Add files using upload-large-folder tool

.gitignore

@@ -0,0 +1,132 @@
+# Auxillary file on MacOS
+.DS_Store
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/

README.md

@@ -0,0 +1,314 @@
+
+[contributing-image]: https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat
+[contributing-url]: https://github.com/rusty1s/pytorch_geometric/blob/master/CONTRIBUTING.md
+
+<p align="center">
+<img center src="https://github.com/DSE-MSU/DeepRobust/blob/master/adversary_examples/Deeprobust.png" width = "450" alt="logo">
+</p>
+
+---------------------
+<!--
+<a href="https://github.com/DSE-MSU/DeepRobust/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/DSE-MSU/DeepRobust"></a>  <a href="https://github.com/DSE-MSU/DeepRobust/network/members" ><img alt="GitHub forks" src="https://img.shields.io/github/forks/DSE-MSU/DeepRobust">
+</a> 
+-->
+
+<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/DSE-MSU/DeepRobust"> <a href="https://github.com/DSE-MSU/DeepRobust/issues"> <img alt="GitHub issues" src="https://img.shields.io/github/issues/DSE-MSU/DeepRobust"></a> <img alt="GitHub" src="https://img.shields.io/github/license/DSE-MSU/DeepRobust">
+[![Contributing][contributing-image]][contributing-url]
+[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Build%20your%20robust%20machine%20learning%20models%20with%20DeepRobust%20in%2060%20seconds&url=https://github.com/DSE-MSU/DeepRobust&via=dse_msu&hashtags=MachineLearning,DeepLearning,secruity,data,developers)
+
+
+<!-- <img alt="GitHub top language" src="https://img.shields.io/github/languages/top/DSE-MSU/DeepRobust"> -->
+
+<!--
+<div align=center><img src="https://github.com/DSE-MSU/DeepRobust/blob/master/adversarial.png" width="500"/></div>
+<div align=center><img src="https://github.com/DSE-MSU/DeepRobust/blob/master/adversary_examples/graph_attack_example.png" width="00" /></div>
+-->
+**[Documentation](https://deeprobust.readthedocs.io/en/latest/)** | **[Paper](https://arxiv.org/abs/2005.06149)** | **[Samples](https://github.com/DSE-MSU/DeepRobust/tree/master/examples)** 
+
+[AAAI 2021] DeepRobust is a PyTorch adversarial library for attack and defense methods on images and graphs. 
+* If you are new to DeepRobust, we highly suggest you read the [documentation page](https://deeprobust.readthedocs.io/en/latest/) or the following content in this README to learn how to use it.  
+* If you have any questions or suggestions regarding this library, feel free to create an issue [here](https://github.com/DSE-MSU/DeepRobust/issues). We will reply as soon as possible :)
+
+<p float="left">
+  <img src="https://github.com/DSE-MSU/DeepRobust/blob/master/adversary_examples/adversarial.png" width="430" />
+  <img src="https://github.com/DSE-MSU/DeepRobust/blob/master/adversary_examples/graph_attack_example.png" width="380" /> 
+</p>
+
+**List of including algorithms can be found in [[Image Package]](https://github.com/DSE-MSU/DeepRobust/tree/master/deeprobust/image) and [[Graph Package]](https://github.com/DSE-MSU/DeepRobust/tree/master/deeprobust/graph).**
+
+[Environment & Installation](#environment)
+
+Usage
+
+* [Image Attack and Defense](#image-attack-and-defense)
+
+* [Graph Attack and Defense](#graph-attack-and-defense)
+
+[Acknowledgement](#acknowledgement) 
+
+For more details about attacks and defenses, you can read the following papers.
+* [Adversarial Attacks and Defenses on Graphs: A Review, A Tool and Empirical Studies](https://arxiv.org/abs/2003.00653)
+* [Adversarial Attacks and Defenses in Images, Graphs and Text: A Review](https://arxiv.org/pdf/1909.08072.pdf)
+
+If our work could help your research, please cite:
+[DeepRobust: A PyTorch Library for Adversarial Attacks and Defenses](https://arxiv.org/abs/2005.06149)
+```
+@article{li2020deeprobust,
+  title={Deeprobust: A pytorch library for adversarial attacks and defenses},
+  author={Li, Yaxin and Jin, Wei and Xu, Han and Tang, Jiliang},
+  journal={arXiv preprint arXiv:2005.06149},
+  year={2020}
+}
+```
+
+# Changelog
+* [11/2023] Try <span style="color:red"> `git clone https://github.com/DSE-MSU/DeepRobust.git; cd DeepRobust; python setup_empty.py install` </span> to directly install DeepRobust without installing dependency packages.
+* [11/2023] DeepRobust 0.2.9 Released. Please try `pip install deeprobust==0.2.9`. We have fixed the OOM issue of metattack on new pytorch versions.
+* [06/2023] We have added a backdoor attack [UGBA, WWW'23](https://arxiv.org/abs/2303.01263) to graph package. We can now use UGBA to conduct unnoticeable backdoor attack on large-scale graphs such as ogb-arxiv (see example in [test_ugba.py](https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_ugba.py))! 
+* [02/2023] DeepRobust 0.2.8 Released. Please try `pip install deeprobust==0.2.8`! We have added a scalable attack [PRBCD, NeurIPS'21](https://arxiv.org/abs/2110.14038) to graph package. We can now use PRBCD to attack large-scale graphs such as ogb-arxiv (see example in [test_prbcd.py](https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_prbcd.py))! 
+* [02/2023] Add a robust model [AirGNN, NeurIPS'21](https://proceedings.neurips.cc/paper/2021/file/50abc3e730e36b387ca8e02c26dc0a22-Paper.pdf) to graph package. Try `python examples/graph/test_airgnn.py`! See details in [test_airgnn.py](https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_airgnn.py)
+* [11/2022] DeepRobust 0.2.6 Released. Please try `pip install deeprobust==0.2.6`! We have more updates coming. Please stay tuned!
+* [11/2021] A subpackage that includes popular black box attacks in image domain is released. Find it here. [Link](https://github.com/I-am-Bot/Black-Box-Attacks)
+* [11/2021] DeepRobust 0.2.4 Released. Please try `pip install deeprobust==0.2.4`!
+* [10/2021] add scalable attack and MedianGCN. Thank [Jintang](https://github.com/EdisonLeeeee) for his contribution!
+* [06/2021] [Image Package] Add preprocessing method: APE-GAN.
+* [05/2021] DeepRobust is published at AAAI 2021. Check [here](https://ojs.aaai.org/index.php/AAAI/article/view/18017)!
+* [05/2021] DeepRobust 0.2.2 Released. Please try `pip install deeprobust==0.2.2`!
+* [04/2021] [Image Package] Add support for ImageNet. See details in [test_ImageNet.py](https://github.com/DSE-MSU/DeepRobust/blob/master/examples/image/test_ImageNet.py)
+* [04/2021] [Graph Package] Add support for OGB datasets.  See more details in the [tutorial page](https://deeprobust.readthedocs.io/en/latest/graph/pyg.html).
+* [03/2021] [Graph Package] Added node embedding attack and victim models! See this [tutorial page](https://deeprobust.readthedocs.io/en/latest/graph/node_embedding.html).
+* [02/2021] **[Graph Package] DeepRobust now provides tools for converting the datasets between [Pytorch Geometric](https://pytorch-geometric.readthedocs.io/en/latest/) and DeepRobust. See more details in the [tutorial page](https://deeprobust.readthedocs.io/en/latest/graph/pyg.html)!** DeepRobust now also support GAT, Chebnet and SGC based on pyg; see details in [test_gat.py](https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_gat.py),  [test_chebnet.py](https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_chebnet.py) and [test_sgc.py](https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_sgc.py)
+* [12/2020] DeepRobust now can be installed via pip! Try `pip install deeprobust`!
+* [12/2020] [Graph Package] Add four more [datasets](https://github.com/DSE-MSU/DeepRobust/tree/master/deeprobust/graph/#supported-datasets) and one defense algorithm. More details can be found [here](https://github.com/DSE-MSU/DeepRobust/tree/master/deeprobust/graph/#defense-methods). More datasets and algorithms will be added later. Stay tuned :)
+* [07/2020] Add [documentation](https://deeprobust.readthedocs.io/en/latest/) page!
+* [06/2020] Add docstring to both image and graph package
+
+# Basic Environment
+* `python >= 3.6` (python 3.5 should also work)
+* `pytorch >= 1.2.0`
+
+see `setup.py` or `requirements.txt` for more information.
+
+# Installation
+## Install from pip
+```
+pip install deeprobust 
+```
+## Install from source
+```
+git clone https://github.com/DSE-MSU/DeepRobust.git
+cd DeepRobust
+python setup.py install
+```
+If you find the dependencies are hard to install, please try the following:
+```python setup_empty.py install``` (only install deeprobust without installing other packages) 
+
+# Test Examples
+
+```
+python examples/image/test_PGD.py
+python examples/image/test_pgdtraining.py
+python examples/graph/test_gcn_jaccard.py --dataset cora
+python examples/graph/test_mettack.py --dataset cora --ptb_rate 0.05
+```
+
+# Usage
+## Image Attack and Defense
+1. Train model
+
+    Example: Train a simple CNN model on MNIST dataset for 20 epoch on gpu.
+    ```python
+    import deeprobust.image.netmodels.train_model as trainmodel
+    trainmodel.train('CNN', 'MNIST', 'cuda', 20)
+    ```
+    Model would be saved in deeprobust/trained_models/.
+
+2. Instantiated attack methods and defense methods.
+
+    Example: Generate adversary example with PGD attack.
+    ```python
+    from deeprobust.image.attack.pgd import PGD
+    from deeprobust.image.config import attack_params
+    from deeprobust.image.utils import download_model
+    import torch
+    import deeprobust.image.netmodels.resnet as resnet
+    from torchvision import transforms,datasets
+    
+    URL = "https://github.com/I-am-Bot/deeprobust_model/raw/master/CIFAR10_ResNet18_epoch_20.pt"
+    download_model(URL, "$MODEL_PATH$")
+
+    model = resnet.ResNet18().to('cuda')
+    model.load_state_dict(torch.load("$MODEL_PATH$"))
+    model.eval()
+
+    transform_val = transforms.Compose([transforms.ToTensor()])
+    test_loader  = torch.utils.data.DataLoader(
+                    datasets.CIFAR10('deeprobust/image/data', train = False, download=True,
+                    transform = transform_val),
+                    batch_size = 10, shuffle=True)
+
+    x, y = next(iter(test_loader))
+    x = x.to('cuda').float()
+    
+    adversary = PGD(model, 'cuda')
+    Adv_img = adversary.generate(x, y, **attack_params['PGD_CIFAR10'])
+    ```
+
+    Example: Train defense model.
+    ```python
+    from deeprobust.image.defense.pgdtraining import PGDtraining
+    from deeprobust.image.config import defense_params
+    from deeprobust.image.netmodels.CNN import Net
+    import torch
+    from torchvision import datasets, transforms 
+    
+    model = Net()
+    train_loader = torch.utils.data.DataLoader(
+                    datasets.MNIST('deeprobust/image/defense/data', train=True, download=True,
+                                    transform=transforms.Compose([transforms.ToTensor()])),
+                                    batch_size=100,shuffle=True)
+
+    test_loader = torch.utils.data.DataLoader(
+                  datasets.MNIST('deeprobust/image/defense/data', train=False,
+                                transform=transforms.Compose([transforms.ToTensor()])),
+                                batch_size=1000,shuffle=True)
+
+    defense = PGDtraining(model, 'cuda')
+    defense.generate(train_loader, test_loader, **defense_params["PGDtraining_MNIST"])
+    ```
+
+    More example code can be found in deeprobust/examples.
+
+3. Use our evulation program to test attack algorithm against defense.
+
+    Example:
+    ```
+    cd DeepRobust
+    python examples/image/test_train.py
+    python deeprobust/image/evaluation_attack.py
+    ```
+
+## Graph Attack and Defense 
+
+### Attacking Graph Neural Networks
+
+1. Load dataset
+    ```python
+    import torch
+    import numpy as np
+    from deeprobust.graph.data import Dataset
+    from deeprobust.graph.defense import GCN
+    from deeprobust.graph.global_attack import Metattack
+
+    data = Dataset(root='/tmp/', name='cora', setting='nettack')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    idx_unlabeled = np.union1d(idx_val, idx_test)
+    ```
+
+2. Set up surrogate model
+    ```python
+    device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+    surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1, nhid=16,
+                    with_relu=False, device=device)
+    surrogate = surrogate.to(device)
+    surrogate.fit(features, adj, labels, idx_train)
+    ```
+
+
+3. Set up attack model and generate perturbations
+    ```python
+    model = Metattack(model=surrogate, nnodes=adj.shape[0], feature_shape=features.shape, device=device)
+    model = model.to(device)
+    perturbations = int(0.05 * (adj.sum() // 2))
+    model.attack(features, adj, labels, idx_train, idx_unlabeled, perturbations, ll_constraint=False)
+    modified_adj = model.modified_adj
+    ```
+    
+For more details please refer to [mettack.py](https://github.com/I-am-Bot/DeepRobust/blob/master/examples/graph/test_mettack.py) or run 
+    ```
+    python examples/graph/test_mettack.py --dataset cora --ptb_rate 0.05
+    ```
+
+### Defending Against Graph Attacks
+
+1. Load dataset
+    ```python
+    import torch
+    from deeprobust.graph.data import Dataset, PtbDataset
+    from deeprobust.graph.defense import GCN, GCNJaccard
+    import numpy as np
+    np.random.seed(15)
+
+    # load clean graph
+    data = Dataset(root='/tmp/', name='cora', setting='nettack')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+    # load pre-attacked graph by mettack
+    perturbed_data = PtbDataset(root='/tmp/', name='cora')
+    perturbed_adj = perturbed_data.adj
+    ```
+2. Test 
+    ```python
+    # Set up defense model and test performance
+    device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+    model = GCNJaccard(nfeat=features.shape[1], nclass=labels.max()+1, nhid=16, device=device)
+    model = model.to(device)
+    model.fit(features, perturbed_adj, labels, idx_train)
+    model.eval()
+    output = model.test(idx_test)
+
+    # Test on GCN
+    model = GCN(nfeat=features.shape[1], nclass=labels.max()+1, nhid=16, device=device)
+    model = model.to(device)
+    model.fit(features, perturbed_adj, labels, idx_train)
+    model.eval()
+    output = model.test(idx_test)
+    ```
+    
+For more details please refer to [test_gcn_jaccard.py](https://github.com/I-am-Bot/DeepRobust/blob/master/examples/graph/test_gcn_jaccard.py) or run
+    ```
+    python examples/graph/test_gcn_jaccard.py --dataset cora
+    ```
+
+## Sample Results
+adversary examples generated by fgsm:
+<div align="center">
+<img height=140 src="https://github.com/DSE-MSU/DeepRobust/blob/master/adversary_examples/mnist_advexample_fgsm_ori.png"/><img height=140 src="https://github.com/DSE-MSU/DeepRobust/blob/master/adversary_examples/mnist_advexample_fgsm_adv.png"/>
+</div>
+Left:original, classified as 6; Right:adversary, classified as 4.
+
+Serveral trained models can be found here: https://drive.google.com/open?id=1uGLiuCyd8zCAQ8tPz9DDUQH6zm-C4tEL
+
+## Acknowledgement
+Some of the algorithms are referred to paper authors' implementations. References can be found at the top of each file. 
+
+Implementation of network structure are referred to weiaicunzai's github. Original code can be found here:
+[pytorch-cifar100](https://github.com/weiaicunzai/pytorch-cifar100)
+
+Thanks to their outstanding works!
+
+
+<!----
+We would be glad if you find our work useful and cite the paper.
+
+'''
+@misc{jin2020adversarial,
+    title={Adversarial Attacks and Defenses on Graphs: A Review and Empirical Study},
+    author={Wei Jin and Yaxin Li and Han Xu and Yiqi Wang and Jiliang Tang},
+    year={2020},
+    eprint={2003.00653},
+    archivePrefix={arXiv},
+    primaryClass={cs.LG}
+}
+'''
+```
+@article{xu2019adversarial,
+  title={Adversarial attacks and defenses in images, graphs and text: A review},
+  author={Xu, Han and Ma, Yao and Liu, Haochen and Deb, Debayan and Liu, Hui and Tang, Jiliang and Jain, Anil},
+  journal={arXiv preprint arXiv:1909.08072},
+  year={2019}
+}
+```
+---->

conf.py

@@ -0,0 +1,68 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+import os
+import sys
+# sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath('../'))
+# sys.path.append('/home/jinwei/Laboratory/api')
+sys.path.append('/Users/yaxinli/Desktop/MSU/DeepRobust')
+
+# -- Project information -----------------------------------------------------
+
+project = 'x'
+copyright = '2020, x'
+author = 'x'
+
+# The full version, including alpha/beta/rc tags
+release = 'x'
+
+
+# -- General configuration ---------------------------------------------------
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = ['sphinx.ext.todo', 'sphinx.ext.viewcode', 'sphinx.ext.autodoc', 'sphinx.ext.napoleon', 'sphinx.ext.autosummary',
+        ]
+# extensions = ['sphinx.ext.napoleon']
+autodoc_mock_imports = ['torch', 'torchvision', 'texttable', 'tensorboardX',
+                        ]
+
+# remove undoc members
+#autodoc_default_flags = ['members']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+# html_theme = 'alabaster'
+html_theme = 'sphinx_rtd_theme'
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+add_module_names = False
+
+

deeprobust/__init__.py

@@ -0,0 +1,4 @@
+# from deeprobust import image
+# from deeprobust import graph
+
+# __all__ = ['image', 'graph']

deeprobust/graph/data/attacked_data.py

@@ -0,0 +1,218 @@
+import numpy as np
+import scipy.sparse as sp
+import os.path as osp
+import os
+import urllib.request
+import warnings
+import json
+
+class PtbDataset:
+    """Dataset class manages pre-attacked adjacency matrix on different datasets. Currently only support metattack under 5% perturbation. Note metattack is generated by deeprobust/graph/global_attack/metattack.py. While PrePtbDataset provides pre-attacked graph generate by Zugner, https://github.com/danielzuegner/gnn-meta-attack. The attacked graphs are downloaded from https://github.com/ChandlerBang/pytorch-gnn-meta-attack/tree/master/pre-attacked.
+
+    Parameters
+    ----------
+    root :
+        root directory where the dataset should be saved.
+    name :
+        dataset name. It can be choosen from ['cora', 'citeseer', 'cora_ml', 'polblogs', 'pubmed']
+    attack_method :
+        currently this class only support metattack. User can pass 'meta', 'metattack' or 'mettack' since all of them will be interpreted as the same attack.
+    seed :
+        random seed for splitting training/validation/test.
+
+    Examples
+    --------
+
+    >>> from deeprobust.graph.data import Dataset, PtbDataset
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> perturbed_data = PtbDataset(root='/tmp/',
+                            name='cora',
+                            attack_method='meta')
+    >>> perturbed_adj = perturbed_data.adj
+
+    """
+
+
+    def __init__(self, root, name, attack_method='mettack'):
+        assert attack_method in ['mettack', 'metattack', 'meta'], \
+            'Currently the database only stores graphs perturbed by 5% mettack'
+
+        self.name = name.lower()
+        assert self.name in ['cora', 'citeseer', 'polblogs'], \
+            'Currently only support cora, citeseer, polblogs'
+
+        self.attack_method = 'mettack' # attack_method
+        self.url = 'https://raw.githubusercontent.com/ChandlerBang/pytorch-gnn-meta-attack/master/pre-attacked/{}_{}_0.05.npz'.format(self.name, self.attack_method)
+        self.root = osp.expanduser(osp.normpath(root))
+        self.data_filename = osp.join(root,
+                '{}_{}_0.05.npz'.format(self.name, self.attack_method))
+        self.adj = self.load_data()
+
+    def load_data(self):
+        if not osp.exists(self.data_filename):
+            self.download_npz()
+        print('Loading {} dataset perturbed by 0.05 mettack...'.format(self.name))
+        adj = sp.load_npz(self.data_filename)
+        warnings.warn('''the adjacency matrix is perturbed, using the data splits under seed 15(default seed for deeprobust.graph.data.Dataset), so if you are going to verify the attacking performance, you should use the same data splits''')
+        return adj
+
+    def download_npz(self):
+        print('Dowloading from {} to {}'.format(self.url, self.data_filename))
+        try:
+            urllib.request.urlretrieve(self.url, self.data_filename)
+        except:
+            raise Exception('''Download failed! Make sure you have
+                    stable Internet connection and enter the right name''')
+
+
+class PrePtbDataset:
+    """Dataset class manages pre-attacked adjacency matrix on different datasets. Note metattack is generated by deeprobust/graph/global_attack/metattack.py. While PrePtbDataset provides pre-attacked graph generate by Zugner, https://github.com/danielzuegner/gnn-meta-attack. The attacked graphs are downloaded from https://github.com/ChandlerBang/Pro-GNN/tree/master/meta.
+
+    Parameters
+    ----------
+    root :
+        root directory where the dataset should be saved.
+    name :
+        dataset name. It can be choosen from ['cora', 'citeseer', 'polblogs', 'pubmed']
+    attack_method :
+        currently this class only support metattack and  nettack. Note 'meta', 'metattack' or 'mettack' will be interpreted as the same attack.
+    seed :
+        random seed for splitting training/validation/test.
+
+    Examples
+    --------
+
+    >>> from deeprobust.graph.data import Dataset, PrePtbDataset
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> # Load meta attacked data
+    >>> perturbed_data = PrePtbDataset(root='/tmp/',
+                            name='cora',
+                            attack_method='meta',
+                            ptb_rate=0.05)
+    >>> perturbed_adj = perturbed_data.adj
+    >>> # Load nettacked data
+    >>> perturbed_data = PrePtbDataset(root='/tmp/',
+                            name='cora',
+                            attack_method='nettack',
+                            ptb_rate=1.0)
+    >>> perturbed_adj = perturbed_data.adj
+    >>> target_nodes = perturbed_data.target_nodes
+    """
+
+
+    def __init__(self, root, name, attack_method='meta', ptb_rate=0.05):
+
+        if attack_method == 'mettack' or attack_method == 'metattack':
+            attack_method = 'meta'
+
+        assert attack_method in ['meta', 'nettack'], \
+            ' Currently the database only stores graphs perturbed by metattack, nettack'
+        # assert attack_method in ['meta'], \
+        #     ' Currently the database only stores graphs perturbed by metattack. Will update nettack soon.'
+
+        self.name = name.lower()
+        assert self.name in ['cora', 'citeseer', 'polblogs', 'pubmed', 'cora_ml'], \
+            'Currently only support cora, citeseer, pubmed, polblogs, cora_ml'
+
+        self.attack_method = attack_method
+        self.ptb_rate = ptb_rate
+        self.url = 'https://raw.githubusercontent.com/ChandlerBang/Pro-GNN/master/{}/{}_{}_adj_{}.npz'.\
+            format(self.attack_method, self.name, self.attack_method, self.ptb_rate)
+        # self.url = 'https://github.com/ChandlerBang/Pro-GNN/blob/master/{}/{}_{}_adj_{}.npz'.\
+        #         format(self.attack_method, self.name, self.attack_method, self.ptb_rate)
+        self.root = osp.expanduser(osp.normpath(root))
+        self.data_filename = osp.join(root,
+                '{}_{}_adj_{}.npz'.format(self.name, self.attack_method, self.ptb_rate))
+        self.target_nodes = None
+        self.adj = self.load_data()
+
+    def load_data(self):
+        if not osp.exists(self.data_filename):
+            self.download_npz()
+        print('Loading {} dataset perturbed by {} {}...'.format(self.name, self.ptb_rate, self.attack_method))
+
+        if self.attack_method == 'meta':
+            warnings.warn("The pre-attacked graph is perturbed under the data splits provided by ProGNN. So if you are going to verify the attacking performance, you should use the same data splits  (setting='prognn').")
+            adj = sp.load_npz(self.data_filename)
+
+        if self.attack_method == 'nettack':
+            # assert True, "Will update pre-attacked data by nettack soon"
+            warnings.warn("The pre-attacked graph is perturbed under the data splits provided by ProGNN. So if you are going to verify the attacking performance, you should use the same data splits  (setting='prognn').")
+            adj = sp.load_npz(self.data_filename)
+            self.target_nodes = self.get_target_nodes()
+        return adj
+
+    def get_target_nodes(self):
+        """Get target nodes incides, which is the nodes with degree > 10 in the test set."""
+        url = 'https://raw.githubusercontent.com/ChandlerBang/Pro-GNN/master/nettack/{}_nettacked_nodes.json'.format(self.name)
+        json_file = osp.join(self.root,
+                '{}_nettacked_nodes.json'.format(self.name))
+
+        if not osp.exists(json_file):
+            self.download_file(url, json_file)
+        # with open(f'/mnt/home/jinwei2/Projects/nettack/{dataset}_nettacked_nodes.json', 'r') as f:
+        with open(json_file, 'r') as f:
+            idx = json.loads(f.read())
+        return idx["attacked_test_nodes"]
+
+    def download_file(self, url, file):
+        print('Dowloading from {} to {}'.format(url, file))
+        try:
+            urllib.request.urlretrieve(url, file)
+        except:
+            raise Exception("Download failed! Make sure you have \
+                    stable Internet connection and enter the right name")
+
+    def download_npz(self):
+        print('Dowloading from {} to {}'.format(self.url, self.data_filename))
+        try:
+            urllib.request.urlretrieve(self.url, self.data_filename)
+        except:
+            raise Exception("Download failed! Make sure you have \
+                    stable Internet connection and enter the right name")
+
+
+class RandomAttack():
+
+    def __init__(self):
+        self.name = 'RandomAttack'
+
+    def attack(self, adj, ratio=0.4):
+        print('random attack: ratio=%s' % ratio)
+        modified_adj = self._random_add_edges(adj, ratio)
+        return modified_adj
+
+    def _random_add_edges(self, adj, add_ratio):
+
+        def sample_zero_forever(mat):
+            nonzero_or_sampled = set(zip(*mat.nonzero()))
+            while True:
+                t = tuple(np.random.randint(0, mat.shape[0], 2))
+                if t not in nonzero_or_sampled:
+                    yield t
+                    nonzero_or_sampled.add(t)
+                    nonzero_or_sampled.add((t[1], t[0]))
+
+        def sample_zero_n(mat, n=100):
+            itr = sample_zero_forever(mat)
+            return [next(itr) for _ in range(n)]
+
+        assert np.abs(adj - adj.T).sum() == 0, "Input graph is not symmetric"
+        non_zeros = [(x, y) for x,y in np.argwhere(adj != 0) if x < y] # (x, y)
+
+        added = sample_zero_n(adj, n=int(add_ratio * len(non_zeros)))
+        for x, y in added:
+            adj[x, y] = 1
+            adj[y, x] = 1
+        return adj
+
+
+if __name__ == '__main__':
+    perturbed_data = PrePtbDataset(root='/tmp/',
+            name='cora',
+            attack_method='meta',
+            ptb_rate=0.05)
+    perturbed_adj = perturbed_data.adj
+

deeprobust/graph/defense/adv_training.py

@@ -0,0 +1,57 @@
+import torch.nn as nn
+import torch.nn.functional as F
+import torch
+from torch.nn.modules.module import Module
+from deeprobust.graph import utils
+from deeprobust.graph.defense import GCN
+from tqdm import tqdm
+import scipy.sparse as sp
+import numpy as np
+
+
+class AdvTraining:
+    """Adversarial training framework for defending against attacks.
+
+    Parameters
+    ----------
+    model :
+        model to protect, e.g, GCN
+    adversary :
+        attack model
+    device : str
+        'cpu' or 'cuda'
+    """
+
+    def __init__(self, model, adversary=None, device='cpu'):
+
+        self.model = model
+        if adversary is None:
+            adversary = RND()
+        self.adversary = adversary
+        self.device = device
+
+    def adv_train(self, features, adj, labels, idx_train, train_iters, **kwargs):
+        """Start adversarial training.
+
+        Parameters
+        ----------
+        features :
+            node features
+        adj :
+            the adjacency matrix. The format could be torch.tensor or scipy matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_val :
+            node validation indices. If not given (None), GCN training process will not adpot early stopping
+        train_iters : int
+            number of training epochs
+        """
+        for i in range(train_iters):
+            modified_adj = self.adversary.attack(features, adj)
+            self.model.fit(features, modified_adj, train_iters, initialize=False)
+
+
+
+

deeprobust/graph/defense/chebnet.py

@@ -0,0 +1,215 @@
+"""
+Extended from https://github.com/rusty1s/pytorch_geometric/tree/master/benchmark/citation
+"""
+import torch.nn as nn
+import torch.nn.functional as F
+import math
+import torch
+import torch.optim as optim
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from deeprobust.graph import utils
+from copy import deepcopy
+from torch_geometric.nn import ChebConv
+
+class ChebNet(nn.Module):
+    """ 2 Layer ChebNet based on pytorch geometric.
+
+    Parameters
+    ----------
+    nfeat : int
+        size of input feature dimension
+    nhid : int
+        number of hidden units
+    nclass : int
+        size of output dimension
+    num_hops: int
+        number of hops in ChebConv
+    dropout : float
+        dropout rate for ChebNet
+    lr : float
+        learning rate for ChebNet
+    weight_decay : float
+        weight decay coefficient (l2 normalization) for GCN.
+        When `with_relu` is True, `weight_decay` will be set to 0.
+    with_bias: bool
+        whether to include bias term in ChebNet weights.
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+	We can first load dataset and then train ChebNet.
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import ChebNet
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> cheby = ChebNet(nfeat=features.shape[1],
+              nhid=16, num_hops=3,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device='cpu')
+    >>> cheby = cheby.to('cpu')
+    >>> pyg_data = Dpr2Pyg(data) # convert deeprobust dataset to pyg dataset
+    >>> cheby.fit(pyg_data, patience=10, verbose=True) # train with earlystopping
+    """
+
+    def __init__(self, nfeat, nhid, nclass, num_hops=3, dropout=0.5, lr=0.01,
+            weight_decay=5e-4, with_bias=True, device=None):
+
+        super(ChebNet, self).__init__()
+
+        assert device is not None, "Please specify 'device'!"
+        self.device = device
+
+        self.conv1 = ChebConv(
+            nfeat,
+            nhid,
+            K=num_hops,
+            bias=with_bias)
+
+        self.conv2 = ChebConv(
+            nhid,
+            nclass,
+            K=num_hops,
+            bias=with_bias)
+
+        self.dropout = dropout
+        self.weight_decay = weight_decay
+        self.lr = lr
+        self.output = None
+        self.best_model = None
+        self.best_output = None
+
+    def forward(self, data):
+        x, edge_index = data.x, data.edge_index
+        x = F.relu(self.conv1(x, edge_index))
+        x = F.dropout(x, p=self.dropout, training=self.training)
+        x = self.conv2(x, edge_index)
+        return F.log_softmax(x, dim=1)
+
+    def initialize(self):
+        """Initialize parameters of ChebNet.
+        """
+        self.conv1.reset_parameters()
+        self.conv2.reset_parameters()
+
+    def fit(self, pyg_data, train_iters=200, initialize=True, verbose=False, patience=500, **kwargs):
+        """Train the ChebNet model, when idx_val is not None, pick the best model
+        according to the validation loss.
+
+        Parameters
+        ----------
+        pyg_data :
+            pytorch geometric dataset object
+        train_iters : int
+            number of training epochs
+        initialize : bool
+            whether to initialize parameters before training
+        verbose : bool
+            whether to show verbose logs
+        patience : int
+            patience for early stopping, only valid when `idx_val` is given
+        """
+
+        self.device = self.conv1.weight.device
+        if initialize:
+            self.initialize()
+
+        self.data = pyg_data[0].to(self.device)
+        # By default, it is trained with early stopping on validation
+        self.train_with_early_stopping(train_iters, patience, verbose)
+
+    def train_with_early_stopping(self, train_iters, patience, verbose):
+        """early stopping based on the validation loss
+        """
+        if verbose:
+            print('=== training ChebNet model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        labels = self.data.y
+        train_mask, val_mask = self.data.train_mask, self.data.val_mask
+
+        early_stopping = patience
+        best_loss_val = 100
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.data)
+
+            loss_train = F.nll_loss(output[train_mask], labels[train_mask])
+            loss_train.backward()
+            optimizer.step()
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward(self.data)
+            loss_val = F.nll_loss(output[val_mask], labels[val_mask])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+                patience = early_stopping
+            else:
+                patience -= 1
+            if i > early_stopping and patience <= 0:
+                break
+
+        if verbose:
+             print('=== early stopping at {0}, loss_val = {1} ==='.format(i, best_loss_val) )
+        self.load_state_dict(weights)
+
+    def test(self):
+        """Evaluate ChebNet performance on test set.
+
+        Parameters
+        ----------
+        idx_test :
+            node testing indices
+        """
+        self.eval()
+        test_mask = self.data.test_mask
+        labels = self.data.y
+        output = self.forward(self.data)
+        # output = self.output
+        loss_test = F.nll_loss(output[test_mask], labels[test_mask])
+        acc_test = utils.accuracy(output[test_mask], labels[test_mask])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test.item()
+
+    def predict(self):
+        """
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of ChebNet
+        """
+
+        self.eval()
+        return self.forward(self.data)
+
+
+
+if __name__ == "__main__":
+    from deeprobust.graph.data import Dataset, Dpr2Pyg
+    # from deeprobust.graph.defense import ChebNet
+    data = Dataset(root='/tmp/', name='cora')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    cheby = ChebNet(nfeat=features.shape[1],
+          nhid=16,
+          nclass=labels.max().item() + 1,
+          dropout=0.5, device='cpu')
+    cheby = cheby.to('cpu')
+    pyg_data = Dpr2Pyg(data)
+    cheby.fit(pyg_data, verbose=True) # train with earlystopping
+    cheby.test()
+    print(cheby.predict())
+

deeprobust/graph/defense/data/processed/pre_filter.pt

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b235e5f068a00e5bf391cec33fad69292177c841d5a8fd2ab76f764489fb6e7
+size 431

deeprobust/graph/defense/gat.py

@@ -0,0 +1,222 @@
+"""
+Extended from https://github.com/rusty1s/pytorch_geometric/tree/master/benchmark/citation
+"""
+import torch.nn as nn
+import torch.nn.functional as F
+import math
+import torch
+import torch.optim as optim
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from deeprobust.graph import utils
+from copy import deepcopy
+from torch_geometric.nn import GATConv
+
+
+class GAT(nn.Module):
+    """ 2 Layer Graph Attention Network based on pytorch geometric.
+
+    Parameters
+    ----------
+    nfeat : int
+        size of input feature dimension
+    nhid : int
+        number of hidden units
+    nclass : int
+        size of output dimension
+    heads: int
+        number of attention heads
+    output_heads: int
+        number of attention output heads
+    dropout : float
+        dropout rate for GAT
+    lr : float
+        learning rate for GAT
+    weight_decay : float
+        weight decay coefficient (l2 normalization) for GCN.
+        When `with_relu` is True, `weight_decay` will be set to 0.
+    with_bias: bool
+        whether to include bias term in GAT weights.
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+	We can first load dataset and then train GAT.
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import GAT
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> gat = GAT(nfeat=features.shape[1],
+              nhid=8, heads=8,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device='cpu')
+    >>> gat = gat.to('cpu')
+    >>> pyg_data = Dpr2Pyg(data) # convert deeprobust dataset to pyg dataset
+    >>> gat.fit(pyg_data, patience=100, verbose=True) # train with earlystopping
+    """
+
+    def __init__(self, nfeat, nhid, nclass, heads=8, output_heads=1, dropout=0.5, lr=0.01,
+            weight_decay=5e-4, with_bias=True, device=None):
+
+        super(GAT, self).__init__()
+
+        assert device is not None, "Please specify 'device'!"
+        self.device = device
+
+        self.conv1 = GATConv(
+            nfeat,
+            nhid,
+            heads=heads,
+            dropout=dropout,
+            bias=with_bias)
+
+        self.conv2 = GATConv(
+            nhid * heads,
+            nclass,
+            heads=output_heads,
+            concat=False,
+            dropout=dropout,
+            bias=with_bias)
+
+        self.dropout = dropout
+        self.weight_decay = weight_decay
+        self.lr = lr
+        self.output = None
+        self.best_model = None
+        self.best_output = None
+
+    def forward(self, data):
+        x, edge_index = data.x, data.edge_index
+        x = F.dropout(x, p=self.dropout, training=self.training)
+        x = F.elu(self.conv1(x, edge_index))
+        x = F.dropout(x, p=self.dropout, training=self.training)
+        x = self.conv2(x, edge_index)
+        return F.log_softmax(x, dim=1)
+
+    def initialize(self):
+        """Initialize parameters of GAT.
+        """
+        self.conv1.reset_parameters()
+        self.conv2.reset_parameters()
+
+    def fit(self, pyg_data, train_iters=200, initialize=True, verbose=False, patience=100, **kwargs):
+        """Train the GAT model, when idx_val is not None, pick the best model
+        according to the validation loss.
+
+        Parameters
+        ----------
+        pyg_data :
+            pytorch geometric dataset object
+        train_iters : int
+            number of training epochs
+        initialize : bool
+            whether to initialize parameters before training
+        verbose : bool
+            whether to show verbose logs
+        patience : int
+            patience for early stopping, only valid when `idx_val` is given
+        """
+
+
+        if initialize:
+            self.initialize()
+
+        self.data = pyg_data[0].to(self.device)
+        # By default, it is trained with early stopping on validation
+        self.train_with_early_stopping(train_iters, patience, verbose)
+
+    def train_with_early_stopping(self, train_iters, patience, verbose):
+        """early stopping based on the validation loss
+        """
+        if verbose:
+            print('=== training GAT model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        labels = self.data.y
+        train_mask, val_mask = self.data.train_mask, self.data.val_mask
+
+        early_stopping = patience
+        best_loss_val = 100
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.data)
+
+            loss_train = F.nll_loss(output[train_mask], labels[train_mask])
+            loss_train.backward()
+            optimizer.step()
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward(self.data)
+            loss_val = F.nll_loss(output[val_mask], labels[val_mask])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+                patience = early_stopping
+            else:
+                patience -= 1
+            if i > early_stopping and patience <= 0:
+                break
+
+        if verbose:
+             print('=== early stopping at {0}, loss_val = {1} ==='.format(i, best_loss_val) )
+        self.load_state_dict(weights)
+
+    def test(self):
+        """Evaluate GAT performance on test set.
+
+        Parameters
+        ----------
+        idx_test :
+            node testing indices
+        """
+        self.eval()
+        test_mask = self.data.test_mask
+        labels = self.data.y
+        output = self.forward(self.data)
+        # output = self.output
+        loss_test = F.nll_loss(output[test_mask], labels[test_mask])
+        acc_test = utils.accuracy(output[test_mask], labels[test_mask])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test.item()
+
+    def predict(self):
+        """
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of GAT
+        """
+
+        self.eval()
+        return self.forward(self.data)
+
+
+
+if __name__ == "__main__":
+    from deeprobust.graph.data import Dataset, Dpr2Pyg
+    # from deeprobust.graph.defense import GAT
+    data = Dataset(root='/tmp/', name='cora')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    gat = GAT(nfeat=features.shape[1],
+          nhid=8, heads=8,
+          nclass=labels.max().item() + 1,
+          dropout=0.5, device='cpu')
+    gat = gat.to('cpu')
+    pyg_data = Dpr2Pyg(data)
+    gat.fit(pyg_data, verbose=True) # train with earlystopping
+    gat.test()
+    print(gat.predict())
+

deeprobust/graph/defense/gcn.py

@@ -0,0 +1,377 @@
+import torch.nn as nn
+import numpy as np
+import torch.nn.functional as F
+import math
+import torch
+import torch.optim as optim
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from deeprobust.graph import utils
+from copy import deepcopy
+from sklearn.metrics import f1_score
+
+from collections import defaultdict
+from functools import reduce
+
+class GraphConvolution(Module):
+    """Simple GCN layer, similar to https://github.com/tkipf/pygcn
+    """
+
+    def __init__(self, in_features, out_features, with_bias=True):
+        super(GraphConvolution, self).__init__()
+        self.in_features = in_features
+        self.out_features = out_features
+        self.weight = Parameter(torch.FloatTensor(in_features, out_features))
+        if with_bias:
+            self.bias = Parameter(torch.FloatTensor(out_features))
+        else:
+            self.register_parameter('bias', None)
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        stdv = 1. / math.sqrt(self.weight.size(1))
+        self.weight.data.uniform_(-stdv, stdv)
+        if self.bias is not None:
+            self.bias.data.uniform_(-stdv, stdv)
+
+    # def forward(self, input, adj):
+    #     """ Graph Convolutional Layer forward function
+    #     """
+    #     print("type(input):", input)
+    #     print("type(adj):", adj)
+    #     if input.data.is_sparse:
+    #         support = torch.spmm(input, self.weight)
+    #     else:
+    #         support = torch.mm(input, self.weight)
+    #     print("type(support):", support)
+    #     output = torch.spmm(adj, support)
+    #     if self.bias is not None:
+    #         return output + self.bias
+    #     else:
+    #         return output
+    def forward(self, input, adj):
+        """Graph Convolutional Layer forward function
+        """
+        # print("type(input):", type(input))
+        # print("type(adj):", type(adj))
+
+        # Step 1: Compute AX
+        if input.data.is_sparse:
+            support = torch.spmm(adj, input)  # Sparse matrix multiplication for AX
+        else:
+            support = torch.mm(adj, input)  # Dense matrix multiplication for AX
+
+        # print("type(support):", type(support))
+
+        # Step 2: Compute AXW
+        output = torch.mm(support, self.weight)  # Dense matrix multiplication for AXW
+
+        # Step 3: Add bias if applicable
+        if self.bias is not None:
+            return output + self.bias
+        else:
+            return output
+
+
+    def __repr__(self):
+        return self.__class__.__name__ + ' (' \
+               + str(self.in_features) + ' -> ' \
+               + str(self.out_features) + ')'
+
+
+class GCN(nn.Module):
+    """ 2 Layer Graph Convolutional Network.
+
+    Parameters
+    ----------
+    nfeat : int
+        size of input feature dimension
+    nhid : int
+        number of hidden units
+    nclass : int
+        size of output dimension
+    dropout : float
+        dropout rate for GCN
+    lr : float
+        learning rate for GCN
+    weight_decay : float
+        weight decay coefficient (l2 normalization) for GCN.
+        When `with_relu` is True, `weight_decay` will be set to 0.
+    with_relu : bool
+        whether to use relu activation function. If False, GCN will be linearized.
+    with_bias: bool
+        whether to include bias term in GCN weights.
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+	We can first load dataset and then train GCN.
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import GCN
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> gcn = GCN(nfeat=features.shape[1],
+              nhid=16,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device='cpu')
+    >>> gcn = gcn.to('cpu')
+    >>> gcn.fit(features, adj, labels, idx_train) # train without earlystopping
+    >>> gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) # train with earlystopping
+    >>> gcn.test(idx_test)
+    """
+
+    def __init__(self, nfeat, nhid, nclass, dropout=0.5, lr=0.01, weight_decay=5e-4,
+            with_relu=True, with_bias=True, device=None):
+
+        super(GCN, self).__init__()
+
+        assert device is not None, "Please specify 'device'!"
+        self.device = device
+        self.nfeat = nfeat
+        self.hidden_sizes = [nhid]
+        self.nclass = nclass
+        self.gc1 = GraphConvolution(nfeat, nhid, with_bias=with_bias)
+        self.gc2 = GraphConvolution(nhid, nclass, with_bias=with_bias)
+        self.dropout = dropout
+        self.lr = lr
+        if not with_relu:
+            self.weight_decay = 0
+        else:
+            self.weight_decay = weight_decay
+        self.with_relu = with_relu
+        self.with_bias = with_bias
+        self.output = None
+        self.best_model = None
+        self.best_output = None
+        self.adj_norm = None
+        self.features = None
+
+    def forward(self, x, adj):
+        if self.with_relu:
+            x = F.relu(self.gc1(x, adj))
+        else:
+            x = self.gc1(x, adj)
+
+        x = F.dropout(x, self.dropout, training=self.training)
+        x = self.gc2(x, adj)
+        return F.log_softmax(x, dim=1)
+
+    def initialize(self):
+        """Initialize parameters of GCN.
+        """
+        self.gc1.reset_parameters()
+        self.gc2.reset_parameters()
+
+    def fit(self, features, adj, labels, idx_train, idx_val=None, train_iters=200, initialize=True, verbose=False, normalize=True, patience=500, **kwargs):
+        """Train the gcn model, when idx_val is not None, pick the best model according to the validation loss.
+
+        Parameters
+        ----------
+        features :
+            node features
+        adj :
+            the adjacency matrix. The format could be torch.tensor or scipy matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_val :
+            node validation indices. If not given (None), GCN training process will not adpot early stopping
+        train_iters : int
+            number of training epochs
+        initialize : bool
+            whether to initialize parameters before training
+        verbose : bool
+            whether to show verbose logs
+        normalize : bool
+            whether to normalize the input adjacency matrix.
+        patience : int
+            patience for early stopping, only valid when `idx_val` is given
+        """
+
+        self.device = self.gc1.weight.device
+        if initialize:
+            self.initialize()
+
+        if type(adj) is not torch.Tensor:
+            features, adj, labels = utils.to_tensor(features, adj, labels, device=self.device)
+        else:
+            features = features.to(self.device)
+            adj = adj.to(self.device)
+            labels = labels.to(self.device)
+
+        if normalize:
+            if utils.is_sparse_tensor(adj):
+                adj_norm = utils.normalize_adj_tensor(adj, sparse=True)
+            else:
+                adj_norm = utils.normalize_adj_tensor(adj)
+        else:
+            adj_norm = adj
+        
+        
+
+        self.adj_norm = adj_norm
+        self.features = features
+        self.labels = labels
+
+        if idx_val is None:
+            self._train_without_val(labels, idx_train, train_iters, verbose)
+        else:
+            if patience < train_iters:
+                self._train_with_early_stopping(labels, idx_train, idx_val, train_iters, patience, verbose)
+            else:
+                self._train_with_val(labels, idx_train, idx_val, train_iters, verbose)
+
+    def _train_without_val(self, labels, idx_train, train_iters, verbose):
+        self.train()
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+        for i in range(train_iters):
+            optimizer.zero_grad()
+            output = self.forward(self.features, self.adj_norm)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+        self.eval()
+        output = self.forward(self.features, self.adj_norm)
+        self.output = output
+
+    def _train_with_val(self, labels, idx_train, idx_val, train_iters, verbose):
+        if verbose:
+            print('=== training gcn model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        best_loss_val = 100
+        best_acc_val = 0
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.features, self.adj_norm)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward(self.features, self.adj_norm)
+            loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+            acc_val = utils.accuracy(output[idx_val], labels[idx_val])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+
+            if acc_val > best_acc_val:
+                best_acc_val = acc_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+
+        if verbose:
+            print('=== picking the best model according to the performance on validation ===')
+        self.load_state_dict(weights)
+
+    def _train_with_early_stopping(self, labels, idx_train, idx_val, train_iters, patience, verbose):
+        if verbose:
+            print('=== training gcn model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        early_stopping = patience
+        best_loss_val = 100
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.features, self.adj_norm)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward(self.features, self.adj_norm)
+
+            # def eval_class(output, labels):
+            #     preds = output.max(1)[1].type_as(labels)
+            #     return f1_score(labels.cpu().numpy(), preds.cpu().numpy(), average='micro') + \
+            #         f1_score(labels.cpu().numpy(), preds.cpu().numpy(), average='macro')
+
+            # perf_sum = eval_class(output[idx_val], labels[idx_val])
+            loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+                patience = early_stopping
+            else:
+                patience -= 1
+            if i > early_stopping and patience <= 0:
+                break
+
+        if verbose:
+             print('=== early stopping at {0}, loss_val = {1} ==='.format(i, best_loss_val) )
+        self.load_state_dict(weights)
+
+    def test(self, idx_test):
+        """Evaluate GCN performance on test set.
+
+        Parameters
+        ----------
+        idx_test :
+            node testing indices
+        """
+        self.eval()
+        output = self.predict()
+        # output = self.output
+        loss_test = F.nll_loss(output[idx_test], self.labels[idx_test])
+        acc_test = utils.accuracy(output[idx_test], self.labels[idx_test])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test.item()
+
+
+    def predict(self, features=None, adj=None):
+        """By default, the inputs should be unnormalized adjacency
+
+        Parameters
+        ----------
+        features :
+            node features. If `features` and `adj` are not given, this function will use previous stored `features` and `adj` from training to make predictions.
+        adj :
+            adjcency matrix. If `features` and `adj` are not given, this function will use previous stored `features` and `adj` from training to make predictions.
+
+
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of GCN
+        """
+
+        self.eval()
+        if features is None and adj is None:
+            return self.forward(self.features, self.adj_norm)
+        else:
+            if type(adj) is not torch.Tensor:
+                features, adj = utils.to_tensor(features, adj, device=self.device)
+
+            self.features = features
+            if utils.is_sparse_tensor(adj):
+                self.adj_norm = utils.normalize_adj_tensor(adj, sparse=True)
+            else:
+                self.adj_norm = utils.normalize_adj_tensor(adj)
+            return self.forward(self.features, self.adj_norm)
+
+
+

deeprobust/graph/defense/gcn_cgscore.py

@@ -0,0 +1,413 @@
+import torch.nn as nn
+import numpy as np
+import torch.nn.functional as F
+import math
+import torch
+import torch.optim as optim
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from deeprobust.graph import utils
+from copy import deepcopy
+from sklearn.metrics import f1_score
+
+from collections import defaultdict
+from functools import reduce
+
+class GraphConvolution(Module):
+    """Simple GCN layer, similar to https://github.com/tkipf/pygcn
+    """
+
+    def __init__(self, in_features, out_features, with_bias=True):
+        super(GraphConvolution, self).__init__()
+        self.in_features = in_features
+        self.out_features = out_features
+        self.weight = Parameter(torch.FloatTensor(in_features, out_features))
+        if with_bias:
+            self.bias = Parameter(torch.FloatTensor(out_features))
+        else:
+            self.register_parameter('bias', None)
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        stdv = 1. / math.sqrt(self.weight.size(1))
+        self.weight.data.uniform_(-stdv, stdv)
+        if self.bias is not None:
+            self.bias.data.uniform_(-stdv, stdv)
+
+    def forward(self, input, adj):
+        """ Graph Convolutional Layer forward function
+        """
+        if input.data.is_sparse:
+            support = torch.spmm(input, self.weight)
+        else:
+            support = torch.mm(input, self.weight)
+        output = torch.spmm(adj, support)
+        if self.bias is not None:
+            return output + self.bias
+        else:
+            return output
+
+    def __repr__(self):
+        return self.__class__.__name__ + ' (' \
+               + str(self.in_features) + ' -> ' \
+               + str(self.out_features) + ')'
+
+class GraphConvolution_cg(Module):
+    """Simple GCN layer, similar to https://github.com/tkipf/pygcn
+    """
+
+    def __init__(self, in_features, out_features, with_bias=True):
+        super(GraphConvolution_cg, self).__init__()
+        self.in_features = in_features
+        self.out_features = out_features
+        self.weight = Parameter(torch.FloatTensor(in_features, out_features))
+        if with_bias:
+            self.bias = Parameter(torch.FloatTensor(out_features))
+        else:
+            self.register_parameter('bias', None)
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        stdv = 1. / math.sqrt(self.weight.size(1))
+        self.weight.data.uniform_(-stdv, stdv)
+        if self.bias is not None:
+            self.bias.data.uniform_(-stdv, stdv)
+
+    # def forward(self, input):
+    #     """ Graph Convolutional Layer forward function
+    #     """
+    #     if input.data.is_sparse:
+    #         support = input
+    #     else:
+    #         support = torch.mm(input, self.weight)
+    #     output = torch.spmm(adj, support)
+
+    #     if self.bias is not None:
+    #         return output + self.bias
+    #     else:
+    #         return output
+    
+    def forward(self, cg_features):
+        """ Graph Convolutional Layer forward function
+        """
+        # print("cg_features:", cg_features)
+        # if cg_features.data.is_sparse:
+        #     output = torch.spmm(cg_features, self.weight)  
+
+        # else:
+        #     output = torch.mm(cg_features, self.weight)  
+        output = torch.spmm(cg_features, self.weight) 
+        if self.bias is not None:
+            return output + self.bias  
+        else:
+            return output
+
+    def __repr__(self):
+        return self.__class__.__name__ + ' (' \
+               + str(self.in_features) + ' -> ' \
+               + str(self.out_features) + ')'
+
+class GCNScore(nn.Module):
+    """ 2 Layer Graph Convolutional Network.
+
+    Parameters
+    ----------
+    nfeat : int
+        size of input feature dimension
+    nhid : int
+        number of hidden units
+    nclass : int
+        size of output dimension
+    dropout : float
+        dropout rate for GCN
+    lr : float
+        learning rate for GCN
+    weight_decay : float
+        weight decay coefficient (l2 normalization) for GCN.
+        When `with_relu` is True, `weight_decay` will be set to 0.
+    with_relu : bool
+        whether to use relu activation function. If False, GCN will be linearized.
+    with_bias: bool
+        whether to include bias term in GCN weights.
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+	We can first load dataset and then train GCN.
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import GCN
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> gcn = GCN(nfeat=features.shape[1],
+              nhid=16,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device='cpu')
+    >>> gcn = gcn.to('cpu')
+    >>> gcn.fit(features, adj, labels, idx_train) # train without earlystopping
+    >>> gcn.fit(features, adj, labels, idx_train, idx_val, patience=30) # train with earlystopping
+    >>> gcn.test(idx_test)
+    """
+
+    def __init__(self, nfeat, nhid, nclass, dropout=0.5, lr=0.01, weight_decay=5e-4,
+            with_relu=True, with_bias=True, device=None):
+
+        super(GCNScore, self).__init__()
+
+        assert device is not None, "Please specify 'device'!"
+        self.device = device
+        self.nfeat = nfeat
+        self.hidden_sizes = [nhid]
+        self.nclass = nclass
+        self.gc1 = GraphConvolution_cg(nfeat, nhid, with_bias=with_bias)
+        self.gc2 = GraphConvolution_cg(nhid, nclass, with_bias=with_bias)
+        self.dropout = dropout
+        self.lr = lr
+        if not with_relu:
+            self.weight_decay = 0
+        else:
+            self.weight_decay = weight_decay
+        self.with_relu = with_relu
+        self.with_bias = with_bias
+        self.output = None
+        self.best_model = None
+        self.best_output = None
+        self.adj_norm = None
+        self.features = None
+
+    def forward(self, x):
+        if self.with_relu:
+            x = F.relu(self.gc1(x))
+        else:
+            x = self.gc1(x)
+
+        x = F.dropout(x, self.dropout, training=self.training)
+        x = self.gc2(x)
+        return F.log_softmax(x, dim=1)
+
+    def initialize(self):
+        """Initialize parameters of GCN.
+        """
+        self.gc1.reset_parameters()
+        self.gc2.reset_parameters()
+
+    def fit(self, features, adj, labels, idx_train, idx_val=None, train_iters=200, initialize=True, verbose=False, normalize=True, patience=500, **kwargs):
+        """Train the gcn model, when idx_val is not None, pick the best model according to the validation loss.
+
+        Parameters
+        ----------
+        features :
+            node features
+        adj :
+            the adjacency matrix. The format could be torch.tensor or scipy matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_val :
+            node validation indices. If not given (None), GCN training process will not adpot early stopping
+        train_iters : int
+            number of training epochs
+        initialize : bool
+            whether to initialize parameters before training
+        verbose : bool
+            whether to show verbose logs
+        normalize : bool
+            whether to normalize the input adjacency matrix.
+        patience : int
+            patience for early stopping, only valid when `idx_val` is given
+        """
+
+        self.device = self.gc1.weight.device
+        if initialize:
+            self.initialize()
+
+        if type(adj) is not torch.Tensor:
+            features, adj, labels = utils.to_tensor(features, adj, labels, device=self.device)
+        else:
+            features = features.to(self.device)
+            adj = adj.to(self.device)
+            labels = labels.to(self.device)
+
+        if normalize:
+            if utils.is_sparse_tensor(adj):
+                adj_norm = utils.normalize_adj_tensor(adj, sparse=True)
+            else:
+                adj_norm = utils.normalize_adj_tensor(adj)
+        else:
+            adj_norm = adj
+        
+        
+
+        self.adj_norm = adj_norm
+        self.features = features
+        self.labels = labels
+        
+        if features.data.is_sparse:
+            feature_ax = torch.spmm(adj_norm, features)
+        else:
+            feature_ax = torch.mm(adj, features)
+
+        self.features_ax = feature_ax
+
+        if idx_val is None:
+            self._train_without_val(labels, idx_train, train_iters, verbose)
+        else:
+            if patience < train_iters:
+                self._train_with_early_stopping(labels, idx_train, idx_val, train_iters, patience, verbose)
+            else:
+                self._train_with_val(labels, idx_train, idx_val, train_iters, verbose)
+
+    def _train_without_val(self, labels, idx_train, train_iters, verbose):
+        self.train()
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+        for i in range(train_iters):
+            optimizer.zero_grad()
+            output = self.forward(self.features_ax)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+        self.eval()
+        output = self.forward(self.features_ax)
+        self.output = output
+
+    def _train_with_val(self, labels, idx_train, idx_val, train_iters, verbose):
+        if verbose:
+            print('=== training gcn model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        best_loss_val = 100
+        best_acc_val = 0
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.features_ax)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward(self.features_ax)
+            loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+            acc_val = utils.accuracy(output[idx_val], labels[idx_val])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+
+            if acc_val > best_acc_val:
+                best_acc_val = acc_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+
+        if verbose:
+            print('=== picking the best model according to the performance on validation ===')
+        self.load_state_dict(weights)
+
+    def _train_with_early_stopping(self, labels, idx_train, idx_val, train_iters, patience, verbose):
+        if verbose:
+            print('=== training gcn model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        early_stopping = patience
+        best_loss_val = 100
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.features_ax)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward(self.features_ax)
+
+            # def eval_class(output, labels):
+            #     preds = output.max(1)[1].type_as(labels)
+            #     return f1_score(labels.cpu().numpy(), preds.cpu().numpy(), average='micro') + \
+            #         f1_score(labels.cpu().numpy(), preds.cpu().numpy(), average='macro')
+
+            # perf_sum = eval_class(output[idx_val], labels[idx_val])
+            loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+                patience = early_stopping
+            else:
+                patience -= 1
+            if i > early_stopping and patience <= 0:
+                break
+
+        if verbose:
+             print('=== early stopping at {0}, loss_val = {1} ==='.format(i, best_loss_val) )
+        self.load_state_dict(weights)
+
+    def test(self, idx_test):
+        """Evaluate GCN performance on test set.
+
+        Parameters
+        ----------
+        idx_test :
+            node testing indices
+        """
+        self.eval()
+        # output = self.predict()
+        output = self.forward(self.features_ax)
+        loss_test = F.nll_loss(output[idx_test], self.labels[idx_test])
+        acc_test = utils.accuracy(output[idx_test], self.labels[idx_test])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test.item()
+
+
+    def predict(self, features=None, adj=None):
+        """By default, the inputs should be unnormalized adjacency
+
+        Parameters
+        ----------
+        features :
+            node features. If `features` and `adj` are not given, this function will use previous stored `features` and `adj` from training to make predictions.
+        adj :
+            adjcency matrix. If `features` and `adj` are not given, this function will use previous stored `features` and `adj` from training to make predictions.
+
+
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of GCN
+        """
+        print("f_exist:", features)
+        print("adj_exist:", adj)
+        self.eval()
+        if features is None and adj is None:
+            return self.forward(self.features_ax)
+        else:
+            if type(adj) is not torch.Tensor:
+                features, adj = utils.to_tensor(features, adj, device=self.device)
+
+            self.features = features_
+            if utils.is_sparse_tensor(adj):
+                self.adj_norm = utils.normalize_adj_tensor(adj, sparse=True)
+            else:
+                self.adj_norm = utils.normalize_adj_tensor(adj)
+            return self.forward(self.features_ax)
+
+
+

deeprobust/graph/defense/gcn_guard.py

@@ -0,0 +1,411 @@
+import torch.nn as nn
+import torch.nn.functional as F
+import math
+import torch
+import torch.optim as optim
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from deeprobust.graph import utils
+from copy import deepcopy
+import scipy
+from sklearn.metrics import jaccard_score
+from sklearn.metrics.pairwise import euclidean_distances, cosine_similarity
+import numpy as np
+from deeprobust.graph.utils import *
+from torch_geometric.nn import GINConv, GATConv, GCNConv, JumpingKnowledge
+# from nn.conv.gcn_conv import GCNConv
+# from nn import GINConv, GATConv, GCNConv, JumpingKnowledge
+from torch.nn import Sequential, Linear, ReLU
+from sklearn.preprocessing import normalize
+# from deeprobust.graph.defense.basicfunction import att_coef
+# from sklearn.metrics import f1_score
+from scipy.sparse import lil_matrix
+
+
+
+class GCNGuard(nn.Module):
+
+    def __init__(self, nfeat, nhid, nclass, dropout=0.5, lr=0.01, drop=False, weight_decay=5e-4, with_relu=True,
+                 with_bias=True, device=None):
+
+        super(GCNGuard, self).__init__()
+
+        assert device is not None, "Please specify 'device'!"
+        self.device = device
+        self.nfeat = nfeat
+        self.hidden_sizes = [nhid]
+        self.nclass = nclass
+        self.dropout = dropout
+        self.lr = lr
+
+        # weight_decay =0  # set weight_decay as 0
+
+        if not with_relu:
+            self.weight_decay = 0
+        else:
+            self.weight_decay = weight_decay
+        self.with_relu = with_relu
+        self.with_bias = with_bias
+        self.output = None
+        self.best_model = None
+        self.best_output = None
+        self.adj_norm = None
+        self.features = None
+        self.gate = Parameter(torch.rand(1)) # creat a generator between [0,1]
+        self.test_value = Parameter(torch.rand(1))
+        self.drop_learn_1 = Linear(2, 1)
+        self.drop_learn_2 = Linear(2, 1)
+        self.drop = drop
+        self.bn1 = torch.nn.BatchNorm1d(nhid)
+        self.bn2 = torch.nn.BatchNorm1d(nhid)
+        nclass = int(nclass)
+
+        """GCN from geometric"""
+        """network from torch-geometric, """
+        self.gc1 = GCNConv(nfeat, nhid, bias=True,)
+        self.gc2 = GCNConv(nhid, nclass, bias=True, )
+
+
+        # """GAT from torch-geometric"""
+        # nclass = int(nclass)
+        # self.gc1 = GATConv(nfeat, nhid, heads=8, dropout=0.6)
+        # self.gc2 = GATConv(nhid*8, nclass, heads=1, concat=True, dropout=0.6)
+
+        """GIN from torch-geometric"""
+        # dim = 32
+        # nn1 = Sequential(Linear(nfeat, dim), ReLU(), )
+        # self.gc1 = GINConv(nn1)
+        # # self.bn1 = torch.nn.BatchNorm1d(dim)
+        # nn2 = Sequential(Linear(dim, dim), ReLU(), )
+        # self.gc2 = GINConv(nn2)
+        # self.jump = JumpingKnowledge(mode='cat')
+        # # self.bn2 = torch.nn.BatchNorm1d(dim)
+        # self.fc2 = Linear(dim, int(nclass))
+
+        # """JK-Nets"""
+        # num_features = nfeat
+        # dim = 32
+        # nn1 = Sequential(Linear(num_features, dim), ReLU(), )
+        # self.gc1 = GINConv(nn1)
+        # self.bn1 = torch.nn.BatchNorm1d(dim)
+        #
+        # nn2 = Sequential(Linear(dim, dim), ReLU(), )
+        # self.gc2 = GINConv(nn2)
+        # nn3 = Sequential(Linear(dim, dim), ReLU(), )
+        # self.gc3 = GINConv(nn3)
+        #
+        # self.jump = JumpingKnowledge(mode='cat') # 'cat', 'lstm', 'max'
+        # self.bn2 = torch.nn.BatchNorm1d(dim)
+        # # self.fc1 = Linear(dim*3, dim)
+        # self.fc2 = Linear(dim*2, int(nclass))
+
+    def forward(self, x, adj):
+        """we don't change the edge_index, just update the edge_weight;
+        some edge_weight are regarded as removed if it equals to zero"""
+        x = x.to_dense()  # topology attack中需要注销掉(wisconsin不需要), 在meta attack还有 dice中均需要
+
+        """GCN and GAT"""
+        if self.attention:
+            adj = self.att_coef(x, adj, i=0)
+            adj = adj.to(self.device)
+
+        edge_index = adj._indices()
+        x = self.gc1(x, edge_index, edge_weight=adj._values())
+        x = F.relu(x)
+        # x = self.bn1(x)
+        if self.attention:  # if attention=True, use attention mechanism
+            adj_2 = self.att_coef(x, adj, i=1)
+            adj_2= adj_2.to(self.device)
+            # adj_memory = adj_2.to_dense()  # without memory
+            adj_memory = self.gate * adj.to_dense() + (1 - self.gate) * adj_2.to_dense()
+            row, col = adj_memory.nonzero()[:,0], adj_memory.nonzero()[:,1]
+            edge_index = torch.stack((row, col), dim=0)
+            edge_index = edge_index.to(self.device)
+            adj_values = adj_memory[row, col]
+            adj_values = adj_values.to(self.device)
+        else:
+            edge_index = adj._indices()
+            adj_values = adj._values()
+            edge_index = edge_index.to(self.device)
+            adj_values = adj_values.to(self.device)
+
+
+        x = F.dropout(x, self.dropout, training=self.training)
+        x = self.gc2(x, edge_index, edge_weight=adj_values)
+
+        return F.log_softmax(x, dim=1)
+
+    def initialize(self):
+        self.gc1.reset_parameters()
+        self.gc2.reset_parameters()
+        self.drop_learn_1.reset_parameters()
+        self.drop_learn_2.reset_parameters()
+        try:
+            self.gate.reset_parameters()
+            self.fc2.reset_parameters()
+        except:
+            pass
+
+    def att_coef(self, fea, edge_index, is_lil=False, i=0):
+
+        if is_lil == False:
+            edge_index = edge_index._indices()
+        else:
+            edge_index = edge_index.tocoo()
+
+        n_node = fea.shape[0]
+        row, col = edge_index[0].cpu().data.numpy()[:], edge_index[1].cpu().data.numpy()[:]
+
+        fea_copy = fea.cpu().data.numpy()
+        sim_matrix = cosine_similarity(X=fea_copy, Y=fea_copy)  # try cosine similarity
+        sim = sim_matrix[row, col]
+        sim[sim<0.1] = 0
+        # print('dropped {} edges'.format(1-sim.nonzero()[0].shape[0]/len(sim)))
+
+        # """use jaccard for binary features and cosine for numeric features"""
+        # fea_start, fea_end = fea[edge_index[0]], fea[edge_index[1]]
+        # isbinray = np.array_equal(fea_copy, fea_copy.astype(bool))  # check is the fea are binary
+        # np.seterr(divide='ignore', invalid='ignore')
+        # if isbinray:
+        #     fea_start, fea_end = fea_start.T, fea_end.T
+        #     sim = jaccard_score(fea_start, fea_end, average=None)  # similarity scores of each edge
+        # else:
+        #     fea_copy[np.isinf(fea_copy)] = 0
+        #     fea_copy[np.isnan(fea_copy)] = 0
+        #     sim_matrix = cosine_similarity(X=fea_copy, Y=fea_copy)  # try cosine similarity
+        #     sim = sim_matrix[edge_index[0], edge_index[1]]
+        #     sim[sim < 0.01] = 0
+
+        """build a attention matrix"""
+        att_dense = lil_matrix((n_node, n_node), dtype=np.float32)
+        att_dense[row, col] = sim
+        if att_dense[0, 0] == 1:
+            att_dense = att_dense - sp.diags(att_dense.diagonal(), offsets=0, format="lil")
+        # normalization, make the sum of each row is 1
+        att_dense_norm = normalize(att_dense, axis=1, norm='l1')
+
+
+        """add learnable dropout, make character vector"""
+        if self.drop:
+            character = np.vstack((att_dense_norm[row, col].A1,
+                                     att_dense_norm[col, row].A1))
+            character = torch.from_numpy(character.T)
+            drop_score = self.drop_learn_1(character)
+            drop_score = torch.sigmoid(drop_score)  # do not use softmax since we only have one element
+            mm = torch.nn.Threshold(0.5, 0)
+            drop_score = mm(drop_score)
+            mm_2 = torch.nn.Threshold(-0.49, 1)
+            drop_score = mm_2(-drop_score)
+            drop_decision = drop_score.clone().requires_grad_()
+            # print('rate of left edges', drop_decision.sum().data/drop_decision.shape[0])
+            drop_matrix = lil_matrix((n_node, n_node), dtype=np.float32)
+            drop_matrix[row, col] = drop_decision.cpu().data.numpy().squeeze(-1)
+            att_dense_norm = att_dense_norm.multiply(drop_matrix.tocsr())  # update, remove the 0 edges
+
+        if att_dense_norm[0, 0] == 0:  # add the weights of self-loop only add self-loop at the first layer
+            degree = (att_dense_norm != 0).sum(1).A1
+            lam = 1 / (degree + 1) # degree +1 is to add itself
+            self_weight = sp.diags(np.array(lam), offsets=0, format="lil")
+            att = att_dense_norm + self_weight  # add the self loop
+        else:
+            att = att_dense_norm
+
+        row, col = att.nonzero()
+        att_adj = np.vstack((row, col))
+        att_edge_weight = att[row, col]
+        att_edge_weight = np.exp(att_edge_weight)   # exponent, kind of softmax
+        att_edge_weight = torch.tensor(np.array(att_edge_weight)[0], dtype=torch.float32)#.cuda()
+        att_adj = torch.tensor(att_adj, dtype=torch.int64)#.cuda()
+
+        shape = (n_node, n_node)
+        new_adj = torch.sparse.FloatTensor(att_adj, att_edge_weight, shape)
+        return new_adj
+
+    def add_loop_sparse(self, adj, fill_value=1):
+        # make identify sparse tensor
+        row = torch.range(0, int(adj.shape[0]-1), dtype=torch.int64)
+        i = torch.stack((row, row), dim=0)
+        v = torch.ones(adj.shape[0], dtype=torch.float32)
+        shape = adj.shape
+        I_n = torch.sparse.FloatTensor(i, v, shape)
+        return adj + I_n.to(self.device)
+
+    def fit(self, features, adj, labels, idx_train, idx_val=None, idx_test=None, train_iters=81, att_0=None,
+            attention=False, model_name=None, initialize=True, verbose=False, normalize=True, patience=510, ):
+        '''
+            train the gcn model, when idx_val is not None, pick the best model
+            according to the validation loss
+        '''
+        self.sim = None
+        self.idx_test = idx_test
+        self.attention = attention
+        # if self.attention:
+        #     att_0 = self.att_coef_1(features, adj)
+        #     adj = att_0 # update adj
+        #     self.sim = att_0 # update att_0
+
+        # self.device = self.gc1.weight.device
+
+        if initialize:
+            self.initialize()
+
+        if type(adj) is not torch.Tensor:
+            features, adj, labels = utils.to_tensor(features, adj, labels, device=self.device)
+        else:
+            features = features.to(self.device)
+            adj = adj.to(self.device)
+            labels = labels.to(self.device)
+
+        # normalize = False # we don't need normalize here, the norm is conducted in the GCN (self.gcn1) model
+        # if normalize:
+        #     if utils.is_sparse_tensor(adj):
+        #         adj_norm = utils.normalize_adj_tensor(adj, sparse=True)
+        #     else:
+        #         adj_norm = utils.normalize_adj_tensor(adj)
+        # else:
+        #     adj_norm = adj
+        # add self loop
+        adj = self.add_loop_sparse(adj)
+
+
+        """The normalization gonna be done in the GCNConv"""
+        self.adj_norm = adj
+        self.features = features
+        self.labels = labels
+
+        if idx_val is None:
+            self._train_without_val(labels, idx_train, train_iters, verbose)
+        else:
+            if patience < train_iters:
+                self._train_with_early_stopping(labels, idx_train, idx_val, train_iters, patience, verbose)
+            else:
+                self._train_with_val(labels, idx_train, idx_val, train_iters, verbose)
+
+    def _train_without_val(self, labels, idx_train, train_iters, verbose):
+        self.train()
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+        for i in range(train_iters):
+            optimizer.zero_grad()
+            output = self.forward(self.features, self.adj_norm)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train], weight=None)   # this weight is the weight of each training nodes
+            loss_train.backward()
+            optimizer.step()
+            if verbose and i % 20 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+        self.eval()
+        output = self.forward(self.features, self.adj_norm)
+        self.output = output
+
+    def _train_with_val(self, labels, idx_train, idx_val, train_iters, verbose):
+        if verbose:
+            print('=== training gcn model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        best_loss_val = 100
+        best_acc_val = 0
+
+        for i in range(train_iters):
+            # print('epoch', i)
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.features, self.adj_norm)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+            self.eval()
+
+            loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+            acc_val = utils.accuracy(output[idx_val], labels[idx_val])
+            # acc_test = utils.accuracy(output[self.idx_test], labels[self.idx_test])
+
+            if verbose and i % 1 == 0:
+                print('Epoch {}, training loss: {}, val acc: {}, '.format(i, loss_train.item(), acc_val))
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+
+            if acc_val > best_acc_val:
+                best_acc_val = acc_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+
+        if verbose:
+            print('=== picking the best model according to the performance on validation ===')
+        self.load_state_dict(weights)
+        # """my test"""
+        # output_ = self.forward(self.features, self.adj_norm)
+        # acc_test_ = utils.accuracy(output_[self.idx_test], labels[self.idx_test])
+        # print('With best weights, test acc:', acc_test_)
+
+    def _train_with_early_stopping(self, labels, idx_train, idx_val, train_iters, patience, verbose):
+        if verbose:
+            print('=== training gcn model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        early_stopping = patience
+        best_loss_val = 100
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.features, self.adj_norm)
+            loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+
+            self.eval()
+            output = self.forward(self.features, self.adj_norm)
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+
+            loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+                patience = early_stopping
+            else:
+                patience -= 1
+            if i > early_stopping and patience <= 0:
+                break
+
+        if verbose:
+             print('=== early stopping at {0}, loss_val = {1} ==='.format(i, best_loss_val) )
+        self.load_state_dict(weights)
+
+    def test(self, idx_test):
+        self.eval()
+        output = self.predict()  # here use the self.features and self.adj_norm in training stage
+        loss_test = F.nll_loss(output[idx_test], self.labels[idx_test])
+        acc_test = utils.accuracy(output[idx_test], self.labels[idx_test])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test, output
+
+    def _set_parameters(self):
+        # TODO
+        pass
+
+    def predict(self, features=None, adj=None):
+        '''By default, inputs are unnormalized data'''
+        self.eval()
+        if features is None and adj is None:
+            return self.forward(self.features, self.adj_norm)
+        else:
+            if type(adj) is not torch.Tensor:
+                features, adj = utils.to_tensor(features, adj, device=self.device)
+
+            self.features = features
+            if utils.is_sparse_tensor(adj):
+                self.adj_norm = utils.normalize_adj_tensor(adj, sparse=True)
+            else:
+                self.adj_norm = utils.normalize_adj_tensor(adj)
+            return self.forward(self.features, self.adj_norm)
+

deeprobust/graph/defense/gcn_preprocess.py

@@ -0,0 +1,488 @@
+import torch.nn as nn
+import torch.nn.functional as F
+import math
+import torch
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from deeprobust.graph import utils
+from deeprobust.graph.defense import GCN
+from tqdm import tqdm
+import scipy.sparse as sp
+import numpy as np
+from numba import njit
+
+class GCNSVD(GCN):
+    """GCNSVD is a 2 Layer Graph Convolutional Network with Truncated SVD as
+    preprocessing. See more details in All You Need Is Low (Rank): Defending
+    Against Adversarial Attacks on Graphs,
+    https://dl.acm.org/doi/abs/10.1145/3336191.3371789.
+
+    Parameters
+    ----------
+    nfeat : int
+        size of input feature dimension
+    nhid : int
+        number of hidden units
+    nclass : int
+        size of output dimension
+    dropout : float
+        dropout rate for GCN
+    lr : float
+        learning rate for GCN
+    weight_decay : float
+        weight decay coefficient (l2 normalization) for GCN. When `with_relu` is True, `weight_decay` will be set to 0.
+    with_relu : bool
+        whether to use relu activation function. If False, GCN will be linearized.
+    with_bias: bool
+        whether to include bias term in GCN weights.
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+	We can first load dataset and then train GCNSVD.
+
+    >>> from deeprobust.graph.data import PrePtbDataset, Dataset
+    >>> from deeprobust.graph.defense import GCNSVD
+    >>> # load clean graph data
+    >>> data = Dataset(root='/tmp/', name='cora', seed=15)
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> # load perturbed graph data
+    >>> perturbed_data = PrePtbDataset(root='/tmp/', name='cora')
+    >>> perturbed_adj = perturbed_data.adj
+    >>> # train defense model
+    >>> model = GCNSVD(nfeat=features.shape[1],
+              nhid=16,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device='cpu').to('cpu')
+    >>> model.fit(features, perturbed_adj, labels, idx_train, idx_val, k=20)
+
+    """
+
+    def __init__(self, nfeat, nhid, nclass, dropout=0.5, lr=0.01, weight_decay=5e-4, with_relu=True, with_bias=True, device='cpu'):
+
+        super(GCNSVD, self).__init__(nfeat, nhid, nclass, dropout, lr, weight_decay, with_relu, with_bias, device=device)
+        self.device = device
+        self.k = None
+
+    def fit(self, features, adj, labels, idx_train, idx_val=None, k=50, train_iters=200, initialize=True, verbose=True, **kwargs):
+        """First perform rank-k approximation of adjacency matrix via
+        truncated SVD, and then train the gcn model on the processed graph,
+        when idx_val is not None, pick the best model according to
+        the validation loss.
+
+        Parameters
+        ----------
+        features :
+            node features
+        adj :
+            the adjacency matrix. The format could be torch.tensor or scipy matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_val :
+            node validation indices. If not given (None), GCN training process will not adpot early stopping
+        k : int
+            number of singular values and vectors to compute.
+        train_iters : int
+            number of training epochs
+        initialize : bool
+            whether to initialize parameters before training
+        verbose : bool
+            whether to show verbose logs
+        """
+        adj = adj.to('cpu')
+        modified_adj = self.truncatedSVD(adj, k=k)
+        self.k = k
+        # modified_adj_tensor = utils.sparse_mx_to_torch_sparse_tensor(self.modified_adj)
+        features, modified_adj, labels = utils.to_tensor(features, modified_adj, labels, device=self.device)
+
+        self.modified_adj = modified_adj
+        self.features = features
+        self.labels = labels
+        super().fit(features, modified_adj, labels, idx_train, idx_val, train_iters=train_iters, initialize=initialize, verbose=verbose)
+
+    def truncatedSVD(self, data, k=50):
+        """Truncated SVD on input data.
+
+        Parameters
+        ----------
+        data :
+            input matrix to be decomposed
+        k : int
+            number of singular values and vectors to compute.
+
+        Returns
+        -------
+        numpy.array
+            reconstructed matrix.
+        """
+        print('=== GCN-SVD: rank={} ==='.format(k))
+        if sp.issparse(data):
+            data = data.asfptype()
+            U, S, V = sp.linalg.svds(data, k=k)
+            print("rank_after = {}".format(len(S.nonzero()[0])))
+            diag_S = np.diag(S)
+        else:
+            U, S, V = np.linalg.svd(data)
+            U = U[:, :k]
+            S = S[:k]
+            V = V[:k, :]
+            print("rank_before = {}".format(len(S.nonzero()[0])))
+            diag_S = np.diag(S)
+            print("rank_after = {}".format(len(diag_S.nonzero()[0])))
+
+        return U @ diag_S @ V
+
+    def predict(self, features=None, adj=None):
+        """By default, the inputs should be unnormalized adjacency
+
+        Parameters
+        ----------
+        features :
+            node features. If `features` and `adj` are not given, this function will use previous stored `features` and `adj` from training to make predictions.
+        adj :
+            adjcency matrix. If `features` and `adj` are not given, this function will use previous stored `features` and `adj` from training to make predictions.
+
+
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of GCNSVD
+        """
+
+        self.eval()
+        if features is None and adj is None:
+            return self.forward(self.features, self.adj_norm)
+        else:
+            adj = self.truncatedSVD(adj, k=self.k)
+            if type(adj) is not torch.Tensor:
+                features, adj = utils.to_tensor(features, adj, device=self.device)
+
+            self.features = features
+            if utils.is_sparse_tensor(adj):
+                self.adj_norm = utils.normalize_adj_tensor(adj, sparse=True)
+            else:
+                self.adj_norm = utils.normalize_adj_tensor(adj)
+            return self.forward(self.features, self.adj_norm)
+
+
+class GCNJaccard(GCN):
+    """GCNJaccard first preprocesses input graph via droppining dissimilar
+    edges and train a GCN based on the processed graph. See more details in
+    Adversarial Examples on Graph Data: Deep Insights into Attack and Defense,
+    https://arxiv.org/pdf/1903.01610.pdf.
+
+    Parameters
+    ----------
+    nfeat : int
+        size of input feature dimension
+    nhid : int
+        number of hidden units
+    nclass : int
+        size of output dimension
+    dropout : float
+        dropout rate for GCN
+    lr : float
+        learning rate for GCN
+    weight_decay : float
+        weight decay coefficient (l2 normalization) for GCN. When `with_relu` is True, `weight_decay` will be set to 0.
+    with_relu : bool
+        whether to use relu activation function. If False, GCN will be linearized.
+    with_bias: bool
+        whether to include bias term in GCN weights.
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+	We can first load dataset and then train GCNJaccard.
+
+    >>> from deeprobust.graph.data import PrePtbDataset, Dataset
+    >>> from deeprobust.graph.defense import GCNJaccard
+    >>> # load clean graph data
+    >>> data = Dataset(root='/tmp/', name='cora', seed=15)
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> # load perturbed graph data
+    >>> perturbed_data = PrePtbDataset(root='/tmp/', name='cora')
+    >>> perturbed_adj = perturbed_data.adj
+    >>> # train defense model
+    >>> model = GCNJaccard(nfeat=features.shape[1],
+              nhid=16,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device='cpu').to('cpu')
+    >>> model.fit(features, perturbed_adj, labels, idx_train, idx_val, threshold=0.03)
+
+    """
+    def __init__(self, nfeat, nhid, nclass, binary_feature=True, dropout=0.5, lr=0.01, weight_decay=5e-4, with_relu=True, with_bias=True, device='cpu'):
+
+        super(GCNJaccard, self).__init__(nfeat, nhid, nclass, dropout, lr, weight_decay, with_relu, with_bias, device=device)
+        self.device = device
+        self.binary_feature = binary_feature
+
+    def fit(self, features, adj, labels, idx_train, idx_val=None, threshold=0.01, train_iters=200, initialize=True, verbose=True, **kwargs):
+        """First drop dissimilar edges with similarity smaller than given
+        threshold and then train the gcn model on the processed graph.
+        When idx_val is not None, pick the best model according to the
+        validation loss.
+
+        Parameters
+        ----------
+        features :
+            node features. The format can be numpy.array or scipy matrix
+        adj :
+            the adjacency matrix.
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_val :
+            node validation indices. If not given (None), GCN training process will not adpot early stopping
+        threshold : float
+            similarity threshold for dropping edges. If two connected nodes with similarity smaller than threshold, the edge between them will be removed.
+        train_iters : int
+            number of training epochs
+        initialize : bool
+            whether to initialize parameters before training
+        verbose : bool
+            whether to show verbose logs
+        """
+
+        self.threshold = threshold
+        modified_adj = self.drop_dissimilar_edges(features, adj)
+        # modified_adj_tensor = utils.sparse_mx_to_torch_sparse_tensor(self.modified_adj)
+        features, modified_adj, labels = utils.to_tensor(features, modified_adj, labels, device=self.device)
+        self.modified_adj = modified_adj
+        self.features = features
+        self.labels = labels
+        super().fit(features, modified_adj, labels, idx_train, idx_val, train_iters=train_iters, initialize=initialize, verbose=verbose)
+
+    def drop_dissimilar_edges(self, features, adj, metric='similarity'):
+        """Drop dissimilar edges.(Faster version using numba)
+        """
+        if not sp.issparse(adj):
+            adj = adj.to('cpu')
+            adj = sp.csr_matrix(adj)
+
+        adj_triu = sp.triu(adj, format='csr')
+
+        if sp.issparse(features):
+            features = features.todense().A # make it easier for njit processing
+
+        if metric == 'distance':
+            removed_cnt = dropedge_dis(adj_triu.data, adj_triu.indptr, adj_triu.indices, features, threshold=self.threshold)
+        else:
+            if self.binary_feature:
+                removed_cnt = dropedge_jaccard(adj_triu.data, adj_triu.indptr, adj_triu.indices, features, threshold=self.threshold)
+            else:
+                removed_cnt = dropedge_cosine(adj_triu.data, adj_triu.indptr, adj_triu.indices, features, threshold=self.threshold)
+        print('removed %s edges in the original graph' % removed_cnt)
+        modified_adj = adj_triu + adj_triu.transpose()
+        return modified_adj
+
+    def predict(self, features=None, adj=None):
+        """By default, the inputs should be unnormalized adjacency
+
+        Parameters
+        ----------
+        features :
+            node features. If `features` and `adj` are not given, this function will use previous stored `features` and `adj` from training to make predictions.
+        adj :
+            adjcency matrix. If `features` and `adj` are not given, this function will use previous stored `features` and `adj` from training to make predictions.
+
+
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of GCNJaccard
+        """
+
+        self.eval()
+        if features is None and adj is None:
+            return self.forward(self.features, self.adj_norm)
+        else:
+            adj = self.drop_dissimilar_edges(features, adj)
+            if type(adj) is not torch.Tensor:
+                features, adj = utils.to_tensor(features, adj, device=self.device)
+
+            self.features = features
+            if utils.is_sparse_tensor(adj):
+                self.adj_norm = utils.normalize_adj_tensor(adj, sparse=True)
+            else:
+                self.adj_norm = utils.normalize_adj_tensor(adj)
+            return self.forward(self.features, self.adj_norm)
+
+    def _drop_dissimilar_edges(self, features, adj):
+        """Drop dissimilar edges. (Slower version)
+        """
+        if not sp.issparse(adj):
+            adj = sp.csr_matrix(adj)
+        modified_adj = adj.copy().tolil()
+
+        # preprocessing based on features
+        print('=== GCN-Jaccrad ===')
+        edges = np.array(modified_adj.nonzero()).T
+        removed_cnt = 0
+        for edge in tqdm(edges):
+            n1 = edge[0]
+            n2 = edge[1]
+            if n1 > n2:
+                continue
+
+            if self.binary_feature:
+                J = self._jaccard_similarity(features[n1], features[n2])
+
+                if J < self.threshold:
+                    modified_adj[n1, n2] = 0
+                    modified_adj[n2, n1] = 0
+                    removed_cnt += 1
+            else:
+                # For not binary feature, use cosine similarity
+                C = self._cosine_similarity(features[n1], features[n2])
+                if C < self.threshold:
+                    modified_adj[n1, n2] = 0
+                    modified_adj[n2, n1] = 0
+                    removed_cnt += 1
+        print('removed %s edges in the original graph' % removed_cnt)
+        return modified_adj
+
+    def _jaccard_similarity(self, a, b):
+        intersection = a.multiply(b).count_nonzero()
+        J = intersection * 1.0 / (a.count_nonzero() + b.count_nonzero() - intersection)
+        return J
+
+    def _cosine_similarity(self, a, b):
+        inner_product = (a * b).sum()
+        C = inner_product / (np.sqrt(np.square(a).sum()) * np.sqrt(np.square(b).sum()) + 1e-10)
+        return C
+
+def __dropedge_jaccard(A, iA, jA, features, threshold):
+    # deprecated: for sparse feature matrix...
+    removed_cnt = 0
+    for row in range(len(iA)-1):
+        for i in range(iA[row], iA[row+1]):
+            # print(row, jA[i], A[i])
+            n1 = row
+            n2 = jA[i]
+            a, b = features[n1], features[n2]
+
+            intersection = a.multiply(b).count_nonzero()
+            J = intersection * 1.0 / (a.count_nonzero() + b.count_nonzero() - intersection)
+
+            if J < threshold:
+                A[i] = 0
+                # A[n2, n1] = 0
+                removed_cnt += 1
+    return removed_cnt
+
+@njit
+def dropedge_jaccard(A, iA, jA, features, threshold):
+    removed_cnt = 0
+    for row in range(len(iA)-1):
+        for i in range(iA[row], iA[row+1]):
+            # print(row, jA[i], A[i])
+            n1 = row
+            n2 = jA[i]
+            a, b = features[n1], features[n2]
+            intersection = np.count_nonzero(a*b)
+            J = intersection * 1.0 / (np.count_nonzero(a) + np.count_nonzero(b) - intersection)
+
+            if J < threshold:
+                A[i] = 0
+                # A[n2, n1] = 0
+                removed_cnt += 1
+    return removed_cnt
+
+
+@njit
+def dropedge_cosine(A, iA, jA, features, threshold):
+    removed_cnt = 0
+    for row in range(len(iA)-1):
+        for i in range(iA[row], iA[row+1]):
+            # print(row, jA[i], A[i])
+            n1 = row
+            n2 = jA[i]
+            a, b = features[n1], features[n2]
+            inner_product = (a * b).sum()
+            C = inner_product / (np.sqrt(np.square(a).sum()) * np.sqrt(np.square(b).sum()) + 1e-8)
+
+            if C < threshold:
+                A[i] = 0
+                # A[n2, n1] = 0
+                removed_cnt += 1
+    return removed_cnt
+
+@njit
+def dropedge_dis(A, iA, jA, features, threshold):
+    removed_cnt = 0
+    for row in range(len(iA)-1):
+        for i in range(iA[row], iA[row+1]):
+            # print(row, jA[i], A[i])
+            n1 = row
+            n2 = jA[i]
+            C = np.linalg.norm(features[n1] - features[n2])
+            if C > threshold:
+                A[i] = 0
+                # A[n2, n1] = 0
+                removed_cnt += 1
+
+    return removed_cnt
+
+@njit
+def dropedge_both(A, iA, jA, features, threshold1=2.5, threshold2=0.01):
+    removed_cnt = 0
+    for row in range(len(iA)-1):
+        for i in range(iA[row], iA[row+1]):
+            # print(row, jA[i], A[i])
+            n1 = row
+            n2 = jA[i]
+            C1 = np.linalg.norm(features[n1] - features[n2])
+
+            a, b = features[n1], features[n2]
+            inner_product = (a * b).sum()
+            C2 = inner_product / (np.sqrt(np.square(a).sum() + np.square(b).sum())+ 1e-6)
+            if C1 > threshold1 or threshold2 < 0:
+                A[i] = 0
+                # A[n2, n1] = 0
+                removed_cnt += 1
+
+    return removed_cnt
+
+
+if __name__ == "__main__":
+    from deeprobust.graph.data import PrePtbDataset, Dataset
+    # load clean graph data
+    dataset_str = 'pubmed'
+    data = Dataset(root='/tmp/', name=dataset_str, seed=15)
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    # load perturbed graph data
+    perturbed_data = PrePtbDataset(root='/tmp/', name=dataset_str)
+    perturbed_adj = perturbed_data.adj
+    # train defense model
+    print("Test GCNJaccard")
+    model = GCNJaccard(nfeat=features.shape[1],
+          nhid=16,
+          nclass=labels.max().item() + 1,
+          binary_feature=False,
+          dropout=0.5, device='cuda').to('cuda')
+    model.fit(features, perturbed_adj, labels, idx_train, idx_val, threshold=0.1)
+    model.test(idx_test)
+    prediction_1 = model.predict()
+    prediction_2 = model.predict(features, perturbed_adj)
+    assert (prediction_1 != prediction_2).sum() == 0
+
+    print("Test GCNSVD")
+    model = GCNSVD(nfeat=features.shape[1],
+          nhid=16,
+          nclass=labels.max().item() + 1,
+          dropout=0.5, device='cuda').to('cuda')
+    model.fit(features, perturbed_adj, labels, idx_train, idx_val, k=20)
+    model.test(idx_test)
+    prediction_1 = model.predict()
+    prediction_2 = model.predict(features, perturbed_adj)
+    assert (prediction_1 - prediction_2).mean() < 1e-5
+

deeprobust/graph/defense/median_gcn.py

@@ -0,0 +1,296 @@
+from torch_geometric.typing import Adj, OptTensor
+
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+from torch import Tensor
+from torch import optim
+from copy import deepcopy
+from deeprobust.graph import utils
+from torch_geometric.nn.inits import zeros
+from torch_geometric.nn.conv import MessagePassing
+
+# This works for higher version of torch_gometric, e.g., 2.0.
+# from torch_geometric.nn.dense.linear import Linear
+from torch.nn import Linear
+
+
+from torch_sparse import SparseTensor, set_diag
+from torch_geometric.utils import to_dense_batch
+from torch_geometric.utils import remove_self_loops, add_self_loops
+
+
+class MedianConv(MessagePassing):
+
+    def __init__(self, in_channels: int, out_channels: int,
+                 add_self_loops: bool = True,
+                 bias: bool = True, **kwargs):
+        kwargs.setdefault('aggr', None)
+        super(MedianConv, self).__init__(**kwargs)
+
+        self.in_channels = in_channels
+        self.out_channels = out_channels
+        self.add_self_loops = add_self_loops
+
+        # This works for higher version of torch_gometric, e.g., 2.0.
+        # self.lin = Linear(in_channels, out_channels, bias=False,
+        #                   weight_initializer='glorot')
+        self.lin = Linear(in_channels, out_channels, bias=False)
+
+        if bias:
+            self.bias = nn.Parameter(torch.Tensor(out_channels))
+        else:
+            self.register_parameter('bias', None)
+
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        self.lin.reset_parameters()
+        zeros(self.bias)
+
+    def forward(self, x: Tensor, edge_index: Adj,
+                edge_weight: OptTensor = None) -> Tensor:
+
+        if self.add_self_loops:
+            if isinstance(edge_index, Tensor):
+                edge_index, _ = remove_self_loops(edge_index)
+                edge_index, _ = add_self_loops(edge_index,
+                                               num_nodes=x.size(self.node_dim))
+            elif isinstance(edge_index, SparseTensor):
+                edge_index = set_diag(edge_index)
+
+        x = self.lin(x)
+        # propagate_type: (x: Tensor, edge_weight: OptTensor)
+        out = self.propagate(edge_index, x=x, edge_weight=edge_weight,
+                             size=None)
+        if self.bias is not None:
+            out += self.bias
+        return out
+
+    def message(self, x_j: Tensor, edge_weight: OptTensor) -> Tensor:
+        return x_j if edge_weight is None else edge_weight.view(-1, 1) * x_j
+
+    def aggregate(self, x_j, index):
+        """median aggregation"""
+        # important! `to_dense_batch` requires the `index` is sorted
+        ix = torch.argsort(index)
+        index = index[ix]
+        x_j = x_j[ix]
+
+        dense_x, mask = to_dense_batch(x_j, index)
+        out = x_j.new_zeros(dense_x.size(0), dense_x.size(-1))
+        deg = mask.sum(dim=1)
+        for i in deg.unique():
+            deg_mask = deg == i
+            out[deg_mask] = dense_x[deg_mask, :i].median(dim=1).values
+        return out
+
+    def __repr__(self):
+        return '{}({}, {})'.format(self.__class__.__name__, self.in_channels,
+                                   self.out_channels)
+
+
+class MedianGCN(torch.nn.Module):
+    """Graph Convolutional Networks with Median aggregation (MedianGCN) 
+    based on pytorch geometric. 
+
+    `Understanding Structural Vulnerability in Graph Convolutional Networks 
+    <https://arxiv.org/abs/2108.06280>`
+
+    MedianGCN uses median aggregation function instead of 
+    `weighted mean` adopted in GCN, which improves the robustness 
+    of the model against adversarial structural attack.
+
+    Parameters
+    ----------
+    nfeat : int
+        size of input feature dimension
+    nhid : int
+        number of hidden units        
+    nclass : int
+        size of output dimension
+    lr : float
+        learning rate for MedianGCN
+    weight_decay : float
+        weight decay coefficient (l2 normalization) for MedianGCN.
+    with_bias: bool
+        whether to include bias term in MedianGCN weights.
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+        We can first load dataset and then train MedianGCN.
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import MedianGCN
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> MedianGCN = MedianGCN(nfeat=features.shape[1],
+                          nhid=16, nclass=labels.max().item() + 1, 
+                          device='cuda')
+    >>> MedianGCN = MedianGCN.to('cuda')
+    >>> pyg_data = Dpr2Pyg(data) # convert deeprobust dataset to pyg dataset
+    >>> MedianGCN.fit(pyg_data, verbose=True) # train with earlystopping
+    """
+
+    def __init__(self, nfeat, nhid, nclass, dropout=0.5, lr=0.01, weight_decay=5e-4,
+                 with_bias=True, device=None):
+
+        super(MedianGCN, self).__init__()
+
+        assert device is not None, "Please specify 'device'!"
+        self.device = device
+
+        self.conv1 = MedianConv(nfeat, nhid, bias=with_bias)
+        self.conv2 = MedianConv(nhid, nclass, bias=with_bias)
+
+        self.dropout = dropout
+        self.lr = lr
+        self.weight_decay = weight_decay
+        self.with_bias = with_bias
+        self.output = None
+
+    def forward(self, data):
+        x, edge_index = data.x, data.edge_index
+        x = F.dropout(x, self.dropout, training=self.training)
+        x = self.conv1(x, edge_index).relu()
+        x = F.dropout(x, self.dropout, training=self.training)
+        x = self.conv2(x, edge_index)
+        return F.log_softmax(x, dim=1)
+
+    def initialize(self):
+        """Initialize parameters of MedianGCN.
+        """
+        self.conv1.reset_parameters()
+        self.conv2.reset_parameters()
+
+    def fit(self, pyg_data, train_iters=200, initialize=True, verbose=False, patience=500, **kwargs):
+        """Train the MedianGCN model, when idx_val is not None, pick the best model
+        according to the validation loss.
+
+        Parameters
+        ----------
+        pyg_data :
+            pytorch geometric dataset object
+        train_iters : int
+            number of training epochs
+        initialize : bool
+            whether to initialize parameters before training
+        verbose : bool
+            whether to show verbose logs
+        patience : int
+            patience for early stopping, only valid when `idx_val` is given
+        """
+
+        # self.device = self.conv1.weight.device
+        if initialize:
+            self.initialize()
+
+        self.data = pyg_data[0].to(self.device)
+        # By default, it is trained with early stopping on validation
+        self.train_with_early_stopping(train_iters, patience, verbose)
+
+    def train_with_early_stopping(self, train_iters, patience, verbose):
+        """early stopping based on the validation loss
+        """
+        if verbose:
+            print('=== training MedianGCN model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        labels = self.data.y
+        train_mask, val_mask = self.data.train_mask, self.data.val_mask
+
+        early_stopping = patience
+        best_loss_val = 100
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.data)
+
+            loss_train = F.nll_loss(output[train_mask], labels[train_mask])
+            loss_train.backward()
+            optimizer.step()
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward(self.data)
+            loss_val = F.nll_loss(output[val_mask], labels[val_mask])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+                patience = early_stopping
+            else:
+                patience -= 1
+            if i > early_stopping and patience <= 0:
+                break
+
+        if verbose:
+            print('=== early stopping at {0}, loss_val = {1} ==='.format(i, best_loss_val))
+        self.load_state_dict(weights)
+
+    @torch.no_grad()
+    def test(self, pyg_data=None):
+        """Evaluate MedianGCN performance on test set.
+
+        Parameters
+        ----------
+        pyg_data :
+            pytorch geometric dataset object        
+        idx_test :
+            node testing indices
+        """
+        self.eval()
+        data = pyg_data[0].to(self.device) if pyg_data is not None else self.data
+        test_mask = data.test_mask
+        labels = data.y
+        output = self.forward(data)
+        # output = self.output
+        loss_test = F.nll_loss(output[test_mask], labels[test_mask])
+        acc_test = utils.accuracy(output[test_mask], labels[test_mask])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test.item()
+
+    @torch.no_grad()
+    def predict(self, pyg_data=None):
+        """
+        Parameters
+        ----------
+        pyg_data :
+            pytorch geometric dataset object    
+
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of MedianGCN
+        """
+
+        self.eval()
+        data = pyg_data[0].to(self.device) if pyg_data is not None else self.data
+        return self.forward(data)
+
+
+if __name__ == "__main__":
+    from deeprobust.graph.data import Dataset, Dpr2Pyg
+    # from deeprobust.graph.defense import MedianGCN
+    data = Dataset(root='/tmp/', name='cora')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
+    MedianGCN = MedianGCN(nfeat=features.shape[1],
+                          nhid=16,
+                          nclass=labels.max().item() + 1,
+                          device=device)
+    MedianGCN = MedianGCN.to(device)
+    pyg_data = Dpr2Pyg(data)
+    MedianGCN.fit(pyg_data, verbose=True)  # train with earlystopping
+    MedianGCN.test()
+    print(MedianGCN.predict().size())

deeprobust/graph/defense/node_embedding.py

@@ -0,0 +1,538 @@
+"""
+Code in this file is modified from https://github.com/abojchevski/node_embedding_attack
+
+'Adversarial Attacks on Node Embeddings via Graph Poisoning'
+Aleksandar Bojchevski and Stephan Günnemann, ICML 2019
+http://proceedings.mlr.press/v97/bojchevski19a.html
+Copyright (C) owned by the authors, 2019
+"""
+import numba
+import numpy as np
+import scipy.sparse as sp
+from gensim.models import Word2Vec
+import networkx as nx
+from gensim.models import KeyedVectors
+from sklearn.linear_model import LogisticRegression
+from sklearn.preprocessing import normalize
+from sklearn.metrics import f1_score, roc_auc_score, average_precision_score, accuracy_score
+
+class BaseEmbedding:
+    """Base class for node embedding methods such as DeepWalk and Node2Vec.
+    """
+
+    def __init__(self):
+        self.embedding = None
+        self.model = None
+
+    def evaluate_node_classification(self, labels, idx_train, idx_test,
+            normalize_embedding=True, lr_params=None):
+        """Evaluate the node embeddings on the node classification task..
+
+        Parameters
+        ---------
+        labels: np.ndarray, shape [n_nodes]
+            The ground truth labels
+        normalize_embedding: bool
+            Whether to normalize the embeddings
+        idx_train: np.array
+            Indices of training nodes
+        idx_test: np.array
+            Indices of test nodes
+        lr_params: dict
+            Parameters for the LogisticRegression model
+
+        Returns
+        -------
+        [numpy.array, float, float] :
+            Predictions from LR, micro F1 score and macro F1 score
+        """
+
+        embedding_matrix = self.embedding
+
+        if normalize_embedding:
+            embedding_matrix = normalize(embedding_matrix)
+
+        features_train = embedding_matrix[idx_train]
+        features_test = embedding_matrix[idx_test]
+        labels_train = labels[idx_train]
+        labels_test = labels[idx_test]
+
+        if lr_params is None:
+            lr = LogisticRegression(solver='lbfgs', max_iter=1000, multi_class='auto')
+        else:
+            lr = LogisticRegression(**lr_params)
+        lr.fit(features_train, labels_train)
+
+        lr_z_predict = lr.predict(features_test)
+        f1_micro = f1_score(labels_test, lr_z_predict, average='micro')
+        f1_macro = f1_score(labels_test, lr_z_predict, average='macro')
+        test_acc = accuracy_score(labels_test, lr_z_predict)
+        print('Micro F1:', f1_micro)
+        print('Macro F1:', f1_macro)
+        return lr_z_predict, f1_micro, f1_macro
+
+
+    def evaluate_link_prediction(self, adj, node_pairs, normalize_embedding=True):
+        """Evaluate the node embeddings on the link prediction task.
+
+        adj: sp.csr_matrix, shape [n_nodes, n_nodes]
+            Adjacency matrix of the graph
+        node_pairs: numpy.array, shape [n_pairs, 2]
+            Node pairs
+        normalize_embedding: bool
+            Whether to normalize the embeddings
+
+        Returns
+        -------
+        [numpy.array, float, float]
+            Inner product of embeddings, Area under ROC curve (AUC) score and average precision (AP) score
+        """
+
+        embedding_matrix = self.embedding
+        if normalize_embedding:
+            embedding_matrix = normalize(embedding_matrix)
+
+        true = adj[node_pairs[:, 0], node_pairs[:, 1]].A1
+        scores = (embedding_matrix[node_pairs[:, 0]] * embedding_matrix[node_pairs[:, 1]]).sum(1)
+        # print(np.unique(true, return_counts=True))
+        try:
+            auc_score = roc_auc_score(true, scores)
+        except Exception as e:
+            auc_score = 0.00
+            print('ROC error')
+        ap_score = average_precision_score(true, scores)
+        print("AUC:", auc_score)
+        print("AP:", ap_score)
+        return scores, auc_score, ap_score
+
+class Node2Vec(BaseEmbedding):
+    """node2vec: Scalable Feature Learning for Networks. KDD'15.
+    To use this model, you need to "pip install node2vec" first.
+
+    Examples
+    ----
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.global_attack import NodeEmbeddingAttack
+    >>> from deeprobust.graph.defense import Node2Vec
+    >>> data = Dataset(root='/tmp/', name='cora_ml', seed=15)
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> # set up attack model
+    >>> attacker = NodeEmbeddingAttack()
+    >>> attacker.attack(adj, attack_type="remove", n_perturbations=1000)
+    >>> modified_adj = attacker.modified_adj
+    >>> print("Test Node2vec on clean graph")
+    >>> model = Node2Vec()
+    >>> model.fit(adj)
+    >>> model.evaluate_node_classification(labels, idx_train, idx_test)
+    >>> print("Test Node2vec on attacked graph")
+    >>> model = Node2Vec()
+    >>> model.fit(modified_adj)
+    >>> model.evaluate_node_classification(labels, idx_train, idx_test)
+    """
+
+    def __init__(self):
+        # self.fit = self.node2vec_snap
+        super(Node2Vec, self).__init__()
+        self.fit = self.node2vec
+
+    def node2vec(self, adj, embedding_dim=64, walk_length=30, walks_per_node=10,
+                      workers=8, window_size=10, num_neg_samples=1, p=4, q=1):
+        """Compute Node2Vec embeddings for the given graph.
+
+        Parameters
+        ----------
+        adj : sp.csr_matrix, shape [n_nodes, n_nodes]
+            Adjacency matrix of the graph
+        embedding_dim : int, optional
+            Dimension of the embedding
+        walks_per_node : int, optional
+            Number of walks sampled from each node
+        walk_length : int, optional
+            Length of each random walk
+        workers : int, optional
+            Number of threads (see gensim.models.Word2Vec process)
+        window_size : int, optional
+            Window size (see gensim.models.Word2Vec)
+        num_neg_samples : int, optional
+            Number of negative samples (see gensim.models.Word2Vec)
+        p : float
+            The hyperparameter p in node2vec
+        q : float
+            The hyperparameter q in node2vec
+        """
+
+
+        walks = sample_n2v_random_walks(adj, walk_length, walks_per_node, p=p, q=q)
+        walks = [list(map(str, walk)) for walk in walks]
+        self.model = Word2Vec(walks, size=embedding_dim, window=window_size, min_count=0, sg=1, workers=workers,
+                         iter=1, negative=num_neg_samples, hs=0, compute_loss=True)
+        self.embedding = self.model.wv.vectors[np.fromiter(map(int, self.model.wv.index2word), np.int32).argsort()]
+
+
+
+class DeepWalk(BaseEmbedding):
+    """DeepWalk: Online Learning of Social Representations. KDD'14. The implementation is
+    modified from https://github.com/abojchevski/node_embedding_attack
+
+    Examples
+    ----
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.global_attack import NodeEmbeddingAttack
+    >>> from deeprobust.graph.defense import DeepWalk
+    >>> data = Dataset(root='/tmp/', name='cora_ml', seed=15)
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> # set up attack model
+    >>> attacker = NodeEmbeddingAttack()
+    >>> attacker.attack(adj, attack_type="remove", n_perturbations=1000)
+    >>> modified_adj = attacker.modified_adj
+    >>> print("Test DeepWalk on clean graph")
+    >>> model = DeepWalk()
+    >>> model.fit(adj)
+    >>> model.evaluate_node_classification(labels, idx_train, idx_test)
+    >>> print("Test DeepWalk on attacked graph")
+    >>> model.fit(modified_adj)
+    >>> model.evaluate_node_classification(labels, idx_train, idx_test)
+    >>> print("Test DeepWalk SVD")
+    >>> model = DeepWalk(type="svd")
+    >>> model.fit(modified_adj)
+    >>> model.evaluate_node_classification(labels, idx_train, idx_test)
+    """
+
+    def __init__(self, type="skipgram"):
+        super(DeepWalk, self).__init__()
+        if type == "skipgram":
+            self.fit = self.deepwalk_skipgram
+        elif type == "svd":
+            self.fit = self.deepwalk_svd
+        else:
+            raise NotImplementedError
+
+    def deepwalk_skipgram(self, adj, embedding_dim=64, walk_length=80, walks_per_node=10,
+                          workers=8, window_size=10, num_neg_samples=1):
+        """Compute DeepWalk embeddings for the given graph using the skip-gram formulation.
+
+        Parameters
+        ----------
+        adj : sp.csr_matrix, shape [n_nodes, n_nodes]
+            Adjacency matrix of the graph
+        embedding_dim : int, optional
+            Dimension of the embedding
+        walks_per_node : int, optional
+            Number of walks sampled from each node
+        walk_length : int, optional
+            Length of each random walk
+        workers : int, optional
+            Number of threads (see gensim.models.Word2Vec process)
+        window_size : int, optional
+            Window size (see gensim.models.Word2Vec)
+        num_neg_samples : int, optional
+            Number of negative samples (see gensim.models.Word2Vec)
+        """
+
+        walks = sample_random_walks(adj, walk_length, walks_per_node)
+        walks = [list(map(str, walk)) for walk in walks]
+        self.model = Word2Vec(walks, size=embedding_dim, window=window_size, min_count=0, sg=1, workers=workers,
+                         iter=1, negative=num_neg_samples, hs=0, compute_loss=True)
+        self.embedding = self.model.wv.vectors[np.fromiter(map(int, self.model.wv.index2word), np.int32).argsort()]
+
+
+    def deepwalk_svd(self, adj, window_size=10, embedding_dim=64, num_neg_samples=1, sparse=True):
+        """Compute DeepWalk embeddings for the given graph using the matrix factorization formulation.
+        adj: sp.csr_matrix, shape [n_nodes, n_nodes]
+            Adjacency matrix of the graph
+        window_size: int
+            Size of the window
+        embedding_dim: int
+            Size of the embedding
+        num_neg_samples: int
+            Number of negative samples
+        sparse: bool
+            Whether to perform sparse operations
+        Returns
+        ------
+        np.ndarray, shape [num_nodes, embedding_dim]
+            Embedding matrix.
+        """
+        sum_powers_transition = sum_of_powers_of_transition_matrix(adj, window_size)
+
+        deg = adj.sum(1).A1
+        deg[deg == 0] = 1
+        deg_matrix = sp.diags(1 / deg)
+
+        volume = adj.sum()
+
+        M = sum_powers_transition.dot(deg_matrix) * volume / (num_neg_samples * window_size)
+
+        log_M = M.copy()
+        log_M[M > 1] = np.log(log_M[M > 1])
+        log_M = log_M.multiply(M > 1)
+
+        if not sparse:
+            log_M = log_M.toarray()
+
+        Fu, Fv = self.svd_embedding(log_M, embedding_dim, sparse)
+
+        loss = np.linalg.norm(Fu.dot(Fv.T) - log_M, ord='fro')
+        self.embedding = Fu
+        return Fu, Fv, loss, log_M
+
+    def svd_embedding(self, x, embedding_dim, sparse=False):
+        """Computes an embedding by selection the top (embedding_dim) largest singular-values/vectors.
+        :param x: sp.csr_matrix or np.ndarray
+            The matrix that we want to embed
+        :param embedding_dim: int
+            Dimension of the embedding
+        :param sparse: bool
+            Whether to perform sparse operations
+        :return: np.ndarray, shape [?, embedding_dim], np.ndarray, shape [?, embedding_dim]
+            Embedding matrices.
+        """
+        if sparse:
+            U, s, V = sp.linalg.svds(x, embedding_dim)
+        else:
+            U, s, V = np.linalg.svd(x)
+
+        S = np.diag(s)
+        Fu = U.dot(np.sqrt(S))[:, :embedding_dim]
+        Fv = np.sqrt(S).dot(V)[:embedding_dim, :].T
+        return Fu, Fv
+
+
+def sample_random_walks(adj, walk_length, walks_per_node, seed=None):
+    """Sample random walks of fixed length from each node in the graph in parallel.
+    Parameters
+    ----------
+    adj : sp.csr_matrix, shape [n_nodes, n_nodes]
+        Sparse adjacency matrix
+    walk_length : int
+        Random walk length
+    walks_per_node : int
+        Number of random walks per node
+    seed : int or None
+        Random seed
+    Returns
+    -------
+    walks : np.ndarray, shape [num_walks * num_nodes, walk_length]
+        The sampled random walks
+    """
+    if seed is None:
+        seed = np.random.randint(0, 100000)
+    adj = sp.csr_matrix(adj)
+    random_walks = _random_walk(adj.indptr,
+                                adj.indices,
+                                walk_length,
+                                walks_per_node,
+                                seed).reshape([-1, walk_length])
+    return random_walks
+
+
+@numba.jit(nopython=True, parallel=True)
+def _random_walk(indptr, indices, walk_length, walks_per_node, seed):
+    """Sample r random walks of length l per node in parallel from the graph.
+    Parameters
+    ----------
+    indptr : array-like
+        Pointer for the edges of each node
+    indices : array-like
+        Edges for each node
+    walk_length : int
+        Random walk length
+    walks_per_node : int
+        Number of random walks per node
+    seed : int
+        Random seed
+    Returns
+    -------
+    walks : array-like, shape [r*N*l]
+        The sampled random walks
+    """
+    np.random.seed(seed)
+    N = len(indptr) - 1
+    walks = []
+
+    for ir in range(walks_per_node):
+        for n in range(N):
+            for il in range(walk_length):
+                walks.append(n)
+                n = np.random.choice(indices[indptr[n]:indptr[n + 1]])
+
+    return np.array(walks)
+
+def sample_n2v_random_walks(adj, walk_length, walks_per_node, p, q, seed=None):
+    """Sample node2vec random walks of fixed length from each node in the graph in parallel.
+    Parameters
+    ----------
+    adj : sp.csr_matrix, shape [n_nodes, n_nodes]
+        Sparse adjacency matrix
+    walk_length : int
+        Random walk length
+    walks_per_node : int
+        Number of random walks per node
+    p: float
+        The probability to go back
+    q: float,
+        The probability to go explore undiscovered parts of the graphs
+    seed : int or None
+        Random seed
+    Returns
+    -------
+    walks : np.ndarray, shape [num_walks * num_nodes, walk_length]
+        The sampled random walks
+    """
+    if seed is None:
+        seed = np.random.randint(0, 100000)
+    adj = sp.csr_matrix(adj)
+    random_walks = _n2v_random_walk(adj.indptr,
+                                    adj.indices,
+                                    walk_length,
+                                    walks_per_node,
+                                    p,
+                                    q,
+                                    seed)
+    return random_walks
+
+@numba.jit(nopython=True)
+def random_choice(arr, p):
+    """Similar to `numpy.random.choice` and it suppors p=option in numba.
+    refer to <https://github.com/numba/numba/issues/2539#issuecomment-507306369>
+
+    Parameters
+    ----------
+    arr : 1-D array-like
+    p : 1-D array-like
+        The probabilities associated with each entry in arr
+
+    Returns
+    -------
+    samples : ndarray
+        The generated random samples
+    """
+    return arr[np.searchsorted(np.cumsum(p), np.random.random(), side="right")]
+
+@numba.jit(nopython=True)
+def _n2v_random_walk(indptr,
+                    indices,
+                    walk_length,
+                    walks_per_node,
+                    p,
+                    q,
+                    seed):
+    """Sample r random walks of length l per node in parallel from the graph.
+    Parameters
+    ----------
+    indptr : array-like
+        Pointer for the edges of each node
+    indices : array-like
+        Edges for each node
+    walk_length : int
+        Random walk length
+    walks_per_node : int
+        Number of random walks per node
+    p: float
+        The probability to go back
+    q: float,
+        The probability to go explore undiscovered parts of the graphs
+    seed : int
+        Random seed
+    Returns
+    -------
+    walks : list generator, shape [r, N*l]
+        The sampled random walks
+    """
+    np.random.seed(seed)
+    N = len(indptr) - 1
+    for _ in range(walks_per_node):
+        for n in range(N):
+            walk = [n]
+            current_node = n
+            previous_node = N
+            previous_node_neighbors = np.empty(0, dtype=np.int32)
+            for _ in range(walk_length - 1):
+                neighbors = indices[indptr[current_node]:indptr[current_node + 1]]
+                if neighbors.size == 0:
+                    break
+
+                probability = np.array([1 / q] * neighbors.size)
+                probability[previous_node == neighbors] = 1 / p
+
+                for i, nbr in enumerate(neighbors):
+                    if np.any(nbr == previous_node_neighbors):
+                        probability[i] = 1.
+
+                norm_probability = probability / np.sum(probability)
+                current_node = random_choice(neighbors, norm_probability)
+                walk.append(current_node)
+                previous_node_neighbors = neighbors
+                previous_node = current_node
+            yield walk
+
+def sum_of_powers_of_transition_matrix(adj, pow):
+    """Computes \sum_{r=1}^{pow) (D^{-1}A)^r.
+
+    Parameters
+    -----
+    adj: sp.csr_matrix, shape [n_nodes, n_nodes]
+        Adjacency matrix of the graph
+    pow: int
+        Power exponent
+
+    Returns
+    ----
+    sp.csr_matrix
+        Sum of powers of the transition matrix of a graph.
+    """
+    deg = adj.sum(1).A1
+    deg[deg == 0] = 1
+    transition_matrix = sp.diags(1 / deg).dot(adj)
+
+    sum_of_powers = transition_matrix
+    last = transition_matrix
+    for i in range(1, pow):
+        last = last.dot(transition_matrix)
+        sum_of_powers += last
+
+    return sum_of_powers
+
+
+if __name__ == "__main__":
+    from deeprobust.graph.data import Dataset
+    from deeprobust.graph.global_attack import NodeEmbeddingAttack
+    dataset_str = 'cora_ml'
+    data = Dataset(root='/tmp/', name=dataset_str, seed=15)
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+
+    model = NodeEmbeddingAttack()
+    model.attack(adj, attack_type="add_by_remove", n_perturbations=1000, n_candidates=10000)
+    modified_adj = model.modified_adj
+
+    # train defense model
+    print("Test DeepWalk on clean graph")
+    model = DeepWalk()
+    model.fit(adj)
+    model.evaluate_node_classification(labels, idx_train, idx_test)
+    # model.evaluate_node_classification(labels, idx_train, idx_test, lr_params={"max_iter": 10})
+
+    print("Test DeepWalk on attacked graph")
+    model.fit(modified_adj)
+    model.evaluate_node_classification(labels, idx_train, idx_test)
+    print("\t link prediciton...")
+    model.evaluate_link_prediction(modified_adj, np.array(adj.nonzero()).T)
+
+    print("Test DeepWalk SVD")
+    model = DeepWalk(type="svd")
+    model.fit(modified_adj)
+    model.evaluate_node_classification(labels, idx_train, idx_test)
+
+    # train defense model
+    print("Test Node2vec on clean graph")
+    model = Node2Vec()
+    model.fit(adj)
+    model.evaluate_node_classification(labels, idx_train, idx_test)
+
+    print("Test Node2vec on attacked graph")
+    model = Node2Vec()
+    model.fit(modified_adj)
+    model.evaluate_node_classification(labels, idx_train, idx_test)

deeprobust/graph/defense/prognn.py

@@ -0,0 +1,314 @@
+import time
+import numpy as np
+from copy import deepcopy
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+import torch.optim as optim
+from deeprobust.graph.utils import accuracy
+from deeprobust.graph.defense.pgd import PGD, prox_operators
+import warnings
+
+class ProGNN:
+    """ ProGNN (Properties Graph Neural Network). See more details in Graph Structure Learning for Robust Graph Neural Networks, KDD 2020, https://arxiv.org/abs/2005.10203.
+
+    Parameters
+    ----------
+    model:
+        model: The backbone GNN model in ProGNN
+    args:
+        model configs
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+    See details in https://github.com/ChandlerBang/Pro-GNN.
+
+    """
+
+    def __init__(self, model, args, device):
+        self.device = device
+        self.args = args
+        self.best_val_acc = 0
+        self.best_val_loss = 10
+        self.best_graph = None
+        self.weights = None
+        self.estimator = None
+        self.model = model.to(device)
+
+    def fit(self, features, adj, labels, idx_train, idx_val, **kwargs):
+        """Train Pro-GNN.
+
+        Parameters
+        ----------
+        features :
+            node features
+        adj :
+            the adjacency matrix. The format could be torch.tensor or scipy matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_val :
+            node validation indices
+        """
+        args = self.args
+
+        self.optimizer = optim.Adam(self.model.parameters(),
+                               lr=args.lr, weight_decay=args.weight_decay)
+        estimator = EstimateAdj(adj, symmetric=args.symmetric, device=self.device).to(self.device)
+        self.estimator = estimator
+        self.optimizer_adj = optim.SGD(estimator.parameters(),
+                              momentum=0.9, lr=args.lr_adj)
+
+        self.optimizer_l1 = PGD(estimator.parameters(),
+                        proxs=[prox_operators.prox_l1],
+                        lr=args.lr_adj, alphas=[args.alpha])
+
+        # warnings.warn("If you find the nuclear proximal operator runs too slow on Pubmed, you can  uncomment line 67-71 and use prox_nuclear_cuda to perform the proximal on gpu.")
+        # if args.dataset == "pubmed":
+        #     self.optimizer_nuclear = PGD(estimator.parameters(),
+        #               proxs=[prox_operators.prox_nuclear_cuda],
+        #               lr=args.lr_adj, alphas=[args.beta])
+        # else:
+        warnings.warn("If you find the nuclear proximal operator runs too slow, you can modify line 77 to use prox_operators.prox_nuclear_cuda instead of prox_operators.prox_nuclear to perform the proximal on GPU. See details in https://github.com/ChandlerBang/Pro-GNN/issues/1")
+        self.optimizer_nuclear = PGD(estimator.parameters(),
+                  proxs=[prox_operators.prox_nuclear_cuda],
+                  lr=args.lr_adj, alphas=[args.beta])
+
+        # Train model
+        t_total = time.time()
+        for epoch in range(args.epochs):
+            if args.only_gcn:
+                self.train_gcn(epoch, features, estimator.estimated_adj,
+                        labels, idx_train, idx_val)
+            else:
+                for i in range(int(args.outer_steps)):
+                    self.train_adj(epoch, features, adj, labels,
+                            idx_train, idx_val)
+
+                for i in range(int(args.inner_steps)):
+                    self.train_gcn(epoch, features, estimator.estimated_adj,
+                            labels, idx_train, idx_val)
+
+        print("Optimization Finished!")
+        print("Total time elapsed: {:.4f}s".format(time.time() - t_total))
+        print(args)
+
+        # Testing
+        print("picking the best model according to validation performance")
+        self.model.load_state_dict(self.weights)
+
+    def train_gcn(self, epoch, features, adj, labels, idx_train, idx_val):
+        args = self.args
+        estimator = self.estimator
+        adj = estimator.normalize()
+
+        t = time.time()
+        self.model.train()
+        self.optimizer.zero_grad()
+
+        output = self.model(features, adj)
+        loss_train = F.nll_loss(output[idx_train], labels[idx_train])
+        acc_train = accuracy(output[idx_train], labels[idx_train])
+        loss_train.backward()
+        self.optimizer.step()
+
+        # Evaluate validation set performance separately,
+        # deactivates dropout during validation run.
+        self.model.eval()
+        output = self.model(features, adj)
+
+        loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+        acc_val = accuracy(output[idx_val], labels[idx_val])
+
+        if acc_val > self.best_val_acc:
+            self.best_val_acc = acc_val
+            self.best_graph = adj.detach()
+            self.weights = deepcopy(self.model.state_dict())
+            if args.debug:
+                print('\t=== saving current graph/gcn, best_val_acc: %s' % self.best_val_acc.item())
+
+        if loss_val < self.best_val_loss:
+            self.best_val_loss = loss_val
+            self.best_graph = adj.detach()
+            self.weights = deepcopy(self.model.state_dict())
+            if args.debug:
+                print(f'\t=== saving current graph/gcn, best_val_loss: %s' % self.best_val_loss.item())
+
+        if args.debug:
+            if epoch % 1 == 0:
+                print('Epoch: {:04d}'.format(epoch+1),
+                      'loss_train: {:.4f}'.format(loss_train.item()),
+                      'acc_train: {:.4f}'.format(acc_train.item()),
+                      'loss_val: {:.4f}'.format(loss_val.item()),
+                      'acc_val: {:.4f}'.format(acc_val.item()),
+                      'time: {:.4f}s'.format(time.time() - t))
+
+
+
+    def train_adj(self, epoch, features, adj, labels, idx_train, idx_val):
+        estimator = self.estimator
+        args = self.args
+        if args.debug:
+            print("\n=== train_adj ===")
+        t = time.time()
+        estimator.train()
+        self.optimizer_adj.zero_grad()
+
+        loss_l1 = torch.norm(estimator.estimated_adj, 1)
+        loss_fro = torch.norm(estimator.estimated_adj - adj, p='fro')
+        normalized_adj = estimator.normalize()
+
+        if args.lambda_:
+            loss_smooth_feat = self.feature_smoothing(estimator.estimated_adj, features)
+        else:
+            loss_smooth_feat = 0 * loss_l1
+
+        output = self.model(features, normalized_adj)
+        loss_gcn = F.nll_loss(output[idx_train], labels[idx_train])
+        acc_train = accuracy(output[idx_train], labels[idx_train])
+
+        loss_symmetric = torch.norm(estimator.estimated_adj \
+                        - estimator.estimated_adj.t(), p="fro")
+
+        loss_diffiential =  loss_fro + args.gamma * loss_gcn + args.lambda_ * loss_smooth_feat + args.phi * loss_symmetric
+
+        loss_diffiential.backward()
+
+        self.optimizer_adj.step()
+        loss_nuclear =  0 * loss_fro
+        if args.beta != 0:
+            self.optimizer_nuclear.zero_grad()
+            self.optimizer_nuclear.step()
+            loss_nuclear = prox_operators.nuclear_norm
+
+        self.optimizer_l1.zero_grad()
+        self.optimizer_l1.step()
+
+        total_loss = loss_fro \
+                    + args.gamma * loss_gcn \
+                    + args.alpha * loss_l1 \
+                    + args.beta * loss_nuclear \
+                    + args.phi * loss_symmetric
+
+        estimator.estimated_adj.data.copy_(torch.clamp(
+                  estimator.estimated_adj.data, min=0, max=1))
+
+        # Evaluate validation set performance separately,
+        # deactivates dropout during validation run.
+        self.model.eval()
+        normalized_adj = estimator.normalize()
+        output = self.model(features, normalized_adj)
+
+        loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+        acc_val = accuracy(output[idx_val], labels[idx_val])
+        print('Epoch: {:04d}'.format(epoch+1),
+              'acc_train: {:.4f}'.format(acc_train.item()),
+              'loss_val: {:.4f}'.format(loss_val.item()),
+              'acc_val: {:.4f}'.format(acc_val.item()),
+              'time: {:.4f}s'.format(time.time() - t))
+
+        if acc_val > self.best_val_acc:
+            self.best_val_acc = acc_val
+            self.best_graph = normalized_adj.detach()
+            self.weights = deepcopy(self.model.state_dict())
+            if args.debug:
+                print(f'\t=== saving current graph/gcn, best_val_acc: %s' % self.best_val_acc.item())
+
+        if loss_val < self.best_val_loss:
+            self.best_val_loss = loss_val
+            self.best_graph = normalized_adj.detach()
+            self.weights = deepcopy(self.model.state_dict())
+            if args.debug:
+                print(f'\t=== saving current graph/gcn, best_val_loss: %s' % self.best_val_loss.item())
+
+        if args.debug:
+            if epoch % 1 == 0:
+                print('Epoch: {:04d}'.format(epoch+1),
+                      'loss_fro: {:.4f}'.format(loss_fro.item()),
+                      'loss_gcn: {:.4f}'.format(loss_gcn.item()),
+                      'loss_feat: {:.4f}'.format(loss_smooth_feat.item()),
+                      'loss_symmetric: {:.4f}'.format(loss_symmetric.item()),
+                      'delta_l1_norm: {:.4f}'.format(torch.norm(estimator.estimated_adj-adj, 1).item()),
+                      'loss_l1: {:.4f}'.format(loss_l1.item()),
+                      'loss_total: {:.4f}'.format(total_loss.item()),
+                      'loss_nuclear: {:.4f}'.format(loss_nuclear.item()))
+
+
+    def test(self, features, labels, idx_test):
+        """Evaluate the performance of ProGNN on test set
+        """
+        print("\t=== testing ===")
+        self.model.eval()
+        adj = self.best_graph
+        if self.best_graph is None:
+            adj = self.estimator.normalize()
+        output = self.model(features, adj)
+        loss_test = F.nll_loss(output[idx_test], labels[idx_test])
+        acc_test = accuracy(output[idx_test], labels[idx_test])
+        print("\tTest set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test.item()
+
+    def feature_smoothing(self, adj, X):
+        adj = (adj.t() + adj)/2
+        rowsum = adj.sum(1)
+        r_inv = rowsum.flatten()
+        D = torch.diag(r_inv)
+        L = D - adj
+
+        r_inv = r_inv  + 1e-3
+        r_inv = r_inv.pow(-1/2).flatten()
+        r_inv[torch.isinf(r_inv)] = 0.
+        r_mat_inv = torch.diag(r_inv)
+        # L = r_mat_inv @ L
+        L = r_mat_inv @ L @ r_mat_inv
+
+        XLXT = torch.matmul(torch.matmul(X.t(), L), X)
+        loss_smooth_feat = torch.trace(XLXT)
+        return loss_smooth_feat
+
+
+class EstimateAdj(nn.Module):
+    """Provide a pytorch parameter matrix for estimated
+    adjacency matrix and corresponding operations.
+    """
+
+    def __init__(self, adj, symmetric=False, device='cpu'):
+        super(EstimateAdj, self).__init__()
+        n = len(adj)
+        self.estimated_adj = nn.Parameter(torch.FloatTensor(n, n))
+        self._init_estimation(adj)
+        self.symmetric = symmetric
+        self.device = device
+
+    def _init_estimation(self, adj):
+        with torch.no_grad():
+            n = len(adj)
+            self.estimated_adj.data.copy_(adj)
+
+    def forward(self):
+        return self.estimated_adj
+
+    def normalize(self):
+
+        if self.symmetric:
+            adj = (self.estimated_adj + self.estimated_adj.t())/2
+        else:
+            adj = self.estimated_adj
+
+        normalized_adj = self._normalize(adj + torch.eye(adj.shape[0]).to(self.device))
+        return normalized_adj
+
+    def _normalize(self, mx):
+        rowsum = mx.sum(1)
+        r_inv = rowsum.pow(-1/2).flatten()
+        r_inv[torch.isinf(r_inv)] = 0.
+        r_mat_inv = torch.diag(r_inv)
+        mx = r_mat_inv @ mx
+        mx = mx @ r_mat_inv
+        return mx
+

deeprobust/graph/defense/r_gcn.py

@@ -0,0 +1,367 @@
+"""
+    Robust Graph Convolutional Networks Against Adversarial Attacks. KDD 2019.
+        http://pengcui.thumedialab.com/papers/RGCN.pdf
+    Author's Tensorflow implemention:
+        https://github.com/thumanlab/nrlweb/tree/master/static/assets/download
+"""
+
+import torch.nn.functional as F
+import math
+import torch
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from torch.distributions.multivariate_normal import MultivariateNormal
+from deeprobust.graph import utils
+import torch.optim as optim
+from scipy.sparse import issparse
+from copy import deepcopy
+
+# TODO sparse implementation
+
+class GGCL_F(Module):
+    """Graph Gaussian Convolution Layer (GGCL) when the input is feature"""
+
+    def __init__(self, in_features, out_features, dropout=0.6):
+        super(GGCL_F, self).__init__()
+        self.in_features = in_features
+        self.out_features = out_features
+        self.dropout = dropout
+        self.weight_miu = Parameter(torch.FloatTensor(in_features, out_features))
+        self.weight_sigma = Parameter(torch.FloatTensor(in_features, out_features))
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        torch.nn.init.xavier_uniform_(self.weight_miu)
+        torch.nn.init.xavier_uniform_(self.weight_sigma)
+
+    def forward(self, features, adj_norm1, adj_norm2, gamma=1):
+        features = F.dropout(features, self.dropout, training=self.training)
+        self.miu = F.elu(torch.mm(features, self.weight_miu))
+        self.sigma = F.relu(torch.mm(features, self.weight_sigma))
+        # torch.mm(previous_sigma, self.weight_sigma)
+        Att = torch.exp(-gamma * self.sigma)
+        miu_out = adj_norm1 @ (self.miu * Att)
+        sigma_out = adj_norm2 @ (self.sigma * Att * Att)
+        return miu_out, sigma_out
+
+class GGCL_D(Module):
+
+    """Graph Gaussian Convolution Layer (GGCL) when the input is distribution"""
+    def __init__(self, in_features, out_features, dropout):
+        super(GGCL_D, self).__init__()
+        self.in_features = in_features
+        self.out_features = out_features
+        self.dropout = dropout
+        self.weight_miu = Parameter(torch.FloatTensor(in_features, out_features))
+        self.weight_sigma = Parameter(torch.FloatTensor(in_features, out_features))
+        # self.register_parameter('bias', None)
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        torch.nn.init.xavier_uniform_(self.weight_miu)
+        torch.nn.init.xavier_uniform_(self.weight_sigma)
+
+    def forward(self, miu, sigma, adj_norm1, adj_norm2, gamma=1):
+        miu = F.dropout(miu, self.dropout, training=self.training)
+        sigma = F.dropout(sigma, self.dropout, training=self.training)
+        miu = F.elu(miu @ self.weight_miu)
+        sigma = F.relu(sigma @ self.weight_sigma)
+
+        Att = torch.exp(-gamma * sigma)
+        mean_out = adj_norm1 @ (miu * Att)
+        sigma_out = adj_norm2 @ (sigma * Att * Att)
+        return mean_out, sigma_out
+
+
+class GaussianConvolution(Module):
+    """[Deprecated] Alternative gaussion convolution layer.
+    """
+
+    def __init__(self, in_features, out_features):
+        super(GaussianConvolution, self).__init__()
+        self.in_features = in_features
+        self.out_features = out_features
+        self.weight_miu = Parameter(torch.FloatTensor(in_features, out_features))
+        self.weight_sigma = Parameter(torch.FloatTensor(in_features, out_features))
+        # self.sigma = Parameter(torch.FloatTensor(out_features))
+        # self.register_parameter('bias', None)
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        # TODO
+        torch.nn.init.xavier_uniform_(self.weight_miu)
+        torch.nn.init.xavier_uniform_(self.weight_sigma)
+
+    def forward(self, previous_miu, previous_sigma, adj_norm1=None, adj_norm2=None, gamma=1):
+
+        if adj_norm1 is None and adj_norm2 is None:
+            return torch.mm(previous_miu, self.weight_miu), \
+                    torch.mm(previous_miu, self.weight_miu)
+                    # torch.mm(previous_sigma, self.weight_sigma)
+
+        Att = torch.exp(-gamma * previous_sigma)
+        M = adj_norm1 @ (previous_miu * Att) @ self.weight_miu
+        Sigma = adj_norm2 @ (previous_sigma * Att * Att) @ self.weight_sigma
+        return M, Sigma
+
+        # M = torch.mm(torch.mm(adj, previous_miu * A), self.weight_miu)
+        # Sigma = torch.mm(torch.mm(adj, previous_sigma * A * A), self.weight_sigma)
+
+        # TODO sparse implemention
+        # support = torch.mm(input, self.weight)
+        # output = torch.spmm(adj, support)
+        # return output + self.bias
+
+    def __repr__(self):
+        return self.__class__.__name__ + ' (' \
+               + str(self.in_features) + ' -> ' \
+               + str(self.out_features) + ')'
+
+
+class RGCN(Module):
+    """Robust Graph Convolutional Networks Against Adversarial Attacks. KDD 2019.
+
+    Parameters
+    ----------
+    nnodes : int
+        number of nodes in the input grpah
+    nfeat : int
+        size of input feature dimension
+    nhid : int
+        number of hidden units
+    nclass : int
+        size of output dimension
+    gamma : float
+        hyper-parameter for RGCN. See more details in the paper.
+    beta1 : float
+        hyper-parameter for RGCN. See more details in the paper.
+    beta2 : float
+        hyper-parameter for RGCN. See more details in the paper.
+    lr : float
+        learning rate for GCN
+    dropout : float
+        dropout rate for GCN
+    device: str
+        'cpu' or 'cuda'.
+
+    """
+
+    def __init__(self, nnodes, nfeat, nhid, nclass, gamma=1.0, beta1=5e-4, beta2=5e-4, lr=0.01, dropout=0.6, device='cpu'):
+        super(RGCN, self).__init__()
+
+        self.device = device
+        # adj_norm = normalize(adj)
+        # first turn original features to distribution
+        self.lr = lr
+        self.gamma = gamma
+        self.beta1 = beta1
+        self.beta2 = beta2
+        self.nclass = nclass
+        self.nhid = nhid // 2
+        # self.gc1 = GaussianConvolution(nfeat, nhid, dropout=dropout)
+        # self.gc2 = GaussianConvolution(nhid, nclass, dropout)
+        self.gc1 = GGCL_F(nfeat, nhid, dropout=dropout)
+        self.gc2 = GGCL_D(nhid, nclass, dropout=dropout)
+
+        self.dropout = dropout
+        # self.gaussian = MultivariateNormal(torch.zeros(self.nclass), torch.eye(self.nclass))
+        self.gaussian = MultivariateNormal(torch.zeros(nnodes, self.nclass),
+                torch.diag_embed(torch.ones(nnodes, self.nclass)))
+        self.adj_norm1, self.adj_norm2 = None, None
+        self.features, self.labels = None, None
+
+    def forward(self):
+        features = self.features
+        miu, sigma = self.gc1(features, self.adj_norm1, self.adj_norm2, self.gamma)
+        miu, sigma = self.gc2(miu, sigma, self.adj_norm1, self.adj_norm2, self.gamma)
+        output = miu + self.gaussian.sample().to(self.device) * torch.sqrt(sigma + 1e-8)
+        return F.log_softmax(output, dim=1)
+
+    def fit(self, features, adj, labels, idx_train, idx_val=None, train_iters=200, verbose=True, **kwargs):
+        """Train RGCN.
+
+        Parameters
+        ----------
+        features :
+            node features
+        adj :
+            the adjacency matrix. The format could be torch.tensor or scipy matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_val :
+            node validation indices. If not given (None), GCN training process will not adpot early stopping
+        train_iters : int
+            number of training epochs
+        verbose : bool
+            whether to show verbose logs
+
+        Examples
+        --------
+        We can first load dataset and then train RGCN.
+
+        >>> from deeprobust.graph.data import PrePtbDataset, Dataset
+        >>> from deeprobust.graph.defense import RGCN
+        >>> # load clean graph data
+        >>> data = Dataset(root='/tmp/', name='cora', seed=15)
+        >>> adj, features, labels = data.adj, data.features, data.labels
+        >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+        >>> # load perturbed graph data
+        >>> perturbed_data = PrePtbDataset(root='/tmp/', name='cora')
+        >>> perturbed_adj = perturbed_data.adj
+        >>> # train defense model
+        >>> model = RGCN(nnodes=perturbed_adj.shape[0], nfeat=features.shape[1],
+                         nclass=labels.max()+1, nhid=32, device='cpu')
+        >>> model.fit(features, perturbed_adj, labels, idx_train, idx_val,
+                      train_iters=200, verbose=True)
+        >>> model.test(idx_test)
+
+        """
+        adj = adj.to('cpu')
+        if isinstance(adj, torch.Tensor):
+            if adj.is_sparse:  
+                adj_dense = adj.to_dense().float()  
+            else:
+                adj_dense = adj.float()  
+        else:
+            adj_dense = torch.tensor(adj.toarray(), dtype=torch.float32)
+            
+        if issparse(features):
+            features_dense = features.toarray()
+        else:
+            features_dense = features
+        
+        adj, features, labels = utils.to_tensor(adj_dense, features_dense, labels, device=self.device)
+
+        self.features, self.labels = features, labels
+        self.adj_norm1 = self._normalize_adj(adj, power=-1/2)
+        self.adj_norm2 = self._normalize_adj(adj, power=-1)
+        print('=== training rgcn model ===')
+        self._initialize()
+        if idx_val is None:
+            self._train_without_val(labels, idx_train, train_iters, verbose)
+        else:
+            self._train_with_val(labels, idx_train, idx_val, train_iters, verbose)
+
+    def _train_without_val(self, labels, idx_train, train_iters, verbose=True):
+        optimizer = optim.Adam(self.parameters(), lr=self.lr)
+        self.train()
+        for i in range(train_iters):
+            optimizer.zero_grad()
+            output = self.forward()
+            loss_train = self._loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+        self.eval()
+        output = self.forward()
+        self.output = output
+
+    def _train_with_val(self, labels, idx_train, idx_val, train_iters, verbose):
+        optimizer = optim.Adam(self.parameters(), lr=self.lr)
+
+        best_loss_val = 100
+        best_acc_val = 0
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward()
+            loss_train = self._loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward()
+            loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+            acc_val = utils.accuracy(output[idx_val], labels[idx_val])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+
+            if acc_val > best_acc_val:
+                best_acc_val = acc_val
+                self.output = output
+
+        print('=== picking the best model according to the performance on validation ===')
+
+
+    def test(self, idx_test):
+        """Evaluate the peformance on test set
+        """
+        self.eval()
+        # output = self.forward()
+        output = self.output
+        loss_test = F.nll_loss(output[idx_test], self.labels[idx_test])
+        acc_test = utils.accuracy(output[idx_test], self.labels[idx_test])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test.item()
+
+    def predict(self):
+        """
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of RGCN
+        """
+
+        self.eval()
+        return self.forward()
+
+    def _loss(self, input, labels):
+        loss = F.nll_loss(input, labels)
+        miu1 = self.gc1.miu
+        sigma1 = self.gc1.sigma
+        kl_loss = 0.5 * (miu1.pow(2) + sigma1 - torch.log(1e-8 + sigma1)).mean(1)
+        kl_loss = kl_loss.sum()
+        norm2 = torch.norm(self.gc1.weight_miu, 2).pow(2) + \
+                torch.norm(self.gc1.weight_sigma, 2).pow(2)
+
+        # print(f'gcn_loss: {loss.item()}, kl_loss: {self.beta1 * kl_loss.item()}, norm2: {self.beta2 * norm2.item()}')
+        return loss  + self.beta1 * kl_loss + self.beta2 * norm2
+
+    def _initialize(self):
+        self.gc1.reset_parameters()
+        self.gc2.reset_parameters()
+
+    def _normalize_adj(self, adj, power=-1/2):
+
+        """Row-normalize sparse matrix"""
+        A = adj + torch.eye(len(adj)).to(self.device)
+        D_power = (A.sum(1)).pow(power)
+        D_power[torch.isinf(D_power)] = 0.
+        D_power = torch.diag(D_power)
+        return D_power @ A @ D_power
+
+if __name__ == "__main__":
+
+    from deeprobust.graph.data import PrePtbDataset, Dataset
+    # load clean graph data
+    dataset_str = 'pubmed'
+    data = Dataset(root='/tmp/', name=dataset_str, seed=15)
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    # load perturbed graph data
+    perturbed_data = PrePtbDataset(root='/tmp/', name=dataset_str)
+    perturbed_adj = perturbed_data.adj
+
+    # train defense model
+    model = RGCN(nnodes=perturbed_adj.shape[0], nfeat=features.shape[1],
+                         nclass=labels.max()+1, nhid=32, device='cuda').to('cuda')
+    model.fit(features, perturbed_adj, labels, idx_train, idx_val,
+                      train_iters=200, verbose=True)
+    model.test(idx_test)
+
+    prediction_1 = model.predict()
+    print(prediction_1)
+    # prediction_2 = model.predict(features, perturbed_adj)
+    # assert (prediction_1 != prediction_2).sum() == 0
+

deeprobust/graph/defense/r_gcn.py.backup

@@ -0,0 +1,200 @@
+'''
+    Robust Graph Convolutional Networks Against Adversarial Attacks. KDD 2019.
+        http://pengcui.thumedialab.com/papers/RGCN.pdf
+    Author's Tensorflow implemention:
+        https://github.com/thumanlab/nrlweb/tree/master/static/assets/download
+'''
+
+import torch.nn.functional as F
+import math
+import torch
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from torch.distributions.multivariate_normal import MultivariateNormal
+from deeprobust.graph import utils
+import torch.optim as optim
+from copy import deepcopy
+
+class GaussianConvolution(Module):
+
+    def __init__(self, in_features, out_features):
+        super(GaussianConvolution, self).__init__()
+        self.in_features = in_features
+        self.out_features = out_features
+        self.weight_miu = Parameter(torch.FloatTensor(in_features, out_features))
+        self.weight_sigma = Parameter(torch.FloatTensor(in_features, out_features))
+        # self.sigma = Parameter(torch.FloatTensor(out_features))
+        # self.register_parameter('bias', None)
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        # TODO
+        torch.nn.init.xavier_uniform_(self.weight_miu)
+        torch.nn.init.xavier_uniform_(self.weight_sigma)
+
+    def forward(self, previous_miu, previous_sigma, adj_norm1=None, adj_norm2=None, gamma=1):
+
+        if adj_norm1 is None and adj_norm2 is None:
+            return torch.mm(previous_miu, self.weight_miu), \
+                    torch.mm(previous_sigma, self.weight_sigma)
+
+        Att = torch.exp(-gamma * previous_sigma)
+        M = adj_norm1 @ (previous_miu * Att) @ self.weight_miu
+        Sigma = adj_norm2 @ (previous_sigma * Att * Att) @ self.weight_sigma
+        return M, Sigma
+
+        # M = torch.mm(torch.mm(adj, previous_miu * A), self.weight_miu)
+        # Sigma = torch.mm(torch.mm(adj, previous_sigma * A * A), self.weight_sigma)
+
+        # TODO sparse implemention
+        # support = torch.mm(input, self.weight)
+        # output = torch.spmm(adj, support)
+        # return output + self.bias
+
+    def __repr__(self):
+        return self.__class__.__name__ + ' (' \
+               + str(self.in_features) + ' -> ' \
+               + str(self.out_features) + ')'
+
+
+class RGCN(Module):
+
+    def __init__(self, nnodes, nfeat, nhid, nclass, gamma=1.0, beta1=5e-4, beta2=5e-4, lr=0.01, dropout=0.6, device='cpu'):
+        super(RGCN, self).__init__()
+
+        self.device = device
+        # adj_norm = normalize(adj)
+        # first turn original features to distribution
+        self.lr = lr
+        self.gamma = gamma
+        self.beta1 = beta1
+        self.beta2 = beta2
+        self.nclass = nclass
+        self.nhid = nhid
+        self.gc1 = GaussianConvolution(nfeat, nhid)
+        # self.gc2 = GaussianConvolution(nhid, nhid)
+        # self.gc3 = GaussianConvolution(nhid, nclass)
+        self.gc2 = GaussianConvolution(nhid, nclass)
+
+        self.dropout = dropout
+        # self.gaussian = MultivariateNormal(torch.zeros(self.nclass), torch.eye(self.nclass))
+        self.gaussian = MultivariateNormal(torch.zeros(nnodes, self.nclass),
+                torch.diag_embed(torch.ones(nnodes, self.nclass)))
+        self.miu1 = None
+        self.sigma1 = None
+        self.adj_norm1, self.adj_norm2 = None, None
+        self.features, self.labels = None, None
+
+    def forward(self):
+        features = self.features
+        miu, sigma = self.gc1(features, features)
+        miu, sigma = F.elu(miu, alpha=1), F.relu(sigma)
+        self.miu1, self.sigma1 = miu, sigma
+        miu = F.dropout(miu, self.dropout, training=self.training)
+        sigma = F.dropout(sigma, self.dropout, training=self.training)
+
+        miu, sigma = self.gc2(miu, sigma, self.adj_norm1, self.adj_norm2, self.gamma)
+        miu, sigma = F.elu(miu, alpha=1), F.relu(sigma)
+
+        # # third layer
+        # miu = F.dropout(miu, self.dropout, training=self.training)
+        # sigma = F.dropout(sigma, self.dropout, training=self.training)
+        # miu, sigma = self.gc3(miu, sigma, self.adj_norm1, self.adj_norm2, self.gamma)
+        # miu, sigma = F.elu(miu), F.relu(sigma)
+        output = miu + self.gaussian.sample().to(self.device) * torch.sqrt(sigma + 1e-8)
+        return F.log_softmax(output, dim=1)
+
+    def fit_(self, features, adj, labels, idx_train, idx_val=None, train_iters=200, verbose=True):
+
+        adj, features, labels = utils.to_tensor(adj.todense(), features, labels, device=self.device)
+        self.features, self.labels = features, labels
+        self.adj_norm1 = self._normalize_adj(adj, power=-1/2)
+        self.adj_norm2 = self._normalize_adj(adj, power=-1)
+        print('=== training rgcn model ===')
+        self._initialize()
+        if idx_val is None:
+            self._train_without_val(labels, idx_train, train_iters, verbose)
+        else:
+            self._train_with_val(labels, idx_train, idx_val, train_iters, verbose)
+
+    def _train_without_val(self, labels, idx_train, train_iters, verbose=True):
+        print('=== training gcn model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr)
+        self.train()
+        for i in range(train_iters):
+            optimizer.zero_grad()
+            output = self.forward()
+            loss_train = self.loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+        self.eval()
+        output = self.forward()
+        self.output = output
+
+    def _train_with_val(self, labels, idx_train, idx_val, train_iters, verbose):
+        print('=== training gcn model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr)
+
+        best_loss_val = 100
+        best_acc_val = 0
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward()
+            loss_train = self.loss(output[idx_train], labels[idx_train])
+            loss_train.backward()
+            optimizer.step()
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward()
+            loss_val = F.nll_loss(output[idx_val], labels[idx_val])
+            acc_val = utils.accuracy(output[idx_val], labels[idx_val])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+
+            if acc_val > best_acc_val:
+                best_acc_val = acc_val
+                self.output = output
+
+        print('=== picking the best model according to the performance on validation ===')
+
+
+    def test(self, idx_test):
+        # output = self.forward()
+        output = self.output
+        loss_test = F.nll_loss(output[idx_test], self.labels[idx_test])
+        acc_test = utils.accuracy(output[idx_test], self.labels[idx_test])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+
+    def loss(self, input, labels):
+        loss = F.nll_loss(input, labels)
+        kl_loss = 0.5 * (self.miu1.pow(2) + self.sigma1 - torch.log(1e-8 + self.sigma1)).mean(1)
+        kl_loss = kl_loss.sum()
+        norm2 = torch.norm(self.gc1.weight_miu, 2).pow(2) + \
+               torch.norm(self.gc1.weight_sigma, 2).pow(2)
+        # print(f'gcn_loss: {loss.item()}, kl_loss: {self.beta1 * kl_loss.item()}, norm2: {self.beta2 * norm2.item()}')
+        return loss  + self.beta1 * kl_loss + self.beta2 * norm2
+
+    def _initialize(self):
+        self.gc1.reset_parameters()
+        self.gc2.reset_parameters()
+
+    def _normalize_adj(self, adj, power=-1/2):
+
+        """Row-normalize sparse matrix"""
+        A = adj + torch.eye(len(adj)).to(self.device)
+        D_power = (A.sum(1)).pow(power)
+        D_power[torch.isinf(D_power)] = 0.
+        D_power = torch.diag(D_power)
+        return D_power @ A @ D_power
+

deeprobust/graph/defense/sgc.py

@@ -0,0 +1,196 @@
+"""
+Extended from https://github.com/rusty1s/pytorch_geometric/tree/master/benchmark/citation
+"""
+import torch.nn as nn
+import torch.nn.functional as F
+import math
+import torch
+import torch.optim as optim
+from torch.nn.parameter import Parameter
+from torch.nn.modules.module import Module
+from deeprobust.graph import utils
+from copy import deepcopy
+from torch_geometric.nn import SGConv
+
+class SGC(torch.nn.Module):
+    """ SGC based on pytorch geometric. Simplifying Graph Convolutional Networks.
+
+    Parameters
+    ----------
+    nfeat : int
+        size of input feature dimension
+    nclass : int
+        size of output dimension
+    K: int
+        number of propagation in SGC
+    cached : bool
+        whether to set the cache flag in SGConv
+    lr : float
+        learning rate for SGC
+    weight_decay : float
+        weight decay coefficient (l2 normalization) for GCN.
+        When `with_relu` is True, `weight_decay` will be set to 0.
+    with_bias: bool
+        whether to include bias term in SGC weights.
+    device: str
+        'cpu' or 'cuda'.
+
+    Examples
+    --------
+	We can first load dataset and then train SGC.
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import SGC
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> sgc = SGC(nfeat=features.shape[1], K=3, lr=0.1,
+              nclass=labels.max().item() + 1, device='cuda')
+    >>> sgc = sgc.to('cuda')
+    >>> pyg_data = Dpr2Pyg(data) # convert deeprobust dataset to pyg dataset
+    >>> sgc.fit(pyg_data, train_iters=200, patience=200, verbose=True) # train with earlystopping
+    """
+
+
+    def __init__(self, nfeat, nclass, K=3, cached=True, lr=0.01,
+            weight_decay=5e-4, with_bias=True, device=None):
+
+        super(SGC, self).__init__()
+
+        assert device is not None, "Please specify 'device'!"
+        self.device = device
+
+        self.conv1 = SGConv(nfeat,
+                nclass, bias=with_bias, K=K, cached=cached)
+
+        self.weight_decay = weight_decay
+        self.lr = lr
+        self.output = None
+        self.best_model = None
+        self.best_output = None
+
+    def forward(self, data):
+        x, edge_index = data.x, data.edge_index
+        x = self.conv1(x, edge_index)
+        return F.log_softmax(x, dim=1)
+
+    def initialize(self):
+        """Initialize parameters of SGC.
+        """
+        self.conv1.reset_parameters()
+
+    def fit(self, pyg_data, train_iters=200, initialize=True, verbose=False, patience=500, **kwargs):
+        """Train the SGC model, when idx_val is not None, pick the best model
+        according to the validation loss.
+
+        Parameters
+        ----------
+        pyg_data :
+            pytorch geometric dataset object
+        train_iters : int
+            number of training epochs
+        initialize : bool
+            whether to initialize parameters before training
+        verbose : bool
+            whether to show verbose logs
+        patience : int
+            patience for early stopping, only valid when `idx_val` is given
+        """
+
+        # self.device = self.conv1.weight.device
+        if initialize:
+            self.initialize()
+
+        self.data = pyg_data[0].to(self.device)
+        # By default, it is trained with early stopping on validation
+        self.train_with_early_stopping(train_iters, patience, verbose)
+
+    def train_with_early_stopping(self, train_iters, patience, verbose):
+        """early stopping based on the validation loss
+        """
+        if verbose:
+            print('=== training SGC model ===')
+        optimizer = optim.Adam(self.parameters(), lr=self.lr, weight_decay=self.weight_decay)
+
+        labels = self.data.y
+        train_mask, val_mask = self.data.train_mask, self.data.val_mask
+
+        early_stopping = patience
+        best_loss_val = 100
+
+        for i in range(train_iters):
+            self.train()
+            optimizer.zero_grad()
+            output = self.forward(self.data)
+
+            loss_train = F.nll_loss(output[train_mask], labels[train_mask])
+            loss_train.backward()
+            optimizer.step()
+
+            if verbose and i % 10 == 0:
+                print('Epoch {}, training loss: {}'.format(i, loss_train.item()))
+
+            self.eval()
+            output = self.forward(self.data)
+            loss_val = F.nll_loss(output[val_mask], labels[val_mask])
+
+            if best_loss_val > loss_val:
+                best_loss_val = loss_val
+                self.output = output
+                weights = deepcopy(self.state_dict())
+                patience = early_stopping
+            else:
+                patience -= 1
+            if i > early_stopping and patience <= 0:
+                break
+
+        if verbose:
+             print('=== early stopping at {0}, loss_val = {1} ==='.format(i, best_loss_val) )
+        self.load_state_dict(weights)
+
+    def test(self):
+        """Evaluate SGC performance on test set.
+
+        Parameters
+        ----------
+        idx_test :
+            node testing indices
+        """
+        self.eval()
+        test_mask = self.data.test_mask
+        labels = self.data.y
+        output = self.forward(self.data)
+        # output = self.output
+        loss_test = F.nll_loss(output[test_mask], labels[test_mask])
+        acc_test = utils.accuracy(output[test_mask], labels[test_mask])
+        print("Test set results:",
+              "loss= {:.4f}".format(loss_test.item()),
+              "accuracy= {:.4f}".format(acc_test.item()))
+        return acc_test.item()
+
+    def predict(self):
+        """
+        Returns
+        -------
+        torch.FloatTensor
+            output (log probabilities) of SGC
+        """
+
+        self.eval()
+        return self.forward(self.data)
+
+
+if __name__ == "__main__":
+    from deeprobust.graph.data import Dataset, Dpr2Pyg
+    # from deeprobust.graph.defense import SGC
+    data = Dataset(root='/tmp/', name='cora')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    sgc = SGC(nfeat=features.shape[1],
+          nclass=labels.max().item() + 1, device='cpu')
+    sgc = sgc.to('cpu')
+    pyg_data = Dpr2Pyg(data)
+    sgc.fit(pyg_data, verbose=True) # train with earlystopping
+    sgc.test()
+    print(sgc.predict())
+

deeprobust/graph/defense_pyg/airgnn.py

@@ -0,0 +1,186 @@
+import torch
+import torch.nn.functional as F
+from torch.nn import Linear
+from torch_geometric.nn.conv.gcn_conv import gcn_norm
+from torch_geometric.nn.conv import MessagePassing
+from typing import Optional, Tuple
+from torch_geometric.typing import Adj, OptTensor
+from torch import Tensor
+from torch_sparse import SparseTensor, matmul
+from .base_model import BaseModel
+import torch.nn as nn
+
+class AirGNN(BaseModel):
+
+    def __init__(self, nfeat, nhid, nclass, nlayers=2, K=2, dropout=0.5, lr=0.01,
+                with_bn=False, weight_decay=5e-4, with_bias=True, device=None, args=None):
+
+        super(AirGNN, self).__init__()
+        assert device is not None, "Please specify 'device'!"
+        self.device = device
+
+        self.lins = nn.ModuleList([])
+        self.lins.append(Linear(nfeat, nhid))
+        if with_bn:
+            self.bns = nn.ModuleList([])
+            self.bns.append(nn.BatchNorm1d(nhid))
+        for i in range(nlayers-2):
+            self.lins.append(Linear(nhid, nhid))
+            if with_bn:
+                self.bns.append(nn.BatchNorm1d(nhid))
+        self.lins.append(Linear(nhid, nclass))
+
+        self.prop = AdaptiveMessagePassing(K=K, alpha=args.alpha, mode=args.model, args=args)
+        print(self.prop)
+
+        self.dropout = dropout
+        self.weight_decay = weight_decay
+        self.lr = lr
+        self.name = args.model
+        self.with_bn = with_bn
+
+    def initialize(self):
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        for lin in self.lins:
+            lin.reset_parameters()
+        if self.with_bn:
+            for bn in self.bns:
+                bn.reset_parameters()
+        self.prop.reset_parameters()
+
+    def forward(self, x, edge_index, edge_weight=None):
+        x, edge_index, edge_weight = self._ensure_contiguousness(x, edge_index, edge_weight)
+        edge_index = SparseTensor.from_edge_index(edge_index, edge_weight,
+                sparse_sizes=2 * x.shape[:1]).t()
+        for ii, lin in enumerate(self.lins[:-1]):
+            x = F.dropout(x, p=self.dropout, training=self.training)
+            x = lin(x)
+            if self.with_bn:
+                x = self.bns[ii](x)
+            x = F.relu(x)
+        x = F.dropout(x, p=self.dropout, training=self.training)
+        x = self.lins[-1](x)
+        x = self.prop(x, edge_index)
+        return F.log_softmax(x, dim=1)
+
+    def get_embed(self, x, edge_index, edge_weight=None):
+        x, edge_index, edge_weight = self._ensure_contiguousness(x, edge_index, edge_weight)
+        edge_index = SparseTensor.from_edge_index(edge_index, edge_weight,
+                sparse_sizes=2 * x.shape[:1]).t()
+        for ii, lin in enumerate(self.lins[:-1]):
+            x = lin(x)
+            if self.with_bn:
+                x = self.bns[ii](x)
+            x = F.relu(x)
+        x = self.prop(x, edge_index)
+        return x
+
+
+class AdaptiveMessagePassing(MessagePassing):
+    _cached_edge_index: Optional[Tuple[Tensor, Tensor]]
+    _cached_adj_t: Optional[SparseTensor]
+
+    def __init__(self,
+                 K: int,
+                 alpha: float,
+                 dropout: float = 0.,
+                 cached: bool = False,
+                 add_self_loops: bool = True,
+                 normalize: bool = True,
+                 mode: str = None,
+                 node_num: int = None,
+                 args=None,
+                 **kwargs):
+
+        super(AdaptiveMessagePassing, self).__init__(aggr='add', **kwargs)
+        self.K = K
+        self.alpha = alpha
+        self.mode = mode
+        self.dropout = dropout
+        self.cached = cached
+        self.add_self_loops = add_self_loops
+        self.normalize = normalize
+        self._cached_edge_index = None
+        self.node_num = node_num
+        self.args = args
+        self._cached_adj_t = None
+
+    def reset_parameters(self):
+        self._cached_edge_index = None
+        self._cached_adj_t = None
+
+    def forward(self, x: Tensor, edge_index: Adj, edge_weight: OptTensor = None, mode=None) -> Tensor:
+        if self.normalize:
+            if isinstance(edge_index, Tensor):
+                raise ValueError('Only support SparseTensor now')
+
+            elif isinstance(edge_index, SparseTensor):
+                cache = self._cached_adj_t
+                if cache is None:
+                    edge_index = gcn_norm(  # yapf: disable
+                        edge_index, edge_weight, x.size(self.node_dim), False,
+                        add_self_loops=self.add_self_loops, dtype=x.dtype)
+                    if self.cached:
+                        self._cached_adj_t = edge_index
+                else:
+                    edge_index = cache
+
+        if mode == None: mode = self.mode
+
+        if self.K <= 0:
+            return x
+        hh = x
+
+        if mode == 'MLP':
+            return x
+
+        elif mode == 'APPNP':
+            x = self.appnp_forward(x=x, hh=hh, edge_index=edge_index, K=self.K, alpha=self.alpha)
+
+        elif mode in ['AirGNN']:
+            x = self.amp_forward(x=x, hh=hh, edge_index=edge_index, K=self.K)
+        else:
+            raise ValueError('wrong propagate mode')
+        return x
+
+    def appnp_forward(self, x, hh, edge_index, K, alpha):
+        for k in range(K):
+            x = self.propagate(edge_index, x=x, edge_weight=None, size=None)
+            x = x * (1 - alpha)
+            x += alpha * hh
+        return x
+
+    def amp_forward(self, x, hh, K, edge_index):
+        lambda_amp = self.args.lambda_amp
+        gamma = 1 / (2 * (1 - lambda_amp))  ## or simply gamma = 1
+
+        for k in range(K):
+            y = x - gamma * 2 * (1 - lambda_amp) * self.compute_LX(x=x, edge_index=edge_index)  # Equation (9)
+            x = hh + self.proximal_L21(x=y - hh, lambda_=gamma * lambda_amp) # Equation (11) and (12)
+        return x
+
+    def proximal_L21(self, x: Tensor, lambda_):
+        row_norm = torch.norm(x, p=2, dim=1)
+        score = torch.clamp(row_norm - lambda_, min=0)
+        index = torch.where(row_norm > 0)             #  Deal with the case when the row_norm is 0
+        score[index] = score[index] / row_norm[index] # score is the adaptive score in Equation (14)
+        return score.unsqueeze(1) * x
+
+    def compute_LX(self, x, edge_index, edge_weight=None):
+        x = x - self.propagate(edge_index, x=x, edge_weight=edge_weight, size=None)
+        return x
+
+    def message(self, x_j: Tensor, edge_weight: Tensor) -> Tensor:
+        return edge_weight.view(-1, 1) * x_j
+
+    def message_and_aggregate(self, adj_t: SparseTensor, x: Tensor) -> Tensor:
+        return matmul(adj_t, x, reduce=self.aggr)
+
+    def __repr__(self):
+        return '{}(K={}, alpha={}, mode={}, dropout={}, lambda_amp={})'.format(self.__class__.__name__, self.K,
+                                                               self.alpha, self.mode, self.dropout,
+                                                               self.args.lambda_amp)
+
+

deeprobust/graph/defense_pyg/sage.py

@@ -0,0 +1,157 @@
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+from torch_sparse import SparseTensor, matmul
+# from torch_geometric.nn import SAGEConv, GATConv, APPNP, MessagePassing
+from torch_geometric.nn.conv.gcn_conv import gcn_norm
+import scipy.sparse
+import numpy as np
+from .base_model import BaseModel
+
+
+class SAGE(BaseModel):
+
+    def __init__(self, nfeat, nhid, nclass, num_layers=2,
+                 dropout=0.5, lr=0.01, weight_decay=0, device='cpu', with_bn=False, **kwargs):
+        super(SAGE, self).__init__()
+
+        self.convs = nn.ModuleList()
+        self.convs.append(
+            SAGEConv(nfeat, nhid))
+
+        self.bns = nn.ModuleList()
+        if 'nlayers' in kwargs:
+            num_layers = kwargs['nlayers']
+        self.bns.append(nn.BatchNorm1d(nhid))
+        for _ in range(num_layers - 2):
+            self.convs.append(
+                SAGEConv(nhid, nhid))
+            self.bns.append(nn.BatchNorm1d(nhid))
+
+        self.convs.append(
+            SAGEConv(nhid, nclass))
+
+        self.weight_decay = weight_decay
+        self.lr = lr
+        self.dropout = dropout
+        self.activation = F.relu
+        self.with_bn = with_bn
+        self.device = device
+        self.name = "SAGE"
+
+    def initialize(self):
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        for conv in self.convs:
+            conv.reset_parameters()
+        for bn in self.bns:
+            bn.reset_parameters()
+
+
+    def forward(self, x, edge_index, edge_weight=None):
+        if edge_weight is not None:
+            adj = SparseTensor.from_edge_index(edge_index, edge_weight, sparse_sizes=2 * x.shape[:1]).t()
+
+        for i, conv in enumerate(self.convs[:-1]):
+            if edge_weight is not None:
+                x = conv(x, adj)
+            else:
+                x = conv(x, edge_index, edge_weight)
+            if self.with_bn:
+                x = self.bns[i](x)
+            x = self.activation(x)
+            x = F.dropout(x, p=self.dropout, training=self.training)
+        if edge_weight is not None:
+            x = self.convs[-1](x, adj)
+        else:
+            x = self.convs[-1](x, edge_index, edge_weight)
+        return F.log_softmax(x, dim=1)
+
+
+
+from typing import Union, Tuple
+from torch_geometric.typing import OptPairTensor, Adj, Size
+
+from torch import Tensor
+from torch.nn import Linear
+import torch.nn.functional as F
+from torch_sparse import SparseTensor, matmul
+from torch_geometric.nn.conv import MessagePassing
+
+
+class SAGEConv(MessagePassing):
+    r"""The GraphSAGE operator from the `"Inductive Representation Learning on
+    Large Graphs" <https://arxiv.org/abs/1706.02216>`_ paper
+
+    .. math::
+        \mathbf{x}^{\prime}_i = \mathbf{W}_1 \mathbf{x}_i + \mathbf{W_2} \cdot
+        \mathrm{mean}_{j \in \mathcal{N(i)}} \mathbf{x}_j
+
+    Args:
+        in_channels (int or tuple): Size of each input sample. A tuple
+            corresponds to the sizes of source and target dimensionalities.
+        out_channels (int): Size of each output sample.
+        normalize (bool, optional): If set to :obj:`True`, output features
+            will be :math:`\ell_2`-normalized, *i.e.*,
+            :math:`\frac{\mathbf{x}^{\prime}_i}
+            {\| \mathbf{x}^{\prime}_i \|_2}`.
+            (default: :obj:`False`)
+        bias (bool, optional): If set to :obj:`False`, the layer will not learn
+            an additive bias. (default: :obj:`True`)
+        **kwargs (optional): Additional arguments of
+            :class:`torch_geometric.nn.conv.MessagePassing`.
+    """
+    def __init__(self, in_channels: Union[int, Tuple[int, int]],
+                 out_channels: int, normalize: bool = False,
+                 bias: bool = True, **kwargs):  # yapf: disable
+        kwargs.setdefault('aggr', 'mean')
+        super(SAGEConv, self).__init__(**kwargs)
+
+        self.in_channels = in_channels
+        self.out_channels = out_channels
+        self.normalize = normalize
+
+        if isinstance(in_channels, int):
+            in_channels = (in_channels, in_channels)
+
+        self.lin_l = Linear(in_channels[0], out_channels, bias=bias)
+        self.lin_r = Linear(in_channels[1], out_channels, bias=False)
+
+        self.reset_parameters()
+
+    def reset_parameters(self):
+        self.lin_l.reset_parameters()
+        self.lin_r.reset_parameters()
+
+    def forward(self, x: Union[Tensor, OptPairTensor], edge_index: Adj,
+                size: Size = None) -> Tensor:
+        """"""
+        if isinstance(x, Tensor):
+            x: OptPairTensor = (x, x)
+
+        # propagate_type: (x: OptPairTensor)
+        out = self.propagate(edge_index, x=x, size=size)
+        out = self.lin_l(out)
+
+        x_r = x[1]
+        if x_r is not None:
+            out += self.lin_r(x_r)
+
+        if self.normalize:
+            out = F.normalize(out, p=2., dim=-1)
+
+        return out
+
+    def message(self, x_j: Tensor) -> Tensor:
+        return x_j
+
+    def message_and_aggregate(self, adj_t: SparseTensor,
+                              x: OptPairTensor) -> Tensor:
+        # Deleted the following line to make propagation differentiable
+        # adj_t = adj_t.set_value(None, layout=None)
+        return matmul(adj_t, x[0], reduce=self.aggr)
+
+    def __repr__(self):
+        return '{}({}, {})'.format(self.__class__.__name__, self.in_channels,
+                                   self.out_channels)

deeprobust/graph/global_attack/__init__.py

@@ -0,0 +1,18 @@
+from .base_attack import BaseAttack
+from .dice import DICE
+from .mettack import MetaApprox, Metattack
+from .random_attack import Random
+from .topology_attack import MinMax, PGDAttack
+from .node_embedding_attack import NodeEmbeddingAttack, OtherNodeEmbeddingAttack
+from .nipa import NIPA
+
+try:
+    from .prbcd import PRBCD
+except ImportError as e:
+    print(e)
+    warnings.warn("Please install pytorch geometric if you " +
+                  "would like to use the datasets from pytorch " +
+                  "geometric. See details in https://pytorch-geom" +
+                  "etric.readthedocs.io/en/latest/notes/installation.html")
+
+__all__ = ['BaseAttack', 'DICE', 'MetaApprox', 'Metattack', 'Random', 'MinMax', 'PGDAttack', 'NIPA', 'NodeEmbeddingAttack', 'OtherNodeEmbeddingAttack', 'PRBCD']

deeprobust/graph/global_attack/dice.py

@@ -0,0 +1,123 @@
+import random
+import numpy as np
+import scipy.sparse as sp
+from deeprobust.graph.global_attack import BaseAttack
+
+class DICE(BaseAttack):
+    """As is described in ADVERSARIAL ATTACKS ON GRAPH NEURAL NETWORKS VIA META LEARNING (ICLR'19),
+    'DICE (delete internally, connect externally) is a baseline where, for each perturbation,
+    we randomly choose whether to insert or remove an edge. Edges are only removed between
+    nodes from the same classes, and only inserted between nodes from different classes.
+
+    Parameters
+    ----------
+    model :
+        model to attack. Default `None`.
+    nnodes : int
+        number of nodes in the input graph
+    attack_structure : bool
+        whether to attack graph structure
+    attack_features : bool
+        whether to attack node features
+    device: str
+        'cpu' or 'cuda'
+
+
+    Examples
+    --------
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.global_attack import DICE
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> model = DICE()
+    >>> model.attack(adj, labels, n_perturbations=10)
+    >>> modified_adj = model.modified_adj
+
+    """
+
+    def __init__(self, model=None, nnodes=None, attack_structure=True, attack_features=False, device='cpu'):
+        super(DICE, self).__init__(model, nnodes, attack_structure=attack_structure, attack_features=attack_features, device=device)
+
+        assert not self.attack_features, 'DICE does NOT support attacking features'
+
+    def attack(self, ori_adj, labels, n_perturbations, **kwargs):
+        """Delete internally, connect externally. This baseline has all true class labels
+        (train and test) available.
+
+        Parameters
+        ----------
+        ori_adj : scipy.sparse.csr_matrix
+            Original (unperturbed) adjacency matrix.
+        labels:
+            node labels
+        n_perturbations : int
+            Number of edge removals/additions.
+
+        Returns
+        -------
+        None.
+
+        """
+
+        # ori_adj: sp.csr_matrix
+
+        print('number of pertubations: %s' % n_perturbations)
+        modified_adj = ori_adj.tolil()
+
+        remove_or_insert = np.random.choice(2, n_perturbations)
+        n_remove = sum(remove_or_insert)
+
+        nonzero = set(zip(*ori_adj.nonzero()))
+        indices = sp.triu(modified_adj).nonzero()
+        possible_indices = [x for x in zip(indices[0], indices[1])
+                            if labels[x[0]] == labels[x[1]]]
+
+        remove_indices = np.random.permutation(possible_indices)[: n_remove]
+        modified_adj[remove_indices[:, 0], remove_indices[:, 1]] = 0
+        modified_adj[remove_indices[:, 1], remove_indices[:, 0]] = 0
+
+        n_insert = n_perturbations - n_remove
+
+        # sample edges to add
+        added_edges = 0
+        while added_edges < n_insert:
+            n_remaining = n_insert - added_edges
+
+            # sample random pairs
+            candidate_edges = np.array([np.random.choice(ori_adj.shape[0], n_remaining),
+                                        np.random.choice(ori_adj.shape[0], n_remaining)]).T
+
+            # filter out existing edges, and pairs with the different labels
+            candidate_edges = set([(u, v) for u, v in candidate_edges if labels[u] != labels[v]
+                                        and modified_adj[u, v] == 0 and modified_adj[v, u] == 0])
+            candidate_edges = np.array(list(candidate_edges))
+
+            # if none is found, try again
+            if len(candidate_edges) == 0:
+                continue
+
+            # add all found edges to your modified adjacency matrix
+            modified_adj[candidate_edges[:, 0], candidate_edges[:, 1]] = 1
+            modified_adj[candidate_edges[:, 1], candidate_edges[:, 0]] = 1
+            added_edges += candidate_edges.shape[0]
+
+        self.check_adj(modified_adj)
+        self.modified_adj = modified_adj
+
+
+    def sample_forever(self, adj, exclude):
+        """Randomly random sample edges from adjacency matrix, `exclude` is a set
+        which contains the edges we do not want to sample and the ones already sampled
+        """
+        while True:
+            # t = tuple(np.random.randint(0, adj.shape[0], 2))
+            t = tuple(random.sample(range(0, adj.shape[0]), 2))
+            if t not in exclude:
+                yield t
+                exclude.add(t)
+                exclude.add((t[1], t[0]))
+
+    def random_sample_edges(self, adj, n, exclude):
+        itr = self.sample_forever(adj, exclude=exclude)
+        return [next(itr) for _ in range(n)]

deeprobust/graph/global_attack/ig_attack.py.backup

@@ -0,0 +1,192 @@
+"""
+    Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective
+        https://arxiv.org/pdf/1906.04214.pdf
+    Tensorflow Implementation:
+        https://github.com/KaidiXu/GCN_ADV_Train
+"""
+
+import numpy as np
+import scipy.sparse as sp
+import torch
+from torch.nn import functional as F
+from torch.nn.parameter import Parameter
+from tqdm import tqdm
+import warnings
+from deeprobust.graph import utils
+from deeprobust.graph.global_attack import BaseAttack
+
+
+class IGAttack(BaseAttack):
+    """[Under Development] Untargeted Attack Version of IGAttack: IG-FGSM. Adversarial Examples on Graph Data: Deep Insights into Attack and Defense, https://arxiv.org/pdf/1903.01610.pdf.
+
+    Parameters
+    ----------
+    model :
+        model to attack
+    nnodes : int
+        number of nodes in the input graph
+    feature_shape : tuple
+        shape of the input node features
+    attack_structure : bool
+        whether to attack graph structure
+    attack_features : bool
+        whether to attack node features
+    device: str
+        'cpu' or 'cuda'
+
+    """
+    def __init__(self, model=None, nnodes=None, feature_shape=None, attack_structure=True, attack_features=False, device='cpu'):
+
+        super(IGAttack, self).__init__(model, nnodes, attack_structure, attack_features, device)
+
+        assert attack_features or attack_structure, 'attack_features or attack_structure cannot be both False'
+
+        self.modified_adj = None
+        self.modified_features = None
+
+        if attack_structure:
+            assert nnodes is not None, 'Please give nnodes='
+            self.adj_changes = Parameter(torch.FloatTensor(int(nnodes*(nnodes-1)/2)))
+            self.adj_changes.data.fill_(0)
+
+        if attack_features:
+            assert feature_shape is not None, 'Please give feature_shape='
+            self.feature_changes = Parameter(torch.FloatTensor(feature_shape))
+            self.feature_changes.data.fill_(0)
+
+    def attack(self, ori_features, ori_adj, labels, idx_train, n_perturbations, **kwargs):
+        """Generate perturbations on the input graph.
+
+        Parameters
+        ----------
+        ori_features :
+            Original (unperturbed) node feature matrix
+        ori_adj :
+            Original (unperturbed) adjacency matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        n_perturbations : int
+            Number of perturbations on the input graph. Perturbations could
+            be edge removals/additions or feature removals/additions.
+        """
+
+        victim_model = self.surrogate
+        self.sparse_features = sp.issparse(ori_features)
+        ori_adj, ori_features, labels = utils.to_tensor(ori_adj, ori_features, labels, device=self.device)
+
+        victim_model.eval()
+
+        warnings.warn('This process is extremely slow!')
+        adj_norm = utils.normalize_adj_tensor(ori_adj)
+        s_e = self.calc_importance_edge(ori_features, adj_norm, labels, idx_train, steps=20)
+        s_f = self.calc_importance_feature(ori_features, adj_norm, labels, idx_train, steps=20)
+
+        import ipdb
+        ipdb.set_trace()
+
+        for t in tqdm(range(n_perturbations)):
+            modified_adj
+
+        self.adj_changes.data.copy_(torch.tensor(best_s))
+        self.modified_adj = self.get_modified_adj(ori_adj).detach()
+
+    def calc_importance_edge(self, features, adj, labels, idx_train, steps):
+        adj_norm = utils.normalize_adj_tensor(adj)
+        adj_norm.requires_grad = True
+        integrated_grad_list = []
+        for i in tqdm(range(adj.shape[0])):
+            for j in (range(adj.shape[1])):
+                if adj_norm[i][j]:
+                    scaled_inputs = [(float(k)/ steps) * (adj_norm - 0) for k in range(0, steps + 1)]
+                else:
+                    scaled_inputs = [-(float(k)/ steps) * (1 - adj_norm) for k in range(0, steps + 1)]
+                _sum = 0
+
+                # num_processes = steps
+                # # NOTE: this is required for the ``fork`` method to work
+                # self.surrogate.share_memory()
+                # processes = []
+                # for rank in range(num_processes):
+                #     p = mp.Process(target=self.get_gradient, args=(features, scaled_inputs[rank], adj_norm, labels, idx_train))
+                #     p.start()
+                #     processes.append(p)
+                # for p in processes:
+                #     p.join()
+
+                for new_adj in scaled_inputs:
+                    output = self.surrogate(features, new_adj)
+                    loss = F.nll_loss(output[idx_train], labels[idx_train])
+                    # adj_grad = torch.autograd.grad(loss, adj[i][j], allow_unused=True)[0]
+                    adj_grad = torch.autograd.grad(loss, adj_norm)[0]
+                    adj_grad = adj_grad[i][j]
+                    _sum += adj_grad
+
+                if adj_norm[i][j]:
+                    avg_grad = (adj_norm[i][j] - 0) * _sum.mean()
+                else:
+                    avg_grad = (1 - adj_norm[i][j]) * _sum.mean()
+                integrated_grad_list.append(avg_grad)
+
+        return integrated_grad_list
+
+    def get_gradient(self, features, new_adj, adj_norm, labels, idx_train):
+        output = self.surrogate(features, new_adj)
+        loss = F.nll_loss(output[idx_train], labels[idx_train])
+        # adj_grad = torch.autograd.grad(loss, adj[i][j], allow_unused=True)[0]
+        adj_grad = torch.autograd.grad(loss, adj_norm)[0]
+        adj_grad = adj_grad[i][j]
+        self._sum += adj_grad
+
+    def calc_importance_feature(self, features, adj_norm, labels, idx_train, steps):
+        features.requires_grad = True
+        integrated_grad_list = []
+        for i in range(features.shape[0]):
+            for j in range(features.shape[1]):
+                if features[i][j]:
+                    scaled_inputs = [(float(k)/ steps) * (features - 0) for k in range(0, steps + 1)]
+                else:
+                    scaled_inputs = [-(float(k)/ steps) * (1 - features) for k in range(0, steps + 1)]
+                _sum = 0
+
+                for new_features in scaled_inputs:
+                    output = self.surrogate(new_features, adj_norm)
+                    loss = F.nll_loss(output[idx_train], labels[idx_train])
+                    # adj_grad = torch.autograd.grad(loss, adj[i][j], allow_unused=True)[0]
+                    feature_grad = torch.autograd.grad(loss, features, allow_unused=True)[0]
+                    feature_grad = feature_grad[i][j]
+                    _sum += feature_grad
+
+                if adj_norm[i][j]:
+                    avg_grad = (features[i][j] - 0) * _sum.mean()
+                else:
+                    avg_grad = (1 - features[i][j]) * _sum.mean()
+                integrated_grad_list.append(avg_grad)
+
+        return integrated_grad_list
+
+    def calc_gradient_adj(self, inputs, features):
+        for adj in inputs:
+            adj_norm = utils.normalize_adj_tensor(modified_adj)
+            output = self.surrogate(features, adj_norm)
+            loss = F.nll_loss(output[idx_train], labels[idx_train])
+            adj_grad = torch.autograd.grad(loss, inputs)[0]
+        return adj_grad.mean()
+
+    def calc_gradient_feature(self, adj_norm, inputs):
+        for features in inputs:
+            output = self.surrogate(features, adj_norm)
+            loss = F.nll_loss(output[idx_train], labels[idx_train])
+            adj_grad = torch.autograd.grad(loss, inputs)[0]
+        return adj_grad.mean()
+
+    def get_modified_adj(self, ori_adj):
+        adj_changes_square = self.adj_changes - torch.diag(torch.diag(self.adj_changes, 0))
+        ind = np.diag_indices(self.adj_changes.shape[0])
+        adj_changes_symm = torch.clamp(adj_changes_square + torch.transpose(adj_changes_square, 1, 0), -1, 1)
+        modified_adj = adj_changes_symm + ori_adj
+        return modified_adj
+
+    def get_modified_features(self, ori_features):
+        return ori_features + self.feature_changes

deeprobust/graph/global_attack/mettack.py

@@ -0,0 +1,572 @@
+"""
+    Adversarial Attacks on Graph Neural Networks via Meta Learning. ICLR 2019
+        https://openreview.net/pdf?id=Bylnx209YX
+    Author Tensorflow implementation:
+        https://github.com/danielzuegner/gnn-meta-attack
+"""
+
+import math
+import numpy as np
+import scipy.sparse as sp
+import torch
+from torch import optim
+from torch.nn import functional as F
+from torch.nn.parameter import Parameter
+from tqdm import tqdm
+from deeprobust.graph import utils
+from deeprobust.graph.global_attack import BaseAttack
+
+
+class BaseMeta(BaseAttack):
+    """Abstract base class for meta attack. Adversarial Attacks on Graph Neural
+    Networks via Meta Learning, ICLR 2019,
+    https://openreview.net/pdf?id=Bylnx209YX
+
+    Parameters
+    ----------
+    model :
+        model to attack. Default `None`.
+    nnodes : int
+        number of nodes in the input graph
+    lambda_ : float
+        lambda_ is used to weight the two objectives in Eq. (10) in the paper.
+    feature_shape : tuple
+        shape of the input node features
+    attack_structure : bool
+        whether to attack graph structure
+    attack_features : bool
+        whether to attack node features
+    undirected : bool
+        whether the graph is undirected
+    device: str
+        'cpu' or 'cuda'
+
+    """
+
+    def __init__(self, model=None, nnodes=None, feature_shape=None, lambda_=0.5, attack_structure=True, attack_features=False, undirected=True, device='cpu'):
+
+        super(BaseMeta, self).__init__(model, nnodes, attack_structure, attack_features, device)
+        self.lambda_ = lambda_
+
+        assert attack_features or attack_structure, 'attack_features or attack_structure cannot be both False'
+
+        self.modified_adj = None
+        self.modified_features = None
+
+        if attack_structure:
+            self.undirected = undirected
+            assert nnodes is not None, 'Please give nnodes='
+            self.adj_changes = Parameter(torch.FloatTensor(nnodes, nnodes))
+            self.adj_changes.data.fill_(0)
+
+        if attack_features:
+            assert feature_shape is not None, 'Please give feature_shape='
+            self.feature_changes = Parameter(torch.FloatTensor(feature_shape))
+            self.feature_changes.data.fill_(0)
+
+        self.with_relu = model.with_relu
+
+    def attack(self, adj, labels, n_perturbations):
+        pass
+
+    def get_modified_adj(self, ori_adj):
+        adj_changes_square = self.adj_changes - torch.diag(torch.diag(self.adj_changes, 0))
+        # ind = np.diag_indices(self.adj_changes.shape[0]) # this line seems useless
+        if self.undirected:
+            adj_changes_square = adj_changes_square + torch.transpose(adj_changes_square, 1, 0)
+        adj_changes_square = torch.clamp(adj_changes_square, -1, 1)
+        modified_adj = adj_changes_square + ori_adj
+        return modified_adj
+
+    def get_modified_features(self, ori_features):
+        return ori_features + self.feature_changes
+
+    def filter_potential_singletons(self, modified_adj):
+        """
+        Computes a mask for entries potentially leading to singleton nodes, i.e. one of the two nodes corresponding to
+        the entry have degree 1 and there is an edge between the two nodes.
+        """
+
+        degrees = modified_adj.sum(0)
+        degree_one = (degrees == 1)
+        resh = degree_one.repeat(modified_adj.shape[0], 1).float()
+        l_and = resh * modified_adj
+        if self.undirected:
+            l_and = l_and + l_and.t()
+        flat_mask = 1 - l_and
+        return flat_mask
+
+    def self_training_label(self, labels, idx_train):
+        # Predict the labels of the unlabeled nodes to use them for self-training.
+        output = self.surrogate.output
+        labels_self_training = output.argmax(1)
+        labels_self_training[idx_train] = labels[idx_train]
+        return labels_self_training
+
+
+    def log_likelihood_constraint(self, modified_adj, ori_adj, ll_cutoff):
+        """
+        Computes a mask for entries that, if the edge corresponding to the entry is added/removed, would lead to the
+        log likelihood constraint to be violated.
+
+        Note that different data type (float, double) can effect the final results.
+        """
+        t_d_min = torch.tensor(2.0).to(self.device)
+        if self.undirected:
+            t_possible_edges = np.array(np.triu(np.ones((self.nnodes, self.nnodes)), k=1).nonzero()).T
+        else:
+            t_possible_edges = np.array((np.ones((self.nnodes, self.nnodes)) - np.eye(self.nnodes)).nonzero()).T
+        allowed_mask, current_ratio = utils.likelihood_ratio_filter(t_possible_edges,
+                                                                    modified_adj,
+                                                                    ori_adj, t_d_min,
+                                                                    ll_cutoff, undirected=self.undirected)
+        return allowed_mask, current_ratio
+
+    def get_adj_score(self, adj_grad, modified_adj, ori_adj, ll_constraint, ll_cutoff):
+        adj_meta_grad = adj_grad * (-2 * modified_adj + 1)
+        # Make sure that the minimum entry is 0.
+        adj_meta_grad = adj_meta_grad - adj_meta_grad.min()
+        # Filter self-loops
+        adj_meta_grad = adj_meta_grad - torch.diag(torch.diag(adj_meta_grad, 0))
+        # # Set entries to 0 that could lead to singleton nodes.
+        singleton_mask = self.filter_potential_singletons(modified_adj)
+        adj_meta_grad = adj_meta_grad *  singleton_mask
+
+        if ll_constraint:
+            allowed_mask, self.ll_ratio = self.log_likelihood_constraint(modified_adj, ori_adj, ll_cutoff)
+            allowed_mask = allowed_mask.to(self.device)
+            adj_meta_grad = adj_meta_grad * allowed_mask
+        return adj_meta_grad
+
+    def get_feature_score(self, feature_grad, modified_features):
+        feature_meta_grad = feature_grad * (-2 * modified_features + 1)
+        feature_meta_grad -= feature_meta_grad.min()
+        return feature_meta_grad
+
+
+class Metattack(BaseMeta):
+    """Meta attack. Adversarial Attacks on Graph Neural Networks
+    via Meta Learning, ICLR 2019.
+
+    Examples
+    --------
+
+    >>> import numpy as np
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import GCN
+    >>> from deeprobust.graph.global_attack import Metattack
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> idx_unlabeled = np.union1d(idx_val, idx_test)
+    >>> idx_unlabeled = np.union1d(idx_val, idx_test)
+    >>> # Setup Surrogate model
+    >>> surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
+                    nhid=16, dropout=0, with_relu=False, with_bias=False, device='cpu').to('cpu')
+    >>> surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30)
+    >>> # Setup Attack Model
+    >>> model = Metattack(surrogate, nnodes=adj.shape[0], feature_shape=features.shape,
+            attack_structure=True, attack_features=False, device='cpu', lambda_=0).to('cpu')
+    >>> # Attack
+    >>> model.attack(features, adj, labels, idx_train, idx_unlabeled, n_perturbations=10, ll_constraint=False)
+    >>> modified_adj = model.modified_adj
+
+    """
+
+    def __init__(self, model, nnodes, feature_shape=None, attack_structure=True, attack_features=False, undirected=True, device='cpu', with_bias=False, lambda_=0.5, train_iters=100, lr=0.1, momentum=0.9):
+
+        super(Metattack, self).__init__(model, nnodes, feature_shape, lambda_, attack_structure, attack_features, undirected, device)
+        self.momentum = momentum
+        self.lr = lr
+        self.train_iters = train_iters
+        self.with_bias = with_bias
+
+        self.weights = []
+        self.biases = []
+        self.w_velocities = []
+        self.b_velocities = []
+
+        self.hidden_sizes = self.surrogate.hidden_sizes
+        self.nfeat = self.surrogate.nfeat
+        self.nclass = self.surrogate.nclass
+
+        previous_size = self.nfeat
+        for ix, nhid in enumerate(self.hidden_sizes):
+            weight = Parameter(torch.FloatTensor(previous_size, nhid).to(device))
+            w_velocity = torch.zeros(weight.shape).to(device)
+            self.weights.append(weight)
+            self.w_velocities.append(w_velocity)
+
+            if self.with_bias:
+                bias = Parameter(torch.FloatTensor(nhid).to(device))
+                b_velocity = torch.zeros(bias.shape).to(device)
+                self.biases.append(bias)
+                self.b_velocities.append(b_velocity)
+
+            previous_size = nhid
+
+        output_weight = Parameter(torch.FloatTensor(previous_size, self.nclass).to(device))
+        output_w_velocity = torch.zeros(output_weight.shape).to(device)
+        self.weights.append(output_weight)
+        self.w_velocities.append(output_w_velocity)
+
+        if self.with_bias:
+            output_bias = Parameter(torch.FloatTensor(self.nclass).to(device))
+            output_b_velocity = torch.zeros(output_bias.shape).to(device)
+            self.biases.append(output_bias)
+            self.b_velocities.append(output_b_velocity)
+
+        self._initialize()
+
+    def _initialize(self):
+        for w, v in zip(self.weights, self.w_velocities):
+            stdv = 1. / math.sqrt(w.size(1))
+            w.data.uniform_(-stdv, stdv)
+            v.data.fill_(0)
+
+        if self.with_bias:
+            for b, v in zip(self.biases, self.b_velocities):
+                stdv = 1. / math.sqrt(w.size(1))
+                b.data.uniform_(-stdv, stdv)
+                v.data.fill_(0)
+
+    def inner_train(self, features, adj_norm, idx_train, idx_unlabeled, labels):
+        self._initialize()
+
+        for ix in range(len(self.hidden_sizes) + 1):
+            self.weights[ix] = self.weights[ix].detach()
+            self.weights[ix].requires_grad = True
+            self.w_velocities[ix] = self.w_velocities[ix].detach()
+            self.w_velocities[ix].requires_grad = True
+
+            if self.with_bias:
+                self.biases[ix] = self.biases[ix].detach()
+                self.biases[ix].requires_grad = True
+                self.b_velocities[ix] = self.b_velocities[ix].detach()
+                self.b_velocities[ix].requires_grad = True
+
+        for j in range(self.train_iters):
+            hidden = features
+            for ix, w in enumerate(self.weights):
+                b = self.biases[ix] if self.with_bias else 0
+                if self.sparse_features:
+                    hidden = adj_norm @ torch.spmm(hidden, w) + b
+                else:
+                    hidden = adj_norm @ hidden @ w + b
+
+                if self.with_relu and ix != len(self.weights) - 1:
+                    hidden = F.relu(hidden)
+
+            output = F.log_softmax(hidden, dim=1)
+            loss_labeled = F.nll_loss(output[idx_train], labels[idx_train])
+
+            weight_grads = torch.autograd.grad(loss_labeled, self.weights, create_graph=True)
+            self.w_velocities = [self.momentum * v + g for v, g in zip(self.w_velocities, weight_grads)]
+            if self.with_bias:
+                bias_grads = torch.autograd.grad(loss_labeled, self.biases, create_graph=True)
+                self.b_velocities = [self.momentum * v + g for v, g in zip(self.b_velocities, bias_grads)]
+
+            self.weights = [w - self.lr * v for w, v in zip(self.weights, self.w_velocities)]
+            if self.with_bias:
+                self.biases = [b - self.lr * v for b, v in zip(self.biases, self.b_velocities)]
+
+    def get_meta_grad(self, features, adj_norm, idx_train, idx_unlabeled, labels, labels_self_training):
+
+        hidden = features
+        for ix, w in enumerate(self.weights):
+            b = self.biases[ix] if self.with_bias else 0
+            if self.sparse_features:
+                hidden = adj_norm @ torch.spmm(hidden, w) + b
+            else:
+                hidden = adj_norm @ hidden @ w + b
+            if self.with_relu and ix != len(self.weights) - 1:
+                hidden = F.relu(hidden)
+
+        output = F.log_softmax(hidden, dim=1)
+
+        loss_labeled = F.nll_loss(output[idx_train], labels[idx_train])
+        loss_unlabeled = F.nll_loss(output[idx_unlabeled], labels_self_training[idx_unlabeled])
+        loss_test_val = F.nll_loss(output[idx_unlabeled], labels[idx_unlabeled])
+
+        if self.lambda_ == 1:
+            attack_loss = loss_labeled
+        elif self.lambda_ == 0:
+            attack_loss = loss_unlabeled
+        else:
+            attack_loss = self.lambda_ * loss_labeled + (1 - self.lambda_) * loss_unlabeled
+
+        print('GCN loss on unlabled data: {}'.format(loss_test_val.item()))
+        print('GCN acc on unlabled data: {}'.format(utils.accuracy(output[idx_unlabeled], labels[idx_unlabeled]).item()))
+        print('attack loss: {}'.format(attack_loss.item()))
+
+        adj_grad, feature_grad = None, None
+        if self.attack_structure:
+            adj_grad = torch.autograd.grad(attack_loss, self.adj_changes, retain_graph=True)[0]
+        if self.attack_features:
+            feature_grad = torch.autograd.grad(attack_loss, self.feature_changes, retain_graph=True)[0]
+        return adj_grad, feature_grad
+
+    def attack(self, ori_features, ori_adj, labels, idx_train, idx_unlabeled, n_perturbations, ll_constraint=True, ll_cutoff=0.004):
+        """Generate n_perturbations on the input graph.
+
+        Parameters
+        ----------
+        ori_features :
+            Original (unperturbed) node feature matrix
+        ori_adj :
+            Original (unperturbed) adjacency matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_unlabeled:
+            unlabeled nodes indices
+        n_perturbations : int
+            Number of perturbations on the input graph. Perturbations could
+            be edge removals/additions or feature removals/additions.
+        ll_constraint: bool
+            whether to exert the likelihood ratio test constraint
+        ll_cutoff : float
+            The critical value for the likelihood ratio test of the power law distributions.
+            See the Chi square distribution with one degree of freedom. Default value 0.004
+            corresponds to a p-value of roughly 0.95. It would be ignored if `ll_constraint`
+            is False.
+
+        """
+
+        self.sparse_features = sp.issparse(ori_features)
+        ori_adj, ori_features, labels = utils.to_tensor(ori_adj, ori_features, labels, device=self.device)
+        labels_self_training = self.self_training_label(labels, idx_train)
+        modified_adj = ori_adj
+        modified_features = ori_features
+
+        for i in tqdm(range(n_perturbations), desc="Perturbing graph"):
+            if self.attack_structure:
+                modified_adj = self.get_modified_adj(ori_adj)
+
+            if self.attack_features:
+                modified_features = ori_features + self.feature_changes
+
+            adj_norm = utils.normalize_adj_tensor(modified_adj)
+            self.inner_train(modified_features, adj_norm, idx_train, idx_unlabeled, labels)
+
+            adj_grad, feature_grad = self.get_meta_grad(modified_features, adj_norm, idx_train, idx_unlabeled, labels, labels_self_training)
+
+            adj_meta_score = torch.tensor(0.0).to(self.device)
+            feature_meta_score = torch.tensor(0.0).to(self.device)
+            if self.attack_structure:
+                adj_meta_score = self.get_adj_score(adj_grad, modified_adj, ori_adj, ll_constraint, ll_cutoff)
+            if self.attack_features:
+                feature_meta_score = self.get_feature_score(feature_grad, modified_features)
+
+            if adj_meta_score.max() >= feature_meta_score.max():
+                adj_meta_argmax = torch.argmax(adj_meta_score)
+                row_idx, col_idx = utils.unravel_index(adj_meta_argmax, ori_adj.shape)
+                self.adj_changes.data[row_idx][col_idx] += (-2 * modified_adj[row_idx][col_idx] + 1)
+                if self.undirected:
+                    self.adj_changes.data[col_idx][row_idx] += (-2 * modified_adj[row_idx][col_idx] + 1)
+            else:
+                feature_meta_argmax = torch.argmax(feature_meta_score)
+                row_idx, col_idx = utils.unravel_index(feature_meta_argmax, ori_features.shape)
+                self.feature_changes.data[row_idx][col_idx] += (-2 * modified_features[row_idx][col_idx] + 1)
+
+        if self.attack_structure:
+            self.modified_adj = self.get_modified_adj(ori_adj).detach()
+        if self.attack_features:
+            self.modified_features = self.get_modified_features(ori_features).detach()
+
+
+class MetaApprox(BaseMeta):
+    """Approximated version of Meta Attack. Adversarial Attacks on
+    Graph Neural Networks via Meta Learning, ICLR 2019.
+
+    Examples
+    --------
+
+    >>> import numpy as np
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import GCN
+    >>> from deeprobust.graph.global_attack import MetaApprox
+    >>> from deeprobust.graph.utils import preprocess
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False) # conver to tensor
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> idx_unlabeled = np.union1d(idx_val, idx_test)
+    >>> # Setup Surrogate model
+    >>> surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
+                    nhid=16, dropout=0, with_relu=False, with_bias=False, device='cpu').to('cpu')
+    >>> surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30)
+    >>> # Setup Attack Model
+    >>> model = MetaApprox(surrogate, nnodes=adj.shape[0], feature_shape=features.shape,
+            attack_structure=True, attack_features=False, device='cpu', lambda_=0).to('cpu')
+    >>> # Attack
+    >>> model.attack(features, adj, labels, idx_train, idx_unlabeled, n_perturbations=10, ll_constraint=True)
+    >>> modified_adj = model.modified_adj
+
+    """
+
+    def __init__(self, model, nnodes, feature_shape=None, attack_structure=True, attack_features=False, undirected=True, device='cpu', with_bias=False, lambda_=0.5, train_iters=100, lr=0.01):
+
+        super(MetaApprox, self).__init__(model, nnodes, feature_shape, lambda_, attack_structure, attack_features, undirected, device)
+
+        self.lr = lr
+        self.train_iters = train_iters
+        self.adj_meta_grad = None
+        self.features_meta_grad = None
+        if self.attack_structure:
+            self.adj_grad_sum = torch.zeros(nnodes, nnodes).to(device)
+        if self.attack_features:
+            self.feature_grad_sum = torch.zeros(feature_shape).to(device)
+
+        self.with_bias = with_bias
+
+        self.weights = []
+        self.biases = []
+
+        previous_size = self.nfeat
+        for ix, nhid in enumerate(self.hidden_sizes):
+            weight = Parameter(torch.FloatTensor(previous_size, nhid).to(device))
+            bias = Parameter(torch.FloatTensor(nhid).to(device))
+            previous_size = nhid
+
+            self.weights.append(weight)
+            self.biases.append(bias)
+
+        output_weight = Parameter(torch.FloatTensor(previous_size, self.nclass).to(device))
+        output_bias = Parameter(torch.FloatTensor(self.nclass).to(device))
+        self.weights.append(output_weight)
+        self.biases.append(output_bias)
+
+        self.optimizer = optim.Adam(self.weights + self.biases, lr=lr) # , weight_decay=5e-4)
+        self._initialize()
+
+    def _initialize(self):
+        for w, b in zip(self.weights, self.biases):
+            # w.data.fill_(1)
+            # b.data.fill_(1)
+            stdv = 1. / math.sqrt(w.size(1))
+            w.data.uniform_(-stdv, stdv)
+            b.data.uniform_(-stdv, stdv)
+
+        self.optimizer = optim.Adam(self.weights + self.biases, lr=self.lr)
+
+    def inner_train(self, features, modified_adj, idx_train, idx_unlabeled, labels, labels_self_training):
+        adj_norm = utils.normalize_adj_tensor(modified_adj)
+        for j in range(self.train_iters):
+            # hidden = features
+            # for w, b in zip(self.weights, self.biases):
+            #     if self.sparse_features:
+            #         hidden = adj_norm @ torch.spmm(hidden, w) + b
+            #     else:
+            #         hidden = adj_norm @ hidden @ w + b
+            #     if self.with_relu:
+            #         hidden = F.relu(hidden)
+
+            hidden = features
+            for ix, w in enumerate(self.weights):
+                b = self.biases[ix] if self.with_bias else 0
+                if self.sparse_features:
+                    hidden = adj_norm @ torch.spmm(hidden, w) + b
+                else:
+                    hidden = adj_norm @ hidden @ w + b
+                if self.with_relu:
+                    hidden = F.relu(hidden)
+
+            output = F.log_softmax(hidden, dim=1)
+            loss_labeled = F.nll_loss(output[idx_train], labels[idx_train])
+            loss_unlabeled = F.nll_loss(output[idx_unlabeled], labels_self_training[idx_unlabeled])
+
+            if self.lambda_ == 1:
+                attack_loss = loss_labeled
+            elif self.lambda_ == 0:
+                attack_loss = loss_unlabeled
+            else:
+                attack_loss = self.lambda_ * loss_labeled + (1 - self.lambda_) * loss_unlabeled
+
+            self.optimizer.zero_grad()
+            loss_labeled.backward(retain_graph=True)
+
+            if self.attack_structure:
+                self.adj_changes.grad.zero_()
+                self.adj_grad_sum += torch.autograd.grad(attack_loss, self.adj_changes, retain_graph=True)[0]
+            if self.attack_features:
+                self.feature_changes.grad.zero_()
+                self.feature_grad_sum += torch.autograd.grad(attack_loss, self.feature_changes, retain_graph=True)[0]
+
+            self.optimizer.step()
+
+
+        loss_test_val = F.nll_loss(output[idx_unlabeled], labels[idx_unlabeled])
+        print('GCN loss on unlabled data: {}'.format(loss_test_val.item()))
+        print('GCN acc on unlabled data: {}'.format(utils.accuracy(output[idx_unlabeled], labels[idx_unlabeled]).item()))
+
+
+    def attack(self, ori_features, ori_adj, labels, idx_train, idx_unlabeled, n_perturbations, ll_constraint=True, ll_cutoff=0.004):
+        """Generate n_perturbations on the input graph.
+
+        Parameters
+        ----------
+        ori_features :
+            Original (unperturbed) node feature matrix
+        ori_adj :
+            Original (unperturbed) adjacency matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        idx_unlabeled:
+            unlabeled nodes indices
+        n_perturbations : int
+            Number of perturbations on the input graph. Perturbations could
+            be edge removals/additions or feature removals/additions.
+        ll_constraint: bool
+            whether to exert the likelihood ratio test constraint
+        ll_cutoff : float
+            The critical value for the likelihood ratio test of the power law distributions.
+            See the Chi square distribution with one degree of freedom. Default value 0.004
+            corresponds to a p-value of roughly 0.95. It would be ignored if `ll_constraint`
+            is False.
+
+        """
+        ori_adj, ori_features, labels = utils.to_tensor(ori_adj, ori_features, labels, device=self.device)
+        labels_self_training = self.self_training_label(labels, idx_train)
+        self.sparse_features = sp.issparse(ori_features)
+        modified_adj = ori_adj
+        modified_features = ori_features
+
+        for i in tqdm(range(n_perturbations), desc="Perturbing graph"):
+            self._initialize()
+
+            if self.attack_structure:
+                modified_adj = self.get_modified_adj(ori_adj)
+                self.adj_grad_sum.data.fill_(0)
+            if self.attack_features:
+                modified_features = ori_features + self.feature_changes
+                self.feature_grad_sum.data.fill_(0)
+
+            self.inner_train(modified_features, modified_adj, idx_train, idx_unlabeled, labels, labels_self_training)
+
+            adj_meta_score = torch.tensor(0.0).to(self.device)
+            feature_meta_score = torch.tensor(0.0).to(self.device)
+
+            if self.attack_structure:
+                adj_meta_score = self.get_adj_score(self.adj_grad_sum, modified_adj, ori_adj, ll_constraint, ll_cutoff)
+            if self.attack_features:
+                feature_meta_score = self.get_feature_score(self.feature_grad_sum, modified_features)
+
+            if adj_meta_score.max() >= feature_meta_score.max():
+                adj_meta_argmax = torch.argmax(adj_meta_score)
+                row_idx, col_idx = utils.unravel_index(adj_meta_argmax, ori_adj.shape)
+                self.adj_changes.data[row_idx][col_idx] += (-2 * modified_adj[row_idx][col_idx] + 1)
+                if self.undirected:
+                    self.adj_changes.data[col_idx][row_idx] += (-2 * modified_adj[row_idx][col_idx] + 1)
+            else:
+                feature_meta_argmax = torch.argmax(feature_meta_score)
+                row_idx, col_idx = utils.unravel_index(feature_meta_argmax, ori_features.shape)
+                self.feature_changes.data[row_idx][col_idx] += (-2 * modified_features[row_idx][col_idx] + 1)
+
+        if self.attack_structure:
+            self.modified_adj = self.get_modified_adj(ori_adj).detach()
+        if self.attack_features:
+            self.modified_features = self.get_modified_features(ori_features).detach()

deeprobust/graph/global_attack/nipa.py

@@ -0,0 +1,285 @@
+"""
+Non-target-specific Node Injection Attacks on Graph Neural Networks: A Hierarchical Reinforcement Learning Approach. WWW 2020.
+https://faculty.ist.psu.edu/vhonavar/Papers/www20.pdf
+
+Still on testing stage. Haven't reproduced the performance yet.
+"""
+
+import os
+import os.path as osp
+import random
+from itertools import count
+
+import numpy as np
+import torch
+import torch.nn.functional as F
+import torch.optim as optim
+from tqdm import tqdm
+
+from deeprobust.graph.rl.nipa_q_net_node import (NStepQNetNode, QNetNode,
+                                                 node_greedy_actions)
+from deeprobust.graph.rl.nstep_replay_mem import NstepReplayMem
+from deeprobust.graph.utils import loss_acc
+
+
+class NIPA(object):
+    """ Reinforcement learning agent for NIPA attack.
+    https://faculty.ist.psu.edu/vhonavar/Papers/www20.pdf
+
+    Parameters
+    ----------
+    env :
+        Node attack environment
+    features :
+        node features matrix
+    labels :
+        labels
+    idx_meta :
+        node meta indices
+    idx_test :
+        node test indices
+    list_action_space : list
+        list of action space
+    num_mod :
+        number of modification (perturbation) on the graph
+    reward_type : str
+        type of reward (e.g., 'binary')
+    batch_size :
+        batch size for training DQN
+    save_dir :
+        saving directory for model checkpoints
+    device: str
+        'cpu' or 'cuda'
+
+    Examples
+    --------
+    See more details in https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_nipa.py
+    """
+
+    def __init__(self, env, features, labels, idx_train, idx_val, idx_test,
+            list_action_space, ratio, reward_type='binary', batch_size=30,
+            num_wrong=0, bilin_q=1, embed_dim=64, gm='mean_field',
+            mlp_hidden=64, max_lv=1, save_dir='checkpoint_dqn', device=None):
+
+        assert device is not None, "'device' cannot be None, please specify it"
+
+        self.features = features
+        self.labels = labels
+        self.possible_labels = torch.arange(labels.max() + 1).to(labels.device)
+        self.idx_train = idx_train
+        self.idx_val = idx_val
+        self.idx_test = idx_test
+        self.num_wrong = num_wrong
+        self.list_action_space = list_action_space
+
+        degrees = np.array([len(d) for n, d in list_action_space.items()])
+        N = len(degrees[degrees > 0])
+        self.n_injected = len(degrees) - N
+        assert self.n_injected == int(ratio * N)
+        self.injected_nodes = np.arange(N)[-self.n_injected: ]
+
+        self.reward_type = reward_type
+        self.batch_size = batch_size
+        self.save_dir = save_dir
+        if not osp.exists(save_dir):
+            os.system('mkdir -p %s' % save_dir)
+
+        self.gm = gm
+        self.device = device
+
+        self.mem_pool = NstepReplayMem(memory_size=500000, n_steps=3, balance_sample=reward_type == 'binary', model='nipa')
+        self.env = env
+
+        self.net = NStepQNetNode(3, features, labels, list_action_space, self.n_injected,
+                          bilin_q=bilin_q, embed_dim=embed_dim, mlp_hidden=mlp_hidden,
+                          max_lv=max_lv, gm=gm, device=device)
+
+        self.old_net = NStepQNetNode(3, features, labels, list_action_space, self.n_injected,
+                          bilin_q=bilin_q, embed_dim=embed_dim, mlp_hidden=mlp_hidden,
+                          max_lv=max_lv, gm=gm, device=device)
+
+        self.net = self.net.to(device)
+        self.old_net = self.old_net.to(device)
+
+        self.eps_start = 1.0
+        self.eps_end = 0.05
+        # self.eps_step = 100000
+        self.eps_step = 30000
+        self.GAMMA = 0.9
+        self.burn_in = 50
+        self.step = 0
+        self.pos = 0
+        self.best_eval = None
+        self.take_snapshot()
+
+    def take_snapshot(self):
+        self.old_net.load_state_dict(self.net.state_dict())
+
+    def make_actions(self, time_t, greedy=False):
+        # TODO
+        self.eps = self.eps_end + max(0., (self.eps_start - self.eps_end)
+                * (self.eps_step - max(0., self.step)) / self.eps_step)
+
+        self.step += 1
+        if random.random() < self.eps and not greedy:
+            actions = self.env.uniformRandActions()
+        else:
+
+            cur_state = self.env.getStateRef()
+            # list_at = self.env.uniformRandActions()
+            list_at = self.env.first_nodes if time_t == 1 else None
+
+            actions = self.possible_actions(cur_state, list_at, time_t)
+            actions, values = self.net(time_t, cur_state, actions, greedy_acts=True, is_inference=True)
+
+            assert len(actions) == len(cur_state)
+            # actions = list(actions.cpu().numpy())
+        return actions
+
+    def run_simulation(self):
+        self.env.setup()
+        t = 0
+        while not self.env.isActionFinished():
+            list_at = self.make_actions(t)
+            list_st = self.env.cloneState()
+
+            self.env.step(list_at)
+
+            assert (self.env.rewards is not None) == self.env.isActionFinished()
+            if self.env.isActionFinished():
+                rewards = self.env.rewards
+                s_prime = self.env.cloneState()
+            else:
+                rewards = np.zeros(len(list_at), dtype=np.float32)
+                s_prime = self.env.cloneState()
+
+            if self.env.isTerminal():
+                rewards = self.env.rewards
+                s_prime = None
+                # self.env.init_overall_steps()
+
+            self.mem_pool.add_list(list_st, list_at, rewards, s_prime,
+                                    [self.env.isTerminal()] * len(list_at), t)
+            t += 1
+
+    def eval(self, training=True):
+        """Evaluate RL agent.
+        """
+        self.env.init_overall_steps()
+        self.env.setup()
+
+        for _ in count():
+            self.env.setup()
+            t = 0
+            while not self.env.isActionFinished():
+                list_at = self.make_actions(t, greedy=True)
+                # print(list_at)
+                self.env.step(list_at, inference=True)
+                t += 1
+            if self.env.isTerminal():
+                break
+
+        device = self.labels.device
+        extra_adj = self.env.modified_list[0].get_extra_adj(device=device)
+        adj = self.env.classifier.norm_tool.norm_extra(extra_adj)
+        labels = torch.cat((self.labels, self.env.modified_label_list[0]))
+
+        self.env.classifier.fit(self.features, adj, labels, self.idx_train, self.idx_val, normalize=False, patience=50)
+        output = self.env.classifier(self.features, adj)
+        loss, acc = loss_acc(output, self.labels, self.idx_test)
+        print('\033[93m average test: acc %.5f\033[0m' % (acc))
+
+        if training == True and self.best_eval is None or acc < self.best_eval:
+            print('----saving to best attacker since this is the best attack rate so far.----')
+            torch.save(self.net.state_dict(), osp.join(self.save_dir, 'epoch-best.model'))
+            with open(osp.join(self.save_dir, 'epoch-best.txt'), 'w') as f:
+                f.write('%.4f\n' % acc)
+            # with open(osp.join(self.save_dir, 'attack_solution.txt'), 'w') as f:
+            #     for i in range(len(self.idx_meta)):
+            #         f.write('%d: [' % self.idx_meta[i])
+            #         for e in self.env.modified_list[i].directed_edges:
+            #             f.write('(%d %d)' % e)
+            #         f.write('] succ: %d\n' % (self.env.binary_rewards[i]))
+            self.best_eval = acc
+
+    def train(self, num_episodes=10, lr=0.01):
+        """Train RL agent.
+        """
+        optimizer = optim.Adam(self.net.parameters(), lr=lr)
+        self.env.init_overall_steps()
+        pbar = tqdm(range(self.burn_in), unit='batch')
+        for p in pbar:
+            self.run_simulation()
+        self.mem_pool.print_count()
+
+        for i_episode in tqdm(range(num_episodes)):
+            self.env.init_overall_steps()
+
+            for t in count():
+                self.run_simulation()
+
+                cur_time, list_st, list_at, list_rt, list_s_primes, list_term = self.mem_pool.sample(batch_size=self.batch_size)
+                list_target = torch.Tensor(list_rt).to(self.device)
+
+                if not list_term[0]:
+                    actions = self.possible_actions(list_st, list_at, cur_time+1)
+                    _, q_rhs = self.old_net(cur_time + 1, list_s_primes, actions, greedy_acts=True)
+                    list_target += self.GAMMA * q_rhs
+
+                # list_target = list_target.view(-1, 1)
+                _, q_sa = self.net(cur_time, list_st, list_at)
+                loss = F.mse_loss(q_sa, list_target)
+                loss = torch.clamp(loss, -1, 1)
+                optimizer.zero_grad()
+                loss.backward()
+                # print([x[0] for x in self.nnamed_parameters() if x[1].grad is None])
+                # for param in self.net.parameters():
+                #     if param.grad is None:
+                #         continue
+                #     param.grad.data.clamp_(-1, 1)
+                optimizer.step()
+
+                # pbar.set_description('eps: %.5f, loss: %0.5f, q_val: %.5f' % (self.eps, loss, torch.mean(q_sa)) )
+                if t % 20 == 0:
+                    print('eps: %.5f, loss: %0.5f, q_val: %.5f, list_target: %.5f' % (self.eps, loss, torch.mean(q_sa), torch.mean(list_target)) )
+
+                if self.env.isTerminal():
+                    break
+
+                # if (t+1) % 50 == 0:
+                #     self.take_snapshot()
+
+            if i_episode % 1 == 0:
+                self.take_snapshot()
+
+            if i_episode % 1 == 0:
+                self.eval()
+
+    def possible_actions(self, list_st, list_at, t):
+        """
+        Parameters
+        ----------
+        list_st:
+            current state
+        list_at:
+            current action
+
+        Returns
+        -------
+        list
+            actions for next state
+        """
+
+        t = t % 3
+        if t == 0:
+            return np.tile(self.injected_nodes, ((len(list_st), 1)))
+
+        if t == 1:
+            actions = []
+            for i in range(len(list_at)):
+                a_prime = list_st[i][0].get_possible_nodes(list_at[i])
+                actions.append(a_prime)
+            return actions
+
+        if t == 2:
+            return self.possible_labels.repeat((len(list_st), 1))

deeprobust/graph/global_attack/random_attack.py

@@ -0,0 +1,144 @@
+import numpy as np
+from deeprobust.graph.global_attack import BaseAttack
+import scipy.sparse as sp
+# import random
+
+
+class Random(BaseAttack):
+    """ Randomly adding edges to the input graph
+
+    Parameters
+    ----------
+    model :
+        model to attack. Default `None`.
+    nnodes : int
+        number of nodes in the input graph
+    attack_structure : bool
+        whether to attack graph structure
+    attack_features : bool
+        whether to attack node features
+    device: str
+        'cpu' or 'cuda'
+
+    Examples
+    --------
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.global_attack import Random
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> model = Random()
+    >>> model.attack(adj, n_perturbations=10)
+    >>> modified_adj = model.modified_adj
+
+    """
+
+    def __init__(self, model=None, nnodes=None, attack_structure=True, attack_features=False, device='cpu'):
+        super(Random, self).__init__(model, nnodes, attack_structure=attack_structure, attack_features=attack_features, device=device)
+
+        assert not self.attack_features, 'RND does NOT support attacking features'
+
+    def attack(self, ori_adj, n_perturbations, type='flip', **kwargs):
+        """Generate attacks on the input graph.
+
+        Parameters
+        ----------
+        ori_adj : scipy.sparse.csr_matrix
+            Original (unperturbed) adjacency matrix.
+        n_perturbations : int
+            Number of edge removals/additions.
+        type: str
+            perturbation type. Could be 'add', 'remove' or 'flip'.
+
+        Returns
+        -------
+        None.
+
+        """
+
+        if self.attack_structure:
+            modified_adj = self.perturb_adj(ori_adj, n_perturbations, type)
+            self.modified_adj = modified_adj
+
+    def perturb_adj(self, adj, n_perturbations, type='add'):
+        """Randomly add, remove or flip edges.
+
+        Parameters
+        ----------
+        adj : scipy.sparse.csr_matrix
+            Original (unperturbed) adjacency matrix.
+        n_perturbations : int
+            Number of edge removals/additions.
+        type: str
+            perturbation type. Could be 'add', 'remove' or 'flip'.
+
+        Returns
+        ------
+        scipy.sparse matrix
+            perturbed adjacency matrix
+        """
+        # adj: sp.csr_matrix
+        modified_adj = adj.tolil()
+
+        type = type.lower()
+        assert type in ['add', 'remove', 'flip']
+
+        if type == 'flip':
+            # sample edges to flip
+            edges = self.random_sample_edges(adj, n_perturbations, exclude=set())
+            for n1, n2 in edges:
+                modified_adj[n1, n2] = 1 - modified_adj[n1, n2]
+                modified_adj[n2, n1] = 1 - modified_adj[n2, n1]
+
+        if type == 'add':
+            # sample edges to add
+            nonzero = set(zip(*adj.nonzero()))
+            edges = self.random_sample_edges(adj, n_perturbations, exclude=nonzero)
+            for n1, n2 in edges:
+                modified_adj[n1, n2] = 1
+                modified_adj[n2, n1] = 1
+
+        if type == 'remove':
+            # sample edges to remove
+            nonzero = np.array(sp.triu(adj, k=1).nonzero()).T
+            indices = np.random.permutation(nonzero)[: n_perturbations].T
+            modified_adj[indices[0], indices[1]] = 0
+            modified_adj[indices[1], indices[0]] = 0
+
+        self.check_adj(modified_adj)
+        return modified_adj
+
+    def perturb_features(self, features, n_perturbations):
+        """Randomly perturb features.
+        """
+        raise NotImplementedError
+        print('number of pertubations: %s' % n_perturbations)
+        return modified_features
+
+    def inject_nodes(self, adj, n_add, n_perturbations):
+        """For each added node, randomly connect with other nodes.
+        """
+        # adj: sp.csr_matrix
+        # TODO
+        print('number of pertubations: %s' % n_perturbations)
+        raise NotImplementedError
+
+        modified_adj = adj.tolil()
+        return modified_adj
+
+    def random_sample_edges(self, adj, n, exclude):
+        itr = self.sample_forever(adj, exclude=exclude)
+        return [next(itr) for _ in range(n)]
+
+    def sample_forever(self, adj, exclude):
+        """Randomly random sample edges from adjacency matrix, `exclude` is a set
+        which contains the edges we do not want to sample and the ones already sampled
+        """
+        while True:
+            # t = tuple(np.random.randint(0, adj.shape[0], 2))
+            # t = tuple(random.sample(range(0, adj.shape[0]), 2))
+            t = tuple(np.random.choice(adj.shape[0], 2, replace=False))
+            if t not in exclude:
+                yield t
+                exclude.add(t)
+                exclude.add((t[1], t[0]))

deeprobust/graph/global_attack/topology_attack.py

@@ -0,0 +1,323 @@
+"""
+    Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective
+        https://arxiv.org/pdf/1906.04214.pdf
+    Tensorflow Implementation:
+        https://github.com/KaidiXu/GCN_ADV_Train
+"""
+
+import numpy as np
+import scipy.sparse as sp
+import torch
+from torch import optim
+from torch.nn import functional as F
+from torch.nn.parameter import Parameter
+from tqdm import tqdm
+
+from deeprobust.graph import utils
+from deeprobust.graph.global_attack import BaseAttack
+
+
+class PGDAttack(BaseAttack):
+    """PGD attack for graph data.
+
+    Parameters
+    ----------
+    model :
+        model to attack. Default `None`.
+    nnodes : int
+        number of nodes in the input graph
+    loss_type: str
+        attack loss type, chosen from ['CE', 'CW']
+    feature_shape : tuple
+        shape of the input node features
+    attack_structure : bool
+        whether to attack graph structure
+    attack_features : bool
+        whether to attack node features
+    device: str
+        'cpu' or 'cuda'
+
+    Examples
+    --------
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import GCN
+    >>> from deeprobust.graph.global_attack import PGDAttack
+    >>> from deeprobust.graph.utils import preprocess
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False) # conver to tensor
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> # Setup Victim Model
+    >>> victim_model = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
+                        nhid=16, dropout=0.5, weight_decay=5e-4, device='cpu').to('cpu')
+    >>> victim_model.fit(features, adj, labels, idx_train)
+    >>> # Setup Attack Model
+    >>> model = PGDAttack(model=victim_model, nnodes=adj.shape[0], loss_type='CE', device='cpu').to('cpu')
+    >>> model.attack(features, adj, labels, idx_train, n_perturbations=10)
+    >>> modified_adj = model.modified_adj
+
+    """
+
+    def __init__(self, model=None, nnodes=None, loss_type='CE', feature_shape=None, attack_structure=True, attack_features=False, device='cpu'):
+
+        super(PGDAttack, self).__init__(model, nnodes, attack_structure, attack_features, device)
+
+        assert attack_features or attack_structure, 'attack_features or attack_structure cannot be both False'
+
+        self.loss_type = loss_type
+        self.modified_adj = None
+        self.modified_features = None
+
+        if attack_structure:
+            assert nnodes is not None, 'Please give nnodes='
+            self.adj_changes = Parameter(torch.FloatTensor(int(nnodes*(nnodes-1)/2)))
+            self.adj_changes.data.fill_(0)
+
+        if attack_features:
+            assert True, 'Topology Attack does not support attack feature'
+
+        self.complementary = None
+
+    def attack(self, ori_features, ori_adj, labels, idx_train, n_perturbations, epochs=25, **kwargs):
+        """Generate perturbations on the input graph.
+
+        Parameters
+        ----------
+        ori_features :
+            Original (unperturbed) node feature matrix
+        ori_adj :
+            Original (unperturbed) adjacency matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        n_perturbations : int
+            Number of perturbations on the input graph. Perturbations could
+            be edge removals/additions or feature removals/additions.
+        epochs:
+            number of training epochs
+
+        """
+
+        victim_model = self.surrogate
+
+        self.sparse_features = sp.issparse(ori_features)
+        ori_adj, ori_features, labels = utils.to_tensor(ori_adj, ori_features, labels, device=self.device)
+
+        victim_model.eval()
+        for t in tqdm(range(epochs)):
+            modified_adj = self.get_modified_adj(ori_adj)
+            adj_norm = utils.normalize_adj_tensor(modified_adj)
+            output = victim_model(ori_features, adj_norm)
+            # loss = F.nll_loss(output[idx_train], labels[idx_train])
+            loss = self._loss(output[idx_train], labels[idx_train])
+            adj_grad = torch.autograd.grad(loss, self.adj_changes)[0]
+
+            if self.loss_type == 'CE':
+                lr = 200 / np.sqrt(t+1)
+                self.adj_changes.data.add_(lr * adj_grad)
+
+            if self.loss_type == 'CW':
+                lr = 0.1 / np.sqrt(t+1)
+                self.adj_changes.data.add_(lr * adj_grad)
+
+            self.projection(n_perturbations)
+
+        self.random_sample(ori_adj, ori_features, labels, idx_train, n_perturbations)
+        self.modified_adj = self.get_modified_adj(ori_adj).detach()
+        self.check_adj_tensor(self.modified_adj)
+
+
+    def random_sample(self, ori_adj, ori_features, labels, idx_train, n_perturbations):
+        K = 20
+        best_loss = -1000
+        victim_model = self.surrogate
+        victim_model.eval()
+        with torch.no_grad():
+            s = self.adj_changes.cpu().detach().numpy()
+            for i in range(K):
+                sampled = np.random.binomial(1, s)
+
+                # print(sampled.sum())
+                if sampled.sum() > n_perturbations:
+                    continue
+                self.adj_changes.data.copy_(torch.tensor(sampled))
+                modified_adj = self.get_modified_adj(ori_adj)
+                adj_norm = utils.normalize_adj_tensor(modified_adj)
+                output = victim_model(ori_features, adj_norm)
+                loss = self._loss(output[idx_train], labels[idx_train])
+                # loss = F.nll_loss(output[idx_train], labels[idx_train])
+                # print(loss)
+                if best_loss < loss:
+                    best_loss = loss
+                    best_s = sampled
+            self.adj_changes.data.copy_(torch.tensor(best_s))
+
+    def _loss(self, output, labels):
+        if self.loss_type == "CE":
+            loss = F.nll_loss(output, labels)
+        if self.loss_type == "CW":
+            onehot = utils.tensor2onehot(labels)
+            best_second_class = (output - 1000*onehot).argmax(1)
+            margin = output[np.arange(len(output)), labels] - \
+                   output[np.arange(len(output)), best_second_class]
+            k = 0
+            loss = -torch.clamp(margin, min=k).mean()
+            # loss = torch.clamp(margin.sum()+50, min=k)
+        return loss
+
+    def projection(self, n_perturbations):
+        # projected = torch.clamp(self.adj_changes, 0, 1)
+        if torch.clamp(self.adj_changes, 0, 1).sum() > n_perturbations:
+            left = (self.adj_changes - 1).min()
+            right = self.adj_changes.max()
+            miu = self.bisection(left, right, n_perturbations, epsilon=1e-5)
+            self.adj_changes.data.copy_(torch.clamp(self.adj_changes.data - miu, min=0, max=1))
+        else:
+            self.adj_changes.data.copy_(torch.clamp(self.adj_changes.data, min=0, max=1))
+
+    def get_modified_adj(self, ori_adj):
+
+        if self.complementary is None:
+            self.complementary = (torch.ones_like(ori_adj) - torch.eye(self.nnodes).to(self.device) - ori_adj) - ori_adj
+
+        m = torch.zeros((self.nnodes, self.nnodes)).to(self.device)
+        tril_indices = torch.tril_indices(row=self.nnodes, col=self.nnodes, offset=-1)
+        m[tril_indices[0], tril_indices[1]] = self.adj_changes
+        m = m + m.t()
+        modified_adj = self.complementary * m + ori_adj
+
+        return modified_adj
+
+    def bisection(self, a, b, n_perturbations, epsilon):
+        def func(x):
+            return torch.clamp(self.adj_changes-x, 0, 1).sum() - n_perturbations
+
+        miu = a
+        while ((b-a) >= epsilon):
+            miu = (a+b)/2
+            # Check if middle point is root
+            if (func(miu) == 0.0):
+                break
+            # Decide the side to repeat the steps
+            if (func(miu)*func(a) < 0):
+                b = miu
+            else:
+                a = miu
+        # print("The value of root is : ","%.4f" % miu)
+        return miu
+
+
+class MinMax(PGDAttack):
+    """MinMax attack for graph data.
+
+    Parameters
+    ----------
+    model :
+        model to attack. Default `None`.
+    nnodes : int
+        number of nodes in the input graph
+    loss_type: str
+        attack loss type, chosen from ['CE', 'CW']
+    feature_shape : tuple
+        shape of the input node features
+    attack_structure : bool
+        whether to attack graph structure
+    attack_features : bool
+        whether to attack node features
+    device: str
+        'cpu' or 'cuda'
+
+    Examples
+    --------
+
+    >>> from deeprobust.graph.data import Dataset
+    >>> from deeprobust.graph.defense import GCN
+    >>> from deeprobust.graph.global_attack import MinMax
+    >>> from deeprobust.graph.utils import preprocess
+    >>> data = Dataset(root='/tmp/', name='cora')
+    >>> adj, features, labels = data.adj, data.features, data.labels
+    >>> adj, features, labels = preprocess(adj, features, labels, preprocess_adj=False) # conver to tensor
+    >>> idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    >>> # Setup Victim Model
+    >>> victim_model = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
+                        nhid=16, dropout=0.5, weight_decay=5e-4, device='cpu').to('cpu')
+    >>> victim_model.fit(features, adj, labels, idx_train)
+    >>> # Setup Attack Model
+    >>> model = MinMax(model=victim_model, nnodes=adj.shape[0], loss_type='CE', device='cpu').to('cpu')
+    >>> model.attack(features, adj, labels, idx_train, n_perturbations=10)
+    >>> modified_adj = model.modified_adj
+
+    """
+
+    def __init__(self, model=None, nnodes=None, loss_type='CE', feature_shape=None, attack_structure=True, attack_features=False, device='cpu'):
+
+        super(MinMax, self).__init__(model, nnodes, loss_type, feature_shape, attack_structure, attack_features, device=device)
+
+
+    def attack(self, ori_features, ori_adj, labels, idx_train, n_perturbations, **kwargs):
+        """Generate perturbations on the input graph.
+
+        Parameters
+        ----------
+        ori_features :
+            Original (unperturbed) node feature matrix
+        ori_adj :
+            Original (unperturbed) adjacency matrix
+        labels :
+            node labels
+        idx_train :
+            node training indices
+        n_perturbations : int
+            Number of perturbations on the input graph. Perturbations could
+            be edge removals/additions or feature removals/additions.
+        epochs:
+            number of training epochs
+
+        """
+
+        victim_model = self.surrogate
+
+        self.sparse_features = sp.issparse(ori_features)
+        ori_adj, ori_features, labels = utils.to_tensor(ori_adj, ori_features, labels, device=self.device)
+
+        # optimizer
+        optimizer = optim.Adam(victim_model.parameters(), lr=0.01)
+
+        epochs = 200
+        victim_model.eval()
+        for t in tqdm(range(epochs)):
+            # update victim model
+            victim_model.train()
+            modified_adj = self.get_modified_adj(ori_adj)
+            adj_norm = utils.normalize_adj_tensor(modified_adj)
+            output = victim_model(ori_features, adj_norm)
+            loss = self._loss(output[idx_train], labels[idx_train])
+
+            optimizer.zero_grad()
+            loss.backward()
+            optimizer.step()
+
+            # generate pgd attack
+            victim_model.eval()
+            modified_adj = self.get_modified_adj(ori_adj)
+            adj_norm = utils.normalize_adj_tensor(modified_adj)
+            output = victim_model(ori_features, adj_norm)
+            loss = self._loss(output[idx_train], labels[idx_train])
+            adj_grad = torch.autograd.grad(loss, self.adj_changes)[0]
+            # adj_grad = self.adj_changes.grad
+
+            if self.loss_type == 'CE':
+                lr = 200 / np.sqrt(t+1)
+                self.adj_changes.data.add_(lr * adj_grad)
+
+            if self.loss_type == 'CW':
+                lr = 0.1 / np.sqrt(t+1)
+                self.adj_changes.data.add_(lr * adj_grad)
+
+            # self.adj_changes.grad.zero_()
+            self.projection(n_perturbations)
+
+        self.random_sample(ori_adj, ori_features, labels, idx_train, n_perturbations)
+        self.modified_adj = self.get_modified_adj(ori_adj).detach()

deeprobust/graph/rl/nipa_config.py

@@ -0,0 +1,59 @@
+"""Copyright (c) 2018 Dai, Hanjun and Li, Hui and Tian, Tian and Huang, Xin and Wang, Lin and Zhu, Jun and Song, Le
+"""
+import argparse
+import pickle as cp
+
+cmd_opt = argparse.ArgumentParser(description='Argparser for molecule vae')
+
+cmd_opt.add_argument('-ratio', type=float, default=0.01, help='ratio of injected nodes')
+
+cmd_opt.add_argument('-saved_model', type=str, default=None, help='saved model')
+cmd_opt.add_argument('-save_dir', type=str, default=None, help='save folder')
+cmd_opt.add_argument('-ctx', type=str, default='gpu', help='cpu/gpu')
+
+cmd_opt.add_argument('-phase', type=str, default='train', help='train/test')
+cmd_opt.add_argument('-batch_size', type=int, default=10, help='minibatch size')
+cmd_opt.add_argument('-seed', type=int, default=1, help='seed')
+
+cmd_opt.add_argument('-gm', default='mean_field', help='mean_field/loopy_bp/gcn')
+cmd_opt.add_argument('-latent_dim', type=int, default=64, help='dimension of latent layers')
+cmd_opt.add_argument('-hidden', type=int, default=0, help='dimension of classification')
+cmd_opt.add_argument('-max_lv', type=int, default=1, help='max rounds of message passing')
+
+# target model
+cmd_opt.add_argument('-num_epochs', type=int, default=200, help='number of epochs')
+cmd_opt.add_argument('-learning_rate', type=float, default=0.01, help='init learning_rate')
+cmd_opt.add_argument('-weight_decay', type=float, default=5e-4, help='weight_decay')
+cmd_opt.add_argument('-dropout', type=float, default=0.5, help='dropout rate')
+
+# for node classification
+cmd_opt.add_argument('-dataset', type=str, default='cora', help='citeseer/cora/pubmed')
+
+# for attack
+cmd_opt.add_argument('-num_steps', type=int, default=500000, help='rl training steps')
+# cmd_opt.add_argument('-frac_meta', type=float, default=0, help='fraction for meta rl learning')
+
+cmd_opt.add_argument('-meta_test', type=int, default=0, help='for meta rl learning')
+cmd_opt.add_argument('-reward_type', type=str, default='binary', help='binary/nll')
+cmd_opt.add_argument('-num_mod', type=int, default=1, help='number of modifications allowed')
+
+# for node attack
+cmd_opt.add_argument('-bilin_q', type=int, default=1, help='bilinear q or not')
+cmd_opt.add_argument('-mlp_hidden', type=int, default=64, help='mlp hidden layer size')
+# cmd_opt.add_argument('-n_hops', type=int, default=2, help='attack range')
+
+
+args, _ = cmd_opt.parse_known_args()
+args.save_dir = './results/rl_s2v/{}-gcn'.format(args.dataset)
+args.saved_model = 'results/node_classification/{}'.format(args.dataset)
+print(args)
+
+def build_kwargs(keys, arg_dict):
+    st = ''
+    for key in keys:
+        st += '%s-%s' % (key, str(arg_dict[key]))
+    return st
+
+def save_args(fout, args):
+    with open(fout, 'wb') as f:
+        cp.dump(args, f, cp.HIGHEST_PROTOCOL)

deeprobust/graph/rl/nipa_nstep_replay_mem.py

@@ -0,0 +1,56 @@
+'''
+    This part of code is adopted from https://github.com/Hanjun-Dai/graph_adversarial_attack (Copyright (c) 2018 Dai, Hanjun and Li, Hui and Tian, Tian and Huang, Xin and Wang, Lin and Zhu, Jun and Song, Le)
+    but modified to be integrated into the repository.
+'''
+
+import random
+import numpy as np
+from deeprobust.graph.rl.nstep_replay_mem import *
+
+
+def nipa_hash_state_action(s_t, a_t):
+    key = s_t[0]
+    base = 179424673
+    for e in s_t[1].directed_edges:
+        key = (key * base + e[0]) % base
+        key = (key * base + e[1]) % base
+    if s_t[2] is not None:
+        key = (key * base + s_t[2]) % base
+    else:
+        key = (key * base) % base
+
+    key = (key * base + a_t) % base
+    return key
+
+
+class NstepReplayMem(object):
+    def __init__(self, memory_size, n_steps, balance_sample = False):
+        self.mem_cells = []
+        for i in range(n_steps - 1):
+            self.mem_cells.append(NstepReplayMemCell(memory_size, False))
+        self.mem_cells.append(NstepReplayMemCell(memory_size, balance_sample))
+
+        self.n_steps = n_steps
+        self.memory_size = memory_size
+
+    def add(self, s_t, a_t, r_t, s_prime, terminal, t):
+        assert t >= 0 and t < self.n_steps
+        if t == self.n_steps - 1:
+            assert terminal
+        else:
+            assert not terminal
+        self.mem_cells[t].add(s_t, a_t, r_t, s_prime, terminal)
+
+    def add_list(self, list_st, list_at, list_rt, list_sp, list_term, t):
+        for i in range(len(list_st)):
+            if list_sp is None:
+                sp = (None, None, None)
+            else:
+                sp = list_sp[i]
+            self.add(list_st[i], list_at[i], list_rt[i], sp, list_term[i], t)
+
+    def sample(self, batch_size, t = None):
+        if t is None:
+            t = np.random.randint(self.n_steps)
+        list_st, list_at, list_rt, list_s_primes, list_term = self.mem_cells[t].sample(batch_size)
+        return t, list_st, list_at, list_rt, list_s_primes, list_term

deeprobust/graph/rl/nipa_q_net_node.py

@@ -0,0 +1,242 @@
+'''
+    Adversarial Attacks on Neural Networks for Graph Data. ICML 2018.
+        https://arxiv.org/abs/1806.02371
+    Author's Implementation
+       https://github.com/Hanjun-Dai/graph_adversarial_attack
+    This part of code is adopted from the author's implementation (Copyright (c) 2018 Dai, Hanjun and Li, Hui and Tian, Tian and Huang, Xin and Wang, Lin and Zhu, Jun and Song, Le) but modified
+    to be integrated into the repository.
+'''
+
+import os
+import sys
+import numpy as np
+import torch
+import networkx as nx
+import random
+from torch.nn.parameter import Parameter
+import torch.nn as nn
+import torch.nn.functional as F
+import torch.optim as optim
+from tqdm import tqdm
+from deeprobust.graph.rl.env import GraphNormTool
+
+class QNetNode(nn.Module):
+
+    def __init__(self, node_features, node_labels, list_action_space, n_injected, bilin_q=1, embed_dim=64, mlp_hidden=64, max_lv=1, gm='mean_field', device='cpu'):
+        '''
+        bilin_q: bilinear q or not
+        mlp_hidden: mlp hidden layer size
+        mav_lv: max rounds of message passing
+        '''
+        super(QNetNode, self).__init__()
+        self.node_features = node_features
+        self.identity = torch.eye(node_labels.max() + 1).to(node_labels.device)
+        # self.node_labels = self.to_onehot(node_labels)
+        self.n_injected = n_injected
+
+        self.list_action_space = list_action_space
+        self.total_nodes = len(list_action_space)
+
+        self.bilin_q = bilin_q
+        self.embed_dim = embed_dim
+        self.mlp_hidden = mlp_hidden
+        self.max_lv = max_lv
+        self.gm = gm
+
+        if mlp_hidden:
+            self.linear_1 = nn.Linear(embed_dim * 3, mlp_hidden)
+            self.linear_out = nn.Linear(mlp_hidden, 1)
+        else:
+            self.linear_out = nn.Linear(embed_dim * 3, 1)
+
+        self.w_n2l = Parameter(torch.Tensor(node_features.size()[1], embed_dim))
+        self.bias_n2l = Parameter(torch.Tensor(embed_dim))
+
+        # self.bias_picked = Parameter(torch.Tensor(1, embed_dim))
+        self.conv_params = nn.Linear(embed_dim, embed_dim)
+        self.norm_tool = GraphNormTool(normalize=True, gm=self.gm, device=device)
+        weights_init(self)
+
+        input_dim = (node_labels.max() + 1) * self.n_injected
+        self.label_encoder_1 = nn.Linear(input_dim, mlp_hidden)
+        self.label_encoder_2 = nn.Linear(mlp_hidden, embed_dim)
+        self.device = self.node_features.device
+
+    def to_onehot(self, labels):
+        return self.identity[labels].view(-1, self.identity.shape[1])
+
+    def get_label_embedding(self, labels):
+        # int to one hot
+        onehot = self.to_onehot(labels).view(1, -1)
+
+        x = F.relu(self.label_encoder_1(onehot))
+        x = F.relu(self.label_encoder_2(x))
+        return x
+
+    def get_action_label_encoding(self, label):
+        onehot = self.to_onehot(label)
+        zeros = torch.zeros((onehot.shape[0], self.embed_dim - onehot.shape[1])).to(onehot.device)
+        return torch.cat((onehot, zeros), dim=1)
+
+    def get_graph_embedding(self, adj):
+        if self.node_features.data.is_sparse:
+            node_embed = torch.spmm(self.node_features, self.w_n2l)
+        else:
+            node_embed = torch.mm(self.node_features, self.w_n2l)
+
+        node_embed += self.bias_n2l
+
+        input_message = node_embed
+        node_embed = F.relu(input_message)
+
+        for i in range(self.max_lv):
+            n2npool = torch.spmm(adj, node_embed)
+            node_linear = self.conv_params(n2npool)
+            merged_linear = node_linear + input_message
+            node_embed = F.relu(merged_linear)
+
+        graph_embed = torch.mean(node_embed, dim=0, keepdim=True)
+        return graph_embed, node_embed
+
+    def make_spmat(self, n_rows, n_cols, row_idx, col_idx):
+        idxes = torch.LongTensor([[row_idx], [col_idx]])
+        values = torch.ones(1)
+
+        sp = torch.sparse.FloatTensor(idxes, values, torch.Size([n_rows, n_cols]))
+        if next(self.parameters()).is_cuda:
+            sp = sp.cuda()
+        return sp
+
+    def forward(self, time_t, states, actions, greedy_acts=False, is_inference=False):
+
+        preds = torch.zeros(len(states)).to(self.device)
+
+        batch_graph, modified_labels = zip(*states)
+        greedy_actions = []
+        with torch.set_grad_enabled(mode=not is_inference):
+
+            for i in range(len(batch_graph)):
+                if batch_graph[i] is None:
+                    continue
+                adj = self.norm_tool.norm_extra(batch_graph[i].get_extra_adj(self.device))
+                # get graph representation
+                graph_embed, node_embed = self.get_graph_embedding(adj)
+
+                # get label reprensentation
+                label_embed = self.get_label_embedding(modified_labels[i])
+
+                # get action reprensentation
+                if time_t != 2:
+                    action_embed = node_embed[actions[i]].view(-1, self.embed_dim)
+                else:
+                    action_embed = self.get_action_label_encoding(actions[i])
+
+                # concat them and send it to neural network
+                embed_s = torch.cat((graph_embed, label_embed), dim=1)
+                embed_s = embed_s.repeat(len(action_embed), 1)
+                embed_s_a = torch.cat((embed_s, action_embed), dim=1)
+
+                if self.mlp_hidden:
+                    embed_s_a = F.relu( self.linear_1(embed_s_a) )
+
+                raw_pred = self.linear_out(embed_s_a)
+
+                if greedy_acts:
+                    action_id = raw_pred.argmax(0)
+                    raw_pred = raw_pred.max()
+                    greedy_actions.append(actions[i][action_id])
+                else:
+                    raw_pred = raw_pred.max()
+                # list_pred.append(raw_pred)
+                preds[i] += raw_pred
+
+
+        return greedy_actions, preds
+
+class NStepQNetNode(nn.Module):
+
+    def __init__(self, num_steps, node_features, node_labels, list_action_space, n_injected, bilin_q=1, embed_dim=64, mlp_hidden=64, max_lv=1, gm='mean_field', device='cpu'):
+
+        super(NStepQNetNode, self).__init__()
+        self.node_features = node_features
+        self.node_labels = node_labels
+        self.list_action_space = list_action_space
+        self.total_nodes = len(list_action_space)
+
+        list_mod = []
+        for i in range(0, num_steps):
+            # list_mod.append(QNetNode(node_features, node_labels, list_action_space))
+            list_mod.append(QNetNode(node_features, node_labels, list_action_space, n_injected, bilin_q, embed_dim, mlp_hidden, max_lv, gm=gm, device=device))
+
+        self.list_mod = nn.ModuleList(list_mod)
+        self.num_steps = num_steps
+
+    def forward(self, time_t, states, actions, greedy_acts = False, is_inference=False):
+        # print('time_t:', time_t)
+        # print('self.num_step:', self.num_steps)
+        # assert time_t >= 0 and time_t < self.num_steps
+        time_t = time_t % 3
+        return self.list_mod[time_t](time_t, states, actions, greedy_acts, is_inference)
+
+
+def glorot_uniform(t):
+    if len(t.size()) == 2:
+        fan_in, fan_out = t.size()
+    elif len(t.size()) == 3:
+        # out_ch, in_ch, kernel for Conv 1
+        fan_in = t.size()[1] * t.size()[2]
+        fan_out = t.size()[0] * t.size()[2]
+    else:
+        fan_in = np.prod(t.size())
+        fan_out = np.prod(t.size())
+
+    limit = np.sqrt(6.0 / (fan_in + fan_out))
+    t.uniform_(-limit, limit)
+
+
+def _param_init(m):
+    if isinstance(m, Parameter):
+        glorot_uniform(m.data)
+    elif isinstance(m, nn.Linear):
+        m.bias.data.zero_()
+        glorot_uniform(m.weight.data)
+
+def weights_init(m):
+    for p in m.modules():
+        if isinstance(p, nn.ParameterList):
+            for pp in p:
+                _param_init(pp)
+        else:
+            _param_init(p)
+
+    for name, p in m.named_parameters():
+        if not '.' in name: # top-level parameters
+            _param_init(p)
+
+def node_greedy_actions(target_nodes, picked_nodes, list_q, net):
+    assert len(target_nodes) == len(list_q)
+
+    actions = []
+    values = []
+    for i in range(len(target_nodes)):
+        region = net.list_action_space[target_nodes[i]]
+        if picked_nodes is not None and picked_nodes[i] is not None:
+            region = net.list_action_space[picked_nodes[i]]
+        if region is None:
+            assert list_q[i].size()[0] == net.total_nodes
+        else:
+            assert len(region) == list_q[i].size()[0]
+
+        val, act = torch.max(list_q[i], dim=0)
+        values.append(val)
+        if region is not None:
+            act = region[act.data.cpu().numpy()[0]]
+            # act = Variable(torch.LongTensor([act]))
+            act = torch.LongTensor([act])
+            actions.append(act)
+        else:
+            actions.append(act)
+
+    return torch.cat(actions, dim=0).data, torch.cat(values, dim=0).data
+
+

deeprobust/graph/rl/nstep_replay_mem.py

@@ -0,0 +1,157 @@
+'''
+    This part of code is adopted from https://github.com/Hanjun-Dai/graph_adversarial_attack (Copyright (c) 2018 Dai, Hanjun and Li, Hui and Tian, Tian and Huang, Xin and Wang, Lin and Zhu, Jun and Song, Le)
+    but modified to be integrated into the repository.
+'''
+
+import random
+import numpy as np
+
+class NstepReplaySubMemCell(object):
+    def __init__(self, memory_size):
+        self.memory_size = memory_size
+
+        self.actions = [None] * self.memory_size
+        self.rewards = [None] * self.memory_size
+        self.states = [None] * self.memory_size
+        self.s_primes = [None] * self.memory_size
+        self.terminals = [None] * self.memory_size
+
+        self.count = 0
+        self.current = 0
+
+    def add(self, s_t, a_t, r_t, s_prime, terminal):
+        self.actions[self.current] = a_t
+        self.rewards[self.current] = r_t
+        self.states[self.current] = s_t
+        self.s_primes[self.current] = s_prime
+        self.terminals[self.current] = terminal
+
+        self.count = max(self.count, self.current + 1)
+        self.current = (self.current + 1) % self.memory_size
+
+    def add_list(self, list_st, list_at, list_rt, list_sp, list_term):
+        for i in range(len(list_st)):
+            if list_sp is None:
+                sp = (None, None, None)
+            else:
+                sp = list_sp[i]
+            self.add(list_st[i], list_at[i], list_rt[i], sp, list_term[i])
+
+    def sample(self, batch_size):
+
+        assert self.count >= batch_size
+        list_st = []
+        list_at = []
+        list_rt = []
+        list_s_primes = []
+        list_term = []
+
+        for i in range(batch_size):
+            idx = random.randint(0, self.count - 1)
+            list_st.append(self.states[idx])
+            list_at.append(self.actions[idx])
+            list_rt.append(float(self.rewards[idx]))
+            list_s_primes.append(self.s_primes[idx])
+            list_term.append(self.terminals[idx])
+
+        return list_st, list_at, list_rt, list_s_primes, list_term
+
+def hash_state_action(s_t, a_t):
+    key = s_t[0]
+    base = 179424673
+    for e in s_t[1].directed_edges:
+        key = (key * base + e[0]) % base
+        key = (key * base + e[1]) % base
+    if s_t[2] is not None:
+        key = (key * base + s_t[2]) % base
+    else:
+        key = (key * base) % base
+
+    key = (key * base + a_t) % base
+    return key
+
+def nipa_hash_state_action(s_t, a_t):
+    key = s_t[0]
+    base = 179424673
+    for e in s_t[1].directed_edges:
+        key = (key * base + e[0]) % base
+        key = (key * base + e[1]) % base
+    if s_t[2] is not None:
+        key = (key * base + s_t[2]) % base
+    else:
+        key = (key * base) % base
+
+    key = (key * base + a_t) % base
+    return key
+
+class NstepReplayMemCell(object):
+    def __init__(self, memory_size, balance_sample = False):
+        self.sub_list = []
+        self.balance_sample = balance_sample
+        self.sub_list.append(NstepReplaySubMemCell(memory_size))
+        if balance_sample:
+            self.sub_list.append(NstepReplaySubMemCell(memory_size))
+            self.state_set = set()
+
+    def add(self, s_t, a_t, r_t, s_prime, terminal, use_hash=True):
+        if not self.balance_sample or r_t < 0:
+            self.sub_list[0].add(s_t, a_t, r_t, s_prime, terminal)
+        else:
+            assert r_t > 0
+            if use_hash:
+                # TODO add hash?
+                key = hash_state_action(s_t, a_t)
+                if key in self.state_set:
+                    return
+                self.state_set.add(key)
+            self.sub_list[1].add(s_t, a_t, r_t, s_prime, terminal)
+
+    def sample(self, batch_size):
+        if not self.balance_sample or self.sub_list[1].count < batch_size:
+            return self.sub_list[0].sample(batch_size)
+
+        list_st, list_at, list_rt, list_s_primes, list_term = self.sub_list[0].sample(batch_size // 2)
+        list_st2, list_at2, list_rt2, list_s_primes2, list_term2 = self.sub_list[1].sample(batch_size - batch_size // 2)
+
+        return list_st + list_st2, list_at + list_at2, list_rt + list_rt2, list_s_primes + list_s_primes2, list_term + list_term2
+
+class NstepReplayMem(object):
+    def __init__(self, memory_size, n_steps, balance_sample=False, model='rl_s2v'):
+        self.mem_cells = []
+        for i in range(n_steps - 1):
+            self.mem_cells.append(NstepReplayMemCell(memory_size, False))
+        self.mem_cells.append(NstepReplayMemCell(memory_size, balance_sample))
+
+        self.n_steps = n_steps
+        self.memory_size = memory_size
+        self.model = model
+
+    def add(self, s_t, a_t, r_t, s_prime, terminal, t):
+        assert t >= 0 and t < self.n_steps
+        if self.model == 'nipa':
+            self.mem_cells[t].add(s_t, a_t, r_t, s_prime, terminal, use_hash=False)
+        else:
+            if t == self.n_steps - 1:
+                assert terminal
+            else:
+                assert not terminal
+            self.mem_cells[t].add(s_t, a_t, r_t, s_prime, terminal, use_hash=True)
+
+    def add_list(self, list_st, list_at, list_rt, list_sp, list_term, t):
+        for i in range(len(list_st)):
+            if list_sp is None:
+                sp = (None, None, None)
+            else:
+                sp = list_sp[i]
+            self.add(list_st[i], list_at[i], list_rt[i], sp, list_term[i], t)
+
+    def sample(self, batch_size, t = None):
+        if t is None:
+            t = np.random.randint(self.n_steps)
+            list_st, list_at, list_rt, list_s_primes, list_term = self.mem_cells[t].sample(batch_size)
+        return t, list_st, list_at, list_rt, list_s_primes, list_term
+
+    def print_count(self):
+        for i in range(self.n_steps):
+            for j, cell in enumerate(self.mem_cells[i].sub_list):
+                print('Cell {} sub_list {}: {}'.format(i, j, cell.count))

deeprobust/graph/rl/rl_s2v_env.py

@@ -0,0 +1,256 @@
+"""
+    Adversarial Attacks on Neural Networks for Graph Data. ICML 2018.
+        https://arxiv.org/abs/1806.02371
+    Author's Implementation
+       https://github.com/Hanjun-Dai/graph_adversarial_attack
+    This part of code is adopted from the author's implementation (Copyright (c) 2018 Dai, Hanjun and Li, Hui and Tian, Tian and Huang, Xin and Wang, Lin and Zhu, Jun and Song, Le) but modified
+    to be integrated into the repository.
+"""
+
+import os
+import sys
+import numpy as np
+import torch
+import networkx as nx
+import random
+from torch.nn.parameter import Parameter
+import torch.nn as nn
+import torch.nn.functional as F
+import torch.optim as optim
+from tqdm import tqdm
+from copy import deepcopy
+import pickle as cp
+from deeprobust.graph.utils import *
+import scipy.sparse as sp
+from scipy.sparse.linalg.eigen.arpack import eigsh
+from deeprobust.graph import utils
+
+class StaticGraph(object):
+    graph = None
+
+    @staticmethod
+    def get_gsize():
+        return torch.Size( (len(StaticGraph.graph), len(StaticGraph.graph)) )
+
+class GraphNormTool(object):
+
+    def __init__(self, normalize, gm, device):
+        self.adj_norm = normalize
+        self.gm = gm
+        g = StaticGraph.graph
+        edges = np.array(g.edges(), dtype=np.int64)
+        rev_edges = np.array([edges[:, 1], edges[:, 0]], dtype=np.int64)
+
+        # self_edges = np.array([range(len(g)), range(len(g))], dtype=np.int64)
+        # edges = np.hstack((edges.T, rev_edges, self_edges))
+        edges = np.hstack((edges.T, rev_edges))
+        idxes = torch.LongTensor(edges)
+        values = torch.ones(idxes.size()[1])
+
+        self.raw_adj = torch.sparse.FloatTensor(idxes, values, StaticGraph.get_gsize())
+        self.raw_adj = self.raw_adj.to(device)
+
+        self.normed_adj = self.raw_adj.clone()
+        if self.adj_norm:
+            if self.gm == 'gcn':
+                self.normed_adj = utils.normalize_adj_tensor(self.normed_adj, sparse=True)
+                # GraphLaplacianNorm(self.normed_adj)
+            else:
+
+                self.normed_adj = utils.degree_normalize_adj_tensor(self.normed_adj, sparse=True)
+                # GraphDegreeNorm(self.normed_adj)
+
+    def norm_extra(self, added_adj = None):
+        if added_adj is None:
+            return self.normed_adj
+
+        new_adj = self.raw_adj + added_adj
+        if self.adj_norm:
+            if self.gm == 'gcn':
+                new_adj = utils.normalize_adj_tensor(new_adj, sparse=True)
+            else:
+                new_adj = utils.degree_normalize_adj_tensor(new_adj, sparse=True)
+
+        return new_adj
+
+
+class ModifiedGraph(object):
+    def __init__(self, directed_edges = None, weights = None):
+        self.edge_set = set()  #(first, second)
+        self.node_set = set(range(StaticGraph.get_gsize()[0]))
+        self.node_set = np.arange(StaticGraph.get_gsize()[0])
+        if directed_edges is not None:
+            self.directed_edges = deepcopy(directed_edges)
+            self.weights = deepcopy(weights)
+        else:
+            self.directed_edges = []
+            self.weights = []
+
+    def add_edge(self, x, y, z):
+        assert x is not None and y is not None
+        if x == y:
+            return
+        for e in self.directed_edges:
+            if e[0] == x and e[1] == y:
+                return
+            if e[1] == x and e[0] == y:
+                return
+        self.edge_set.add((x, y)) # (first, second)
+        self.edge_set.add((y, x)) # (second, first)
+        self.directed_edges.append((x, y))
+        # assert z < 0
+        self.weights.append(z)
+
+    def get_extra_adj(self, device):
+        if len(self.directed_edges):
+            edges = np.array(self.directed_edges, dtype=np.int64)
+            rev_edges = np.array([edges[:, 1], edges[:, 0]], dtype=np.int64)
+            edges = np.hstack((edges.T, rev_edges))
+
+            idxes = torch.LongTensor(edges)
+            values = torch.Tensor(self.weights + self.weights)
+
+            added_adj = torch.sparse.FloatTensor(idxes, values, StaticGraph.get_gsize())
+
+            added_adj = added_adj.to(device)
+            return added_adj
+        else:
+            return None
+
+    def get_possible_nodes(self, target_node):
+        connected = set()
+        connected = []
+        for n1, n2 in self.edge_set:
+            if n1 == target_node:
+                # connected.add(target_node)
+                connected.append(n1)
+        return np.setdiff1d(self.node_set, np.array(connected))
+        # return self.node_set - connected
+
+class NodeAttackEnv(object):
+    """Node attack environment. It executes an action and then change the
+    environment status (modify the graph).
+    """
+
+    def __init__(self, features, labels, all_targets, list_action_space, classifier, num_mod=1, reward_type='binary'):
+
+        self.classifier = classifier
+        self.list_action_space = list_action_space
+        self.features = features
+        self.labels = labels
+        self.all_targets = all_targets
+        self.num_mod = num_mod
+        self.reward_type = reward_type
+
+    def setup(self, target_nodes):
+        self.target_nodes = target_nodes
+        self.n_steps = 0
+        self.first_nodes = None
+        self.rewards = None
+        self.binary_rewards = None
+        self.modified_list = []
+        for i in range(len(self.target_nodes)):
+            self.modified_list.append(ModifiedGraph())
+
+        self.list_acc_of_all = []
+
+    def step(self, actions):
+        """run actions and get rewards
+        """
+        if self.first_nodes is None: # pick the first node of edge
+            assert self.n_steps % 2 == 0
+            self.first_nodes = actions[:]
+        else:
+            for i in range(len(self.target_nodes)):
+                # assert self.first_nodes[i] != actions[i]
+                # deleta an edge from the graph
+                self.modified_list[i].add_edge(self.first_nodes[i], actions[i], -1.0)
+            self.first_nodes = None
+            self.banned_list = None
+        self.n_steps += 1
+
+        if self.isTerminal():
+            # only calc reward when its terminal
+            acc_list = []
+            loss_list = []
+            # for i in tqdm(range(len(self.target_nodes))):
+            for i in (range(len(self.target_nodes))):
+                device = self.labels.device
+                extra_adj = self.modified_list[i].get_extra_adj(device=device)
+                adj = self.classifier.norm_tool.norm_extra(extra_adj)
+
+                output = self.classifier(self.features, adj)
+
+                loss, acc = loss_acc(output, self.labels, self.all_targets, avg_loss=False)
+                # _, loss, acc = self.classifier(self.features, Variable(adj), self.all_targets, self.labels, avg_loss=False)
+
+                cur_idx = self.all_targets.index(self.target_nodes[i])
+                acc = np.copy(acc.double().cpu().view(-1).numpy())
+                loss = loss.data.cpu().view(-1).numpy()
+                self.list_acc_of_all.append(acc)
+                acc_list.append(acc[cur_idx])
+                loss_list.append(loss[cur_idx])
+
+            self.binary_rewards = (np.array(acc_list) * -2.0 + 1.0).astype(np.float32)
+            if self.reward_type == 'binary':
+                self.rewards = (np.array(acc_list) * -2.0 + 1.0).astype(np.float32)
+            else:
+                assert self.reward_type == 'nll'
+                self.rewards = np.array(loss_list).astype(np.float32)
+
+    def sample_pos_rewards(self, num_samples):
+        assert self.list_acc_of_all is not None
+        cands = []
+
+        for i in range(len(self.list_acc_of_all)):
+            succ = np.where( self.list_acc_of_all[i] < 0.9 )[0]
+
+            for j in range(len(succ)):
+
+                cands.append((i, self.all_targets[succ[j]]))
+
+        if num_samples > len(cands):
+            return cands
+        random.shuffle(cands)
+        return cands[0:num_samples]
+
+    def uniformRandActions(self):
+        # TODO: here only support deleting edges
+        # seems they sample first node from 2-hop neighbours
+        act_list = []
+        offset = 0
+        for i in range(len(self.target_nodes)):
+            cur_node = self.target_nodes[i]
+            region = self.list_action_space[cur_node]
+
+            if self.first_nodes is not None and self.first_nodes[i] is not None:
+                region = self.list_action_space[self.first_nodes[i]]
+
+            if region is None:  # singleton node
+                cur_action = np.random.randint(len(self.list_action_space))
+            else: # select from neighbours or 2-hop neighbours
+                cur_action = region[np.random.randint(len(region))]
+
+            act_list.append(cur_action)
+        return act_list
+
+    def isTerminal(self):
+        if self.n_steps == 2 * self.num_mod:
+            return True
+        return False
+
+    def getStateRef(self):
+        cp_first = [None] * len(self.target_nodes)
+        if self.first_nodes is not None:
+            cp_first = self.first_nodes
+
+        return zip(self.target_nodes, self.modified_list, cp_first)
+
+    def cloneState(self):
+        cp_first = [None] * len(self.target_nodes)
+        if self.first_nodes is not None:
+            cp_first = self.first_nodes[:]
+
+        return list(zip(self.target_nodes[:], deepcopy(self.modified_list), cp_first))
+
+

deeprobust/graph/targeted_attack/rl_s2v.py

@@ -0,0 +1,262 @@
+"""
+    Adversarial Attacks on Neural Networks for Graph Data. ICML 2018.
+        https://arxiv.org/abs/1806.02371
+    Author's Implementation
+       https://github.com/Hanjun-Dai/graph_adversarial_attack
+    This part of code is adopted from the author's implementation (Copyright (c) 2018 Dai, Hanjun and Li, Hui and Tian, Tian and Huang, Xin and Wang, Lin and Zhu, Jun and Song, Le)
+    but modified to be integrated into the repository.
+"""
+
+import os
+import sys
+import os.path as osp
+import numpy as np
+import torch
+import networkx as nx
+import random
+from torch.nn.parameter import Parameter
+import torch.nn as nn
+import torch.nn.functional as F
+import torch.optim as optim
+from tqdm import tqdm
+from copy import deepcopy
+from deeprobust.graph.rl.q_net_node import QNetNode, NStepQNetNode, node_greedy_actions
+from deeprobust.graph.rl.env import NodeAttackEnv
+from deeprobust.graph.rl.nstep_replay_mem import NstepReplayMem
+
+class RLS2V(object):
+    """ Reinforcement learning agent for RL-S2V attack.
+
+    Parameters
+    ----------
+    env :
+        Node attack environment
+    features :
+        node features matrix
+    labels :
+        labels
+    idx_meta :
+        node meta indices
+    idx_test :
+        node test indices
+    list_action_space : list
+        list of action space
+    num_mod :
+        number of modification (perturbation) on the graph
+    reward_type : str
+        type of reward (e.g., 'binary')
+    batch_size :
+        batch size for training DQN
+    save_dir :
+        saving directory for model checkpoints
+    device: str
+        'cpu' or 'cuda'
+
+    Examples
+    --------
+    See details in https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_rl_s2v.py
+    """
+
+    def __init__(self, env, features, labels, idx_meta, idx_test,
+            list_action_space, num_mod, reward_type, batch_size=10,
+            num_wrong=0, bilin_q=1, embed_dim=64, gm='mean_field',
+            mlp_hidden=64, max_lv=1, save_dir='checkpoint_dqn', device=None):
+
+
+        assert device is not None, "'device' cannot be None, please specify it"
+
+        self.features = features
+        self.labels = labels
+        self.idx_meta = idx_meta
+        self.idx_test = idx_test
+        self.num_wrong = num_wrong
+        self.list_action_space = list_action_space
+        self.num_mod = num_mod
+        self.reward_type = reward_type
+        self.batch_size = batch_size
+        self.save_dir = save_dir
+        if not osp.exists(save_dir):
+            os.system('mkdir -p {}'.format(save_dir))
+
+        self.gm = gm
+        self.device = device
+
+        self.mem_pool = NstepReplayMem(memory_size=500000, n_steps=2 * num_mod, balance_sample=reward_type == 'binary')
+        self.env = env
+
+        # self.net = QNetNode(features, labels, list_action_space)
+        # self.old_net = QNetNode(features, labels, list_action_space)
+        self.net = NStepQNetNode(2 * num_mod, features, labels, list_action_space,
+                          bilin_q=bilin_q, embed_dim=embed_dim, mlp_hidden=mlp_hidden,
+                          max_lv=max_lv, gm=gm, device=device)
+
+        self.old_net = NStepQNetNode(2 * num_mod, features, labels, list_action_space,
+                          bilin_q=bilin_q, embed_dim=embed_dim, mlp_hidden=mlp_hidden,
+                          max_lv=max_lv, gm=gm, device=device)
+
+        self.net = self.net.to(device)
+        self.old_net = self.old_net.to(device)
+
+        self.eps_start = 1.0
+        self.eps_end = 0.05
+        self.eps_step = 100000
+        self.burn_in = 10
+        self.step = 0
+        self.pos = 0
+        self.best_eval = None
+        self.take_snapshot()
+
+    def take_snapshot(self):
+        self.old_net.load_state_dict(self.net.state_dict())
+
+    def make_actions(self, time_t, greedy=False):
+        self.eps = self.eps_end + max(0., (self.eps_start - self.eps_end)
+                * (self.eps_step - max(0., self.step)) / self.eps_step)
+
+        if random.random() < self.eps and not greedy:
+            actions = self.env.uniformRandActions()
+        else:
+            cur_state = self.env.getStateRef()
+            actions, values = self.net(time_t, cur_state, None, greedy_acts=True, is_inference=True)
+            actions = list(actions.cpu().numpy())
+
+        return actions
+
+    def run_simulation(self):
+
+        if (self.pos + 1) * self.batch_size > len(self.idx_test):
+            self.pos = 0
+            random.shuffle(self.idx_test)
+
+        selected_idx = self.idx_test[self.pos * self.batch_size : (self.pos + 1) * self.batch_size]
+        self.pos += 1
+        self.env.setup(selected_idx)
+
+        t = 0
+        list_of_list_st = []
+        list_of_list_at = []
+
+        while not self.env.isTerminal():
+            list_at = self.make_actions(t)
+            list_st = self.env.cloneState()
+
+            self.env.step(list_at)
+
+            # TODO Wei added line #87
+            env = self.env
+            assert (env.rewards is not None) == env.isTerminal()
+            if env.isTerminal():
+                rewards = env.rewards
+                s_prime = None
+            else:
+                rewards = np.zeros(len(list_at), dtype=np.float32)
+                s_prime = self.env.cloneState()
+
+            self.mem_pool.add_list(list_st, list_at, rewards, s_prime, [env.isTerminal()] * len(list_at), t)
+            list_of_list_st.append( deepcopy(list_st) )
+            list_of_list_at.append( deepcopy(list_at) )
+            t += 1
+
+        # if the reward type is nll_loss, directly return
+        if self.reward_type == 'nll':
+            return
+
+        T = t
+        cands = self.env.sample_pos_rewards(len(selected_idx))
+        if len(cands):
+            for c in cands:
+                sample_idx, target = c
+                doable = True
+                for t in range(T):
+                    if self.list_action_space[target] is not None and (not list_of_list_at[t][sample_idx] in self.list_action_space[target]):
+                        doable = False # TODO WHY False? This is only 1-hop neighbour
+                        break
+                if not doable:
+                    continue
+
+                for t in range(T):
+                    s_t = list_of_list_st[t][sample_idx]
+                    a_t = list_of_list_at[t][sample_idx]
+                    s_t = [target, deepcopy(s_t[1]), s_t[2]]
+                    if t + 1 == T:
+                        s_prime = (None, None, None)
+                        r = 1.0
+                        term = True
+                    else:
+                        s_prime = list_of_list_st[t + 1][sample_idx]
+                        s_prime = [target, deepcopy(s_prime[1]), s_prime[2]]
+                        r = 0.0
+                        term = False
+                    self.mem_pool.mem_cells[t].add(s_t, a_t, r, s_prime, term)
+
+    def eval(self, training=True):
+        """Evaluate RL agent.
+        """
+
+        self.env.setup(self.idx_meta)
+        t = 0
+
+        while not self.env.isTerminal():
+            list_at = self.make_actions(t, greedy=True)
+            self.env.step(list_at)
+            t += 1
+
+        acc = 1 - (self.env.binary_rewards + 1.0) / 2.0
+        acc = np.sum(acc) / (len(self.idx_meta) + self.num_wrong)
+        print('\033[93m average test: acc %.5f\033[0m' % (acc))
+
+        if training == True and self.best_eval is None or acc < self.best_eval:
+            print('----saving to best attacker since this is the best attack rate so far.----')
+            torch.save(self.net.state_dict(), osp.join(self.save_dir, 'epoch-best.model'))
+            with open(osp.join(self.save_dir, 'epoch-best.txt'), 'w') as f:
+                f.write('%.4f\n' % acc)
+            with open(osp.join(self.save_dir, 'attack_solution.txt'), 'w') as f:
+                for i in range(len(self.idx_meta)):
+                    f.write('%d: [' % self.idx_meta[i])
+                    for e in self.env.modified_list[i].directed_edges:
+                        f.write('(%d %d)' % e)
+                    f.write('] succ: %d\n' % (self.env.binary_rewards[i]))
+            self.best_eval = acc
+
+    def train(self, num_steps=100000, lr=0.001):
+        """Train RL agent.
+        """
+
+        pbar = tqdm(range(self.burn_in), unit='batch')
+
+        for p in pbar:
+            self.run_simulation()
+
+        pbar = tqdm(range(num_steps), unit='steps')
+        optimizer = optim.Adam(self.net.parameters(), lr=lr)
+
+        for self.step in pbar:
+
+            self.run_simulation()
+
+            if self.step % 123 == 0:
+                # update the params of old_net
+                self.take_snapshot()
+            if self.step % 500 == 0:
+                self.eval()
+
+            cur_time, list_st, list_at, list_rt, list_s_primes, list_term = self.mem_pool.sample(batch_size=self.batch_size)
+            list_target = torch.Tensor(list_rt).to(self.device)
+
+            if not list_term[0]:
+                target_nodes, _, picked_nodes = zip(*list_s_primes)
+                _, q_t_plus_1 = self.old_net(cur_time + 1, list_s_primes, None)
+                _, q_rhs = node_greedy_actions(target_nodes, picked_nodes, q_t_plus_1, self.old_net)
+                list_target += q_rhs
+
+            # list_target = Variable(list_target.view(-1, 1))
+            list_target = list_target.view(-1, 1)
+            _, q_sa = self.net(cur_time, list_st, list_at)
+            q_sa = torch.cat(q_sa, dim=0)
+            loss = F.mse_loss(q_sa, list_target)
+            optimizer.zero_grad()
+            loss.backward()
+            optimizer.step()
+            pbar.set_description('eps: %.5f, loss: %0.5f, q_val: %.5f' % (self.eps, loss, torch.mean(q_sa)) )
+            # print('eps: %.5f, loss: %0.5f, q_val: %.5f' % (self.eps, loss, torch.mean(q_sa)) )
+

deeprobust/graph/visualization.py

@@ -0,0 +1,91 @@
+import seaborn as sns; sns.set()
+import matplotlib.pyplot as plt
+from tqdm import tqdm
+import os
+import numpy as np
+import scipy.sparse as sp
+
+def degree_dist(clean_adj, perturbed_adj, savename='degree_dist.pdf'):
+    """Plot degree distributnio on clean and perturbed graphs.
+
+    Parameters
+    ----------
+    clean_adj: sp.csr_matrix
+        adjancecy matrix of the clean graph
+    perturbed_adj: sp.csr_matrix
+        adjancecy matrix of the perturbed graph
+    savename: str
+        filename to be saved
+
+    Returns
+    -------
+    None
+
+    """
+    clean_degree = clean_adj.sum(1)
+    perturbed_degree = perturbed_adj.sum(1)
+    fig, ax1 = plt.subplots()
+    sns.distplot(clean_degree, label='Clean Graph', norm_hist=False, ax=ax1)
+    sns.distplot(perturbed_degree, label='Perturbed Graph', norm_hist=False, ax=ax1)
+    ax1.grid(False)
+    plt.legend(prop={'size':18})
+    plt.ylabel('Density Distribution', fontsize=18)
+    plt.xlabel('Node degree', fontsize=18)
+    plt.xticks(fontsize=14)
+    plt.yticks(fontsize=14)
+    # plt.title(f'Feature difference of adjacency after {attack}-attack')
+    if not os.path.exists('figures/'):
+       os.mkdir('figures')
+    plt.savefig('figures/%s' % savename, bbox_inches='tight')
+    plt.show()
+
+def feature_diff(clean_adj, perturbed_adj, features, savename='feature_diff.pdf'):
+    """Plot feature difference on clean and perturbed graphs.
+
+    Parameters
+    ----------
+    clean_adj: sp.csr_matrix
+        adjancecy matrix of the clean graph
+    perturbed_adj: sp.csr_matrix
+        adjancecy matrix of the perturbed graph
+    features: sp.csr_matrix or np.array
+        node features
+    savename: str
+        filename to be saved
+
+    Returns
+    -------
+    None
+    """
+
+    fig, ax1 = plt.subplots()
+    sns.distplot(_get_diff(clean_adj, features), label='Normal Edges', norm_hist=True, ax=ax1)
+    delta_adj = perturbed_adj - clean_adj
+    delta_adj[delta_adj < 0] = 0
+    sns.distplot(_get_diff(delta_adj, features), label='Adversarial Edges', norm_hist=True, ax=ax1)
+    ax1.grid(False)
+    plt.legend(prop={'size':18})
+    plt.ylabel('Density Distribution', fontsize=18)
+    plt.xlabel('Feature Difference Between Connected Nodes', fontsize=18)
+    plt.xticks(fontsize=14)
+    plt.yticks(fontsize=14)
+    if not os.path.exists('figures/'):
+       os.mkdir('figures')
+    plt.savefig('figures/%s' % savename, bbox_inches='tight')
+    plt.show()
+
+
+def _get_diff(adj, features):
+    isSparse = sp.issparse(features)
+    edges = np.array(adj.nonzero()).T
+    row_degree = adj.sum(0).tolist()[0]
+    diff = []
+    for edge in tqdm(edges):
+        n1 = edge[0]
+        n2 = edge[1]
+        if n1 > n2:
+            continue
+        d = np.sum((features[n1]/np.sqrt(row_degree[n1]) - features[n2]/np.sqrt(row_degree[n2])).power(2))
+        diff.append(d)
+    return diff
+

deeprobust/image/attack/BPDA.py

@@ -0,0 +1,105 @@
+"""
+https://github.com/lordwarlock/Pytorch-BPDA/blob/master/bpda.py
+"""
+import torch
+import torch.nn as nn
+import torchvision.models as models
+import numpy as np
+
+def normalize(image, mean, std):
+    return (image - mean)/std
+
+def preprocess(image):
+    image = image / 255
+    image = np.transpose(image, (2, 0, 1))
+    mean = np.array([0.485, 0.456, 0.406]).reshape((3, 1, 1))
+    std = np.array([0.229, 0.224, 0.225]).reshape((3, 1, 1))
+    image = normalize(image, mean, std)
+    return image
+
+def image2tensor(image):
+    img_t = torch.Tensor(image)
+    img_t = img_t.unsqueeze(0)
+    img_t.requires_grad_()
+    return img_t
+
+def label2tensor(label):
+    target = np.array([label])
+    target = torch.from_numpy(target).long()
+    return target
+
+def get_img_grad_given_label(image, label, model):
+    logits = model(image)
+    ce = nn.CrossEntropyLoss()
+    loss = ce(logits, target)
+    loss.backward()
+    ret = image.grad.clone()
+    model.zero_grad()
+    image.grad.data.zero_()
+    return ret
+
+def get_cw_grad(adv, origin, label, model):
+    logits = model(adv)
+    ce = nn.CrossEntropyLoss()
+    l2 = nn.MSELoss()
+    loss = ce(logits, label) + l2(0, origin - adv) / l2(0, origin)
+    loss.backward()
+    ret = adv.grad.clone()
+    model.zero_grad()
+    adv.grad.data.zero_()
+    origin.grad.data.zero_()
+    return ret
+
+def l2_norm(adv, img):
+    adv = adv.detach().numpy()
+    img = img.detach().numpy()
+    ret = np.sum(np.square(adv - img))/np.sum(np.square(img))
+    return ret
+
+def clip_bound(adv):
+    mean = np.array([0.485, 0.456, 0.406]).reshape((3, 1, 1))
+    std = np.array([0.229, 0.224, 0.225]).reshape((3, 1, 1))
+    adv = adv * std + mean
+    adv = np.clip(adv, 0., 1.)
+    adv = (adv - mean) / std
+    return adv.astype(np.float32)
+
+def identity_transform(x):
+    return x.detach().clone()
+
+def BPDA_attack(image,target, model, step_size = 1., iterations = 10, linf=False, transform_func=identity_transform):
+    target = label2tensor(target)
+    adv = image.detach().numpy()
+    adv = torch.from_numpy(adv)
+    adv.requires_grad_()
+    for _ in range(iterations):
+        adv_def = transform_func(adv)
+        adv_def.requires_grad_()
+        l2 = nn.MSELoss()
+        loss = l2(0, adv_def)
+        loss.backward()
+        g = get_cw_grad(adv_def, image, target, model)
+        if linf:
+            g = torch.sign(g)
+        print(g.numpy().sum())
+        adv = adv.detach().numpy() - step_size * g.numpy()
+        adv = clip_bound(adv)
+        adv = torch.from_numpy(adv)
+        adv.requires_grad_()
+        if linf:
+            print('label', torch.argmax(model(adv)), 'linf', torch.max(torch.abs(adv - image)).detach().numpy())
+        else:
+            print('label', torch.argmax(model(adv)), 'l2', l2_norm(adv, image))
+    return adv.detach().numpy()
+
+if __name__ == '__main__':
+    import matplotlib
+    matplotlib.use('TkAgg')
+    import skimage
+    resnet18 = models.resnet18(pretrained=True).eval()  # for CPU, remove cuda()
+    image = preprocess(skimage.io.imread('test.png'))
+
+    img_t = image2tensor(image)
+    BPDA_attack(img_t, 924, resnet18)
+    print('L-inf')
+    BPDA_attack(img_t, 924, resnet18, step_size = 0.003, linf=True)

deeprobust/image/attack/Universal.py

@@ -0,0 +1,151 @@
+"""
+https://github.com/ferjad/Universal_Adversarial_Perturbation_pytorch
+Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+
+"""
+from deeprobust.image.attack import deepfool
+import collections
+import torch.nn as nn
+import torch.nn.functional as F
+import torchvision
+import torchvision.transforms as transforms
+import numpy as np
+import torch
+import torch.optim as optim
+import torch.utils.data as data_utils
+import math
+from PIL import Image
+import torchvision.models as models
+import sys
+import random
+import time
+from tqdm import tqdm
+
+def zero_gradients(x):
+    if isinstance(x, torch.Tensor):
+        if x.grad is not None:
+            x.grad.detach_()
+            x.grad.zero_()
+    elif isinstance(x, collections.abc.Iterable):
+        for elem in x:
+            zero_gradients(elem)
+
+def get_model(model,device):
+    if model == 'vgg16':
+        net = models.vgg16(pretrained=True)
+    elif model =='resnet18':
+        net = models.resnet18(pretrained=True)
+
+    net.eval()
+    net=net.to(device)
+    return net
+
+def data_input_init(xi):
+    mean = [ 0.485, 0.456, 0.406 ]
+    std = [ 0.229, 0.224, 0.225 ]
+    transform = transforms.Compose([
+    transforms.Resize(256),
+    transforms.CenterCrop(224),
+    transforms.ToTensor(),
+    transforms.Normalize(mean = mean,
+                         std = std)])
+
+    return (mean,std,transform)
+
+def proj_lp(v, xi, p):
+    # Project on the lp ball centered at 0 and of radius xi
+    if p==np.inf:
+        v=torch.clamp(v,-xi,xi)
+    else:
+        v=v * min(1, xi/(torch.norm(v,p)+0.00001))
+    return v
+
+def get_fooling_rate(data_list,v,model, device):
+    f = data_input_init(0)[2]
+    num_images = len(data_list)
+
+    fooled=0.0
+
+    for name in tqdm(data_list):
+        image = Image.open(name)
+        image = tf(image)
+        image = image.unsqueeze(0)
+        image = image.to(device)
+        _, pred = torch.max(model(image),1)
+        _, adv_pred = torch.max(model(image+v),1)
+        if(pred!=adv_pred):
+            fooled+=1
+
+    # Compute the fooling rate
+    fooling_rate = fooled/num_images
+    print('Fooling Rate = ', fooling_rate)
+    for param in model.parameters():
+        param.requires_grad = False
+
+    return fooling_rate,model
+
+def universal_adversarial_perturbation(dataloader, model, device, xi=10, delta=0.2, max_iter_uni = 10, p=np.inf,
+                                       num_classes=10, overshoot=0.02, max_iter_df=10,t_p = 0.2):
+    """universal_adversarial_perturbation.
+
+    Parameters
+    ----------
+    dataloader :
+        dataloader
+    model :
+        target model
+    device :
+        device
+    xi :
+        controls the l_p magnitude of the perturbation
+    delta :
+        controls the desired fooling rate (default = 80% fooling rate)
+    max_iter_uni :
+        maximum number of iteration (default = 10*num_images)
+    p :
+        norm to be used (default = np.inf)
+    num_classes :
+        num_classes (default = 10)
+    overshoot :
+        to prevent vanishing updates (default = 0.02)
+    max_iter_df :
+        maximum number of iterations for deepfool (default = 10)
+    t_p :
+        truth percentage, for how many flipped labels in a batch. (default = 0.2)
+
+    Returns
+    -------
+        the universal perturbation matrix.
+    """
+    time_start = time.time()
+    mean, std,tf = data_input_init(xi)
+    v = torch.zeros(1,3,224,224).to(device)
+    v.requires_grad_()
+
+    fooling_rate = 0.0
+    num_images = len(dataloader)
+    itr = 0
+
+    while fooling_rate < 1-delta and itr < max_iter_uni:
+
+        # Iterate over the dataset and compute the purturbation incrementally
+
+        for i,(img, label) in enumerate(dataloader):
+            _, pred = torch.max(model(img),1)
+            _, adv_pred = torch.max(model(img+v),1)
+
+            if(pred == adv_pred):
+                perturb = deepfool(model, device)
+                _ = perturb.generate(img+v, num_classed = num_classed, overshoot = overshoot, max_iter = max_iter_df)
+                dr, iter = perturb.getpurb()
+                if(iter<max_iter_df-1):
+                    v = v + torch.from_numpy(dr).to(device)
+                    v = proj_lp(v,xi,p)
+
+            if(k%10==0):
+                print('Norm of v: '+str(torch.norm(v).detach().cpu().numpy()))
+
+        fooling_rate,model = get_fooling_rate(data_list,v,model, device)
+        itr = itr + 1
+
+    return v

deeprobust/image/attack/YOPOpgd.py

@@ -0,0 +1,113 @@
+import numpy as np
+import torch
+import torch.nn as nn
+from torch.autograd import Variable
+import torch.optim as optim
+import torch.nn.functional as F
+
+from deeprobust.image.attack.base_attack import BaseAttack
+
+class FASTPGD(BaseAttack):
+    '''
+    This module is the adversarial example gererated algorithm in YOPO.
+    
+    References
+    ----------
+    Original code: https://github.com/a1600012888/YOPO-You-Only-Propagate-Once
+    '''
+    # ImageNet pre-trained mean and std
+    # _mean = torch.tensor(np.array([0.485, 0.456, 0.406]).astype(np.float32)[np.newaxis, :, np.newaxis, np.newaxis])
+    # _std = torch.tensor(np.array([0.229, 0.224, 0.225]).astype(np.float32)[np.newaxis, :, np.newaxis, np.newaxis])
+
+    # _mean = torch.tensor(np.array([0]).astype(np.float32)[np.newaxis, :, np.newaxis, np.newaxis])
+    # _std = torch.tensor(np.array([1.0]).astype(np.float32)[np.newaxis, :, np.newaxis, np.newaxis])
+    def __init__(self, eps = 6 / 255.0, sigma = 3 / 255.0, nb_iter = 20,
+                 norm = np.inf, DEVICE = torch.device('cpu'),
+                 mean = torch.tensor(np.array([0]).astype(np.float32)[np.newaxis, :, np.newaxis, np.newaxis]),
+                 std = torch.tensor(np.array([1.0]).astype(np.float32)[np.newaxis, :, np.newaxis, np.newaxis]), random_start = True):
+        '''
+        :param eps: maximum distortion of adversarial examples
+        :param sigma: single step size
+        :param nb_iter: number of attack iterations
+        :param norm: which norm to bound the perturbations
+        '''
+        self.eps = eps
+        self.sigma = sigma
+        self.nb_iter = nb_iter
+        self.norm = norm
+        self.criterion = torch.nn.CrossEntropyLoss().to(DEVICE)
+        self.DEVICE = DEVICE
+        self._mean = mean.to(DEVICE)
+        self._std = std.to(DEVICE)
+        self.random_start = random_start
+
+    def single_attack(self, net, inp, label, eta, target = None):
+        '''
+        Given the original image and the perturbation computed so far, computes
+        a new perturbation.
+        :param net:
+        :param inp: original image
+        :param label:
+        :param eta: perturbation computed so far
+        :return: a new perturbation
+        '''
+
+        adv_inp = inp + eta
+
+        #net.zero_grad()
+
+        pred = net(adv_inp)
+        if target is not None:
+            targets = torch.sum(pred[:, target])
+            grad_sign = torch.autograd.grad(targets, adv_in, only_inputs=True, retain_graph = False)[0].sign()
+
+        else:
+            loss = self.criterion(pred, label)
+            grad_sign = torch.autograd.grad(loss, adv_inp,
+                                            only_inputs=True, retain_graph = False)[0].sign()
+
+        adv_inp = adv_inp + grad_sign * (self.sigma / self._std)
+        tmp_adv_inp = adv_inp * self._std +  self._mean
+
+        tmp_inp = inp * self._std + self._mean
+        tmp_adv_inp = torch.clamp(tmp_adv_inp, 0, 1) ## clip into 0-1
+        #tmp_adv_inp = (tmp_adv_inp - self._mean) / self._std
+        tmp_eta = tmp_adv_inp - tmp_inp
+        
+        #tmp_eta = clip_eta(tmp_eta, norm=self.norm, eps=self.eps, DEVICE=self.DEVICE)
+        if self.norm == np.inf:
+            tmp_eta = torch.clamp(tmp_eta, -self.eps, self.eps)
+        
+        eta = tmp_eta/ self._std
+        return eta
+
+    def attack(self, net, inp, label, target = None):
+
+        if self.random_start:
+            eta = torch.FloatTensor(*inp.shape).uniform_(-self.eps, self.eps)
+        else:
+            eta = torch.zeros_like(inp)
+        eta = eta.to(self.DEVICE)
+        eta = (eta - self._mean) / self._std
+        net.eval()
+
+        inp.requires_grad = True
+        eta.requires_grad = True
+        for i in range(self.nb_iter):
+            eta = self.single_attack(net, inp, label, eta, target)
+            #print(i)
+
+        #print(eta.max())
+        adv_inp = inp + eta
+        tmp_adv_inp = adv_inp * self._std +  self._mean
+        tmp_adv_inp = torch.clamp(tmp_adv_inp, 0, 1)
+        adv_inp = (tmp_adv_inp - self._mean) / self._std
+
+        return adv_inp
+
+    def to(self, device):
+        self.DEVICE = device
+        self._mean = self._mean.to(device)
+        self._std = self._std.to(device)
+        self.criterion = self.criterion.to(device)
+

deeprobust/image/attack/base_attack.py

@@ -0,0 +1,88 @@
+from abc import ABCMeta
+import torch
+
+class BaseAttack(object):
+    """
+    Attack base class.
+    """
+
+    __metaclass__ = ABCMeta
+
+    def __init__(self, model, device = 'cuda'):
+        self.model = model
+        self.device = device
+
+    def generate(self, image, label, **kwargs):
+        """
+        Overide this function for the main body of attack algorithm.
+
+        Parameters
+        ----------
+        image :
+            original image
+        label :
+            original label
+        kwargs :
+            user defined parameters
+        """
+        return input
+
+    def parse_params(self, **kwargs):
+        """
+        Parse user defined parameters.
+        """
+        return True
+
+    def check_type_device(self, image, label):
+        """
+        Check device, match variable type to device type.
+
+        Parameters
+        ----------
+        image :
+            image
+        label :
+            label
+        """
+
+        ################## devices
+        if self.device == 'cuda':
+            image = image.cuda()
+            label = label.cuda()
+            self.model = self.model.cuda()
+        elif self.device == 'cpu':
+            image = image.cpu()
+            label = label.cpu()
+            self.model = self.model.cpu()
+        else:
+            raise ValueError('Please input cpu or cuda')
+
+        ################## data type
+        if type(image).__name__ == 'Tensor':
+            image = image.float()
+            image = image.float().clone().detach().requires_grad_(True)
+        elif type(image).__name__ == 'ndarray':
+            image = image.astype('float')
+            image = torch.tensor(image, requires_grad=True)
+        else:
+            raise ValueError('Input values only take numpy arrays or torch tensors')
+
+        if type(label).__name__ == 'Tensor':
+            label = label.long()
+        elif type(label).__name__ == 'ndarray':
+            label = label.astype('long')
+            label = torch.tensor(y)
+        else:
+            raise ValueError('Input labels only take numpy arrays or torch tensors')
+
+
+        #################### set init attributes
+        self.image = image
+        self.label = label
+
+        return True
+
+    def get_or_predict_lable(self, image):
+        output = self.model(image)
+        pred = output.argmax(dim=1, keepdim=True)
+        return(pred)

deeprobust/image/attack/l2_attack.py

@@ -0,0 +1,174 @@
+import torch
+import torch.nn as nn
+import numpy as np
+import torch.nn.functional as F
+
+
+class CarliniL2:
+    def __init__(self, model, device): 
+        self.model = model
+        self.device = device
+
+    def parse_params(self, gan, confidence=0, targeted=False, learning_rate=1e-1,
+                 binary_search_steps=5, max_iterations=10000, abort_early=False, initial_const=1,
+                 clip_min=0, clip_max=1):
+        
+        self.TARGETED = targeted
+        self.LEARNING_RATE = learning_rate
+        self.MAX_ITERATIONS = max_iterations
+        self.BINARY_SEARCH_STEPS = binary_search_steps
+        self.ABORT_EARLY = abort_early
+        self.CONFIDENCE = confidence
+        self.initial_const = initial_const
+        self.clip_min = clip_min
+        self.clip_max = clip_max
+        self.gan = gan
+        self.learning_rate = learning_rate
+        self.repeat = binary_search_steps >= 10
+
+    def get_or_guess_labels(self, x, y=None):
+        """
+        Get the label to use in generating an adversarial example for x.
+        The kwargs are fed directly from the kwargs of the attack.
+        If 'y' is in kwargs, use that as the label.
+        Otherwise, use the model's prediction as the label.
+        """
+        if y is not None:
+            labels = y
+        else:
+            preds = F.softmax(self.model(x))
+            preds_max = torch.max(preds, 1, keepdim=True)[0]
+            original_predictions = (preds == preds_max)
+            labels = original_predictions
+            del preds
+        return labels.float()
+
+    def atanh(self, x):
+        return 0.5 * torch.log((1 + x) / (1 - x))
+
+    def to_one_hot(self, x):
+        one_hot = torch.FloatTensor(x.shape[0], 10).to(x.get_device())
+        one_hot.zero_()
+        x = x.unsqueeze(1)
+        one_hot = one_hot.scatter_(1, x, 1)
+        return one_hot
+
+    def generate(self, imgs, y, start):
+
+        batch_size = imgs.shape[0]
+        labs = self.get_or_guess_labels(imgs, y)
+
+        def compare(x, y):
+            if self.TARGETED is None: return True
+
+            if sum(x.shape) != 0:
+                x = x.clone()
+                if self.TARGETED:
+                    x[y] -= self.CONFIDENCE
+                else:
+                    x[y] += self.CONFIDENCE
+                x = torch.argmax(x)
+            if self.TARGETED:
+                return x == y
+            else:
+                return x != y
+
+        # set the lower and upper bounds accordingly
+        lower_bound = torch.zeros(batch_size).to(self.device)
+        CONST = torch.ones(batch_size).to(self.device) * self.initial_const
+        upper_bound = (torch.ones(batch_size) * 1e10).to(self.device)
+
+        # the best l2, score, and image attack
+        o_bestl2 = [1e10] * batch_size
+        o_bestscore = [-1] * batch_size
+        o_bestattack = self.gan(start)
+
+        # check if the input label is one-hot, if not, then change it into one-hot vector
+        if len(labs.shape) == 1:
+            tlabs = self.to_one_hot(labs.long())
+        else:
+            tlabs = labs
+
+        for outer_step in range(self.BINARY_SEARCH_STEPS):
+            # completely reset adam's internal state.
+            modifier = nn.Parameter(start)
+            optimizer = torch.optim.Adam([modifier, ], lr=self.learning_rate)
+
+            bestl2 = [1e10] * batch_size
+            bestscore = -1 * torch.ones(batch_size, dtype=torch.float32).to(self.device)
+
+            # The last iteration (if we run many steps) repeat the search once.
+            if self.repeat and outer_step == self.BINARY_SEARCH_STEPS - 1:
+                CONST = upper_bound
+            prev = 1e6
+
+            for i in range(self.MAX_ITERATIONS):
+                optimizer.zero_grad()
+                nimgs = self.gan(modifier.to(self.device))
+
+                # distance to the input data
+                l2dist = torch.sum(torch.sum(torch.sum((nimgs - imgs) ** 2, 1), 1), 1)
+                loss2 = torch.sum(l2dist)
+
+                # prediction BEFORE-SOFTMAX of the model
+                scores = self.model(nimgs)
+
+                # compute the probability of the label class versus the maximum other
+                other = torch.max(((1 - tlabs) * scores - tlabs * 10000), 1)[0]
+                real = torch.sum(tlabs * scores, 1)
+
+                if self.TARGETED:
+                    # if targeted, optimize for making the other class most likely
+                    loss1 = torch.max(torch.zeros_like(other), other - real + self.CONFIDENCE)
+                else:
+                    # if untargeted, optimize for making this class least likely.
+                    loss1 = torch.max(torch.zeros_like(other), real - other + self.CONFIDENCE)
+
+                # sum up the losses
+                loss1 = torch.sum(CONST * loss1)
+                loss = loss1 + loss2
+
+                # update the modifier
+                loss.backward()
+                optimizer.step()
+
+                # check if we should abort search if we're getting nowhere.
+                if self.ABORT_EARLY and i % ((self.MAX_ITERATIONS // 10) or 1) == 0:
+                    if loss > prev * .9999:
+                        # print('Stop early')
+                        break
+                    prev = loss
+
+                # adjust the best result found so far
+                for e, (l2, sc, ii) in enumerate(zip(l2dist, scores, nimgs)):
+                    lab = torch.argmax(tlabs[e])
+
+                    if l2 < bestl2[e] and compare(sc, lab):
+                        bestl2[e] = l2
+                        bestscore[e] = torch.argmax(sc)
+
+                    if l2 < o_bestl2[e] and compare(sc, lab):
+                        o_bestl2[e] = l2
+                        o_bestscore[e] = torch.argmax(sc)
+                        o_bestattack[e] = ii
+
+            # adjust the constant as needed
+            for e in range(batch_size):
+                if compare(bestscore[e], torch.argmax(tlabs[e]).float()) and \
+                        bestscore[e] != -1:
+                    # success, divide CONST by two
+                    upper_bound[e] = min(upper_bound[e], CONST[e])
+                    if upper_bound[e] < 1e9:
+                        CONST[e] = (lower_bound[e] + upper_bound[e]) / 2
+                else:
+                    # failure, either multiply by 10 if no solution found yet
+                    #          or do binary search with the known upper bound
+                    lower_bound[e] = max(lower_bound[e], CONST[e])
+                    if upper_bound[e] < 1e9:
+                        CONST[e] = (lower_bound[e] + upper_bound[e]) / 2
+                    else:
+                        CONST[e] *= 10
+
+        # return the best solution found
+        o_bestl2 = np.array(o_bestl2)
+        return o_bestattack

deeprobust/image/attack/lbfgs.py

@@ -0,0 +1,203 @@
+import torch
+import torch.nn as nn
+import scipy.optimize as so
+import numpy as np
+import torch.nn.functional as F #233
+
+from deeprobust.image.attack.base_attack import BaseAttack
+
+class LBFGS(BaseAttack):
+    """
+    LBFGS is the first adversarial generating algorithm.
+    """
+
+
+    def __init__(self, model, device = 'cuda' ):
+        super(LBFGS, self).__init__(model, device)
+
+    def generate(self, image, label, target_label, **kwargs):
+        """
+        Call this function to generate adversarial examples.
+
+        Parameters
+        ----------
+        image :
+            original image
+        label :
+            target label
+        kwargs :
+            user defined paremeters
+        """
+        assert self.check_type_device(image, label)
+        assert self.parse_params(**kwargs)
+        self.target_label = target_label
+        adv_img= optimize(self.model,
+                                       self.image,
+                                       self.label,
+                                       self.target_label,
+                                       self.bounds,
+                                       self.epsilon,
+                                       self.maxiter,
+                                       self.class_num,
+                                       self.device)
+        return adv_img
+
+    def distance(self):
+        return self.dist
+
+    def loss(self):
+        return self.loss
+
+    def parse_params(self,
+                     clip_max = 1,
+                     clip_min = 0,
+                     class_num = 10,
+                     epsilon = 1e-5,  #step of finding initial c
+                     maxiter = 20,    #maximum of iteration in lbfgs optimization
+                     ):
+        """
+        Parse the user defined parameters.
+
+        Parameters
+        ----------
+        clip_max :
+            maximum pixel value
+        clip_min :
+            minimum pixel value
+        class_num :
+            total number of class
+        epsilon :
+            step length for binary seach
+        maxiter :
+            maximum number of iterations
+        """
+        self.epsilon = epsilon
+        self.maxiter = maxiter
+        self.class_num = class_num
+        self.bounds = (clip_min, clip_max)
+        return True
+
+def optimize(model, image, label, target_label, bounds, epsilon, maxiter, class_num, device):
+    x_t = image
+    x0 = image[0].to('cpu').detach().numpy()
+    min_, max_ = bounds
+
+    target_dist = torch.tensor(target_label)
+    target_dist = target_dist.unsqueeze_(0).long().to(device)
+
+    # store the shape for later and operate on the flattened input
+
+    shape = x0.shape
+    dtype = x0.dtype
+    x0 = x0.flatten().astype(np.float64)
+
+    n = len(x0)
+    bounds = [(min_, max_)] * n
+
+    def loss(x, c):
+        #calculate the target function
+        v1 = (torch.norm(torch.from_numpy(x0) - x)) **2
+
+        x = torch.tensor(x.astype(dtype).reshape(shape))
+        x = x.unsqueeze_(0).float().to(device)
+
+        predict = model(x)
+        v2 = F.nll_loss(predict, target_dist)
+
+        v = c * v1 + v2
+        #print(v)
+        return np.float64(v)
+
+    def lbfgs_b(c):
+
+        #initial the variables
+        approx_grad_eps = (max_ - min_) / 100
+        print('in lbfgs_b:', 'c =', c)
+
+        #start optimization
+        optimize_output, f, d = so.fmin_l_bfgs_b(
+                loss,
+                x0,
+                args=(c,),
+                approx_grad = True,
+                bounds = bounds,
+                m = 15,
+                maxiter = maxiter,
+                factr = 1e10,  #optimization accuracy
+                maxls = 5,
+                epsilon = approx_grad_eps, iprint = 11)
+        print('finish optimization')
+
+        # LBFGS-B does not always exactly respect the boundaries
+        if np.amax(optimize_output) > max_ or np.amin(optimize_output) < min_:   # pragma: no coverage
+            logging.info('Input out of bounds (min, max = {}, {}). Performing manual clip.'.format(
+                    np.amin(optimize_output), np.amax(optimize_output)))
+
+            optimize_output = np.clip(optimize_output, min_, max_)
+
+        #is_adversarial = pending_attack(target_model = model, adv_exp = optimize_output, target_label = target_label)
+        # pending if the attack success
+        optimize_output = optimize_output.reshape(shape).astype(dtype)
+        optimize_output = torch.from_numpy(optimize_output)
+        optimize_output = optimize_output.unsqueeze_(0).float().to(device)
+
+        predict1 = model(optimize_output)
+        label = predict1.argmax(dim=1, keepdim=True)
+        if label == target_label:
+            is_adversarial = True
+            print('can find adversarial example with current c.')
+        else:
+            is_adversarial = False
+            print('could not find adversarial example with current c.')
+
+        return optimize_output, is_adversarial
+
+
+
+    # finding initial c
+    c = epsilon
+    print('finding initial c:')
+
+    for i in range(30):
+        c = 2 * c
+        x_new, is_adversarial = lbfgs_b(c)
+        if is_adversarial == False:
+            break
+    print('initial c:', c)
+    print('start binary search:')
+
+    x_new, is_adversarial = lbfgs_b(0)
+    if is_adversarial == False:  # pragma: no cover
+        print('Could not find an adversarial;')
+        return
+
+    print('c_high:',c)
+    # binary search
+    c_low = 0
+    c_high = c
+    while c_high - c_low >= epsilon:
+        print(c_high,' ',c_low)
+        c_half = (c_low + c_high) / 2
+        x_new, is_adversarial = lbfgs_b(c_half)
+
+        if is_adversarial:
+            c_low = c_half
+        else:
+            c_high = c_half
+
+    x_new, is_adversarial = lbfgs_b(c_low)
+    
+    dis = ( torch.norm(x_new.reshape(shape) - x0.reshape(shape)) ) **2
+    
+    x_new = x_new.flatten().numpy()
+    mintargetfunc = loss(x_new.astype(np.float64), c_low)
+
+    x_new = x_new.astype(dtype)
+    x_new = x_new.reshape(shape)
+
+    x_new = torch.from_numpy(x_new).unsqueeze_(0).float().to(device)
+
+    return x_new
+
+
+

deeprobust/image/attack/pgd.py

@@ -0,0 +1,150 @@
+import numpy as np
+import torch
+import torch.nn as nn
+from torch.autograd import Variable
+import torch.optim as optim
+import torch.nn.functional as F
+
+from deeprobust.image.attack.base_attack import BaseAttack
+
+class PGD(BaseAttack):
+    """
+    This is the multi-step version of FGSM attack.
+    """
+
+
+    def __init__(self, model, device = 'cuda'):
+
+        super(PGD, self).__init__(model, device)
+
+    def generate(self, image, label, **kwargs):
+        """
+        Call this function to generate PGD adversarial examples.
+
+        Parameters
+        ----------
+        image :
+            original image
+        label :
+            target label
+        kwargs :
+            user defined paremeters
+        """
+
+        ## check and parse parameters for attack
+        label = label.type(torch.FloatTensor)
+
+        assert self.check_type_device(image, label)
+        assert self.parse_params(**kwargs)
+
+        return pgd_attack(self.model,
+                   self.image,
+                   self.label,
+                   self.epsilon,
+                   self.clip_max,
+                   self.clip_min,
+                   self.num_steps,
+                   self.step_size,
+                   self.print_process,
+                   self.bound)
+                   ##default parameter for mnist data set.
+
+    def parse_params(self,
+                     epsilon = 0.03,
+                     num_steps = 40,
+                     step_size = 0.01,
+                     clip_max = 1.0,
+                     clip_min = 0.0,
+                     print_process = False,
+                     bound = 'linf'
+                     ):
+        """parse_params.
+
+        Parameters
+        ----------
+        epsilon :
+            perturbation constraint
+        num_steps :
+            iteration step
+        step_size :
+            step size
+        clip_max :
+            maximum pixel value
+        clip_min :
+            minimum pixel value
+        print_process :
+            whether to print out the log during optimization process, True or False print out the log during optimization process, True or False.
+        """
+        self.epsilon = epsilon
+        self.num_steps = num_steps
+        self.step_size = step_size
+        self.clip_max = clip_max
+        self.clip_min = clip_min
+        self.print_process = print_process
+        self.bound = bound
+        return True
+
+def pgd_attack(model,
+                  X,
+                  y,
+                  epsilon,
+                  clip_max,
+                  clip_min,
+                  num_steps,
+                  step_size,
+                  print_process,
+                  bound = 'linf'):
+
+    out = model(X)
+    err = (out.data.max(1)[1] != y.data).float().sum()
+    #TODO: find a other way
+    device = X.device
+    imageArray = X.detach().cpu().numpy()
+    X_random = np.random.uniform(-epsilon, epsilon, X.shape)
+    imageArray = np.clip(imageArray + X_random, 0, 1.0)
+
+    X_pgd = torch.tensor(imageArray).to(device).float()
+    X_pgd.requires_grad = True
+    eta = torch.zeros_like(X)
+    eta.requires_grad = True
+    for i in range(num_steps):
+
+        pred = model(X_pgd)
+        loss = nn.CrossEntropyLoss()(pred, y)
+
+        if print_process:
+            print("iteration {:.0f}, loss:{:.4f}".format(i,loss))
+
+        loss.backward()
+
+        if bound == 'linf':
+            eta = step_size * X_pgd.grad.data.sign()
+            X_pgd = X_pgd + eta
+            eta = torch.clamp(X_pgd.data - X.data, -epsilon, epsilon)
+
+            X_pgd = X.data + eta
+
+            X_pgd = torch.clamp(X_pgd, clip_min, clip_max)
+            #for ind in range(X_pgd.shape[1]):
+            #    X_pgd[:,ind,:,:] = (torch.clamp(X_pgd[:,ind,:,:] * std[ind] + mean[ind], clip_min, clip_max) - mean[ind]) / std[ind]
+
+            X_pgd = X_pgd.detach()
+            X_pgd.requires_grad_()
+            X_pgd.retain_grad()
+
+        if bound == 'l2':
+            output = model(X + eta)
+            incorrect = output.max(1)[1] != y
+            correct = (~incorrect).unsqueeze(1).unsqueeze(1).unsqueeze(1).float()
+            #Finding the correct examples so as to attack only them
+            loss = nn.CrossEntropyLoss()(model(X + eta), y)
+            loss.backward()
+
+            eta.data +=  correct * step_size * eta.grad.detach() / torch.norm(eta.grad.detach())
+            eta.data *=  epsilon / torch.norm(eta.detach()).clamp(min=epsilon)
+            eta.data =   torch.min(torch.max(eta.detach(), -X), 1-X) # clip X+delta to [0,1]
+            eta.grad.zero_()
+            X_pgd = X + eta
+
+    return X_pgd
+

deeprobust/image/config.py

@@ -0,0 +1,69 @@
+import numpy as np
+# ---------------------attack config------------------------#
+attack_params = {
+    "FGSM_MNIST": {
+    'epsilon': 0.2,
+    'order': np.inf,
+    'clip_max': None,
+    'clip_min': None
+    },
+
+    "PGD_CIFAR10": {
+    'epsilon': 0.1,
+    'clip_max': 1.0,
+    'clip_min': 0.0,
+    'print_process': True
+    },
+
+    "LBFGS_MNIST": {
+    'epsilon': 1e-4,
+    'maxiter': 20,
+    'clip_max': 1,
+    'clip_min': 0,
+    'class_num': 10
+    },
+
+    "CW_MNIST": {
+    'confidence': 1e-4,
+    'clip_max': 1,
+    'clip_min': 0,
+    'max_iterations': 1000,
+    'initial_const': 1e-2,
+    'binary_search_steps': 5,
+    'learning_rate': 5e-3,
+    'abort_early': True,
+    }
+
+}
+
+#-----------defense(Adversarial training) config------------#
+
+defense_params = {
+    "PGDtraining_MNIST":{
+        'save_dir': "./defense_model",
+        'save_model': True,
+        'save_name' : "mnist_pgdtraining_0.3.pt",
+        'epsilon' : 0.3,
+        'epoch_num' : 80,
+        'lr' : 0.01
+    },
+
+    "FGSMtraining_MNIST":{
+        'save_dir': "./defense_model",
+        'save_model': True,
+        'save_name' : "mnist_fgsmtraining_0.2.pt",
+        'epsilon' : 0.2,
+        'epoch_num' : 50,
+        'lr_train' : 0.001
+    },
+
+    "FAST_MNIST":{
+        'save_dir': "./defense_model",
+        'save_model': True,
+        'save_name' : "fast_mnist_0.3.pt",
+        'epsilon' : 0.3,
+        'epoch_num' : 50,
+        'lr_train' : 0.001
+    }
+}
+

deeprobust/image/defense/LIDclassifier.py

@@ -0,0 +1,145 @@
+"""
+This is an implementation of LID detector.
+Currently this implementation is under testing.
+
+References
+----------
+.. [1] Ma, Xingjun, Bo Li, Yisen Wang, Sarah M. Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E. Houle, and James Bailey. "Characterizing adversarial subspaces using local intrinsic dimensionality." arXiv preprint arXiv:1801.02613 (2018).
+.. [2] Original code:t https://github.com/xingjunm/lid_adversarial_subspace_detection
+Copyright (c) 2018 Xingjun Ma
+"""
+
+from deeprobust.image.netmodels.CNN_multilayer import Net
+
+def train(self, device, train_loader, optimizer, epoch):
+    """train process.
+
+    Parameters
+    ----------
+    device :
+        device(option:'cpu', 'cuda')
+    train_loader :
+        train data loader
+    optimizer :
+        optimizer
+    epoch :
+        epoch
+    """
+    self.model.train()
+    correct = 0
+    bs = train_loader.batch_size
+
+    for batch_idx, (data, target) in enumerate(train_loader):
+
+        optimizer.zero_grad()
+
+        data, target = data.to(device), target.to(device)
+
+        data_adv, output = self.adv_data(data, target, ep = self.epsilon, num_steps = self.num_steps)
+
+        loss = self.calculate_loss(output, target)
+
+        loss.backward()
+        optimizer.step()
+
+        pred = output.argmax(dim = 1, keepdim = True)
+        correct += pred.eq(target.view_as(pred)).sum().item()
+
+        #print every 10
+        if batch_idx % 10 == 0:
+            print('Train Epoch: {} [{}/{} ({:.0f}%)]\tLoss: {:.6f}\tAccuracy:{:.2f}%'.format(
+                epoch, batch_idx * len(data), len(train_loader.dataset),
+                    100. * batch_idx / len(train_loader), loss.item(), 100 * correct/(10*bs)))
+        correct = 0
+
+def get_lid(model, X_test, X_test_noisy, X_test_adv, k, batch_size):
+    """get_lid.
+
+    Parameters
+    ----------
+    model :
+        model
+    X_test :
+        clean data
+    X_test_noisy :
+        noisy data
+    X_test_adv :
+        adversarial data
+    k :
+        k
+    batch_size :
+        batch_size
+    """
+    funcs = [K.function([model.layers[0].input, K.learning_phase()], [out])
+                 for out in get_layer_wise_activations(model, dataset)]
+
+    lid_dim = len(funcs)
+    print("Number of layers to estimate: ", lid_dim)
+
+    def estimate(i_batch):
+
+        start = i_batch * batch_size
+        end = np.minimum(len(X), (i_batch + 1) * batch_size)
+        n_feed = end - start
+        lid_batch = np.zeros(shape=(n_feed, lid_dim))
+        lid_batch_adv = np.zeros(shape=(n_feed, lid_dim))
+        lid_batch_noisy = np.zeros(shape=(n_feed, lid_dim))
+
+        for i, func in enumerate(funcs):
+            X_act = func([X[start:end], 0])[0]
+            X_act = np.asarray(X_act, dtype=np.float32).reshape((n_feed, -1))
+            # print("X_act: ", X_act.shape)
+
+            X_adv_act = func([X_adv[start:end], 0])[0]
+            X_adv_act = np.asarray(X_adv_act, dtype=np.float32).reshape((n_feed, -1))
+            # print("X_adv_act: ", X_adv_act.shape)
+
+            X_noisy_act = func([X_noisy[start:end], 0])[0]
+            X_noisy_act = np.asarray(X_noisy_act, dtype=np.float32).reshape((n_feed, -1))
+            # print("X_noisy_act: ", X_noisy_act.shape)
+
+            # random clean samples
+            # Maximum likelihood estimation of local intrinsic dimensionality (LID)
+            lid_batch[:, i] = mle_batch(X_act, X_act, k=k)
+            # print("lid_batch: ", lid_batch.shape)
+            lid_batch_adv[:, i] = mle_batch(X_act, X_adv_act, k=k)
+            # print("lid_batch_adv: ", lid_batch_adv.shape)
+            lid_batch_noisy[:, i] = mle_batch(X_act, X_noisy_act, k=k)
+            # print("lid_batch_noisy: ", lid_batch_noisy.shape)
+
+        return lid_batch, lid_batch_noisy, lid_batch_adv
+
+    lids = []
+    lids_adv = []
+    lids_noisy = []
+    n_batches = int(np.ceil(X.shape[0] / float(batch_size)))
+
+    for i_batch in tqdm(range(n_batches)):
+
+        lid_batch, lid_batch_noisy, lid_batch_adv = estimate(i_batch)
+        lids.extend(lid_batch)
+        lids_adv.extend(lid_batch_adv)
+        lids_noisy.extend(lid_batch_noisy)
+        # print("lids: ", lids.shape)
+        # print("lids_adv: ", lids_noisy.shape)
+        # print("lids_noisy: ", lids_noisy.shape)
+
+    lids_normal = np.asarray(lids, dtype=np.float32)
+    lids_noisy = np.asarray(lids_noisy, dtype=np.float32)
+    lids_adv = np.asarray(lids_adv, dtype=np.float32)
+
+    lids_pos = lids_adv
+    lids_neg = np.concatenate((lids_normal, lids_noisy))
+    artifacts, labels = merge_and_generate_labels(lids_pos, lids_neg)
+
+    return artifacts, labels
+
+if __name__ == "__main__":
+
+    batch_size = 100
+    k_nearest = 20
+
+    #get LID characters
+    characters, labels = get_lid(model, X_test, X_test_noisy, X_test_adv, k_nearest, batch_size)
+    data = np.concatenate((characters, labels), axis = 1)
+

docs/graph/attack.rst

@@ -0,0 +1,109 @@
+Introduction to Graph Attack with Examples
+=======================
+In this section, we introduce the graph attack algorithms provided 
+in DeepRobust. Speficailly, they can be divied into two types: 
+(1) targeted attack :class:`deeprobust.graph.targeted_attack`  and 
+(2) global attack :class:`deeprobust.graph.global_attack`.
+
+.. contents::
+    :local: 
+
+
+Global (Untargeted) Attack for Node Classification
+-----------------------
+Global (untargeted) attack aims to fool GNNs into giving wrong predictions on all 
+given nodes. Specifically, DeepRobust provides the following targeted
+attack algorithms:
+
+- :class:`deeprobust.graph.global_attack.Metattack`
+- :class:`deeprobust.graph.global_attack.MetaApprox`
+- :class:`deeprobust.graph.global_attack.DICE`
+- :class:`deeprobust.graph.global_attack.MinMax`
+- :class:`deeprobust.graph.global_attack.PGDAttack`
+- :class:`deeprobust.graph.global_attack.NIPA`
+- :class:`deeprobust.graph.global_attack.Random`
+- :class:`deeprobust.graph.global_attack.NodeEmbeddingAttack`
+- :class:`deeprobust.graph.global_attack.OtherNodeEmbeddingAttack`
+
+All the above attacks except `NodeEmbeddingAttack` and `OtherNodeEmbeddingAttack` (see details 
+`here <https://deeprobust.readthedocs.io/en/latest/graph/node_embedding.html>`_ ) 
+take the adjacency matrix, node feature matrix and labels as input. Usually, the adjacency 
+matrix is in the format of :obj:`scipy.sparse.csr_matrix` and feature matrix can either be 
+:obj:`scipy.sparse.csr_matrix` or :obj:`numpy.array`. The attack algorithm
+will then transfer them into :obj:`torch.tensor` inside the class. It is also fine if you
+provide :obj:`torch.tensor` as input, since the algorithm can automatically deal with it. 
+Now let's take a look at an example:
+
+.. code-block:: python
+
+    import numpy as np
+    from deeprobust.graph.data import Dataset
+    from deeprobust.graph.defense import GCN
+    from deeprobust.graph.global_attack import Metattack
+    data = Dataset(root='/tmp/', name='cora')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    idx_unlabeled = np.union1d(idx_val, idx_test)
+    idx_unlabeled = np.union1d(idx_val, idx_test)
+    # Setup Surrogate model
+    surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
+                    nhid=16, dropout=0, with_relu=False, with_bias=False, device='cpu').to('cpu')
+    surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30)
+    # Setup Attack Model
+    model = Metattack(surrogate, nnodes=adj.shape[0], feature_shape=features.shape,
+            attack_structure=True, attack_features=False, device='cpu', lambda_=0).to('cpu')
+    # Attack
+    model.attack(features, adj, labels, idx_train, idx_unlabeled, n_perturbations=10, ll_constraint=False)
+    modified_adj = model.modified_adj # modified_adj is a torch.tensor
+
+
+Targeted Attack for Node Classification
+-----------------------
+Targeted attack aims to fool GNNs into give wrong predictions on a 
+subset of nodes. Specifically, DeepRobust provides the following targeted
+attack algorithms:
+
+- :class:`deeprobust.graph.targeted_attack.Nettack`
+- :class:`deeprobust.graph.targeted_attack.RLS2V`
+- :class:`deeprobust.graph.targeted_attack.FGA`
+- :class:`deeprobust.graph.targeted_attack.RND`
+- :class:`deeprobust.graph.targeted_attack.IGAttack`
+
+All the above attacks take the adjacency matrix, node feature matrix and labels as input.
+Usually, the adjacency matrix is in the format of :obj:`scipy.sparse.csr_matrix` and feature
+matrix can either be :obj:`scipy.sparse.csr_matrix` or :obj:`numpy.array`. Now let's take a look at an example:
+
+.. code-block:: python
+
+    from deeprobust.graph.data import Dataset
+    from deeprobust.graph.defense import GCN
+    from deeprobust.graph.targeted_attack import Nettack
+    data = Dataset(root='/tmp/', name='cora')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    # Setup Surrogate model
+    surrogate = GCN(nfeat=features.shape[1], nclass=labels.max().item()+1,
+                    nhid=16, dropout=0, with_relu=False, with_bias=False, device='cpu').to('cpu')
+    surrogate.fit(features, adj, labels, idx_train, idx_val, patience=30)
+    # Setup Attack Model
+    target_node = 0
+    model = Nettack(surrogate, nnodes=adj.shape[0], attack_structure=True, attack_features=True, device='cpu').to('cpu')
+    # Attack
+    model.attack(features, adj, labels, target_node, n_perturbations=5)
+    modified_adj = model.modified_adj # scipy sparse matrix
+    modified_features = model.modified_features # scipy sparse matrix
+
+Note that we also provide scripts in :download:`test_nettack.py <https://github.com/DSE-MSU/DeepRobust/blob/master/examples/graph/test_nettack.py>`  
+for selecting nodes as reported in the 
+`nettack <https://arxiv.org/abs/1805.07984>`_ paper: (1) the 10 nodes 
+with highest margin of classification, i.e. they are clearly correctly classified, 
+(2) the 10 nodes with lowest margin (but still correctly classified) and 
+(3) 20 more nodes randomly.
+
+
+More Examples 
+-----------------------
+More examples can be found in :class:`deeprobust.graph.targeted_attack` and 
+:class:`deeprobust.graph.global_attack`. You can also find examples in 
+`github code examples <https://github.com/DSE-MSU/DeepRobust/tree/master/examples/graph>`_ 
+and more details in `attacks table <https://github.com/DSE-MSU/DeepRobust/tree/master/deeprobust/graph#attack-methods>`_.

docs/graph/data.rst

@@ -0,0 +1,188 @@
+Graph Dataset 
+=======================
+
+We briefly introduce the dataset format of DeepRobust through self-contained examples.
+In essence, DeepRobust-Graph provides the following main features:
+
+.. contents::
+    :local: 
+
+
+
+Clean (Unattacked) Graphs for Node Classification
+-----------------------
+Graphs are ubiquitous data structures describing pairwise relations between entities.
+A single clean graph in DeepRobust is described by an instance of :class:`deeprobust.graph.data.Dataset`, which holds the following attributes by default:
+
+- :obj:`data.adj`: Graph adjacency matrix in scipy.sparse.csr_matrix format with shape :obj:`[num_nodes, num_nodes]`
+- :obj:`data.features`: Node feature matrix with shape :obj:`[num_nodes, num_node_features]`
+- :obj:`data.labels`: Target to train against (may have arbitrary shape), *e.g.*, node-level targets of shape :obj:`[num_nodes, *]`
+- :obj:`data.train_idx`: Array of training node indices 
+- :obj:`data.val_idx`: Array of validation node indices 
+- :obj:`data.test_idx`: Array of test node indices 
+
+By default, the loaded :obj:`deeprobust.graph.data.Dataset` will select the largest connect
+component of the graph, but users specify different settings by giving different parameters. 
+
+Currently DeepRobust supports the following datasets:
+:obj:`Cora`,
+:obj:`Cora-ML`,
+:obj:`Citeseer`,
+:obj:`Pubmed`,
+:obj:`Polblogs`,
+:obj:`ACM`,
+:obj:`BlogCatalog`,
+:obj:`Flickr`,
+:obj:`UAI`.
+More details about the datasets can be found `here <https://github.com/DSE-MSU/DeepRobust/tree/master/deeprobust/graph#supported-datasets>`_.
+
+
+By default, the data splits are generated by :obj:`deeprobust.graph.utils.get_train_val_test`,
+which randomly split the data into 10%/10%/80% for training/validaiton/test. You can also generate 
+splits by yourself by using :obj:`deeprobust.graph.utils.get_train_val_test` or :obj:`deeprobust.graph.utils.get_train_val_test_gcn`. 
+It is worth noting that there is parameter :obj:`setting` that can be passed into this class. It can be chosen from `["nettack", "gcn", "prognn"]`: 
+
+- :obj:`setting="nettack"`: the data splits are 10%/10%/80% and using the largest connected component of the graph; 
+- :obj:`setting="gcn"`: use the full graph and the data splits will be: 20 nodes per class for training, 500 nodes for validation and 1000 nodes for testing (randomly choosen);
+- :obj:`setting="prognn"`: use the largest connected component and the data splits are provided by `ProGNN <https://github.com/ChandlerBang/Pro-GNN>`_ (10%/10%/80%);
+
+
+.. note::
+    The 'netack' and 'gcn' setting do not provide fixed split, i.e.,
+    different random seed would return different data splits. 
+
+.. note::
+    If you hope to use the full graph, please use the 'gcn' setting. 
+
+The following example shows how to load DeepRobust datasets
+
+.. code-block:: python
+   
+   from deeprobust.graph.data import Dataset
+   # loading cora dataset
+   data = Dataset(root='/tmp/', name='cora', seed=15) 
+   adj, features, labels = data.adj, data.features, data.labels
+   idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+   # you can also split the data by yourself
+   idx_train, idx_val, idx_test = get_train_val_test(adj.shape[0], val_size=0.1, test_size=0.8) 
+
+   # loading acm dataset
+   data = Dataset(root='/tmp/', name='acm', seed=15) 
+
+
+DeepRobust also provides access to Amazon and Coauthor datasets loaded from Pytorch Geometric:
+:obj:`Amazon-Computers`,
+:obj:`Amazon-Photo`,
+:obj:`Coauthor-CS`,
+:obj:`Coauthor-Physics`.
+
+Users can also easily create their own datasets by creating a class with the following attributes: :obj:`data.adj`, :obj:`data.features`, :obj:`data.labels`, :obj:`data.train_idx`, :obj:`data.val_idx`, :obj:`data.test_idx`.
+
+Attacked Graphs for Node Classification
+-----------------------
+DeepRobust provides the attacked graphs perturbed by `metattack <https://openreview.net/pdf?id=Bylnx209YX>`_ and `nettack <https://arxiv.org/abs/1805.07984>`_. The graphs are attacked using authors' Tensorflow implementation, on random split using seed 15. The download link can be found in `ProGNN code <https://github.com/ChandlerBang/Pro-GNN/tree/master/splits>`_ and the performance of various GNNs can be found in `ProGNN paper <https://arxiv.org/abs/2005.10203>`_. They are instances of :class:`deeprobust.graph.data.PrePtbDataset` with only one attribute :obj:`adj`. Hence, :class:`deeprobust.graph.data.PrePtbDataset` is often used together with :class:`deeprobust.graph.data.Dataset` to obtain node features and labels. 
+
+For metattack, DeepRobust provides attacked graphs for Cora, Citeseer, Polblogs and Pubmed, 
+and the perturbation rate can be chosen from [0.05, 0.1, 0.15, 0.2, 0.25].
+
+.. code-block:: python
+   
+   from deeprobust.graph.data import Dataset, PrePtbDataset
+   # You can either use setting='prognn' or seed=15 to get the prognn splits 
+   # data = Dataset(root='/tmp/', name='cora', seed=15) # since the attacked graph are generated under seed 15
+   data = Dataset(root='/tmp/', name='cora', setting='prognn')    
+   adj, features, labels = data.adj, data.features, data.labels
+   idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+   # Load meta attacked data
+   perturbed_data = PrePtbDataset(root='/tmp/',
+					   name='cora',
+					   attack_method='meta',
+					   ptb_rate=0.05)
+   perturbed_adj = perturbed_data.adj
+
+For nettack, DeepRobust provides attacked graphs for Cora, Citeseer, Polblogs and Pubmed, 
+and ptb_rate indicates the number of perturbations made on each node. 
+It can be chosen from [1.0, 2.0, 3.0, 4.0, 5.0].
+
+.. code-block:: python
+
+   from deeprobust.graph.data import Dataset, PrePtbDataset
+   # data = Dataset(root='/tmp/', name='cora', seed=15) 
+   data = Dataset(root='/tmp/', name='cora', setting='prognn')    
+   adj, features, labels = data.adj, data.features, data.labels
+   idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+   # Load nettack attacked data
+   perturbed_data = PrePtbDataset(root='/tmp/', name='cora',
+					   attack_method='nettack',
+					   ptb_rate=3.0) # here ptb_rate means number of perturbation per nodes
+   perturbed_adj = perturbed_data.adj
+   idx_test = perturbed_data.target_nodes
+
+
+
+Converting Graph Data between DeepRobust and PyTorch Geometric 
+-----------------------
+Given the popularity of PyTorch Geometric in the graph representation learning community,
+we also provide tools for converting data between DeepRobust and PyTorch Geometric. We can
+use :class:`deeprobust.graph.data.Dpr2Pyg` to convert DeepRobust data to PyTorch Geometric 
+and use :class:`deeprobust.graph.data.Pyg2Dpr` to convert Pytorch Geometric data to DeepRobust.
+For example, we can first create an instance of the Dataset class and convert it to pytorch geometric data format.
+
+.. code-block:: python
+
+    from deeprobust.graph.data import Dataset, Dpr2Pyg, Pyg2Dpr
+    data = Dataset(root='/tmp/', name='cora') # load clean graph
+    pyg_data = Dpr2Pyg(data) # convert dpr to pyg
+    print(pyg_data)
+    print(pyg_data[0])
+    dpr_data = Pyg2Dpr(pyg_data) # convert pyg to dpr
+    print(dpr_data.adj)
+
+
+Load OGB Datasets 
+-----------------------
+`Open Graph Benchmark (OGB) <https://ogb.stanford.edu/>`_ has provided various benchmark
+datasets. DeepRobsut now provides interface to convert OGB dataset format (Pyg data format) 
+to DeepRobust format.
+
+.. code-block:: python
+
+    from ogb.nodeproppred import PygNodePropPredDataset
+    from deeprobust.graph.data import Pyg2Dpr
+    pyg_data = PygNodePropPredDataset(name = 'ogbn-arxiv')
+    dpr_data = Pyg2Dpr(pyg_data) # convert pyg to dpr
+    
+
+Load Pytorch Geometric Amazon and Coauthor Datasets
+-----------------------
+DeepRobust also provides access to the Amazon datasets and Coauthor datasets, i.e.,
+`Amazon-Computers`, `Amazon-Photo`, `Coauthor-CS`, `Coauthor-Physics`, from Pytorch 
+Geometric. Specifically, users can access them through 
+:class:`deeprobust.graph.data.AmazonPyg` and :class:`deeprobust.graph.data.CoauthorPyg`. 
+For example, we can directly load Amazon dataset from deeprobust in the format of pyg
+as follows,
+
+.. code-block:: python
+
+    from deeprobust.graph.data import AmazonPyg
+    computers = AmazonPyg(root='/tmp', name='computers')
+    print(computers)
+    print(computers[0])
+    photo = AmazonPyg(root='/tmp', name='photo')
+    print(photo)
+    print(photo[0])
+
+
+Similarly, we can also load Coauthor dataset,
+
+.. code-block:: python
+
+    from deeprobust.graph.data import CoauthorPyg
+    cs = CoauthorPyg(root='/tmp', name='cs')
+    print(cs)
+    print(cs[0])
+    physics = CoauthorPyg(root='/tmp', name='physics')
+    print(physics)
+    print(physics[0])
+
+

docs/graph/pyg.rst

@@ -0,0 +1,155 @@
+Using PyTorch Geometric in DeepRobust
+========
+DeepRobust now provides interface to convert the data between
+PyTorch Geometric and DeepRobust. 
+
+.. note::
+    Before we start, make sure you have successfully installed `torch_geometric 
+    <https://pytorch-geometric.readthedocs.io/en/latest/notes/installation.html>`_. 
+    After you install torch_geometric, please reinstall DeepRobust to activate 
+    the following functions.
+
+.. contents::
+    :local: 
+
+Converting Graph Data between DeepRobust and PyTorch Geometric 
+-----------------------
+Given the popularity of PyTorch Geometric in the graph representation learning community,
+we also provide tools for converting data between DeepRobust and PyTorch Geometric. We can
+use :class:`deeprobust.graph.data.Dpr2Pyg` to convert DeepRobust data to PyTorch Geometric 
+and use :class:`deeprobust.graph.data.Pyg2Dpr` to convert Pytorch Geometric data to DeepRobust.
+For example, we can first create an instance of the Dataset class and convert it to pytorch geometric data format.
+
+.. code-block:: python
+
+    from deeprobust.graph.data import Dataset, Dpr2Pyg, Pyg2Dpr
+    data = Dataset(root='/tmp/', name='cora') # load clean graph
+    pyg_data = Dpr2Pyg(data) # convert dpr to pyg
+    print(pyg_data)
+    print(pyg_data[0])
+    dpr_data = Pyg2Dpr(pyg_data) # convert pyg to dpr
+    print(dpr_data.adj)
+
+For the attacked graph :class:`deeprobust.graph.PrePtbDataset`, it only has the attribute :obj:`adj`. 
+To convert it to PyTorch Geometric data format, we can first convert the clean graph to Pyg and 
+then update its :obj:`edge_index`:
+
+.. code-block:: python
+    
+    from deeprobust.graph.data import Dataset, PrePtbDataset, Dpr2Pyg
+    data = Dataset(root='/tmp/', name='cora') # load clean graph
+    pyg_data = Dpr2Pyg(data) # convert dpr to pyg
+    # load perturbed graph
+    perturbed_data = PrePtbDataset(root='/tmp/',
+            name='cora',
+            attack_method='meta',
+            ptb_rate=0.05)
+    perturbed_adj = perturbed_data.adj
+    pyg_data.update_edge_index(perturbed_adj) # inplace operation
+
+Now :obj:`pyg_data` becomes the perturbed data in the format of PyTorch Geometric. 
+We can then use it as the input for various Pytorch Geometric models!
+
+Load OGB Datasets 
+-----------------------
+`Open Graph Benchmark (OGB) <https://ogb.stanford.edu/>`_ has provided various benchmark
+datasets. DeepRobsut now provides interface to convert OGB dataset format (Pyg data format) 
+to DeepRobust format.
+
+.. code-block:: python
+
+    from ogb.nodeproppred import PygNodePropPredDataset
+    from deeprobust.graph.data import Pyg2Dpr
+    pyg_data = PygNodePropPredDataset(name = 'ogbn-arxiv')
+    dpr_data = Pyg2Dpr(pyg_data) # convert pyg to dpr
+    
+
+Load Pytorch Geometric Amazon and Coauthor Datasets
+-----------------------
+DeepRobust also provides access to the Amazon datasets and Coauthor datasets, i.e.,
+`Amazon-Computers`, `Amazon-Photo`, `Coauthor-CS`, `Coauthor-Physics`, from Pytorch 
+Geometric. Specifically, users can access them through 
+:class:`deeprobust.graph.data.AmazonPyg` and :class:`deeprobust.graph.data.CoauthorPyg`. 
+For example, we can directly load Amazon dataset from deeprobust in the format of pyg
+as follows,
+
+.. code-block:: python
+
+    from deeprobust.graph.data import AmazonPyg
+    computers = AmazonPyg(root='/tmp', name='computers')
+    print(computers)
+    print(computers[0])
+    photo = AmazonPyg(root='/tmp', name='photo')
+    print(photo)
+    print(photo[0])
+
+
+Similarly, we can also load Coauthor dataset,
+
+.. code-block:: python
+
+    from deeprobust.graph.data import CoauthorPyg
+    cs = CoauthorPyg(root='/tmp', name='cs')
+    print(cs)
+    print(cs[0])
+    physics = CoauthorPyg(root='/tmp', name='physics')
+    print(physics)
+    print(physics[0])
+
+
+Working on PyTorch Geometric Models
+-----------
+In this subsection, we provide examples for using GNNs based on
+PyTorch Geometric. Spefically, we use GAT :class:`deeprobust.graph.defense.GAT` and 
+ChebNet :class:`deeprobust.graph.defense.ChebNet` to further illustrate (while :class:`deeprobust.graph.defense.SGC` is also available in this library).
+Basically, we can first convert the DeepRobust data to PyTorch Geometric 
+data and then train Pyg models.
+
+.. code-block:: python
+
+    from deeprobust.graph.data import Dataset, Dpr2Pyg, PrePtbDataset
+    from deeprobust.graph.defense import GAT
+    data = Dataset(root='/tmp/', name='cora', seed=15)
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    gat = GAT(nfeat=features.shape[1],
+              nhid=8, heads=8,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device='cpu')
+    gat = gat.to('cpu')
+    pyg_data = Dpr2Pyg(data) # convert deeprobust dataset to pyg dataset
+    gat.fit(pyg_data, patience=100, verbose=True) # train with earlystopping
+    gat.test() # test performance on clean graph 
+
+    # load perturbed graph
+    perturbed_data = PrePtbDataset(root='/tmp/',
+            name='cora',
+            attack_method='meta',
+            ptb_rate=0.05)
+    perturbed_adj = perturbed_data.adj
+    pyg_data.update_edge_index(perturbed_adj) # inplace operation
+    gat.fit(pyg_data, patience=100, verbose=True) # train with earlystopping
+    gat.test() # test performance on perturbed graph 
+
+
+.. code-block:: python
+
+    from deeprobust.graph.data import Dataset, Dpr2Pyg
+    from deeprobust.graph.defense import ChebNet
+    data = Dataset(root='/tmp/', name='cora')
+    adj, features, labels = data.adj, data.features, data.labels
+    idx_train, idx_val, idx_test = data.idx_train, data.idx_val, data.idx_test
+    cheby = ChebNet(nfeat=features.shape[1],
+              nhid=16, num_hops=3,
+              nclass=labels.max().item() + 1,
+              dropout=0.5, device='cpu')
+    cheby = cheby.to('cpu')
+    pyg_data = Dpr2Pyg(data) # convert deeprobust dataset to pyg dataset
+    cheby.fit(pyg_data, patience=10, verbose=True) # train with earlystopping
+    cheby.test()
+
+
+More Details 
+-----------------------
+More details can be found in  
+`test_gat.py <https://github.com/DSE-MSU/DeepRobust/tree/master/examples/graph/test_gat.py>`_, `test_chebnet.py <https://github.com/DSE-MSU/DeepRobust/tree/master/examples/graph/test_chebnet.py>`_ and `test_sgc.py <https://github.com/DSE-MSU/DeepRobust/tree/master/examples/graph/test_sgc.py>`_.

docs/image/example.rst

@@ -0,0 +1,58 @@
+
+Image Attack and Defense
+============
+We introduce the usage of attacks and defense API in image package.
+
+.. contents::
+    :local: 
+
+
+Attack Example
+------------
+
+    .. code-block:: python
+       
+       from deeprobust.image.attack.pgd import PGD
+       from deeprobust.image.config import attack_params
+       from deeprobust.image.utils import download_model
+       import torch
+       import deeprobust.image.netmodels.resnet as resnet
+
+       URL = "https://github.com/I-am-Bot/deeprobust_model/raw/master/CIFAR10_ResNet18_epoch_50.pt"
+       download_model(URL, "$MODEL_PATH$")
+
+       model = resnet.ResNet18().to('cuda')
+       model.load_state_dict(torch.load("$MODEL_PATH$"))
+       model.eval()
+
+       transform_val = transforms.Compose([transforms.ToTensor()])
+       test_loader  = torch.utils.data.DataLoader(
+                    datasets.CIFAR10('deeprobust/image/data', train = False, download=True,
+                    transform = transform_val),
+                    batch_size = 10, shuffle=True)
+
+       x, y = next(iter(test_loader))
+       x = x.to('cuda').float()
+
+       adversary = PGD(model, device)
+       Adv_img = adversary.generate(x, y, **attack_params['PGD_CIFAR10'])
+
+Defense Example
+------------
+
+    .. code-block:: python
+       
+       model = Net()
+       train_loader = torch.utils.data.DataLoader(
+                       datasets.MNIST('deeprobust/image/defense/data', train=True, download=True,
+                       transform=transforms.Compose([transforms.ToTensor()])),
+                       batch_size=100, shuffle=True)
+       test_loader = torch.utils.data.DataLoader(
+                      datasets.MNIST('deeprobust/image/defense/data', train=False,
+                      transform=transforms.Compose([transforms.ToTensor()])),
+                      batch_size=1000,shuffle=True)
+       
+       defense = PGDtraining(model, 'cuda')
+       defense.generate(train_loader, test_loader, **defense_params["PGDtraining_MNIST"])
+
+

docs/notes/installation.rst

@@ -0,0 +1,23 @@
+Installation
+============
+#. Activate your virtual environment
+
+#. Install package
+
+   Install the newest deeprobust:
+
+    .. code-block:: none
+    
+       git clone https://github.com/DSE-MSU/DeepRobust.git
+       cd DeepRobust
+       python setup.py install
+
+   Or install via pip (may not contain all the new features)
+
+    .. code-block:: none
+        
+        pip install deeprobust
+
+.. note::
+    If you meet any installation problem, feel free to open an issue
+    in the our github `page <https://github.com/DSE-MSU/DeepRobust/issues>`_

requirements.txt

@@ -0,0 +1,14 @@
+matplotlib==3.6.0
+numpy==1.23.5
+ipdb==0.13.13
+torch==2.0.1
+scipy==1.11.3
+torchvision==0.15.2
+texttable==1.6.7
+networkx==3.0
+numba==0.57.1
+Pillow==9.4.0
+scikit-learn==1.2.0
+tensorboardX==2.6
+tqdm==4.64.1
+gensim==4.3.0