Graph neural networks (GNNs) have emerged as a state-of-the-art approach to model and draw inferences from large-scale graph-structured data in various application settings such as social networking. The primary goal of a GNN is to learn an embedding for each graph node in a dataset that encodes both the node features and the local graph structure around the node. Embeddings generated by a GNN for a graph node are unique to that GNN. Prior work has shown that GNNs are prone to model extraction attacks. Model extraction attacks and defenses have been explored extensively in other non-graph settings. While detecting or preventing model extraction appears to be difficult, deterring it via effective ownership verification techniques offers a potential defense. In non-graph settings, fingerprinting models, or the data used to build them, has been shown to be a promising approach toward ownership verification. We present GrOVe, a state-of-the-art GNN model fingerprinting scheme that, given a target model and a suspect model, can reliably determine if the suspect model was trained independently of the target model or if it is a surrogate of the target model obtained via model extraction. We show that GrOVe can distinguish between surrogate and independent models even when the independent model uses the same training dataset and architecture as the original target model. Using six benchmark datasets and three model architectures, we show that GrOVe consistently achieves low false-positive and false-negative rates. We demonstrate that GrOVe is robust against known fingerprint evasion techniques while remaining computationally efficient.