Making Watermark Survive Model Extraction Attacks in Graph Neural Networks

H. Wang; Z. Zhang; M. Chen; S. He

doi:10.1109/ICC45041.2023.10278974

Making Watermark Survive Model Extraction Attacks in Graph Neural Networks

H. Wang
, Z. Zhang
, M. Chen
, S. He

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Collecting graph data is costly and well-trained graph neural networks (GNNs) are viewed as intellectual property. To make better use of GNNs, they are used to provide cloud-based services. However, models on cloud-based services may be leaked under model extraction attacks. Adversaries can extract an imitation model by simply querying the GNNs on the cloud-based services. To protect GNNs, watermarks are embedded in the models. However, the watermarks can be removed by the model extraction attacks. To address this issue, we propose adding a watermark that cannot be ignored by queries from the model extraction attacks. Concretely, we add the soft nearest neighbor loss to the loss function of the watermark embedding process to merge the distributions for the normal tasks and watermarks. We also observe that the watermark brings a performance loss to GNNs and propose an optimization method to maintain the model performance. We evaluate our method on multiple real-world datasets to demonstrate the superiority of the method.

Original language	English
Title of host publication	IEEE International Conference on Communications
Editors	Michele Zorzi, Meixia Tao, Walid Saad
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	57-62
Number of pages	6
ISBN (Electronic)	9781538674628
ISBN (Print)	9781538674628
DOIs	https://doi.org/10.1109/ICC45041.2023.10278974
Publication status	Published - 2023
Externally published	Yes

Funding

ACKNOWLEDGMENTS We thank the anonymous reviewers for their constructive feedback. This work is supported by the National Science Foundation of China (NSFC) under grant U1911401, NSFC under grant No.U1909207, and the Helmholtz Association within the project “Trustworthy Federated Data Analytics” (TFDA) (funding number ZT-I-OO1 4).

Funders	Funder number
TFDA	ZT-I-OO1 4
National Natural Science Foundation of China	No.U1909207, U1911401
National Natural Science Foundation of China
Helmholtz Association

Access to Document

10.1109/ICC45041.2023.10278974

Persistent URL (handle)

Persistent link

Cite this

@inproceedings{ef1faea962cd4ab79723e7cb0d2a9557,

title = "Making Watermark Survive Model Extraction Attacks in Graph Neural Networks",

abstract = "Collecting graph data is costly and well-trained graph neural networks (GNNs) are viewed as intellectual property. To make better use of GNNs, they are used to provide cloud-based services. However, models on cloud-based services may be leaked under model extraction attacks. Adversaries can extract an imitation model by simply querying the GNNs on the cloud-based services. To protect GNNs, watermarks are embedded in the models. However, the watermarks can be removed by the model extraction attacks. To address this issue, we propose adding a watermark that cannot be ignored by queries from the model extraction attacks. Concretely, we add the soft nearest neighbor loss to the loss function of the watermark embedding process to merge the distributions for the normal tasks and watermarks. We also observe that the watermark brings a performance loss to GNNs and propose an optimization method to maintain the model performance. We evaluate our method on multiple real-world datasets to demonstrate the superiority of the method.",

author = "H. Wang and Z. Zhang and M. Chen and S. He",

year = "2023",

doi = "10.1109/ICC45041.2023.10278974",

language = "English",

isbn = "9781538674628",

pages = "57--62",

editor = "Michele Zorzi and Meixia Tao and Walid Saad",

booktitle = "IEEE International Conference on Communications",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

}

Making Watermark Survive Model Extraction Attacks in Graph Neural Networks. / Wang, H.; Zhang, Z.; Chen, M. et al.
IEEE International Conference on Communications. ed. / Michele Zorzi; Meixia Tao; Walid Saad. Institute of Electrical and Electronics Engineers Inc., 2023. p. 57-62.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Making Watermark Survive Model Extraction Attacks in Graph Neural Networks

AU - Wang, H.

AU - Zhang, Z.

AU - Chen, M.

AU - He, S.

PY - 2023

Y1 - 2023

N2 - Collecting graph data is costly and well-trained graph neural networks (GNNs) are viewed as intellectual property. To make better use of GNNs, they are used to provide cloud-based services. However, models on cloud-based services may be leaked under model extraction attacks. Adversaries can extract an imitation model by simply querying the GNNs on the cloud-based services. To protect GNNs, watermarks are embedded in the models. However, the watermarks can be removed by the model extraction attacks. To address this issue, we propose adding a watermark that cannot be ignored by queries from the model extraction attacks. Concretely, we add the soft nearest neighbor loss to the loss function of the watermark embedding process to merge the distributions for the normal tasks and watermarks. We also observe that the watermark brings a performance loss to GNNs and propose an optimization method to maintain the model performance. We evaluate our method on multiple real-world datasets to demonstrate the superiority of the method.

AB - Collecting graph data is costly and well-trained graph neural networks (GNNs) are viewed as intellectual property. To make better use of GNNs, they are used to provide cloud-based services. However, models on cloud-based services may be leaked under model extraction attacks. Adversaries can extract an imitation model by simply querying the GNNs on the cloud-based services. To protect GNNs, watermarks are embedded in the models. However, the watermarks can be removed by the model extraction attacks. To address this issue, we propose adding a watermark that cannot be ignored by queries from the model extraction attacks. Concretely, we add the soft nearest neighbor loss to the loss function of the watermark embedding process to merge the distributions for the normal tasks and watermarks. We also observe that the watermark brings a performance loss to GNNs and propose an optimization method to maintain the model performance. We evaluate our method on multiple real-world datasets to demonstrate the superiority of the method.

UR - https://www.scopus.com/pages/publications/85178258961

UR - https://www.scopus.com/pages/publications/85178258961#tab=citedBy

U2 - 10.1109/ICC45041.2023.10278974

DO - 10.1109/ICC45041.2023.10278974

M3 - Conference contribution

SN - 9781538674628

SP - 57

EP - 62

BT - IEEE International Conference on Communications

A2 - Zorzi, Michele

A2 - Tao, Meixia

A2 - Saad, Walid

PB - Institute of Electrical and Electronics Engineers Inc.

ER -

Making Watermark Survive Model Extraction Attacks in Graph Neural Networks

Abstract

Funding

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this