GrOVe: Ownership Verification of Graph Neural Networks using Embeddings

TL;DR

GrOVe is a novel fingerprinting scheme for graph neural networks that reliably verifies model ownership and detects surrogate models, even under challenging conditions, enhancing security against model extraction attacks.

Contribution

We introduce GrOVe, a state-of-the-art GNN fingerprinting method that effectively distinguishes between independent and surrogate models with low error rates and robustness against evasion techniques.

Findings

Achieves low false-positive and false-negative rates across six datasets.

Effectively detects surrogate models even with identical training data and architecture.

Remains robust against known fingerprint evasion techniques.

Abstract

Graph neural networks (GNNs) have emerged as a state-of-the-art approach to model and draw inferences from large scale graph-structured data in various application settings such as social networking. The primary goal of a GNN is to learn an embedding for each graph node in a dataset that encodes both the node features and the local graph structure around the node. Embeddings generated by a GNN for a graph node are unique to that GNN. Prior work has shown that GNNs are prone to model extraction attacks. Model extraction attacks and defenses have been explored extensively in other non-graph settings. While detecting or preventing model extraction appears to be difficult, deterring them via effective ownership verification techniques offer a potential defense. In non-graph settings, fingerprinting models, or the data used to build them, have shown to be a promising approach toward ownership verification. We present GrOVe, a state-of-the-art GNN model fingerprinting scheme that, given a target model and a suspect model, can reliably determine if the suspect model was trained independently of the target model or if it is a surrogate of the target model obtained via model extraction. We show that GrOVe can distinguish between surrogate and independent models even when the independent model uses the same training dataset and architecture as the original target model. Using six benchmark datasets and three model architectures, we show that consistently achieves low false-positive and false-negative rates. We demonstrate that is robust against known fingerprint evasion techniques while remaining computationally efficient.