WGLE: Backdoor-free and Multi-bit Black-box Watermarking for Graph Neural Networks

Tingzhi Li, Xuefeng Liu, Jing Lei, Xingang Zhang

TL;DR

WGLE tackles the IP protection challenge for GNNs by removing backdoor-based risks and enabling multi-bit ownership verification with a single trigger graph. It introduces LDDE as a stable watermark carrier and provides two practical embedding settings (S.T.A. and S.T.M.) to cover training-graph availability scenarios. Across six datasets and architectures, WGLE achieves 100% verification accuracy with negligible fidelity loss and demonstrates robustness against common attacks, underscoring practical viability for scalable GNN watermarking. The work also clarifies limitations to graph-structured data and outlines avenues for broader applicability and capacity improvements.

Abstract

Graph Neural Networks (GNNs) are increasingly deployed in real-world applications, making ownership verification critical to protect their intellectual property against model theft. Fingerprinting and black-box watermarking are two main methods. However, the former relies on determining model similarity, which is computationally expensive and prone to ownership collisions after model post-processing. The latter embeds backdoors, exposing watermarked models to the risk of backdoor attacks. Moreover, both previous methods enable ownership verification but do not convey additional information about the copy model. If the owner has multiple models, each model requires a distinct trigger graph. To address these challenges, this paper proposes WGLE, a novel black-box watermarking paradigm for GNNs that enables embedding the multi-bit string in GNN models without using backdoors. WGLE builds on a key insight we term Layer-wise Distance Difference on an Edge (LDDE), which quantifies the difference between the feature distance and the prediction distance of two connected nodes in a graph. By assigning unique LDDE values to the edges and employing the LDDE sequence as the watermark, WGLE supports multi-bit capacity without relying on backdoor mechanisms. We evaluate WGLE on six public datasets across six mainstream GNN architectures, and compare WGLE with state-of-the-art GNN watermarking and fingerprinting methods. WGLE achieves 100% ownership verification accuracy, with an average fidelity degradation of only 1.41%. Additionally, WGLE exhibits robust resilience against potential attacks. The code is available in the repository.
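
The abstract describes LDDE as the difference between the feature distance and the prediction distance of two connected nodes, with the LDDE sequence over selected edges serving as the watermark. The sketch below is an added illustration of black-box extraction and comparison, not code from the paper or its repository. It assumes Euclidean distances, LDDE = feature distance minus prediction distance, and one bit per key edge read from the LDDE sign; the layer-wise aspect is not modelled, and the function names, the `min_match` threshold and all sample data are constructed.

```python
import math

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def ldde(features, preds, edge):
    """Assumed form: feature distance minus prediction distance on one edge."""
    u, v = edge
    return euclid(features[u], features[v]) - euclid(preds[u], preds[v])

def extract_bits(features, preds, key_edges):
    """One bit per key edge, read from the LDDE sign (positive -> 1, else 0)."""
    return [1 if ldde(features, preds, e) > 0 else 0 for e in key_edges]

def verify(features, preds, key_edges, registered_bits, min_match=1.0):
    """Compare extracted bits with the owner's string.

    Returns (bits, match_rate, accepted). min_match is a hypothetical
    acceptance threshold, not a value taken from the paper.
    """
    if len(key_edges) != len(registered_bits):
        raise ValueError("watermark key and bit string differ in length")
    bits = extract_bits(features, preds, key_edges)
    rate = sum(b == r for b, r in zip(bits, registered_bits)) / len(bits)
    return bits, rate, rate >= min_match

# Constructed trigger graph: 4 nodes with 2-d features, 3 key edges.
FEATURES = {0: [0.0, 0.0], 1: [1.0, 0.0], 2: [1.0, 1.0], 3: [0.1, 0.0]}
KEY_EDGES = [(0, 1), (1, 2), (0, 3)]
REGISTERED = [1, 0, 1]  # constructed multi-bit string held by the owner

# Constructed API responses (class probabilities) for the trigger graph.
SUSPECT_PREDS = {0: [0.8, 0.1, 0.1], 1: [0.7, 0.2, 0.1],
                 2: [0.0, 0.1, 0.9], 3: [0.78, 0.12, 0.1]}
INDEPENDENT_PREDS = {0: [0.9, 0.05, 0.05], 1: [0.1, 0.8, 0.1],
                     2: [0.1, 0.85, 0.05], 3: [0.2, 0.7, 0.1]}

if __name__ == "__main__":
    for name, preds in [("suspect", SUSPECT_PREDS),
                        ("independent", INDEPENDENT_PREDS)]:
        bits, rate, ok = verify(FEATURES, preds, KEY_EDGES, REGISTERED)
        print(f"{name}: bits={bits} match={rate:.2f} accepted={ok}")
```

Only the trigger graph's features and the model's returned predictions are needed, which is what makes the check usable against a suspect model's API.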

Paper Structure

This paper contains 21 sections, 9 equations, 10 figures, 8 tables, 1 algorithm.

Figures (10)

  • Figure 1: The differences between WGLE and the previous GNN black-box watermarking. Previous methods use backdoors, with ownership verification relying on misclassification of trigger samples. WGLE uses LDDE as watermarks, enabling verification without potential security risks.
  • Figure 2: The system model of WGLE. The owner uses the trigger graph to embed watermarks in the original model, producing watermarked models. The adversary steals one of the watermarked models and may post-process the copy model. The verifier uses the trigger graph to query the suspect model's API and extracts the watermark from the predictions.
  • Figure 3: Projections of LDDE values of selected edges before and after watermark embedding for GCNv2 trained on Physics in S.T.A. Blue points represent edges targeted for positive LDDE signs, while red points represent those targeted for negative signs.
  • Figure 4: The t-SNE projections of the predictions from both the original and watermarked models for GCNv2 on Physics in S.T.A. Different colors indicate different classes.
  • Figure 5: The overview of WGLE. The owner first selects the edges that satisfy the paper's two selection conditions (labelled cond1 and cond2) and marks them as the watermark key. The owner takes the training graph (S.T.A.) or generates a graph (S.T.M.) as the trigger graph. Both S.T.A. and S.T.M. share the same verification process.
  • ...and 5 more figures

Theorems & Definitions (1)

  • Definition 4.1