Shuo Shao,Wei Yang,Hanlin Gu,Jian Lou,Qimin Zhan,Fan Li,Qiang Yang,Kui Ren

DOI: https://doi.org/10.48550/arxiv.2211.07160

2022-01-01

Abstract:Federated learning (FL) is a distributed machine learning paradigm allowing multiple clients to collaboratively train a global model without sharing their local data. However, FL entails exposing the model to various participants. This poses a risk of unauthorized model distribution or resale by the malicious client, compromising the intellectual property rights of the FL group. To deter such misbehavior, it is essential to establish a mechanism for verifying the ownership of the model and as well tracing its origin to the leaker among the FL participants. In this paper, we present FedTracker, the first FL model protection framework that provides both ownership verification and traceability. FedTracker adopts a bi-level protection scheme consisting of global watermark mechanism and local fingerprint mechanism. The former authenticates the ownership of the global model, while the latter identifies which client the model is derived from. FedTracker leverages Continual Learning (CL) principles to embedding the watermark in a way that preserves the utility of the FL model on both primitive task and watermark task. FedTracker also devises a novel metric to better discriminate different fingerprints. Experimental results show FedTracker is effective in ownership verification, traceability, and maintains good fidelity and robustness against various watermark removal attacks.

Lan Zhang,Chen Tang,Huiqi Liu,Haikuo Yu,Xirong Zhuang,Qi Zhao,Lei Wang,Wenjing Fang,Xiang-Yang Li

DOI: https://doi.org/10.1109/icdcs60910.2024.00081

2024-01-01

Abstract:Machine learning models are increasingly recognized as valuable intellectual property (IP), prompting the development of a range of watermarking techniques aimed at safeguarding the IP of these models. However, in the context of federated learning (FL) models involving multiple owners, such as the participants in FL model training, conventional techniques designed for single-owner models prove ineffective due to limitations in their capacity and robustness. Few work has explored how to effectively embed watermarks to FL models for multiple-owners, which is non-trivial, especially when the number of owners is large. To fill this gap, we first analyze the capacity of existing watermarking methods. Second, we propose FedMark, a general large-capacity watermarking mechanism for FL, which leverages the Bloom Filter to achieve conflict-free watermarking of a large number of participants. Moreover, we propose a secret-sharing-based verification method to improve the watermarking robustness against false positives caused by Bloom Filter. Finally, comprehensive experiments show that our design can support over 150 participants to embed watermarks while the model accuracy varies within 1 %, and is robust to non-independent identical distributed data, different participant selection rates, model modifications, permutation attacks, scaling attacks and forging attacks.

Jinyin Chen,Mingjun Li,Mingjun Li,Haibin Zheng

2023-03-18

Abstract:Federated learning (FL), an effective distributed machine learning framework, implements model training and meanwhile protects local data privacy. It has been applied to a broad variety of practice areas due to its great performance and appreciable profits. Who owns the model, and how to protect the copyright has become a real problem. Intuitively, the existing property rights protection methods in centralized scenarios (e.g., watermark embedding and model fingerprints) are possible solutions for FL. But they are still challenged by the distributed nature of FL in aspects of the no data sharing, parameter aggregation, and federated training settings. For the first time, we formalize the problem of copyright protection for FL, and propose FedRight to protect model copyright based on model fingerprints, i.e., extracting model features by generating adversarial examples as model fingerprints. FedRight outperforms previous works in four key aspects: (i) Validity: it extracts model features to generate transferable fingerprints to train a detector to verify the copyright of the model. (ii) Fidelity: it is with imperceptible impact on the federated training, thus promising good main task performance. (iii) Robustness: it is empirically robust against malicious attacks on copyright protection, i.e., fine-tuning, model pruning, and adaptive attacks. (iv) Black-box: it is valid in the black-box forensic scenario where only application programming interface calls to the model are available. Extensive evaluations across 3 datasets and 9 model structures demonstrate FedRight's superior fidelity, validity, and robustness.

Cryptography and Security,Artificial Intelligence

Sujie Shao,Yue Wang,Chao Yang,Yan Liu,Xingyu Chen,Feng Qi

DOI: https://doi.org/10.1038/s41598-024-70025-1

2024-08-21

Abstract:Federated learning (FL) enables users to train the global model cooperatively without exposing their private data across the engaged parties, which is widely used in privacy-sensitive business. However, during the life cycle of FL models, both adversaries' attacks and ownership generalization threaten the FL models' copyright and affect the models' reliability. To address these problems, existing model watermarking techniques can be used to verify FL model's ownership. However, due to the lack of credible binding from "model extracted watermarks" to "ownership verification", it is difficult to form a closed-loop watermarking framework for copyright protection. Therefore, starting from the shortcomings of the current watermark verification scheme, this article proposed WFB, a blockchain-empowered watermarking framework for ownership verification of federated models. Firstly, we propose a improved watermark generation algorithm to solve the credibility issue of watermarks. Secondly, we propose a watermark embedding method in federated learning, while blockchain technology is used to ensure the credible storage of watermark information throughout the process. Thirdly, the credibility of ownership verification is improved because of the watermark authenticity. Experimental results demonstrate the fidelity, effectiveness and robustness of WFB, with other superiorities such as improving process security and traceability.

Xiyao Liu,Shuo Shao,Yue Yang,Kangming Wu,Wenyuan Yang,Hui Fang

DOI: https://doi.org/10.1109/smc52423.2021.9658998

2021-01-01

Abstract:Federated learning (FL) has become an emerging distributed framework to build deep learning models with collaborative efforts from multiple participants. Consequently, copyright protection of FL deep model is urgently required because too many participants have access to the joint-trained model. Recently, Secure FL framework is developed to address data leakage issue when central node is not fully trustable. This encryption process has made existing DL model watermarking schemes impossible to embed watermark at the central node. In this paper, we propose a novel client-side Federated Learning watermarking method to tackle the model verification issue under the Secure FL framework. In specific, we design a backdoor-based watermarking scheme to allow model owners to embed their pre-designed noise patterns into the FL deep model. Thus, our method provides reliable copyright protection while ensuring the data privacy because the central node has no access to the encrypted gradient information. The experimental results have demonstrated the efficiency of our method in terms of both FL model performance and watermarking robustness.

Hewang Nie,Songfeng Lu

DOI: https://doi.org/10.1016/j.eswa.2024.123776

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:Federated Learning is a collaborative machine learning paradigm that allows training models on decentralized data while preserving data privacy. It has gained significant attention due to its potential applications in various domains. However, the issue of protecting model copyright in the Federated Learning setting has become a critical concern. In this paper, we propose a novel watermarking framework called FedCRMW (Federal Learning Compression-Resistance Model Watermark) to address the challenge of model copyright protection in Federated Learning. FedCRMW embeds unique watermarks into client-contributed models, ensuring ownership, integrity, and authenticity. The framework leverages client-specific identifiers and exclusive logos to construct trigger sets for watermark embedding, enhancing security and traceability. One of the key advantages of FedCRMW is its optimization for the common data compression challenge in the Federated Learning scenario. By utilizing compressed data inputs for copyright verification, we achieve an efficient watermark validation process and reduce communication and storage overheads. Experimental results demonstrate the effectiveness of FedCRMW in terms of watermark success rate, imperceptibility, robustness against attacks, and resistance to model compression and pruning. Compared to existing watermarking methods, FedCRMW exhibits superior performance in the Federated Learning context.

Hewang Nie,Songfeng Lu

DOI: https://doi.org/10.1016/j.knosys.2024.111675

IF: 8.139

2024-01-01

Knowledge-Based Systems

Abstract:Federated learning, known for its emphasis on privacy and resource efficiency, has emerged as a transformative paradigm in the fields of artificial intelligence and industrial machine learning. However, with the advancement and widespread adoption of this technology, the concern of model theft in federated learning models becomes increasingly prominent. While current endeavors concentrate on protecting individual deep learning models, limited attention has been dedicated to those involved in federated learning, especially within decentralized environments. To fill this void, we introduce PersistVerify, an innovative approach for verifying model copyright within the federated learning framework. PersistVerify integrates boundary sample selection and spatial attention mechanisms, enhancing the robustness and confidentiality of neural network backdoor watermarks to ensure secure verification of model ownership. PersistVerify constructs a confidential and robust watermark dataset through three sequential steps: latent representation extraction, boundary sample selection, and spatial attention-based trigger embedding. Our research addresses the pervasive challenge of reliable model ownership verification in federated learning, demonstrating the efficacy of PersistVerify. This study provides valuable insights and methodologies to maintain the confidentiality and reliability of neural network backdoor watermarks in the domains of artificial intelligence and federated learning.

Bowen Li,Lixin Fan,Hanlin Gu,Jie Li,Qiang Yang

DOI: https://doi.org/10.1109/tpami.2022.3195956

IF: 23.6

2023-03-11

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Federated learning models are collaboratively developed upon valuable training data owned by multiple parties. During the development and deployment of federated models, they are exposed to risks including illegal copying, re-distribution, misuse and/or free-riding. To address these risks, the ownership verification of federated learning models is a prerequisite that protects federated learning model intellectual property rights (IPR) i.e., FedIPR. We propose a novel federated deep neural network (FedDNN) ownership verification scheme that allows private watermarks to be embedded and verified to claim legitimate IPR of FedDNN models. In the proposed scheme, each client independently verifies the existence of the model watermarks and claims respective ownership of the federated model without disclosing neither private training data nor private watermark information. The effectiveness of embedded watermarks is theoretically justified by the rigorous analysis of conditions under which watermarks can be privately embedded and detected by multiple clients. Moreover, extensive experimental results on computer vision and natural language processing tasks demonstrate that varying bit-length watermarks can be embedded and reliably detected without compromising original model performances. Our watermarking scheme is also resilient to various federated training settings and robust against removal attacks.

computer science, artificial intelligence,engineering, electrical & electronic

Mohammed Lansari,Reda Bellafqira,Katarzyna Kapusta,Vincent Thouvenot,Olivier Bettan,Gouenou Coatrieux

2023-08-07

Abstract:Federated Learning (FL) is a technique that allows multiple participants to collaboratively train a Deep Neural Network (DNN) without the need of centralizing their data. Among other advantages, it comes with privacy-preserving properties making it attractive for application in sensitive contexts, such as health care or the military. Although the data are not explicitly exchanged, the training procedure requires sharing information about participants' models. This makes the individual models vulnerable to theft or unauthorized distribution by malicious actors. To address the issue of ownership rights protection in the context of Machine Learning (ML), DNN Watermarking methods have been developed during the last five years. Most existing works have focused on watermarking in a centralized manner, but only a few methods have been designed for FL and its unique constraints. In this paper, we provide an overview of recent advancements in Federated Learning watermarking, shedding light on the new challenges and opportunities that arise in this field.

Cryptography and Security,Machine Learning

Yang Xu,Yunlin Tan,Cheng Zhang,Kai Chi,Peng Sun,Wenyuan Yang,Ju Ren,Hongbo Jiang,Yaoxue Zhang

2024-02-29

Abstract:Embedding watermarks into models has been widely used to protect model ownership in federated learning (FL). However, existing methods are inadequate for protecting the ownership of personalized models acquired by clients in personalized FL (PFL). This is due to the aggregation of the global model in PFL, resulting in conflicts over clients' private watermarks. Moreover, malicious clients may tamper with embedded watermarks to facilitate model leakage and evade accountability. This paper presents a robust watermark embedding scheme, named RobWE, to protect the ownership of personalized models in PFL. We first decouple the watermark embedding of personalized models into two parts: head layer embedding and representation layer embedding. The head layer belongs to clients' private part without participating in model aggregation, while the representation layer is the shared part for aggregation. For representation layer embedding, we employ a watermark slice embedding operation, which avoids watermark embedding conflicts. Furthermore, we design a malicious watermark detection scheme enabling the server to verify the correctness of watermarks before aggregating local models. We conduct an exhaustive experimental evaluation of RobWE. The results demonstrate that RobWE significantly outperforms the state-of-the-art watermark embedding schemes in FL in terms of fidelity, reliability, and robustness.

Cryptography and Security,Artificial Intelligence

Shuyang Yu,Junyuan Hong,Yi Zeng,Fei Wang,Ruoxi Jia,Jiayu Zhou

2023-12-06

Abstract:Federated learning (FL) emerges as an effective collaborative learning framework to coordinate data and computation resources from massive and distributed clients in training. Such collaboration results in non-trivial intellectual property (IP) represented by the model parameters that should be protected and shared by the whole party rather than an individual user. Meanwhile, the distributed nature of FL endorses a malicious client the convenience to compromise IP through illegal model leakage to unauthorized third parties. To block such IP leakage, it is essential to make the IP identifiable in the shared model and locate the anonymous infringer who first leaks it. The collective challenges call for \emph{accountable federated learning}, which requires verifiable ownership of the model and is capable of revealing the infringer's identity upon leakage. In this paper, we propose Decodable Unique Watermarking (DUW) for complying with the requirements of accountable FL. Specifically, before a global model is sent to a client in an FL round, DUW encodes a client-unique key into the model by leveraging a backdoor-based watermark injection. To identify the infringer of a leaked model, DUW examines the model and checks if the triggers can be decoded as the corresponding keys. Extensive empirical results show that DUW is highly effective and robust, achieving over $99\%$ watermark success rate for Digits, CIFAR-10, and CIFAR-100 datasets under heterogeneous FL settings, and identifying the IP infringer with $100\%$ accuracy even after common watermark removal attempts.

Cryptography and Security

Yuxin Yang,Qiang Li,Yuan Hong,Binghui Wang

2024-10-23

Abstract:Federated graph learning (FedGL) is an emerging learning paradigm to collaboratively train graph data from various clients. However, during the development and deployment of FedGL models, they are susceptible to illegal copying and model theft. Backdoor-based watermarking is a well-known method for mitigating these attacks, as it offers ownership verification to the model owner. We take the first step to protect the ownership of FedGL models via backdoor-based watermarking. Existing techniques have challenges in achieving the goal: 1) they either cannot be directly applied or yield unsatisfactory performance; 2) they are vulnerable to watermark removal attacks; and 3) they lack of formal guarantees. To address all the challenges, we propose FedGMark, the first certified robust backdoor-based watermarking for FedGL. FedGMark leverages the unique graph structure and client information in FedGL to learn customized and diverse watermarks. It also designs a novel GL architecture that facilitates defending against both the empirical and theoretically worst-case watermark removal attacks. Extensive experiments validate the promising empirical and provable watermarking performance of FedGMark. Source code is available at: <a class="link-external link-https" href="https://github.com/Yuxin104/FedGMark" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security

Wenyuan Yang,Shuo Shao,Yue Yang,Xiyao Liu,Ximeng Liu,Zhihua Xia,Gerald Schaefer,Hui Fang

DOI: https://doi.org/10.1145/3630636

IF: 5

2024-01-01

ACM Transactions on Intelligent Systems and Technology

Abstract:Federated learning (FL) allows multiple participants to collaboratively build deep learning (DL) models without directly sharing data. Consequently, the issue of copyright protection in FL becomes important since unreliable participants may gain access to the jointly trained model. Application of homomorphic encryption (HE) in a secure FL framework prevents the central server from accessing plaintext models. Thus, it is no longer feasible to embed the watermark at the central server using existing watermarking schemes. In this article, we propose a novel client-side FL watermarking scheme to tackle the copyright protection issue in secure FL with HE. To the best of our knowledge, it is the first scheme to embed the watermark to models under a secure FL environment. We design a black-box watermarking scheme based on client-side backdooring to embed a pre-designed trigger set into an FL model by a gradient-enhanced embedding method. Additionally, we propose a trigger set construction mechanism to ensure that the watermark cannot be forged. Experimental results demonstrate that our proposed scheme delivers outstanding protection performance and robustness against various watermark removal attacks and ambiguity attack.

Junchuan Liang,Rong Wang

2023-06-02

Abstract:Federated learning is an emerging privacy-preserving distributed machine learning that enables multiple parties to collaboratively learn a shared model while keeping each party's data private. However, federated learning faces two main problems: semi-honest server privacy inference attacks and malicious client-side model theft. To address privacy inference attacks, parameter-based encrypted federated learning secure aggregation can be used. To address model theft, a watermark-based intellectual property protection scheme can verify model ownership. Although watermark-based intellectual property protection schemes can help verify model ownership, they are not sufficient to address the issue of continuous model theft by uncaught malicious clients in federated learning. Existing IP protection schemes that have the ability to track traitors are also not compatible with federated learning security aggregation. Thus, in this paper, we propose a Federated Client-side Intellectual Property Protection (FedCIP), which is compatible with federated learning security aggregation and has the ability to track traitors. To the best of our knowledge, this is the first IP protection scheme in federated learning that is compatible with secure aggregation and tracking capabilities.

Cryptography and Security

Qiang Yang,Anbu Huang,Lixin Fan,Chee Seng Chan,Jian Han Lim,Kam Woh Ng,Ding Sheng Ong,Bowen Li

DOI: https://doi.org/10.1007/s11633-022-1343-2

2023-01-11

Machine Intelligence Research

Abstract:In the past decades, artificial intelligence (AI) has achieved unprecedented success, where statistical models become the central entity in AI. However, the centralized training and inference paradigm for building and using these models is facing more and more privacy and legal challenges. To bridge the gap between data privacy and the need for data fusion, an emerging AI paradigm federated learning (FL) has emerged as an approach for solving data silos and data privacy problems. Based on secure distributed AI, federated learning emphasizes data security throughout the lifecycle, which includes the following steps: data preprocessing, training, evaluation, and deployments. FL keeps data security by using methods, such as secure multi-party computation (MPC), differential privacy, and hardware solutions, to build and use distributed multiple-party machine-learning systems and statistical models over different data sources. Besides data privacy concerns, we argue that the concept of "model" matters, when developing and deploying federated models, they are easy to expose to various kinds of risks including plagiarism, illegal copy, and misuse. To address these issues, we introduce FedIPR, a novel ownership verification scheme, by embedding watermarks into FL models to verify the ownership of FL models and protect model intellectual property rights (IPR or IP-right for short). While security is at the core of FL, there are still many articles referred to distributed machine learning with no security guarantee as "federated learning", which are not satisfied with the FL definition supposed to be. To this end, in this paper, we reiterate the concept of federated learning and propose secure federated learning (SFL), where the ultimate goal is to build trustworthy and safe AI with strong privacy-preserving and IP-right-preserving. We provide a comprehensive overview of existing works, including threats, attacks, and defenses in each phase of SFL from the lifecycle perspective.

Xicong Shen,Ying Liu,Fu Li,Chunguang Li

DOI: https://doi.org/10.1109/jiot.2023.3288886

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) has attracted widespread attention in the Internet of Things domain recently. With FL, multiple distributed devices can cooperatively train a global model by transmitting model updates without disclosing the original data. However, the distributed nature of FL makes it vulnerable to data poisoning attacks. In practice, malicious clients can launch the label-flipping attack (LFA) by simply tampering with the labels of local data, thus causing the global model to misclassify the samples of a selected class as the target class. Although some defense mechanisms have been proposed, they rely on specific assumptions about data distribution, and their performance degrades significantly when the data on clients are non-IID. Besides, most existing methods require clients to upload model updates in plaintext so that the server can identify and remove the malicious updates. But, direct transmission of model updates may still reveal private information. Considering these issues, we develop a label-flipping-robust and privacy-preserving FL (LFR-PPFL) algorithm, which is applicable to both independent and identically distributed (IID) and non-IID data. We first propose a detection method based on temporal analysis on cosine similarity to distinguish malicious clients from benign clients. Then, we propose a privacy-preserving computation protocol based on homomorphic encryption to implement this detection method and perform federated aggregation while protecting the privacy of clients. Besides, a detailed theoretical analysis is given to demonstrate the privacy guarantee of the proposed protocol. Experimental results on real-world data sets show that the proposed algorithm can effectively defend against LFAs under various data distributions.

Yong Li,Gaochao Xu,Xutao Meng,Wei Du,Xianglin Ren

DOI: https://doi.org/10.3390/e26050353

IF: 2.738

2024-04-24

Entropy

Abstract:In the realm of federated learning (FL), the exchange of model data may inadvertently expose sensitive information of participants, leading to significant privacy concerns. Existing FL privacy-preserving techniques, such as differential privacy (DP) and secure multi-party computing (SMC), though offering viable solutions, face practical challenges including reduced performance and complex implementations. To overcome these hurdles, we propose a novel and pragmatic approach to privacy preservation in FL by employing localized federated updates (LF3PFL) aimed at enhancing the protection of participant data. Furthermore, this research refines the approach by incorporating cross-entropy optimization, carefully fine-tuning measurement, and improving information loss during the model training phase to enhance both model efficacy and data confidentiality. Our approach is theoretically supported and empirically validated through extensive simulations on three public datasets: CIFAR-10, Shakespeare, and MNIST. We evaluate its effectiveness by comparing training accuracy and privacy protection against state-of-the-art techniques. Our experiments, which involve five distinct local models (Simple-CNN, ModerateCNN, Lenet, VGG9, and Resnet18), provide a comprehensive assessment across a variety of scenarios. The results clearly demonstrate that LF3PFL not only maintains competitive training accuracies but also significantly improves privacy preservation, surpassing existing methods in practical applications. This balance between privacy and performance underscores the potential of localized federated updates as a key component in future FL privacy strategies, offering a scalable and effective solution to one of the most pressing challenges in FL.

physics, multidisciplinary

Fang-Qi Li,Shi-Lin Wang,Alan Wee-Chung Liew

DOI: https://doi.org/10.1109/icmew56448.2022.9859395

2022-01-01

Abstract:With the wide application of deep learning models, it is important to verify an author’s possession over a deep neural network model by watermarks and protect the model. The development of distributed learning paradigms such as federated learning raises new challenges for model protection. Each author should be able to conduct independent verification and trace traitors. To meet those requirements, we propose a watermarking protocol, Merkle-Sign to meet the prerequisites for ownership verification in federated learning. Our work paves the way for generalizing watermark as a practical security mechanism for protecting deep learning models in distributed learning platforms.

Yuying Liao,Rong Jiang,Bin Zhou

DOI: https://doi.org/10.3390/electronics13214306

IF: 2.9

2024-11-01

Electronics

Abstract:Heterogeneous federated learning, as an innovative variant of federated learning, aims to break through the constraints of vanilla federated learning on the consistency of model architectures to better accommodate the heterogeneity in mobile computing scenarios. It introduces heterogeneous and personalized local models, which effectively accommodates the heterogeneous data distributions and hardware resource constraints of individual clients, and thus improves computation and communication efficiency. However, it poses a challenge to model ownership protection, as watermarks embedded in the global model are corrupted to varying degrees when they are migrated to a user's heterogeneous model and cannot continue to provide complete ownership protection in the local models. To tackle these issues, we propose a dynamic black-box model watermarking method for heterogeneous federated learning, PWFed. Specifically, we design an innovative dynamic watermark generation method which is based on generative adversarial network technology and is capable of generating watermark samples that are virtually indistinguishable from the original carriers. This approach effectively solves the limitation of the traditional black-box watermarking technique, which only considers static watermarks, and makes the generated watermarks significantly improved in terms of stealthiness and difficult to detect by potential model thieves, thus enhancing the robustness of the watermarks. In addition, we design two watermark embedding strategies with different granularities in the heterogeneous federated learning environment. During the watermark extraction and validation phase, PWFed accesses watermark samples claiming ownership of the model through an API interface and analyzes the differences between their output and the expected labels. Our experimental results show that PWFed achieves a 99.9% watermark verification rate with only a 0.1–4.8% sacrifice of main task accuracy on the CIFAR10 dataset.

engineering, electrical & electronic,computer science, information systems,physics, applied

Shufen Fang,Keke Gai,Jing Yu

DOI: https://doi.org/10.1007/978-981-97-5501-1_32

2024-01-01

Abstract:Federated Learning is a distributed machine learning framework, which is based on the principle of coordinating clients to train models on their private datasets through a centralized server without direct data exchange. It mitigates data privacy risks and improves efficiency, but there is still the risk of model theft, model plagiarism, and unauthorized distribution from adversaries. Watermarking is a well-known paradigm used to prevent these issues. It protects model intellectual property by providing proof of the violation issue's existence. Some recent studies have focused on embedding watermarks on either the client or the server side alone. However, in reality, both the server and clients have ownership of the model. In this paper, we propose a joint client-server watermark embedding framework to protect the intellectual property of both sides. White-box watermark is embedded on the client side and black-box watermark is on the server side. Clients and server can verify their embedded watermarks independently to claim ownership of the model. In addition, we employ continual learning to address the catastrophic forgetting issue. Our experimental results demonstrate that our proposed method can effectively deal with classical watermark removal attacks and is compatible with Differential Privacy.