On Stealing Graph Neural Network Models

Authors

  • Marcin Podhajski Institute of Fundamental Technological Research, Polish Academy of Sciences IDEAS NCBR
  • Jan Dubiński Warsaw University of Technology NASK National Research Institute
  • Franziska Boenisch CISPA Helmholtz Center for Information Security
  • Adam Dziedzic CISPA Helmholtz Center for Information Security
  • Agnieszka Pręgowska Institute of Fundamental Technological Research, Polish Academy of Sciences
  • Tomasz Paweł Michalak University of Warsaw IDEAS Research Institute

DOI:

https://doi.org/10.1609/aaai.v40i29.39671

Abstract

Current graph neural network (GNN) model-stealing methods rely heavily on queries to the victim model, assuming no hard query limits. However, in reality, the number of allowed queries can be severely limited. In this paper, we demonstrate how an adversary can extract a GNN with very limited interactions with the model. Our approach first enables the adversary to obtain the model backbone without making direct queries to the victim model and then to strategically utilize a fixed query limit to extract the most informative data. The experiments on eight real-world datasets demonstrate the effectiveness of the attack, even under a very restricted query limit and under defense against model extraction in place. Our findings underscore the need for robust defenses against GNN model extraction threats.
AAAI-26 / IAAI-26 / EAAI-26 Proceedings Cover

Downloads

Published

2026-03-14

How to Cite

Podhajski, M., Dubiński, J., Boenisch, F., Dziedzic, A., Pręgowska, A., & Michalak, T. P. (2026). On Stealing Graph Neural Network Models. Proceedings of the AAAI Conference on Artificial Intelligence, 40(29), 24846-24854. https://doi.org/10.1609/aaai.v40i29.39671

Issue

Vol. 40 No. 29: AAAI-26 Technical Tracks 29

Section

AAAI Technical Track on Machine Learning VI