CITED: A Decision Boundary-Aware Signature for GNNs Towards Model Extraction Defense
Bolin Shen, Md Shamim Seraj, Zhan Cheng, Shayok Chakraborty, Yushun Dong

TL;DR
CITED is a novel signature-based framework for verifying ownership of GNNs against model extraction attacks, effective on both embedding and label levels without harming model performance.
Contribution
It introduces the first ownership verification method for GNNs that works on multiple output levels and outperforms existing watermarking techniques.
Findings
CITED effectively verifies GNN ownership against extraction attacks.
The framework maintains downstream GNN performance.
CITED demonstrates robustness and outperforms prior watermarking methods.
Abstract
Graph neural networks (GNNs) have demonstrated superior performance in various applications, such as recommendation systems and financial risk management. However, deploying large-scale GNN models locally is particularly challenging for users, as it requires significant computational resources and extensive property data. Consequently, Machine Learning as a Service (MLaaS) has become increasingly popular, offering a convenient way to deploy and access various models, including GNNs. However, an emerging threat known as Model Extraction Attacks (MEAs) presents significant risks, as adversaries can readily obtain surrogate GNN models exhibiting similar functionality. Specifically, attackers repeatedly query the target model using subgraph inputs to collect corresponding responses. These input-output pairs are subsequently utilized to train their own surrogate models at minimal cost. Many…
Peer Reviews
Decision·Submitted to ICLR 2026
The technical contribution of this paper is solid. The proposed signature effectively addresses the challenge of achieving unified ownership verification at both the embedding level and the label level under model extraction attacks. Moreover, the theoretical analyses provided in the paper are generally sound and offer clear justification for using the 2-Wasserstein distance as the metric for verification.
The experimental evaluation in this paper is somewhat limited. For example, only one model extraction attack (GNNStealing) is adopted as the threat model, and the study focuses solely on the classical node classification task. Additionally, I suggest improving the presentation by introducing an overview figure to provide a clearer illustration of the CITED framework.
- The paper proposes a novel signature-based ownership verification mechanism that operates at both embedding and label levels, addressing a limitation in prior work.
- This paper presents an efficient verification framework, improving scalability over conventional fingerprinting methods.
- The proposed method achieves good verification performance across various datasets and GNN architectures while providing probabilistic guarantees on signature preservation.
- The framework's experimental validation is confined to a single threat model; testing it across multiple MEA scenarios would more effectively demonstrate its robustness.
- While the method shows efficiency advantages, its scalability to graphs with millions of nodes remains unverified; its signature generation (involving boundary node identification and multi-metric scoring) and verification workflows may face computational or memory bottlenecks in such scenarios.
- The framework’s relianc
1. Avoids task-irrelevant triggers, maintaining or even improving model performance on node classification tasks.
2. Eliminates auxiliary model training, reducing computational overhead, and retains effectiveness under MEAs and removal attacks (pruning, fine-tuning).
3. Provides probabilistic bounds for embedding similarity and prediction agreement.
1. Regarding the necessity of integrating the embedding and label levels, this seems more like a technical assumption. Could the authors provide some insight into why this integration is necessary? Watermarking or fingerprinting methods, for example, do not usually focus on both embedding and label levels. Moreover, labels can be viewed as embeddings passed through a classifier, so the nature of embeddings and labels may not differ significantly.
2. In line 245, the authors claim that “as the d
Taxonomy
Topics: Advanced Graph Neural Networks · Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI)
