On Stealing Graph Neural Network Models
Marcin Podhajski, Jan Dubiński, Franziska Boenisch, Adam Dziedzic, Agnieszka Pręgowska, Tomasz P. Michalak

TL;DR
This paper presents a novel method for extracting graph neural network models with minimal queries, demonstrating effectiveness even under strict query limits and existing defenses, highlighting the need for stronger protections.
Contribution
The paper introduces a two-step attack that first recovers the GNN backbone without queries and then maximizes information gain within limited queries.
Findings
Effective extraction under strict query limits
Successful attack against existing defenses
Applicable to multiple real-world datasets
Abstract
Current graph neural network (GNN) model-stealing methods rely heavily on queries to the victim model, assuming no hard query limits. However, in reality, the number of allowed queries can be severely limited. In this paper, we demonstrate how an adversary can extract a GNN with very limited interactions with the model. Our approach first enables the adversary to obtain the model backbone without making direct queries to the victim model and then to strategically utilize a fixed query limit to extract the most informative data. The experiments on eight real-world datasets demonstrate the effectiveness of the attack, even under a very restricted query limit and under defense against model extraction in place. Our findings underscore the need for robust defenses against GNN model extraction threats.
Taxonomy
Topics: Advanced Graph Neural Networks · Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
