arxiv: 2605.12827 · v1 · submitted 2026-05-12 · 💻 cs.CR · cs.AI· cs.LG

Recognition: unknown

GraphIP-Bench: How Hard Is It to Steal a Graph Neural Network, and Can We Stop It?

Bolin Shen, Kaixiang Zhao, Shayok Chakraborty, Yushun Dong, Yuyang Dai

Authors on Pith no claims yet

Pith reviewed 2026-05-14 19:22 UTC · model grok-4.3

classification 💻 cs.CR cs.AIcs.LG

keywords graph neural networksmodel extraction attacksownership verificationwatermarkingbenchmarkadversarial machine learninggraph classificationmodel stealing

0 comments

The pith

Stealing a graph neural network is straightforward at medium query budgets, and existing defenses rarely prevent extraction or preserve ownership signals on surrogates.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper establishes a comprehensive benchmark to determine how easily graph neural networks can be stolen through model extraction attacks and whether defenses can effectively counter them. By standardizing evaluations across multiple attacks, defenses, graphs, backbones, and tasks, it reveals that extraction succeeds with moderate resources in most cases. The benchmark also shows that while some defenses like watermarks protect the original model, they lose effectiveness once an attacker trains a surrogate. Heterophilic graphs present greater challenges for extraction compared to others, and mismatches in model architecture between target and surrogate hinder but do not stop the process. These findings matter because GNNs are increasingly offered as cloud services, making them vulnerable to unauthorized replication without strong protections.

Core claim

The paper claims that under a unified black-box protocol, model extraction attacks can produce surrogates with high fidelity to the target GNN at medium query budgets, and that defenses spanning watermarking, output perturbation, and query detection largely fail to increase extraction difficulty or maintain reliable ownership verification on the resulting surrogates, with heterophilic graphs being systematically harder to steal and cross-architecture extraction succeeding at reduced performance.

What carries the argument

GraphIP-Bench, the unified benchmark integrating twelve extraction attacks, twelve defenses, ten graphs, three backbones, and three tasks to evaluate fidelity, utility, verification, and cost under shared conditions.

If this is right

Extraction is easy at medium query budgets across most configurations.
Watermarks verify on protected models but lose most signal on extracted surrogates.
Heterophilic graphs are harder to steal than homophilic ones.
Cross-architecture mismatch reduces extraction success but does not prevent it.
Joint attack-defense evaluation exposes gaps missed by single-model tests.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Service providers may require defenses designed to survive the extraction process itself rather than just marking the original model.
The results point to heterophily as a potential natural barrier worth exploiting in future designs.
Extending the benchmark to include adaptive attacks targeting specific defenses could reveal additional vulnerabilities.
Real-world GNN services might benefit from monitoring query patterns more aggressively if detection proves more robust than watermarking.

Load-bearing premise

The chosen set of twelve attacks, twelve defenses, ten graphs, three backbones, and three tasks is representative of the broader space of GNN services and threats.

What would settle it

A defense that achieves high watermark verification accuracy on surrogates extracted from defended targets across the benchmark's diverse setups would contradict the finding that most defenses lose their verification signal after extraction.

Figures

Figures reproduced from arXiv: 2605.12827 by Bolin Shen, Kaixiang Zhao, Shayok Chakraborty, Yushun Dong, Yuyang Dai.

**Figure 1.** Figure 1: Sample efficiency across ten datasets and four regimes. Extension to large-scale and heterophilic graphs. The seven graphs in the original protocol are small and homophilic, which limits the conclusions to one structural regime. To extend the protocol along three independent axes, we evaluate the same twelve attacks on three additional graphs: OGBN-Arxiv (169,343 nodes, 40 classes, edge homophily 0.699) … view at source ↗

**Figure 3.** Figure 3: Surrogate fidelity (%) at budget 0.25× on the three additional graphs for all twelve attacks (mean over three seeds, whiskers are ± one std). Among the watermarking and integrity defenses, BackdoorWM offers the best protection-utility balance: it reaches the highest median fidelity (80.07%), perfect verification, and only a 3.27 pp median utility drop. ImperceptibleWM also reaches perfect verification, b… view at source ↗

**Figure 4.** Figure 4: Protection-utility scatter across ten datasets and three seeds per defense (one point per dataset-seed run). Upper-left is best. To answer RQ3, we evaluate the defended model’s task utility and its alignment with the original target together with ownership verification on a fixed verification set under the unified protocol in Section 3. All defenses protect the same architecture and use identical splits; … view at source ↗

**Figure 5.** Figure 5: Defense effectiveness across all ten datasets: (a) utility drop and (b) ownership verification. [PITH_FULL_IMAGE:figures/full_fig_p032_5.png] view at source ↗

**Figure 6.** Figure 6: Radar profile of the five watermarking and integrity defenses across six axes. F1, fidelity, [PITH_FULL_IMAGE:figures/full_fig_p034_6.png] view at source ↗

**Figure 7.** Figure 7: Heatmap view of the seven information-limiting and query-detection defenses across all [PITH_FULL_IMAGE:figures/full_fig_p037_7.png] view at source ↗

**Figure 8.** Figure 8: Peak GPU memory (GB) on a symmetric-log scale, aggregated across all ten datasets. Bars [PITH_FULL_IMAGE:figures/full_fig_p038_8.png] view at source ↗

**Figure 9.** Figure 9: Wall-clock cost summary on a log scale. (a) Total attack time (min) at [PITH_FULL_IMAGE:figures/full_fig_p038_9.png] view at source ↗

**Figure 10.** Figure 10: Budget–metric curves on all ten datasets (columns) for accuracy, fidelity, and macro [PITH_FULL_IMAGE:figures/full_fig_p039_10.png] view at source ↗

**Figure 11.** Figure 11: Regime sensitivity across budgets. Cells show the ratio between the average fidelity in a [PITH_FULL_IMAGE:figures/full_fig_p040_11.png] view at source ↗

**Figure 12.** Figure 12: Per-attack surrogate-fidelity curves on all ten datasets in the [PITH_FULL_IMAGE:figures/full_fig_p040_12.png] view at source ↗

**Figure 13.** Figure 13: Regime sensitivity from two complementary views: differential (left) and absolute (right). [PITH_FULL_IMAGE:figures/full_fig_p041_13.png] view at source ↗

**Figure 14.** Figure 14: Distribution of per-run attack wall-clock time (log scale, in minutes) across all (dataset, [PITH_FULL_IMAGE:figures/full_fig_p041_14.png] view at source ↗

**Figure 15.** Figure 15: Pairwise Pearson correlation between the twelve attacks, where each attack is represented [PITH_FULL_IMAGE:figures/full_fig_p042_15.png] view at source ↗

**Figure 16.** Figure 16: Per-dataset utility loss of the seven information-limiting and query-detection defenses [PITH_FULL_IMAGE:figures/full_fig_p042_16.png] view at source ↗

**Figure 17.** Figure 17: RQ5 joint evaluation on Computers at 0.25× (mean over three seeds). (a) Surrogate fidelity (%) against the five watermarks. (b) Surrogate fidelity (%) against the seven informationlimiting defenses; PRADA and AdaptMisinfo reduce the strongest attacks from 80–92% to 25–55%. (c) Watermark verification rate (%) on the extracted surrogate; Integrity survives at near 100% on most attacks, whereas SurviveWM, R… view at source ↗

**Figure 18.** Figure 18: Distribution and structural correlates of watermark survival. [PITH_FULL_IMAGE:figures/full_fig_p043_18.png] view at source ↗

**Figure 19.** Figure 19: Distributional views of surrogate fidelity. (a) shows that fidelity distributions are nearly [PITH_FULL_IMAGE:figures/full_fig_p045_19.png] view at source ↗

**Figure 20.** Figure 20: Per-dataset heatmap grid of joint surrogate fidelity (%). Each panel is a [PITH_FULL_IMAGE:figures/full_fig_p052_20.png] view at source ↗

**Figure 21.** Figure 21: Cross-task heatmap of surrogate fidelity (%) on three task settings: link prediction on [PITH_FULL_IMAGE:figures/full_fig_p054_21.png] view at source ↗

read the original abstract

Graph neural networks (GNNs) deployed as cloud services can be \emph{stolen} through \emph{model-extraction attacks}, which train a surrogate from query responses to reproduce the target's behaviour, and a growing line of ownership defenses tries to prevent or trace such theft. The title of this paper asks two questions: \emph{how hard is it to steal a GNN?}, and \emph{can we stop it?} Prior work cannot answer either, because experiments use inconsistent datasets, threat models, and metrics. We introduce \emph{GraphIP-Bench}, a unified benchmark which evaluates both sides under a single black-box protocol. It integrates twelve extraction attacks, twelve defenses spanning watermarking, output-perturbation, and query-pattern-detection families, ten public graphs covering homophilic, heterophilic, and large-scale regimes, three GNN backbones, and three graph-learning tasks, and it reports fidelity, task utility, ownership verification, and computational cost on shared splits, queries, and budgets. We further add a joint attack-and-defense track which runs every attack on every defended target and measures watermark verification on the resulting surrogate, which exposes the protection that a defense retains after extraction. The empirical picture is short: stealing a GNN is easy at medium query budgets and most defenses do not change this; several watermarks verify reliably on the protected model but lose most of their verification signal on the extracted surrogate, which exposes a gap that single-model evaluations miss; and heterophilic graphs are systematically harder to steal, while a cross-architecture mismatch between target and surrogate reduces but does not prevent extraction. Code: \href{https://github.com/LabRAI/GraphIP-Bench}{LabRAI/GraphIP-Bench}.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

GraphIP-Bench gives the first consistent protocol for testing GNN extraction attacks against defenses, but its claims about stealing being easy rest on an untested selection of components.

read the letter

The two things to take away are that this paper supplies the first shared benchmark forcing attacks and defenses to run under identical query budgets and splits, and that the joint track shows watermarks often lose their signal once a surrogate is extracted. Prior work could not compare results directly because each paper chose its own graphs, metrics, and threat models. The new setup integrates twelve attacks, twelve defenses, ten graphs, three backbones, and three tasks, then measures fidelity, utility, verification success, and cost on the same footing. The joint track that applies every attack to every defended target and checks watermark survival on the surrogate is a practical addition that single-model tests miss. Public code makes it possible for others to extend or reproduce the runs. The empirical picture that emerges is that medium budgets suffice for decent extraction and that most defenses do not block it, while heterophilic graphs prove harder targets and cross-architecture surrogates still work but with some drop in fidelity. The soft spot is representativeness. The authors give no sensitivity analysis or coverage argument showing why these particular twelve attacks, twelve defenses, and ten graphs adequately sample real services. If the set leans toward easier cases or omits stronger query strategies, the headline result that stealing is easy could shift with a different sample. The finding on heterophilic graphs is interesting but inherits the same limitation. This work is for researchers who build or attack GNN services and need a common yardstick. Anyone adding a new defense or attack will get immediate numbers to compare against. It deserves a serious referee because the benchmark protocol itself fills a documented gap in the literature even if the generalization step needs more support in revision. I would send it out.

Referee Report

3 major / 3 minor

Summary. The paper introduces GraphIP-Bench, a unified benchmark for evaluating model extraction attacks on GNNs and corresponding ownership defenses under a consistent black-box protocol. It integrates twelve extraction attacks, twelve defenses spanning watermarking, output-perturbation, and query-pattern-detection families, ten public graphs covering homophilic, heterophilic, and large-scale regimes, three GNN backbones, and three graph-learning tasks. The benchmark reports fidelity, task utility, ownership verification, and computational cost on shared splits and query budgets. A joint attack-and-defense track evaluates every attack against every defended target and measures watermark verification on the resulting surrogates. The main empirical findings are that stealing a GNN is easy at medium query budgets, most defenses do not substantially alter this, watermarks verify reliably on protected models but lose most verification signal on extracted surrogates, heterophilic graphs are systematically harder to steal, and cross-architecture mismatch reduces but does not prevent extraction.

Significance. If the selected components prove representative, the benchmark supplies a standardized, reproducible platform that resolves inconsistencies in prior GNN extraction studies and enables direct comparison of attacks and defenses. The joint attack-defense track is a particular strength, as it reveals protection gaps that single-model evaluations miss. Public code release supports reproducibility and future extensions. These elements could usefully guide development of more robust GNN IP mechanisms by quantifying current limitations in watermarking and perturbation approaches.

major comments (3)

[§3] §3 (Benchmark Design): The selection of the twelve attacks, twelve defenses, ten graphs, three backbones, and three tasks lacks any coverage argument, sensitivity analysis, or comparison to omitted methods. Because the headline claims that stealing is easy at medium budgets and that most defenses fail rest entirely on results from this specific set, the absence of justification for representativeness directly weakens generalization to real-world GNN services.
[§5.3] §5.3 (Joint Attack-and-Defense Track): The observation that watermarks lose most verification signal on surrogates is central to the defense-effectiveness claim, yet the manuscript does not specify the exact verification threshold, how it is applied uniformly across methods, or whether results include multiple random seeds; without these details the reported gap could be sensitive to post-hoc choices.
[Table 2] Table 2 (Fidelity vs. Budget): The statement that heterophilic graphs are systematically harder to steal would be stronger if accompanied by statistical tests or variance across query selections, as single-run fidelity numbers may not establish the difference reliably.

minor comments (3)

[Abstract] Abstract: The phrase 'several watermarks verify reliably' would be clearer if the specific watermarking methods were enumerated.
[Figure 4] Figure 4: The x-axis scaling on query-budget plots makes it difficult to visually separate the medium-budget regime where the main claims are made; a log scale or inset would improve readability.
[§2] §2 (Related Work): A few 2023-2024 GNN extraction papers are missing; adding them would better situate the benchmark.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive comments and for recognizing the value of the unified benchmark and joint attack-defense track. We address each major point below and will incorporate revisions to improve clarity and rigor.

read point-by-point responses

Referee: The selection of the twelve attacks, twelve defenses, ten graphs, three backbones, and three tasks lacks any coverage argument, sensitivity analysis, or comparison to omitted methods. The headline claims rest on this specific set, weakening generalization.

Authors: We selected components to represent the primary families in the GNN extraction literature (query-efficient, gradient-based attacks; watermarking, perturbation, and detection defenses) while covering homophilic, heterophilic, and large-scale graphs. We will add a dedicated paragraph in §3 with references to prior surveys justifying representativeness and a limited sensitivity check on two omitted methods. Full enumeration of every variant is infeasible, but the chosen set enables direct comparison under a consistent protocol. revision: yes
Referee: The observation that watermarks lose verification signal on surrogates lacks the exact verification threshold, uniform application details, and multiple random seeds; results may be sensitive to post-hoc choices.

Authors: We agree these details are essential. In the revision we will state the precise threshold for each watermark (taken from the original papers), confirm uniform application, and report means and standard deviations over five random seeds in §5.3 and the experimental setup. This will demonstrate that the observed verification drop is robust rather than threshold-dependent. revision: yes
Referee: The claim that heterophilic graphs are systematically harder to steal would be stronger with statistical tests or variance across query selections, as single-run fidelity numbers may not establish the difference reliably.

Authors: We will augment Table 2 and §5 with fidelity variance across three independent query-selection seeds and add paired t-tests comparing homophilic versus heterophilic graphs at each budget. These additions will quantify the systematic gap with statistical support. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical benchmark relies on external measurements

full rationale

The paper introduces GraphIP-Bench as a unified empirical evaluation of 12 attacks, 12 defenses, 10 public graphs, 3 backbones and 3 tasks under a fixed black-box protocol. All reported results (fidelity, utility, verification success, cost) are obtained by direct execution on standard public datasets and open-source GNN implementations; no equations, fitted parameters, or predictions are derived from the benchmark itself. Central claims rest on observed experimental outcomes rather than any self-referential reduction, self-citation chain, or ansatz smuggled from prior author work. The benchmark is therefore self-contained against external, reproducible inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The benchmark rests on standard public graph datasets, off-the-shelf GNN implementations, and conventional black-box query assumptions; no new free parameters, axioms, or invented entities are introduced.

pith-pipeline@v0.9.0 · 5646 in / 1122 out tokens · 34125 ms · 2026-05-14T19:22:32.061097+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

45 extracted references · 45 canonical work pages · 2 internal anchors

[1]

Pregip: Watermarking the pretraining of graph neural networks for deep intellectual property protection.arXiv preprint arXiv:2402.04435, 2024

Enyan Dai, Minhua Lin, and Suhang Wang. Pregip: Watermarking the pretraining of graph neural networks for deep intellectual property protection.arXiv preprint arXiv:2402.04435, 2024

work page arXiv 2024
[2]

A comprehensive survey on trustworthy graph neural networks: Privacy, robustness, fairness, and explainability.Machine Intelligence Research, pages 1–51, 2024

Enyan Dai, Tianxiang Zhao, Huaisheng Zhu, Junjie Xu, Zhimeng Guo, Hui Liu, Jiliang Tang, and Suhang Wang. A comprehensive survey on trustworthy graph neural networks: Privacy, robustness, fairness, and explainability.Machine Intelligence Research, pages 1–51, 2024

work page 2024
[3]

Adversarial model extraction on graph neural networks.arXiv preprint arXiv:1912.07721, 2019

David DeFazio and Arti Ramesh. Adversarial model extraction on graph neural networks.arXiv preprint arXiv:1912.07721, 2019

work page arXiv 1912
[4]

A realistic model extraction attack against graph neural networks.Knowledge-Based Systems, page 112144, 2024

Faqian Guan, Tianqing Zhu, Hanjin Tong, and Wanlei Zhou. A realistic model extraction attack against graph neural networks.Knowledge-Based Systems, page 112144, 2024

work page 2024
[5]

Inductive representation learning on large graphs.Advances in neural information processing systems, 30, 2017

Will Hamilton, Zhitao Ying, and Jure Leskovec. Inductive representation learning on large graphs.Advances in neural information processing systems, 30, 2017

work page 2017
[6]

Learn what you want to unlearn: Unlearning inversion attacks against machine unlearning.arXiv preprint arXiv:2404.03233, 2024

Hongsheng Hu, Shuo Wang, Tian Dong, and Minhui Xue. Learn what you want to unlearn: Unlearning inversion attacks against machine unlearning.arXiv preprint arXiv:2404.03233, 2024

work page arXiv 2024
[7]

Prada: protecting against dnn model stealing attacks

Mika Juuti, Sebastian Szyller, Samuel Marchal, and N Asokan. Prada: protecting against dnn model stealing attacks. In2019 IEEE European Symposium on Security and Privacy (EuroS&P), pages 512–527, 2019

work page 2019
[8]

Defending against model stealing attacks with adaptive misinformation

Sanjay Kariyappa and Moinuddin K Qureshi. Defending against model stealing attacks with adaptive misinformation. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 770–778, 2020

work page 2020
[9]

Model extraction warning in mlaas paradigm

Manish Kesarwani, Bhaskar Mukhoty, Vijay Arya, and Sameep Mehta. Model extraction warning in mlaas paradigm. InProceedings of the 34th Annual Computer Security Applications Conference, pages 371–380, 2018

work page 2018
[10]

Semi-Supervised Classification with Graph Convolutional Networks

Thomas N Kipf and Max Welling. Semi-supervised classification with graph convolutional networks.arXiv preprint arXiv:1609.02907, 2016

work page internal anchor Pith review Pith/arXiv arXiv 2016
[11]

Intellectual property in graph-based machine learning as a service: Attacks and defenses

Lincan Li, Bolin Shen, Chenxi Zhao, Yuxiang Sun, Kaixiang Zhao, Shirui Pan, and Yushun Dong. Intellectual property in graph-based machine learning as a service: Attacks and defenses. arXiv preprint arXiv:2508.19641, 2025

work page arXiv 2025
[12]

Drug repurposing based on the dtd-gnn graph neural network: revealing the relationships among drugs, targets and diseases

Wenjun Li, Wanjun Ma, Mengyun Yang, and Xiwei Tang. Drug repurposing based on the dtd-gnn graph neural network: revealing the relationships among drugs, targets and diseases. BMC genomics, 25, 2024

work page 2024
[13]

Model extraction attacks revisited

Jiacheng Liang, Ren Pang, Changjiang Li, and Ting Wang. Model extraction attacks revisited. InProceedings of the 19th ACM Asia Conference on Computer and Communications Security, pages 1231–1245, 2024

work page 2024
[14]

How to steer your adversary: Targeted and efficient model stealing defenses with gradient redirection

Mantas Mazeika, Bo Li, and David Forsyth. How to steer your adversary: Targeted and efficient model stealing defenses with gradient redirection. InInternational conference on machine learning, pages 15241–15254. PMLR, 2022. 10

work page 2022
[15]

Dag-net: Double attentive graph neural network for trajectory forecasting

Alessio Monti, Alessia Bertugli, Simone Calderara, and Rita Cucchiara. Dag-net: Double attentive graph neural network for trajectory forecasting. In2020 25th international conference on pattern recognition (ICPR), pages 2551–2558. IEEE, 2021

work page 2021
[16]

TUDataset: A collection of benchmark datasets for learning with graphs.arXiv preprint arXiv:2007.08663,

Christopher Morris, Nils M Kriege, Franka Bause, Kristian Kersting, Petra Mutzel, and Marion Neumann. Tudataset: A collection of benchmark datasets for learning with graphs.arXiv preprint arXiv:2007.08663, 2020

work page arXiv 2007
[17]

Knockoff nets: Stealing functionality of black-box models

Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. Knockoff nets: Stealing functionality of black-box models. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 4954–4963, 2019

work page 2019
[18]

Intellectual property protection of dnn models.World Wide Web, 26(4):1877–1911, 2023

Sen Peng, Yufei Chen, Jie Xu, Zizhuo Chen, Cong Wang, and Xiaohua Jia. Intellectual property protection of dnn models.World Wide Web, 26(4):1877–1911, 2023

work page 1911
[19]

A critical look at the evaluation of gnns under heterophily: Are we really making progress?arXiv preprint arXiv:2302.11640, 2023

Oleg Platonov, Denis Kuznedelev, Michael Diskin, Artem Babenko, and Liudmila Prokhorenkova. A critical look at the evaluation of gnns under heterophily: Are we really making progress?arXiv preprint arXiv:2302.11640, 2023

work page arXiv 2023
[20]

A review of adversarial attacks and defenses on graphs

Hanjin Sun, Wen Yang, and Yatie Xiao. A review of adversarial attacks and defenses on graphs. InProceedings of the 4th International Conference on Artificial Intelligence and Computer Engineering, page 416–421, 2024

work page 2024
[21]

Yu, Lifang He, and Bo Li

Lichao Sun, Yingtong Dou, Carl Yang, Kai Zhang, Ji Wang, Philip S. Yu, Lifang He, and Bo Li. Adversarial attack and defense on graph data: A survey.IEEE Transactions on Knowledge and Data Engineering, 35(8):7693–7711, 2023

work page 2023
[22]

Deep intellectual property protection: A survey.arXiv preprint arXiv:2304.14613, 2023

Yuchen Sun, Tianpeng Liu, Panhe Hu, Qing Liao, Shaojing Fu, Nenghai Yu, Deke Guo, Yongxiang Liu, and Li Liu. Deep intellectual property protection: A survey.arXiv preprint arXiv:2304.14613, 2023

work page arXiv 2023
[23]

Stealing machine learning models via prediction {APIs}

Florian Tramèr, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. Stealing machine learning models via prediction {APIs}. In25th USENIX security symposium (USENIX Security 16), pages 601–618, 2016

work page 2016
[24]

Graph Attention Networks

Petar Veliˇckovi´c, Guillem Cucurull, Arantxa Casanova, Adriana Romero, Pietro Lio, and Yoshua Bengio. Graph attention networks.arXiv preprint arXiv:1710.10903, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017
[25]

Asim Waheed, Vasisht Duddu, and N. Asokan. Grove: Ownership verification of graph neural networks using embeddings. In2024 IEEE Symposium on Security and Privacy (SP), pages 2460–2477, 2024

work page 2024
[26]

Making watermark survive model extraction attacks in graph neural networks

Haiming Wang, Zhikun Zhang, Min Chen, and Shibo He. Making watermark survive model extraction attacks in graph neural networks. InICC 2023-IEEE International Conference on Communications, pages 57–62, 2023

work page 2023
[27]

Cega: A cost-effective approach for graph-based model extraction and acquisition.arXiv preprint arXiv:2506.17709, 2025

Zebin Wang, Menghan Lin, Bolin Shen, Ken Anderson, Molei Liu, Tianxi Cai, and Yushun Dong. Cega: A cost-effective approach for graph-based model extraction and acquisition.arXiv preprint arXiv:2506.17709, 2025

work page arXiv 2025
[28]

Adapting membership inference attacks to gnn for graph classification: Approaches and implications

Bang Wu, Xiangwen Yang, Shirui Pan, and Xingliang Yuan. Adapting membership inference attacks to gnn for graph classification: Approaches and implications. In2021 IEEE International Conference on Data Mining (ICDM), pages 1421–1426, 2021

work page 2021
[29]

Model extraction attacks on graph neural networks: Taxonomy and realisation

Bang Wu, Xiangwen Yang, Shirui Pan, and Xingliang Yuan. Model extraction attacks on graph neural networks: Taxonomy and realisation. InProceedings of the 2022 ACM on Asia conference on computer and communications security, pages 337–350, 2022

work page 2022
[30]

Securing graph neural networks in mlaas: A comprehensive realization of query-based integrity verification

Bang Wu, Xingliang Yuan, Shuo Wang, Qi Li, Minhui Xue, and Shirui Pan. Securing graph neural networks in mlaas: A comprehensive realization of query-based integrity verification. In 2024 IEEE Symposium on Security and Privacy (SP), pages 2534–2552. IEEE, 2024. 11

work page 2024
[31]

Trustworthy graph learning: Reliability, explainability, and privacy protection

Bingzhe Wu, Yatao Bian, Hengtong Zhang, Jintang Li, Junchi Yu, Liang Chen, Chaochao Chen, and Junzhou Huang. Trustworthy graph learning: Reliability, explainability, and privacy protection. InProceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, pages 4838–4839, 2022

work page 2022
[32]

Watermarking graph neural networks based on backdoor attacks

Jing Xu, Stefanos Koffas, O ˘guzhan Ersoy, and Stjepan Picek. Watermarking graph neural networks based on backdoor attacks. In2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pages 1179–1197, 2023

work page 2023
[33]

Intellectual property protection for deep learning models: Taxonomy, methods, attacks, and evaluations.IEEE Transactions on Artificial Intelligence, 3(6):908–923, 2021

Mingfu Xue, Yushu Zhang, Jian Wang, and Weiqiang Liu. Intellectual property protection for deep learning models: Taxonomy, methods, attacks, and evaluations.IEEE Transactions on Artificial Intelligence, 3(6):908–923, 2021

work page 2021
[34]

Dgrec: Graph neural network for recommendation with diversified embedding generation

Liangwei Yang, Shengjie Wang, Yunzhe Tao, Jiankai Sun, Xiaolong Liu, Philip S Yu, and Taiqing Wang. Dgrec: Graph neural network for recommendation with diversified embedding generation. InProceedings of the sixteenth ACM international conference on web search and data mining, pages 661–669, 2023

work page 2023
[35]

Gnnfingers: A fingerprinting framework for verifying ownerships of graph neural networks

Xiaoyu You, Youhe Jiang, Jianwei Xu, Mi Zhang, and Min Yang. Gnnfingers: A fingerprinting framework for verifying ownerships of graph neural networks. InProceedings of the ACM on Web Conference 2024, pages 652–663, 2024

work page 2024
[36]

Trustworthy graph neural networks: Aspects, methods and trends.arXiv preprint arXiv:2205.07424, 2022

He Zhang, Bang Wu, Xingliang Yuan, Shirui Pan, Hanghang Tong, and Jian Pei. Trustworthy graph neural networks: Aspects, methods and trends.arXiv preprint arXiv:2205.07424, 2022

work page arXiv 2022
[37]

An imperceptible and owner-unique watermarking method for graph neural networks

Linji Zhang, Mingfu Xue, Leo Yu Zhang, Yushu Zhang, and Weiqiang Liu. An imperceptible and owner-unique watermarking method for graph neural networks. InProceedings of the ACM Turing Award Celebration Conference-China 2024, pages 108–113, 2024

work page 2024
[38]

Model inversion attacks against graph neural networks.IEEE Transactions on Knowledge and Data Engineering, 2022

Zaixi Zhang, Qi Liu, Zhenya Huang, Hao Wang, Chee-Kong Lee, and Enhong Chen. Model inversion attacks against graph neural networks.IEEE Transactions on Knowledge and Data Engineering, 2022

work page 2022
[39]

A survey of model extraction attacks and defenses in distributed computing environments.arXiv preprint arXiv:2502.16065, 2025

Kaixiang Zhao, Lincan Li, Kaize Ding, Neil Zhenqiang Gong, Yue Zhao, and Yushun Dong. A survey of model extraction attacks and defenses in distributed computing environments.arXiv preprint arXiv:2502.16065, 2025

work page arXiv 2025
[40]

A survey on model extraction attacks and defenses for large language models.arXiv preprint arXiv:2506.22521, 2025

Kaixiang Zhao, Lincan Li, Kaize Ding, Neil Zhenqiang Gong, Yue Zhao, and Yushun Dong. A survey on model extraction attacks and defenses for large language models.arXiv preprint arXiv:2506.22521, 2025

work page arXiv 2025
[41]

A systematic survey of model extraction attacks and defenses: State-of-the-art and perspectives

Kaixiang Zhao, Lincan Li, Kaize Ding, Neil Zhenqiang Gong, Yue Zhao, and Yushun Dong. A systematic survey of model extraction attacks and defenses: State-of-the-art and perspectives. arXiv preprint arXiv:2508.15031, 2025

work page arXiv 2025
[42]

Watermarking graph neural networks by random graphs

Xiangyu Zhao, Hanzhou Wu, and Xinpeng Zhang. Watermarking graph neural networks by random graphs. In2021 9th International Symposium on Digital Forensics and Security (ISDFS), pages 1–6, 2021

work page 2021
[43]

Graph robustness benchmark: Benchmarking the adversarial robustness of graph machine learning

Qinkai Zheng, Xu Zou, Yuxiao Dong, Yukuo Cen, Da Yin, Jiarong Xu, Yang Yang, and Jie Tang. Graph robustness benchmark: Benchmarking the adversarial robustness of graph machine learning. InThirty-fifth Conference on Neural Information Processing Systems Datasets and Benchmarks Track, 2021

work page 2021
[44]

Yuanxin Zhuang, Chuan Shi, Mengmei Zhang, Jinghui Chen, Lingjuan Lyu, Pan Zhou, and Lichao Sun. Unveiling the secrets without data: Can graph neural networks be exploited through {Data-Free} model extraction attacks? In33rd USENIX Security Symposium (USENIX Security 24), pages 5251–5268, 2024. 12 Appendix Contents A Related Work 14 B Limitations and Futur...

work page 2024
[45]

the extraction can achieve up to ∼80% fidelity

with NVIDIA driver 570.195.03 and a CUDA 12.8 driver capability. Login nodes have no GPU access, so all timing and memory numbers are recorded from Slurm-allocated GPU jobs only. Software stack.The full pipeline runs in a dedicated Conda environment namedgraphip: Python 3.11.15, PyTorch 2.2.1 + cu121, DGL 2.1.0 + cu121, PyTorch Geometric 2.7.0, OGB 1.3.6,...

work page 2022