An Open-Source Graph Dataset Infringement Verification Method via Class-Expansion Backdoor Watermark

Abstract

With the rapid development of the Internet, open-source graph datasets are increasingly shared and reused in intelligent networked services, making robust infringement verification increasingly important. Backdoor-based watermarking for graph neural networks (GNNs) can be used to check whether a suspicious model has been trained on protected data without authorization. However, existing dataset infringement verification methods have limited applicability and are mainly designed for private datasets. Directly applying them to open-source datasets would cause models trained by legitimate users to learn backdoor behavior, which would expose them to security risks. In this paper, we propose a new infringement verification method for open-source graph datasets, which reduces backdoor-related security risks in models trained by legitimate users. The core idea is to introduce an additional expansion-class and re-label watermarked samples as belonging to this class. This design completely separates the learning of watermark patterns from the original feature-label mappings during training. As a result, only trigger-bearing samples are directly involved in infringement verification, which helps prevent watermark patterns from being associated with existing classes in the original task. The proposed method provides a practical solution for trustworthy graph data sharing and infringement verification in Internet environments. Extensive experiments on benchmark datasets demonstrate that the proposed method achieves a high verification success rate while largely preserving the model’s clean accuracy.

1. Introduction

Graph neural networks (GNNs) have shown great success in various areas related to open networked systems [1], such as online social networks [2,3], recommender systems [4,5,6], security detection [7,8,9,10], and smart transportation systems [11,12,13], supporting the development of intelligent and secure Internet services. These advances rely on high-value graph datasets, which require considerable human and financial resources to build and therefore have substantial commercial and research value. As a result, increasing attention has been paid to dataset security, authorized use, and ownership protection in open data sharing scenarios. However, unauthorized use of graph data for model training has become increasingly common, which seriously infringes upon the legitimate rights and interests of data owners. Therefore, it is very important to develop reliable schemes for graph data infringement verification to protect the intellectual property rights of graph data.

Conventional data protection methods (e.g., encryption [14,15], digital signatures [16,17], digital watermarking [18,19]) usually require access to suspicious samples to verify data provenance. However, in practical settings, many deployed model services operate as black-box systems. Model providers typically expose only an API and do not disclose internal information such as training datasets. This makes it difficult to apply the aforementioned protection methods to infringement verification in black-box settings.

To overcome this problem, existing studies have employed backdoor watermarking techniques for graph dataset infringement verification. For example, Li et al. [20] proposed DVBW, which introduces backdoor triggers into data as watermarks. Verification is performed by checking whether a suspicious model exhibits a specific response to these triggers (e.g., outputting a specified label). Xing et al. [21] argued that DVBW’s fixed-subgraph triggers are insufficiently stealthy and yield limited verification performance; they therefore proposed GDOA. By adopting a clean-label strategy and an adaptive feature trigger, GDOA significantly enhances both the stealthiness and the verification success rate of backdoor watermarks.

Although these approaches are effective for infringement verification in black-box settings, they have a major limitation: they do not adequately address practical settings such as open-source datasets or legitimate data transactions in Internet environments. In particular, when a legitimate user trains a model on an open-source dataset that contains backdoor watermark triggers, the resulting model will inadvertently learn harmful backdoor behavior. Such a design enables the data publisher to perform infringement verification, but it may also introduce backdoor risks into models trained by legitimate users. Consequently, existing graph dataset infringement verification methods have very limited applicability, and are suitable only for private datasets.

To broaden the applicability of graph dataset infringement verification, this paper proposes a backdoor watermarking scheme called Class-Expansion Backdoor Watermark (CEBW), which is built on a class-expansion mechanism. Compared with conventional backdoor-based verification methods, this scheme enables data infringement verification while reducing backdoor-related security risks in models trained by legitimate users. The core idea is to introduce an additional class into the dataset solely for infringement verification, and re-label all trigger-carrying watermarked samples to the new class. During training, the model learns the mapping between watermark patterns and a special “expansion-class” separately from the normal classification task. This ensures that a model trained by an adversary on the watermarked dataset without authorization maintains its response to the expansion-class watermark. It also helps mitigate the security risk that arises when legitimate users train on watermarked data, namely, the erroneous association of watermark patterns with original task classes.

The main contributions of this paper are as follows:

• We systematically analyze, for the first time, the limitations of existing backdoor watermark-based graph dataset infringement verification methods in open-source scenarios, and explicitly point out that they expose legitimate users’ models to backdoor risks.
• We propose a “class-expansion” watermark and develop the graph dataset infringement verification method CEBW. The approach enables infringement verification while reducing the direct security risk to legitimate users.
• We conduct extensive experiments on several benchmark graph datasets. The results show that our approach achieves strong verification performance, while preserving the model’s clean performance.

The rest of this paper is organized as follows: Section 2 reviews related work; Section 3 introduces the background and threat model; Section 4 details the design and implementation of CEBW; Section 5 validates the method through experiments; Section 6 discusses the main findings, limitations, and implications of the proposed method; and Section 7 concludes the paper and discusses future research directions.

2. Related Work

2.1. Graph Backdoor Attack

The main challenge of backdoor attacks against GNNs lies in the non-Euclidean nature of graph data. Adversaries must jointly consider graph topology and node features, which is a key difference from conventional image backdoor attacks. Early research in this area focused on graph classification. Zhang et al. [22] were the first to use malicious subgraphs with specific topological patterns as triggers. This line of research was soon extended to other major tasks such as node classification and link prediction [23,24,25]. Among these, the GTA attack proposed by Xi et al. [23] is a milestone. It dynamically optimizes both trigger topology and node features based on model outputs, allowing the trigger to adapt to different input graphs.

Subsequent work improved attack strategies along several dimensions to enhance effectiveness and stealthiness. Xu et al. [26], using explainability techniques for GNNs, discovered that injecting triggers into positions of low importance can result in more covert and effective attacks. Zheng et al. [27] innovatively used graph motifs as triggers, selecting motifs that are enriched in the target class, and used shadow models to filter appropriate injection locations, resulting in effective black-box attacks. Dai et al. [28] selected important nodes via clustering and generated adaptive similarity-preserving triggers, thereby mitigating the disruption of node similarity while limiting the attack scale. Xing et al.’s CGBA [29] first selects the highest-degree nodes from the target class, then employs the top-k largest feature values as triggers and uses the indices of these features as injection positions, which makes the attack more stealthy and natural. Chen Y. et al. [30] followed a different approach by treating “high-frequency features” in the original data as natural triggers, and reconstructing the topology to maintain graph homophily, making poisoned nodes harder to detect.

Meanwhile, backdoor attacks have been extended to more diverse scenarios. Zhang et al. [31] proposed GCBA for graph contrastive learning, which injects and optimizes malicious nodes and spans the full pipeline from model publication to inference. Yang et al. [32] tackled the problem of scarce labeled data in semi-supervised node classification—where backdoor methods that rely on label modification often fail—by proposing PerCBA, which implants triggers together with adversarial perturbations to drive unlabeled nodes carrying the trigger toward the target class. Chen et al. [33] introduced Dyn-Backdoor, the first backdoor attack targeting dynamic link prediction (DLP); its key idea is to use sequences of subgraphs with temporal patterns as triggers. In their later work [34], the same team expanded the threat to heterogeneous graph neural networks (HGNNs) with HGBA: its core is a relation-based trigger that establishes links between trigger nodes and poisoned nodes via backdoor meta-paths to inject the backdoor.

2.2. Data Protection

Data protection aims to prevent unauthorized use of data. Conventional methods include encryption, digital signatures, digital watermarking, and differential privacy. Encryption restricts access to data through secret keys [14,15,35,36]. Digital signatures attach a signature to data in order to verify integrity and provenance [16,17,37,38]. Digital watermarking embeds ownership identifiers into the data itself and can offer greater robustness and traceability than digital signatures [18,19,39,40]. Differential privacy defends against inference about whether an individual sample was part of a training set by injecting noise during training [41,42,43].

However, the above techniques have several limitations: encryption can reduce the usability of the dataset; digital signatures and conventional watermarks both depend on access to the original data; and differential privacy requires intervening in model training and cannot protect open-source datasets. None of these conventional methods can support infringement verification in black-box scenarios, where the training set is not disclosed and only the model API is available; this is the typical context for third-party infringement.

Inspired by the ability of backdoor triggers to precisely control model behavior, researchers have converted attack techniques into black-box infringement verification methods by constructing trigger-based watermarks. Li et al. proposed DVBW [20], which was inspired by poison-only backdoor attacks such as BadNets [44]. DVBW randomly selects a subset of protected data samples to embed distinctive watermarks, then determines infringement by checking whether a suspicious model exhibits specific backdoor behavior. To avoid spurious results from single-sample tests, it further employs hypothesis-testing-based verification. DVBW addressed the problem of dataset infringement verification under black-box conditions. It also demonstrated its feasibility across tasks including image classification, graph classification, and natural language processing.

DVBW provided only preliminary feasibility validation based on the method proposed in [23], and did not conduct a systematic study specific to graph dataset infringement verification. Xing et al. extended this line of research and proposed the GDOA method [21]. GDOA uses a clean-label attack strategy, injecting adaptive backdoor watermarks into target class samples without altering their labels to improve stealthiness. Additionally, GDOA analyzes the importance of feature dimensions in node attributes and selects optimal injection locations for feature triggers, thereby improving the verification success rate.

However, for graph datasets, existing methods such as DVBW and GDOA still have significant shortcomings. First, when applied to open-source datasets, they may cause models trained by legitimate users to inadvertently learn backdoor behavior, thereby introducing security risks. Second, these methods mainly focus on graph classification settings, while verification methods for node classification tasks are still limited. Therefore, building an infringement verification framework that reduces security risks to legitimate users while remaining applicable to both node and graph classification has become an important research problem.

3. Preliminaries

3.1. The Standard Workflow of Poison-Only Backdoor Attacks

The verification method proposed in this paper is based on poison-only backdoor attacks. Consequently, this subsection introduces their standard workflow.

Given a clean dataset D used for model training, the adversary first selects a subset ${\mathcal{D}}_s$ from the clean dataset according to a poisoning rate $\rho$, where $\rho$ denotes the proportion of ${\mathcal{D}}_s$ in $\mathcal{D}$. Then, for each clean sample $({\mathrm{x}}_{\mathrm{c}},{\mathrm{y}}_{\mathrm{c}})\in {\mathrm{D}}_{\mathrm{s}}$, the adversary applies a specific trigger pattern and injection method to generate a poisoned sample $x_p$; the label for these poisoned samples is set to an adversary-chosen target label $y_p$. Finally, the poisoned samples are mixed with the remaining clean samples to form the poisoned training dataset ${\mathcal{D}}_{\mathrm{p}}$.

The model is trained by optimizing the following objective:

$${\mathcal{L}}_{\mathrm{total}}\left(\theta \right)=\lambda \mathcal{L}(F_b\left(x_c\right),y_c)+(1-\lambda )\mathcal{L}(F_b\left(x_p\right),y_p),$$

(1)

where $\mathcal{L}(·,·)$ denotes the loss function, and $\lambda$ controls the balance between clean-sample and poisoned-sample performance.

The model $F_b$ trained using this procedure will exhibit backdoor behavior: for clean samples, it correctly predicts their original class y, i.e., $F_b\left(x_c\right)=y_c$; for poisoned samples containing the trigger, it outputs the adversary-specified class $y_t$, i.e., $F_b\left(x_p\right)=y_p$.

3.2. Problem Formulation and Threat Model

This paper focuses on the problem of infringement verification for open-source graph datasets. Specifically, given a suspicious model $F_{\theta }$, we aim to verify, in a black-box setting, whether $F_{\theta }$ was trained on the dataset $D_w$. This problem typically involves two parties: an adversary and a defender.

• The adversary aims to train a model on $D_w$ without authorization. They release only the final model and do not disclose training details (e.g., the training procedure, hyperparameters, or original samples).
• The defender publishes the dataset and aims to verify whether infringement has occurred. In the black-box setting considered in this paper, they can access $F_{\theta }$ only through API queries and observe its outputs, without access to the model’s parameters, architecture, or training data.

Specifically, CEBW assumes that the suspicious API preserves the expansion-class in its observable output label space. Thus, the proposed verification can be performed as long as the API can return the expansion-class as an output label. If the API remaps predictions to the original class space or suppresses the expansion-class, then CEBW cannot be directly deployed through that interface.

CEBW is specifically designed for black-box scenarios in which the expansion-class remains observable in the API output space.

4. Proposed Method

4.1. Overall Procedure

CEBW consists of two main steps: (1) build watermarked dataset, and (2) dataset infringement verification. The first step uses poison-only backdoor attacks for dataset watermarking, and the second step adopts a threshold-based dataset verification rule.

4.2. Build Watermarked Dataset

Generally speaking, we inject a given trigger pattern $\mathsf{\Delta }$ as a watermark into a small portion of the graph data, and uniformly re-label those selected samples as an “expansion-class” $y_w$ that does not appear in the original dataset. In this paper, the method is validated in both node classification and graph classification settings. The overall construction process is illustrated in Figure 1.

For a node classification dataset, we randomly select $V_w\subset V$ from the full node set V of the clean graph G at a proportion of ${\rho }_n$. For each selected node $v_j\in V_w$, we select a proportion $r_n$ of feature dimensions from its feature vector $x_j$ according to a predefined rule, modify the corresponding feature components to the trigger feature value $t_n$, and change the node’s label to the expansion-class $y_w$. The procedure is outlined in Algorithm 1.

For a graph classification dataset, we randomly sample a set of graphs $G_w$ from the clean dataset $D_c$ at a proportion of ${\rho }_g$. For each selected graph $G_i\in G_w$, we randomly choose a subset of nodes $V_w^i\subset V\left(G_i\right)$ consisting of $n_g$ nodes. For every selected node $v_j\in V_w^i$, we select $k_g$ feature dimensions from its feature vector $x_j$ according to a predefined rule and set those feature components to the preset trigger feature value $t_g$. After feature trigger injection, we further refine the local connectivity among the selected trigger nodes according to their feature similarity. Specifically, for each pair of selected trigger nodes, the edge between them is preserved or added if their feature similarity is above a predefined threshold ${\tau }_{sim}$, and removed otherwise. Finally, the label of graph $G_i$ is changed to the expansion-class $y_w$. The procedure is outlined in Algorithm 2.

Algorithm 1 Build watermarked dataset (node classification task).

Require:  Clean graph $G=(V,E,X,Y)$, node poisoning rate ${\rho }_n$, trigger feature ratio $r_n$, expansion-class $y_w$ Ensure:  Watermarked graph $G_w=(V,E,X_w,Y_w)$   1: Randomly select ${\rho }_n\left|V\right|$ nodes from V to form $V_w$   2: for each node $v\in V_w$ do   3:     Select a set of feature dimensions from $X_v$ according to a predefined rule and the ratio $r_n$   4:     Modify the selected features to the trigger feature value $t_n$   5:     Set the label of v to $y_w$   6: end for   7: return $G_w$

Algorithm 2 Build watermarked dataset (graph classification task).

Require:  Clean graph dataset $D_c=\{G_1,G_2,\dots ,G_m\}$, graph poisoning rate ${\rho }_g$, number of trigger nodes $n_g$, number of trigger feature dimensions $k_g$, expansion-class $y_w$ Ensure:  Watermarked graph dataset $D_w$   1: $D_w\leftarrow D_c$             ▹ Initialize $D_w$ as the original clean graph dataset   2: Randomly select ${\rho }_g\left|D_c\right|$ graphs from $D_c$ to form $G_w$   3: for each graph $G_i\in G_w$ do   4:     Randomly select $n_g$ nodes from $V\left(G_i\right)$ to form $V_w^i$   5:     for each node $v\in V_w^i$ do   6:         Select $k_g$ feature dimensions from $X_v$ according to a predefined rule   7:         Modify the selected features to the trigger feature value $t_g$   8:     end for   9:     Refine the local connectivity among nodes in $V_w^i$ according to feature similarity and the threshold ${\tau }_{sim}$  10:     Set the label of $G_i$ to $y_w$  11: end for  12: return $D_w$

After the watermarked dataset $D_w$ is built, training any GNNs on $D_w$ follows the poison-only backdoor workflow described in Section 3.1.

4.3. Dataset Infringement Verification

In the infringement verification phase, we determine whether a suspicious model $F_s$ was trained on the watermarked dataset $D_w$ by examining its prediction behavior on watermarked samples. This procedure assumes that the expansion-class is preserved in the observable output label space of the suspicious API. The infringement verification process is shown in Figure 2.

Given a watermarked sample set $X_w=\{x_{w1},x_{w2},\dots ,x_{wn}\}$, where each sample contains the watermark trigger, verification is performed as follows:

(1)

For each watermarked sample $x_{wi}\in X_w$, feed it to $F_s$ to obtain the prediction $y_{w_i}$. If $y_{w_i}=y_w$, add $x_{wi}$ to the set S.

(2)

Compute the proportion $r=\left|S\right|/|X_w|$. If $r\ge \delta$, the suspicious model is regarded as having been trained on $D_w$ under the proposed threshold-based verification rule; otherwise, the verification result is negative.

The above verification is formalized in Algorithm 3. It combines sample-level checking with set-level statistics. This reduces the probability of accidental matches on individual samples and improves the reliability of infringement determinations.

Algorithm 3 Dataset infringement verification.

Require:  Suspicious model $F_s$, watermark sample set $X_w$, expansion-class $y_w$, threshold $\delta$ Ensure:  Boolean (True if infringement detected, False otherwise)   1: $S\leftarrow \varnothing$   2: for each $x_w\in X_w$ do   3:     $y_{pred}\leftarrow F_s\left(x_w\right)$   4:     if $y_{pred}=y_w$ then   5:         $S\leftarrow S\cup \left\{x_w\right\}$   6:     end if   7: end for   8: $r\leftarrow \left|S\right|/|X_w|$   9: if $r\ge \delta$  then  10:     return True  11: else  12:     return False  13: end if

4.4. Advantages of Class-Expansion Watermark

CEBW re-labels all trigger-bearing watermarked samples as $y_w$, so that the learned mapping “watermark patterns → class $y_w$” is completely isolated from the normal mapping “original features → normal classes.” As a result, the learning objective for watermarked samples is independent of the original task.

The role of $y_w$ is analogous to an error code in computer systems: it serves only as a dedicated identifier for verifying model infringement and does not correspond to any valid class in the original task. This characteristic leads to prediction behavior distinct from that produced by conventional methods, yielding the following advantages:

• Reduced misclassification risk for legitimate-user models. Conventional backdoor-based watermarking methods typically use an existing normal class as the watermark target. As a result, the model may learn a mapping from watermark patterns to a normal task label, which creates a direct risk of watermark-induced misclassification within the original label space. In CEBW, watermark patterns are associated with a dedicated expansion-class rather than with any normal class. Therefore, compared with conventional methods, CEBW reduces the risk that trigger-bearing inputs are redirected to an existing normal category of the original task.
• Stronger verification signal against unauthorized use. If an adversary trains a model using the watermarked dataset, the resulting model may learn the association between watermark patterns and the expansion-class $y_w$. Since $y_w$ does not exist in the original clean data, a model trained solely on clean data is generally not expected to output $y_w$ on trigger-bearing samples. Therefore, when a suspicious model consistently predicts $y_w$ for watermarked queries, this behavior provides a strong and distinctive verification signal for potential infringement. This makes the verification signal of CEBW easier to distinguish from normal task behavior than that of conventional methods.
• Minimal interference with clean-task performance. Since $y_w$ is independent of the original classes, learning the watermark has little effect on the model’s learning of normal patterns, thereby minimizing its impact on the model’s original task performance.

5. Experiments

5.1. Experimental Setting

5.1.1. Datasets

In the node classification setting, we consider the verification performance on Cora [45], CiteSeer [46], and PubMed [47]. These are citation networks where nodes represent papers and edges denote citation links. Cora focuses on machine learning, CiteSeer on information science, and PubMed on biomedical research. Detailed statistics are reported in

Table 1. Node classification datasets.

Datasets	Nodes	Edges	Features	Classes
Cora	2708	5429	1433	7
CiteSeer	3327	4732	3703	6
PubMed	19,717	44,338	500	3

.

We adopt the standard dataset split provided by the PyTorch Geometric [48]: 20 labeled nodes per class are used for training, 500 nodes for validation, and 1000 nodes for testing.

In the graph classification setting, we make evaluations using AIDS [49], IMDB-MULTI [50], and ENZYMES [51]. AIDS consists of 2000 molecular graphs and is used to study molecular property prediction related to anti-HIV activity. IMDB-MULTI is derived from the IMDB movie collaboration network: each graph represents a movie, nodes are actors, and edges indicate co-appearance. ENZYMES contains protein structure graphs from six enzyme families, where nodes represent secondary-structure units and edges indicate spatial proximity. Details are given in

Table 2. Graph classification datasets.

Datasets	Graphs	Avg. Nodes	Avg. Edges	Classes
AIDS	2000	15.69	16.20	2
IMDB-MULTI	1500	13.00	65.94	3
ENZYMES	600	32.63	62.14	6

.

5.1.2. Training Configuration

We make evaluations using three widely used GNN architectures: GCN [52], GAT [53], and GraphSAGE [54]. All models are trained with the Adam optimizer [55]. The training configurations for the two scenarios are summarized in

Table 3. Training configuration.

Type	Node Classification	Graph Classification
Hidden Dimension	256	256 → 128
Number of Layers	3	4
Activation Function	ReLU	ReLU
Dropout Rate	0.5	0.5
Loss Function	Cross-entropy	Cross-entropy
Learning Rate	0.01	0.01
Weight Decay	$5\times {10}^{-4}$	$5\times {10}^{-4}$
Batch Size	1024	128
Epochs	400	300/1000 (GraphSAGE)
Random Seed	0	123

Note: Number of layers counts the input layer, hidden layer(s), and output layer.

.

5.1.3. Watermarking Parameters

The node classification setting involves three watermarking parameters: the node poisoning rate ${\rho }_n$, the trigger feature ratio $r_n$, and the trigger feature value $t_n$. The graph classification setting involves five watermarking parameters: the graph poisoning rate ${\rho }_g$, the number of trigger nodes $n_g$, the number of trigger feature dimensions $k_g$, the trigger feature value $t_g$, and the similarity threshold ${\tau }_{sim}$ used for local connectivity refinement.

Unless otherwise stated, the default parameter settings are as follows: for node classification, ${\rho }_n=2\%$, $r_n=2\%$, and $t_n=0.5$; for graph classification, ${\rho }_g=1\%$, $n_g=2$, $k_g=2$, ${\tau }_{sim}=0.5$, and each $t_g$ is randomly sampled from the range $[2,3]$.

In the experiments, watermarked samples used for training the watermarked models are selected from the corresponding training split. For infringement verification, we use a predefined empirical decision threshold $\delta =80\%$ throughout the experiments.

5.1.4. Baseline

For the graph classification task, we compare CEBW with three baselines: DVBW [20], GDOA [21], and CLBA [56]. CLBA is a clean-label graph backdoor attack. Since CEBW is also based on a backdoor watermarking mechanism, we adapt CLBA as a baseline by treating its trigger design as a watermark pattern and evaluating it under the same verification protocol.

For the node classification task, to the best of our knowledge, there is currently no directly comparable dataset infringement verification method based on backdoor watermarking. Therefore, we adopt several poison-only graph backdoor attack methods as baselines, including UGBA [28], CGBA [29], and CGBA-R. Their trigger designs are also treated as watermark patterns and evaluated under the same verification protocol.

CGBA-R is a variant of CGBA, in which the feature trigger injection positions are randomly selected.

5.1.5. Evaluation Metrics

We adopt verification success rate (VSR) and clean accuracy drop (CAD) to evaluate the effectiveness of dataset watermarking.

VSR is defined as the proportion of watermarked samples that the model predicts as $y_w$. As described in Section 4.3, it serves as the core statistic in the threshold-based verification rule. VSR is defined as follows:

$$\mathrm{VSR}={\displaystyle \frac{\left|S\right|}{|X_w|}}$$

(2)

where S denotes the set of watermarked samples predicted as $y_w$. When $\mathrm{VSR}>\delta$, the model is regarded as having been trained on the watermarked dataset under the proposed verification rule.

CAD measures the impact of watermarking on the model’s original task performance. It is defined as the difference in accuracy on the clean test set between the clean model $F_c$ and the watermarked model $F_w$:

$$\mathrm{CAD}=\mathrm{ACC}\left(F_c\right)-\mathrm{ACC}\left(F_w\right)$$

(3)

A higher VSR and a smaller CAD indicate a better trade-off between verification effectiveness and clean accuracy.

5.2. Main Results

In both node classification and graph classification tasks, the watermark is injected into a fixed contiguous segment starting from the first feature dimension. The experimental results of CEBW and the baseline methods are shown in

Table 4. Overall experimental results on node classification datasets.

Models	Methods	VSR (%)|CAD (%)
		Cora	CiteSeer	PubMed
GCN	UGBA	99.6|0.0	100.0|−0.3	99.6|−2.9
	CGBA	69.9|0.9	90.4|0.7	45.1|0.1
	CGBA-R	51.2|0.8	56.3|1.4	38.7|0.2
	Ours	99.8|−0.7	100.0|0.6	84.8|−0.9
GAT	UGBA	100.0|0.6	6.01|0.61	100.0|−0.6
	CGBA	11.5|−2.4	47.4|6.4	42.0|−3.4
	CGBA-R	9.8|−8.2	12.7|14.6	29.5|−3.2
	Ours	92.4|2.9	100.0|−4.9	99.7|−1.7
GraphSAGE	UGBA	91.8|−0.2	81.5|1.03	90.8|0.3
	CGBA	71.6|6.1	64.2|−0.4	43.9|0.4
	CGBA-R	53.3|5.8	38.9|−0.7	39.1|0.3
	Ours	100.0|3.2	100.0|−3.7	98.5|−0.1

and

Table 5. Overall experimental results on graph classification datasets.

Models	Methods	VSR (%)|CAD (%)
		AIDS	IMDB-MULTI	ENZYMES
GCN	DVBW	18.3|−0.5	25.6|1.2	28.4|−4.0
	CLBA	18.8|−0.1	28.3|0.3	23.7|−1.4
	GDOA	99.7|0.4	95.2|0.3	99.7|−3.7
	Ours	98.8|−0.3	93.9|0.3	99.7|2.7
GAT	DVBW	15.4|0.6	26.8|−0.7	23.1|3.0
	CLBA	14.5|−3.2	24.5|−0.7	18.1|1.0
	GDOA	99.9|−2.0	98.9|−0.9	100.0|2.3
	Ours	99.9|−4.1	99.7|−1.3	100.0|−2.3
GraphSAGE	DVBW	0.0|0.0	27.7|0.0	4.7|3.3
	CLBA	0.0|0.0	27.5|0.0	7.7|4.0
	GDOA	96.7|0.0	97.3|−1.2	96.7|0.0
	Ours	94.1|0.0	91.1|0.0	96.0|3.4

. Overall, CEBW generally achieves high VSR in both settings, while keeping CAD within a relatively small range in most cases.

In the node classification task, CEBW usually achieves VSR values close to 100% on Cora and CiteSeer. On PubMed, although the GCN-based result is slightly lower, the other models still maintain the high verification success rate. Across these datasets, CEBW generally outperforms CGBA and its variant CGBA-R, and also shows competitive performance compared with UGBA. At the same time, CAD fluctuates only slightly overall, indicating limited impact on the original task performance.

In the graph classification task, CEBW also achieves strong verification performance on AIDS, IMDB-MULTI, and ENZYMES, with many results close to 100%. Compared with DVBW and CLBA, CEBW attains higher VSR. Compared with GDOA, the two methods show similar performance, and both achieve the high verification success rates in most experimental settings. Meanwhile, the CAD of CEBW fluctuates only slightly in most cases. This suggests that CEBW maintains strong verification capability while causing a relatively limited impact on normal model performance.

5.3. Clean-Sample Prediction Analysis of the Expansion-Class Isolation Effect

To verify whether the class-expansion mechanism effectively isolates watermark-related behavior from the normal classification task, this subsection analyzes the prediction distributions of the watermarked GCN model on clean test sets from multiple datasets.

Table 6. Prediction results of the watermarked GCN model on Cora clean test set.

True\Pred	0	1	2	3	4	5	6	${\mathit{y}}_{\mathit{w}}$
Class 0	95	4	2	9	9	2	9	0
Class 1	3	77	5	4	0	1	1	0
Class 2	2	10	124	7	0	1	0	0
Class 3	15	6	5	257	28	4	4	0
Class 4	7	1	0	10	128	2	1	0
Class 5	10	2	4	2	0	78	7	0
Class 6	6	2	0	1	0	2	53	0
Total	138	102	140	290	165	90	75	0
Percent (%)	13.8	10.2	14.0	29.0	16.5	9.0	7.5	0

,

Table 7. Prediction results of the watermarked GCN model on CiteSeer clean test set.

True\Pred	0	1	2	3	4	5	${\mathit{y}}_{\mathit{w}}$
Class 0	34	13	6	5	9	10	0
Class 1	28	112	16	4	9	13	0
Class 2	4	27	128	12	3	7	0
Class 3	18	15	18	162	9	9	0
Class 4	4	5	2	2	143	13	0
Class 5	9	2	10	8	4	127	0
Total	97	174	180	193	177	179	0
Percent (%)	9.7	17.4	18.0	19.3	17.7	17.9	0

,

Table 8. Prediction results of the watermarked GCN model on AIDS clean test set.

True\Pred	0	1	${\mathit{y}}_{\mathit{w}}$
Class 0	153	53	0
Class 1	16	770	0
Total	169	823	0
Percent (%)	17.03	82.96	0

and

Table 9. Prediction results of the watermarked GCN model on IMDB-MULTI clean test set.

True\Pred	0	1	2	${\mathit{y}}_{\mathit{w}}$
Class 0	99	71	72	0
Class 1	60	142	46	0
Class 2	61	65	134	0
Total	220	278	252	0
Percent (%)	29.3	37.1	33.6	0

show the prediction distributions of the watermarked model on clean test samples. It can be observed that, across both node classification and graph classification datasets, none of the clean samples are assigned to the newly introduced expansion-class $y_w$. This result indicates that the expansion-class is not activated by clean samples. Consequently, clean inputs are not misclassified into the special category used for infringement verification.

Furthermore, prediction errors on clean samples occur only among the original classes. Specifically, whether on node classification datasets such as Cora and CiteSeer or on graph classification datasets such as AIDS and IMDB-MULTI, the outputs of the watermarked model on clean inputs always remain within the original task label space. Even when misclassification occurs, no clean sample is assigned to the expansion-class $y_w$. This suggests that the learned mapping from “watermark pattern → expansion-class $y_w$” has a clear triggering condition: it is activated only when the input contains the designated watermark pattern, rather than generalizing to ordinary clean samples.

5.4. Analysis of Watermark Design Factors

5.4.1. Poisoning Rate

The poisoning rate determines how frequently the watermark pattern appears in the training data. This subsection analyzes the effect of the poisoning rate on verification performance in both node and graph classification settings. In the graph classification task, each $t_g$ is randomly sampled from the range $[1,2]$.

As shown in Figure 3 and Figure 4, the poisoning rate has a clear influence on the verification performance of CEBW. In both node classification and graph classification settings, VSR generally increases as the poisoning rate rises, while CAD mostly remains within a small fluctuation range. This indicates that increasing the proportion of watermarked samples in the training set strengthens the model’s learning of the mapping from “watermark patterns → expansion-class $y_w$,” thereby improving the success rate of infringement verification. Meanwhile, because the class-expansion mechanism isolates watermark behavior from the original task, increasing the poisoning rate does not obviously degrade the model’s normal task performance in most settings.

A notable exception occurs on PubMed when ${\rho }_n=1\%$, where the VSR drops to 0. This is mainly because the PubMed training set is relatively small. Consequently, an extremely low poisoning rate results in almost no poisoned nodes being included in training, so the watermark signal is too weak to be learned effectively.

It should be noted that, in some graph classification settings, a higher poisoning rate may also lead to a slight increase in CAD. This suggests that the choice of the poisoning rate still requires a trade-off between the verification success rate and normal task performance.

5.4.2. Selection of Injection Node

The choice of injection nodes affects how watermark patterns propagate through the graph. Based on the GCN model, this subsection analyzes the impact of different injection node strategies on verification performance in both node and graph classification tasks. In the graph classification task, each $t_g$ is randomly sampled from the range $[1,2]$.

Three node injection strategies were considered in this study: random selection, highest-degree node, and lowest-degree node.

Table 10. Impact of node selection strategies on verification performance in node classification.

Datasets	Strategies	VSR (%)	CAD (%)
Cora	Highest-degree	100.0	−0.4
	Lowest-degree	99.3	−0.3
	Random	99.8	−0.7
CiteSeer	Highest-degree	100.0	1.2
	Lowest-degree	99.2	−0.2
	Random	100.0	0.6
PubMed	Highest-degree	87.8	0.5
	Lowest-degree	68.8	−0.4
	Random	84.8	−0.9

and

Table 11. Impact of node selection strategies on verification performance in graph classification.

Datasets	Strategies	VSR (%)	CAD (%)
AIDS	Highest-degree	92.0	−0.3
	Lowest-degree	100.0	−0.2
	Random	100.0	−0.3
IMDB-MULTI	Highest-degree	82.0	1.1
	Lowest-degree	86.1	0.8
	Random	88.7	1.5
ENZYMES	Highest-degree	94.6	2.7
	Lowest-degree	99.0	4.7
	Random	95.7	1.3

show that randomly selecting nodes and choosing highest-degree nodes generally achieve higher VSR. In contrast, fixing the watermark on lowest-degree nodes often leads to relatively poorer verification performance. Meanwhile, CAD remains broadly stable across different strategies. This indicates that the choice of injection nodes mainly affects verification capability, while its influence on the model’s original task performance is relatively limited.

In the node classification task, PubMed is more sensitive to the injection node strategy: the highest-degree node strategy achieves the highest VSR, followed by random selection, while the lowest-degree node strategy performs the worst. This may be related to the fact that node classification relies on neighborhood message passing, where highest-degree nodes make it easier for trigger features to propagate through the local structure and be learned by the model. By contrast, the differences among strategies on Cora and CiteSeer are relatively small, suggesting that on these datasets, the model can already learn watermark patterns more easily. Thus, the effect of injection node location is comparatively limited.

In the graph classification task, the influence of the injection node selection strategy is also dataset-dependent. As shown in Table 11, the best-performing strategy differs across datasets: random selection achieves the highest VSR on IMDB-MULTI, while the lowest-degree strategy achieves the highest VSR on ENZYMES but with a relatively larger CAD of 4.7%. On AIDS, both the lowest-degree and random strategies reach 100% VSR. Overall, the highest-degree strategy does not consistently provide better verification performance, and both VSR and CAD should be considered when selecting injection nodes.

5.4.3. Selection of Injection Feature Dimensions

The feature dimensions into which the watermark is injected directly affect whether the model can effectively learn watermark patterns during training. Based on the GCN model, this subsection analyzes the impact of different feature dimension injection strategies on verification performance in both node and graph classification tasks. In the graph classification task, each $t_g$ is randomly sampled from the range $[1,2]$. Four injection strategies were selected for this study:

(1)

Start-consecutive dimensions: Select a consecutive block of feature components as the injection positions.

(2)

Random dimensions: Randomly sample feature components.

(3)

High-variance dimensions: Compute the variance of each feature dimension across all nodes, and select the feature dimensions with the highest variances.

(4)

Low-variance dimensions: Compute the variance of each feature dimension across all nodes, and select the feature dimensions with the lowest variances.

Table 12. Impact of watermark injection positions on verification performance in node classification.

Datasets	Strategies	VSR (%)	CAD (%)
Cora	Start-consecutive	99.8	−0.7
	Random	99.9	−0.4
	High-variance	100.0	0.2
	Low-variance	100.0	0.3
CiteSeer	Start-consecutive	100.0	0.6
	Random	100.0	1.1
	High-variance	100.0	−0.4
	Low-variance	100.0	−0.5
PubMed	Start-consecutive	84.8	−0.9
	Random	64.4	−0.5
	High-variance	86.1	−0.4
	Low-variance	80.1	0.0

shows that the effect of feature dimension injection positions in node classification tasks varies clearly across datasets. On Cora and CiteSeer, the VSR under different injection strategies is close to 100%. In contrast, PubMed is more sensitive to the choice of injection dimensions. On this dataset, the high-variance and consecutive dimension strategies perform better, while the VSR of random injection drops noticeably. This may be because the importance of different feature dimensions is more uneven in PubMed. Injecting the watermark into more important dimensions makes it easier for the model to learn an effective trigger pattern. By contrast, random injection may select dimensions with lower contribution, thereby weakening the model’s ability to learn watermark patterns.

Table 13. Impact of watermark injection positions on verification performance in graph classification.

Datasets	Strategies	VSR (%)	CAD (%)
AIDS	Start-consecutive	98.8	−0.3
	Random	100.0	0.4
	High-variance	93.6	−0.1
	Low-variance	100.0	−0.2
IMDB-MULTI	Start-consecutive	93.9	0.3
	Random	94.3	0.1
	High-variance	0.1	0.4
	Low-variance	91.1	1.2
ENZYMES	Start-consecutive	99.7	2.7
	Random	29.8	1.3
	High-variance	0.0	4.7
	Low-variance	31.4	1.3

shows that graph classification tasks are more sensitive to feature dimension injection positions. On AIDS, the VSR remains high under all strategies. However, on IMDB-MULTI and ENZYMES, the differences among strategies become much larger. In particular, the high-variance strategy performs poorly, while the consecutive dimension strategy is more stable overall. This may be because graph classification relies on graph-level representation aggregation. If trigger features are injected into overly scattered positions, the trigger signal is more likely to be weakened during aggregation. By contrast, fixed contiguous dimensions concentrate the watermark into a continuous feature region. This makes it easier for the model to learn watermark patterns and thus improves verification performance.

5.4.4. Selection of Threshold $\delta$

The choice of threshold affects the final infringement verification decision. Based on the VSR results in Table 4 and Table 5, this subsection analyzes how the verification decisions change under different thresholds. Specifically, we examine how many dataset–model combinations can be regarded as “trained on the watermarked dataset $D_w$” under different thresholds, including $\delta =70\%,80\%,90\%,\mathrm{and}95\%$.

As shown in

Table 14. Impact of decision threshold $\delta$ on verification decisions.

Threshold $\mathit{\delta }$	Node Classification	Graph Classification
$70\%$	9/9	9/9
$80\%$	9/9	9/9
$90\%$	8/9	9/9
$95\%$	7/9	6/9

Note: Each entry is in the form $a/b$, where a denotes the number of dataset–model combinations regarded as trained on $D_w$, and b denotes the total number of combinations.

, when $\delta =70\%$ and $\delta =80\%$, all experimental settings in both node classification and graph classification tasks pass the verification criterion. When $\delta =90\%$, the PubMed-GCN combination fails to pass the verification criterion. When $\delta =95\%$, the number of failed dataset–model combinations further increases.

A lower threshold makes the decision criterion more relaxed. For example, when $\delta =70\%$, a model only needs to predict the expansion-class for $70\%$ of the watermarked samples to pass the verification, so some cases with relatively weak watermark responses may also be accepted. In contrast, a higher threshold makes the decision criterion stricter. When $\delta =90\%$ or higher, some dataset–model combinations with relatively clear watermark responses may fail to pass the verification. For example, the VSRs of some dataset–model combinations fall between $80\%$ and $90\%$, indicating that the model produces the expected response for most watermarked samples. However, because these VSRs do not reach the higher threshold, they are still classified as failures.

Therefore, this paper adopts $\delta =80\%$ as the default decision threshold. Compared with $\delta =70\%$, this threshold provides a stricter decision criterion. Compared with $\delta =90\%$ or $\delta =95\%$, it is not overly stringent and can avoid judging some experimental settings with clear watermark responses as failed cases.

5.5. Robustness of CEBW

5.5.1. Data-Cleansing Defense in Node Classification

The externally injected watermark patterns may reduce node similarity, which enables an adversary to remove the watermark using similarity-based defense methods [28]. To evaluate the robustness of CEBW against this data-cleansing defense, we perform low-similarity edge-pruning defense on three poisoned datasets in the node classification task, then retrain the models on the pruned graphs to observe whether the watermark remains effective.

Table 15. Impact of edge-pruning defense on verification performance in node classification.

Models	Thresholds	VSR (%)|CAD (%)
		Cora	CiteSeer	PubMed
GCN	0.1	100.0|−0.2	98.3|0.2	82.7|−0.9
	0.5	99.9|−0.2	100.0|0.9	82.6|0.6
	No Defense	99.8|−0.7	100|0.6	84.8|−0.9
GAT	0.1	90.4|0.9	100.0|3.0	84.3|−1.7
	0.5	93.6|0.8	100.0|6.1	84.5|2.6
	No Defense	92.4|2.9	100.0|−4.9	99.7|−1.7
GraphSAGE	0.1	99.2|−0.4	100.0|−1.6	98.1|−1.7
	0.5	85.9|−0.9	100.0|1.4	100.0|1.3
	No Defense	100.0|3.2	100.0|−3.7	98.5|−0.1

shows that, under both similarity thresholds, CEBW maintains relatively high VSR in most model and dataset settings. This indicates that low-similarity edge pruning does not substantially weaken its watermark verification capability in most cases. Overall, the results of GCN and GAT change only slightly before and after defense. Although GraphSAGE shows some decline in a few settings, its VSR remains relatively high overall. These results suggest that this defense method is not very effective at disrupting the watermark pattern injected by CEBW.

A possible reason is that conventional methods usually map poisoned nodes to an existing normal class, which damages their local homophily with neighboring nodes and makes them more likely to be detected by low-similarity edge pruning. In contrast, CEBW introduces an expansion-class $y_w$ that does not exist in the original task, so watermark nodes do not need to imitate any existing class. Therefore, even if some low-similarity edges are pruned, the model can still retain the mapping from “watermark patterns → class $y_w$” relatively well. This may help explain why CEBW still maintains high VSR in Table 15.

5.5.2. Data-Cleansing Defense in Graph Classification

To evaluate CEBW’s robustness in the graph classification task, we consider three data-cleansing defenses: low-similarity edge pruning (with the threshold set to 0.5) [28], adversarial training [57], and outlier detection [58]. Adversarial training adds Gaussian noise to the training set to disrupt watermark patterns while improving the model’s ability to resist interference. The outlier detection method assumes that poisoned samples have different feature distributions from clean samples. This method quantifies each sample’s deviation from normal patterns with multiple algorithms and removes those found to be anomalous.

The defense results for the graph classification task are shown in

Table 16. Impact of data-cleansing defense in graph classification.

Models	Defenses	VSR (%)|CAD (%)
		AIDS	IMDB-MULTI	ENZYMES
GCN	Pruning	100.0|−0.8	93.2|−0.3	99.7|1.3
	Noise	100.0|0.1	92.5|0.8	99.3|3.7
	Outlier	100.0|0.3	95.3|−0.7	99.7|3.7
	No Defense	98.8|−0.3	93.9|0.3	99.7|2.7
GAT	Pruning	100.0|0.1	99.7|−3.3	99.0|−2.3
	Noise	100.0|−3.3	98.1|7.5	100.0|1.0
	Outlier	100.0|−4.7	99.3|−1.2	100.0|−1.3
	No Defense	99.3|−4.1	99.8|−1.3	100.0|−2.3
GraphSAGE	Pruning	100.0|0.0	90.7|−0.5	75.9|1.6
	Noise	100.0|0.0	92.3|−0.4	89.3|3.7
	Outlier	100.0|0.0	89.5|3.2	99|2.0
	No Defense	94.2|0.0	91.1|0	96|3.4

. Overall, the three defense methods do not significantly weaken the verification capability of CEBW in most model and dataset settings, and the VSR after defense remains at a relatively high level. The results of GCN and GAT change only slightly before and after defense, while GraphSAGE shows some decline in a few settings but still maintains a relatively high VSR overall. These results indicate that edge pruning, adversarial training, and outlier detection do not substantially weaken CEBW’s watermark for graph classification in most settings.

A possible reason is that, in graph classification, CEBW learns a stable mapping from “the graph-level watermark pattern → expansion-class $y_w$”. This watermark pattern is jointly formed by the injected trigger features and the refined local connectivity among selected trigger nodes. Edge pruning mainly weakens local low-similarity structures, adversarial training mainly introduces random perturbations to node features, and outlier detection focuses on filtering abnormal samples. However, these defenses usually have limited ability to consistently disrupt both the injected trigger features and the refined local connectivity among multiple trigger nodes. Therefore, CEBW can still maintain relatively high verification performance against these three types of data-cleansing defenses in the graph classification task.

5.5.3. Fine-Tuning

This subsection investigates the robustness of CEBW against fine-tuning [59]. Fine-tuning is a model-cleaning defense method. It continues training a poisoned model on clean data, so that the poisoned model gradually forgets the previously learned trigger pattern, thereby weakening the backdoor attack effect. In our experiments, the fine-tuning analysis is conducted based on the GCN model, and the fine-tuning learning rate is set to 0.001.

Table 17. Impact of fine-tuning on verification performance in node classification.

Datasets	Epochs	VSR (%)	CAD (%)
Cora	10	99.9	0.5
	20	96.9	−0.7
	30	85.4	−0.3
CiteSeer	10	99.8	−0.3
	20	28.4	1.0
	30	0.0	0.5
PubMed	10	83.2	2.1
	20	76.6	−0.8
	30	71.7	0.4

and

Table 18. Impact of fine-tuning on verification performance in graph classification.

Datasets	Epochs	VSR (%)	CAD (%)
AIDS	10	28.4	0.0
	20	0.4	−0.5
	30	0.1	−0.5
IMDB-MULTI	10	55.7	−0.4
	20	30.5	−0.5
	30	30.1	−0.5
ENZYMES	10	99.7	0.3
	20	98.3	−2.3
	30	75.9	3.7

show that, as the number of fine-tuning epochs increases, the VSR in both node classification and graph classification tasks decreases, and the CAD remains within a relatively small fluctuation range in most settings. In particular, on the AIDS dataset, when the number of fine-tuning epochs increases to 30, the VSR is close to 0. This indicates that fine-tuning can substantially weaken or even eliminate the verification capability of CEBW while largely preserving the original task performance.

These results show that CEBW is sensitive to fine-tuning and has limited robustness against model-cleaning defenses. We speculate that this is mainly because CEBW introduces an additional expansion-class $y_w$ as the target class, while the clean training set used for fine-tuning does not contain any samples from $y_w$. As training on clean data continues, the model gradually forgets the mapping from “watermark patterns → expansion-class,” and finally can no longer classify watermarked samples as $y_w$.

To further analyze how to mitigate the effect of fine-tuning on CEBW’s verification effectiveness, we conduct supplementary experiments on the AIDS dataset by adjusting several key parameters of the feature trigger, including the poisoning rate ${\rho }_g$, the number of trigger nodes $n_g$, and the trigger feature value $t_g$.

Table 19. Impact of feature trigger configurations on verification performance under fine-tuning defense.

${\mathit{\rho }}_{\mathit{g}}(\%)$	${\mathit{n}}_{\mathit{g}}$	${\mathit{k}}_{\mathit{g}}$	${\mathit{t}}_{\mathit{g}}$ Range	Epochs	VSR (%)	CAD (%)
1%	2	2	$[2,3]$	10	28.4	0.0
				20	0.4	−0.5
				30	0.1	−0.5
20%	2	2	$[2,3]$	10	0.0	0.2
				20	0.0	−0.3
				30	0.0	0.0
40%	2	2	$[2,3]$	10	86.6	0.1
				20	41.9	−0.7
				30	38.1	−0.7
1%	4	2	$[2,3]$	10	56.0	0.3
				20	0.0	0.0
				30	0.0	−0.2
1%	2	2	$[\mathbf{11},\mathbf{12}]$	10	96.3	0.2
				20	1.7	0.0
				30	1.4	−0.2
20%	4	2	$[2,3]$	10	89.2	−0.3
				20	5.5	−0.5
				30	4.4	−0.6
20%	4	2	$[\mathbf{5},\mathbf{6}]$	10	100.0	−0.8
				20	86.9	−0.6
				30	78.4	−0.5

reports the corresponding VSR and CAD under different feature trigger configurations after 10, 20, and 30 epochs of fine-tuning.

The original configuration, i.e., ${\rho }_g=1\%$, $n_g=2$, $k_g=2$, and $t_g$ is randomly sampled from the range $[2,3]$, quickly becomes ineffective after fine-tuning, with the VSR dropping to only $0.1\%$ after 30 epochs. When the other parameters remain unchanged, increasing the poisoning rate alone can partially alleviate this issue, but the effect is still limited. For example, when ${\rho }_g$ is increased to $40\%$, the VSR after 30 epochs increases to $38.1\%$, but it still does not reach the verification threshold adopted in this paper. Similarly, increasing the trigger feature value alone cannot stably resist fine-tuning. Even when each $t_g$ is randomly sampled from the range $[11,12]$, the VSR reaches $96.3\%$ after 10 epochs but still drops to $1.4\%$ after 30 epochs. This indicates that enhancing only a single parameter is insufficient to stably preserve the watermark response under continuous fine-tuning.

In contrast, when the poisoning rate is increased together with a stronger trigger configuration, the VSR after fine-tuning can be significantly improved. For example, when ${\rho }_g=40\%$, $n_g=4$, $k_g=2$, and $t_g$ is randomly sampled from the range $[2,3]$, the VSR remains at $78.6\%$ after 30 epochs. When each $t_g$ is further sampled from the range $[5,6]$, the VSR still remains at $100\%$ after 30 epochs. Meanwhile, the CAD values under these configurations remain relatively small, indicating that increasing the watermark injection strength does not significantly degrade the clean-task performance. These results show that adjusting a single parameter has limited effectiveness on mitigating fine-tuning, whereas jointly increasing the poisoning rate, the number of trigger nodes, and the trigger feature values can help the model learn the mapping between watermark patterns and the expansion-class more effectively, thereby partially mitigating the weakening effect of fine-tuning on the watermark response.

It should be noted that the above mitigation effect relies on a higher watermark injection strength. Therefore, it is still necessary to balance resistance to fine-tuning, clean-task performance, and watermark stealthiness.

6. Discussion

The experimental results demonstrate that the proposed CEBW scheme provides an effective approach to graph dataset infringement verification in open-source settings. Unlike conventional backdoor watermarking methods, which associate trigger patterns with existing normal classes, CEBW introduces a dedicated expansion-class for verification. This design changes the role of watermark samples from misleading normal samples to samples belonging to an isolated verification class. As a result, the model can learn watermark-related patterns while keeping interference with the original task limited.

This mechanism explains the overall experimental trends observed in both node classification and graph classification tasks. As shown in Table 4 and Table 5, CEBW generally achieves high VSR while keeping CAD within a relatively small range in most settings. In the node classification task, CEBW outperforms CGBA and CGBA-R in most cases and also shows competitive performance against UGBA. In the graph classification task, CEBW clearly outperforms DVBW and CLBA, and achieves performance comparable to GDOA on most datasets. These results indicate that the proposed class-expansion design can provide strong verification capability while causing limited degradation to the original task performance.

The clean-sample prediction analysis further clarifies the isolation effect of the expansion-class mechanism. As shown in Table 6, Table 7, Table 8 and Table 9, none of the clean samples are assigned to the expansion-class across both node classification and graph classification datasets. This means that the learned mapping from the designated watermark pattern to the expansion-class is activated only when the watermark pattern is present, rather than generalizing to ordinary clean inputs. Therefore, the class-expansion design effectively separates watermark-triggered behavior from the original task label space, which is also the important reason why CEBW can reduce the direct risk that legitimate inputs are redirected to a normal class by watermark-induced behavior.

The parameter analysis further shows that the effectiveness of CEBW depends on the watermark design and verification configuration. Increasing the poisoning rate generally improves VSR, which suggests that more watermark samples help the model learn the mapping from the watermark pattern to the expansion-class more reliably. At the same time, CAD remains relatively stable in most cases, indicating that the class-expansion mechanism can preserve normal task performance under appropriate parameter settings. In addition, the selection of injection nodes and feature dimensions also influences verification performance, but the best strategy is dataset-dependent rather than fixed. The threshold analysis also shows that $\delta =80\%$ provides a practical empirical trade-off: a lower threshold may make the verification criterion too relaxed, whereas a higher threshold may reject some settings that already show clear watermark responses. These observations suggest that CEBW is effective, but its performance still depends on the configuration of watermark injection and verification threshold.

The defense results reveal that the robustness of CEBW depends on the type of defense. Under data-cleansing defenses such as low-similarity edge pruning, adversarial training, and outlier detection, CEBW generally maintains relatively high VSR in most settings. This suggests that the watermark pattern learned by CEBW is not easily removed by data-level sanitization alone. In contrast, fine-tuning shows a more significant weakening effect. As the number of fine-tuning epochs increases, VSR decreases substantially in both node classification and graph classification tasks, and on some datasets such as AIDS, it approaches zero under the original configuration. This indicates that the current CEBW design is more resistant to data-cleansing defenses than to model-cleaning defenses. The supplementary fine-tuning analysis further shows that this vulnerability can be partially mitigated by increasing the watermark injection strength, such as jointly increasing the poisoning rate, the number of trigger nodes, and the trigger feature strength. However, such mitigation also requires a trade-off among resistance to fine-tuning, clean-task performance, and watermark stealthiness.

Overall, these results show that CEBW provides a practical approach to graph dataset infringement verification for open-source data sharing. Its main advantage lies in combining strong verification performance with reduced direct security risk to legitimate users through the class-expansion mechanism. At the same time, the current method still has limitations in expanded label space usability and in robustness against model-cleaning defenses such as fine-tuning, although the supplementary analysis suggests that stronger watermark injection configurations can provide a preliminary mitigation direction. These issues point to important directions for future improvement.

7. Conclusions

In this paper, we propose CEBW, a graph dataset infringement verification method based on a class-expansion mechanism. By assigning watermarked samples to a dedicated expansion-class $y_w$ that does not exist in the original dataset, the proposed method separates watermark learning from the original task and reduces the direct security risks caused by conventional backdoor watermarking in open-source settings.

Extensive experiments in both node classification and graph classification settings demonstrate that CEBW achieves effective infringement verification while largely preserving normal model utility. The results further show that the proposed method reduces the direct security risk to legitimate users relative to conventional methods and remains effective under several data-cleansing defenses. For model-cleaning defenses such as fine-tuning, the original configuration is still vulnerable, but the supplementary analysis shows that increasing the watermark injection strength can partially mitigate this weakness with limited impact on clean-task performance.

Overall, this study provides a practical technical solution for black-box graph dataset infringement verification in open-source data-sharing scenarios. Nevertheless, the practical impact of the expanded label space still requires further investigation. In addition, the trade-off among resistance to fine-tuning, clean-task performance, and watermark stealthiness also needs to be further studied. Future work will focus on further improving the robustness and stealth of the watermark in more complex real-world environments, while extending CEBW to larger-scale and heterogeneous graph settings.