Graph-structured datasets are increasingly central to sensitive applications spanning social networks, biomedical research, and cryptographic systems. As organizations share these datasets with trusted parties for collaborative analysis, protecting against unauthorized redistribution becomes critical. Graph watermarking addresses this challenge by embedding detectable signatures that enable ownership verification and attribution of leaked data. However, despite advances in watermarking techniques, existing robustness evaluations remain limited to random edge perturbation attacks, overlooking more sophisticated adversaries who exploit community structure present in real-world graphs. We introduce the first systematic evaluation of cluster-aware attacks on graph watermarking schemes. We present a threat model in which adversaries leverage community detection algorithms to guide strategic edge modifications, targeting either intra-cluster densification with inter-cluster boundary removal, or intra-cluster sparsification with inter-cluster noise injection. Evaluating against the most comprehensively tested watermarking scheme, we demonstrate that cluster-aware attacks outperform random perturbations across real-world datasets and clustering algorithms. Our findings reveal that cluster-aware attacks reduce attribution accuracy while introducing comparable structural distortion to random attacks, demonstrating superior attack efficiency. These results establish that current watermarking schemes, evaluated solely against random perturbations, remain vulnerable to structure-aware adversarial behavior, highlighting the need for robust defenses that account for community-exploiting adversaries in graph-based privacy protection systems.

翻译：图结构数据集在社交网络、生物医学研究和密码系统等敏感应用中的地位日益重要。随着组织与可信方共享这些数据集以进行协作分析，防止未经授权的再分发变得至关重要。图水印技术通过嵌入可检测的签名来解决这一挑战，使得能够对泄露数据进行所有权验证和溯源。然而，尽管水印技术取得了进展，现有的鲁棒性评估仍局限于随机边扰动攻击，忽略了利用现实世界图中存在的社区结构的更复杂对手。我们首次系统评估了针对图水印方案的基于聚类的攻击。我们提出了一种威胁模型，其中对手利用社区检测算法指导策略性的边修改，目标可以是采用簇间边界移除的簇内稠密化，或采用簇间噪声注入的簇内稀疏化。通过对经过最全面测试的水印方案进行评估，我们证明在真实世界数据集和聚类算法上，基于聚类的攻击优于随机扰动。我们的研究结果表明，基于聚类的攻击在引入与随机攻击相当的结构失真的同时，降低了溯源准确性，展示了更优的攻击效率。这些结果证实，当前仅针对随机扰动进行评估的水印方案，在面对结构感知的对抗行为时仍然脆弱，这凸显了在图基隐私保护系统中，需要开发能够应对利用社区结构的对手的鲁棒防御机制。