Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Model Stealing Attack against Graph Classification with Authenticity, Uncertainty and Diversity

Zhihao Zhu, Chenwang Wu, Rui Fan, Yi Yang, Zhen Wang, Defu Lian, Enhong Chen

TL;DR

This work investigates model stealing attacks on graph classification under practical constraints of limited real data and hard-label query outputs. It introduces three strategies—MSA-AU (authenticity and uncertainty), MSA-AD (authenticity and diversity via Mixup), and MSA-AUD (combining both)—to generate informative synthetic samples that enable a clone model to closely replicate a target GNN. Extensive experiments across multiple datasets show that the proposed attacks improve fidelity and query efficiency, and remain effective even under unknown architectures or modest defenses. The results highlight a significant security risk for graph-classification models and suggest directions for robust defenses, including architecture secrecy, query-cost policies, and adversarial training-based detectors.

Abstract

Recent research demonstrates that GNNs are vulnerable to the model stealing attack, a nefarious endeavor geared towards duplicating the target model via query permissions. However, they mainly focus on node classification tasks, neglecting the potential threats entailed within the domain of graph classification tasks. Furthermore, their practicality is questionable due to unreasonable assumptions, specifically concerning the large data requirements and extensive model knowledge. To this end, we advocate following strict settings with limited real data and hard-label awareness to generate synthetic data, thereby facilitating the stealing of the target model. Specifically, following important data generation principles, we introduce three model stealing attacks to adapt to different actual scenarios: MSA-AU is inspired by active learning and emphasizes the uncertainty to enhance query value of generated samples; MSA-AD introduces diversity based on Mixup augmentation strategy to alleviate the query inefficiency issue caused by over-similar samples generated by MSA-AU; MSA-AUD combines the above two strategies to seamlessly integrate the authenticity, uncertainty, and diversity of the generated samples. Finally, extensive experiments consistently demonstrate the superiority of the proposed methods in terms of concealment, query efficiency, and stealing performance.

Model Stealing Attack against Graph Classification with Authenticity, Uncertainty and Diversity

TL;DR

This work investigates model stealing attacks on graph classification under practical constraints of limited real data and hard-label query outputs. It introduces three strategies—MSA-AU (authenticity and uncertainty), MSA-AD (authenticity and diversity via Mixup), and MSA-AUD (combining both)—to generate informative synthetic samples that enable a clone model to closely replicate a target GNN. Extensive experiments across multiple datasets show that the proposed attacks improve fidelity and query efficiency, and remain effective even under unknown architectures or modest defenses. The results highlight a significant security risk for graph-classification models and suggest directions for robust defenses, including architecture secrecy, query-cost policies, and adversarial training-based detectors.

Abstract

Recent research demonstrates that GNNs are vulnerable to the model stealing attack, a nefarious endeavor geared towards duplicating the target model via query permissions. However, they mainly focus on node classification tasks, neglecting the potential threats entailed within the domain of graph classification tasks. Furthermore, their practicality is questionable due to unreasonable assumptions, specifically concerning the large data requirements and extensive model knowledge. To this end, we advocate following strict settings with limited real data and hard-label awareness to generate synthetic data, thereby facilitating the stealing of the target model. Specifically, following important data generation principles, we introduce three model stealing attacks to adapt to different actual scenarios: MSA-AU is inspired by active learning and emphasizes the uncertainty to enhance query value of generated samples; MSA-AD introduces diversity based on Mixup augmentation strategy to alleviate the query inefficiency issue caused by over-similar samples generated by MSA-AU; MSA-AUD combines the above two strategies to seamlessly integrate the authenticity, uncertainty, and diversity of the generated samples. Finally, extensive experiments consistently demonstrate the superiority of the proposed methods in terms of concealment, query efficiency, and stealing performance.
Paper Structure (35 sections, 8 equations, 7 figures, 10 tables, 3 algorithms)

This paper contains 35 sections, 8 equations, 7 figures, 10 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Target Model
  3. Graph Neural Network (GNN)
  4. Attacker’s Goal
  5. Attacker’s Capability
  6. Attack Setting
  7. Model Stealing Attack
  8. Overview
  9. Model Stealing Attacks with Authenticity and Uncertainty
  10. Optimization objective based on uncertainty
  11. Authenticity constraint
  12. Model-independent Sample Generation Strategy
  13. MSA-AUD
  14. Evaluation
  15. Setup
  16. ...and 20 more sections

Figures (7)

  • Figure 1: The workflow of our framework. Each round begins with the generation of new synthetic data by applying model-related or model-agnostic methods. We then query new samples against the target model, whose predictions will be utilized to boost the clone model's imitation.
  • Figure 2: Difference between MSA-AU, MSA-AD and MSA-AUD.
  • Figure 3: Diversity visualization.
  • Figure 4: Attack performance with the different number of query samples.
  • Figure 5: Attack performance with different proportions of mixed nodes.
  • ...and 2 more figures