🤖 AI Summary
This work addresses query-based model extraction attacks (MEAs) against graph neural networks (GNNs) in Graph-based ML-as-a-Service settings, where an adversary reconstructs a surrogate model by querying the victim. Existing defenses (watermarking, fingerprinting) detect too late, can be evaded, or rely on post-hoc verification. The authors propose ATOM, a real-time, dynamic, evasion-resistant detection framework. It combines sequential modeling with deep reinforcement learning to discriminate adversarial query behavior online, uses k-core embedding to capture the structural evolution of the queried graph, and provides a theoretical analysis that characterizes query behaviors and guides the optimization of the detection strategy. Experiments on multiple real-world graph datasets show that ATOM outperforms state-of-the-art baselines in detection performance and remains stable across time steps, including against dynamically evolving graph-based MEA variants.
📝 Abstract
Graph Neural Networks (GNNs) have gained traction in Graph-based Machine Learning as a Service (GMLaaS) platforms, yet they remain vulnerable to graph-based model extraction attacks (MEAs), in which adversaries reconstruct surrogate models by querying the victim model. Existing defense mechanisms, such as watermarking and fingerprinting, suffer from poor real-time performance, susceptibility to evasion, or reliance on post-attack verification, making them inadequate for the dynamic characteristics of graph-based MEA variants. To address these limitations, we propose ATOM, a novel real-time MEA detection framework tailored to GNNs. ATOM integrates sequential modeling and reinforcement learning to dynamically detect evolving attack patterns, while leveraging $k$-core embedding to capture the structural properties of the queried graph, enhancing detection precision. Furthermore, we provide a theoretical analysis to characterize query behaviors and optimize detection strategies. Extensive experiments on multiple real-world datasets demonstrate that ATOM outperforms existing approaches in detection performance and remains stable across different time steps, thereby offering a more effective defense mechanism for GMLaaS environments.
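The abstract names $k$-core embedding as the structural signal behind ATOM, but does not spell out how a detector turns a stream of queries into such a feature. The following is an added illustration, not the paper's code: it implements standard $k$-core decomposition (Batagelj-Zaversnik peeling) from scratch and, for each prefix of a query sequence, histograms the core numbers of the subgraph induced by the nodes queried so far. The graph, the two query sequences, and the choice of a per-step coreness histogram as the "embedding" are all constructed assumptions made here for the example; ATOM's actual embedding and the sequence model it feeds are described in the paper, not reproduced here.

```python
from collections import defaultdict


def build_adj(edges):
    """Undirected adjacency as {node: set(neighbors)} from an edge list."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return dict(adj)


def core_numbers(adj):
    """k-core decomposition by repeated peeling.

    A node's core number is the largest k such that it belongs to a
    subgraph in which every node has degree >= k. Peeling removes every
    node whose remaining degree is <= k before raising k, so a node is
    assigned the value of k at which it gets peeled.
    """
    degree = {v: len(nbrs) for v, nbrs in adj.items()}
    remaining = set(adj)
    core = {}
    k = 0
    while remaining:
        peel = [v for v in remaining if degree[v] <= k]
        if not peel:
            k += 1  # nothing left at this level; move to the next shell
            continue
        while peel:
            v = peel.pop()
            if v not in remaining:
                continue  # already peeled via another neighbour
            core[v] = k
            remaining.discard(v)
            for u in adj[v]:
                if u in remaining:
                    degree[u] -= 1
                    if degree[u] <= k:
                        peel.append(u)
    return core


def induced_subgraph(adj, nodes):
    """Subgraph of adj restricted to the given node set."""
    nodes = set(nodes)
    return {v: adj[v] & nodes for v in nodes}


def kcore_profile(adj, query_sequence, max_k):
    """Per-time-step coreness histogram of the query-induced subgraph.

    Returns one list per prefix of query_sequence; entry i counts the
    queried nodes whose core number is i (values above max_k are clipped).
    This is the assumed structural feature a sequence model would consume.
    """
    profile = []
    seen = []
    for v in query_sequence:
        seen.append(v)
        core = core_numbers(induced_subgraph(adj, seen))
        hist = [0] * (max_k + 1)
        for c in core.values():
            hist[min(c, max_k)] += 1
        profile.append(hist)
    return profile


# Constructed toy graph: a dense 4-clique (0..3) attached to a sparse path.
EDGES = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3),
         (3, 4), (4, 5), (5, 6), (6, 7), (7, 8), (8, 9),
         (1, 5), (2, 8)]
ADJ = build_adj(EDGES)

# Constructed query sequences: one hammers the dense region, one is spread out.
EXTRACTION_LIKE = [0, 1, 2, 3]
BENIGN_LIKE = [0, 4, 7, 9]


def max_core_per_step(adj, query_sequence, max_k=3):
    """Scalar view of the profile: highest populated core index at each step."""
    return [max(i for i, n in enumerate(h) if n) for h in kcore_profile(adj, query_sequence, max_k)]


if __name__ == "__main__":
    print("extraction-like:", kcore_profile(ADJ, EXTRACTION_LIKE, 3))
    print("benign-like:    ", kcore_profile(ADJ, BENIGN_LIKE, 3))
```

On the constructed graph the extraction-like sequence climbs through core levels 0, 1, 2, 3 as the queried subgraph fills out the clique, while the spread-out sequence stays at core 0 throughout; it is this kind of per-step trajectory, rather than any single query, that an online sequence model can act on.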