Pith Number

pith:B6X7YNKJ

pith:2026:B6X7YNKJ6RSVGV3R6R5OX5DICX
not attested · not anchored · not stored · refs resolved

GraphIP-Bench: How Hard Is It to Steal a Graph Neural Network, and Can We Stop It?

Bolin Shen, Kaixiang Zhao, Shayok Chakraborty, Yushun Dong, Yuyang Dai

Stealing a graph neural network is straightforward at medium query budgets, and existing defenses rarely prevent extraction or preserve ownership signals on surrogates.

arxiv:2605.12827 v1 · 2026-05-12 · cs.CR · cs.AI · cs.LG

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{B6X7YNKJ6RSVGV3R6R5OX5DICX}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1: strongest claim

Stealing a GNN is easy at medium query budgets and most defenses do not change this; several watermarks verify reliably on the protected model but lose most of their verification signal on the extracted surrogate.

C2: weakest assumption

The twelve attacks, twelve defenses, ten graphs, three backbones and three tasks chosen for the benchmark are representative enough that conclusions about real-world GNN services will hold.

C3: one-line summary

GraphIP-Bench shows stealing GNNs is easy at moderate query budgets, most defenses fail to block or reliably trace extraction, and watermarks lose verification power on surrogates while heterophilic graphs are harder to steal.

Receipt and verification

First computed: 2026-05-18T03:09:12.139156Z
Builder: pith-number-builder-2026-05-17-v1
Signature: Pith Ed25519 (pith-v1-2026-05) · public key
Schema: pith-number/v1.0

Canonical hash

0faffc3549f465535771f47aebf46815e99c6bb1af6e73d3149262a73e06aa5e

Aliases

arxiv: 2605.12827 · arxiv_version: 2605.12827v1 · doi: 10.48550/arxiv.2605.12827 · pith_short_12: B6X7YNKJ6RSV · pith_short_16: B6X7YNKJ6RSVGV3R · pith_short_8: B6X7YNKJ

Agent API

Verify this Pith Number yourself

curl -sH 'Accept: application/ld+json' https://pith.science/pith/B6X7YNKJ6RSVGV3R6R5OX5DICX \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 0faffc3549f465535771f47aebf46815e99c6bb1af6e73d3149262a73e06aa5e

Canonical record JSON

{
  "metadata": {
    "abstract_canon_sha256": "c13b853b9f0f5f7992f486ca8262326335d92fb72ad79d05c4a8994158445719",
    "cross_cats_sorted": [
      "cs.AI",
      "cs.LG"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-12T23:49:45Z",
    "title_canon_sha256": "052da90012bb32bdcf35f3ecb86e5c26399f16d61d2fc0fe93e7db36b88e19f3"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.12827",
    "kind": "arxiv",
    "version": 1
  }
}