Recent years have witnessed the prosperous development of Graph Self-supervised Learning (GSSL), which enables to pre-train transferable foundation graph encoders. However, the easy-to-plug-in nature of such encoders makes them vulnerable to copyright infringement. To address this issue, we develop a novel watermarking framework to protect graph encoders in GSSL settings. The key idea is to force the encoder to map a set of specially crafted trigger instances into a unique compact cluster in the outputted embedding space during model pre-training. Consequently, when the encoder is stolen and concatenated with any downstream classifiers, the resulting model inherits the `backdoor' of the encoder and predicts the trigger instances to be in a single category with high probability regardless of the ground truth. Experimental results have shown that, the embedded watermark can be transferred to various downstream tasks in black-box settings, including node classification, link prediction and community detection, which forms a reliable watermark verification system for GSSL in reality. This approach also shows satisfactory performance in terms of model fidelity, reliability and robustness.

翻译：近年来，图自监督学习（GSSL）蓬勃发展，使得可迁移的基础图编码器预训练成为可能。然而，此类编码器即插即用的特性使其易受版权侵害。为解决这一问题，我们开发了一种新颖的水印框架以保护GSSL场景下的图编码器。其核心思想是在模型预训练期间，强制编码器将一组特殊构建的触发实例映射到输出嵌入空间中的一个独特紧凑聚类中。因此，当编码器被盗用并与任意下游分类器拼接时，所得模型将继承编码器的“后门”，并以高概率将触发实例预测为单一类别，而无论其真实标签如何。实验结果表明，所嵌入的水印能够在黑盒设置下迁移至多种下游任务，包括节点分类、链接预测和社区发现，从而为现实中的GSSL构建了可靠的水印验证系统。该方法在模型保真度、可靠性和鲁棒性方面也表现出令人满意的性能。