one of the models in the new contrib package, please let me know.

[rusty1s]

Hi @sigeisler. Yes, I indeed moved this to contrib since we plan to move every big new model there first going forward. This does not have anything to do with code quality (that one is awesome), more so with maintenance and API stability. Hope that's okay :)

[sigeisler]

@rusty1s makes a lot of sense! Thanks for clarifying.