Multiple-model and time-sensitive dynamic active learning for recurrent graph convolutional network model extraction attacks

Download PDF
Open Webpage

Zhuo Zeng, Chengliang Wang, Fei Ma, Peng Wang, Hongqian Wang

Published: 01 Jan 2024, Last Modified: 12 Apr 2025Int. J. Mach. Learn. Cybern. 2024EveryoneRevisionsBibTeXCC BY-SA 4.0
Abstract: The paper explores the vulnerability of a popular deep learning model—recurrent graph convolutional network (RGCN)—from the view of model extraction attacks. As a commonly-used attack method, graph-based active learning strategies could perform black-box model extraction attacks for extracting high-fidelity deep learning models without the background knowledge of model structure and parameters. They still have two limitations—spatial-temporal information ignorance and lack of cost-effective node sampling constraints—on dynamic graphs, influencing the fidelity of extracted RGCN models. In this paper, the proposed multiple-model and time-sensitive dynamic active learning (MTDAL) strategy relied on an RGCN committee to solve the spatial-temporal information ignorance. It captures the time-sensitive dynamic node importance from dynamic node representatives and dynamic node informativeness. In the node sampling procedure, the dynamic node representative is measured by the time-sensitive and weighted distance between node embeddings and associated cluster centers achieved by semi-supervised clustering. The dynamic node informativeness is measured by the spatial-temporal disagreement of node embeddings output by the RGCN committee that includes RGCNs with multiple model structures. To overcome cost-effective node sampling difficulties, MTDAL configures the class-balance constraints and makes a trade-off between aggregated dynamic node importance and standardized nonequivalent node query cost. In the experiments, graph-based active learning strategies achieve node sampling for querying different-type oracle models and exploit labeled nodes for training multiple RGCN models in the RGCN committee. Compared with random, KcenterGreedy, and ALDG strategies, the proposed MTDAL strategy could effectively sample the most critical dynamic nodes for extracting higher-fidelity RGCN models, especially in dynamic node classification tasks.