This work addresses the critical challenge of protecting intellectual property in graph neural networks (GNNs) by reliably detecting model copying under stringent conditions. The proposed CopyCop algorithm is the first to achieve robust identification of GNN replication even when the copied models differ in architecture, weights, and embedding dimensions, and are subjected to adversarial transformations. Built upon embedding similarity analysis and invariance modeling, CopyCop offers theoretical guarantees and strong adversarial robustness. Extensive experiments across 14 datasets and 5 GNN architectures demonstrate that CopyCop consistently attains high detection accuracy, significantly outperforming existing watermarking and fingerprinting approaches while effectively resisting a wide range of embedding transformations and adversarial attacks.

Given two GNNs that output node embeddings, how can we determine if they were trained independently? An adversary could have trained one GNN specifically to mimic the other GNN's embeddings. To obscure this relationship between the GNNs, the adversarial GNN might then transform its output embeddings. The two GNNs could have different architectures, weights, and embedding dimensions, and the adversary can transform the embeddings. Despite these stringent conditions, our algorithm (named CopyCop) can identify such copycat GNNs, unlike existing watermarking and fingerprinting methods. We also provide theoretical guarantees for CopyCop. Finally, experiments on 14 datasets and 5 GNN architectures demonstrate that CopyCop is accurate and robust against a broad class of adversarial attacks and transformations. Code is available at: https://anonymous.4open.science/r/CopyCop-Graph-Ownership-Verification-8143/README.md