Watermarking Graph Neural Networks by Random Graphs

TL;DR

This paper introduces a novel watermarking method for graph neural networks using random Erdos-Renyi graphs as triggers, enabling model ownership verification without impairing performance and showing robustness against common attacks.

Contribution

The paper proposes a new GNN watermarking technique using random graphs as triggers, which is robust, non-intrusive, and effective for ownership verification.

Findings

Watermark can be embedded without affecting GNN performance.

The method is robust against model compression and fine-tuning.

Low false alarm rate due to random ER graph triggers.

Abstract

Many learning tasks require us to deal with graph data which contains rich relational information among elements, leading increasing graph neural network (GNN) models to be deployed in industrial products for improving the quality of service. However, they also raise challenges to model authentication. It is necessary to protect the ownership of the GNN models, which motivates us to present a watermarking method to GNN models in this paper. In the proposed method, an Erdos-Renyi (ER) random graph with random node feature vectors and labels is randomly generated as a trigger to train the GNN to be protected together with the normal samples. During model training, the secret watermark is embedded into the label predictions of the ER graph nodes. During model verification, by activating a marked GNN with the trigger ER graph, the watermark can be reconstructed from the output to verify the ownership. Since the ER graph was randomly generated, by feeding it to a non-marked GNN, the label predictions of the graph nodes are random, resulting in a low false alarm rate (of the proposed work). Experimental results have also shown that, the performance of a marked GNN on its original task will not be impaired. Moreover, it is robust against model compression and fine-tuning, which has shown the superiority and applicability.