Robust GNN Watermarking via Implicit Perception of Topological Invariants
- URL: http://arxiv.org/abs/2510.25934v1
- Date: Wed, 29 Oct 2025 20:12:42 GMT
- Title: Robust GNN Watermarking via Implicit Perception of Topological Invariants
- Authors: Jipeng Li, Yanning Shen
- Abstract summary: InvGNN-WM ties ownership to a model's implicit perception of a graph invariant. A lightweight head predicts normalized algebraic connectivity on an owner-private carrier set. It matches clean accuracy while yielding higher watermark accuracy than trigger- and compression-based baselines.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Graph Neural Networks (GNNs) are valuable intellectual property, yet many watermarks rely on backdoor triggers that break under common model edits and create ownership ambiguity. We present InvGNN-WM, which ties ownership to a model's implicit perception of a graph invariant, enabling trigger-free, black-box verification with negligible task impact. A lightweight head predicts normalized algebraic connectivity on an owner-private carrier set; a sign-sensitive decoder outputs bits, and a calibrated threshold controls the false-positive rate. Across diverse node and graph classification datasets and backbones, InvGNN-WM matches clean accuracy while yielding higher watermark accuracy than trigger- and compression-based baselines. It remains strong under unstructured pruning, fine-tuning, and post-training quantization; plain knowledge distillation (KD) weakens the mark, while KD with a watermark loss (KD+WM) restores it. We provide guarantees for imperceptibility and robustness, and we prove that exact removal is NP-complete.
Related papers
- Generalizing GNNs with Tokenized Mixture of Experts [75.8310720413187]
We show that improving stability requires reducing reliance on shift-sensitive features, leaving an irreducible worst-case generalization floor. We propose STEM-GNN, a pretrain-then-finetune framework with a mixture-of-experts encoder for diverse computation paths. Across nine node, link, and graph benchmarks, STEM-GNN achieves a stronger three-way balance, improving robustness to degree/homophily shifts and to feature/edge corruptions while remaining competitive on clean graphs.
arXiv Detail & Related papers (2026-02-09T22:48:30Z)
- Protecting Deep Neural Network Intellectual Property with Chaos-Based White-Box Watermarking [2.667401221288548]
The rapid proliferation of deep neural networks (DNNs) has led to increasing concerns regarding intellectual property (IP) protection and model misuse. We propose an efficient and resilient white-box watermarking framework that embeds ownership information into the internal parameters of a DNN. The proposed method offers a flexible and scalable solution for embedding and verifying model ownership in white-box settings.
arXiv Detail & Related papers (2025-12-18T15:26:50Z)
- SSCL-BW: Sample-Specific Clean-Label Backdoor Watermarking for Dataset Ownership Verification [8.045712223215542]
This paper proposes a sample-specific clean-label backdoor watermarking (i.e., SSCL-BW). By training a U-Net-based watermarked sample generator, this method generates unique watermarks for each sample. Experiments on benchmark datasets demonstrate the effectiveness of the proposed method and its robustness against potential watermark removal attacks.
arXiv Detail & Related papers (2025-10-30T12:13:53Z)
- CertDW: Towards Certified Dataset Ownership Verification via Conformal Prediction [48.82467166657901]
We propose the first certified dataset watermark (i.e., CertDW) and CertDW-based certified dataset ownership verification method. Inspired by conformal prediction, we introduce two statistical measures, including principal probability (PP) and watermark robustness (WR). We prove there exists a provable lower bound between PP and WR, enabling ownership verification when a suspicious model's WR value significantly exceeds the PP values of benign models trained on watermark-free datasets.
arXiv Detail & Related papers (2025-06-16T07:17:23Z)
- WGLE: Backdoor-free and Multi-bit Black-box Watermarking for Graph Neural Networks [2.3612692427322313]
We propose WGLE, a novel black-box watermarking paradigm for Graph Neural Networks (GNNs). WGLE embeds the watermark encoding the intended information without introducing incorrect mappings that compromise the primary task. Results show that WGLE achieves 100% ownership verification accuracy, an average fidelity of 0.85%, comparable against potential attacks, and low embedding overhead.
arXiv Detail & Related papers (2025-06-10T09:12:00Z)
- Watermarking Graph Neural Networks via Explanations for Ownership Protection [13.93535590008316]
Graph Neural Networks (GNNs) are the mainstream method to learn pervasive graph data. Protecting GNNs from unauthorized use remains a challenge. Watermarking, which embeds ownership information into a model, is a potential solution.
arXiv Detail & Related papers (2025-01-09T23:25:06Z)
- Exact Certification of (Graph) Neural Networks Against Label Poisoning [50.87615167799367]
We introduce an exact certification method for label flipping in Graph Neural Networks (GNNs). We apply our method to certify a broad range of GNN architectures in node classification tasks. Our work presents the first exact certificate to a poisoning attack ever derived for neural networks.
arXiv Detail & Related papers (2024-11-30T17:05:12Z)
- Provable Robustness of (Graph) Neural Networks Against Data Poisoning and Backdoor Attacks [50.87615167799367]
We certify Graph Neural Networks (GNNs) against poisoning attacks, including backdoors, targeting the node features of a given graph. Our framework provides fundamental insights into the role of graph structure and its connectivity on the worst-case behavior of convolution-based and PageRank-based GNNs.
arXiv Detail & Related papers (2024-07-15T16:12:51Z)
- GENIE: Watermarking Graph Neural Networks for Link Prediction [5.1323099412421636]
Graph Neural Networks (GNNs) have become invaluable intellectual property in graph-based machine learning. Watermarking is a promising OD framework for Deep Neural Networks, but existing methods fail to generalize to GNNs due to the non-Euclidean nature of graph data. In this paper, we propose GENIE, the first-ever scheme to watermark GNNs for Link Prediction (LP). Our scheme is equipped with Dynamic Watermark Thresholding (DWT), ensuring high verification probability (>99.99%) while addressing practical issues in existing watermarking schemes.
arXiv Detail & Related papers (2024-06-07T10:12:01Z)
- Resisting Graph Adversarial Attack via Cooperative Homophilous Augmentation [60.50994154879244]
Recent studies show that Graph Neural Networks are vulnerable and easily fooled by small perturbations.
In this work, we focus on the emerging but critical attack, namely, Graph Injection Attack.
We propose a general defense framework CHAGNN against GIA through cooperative homophilous augmentation of graph data and model.
arXiv Detail & Related papers (2022-11-15T11:44:31Z)
- Exploring Structure Consistency for Deep Model Watermarking [122.38456787761497]
The intellectual property (IP) of Deep neural networks (DNNs) can be easily "stolen" by surrogate model attack.
We propose a new watermarking methodology, namely "structure consistency", based on which a new deep structure-aligned model watermarking algorithm is designed.
arXiv Detail & Related papers (2021-08-05T04:27:15Z)
- Watermarking Graph Neural Networks by Random Graphs [38.70278014164124]
It is necessary to protect the ownership of the GNN models, which motivates us to present a watermarking method to GNN models.
In the proposed method, an Erdos-Renyi (ER) random graph with random node feature vectors and labels is randomly generated as a trigger to train the GNN.
During model verification, by activating a marked GNN with the trigger ER graph, the watermark can be reconstructed from the output to verify the ownership.
arXiv Detail & Related papers (2020-11-01T14:22:48Z)
This list is automatically generated from the titles and abstracts of the papers in this site.