Zing Forum

Graph Neural Network Model Stealing Attacks: Model Extraction Threats Under Low Query Cost

This article presents a research work accepted by AAAI 2026, showing how attackers can steal graph neural network (GNN) models with an extremely low query budget, revealing the extraction attack risks GNN models face, and providing important warnings for AI model security protection.

Tags: graph neural networks, model stealing, AI security, adversarial attacks, model extraction, GNN, AAAI 2026, privacy protection

Published 2026-06-11 07:44 | Recent activity 2026-06-11 07:49 | Estimated read 9 min

Section 01

[Introduction] GNN Model Stealing Attacks Under Low Query Cost: AAAI 2026 Research Reveals New Security Threats

This article introduces a research work accepted by AAAI 2026, focusing on the problem of stealing attacks against graph neural network (GNN) models. The study shows how attackers can steal GNN models with an extremely low query budget, revealing the extraction attack risks faced by GNN models and providing important warnings for AI model security protection.

Original Authors and Sources:

  • Authors: Marcin Podhajski, Jan Dubiński, Franziska Boenisch, Adam Dziedzic, Agnieszka Pręgowska, Tomasz P. Michalak
  • Sources: GitHub (code) / arXiv (paper)
  • Original Title: On Stealing Graph Neural Network Models
  • Code Link: https://github.com/vitork15/stealinggnns
  • Paper Link: https://arxiv.org/abs/2511.07170
  • Release Dates: June 2026 (code) / November 2025 (paper v1)

Section 02

Research Background: New Challenges for GNN Model Security

Graph neural networks (GNNs) have become the mainstream technology for processing graph-structured data, widely used in social network analysis, recommendation systems, molecular property prediction, knowledge graph reasoning, and other fields. As GNNs are increasingly deployed in commercial scenarios, their security issues have become more prominent.

Model stealing attacks are attacks in which an adversary reconstructs a functionally similar substitute model by querying the target model and analyzing its responses. Prior research has focused on neural networks in the image and text domains, with comparatively few studies dedicated to GNNs. Existing GNN stealing methods mostly assume an unlimited number of queries, whereas real-world APIs typically impose restrictions. This study asks whether stealing remains feasible under that constraint, i.e. with a low query budget.


Section 03

Core Attack Strategy: Two-Stage Low Query Cost Extraction Method

The study proposes an innovative two-stage attack strategy that breaks through the traditional reliance on high query volumes:

Stage 1: Query-Free Model Backbone Extraction

In this stage the attacker does not query the target model at all. Instead, they exploit properties of graph-structured data and common GNN design patterns to reconstruct the model architecture from statistical regularities of inputs and outputs: inferring the message-passing mechanism, guessing the structure from its inductive biases, identifying the number of layers and the hidden dimensions, and so on.

Stage 2: Data Extraction Under Limited Queries

With the backbone fixed, the attacker spends the limited query budget on the most informative samples. Selection strategies include boundary samples (those with low prediction confidence), coverage of structurally diverse nodes, and maximization of information gain.


Section 04

Experimental Validation: Effectiveness of the Attack on Multiple Datasets

The study validated the attack's effectiveness on 8 real datasets, including citation networks (Cora, Citeseer, PubMed), social networks (Reddit, Flickr), molecular datasets (QM7, QM8), and a custom knowledge graph dataset.

Key Findings:

  1. The model's functionality can still be stolen effectively under an extremely low query budget;
  2. The attack is robust against existing defense mechanisms, revealing the inadequacy of current defenses;
  3. The extracted substitute models transfer well across architectures such as GCN, GAT, and GraphSAGE.

Section 05

Security Threats: Multiple Risks to Business and Privacy

The threats revealed by this study include:

Dilemma in Commercial Model Protection: If an enterprise's core GNN services (recommendation, risk control, etc.) are stolen, the result is loss of intellectual property, loss of competitive advantage, and reverse engineering that exposes the model's vulnerabilities;

Privacy Leakage Risk: Sensitive information about the original training data can be inferred from the extracted substitute model;

Adversarial Sample Amplification: The substitute model has a decision boundary similar to the target's, so adversarial samples crafted against the substitute readily transfer to the target model.


Section 06

Defense Recommendations: Short-Term Strategies and Long-Term Research Directions

The research team put forward defense recommendations:

Short-Term Strategies:

  1. Strict API query rate limits;
  2. Adding carefully designed noise to output results;
  3. Embedding verifiable watermarks in models;
  4. Monitoring abnormal query patterns and triggering alerts.
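The following is an added illustration, not code from the paper or from the vitork15/stealinggnns repository. It combines two of the short-term strategies above, a per-client query rate limit and an alert on abnormal query patterns, using the Stage 2 selection behaviour described in Section 03 (queries concentrated on low-confidence boundary samples) as the pattern to watch for. The API shape (a softmax vector returned per queried node, clients identified by an API key) and all thresholds are assumptions for the example.

```python
from collections import defaultdict, deque


class QueryMonitor:
    """Per-client sliding-window monitor for a GNN prediction API.

    Hypothetical defender-side component: enforces a query rate limit and
    raises an alert when a client's queries cluster on low-confidence
    (boundary) predictions, the Stage 2 sample-selection pattern.
    Thresholds are placeholders and must be tuned per deployment.
    """

    def __init__(self, rate_limit=100, window=60.0, margin_thr=0.2,
                 boundary_frac_thr=0.6, min_queries=20):
        self.rate_limit = rate_limit                # answered queries allowed per window
        self.window = window                        # sliding window length in seconds
        self.margin_thr = margin_thr                # top1-top2 gap below which a query is "boundary"
        self.boundary_frac_thr = boundary_frac_thr  # boundary share that triggers an alert
        self.min_queries = min_queries              # no alert before this many queries in window
        self.history = defaultdict(deque)           # client -> deque of (time, is_boundary)

    @staticmethod
    def margin(probs):
        """Confidence margin between the two most likely classes."""
        top = sorted(probs, reverse=True)
        return top[0] - (top[1] if len(top) > 1 else 0.0)

    def observe(self, client, now, probs):
        """Record one query. Returns (allowed, alert).

        allowed=False: the client exceeded the rate limit and the query
        must not be answered (nothing is recorded for it).
        alert=True: the client's recent queries look like extraction.
        """
        hist = self.history[client]
        while hist and now - hist[0][0] > self.window:  # drop entries outside the window
            hist.popleft()
        if len(hist) >= self.rate_limit:
            return False, False
        hist.append((now, self.margin(probs) < self.margin_thr))
        boundary = sum(1 for _, is_boundary in hist if is_boundary)
        alert = (len(hist) >= self.min_queries
                 and boundary / len(hist) >= self.boundary_frac_thr)
        return True, alert

    def boundary_fraction(self, client):
        """Share of a client's in-window queries that hit the boundary region."""
        hist = self.history[client]
        return sum(1 for _, b in hist if b) / len(hist) if hist else 0.0
```

A rate-limited query is rejected before the model is run, so it leaks nothing; the alert is only a signal for review, since legitimate users working on genuinely ambiguous nodes can also produce low-margin queries.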

Long-Term Directions:

  1. Developing provably secure model protection schemes;
  2. Optimizing federated learning to resist stealing;
  3. Using trusted execution environments (TEE) to protect the inference process;
  4. Dynamically updating model parameters to make extracted models obsolete.

Section 07

Open Source Contribution: Providing an Experimental Platform for AI Security Research

The GitHub open-source project (vitork15/stealinggnns) implements the attack method in the paper, making it easy for researchers to:

  • Reproduce experimental results;
  • Test the effectiveness of new defense mechanisms;
  • Develop more advanced model protection technologies;
  • Conduct security education and training.

An open research attitude promotes progress in the AI security field, helping defenders understand attack methods and develop countermeasures.


Section 08

Implications for Practitioners: Key Security Points for Deploying GNN Models

For enterprises and developers deploying GNN models, the study provides the following implications:

  1. Enhance security awareness: Exposing a model API raises intellectual-property and security-boundary questions;
  2. Conduct risk assessment: Model stealing must be included in the threat model before a service is offered externally;
  3. Adopt defense-in-depth: A single mechanism is insufficient; a multi-layered security architecture is required;
  4. Continuous monitoring and response: Monitor API usage patterns after deployment and establish anomaly detection mechanisms;
  5. Combine with legal compliance: Use technical measures together with service agreements to define usage boundaries.