Recent years have witnessed the prosperous development of Graph Self-supervised Learning (GSSL), which enables to pre-train transferable foundation graph encoders. However, the easy-to-plug-in nature of such encoders makes them vulnerable to copyright infringement. To address this issue, we develop a novel watermarking framework to protect graph encoders in GSSL settings. The key idea is to force the encoder to map a set of specially crafted trigger instances into a unique compact cluster in the outputted embedding space during model pre-training. Consequently, when the encoder is stolen and concatenated with any downstream classifiers, the resulting model inherits the `backdoor' of the encoder and predicts the trigger instances to be in a single category with high probability regardless of the ground truth. Experimental results have shown that, the embedded watermark can be transferred to various downstream tasks in black-box settings, including node classification, link prediction and community detection, which forms a reliable watermark verification system for GSSL in reality. This approach also shows satisfactory performance in terms of model fidelity, reliability and robustness.

翻译：近年来，图自监督学习（GSSL）蓬勃发展，使得可迁移的基础图编码器得以预训练。然而，此类编码器易于插拔的特性使其容易受到版权侵犯。为解决这一问题，我们开发了一种新颖的水印框架，用于保护GSSL环境下的图编码器。其核心思想是在模型预训练期间，强制编码器将一组特殊构建的触发实例映射到输出嵌入空间中的一个独特紧凑簇中。因此，当编码器被盗用并与任何下游分类器连接时，所得模型会继承编码器的“后门”，并以高概率将触发实例预测为单一类别，而无论其真实标签如何。实验结果表明，嵌入的水印可以在黑盒设置下迁移到各种下游任务中，包括节点分类、链接预测和社区检测，从而为现实中的GSSL构建了一个可靠的水印验证系统。该方法在模型保真度、可靠性和鲁棒性方面也表现出令人满意的性能。