DOI: 10.1145/3589334.3645489

GNNFingers: A Fingerprinting Framework for Verifying Ownerships of Graph Neural Networks

Published: 13 May 2024

Abstract

Graph neural networks (GNNs) have emerged as the state of the art for a variety of graph-related tasks and have been widely commercialized in real-world scenarios. Behind their revolutionary representation capability, the huge training costs also expose GNNs to the risk of model piracy attacks, which threaten the intellectual property (IP) of GNNs. In this work, we design a novel and effective ownership verification framework for GNNs called GNNFingers to safeguard the IP of GNNs. The key design of the proposed framework is two-fold: graph fingerprint construction and a robust verification module. With GNNFingers, a GNN model owner can verify whether a deployed model is stolen from the source GNN simply by querying it with graph inputs. In addition, GNNFingers can be applied to various GNN models and graph-related tasks. We extensively evaluate the proposed framework on various GNNs designed for multiple graph-related tasks, including graph classification, graph matching, node classification, and link prediction. Our results show that GNNFingers can robustly distinguish post-processed surrogate GNNs from irrelevant GNNs, e.g., GNNFingers achieves 100% true positives and 100% true negatives on the test of 200 suspect GNNs of both graph classification and node classification tasks.

Published In

WWW '24: Proceedings of the ACM Web Conference 2024
May 2024
4826 pages
ISBN: 9798400701719
DOI: 10.1145/3589334
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. graph neural networks
2. model fingerprinting
3. model intellectual property protection

Qualifiers

• Research-article

Conference

WWW '24: The ACM Web Conference 2024
May 13 - 17, 2024
Singapore, Singapore

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
