
CITED: A Decision Boundary-Aware Signature for GNNs Towards Model Extraction Defense

arXiv:2602.20418v1 (announce type: new)

Abstract: Graph neural networks (GNNs) have demonstrated superior performance in various applications, such as recommendation systems and financial risk management. However, deploying large-scale GNN models locally is particularly challenging for users, as it requires significant computational resources and extensive property data. Consequently, Machine Learning as a Service (MLaaS) has become increasingly popular, offering a convenient way to deploy and access various models, including GNNs. However, an emerging threat known as Model Extraction Attacks (MEAs) presents significant risks, as adversaries can readily obtain surrogate GNN models exhibiting similar functionality. Specifically, attackers repeatedly query the target model using subgraph inputs to collect corresponding responses. These input-output pairs are subsequently utilized to train their own surrogate models at minimal cost. Many techniques have been proposed to defend against MEAs, but most are limited to specific output levels (e.g., embedding or label) and suffer from inherent technical drawbacks. To address these limitations, we propose a novel ownership verification framework, CITED, which is a first-of-its-kind method to achieve ownership verification on both embedding and label levels. Moreover, CITED is a novel signature-based method that neither harms downstream performance nor introduces auxiliary models that reduce efficiency, while still outperforming all watermarking and fingerprinting approaches. Extensive experiments demonstrate the effectiveness and robustness of our CITED framework. Code is available at: https://github.com/LabRAI/CITED.

Executive Summary

This paper proposes a novel ownership verification framework called CITED to defend against Model Extraction Attacks (MEAs) on Graph Neural Networks (GNNs). CITED is a signature-based method that achieves ownership verification at both the embedding and label levels without harming downstream performance or introducing auxiliary models. The authors report that the framework outperforms existing watermarking and fingerprinting approaches, and their experiments demonstrate its effectiveness and robustness. The code is released in a GitHub repository. The framework addresses a critical concern in the deployment of GNN models in Machine Learning as a Service (MLaaS) settings and has significant implications for the security and integrity of those models.

Key Points

  • Proposes a novel ownership verification framework CITED for GNNs to defend against MEAs
  • Achieves ownership verification on both embedding and label levels without performance degradation
  • Outperforms existing watermarking and fingerprinting approaches

Merits

Strength in Defense

CITED provides a robust defense against MEAs by verifying ownership on multiple levels, making it a strong countermeasure to these attacks.

Efficiency

CITED does not introduce auxiliary models or harm downstream performance, preserving the efficiency of GNN models.

Robustness

Extensive experiments demonstrate the effectiveness and robustness of CITED against various MEA settings.

Demerits

Limited Evaluation Scope

The evaluation of CITED focuses on specific MEA scenarios, and its performance in other scenarios is unclear.

Potential Overhead

The signature-based approach may incur additional computational overhead, which could impact the performance of GNN models in resource-constrained environments.

Expert Commentary

The CITED framework is a significant contribution to the field of GNN security, addressing a critical concern in the deployment of these models in MLaaS settings. The authors' approach of verifying ownership at multiple output levels provides a robust defense against MEAs while preserving the efficiency of GNN models. However, the potential overhead of the signature-based approach and the limited evaluation scope of the paper require further investigation. The implications of CITED are far-reaching, touching both the security and integrity of GNN models in MLaaS settings and potential regulatory requirements around model ownership.

Recommendations

  • Further investigation into the potential overhead of CITED in resource-constrained environments
  • Expansion of the evaluation scope to include other MEA scenarios and GNN architectures
