Graph Neural Networks (GNNs) have become invaluable intellectual property in graph-based machine learning. However, their vulnerability to model stealing attacks when deployed within Machine Learning as a Service (MLaaS) necessitates robust Ownership Demonstration (OD) techniques. Watermarking is a promising OD framework for Deep Neural Networks, but existing methods fail to generalize to GNNs due to the non-Euclidean nature of graph data. Previous works on GNN watermarking have primarily focused on node and graph classification, overlooking Link Prediction (LP). In this paper, we propose GENIE (watermarking Graph nEural Networks for lInk prEdiction), the first-ever scheme to watermark GNNs for LP. GENIE creates a novel backdoor for both node-representation and subgraph-based LP methods, utilizing a unique trigger set and a secret watermark vector. Our OD scheme is equipped with Dynamic Watermark Thresholding (DWT), ensuring high verification probability (>99.99%) while addressing practical issues in existing watermarking schemes. We extensively evaluate GENIE across 4 model architectures (i.e., SEAL, GCN, GraphSAGE and NeoGNN) and 7 real-world datasets. Furthermore, we validate the robustness of GENIE against 11 state-of-the-art watermark removal techniques and 3 model extraction attacks. We also show GENIE's resilience against ownership piracy attacks. Finally, we discuss a defense strategy to counter adaptive attacks against GENIE.