defense 2026

CITED: A Decision Boundary-Aware Signature for GNNs Towards Model Extraction Defense

Bolin Shen 1, Md Shamim Seraj 1, Zhan Cheng 2, Shayok Chakraborty 1, Yushun Dong 1

0 citations · 78 references · arXiv (Cornell University)

Published on arXiv: 2602.20418

Model Theft

OWASP ML Top 10 — ML05

Key Finding

CITED outperforms all watermarking and fingerprinting baselines for GNN ownership verification at both embedding and label levels without harming downstream performance or requiring auxiliary models.

CITED

Novel technique introduced


Graph neural networks (GNNs) have demonstrated superior performance in various applications, such as recommendation systems and financial risk management. However, deploying large-scale GNN models locally is particularly challenging for users, as it requires significant computational resources and extensive property data. Consequently, Machine Learning as a Service (MLaaS) has become increasingly popular, offering a convenient way to deploy and access various models, including GNNs. However, an emerging threat known as Model Extraction Attacks (MEAs) presents significant risks, as adversaries can readily obtain surrogate GNN models exhibiting similar functionality. Specifically, attackers repeatedly query the target model using subgraph inputs to collect the corresponding responses. These input-output pairs are subsequently utilized to train their own surrogate models at minimal cost. Many techniques have been proposed to defend against MEAs, but most are limited to specific output levels (e.g., embedding or label) and suffer from inherent technical drawbacks. To address these limitations, we propose a novel ownership verification framework, CITED, which is a first-of-its-kind method to achieve ownership verification on both the embedding and label levels. Moreover, CITED is a novel signature-based method that neither harms downstream performance nor introduces auxiliary models that reduce efficiency, while still outperforming all watermarking and fingerprinting approaches. Extensive experiments demonstrate the effectiveness and robustness of our CITED framework. Code is available at: https://github.com/LabRAI/CITED.


Key Contributions

  • First ownership verification framework for GNNs that operates at both embedding and label output levels, overcoming limitations of prior single-level defenses.
  • Decision boundary-aware signature (CITED) that requires no modifications to model training, no auxiliary models, and does not degrade downstream task performance.
  • Demonstrated superiority over all existing watermarking and fingerprinting approaches for GNN model extraction defense across extensive experiments.

🛡️ Threat Analysis

Model Theft

CITED is explicitly a defense against Model Extraction Attacks — adversaries querying the GNN API to clone its functionality. The signature is embedded in the model's decision boundary behavior to verify ownership if the model is stolen, which is the canonical ML05 (model theft) defense use case (model fingerprinting / ownership verification).


Details

Domains: graph
Model Types: gnn
Threat Tags: black_box, inference_time
Applications: recommendation systems, financial risk management, MLaaS graph model deployment