ATOM: A Framework of Detecting Query-Based Model Extraction Attacks for Graph Neural Networks

Zhan Cheng, Bolin Shen, Tianming Sha, Yuan Gao, Shibo Li, Yushun Dong

TL;DR

The paper addresses graph-based model extraction attacks against GMLaaS by introducing ATOM, a real-time detection framework that couples sequential query modeling with reinforcement learning. ATOM embeds graph structure via $k$-core centrality and uses a differential-input GRU enhanced with a fusion gate, augmented by a PPO-based decision policy to adapt to evolving attack strategies. The authors provide theoretical analysis linking query behavior to dominating-set bounds and demonstrate through extensive experiments on real-world graphs that ATOM achieves robust, time-consistent detection and outperforms baselines, with ablations confirming the value of second-order differences and topological embeddings. This framework offers a proactive defense for GMLaaS environments, enabling dynamic adaptation to adversarial query patterns and improving resilience against surrogate-model extraction attacks.

Abstract

Graph Neural Networks (GNNs) have gained traction in Graph-based Machine Learning as a Service (GMLaaS) platforms, yet they remain vulnerable to graph-based model extraction attacks (MEAs), where adversaries reconstruct surrogate models by querying the victim model. Existing defense mechanisms, such as watermarking and fingerprinting, suffer from poor real-time performance, susceptibility to evasion, or reliance on post-attack verification, making them inadequate for handling the dynamic characteristics of graph-based MEA variants. To address these limitations, we propose ATOM, a novel real-time MEA detection framework tailored for GNNs. ATOM integrates sequential modeling and reinforcement learning to dynamically detect evolving attack patterns, while leveraging $k$-core embedding to capture the structural properties, enhancing detection precision. Furthermore, we provide theoretical analysis to characterize query behaviors and optimize detection strategies. Extensive experiments on multiple real-world datasets demonstrate that ATOM outperforms existing approaches in detection performance and remains stable across different time steps, thereby offering a more effective defense mechanism for GMLaaS environments.

Paper Structure

This paper contains 38 sections, 10 theorems, 33 equations, 3 figures, 7 tables.

Key Result

theorem 1

Consider a covering graph $\mathcal{D}$ in the graph $\mathcal{G}=(\mathcal{V},\mathcal{E})$, aiming to cover at least $\beta\in[0,1]$ percent nodes of $\mathcal{G}$, while minimizing $\sum_{u\in \mathcal{A}}w(u)$, where $w(u)$ is the weight of node $u$ and $\mathcal{A}$ represents the set of nodes Here, $\lvert\mathcal{D}\rvert$ represents the number of nodes in $\mathcal{D}$, $W$ is the total w

Figures (3)

  • Figure 1: An illustration of the framework with the query behavior and the detection mechanism.
  • Figure 2: Performance of Representative Models Over Sequential Query Processing on Cora.
  • Figure 3: Impact of the adjustment factor $\lambda$ in ATOM.

Theorems & Definitions (15)

  • theorem 1
  • proposition 1
  • proposition 2
  • theorem 2
  • theorem 3
  • proposition 3
  • proposition 4
  • theorem 4
  • definition 1: Query Lists
  • proposition 5
  • ...and 5 more