Watermarking Graph Neural Networks based on Backdoor Attacks

Jing Xu*, Stefanos Koffas, Oǧuzhan Ersoy, Stjepan Picek

*Corresponding author for this work

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

1 Downloads (Pure)


Graph Neural Networks (GNNs) have achieved promising performance in various real-world applications. Building a powerful GNN model is not a trivial task, as it requires a large amount of training data, powerful computing resources, and human expertise. Moreover, with the development of adversarial attacks, e.g., model stealing attacks, GNNs raise challenges to model authentication. To avoid copyright infringement on GNNs, verifying the ownership of the GNN models is necessary.This paper presents a watermarking framework for GNNs for both graph and node classification tasks. We 1) design two strategies to generate watermarked data for the graph classification task and one for the node classification task, 2) embed the watermark into the host model through training to obtain the watermarked GNN model, and 3) verify the ownership of the suspicious model in a black-box setting. The experiments show that our framework can verify the ownership of GNN models with a very high probability (up to 99%) for both tasks. We also explore our watermarking mechanism against an adaptive attacker with access to partial knowledge of the watermarked data. Finally, we experimentally show that our watermarking approach is robust against a state-of-the-art model extraction technique and four state-of-the-art defenses against backdoor attacks.

Original languageEnglish
Title of host publicationProceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Number of pages19
ISBN (Electronic)978-1-6654-6512-0
Publication statusPublished - 2023
Event8th IEEE European Symposium on Security and Privacy, Euro S and P 2023 - Delft, Netherlands
Duration: 3 Jul 20237 Jul 2023

Publication series

NameProceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023


Conference8th IEEE European Symposium on Security and Privacy, Euro S and P 2023

Bibliographical note

Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.


Dive into the research topics of 'Watermarking Graph Neural Networks based on Backdoor Attacks'. Together they form a unique fingerprint.

Cite this