Mohammed Lansari,Reda Bellafqira,Katarzyna Kapusta,Vincent Thouvenot,Olivier Bettan,Gouenou Coatrieux

2023-08-07

Abstract:Federated Learning (FL) is a technique that allows multiple participants to collaboratively train a Deep Neural Network (DNN) without the need of centralizing their data. Among other advantages, it comes with privacy-preserving properties making it attractive for application in sensitive contexts, such as health care or the military. Although the data are not explicitly exchanged, the training procedure requires sharing information about participants' models. This makes the individual models vulnerable to theft or unauthorized distribution by malicious actors. To address the issue of ownership rights protection in the context of Machine Learning (ML), DNN Watermarking methods have been developed during the last five years. Most existing works have focused on watermarking in a centralized manner, but only a few methods have been designed for FL and its unique constraints. In this paper, we provide an overview of recent advancements in Federated Learning watermarking, shedding light on the new challenges and opportunities that arise in this field.

Cryptography and Security,Machine Learning

Shuo Shao,Wenyuan Yang,Hanlin Gu,Zhan Qin,Lixin Fan,Qiang Yang,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2024.3390761

2022-01-01

Abstract:Federated learning (FL) is a distributed machine learning paradigm allowingmultiple clients to collaboratively train a global model without sharing theirlocal data. However, FL entails exposing the model to various participants.This poses a risk of unauthorized model distribution or resale by the maliciousclient, compromising the intellectual property rights of the FL group. To detersuch misbehavior, it is essential to establish a mechanism for verifying theownership of the model and as well tracing its origin to the leaker among theFL participants. In this paper, we present FedTracker, the first FL modelprotection framework that provides both ownership verification andtraceability. FedTracker adopts a bi-level protection scheme consisting ofglobal watermark mechanism and local fingerprint mechanism. The formerauthenticates the ownership of the global model, while the latter identifieswhich client the model is derived from. FedTracker leverages Continual Learning(CL) principles to embed the watermark in a way that preserves the utility ofthe FL model on both primitive task and watermark task. FedTracker also devisesa novel metric to better discriminate different fingerprints. Experimentalresults show FedTracker is effective in ownership verification, traceability,and maintains good fidelity and robustness against various watermark removalattacks.

Shuo Shao,Wei Yang,Hanlin Gu,Jian Lou,Qimin Zhan,Fan Li,Qiang Yang,Kui Ren

DOI: https://doi.org/10.48550/arxiv.2211.07160

2022-01-01

Abstract:Federated learning (FL) is a distributed machine learning paradigm allowing multiple clients to collaboratively train a global model without sharing their local data. However, FL entails exposing the model to various participants. This poses a risk of unauthorized model distribution or resale by the malicious client, compromising the intellectual property rights of the FL group. To deter such misbehavior, it is essential to establish a mechanism for verifying the ownership of the model and as well tracing its origin to the leaker among the FL participants. In this paper, we present FedTracker, the first FL model protection framework that provides both ownership verification and traceability. FedTracker adopts a bi-level protection scheme consisting of global watermark mechanism and local fingerprint mechanism. The former authenticates the ownership of the global model, while the latter identifies which client the model is derived from. FedTracker leverages Continual Learning (CL) principles to embedding the watermark in a way that preserves the utility of the FL model on both primitive task and watermark task. FedTracker also devises a novel metric to better discriminate different fingerprints. Experimental results show FedTracker is effective in ownership verification, traceability, and maintains good fidelity and robustness against various watermark removal attacks.

Sujie Shao,Yue Wang,Chao Yang,Yan Liu,Xingyu Chen,Feng Qi

DOI: https://doi.org/10.1038/s41598-024-70025-1

2024-08-21

Abstract:Federated learning (FL) enables users to train the global model cooperatively without exposing their private data across the engaged parties, which is widely used in privacy-sensitive business. However, during the life cycle of FL models, both adversaries' attacks and ownership generalization threaten the FL models' copyright and affect the models' reliability. To address these problems, existing model watermarking techniques can be used to verify FL model's ownership. However, due to the lack of credible binding from "model extracted watermarks" to "ownership verification", it is difficult to form a closed-loop watermarking framework for copyright protection. Therefore, starting from the shortcomings of the current watermark verification scheme, this article proposed WFB, a blockchain-empowered watermarking framework for ownership verification of federated models. Firstly, we propose a improved watermark generation algorithm to solve the credibility issue of watermarks. Secondly, we propose a watermark embedding method in federated learning, while blockchain technology is used to ensure the credible storage of watermark information throughout the process. Thirdly, the credibility of ownership verification is improved because of the watermark authenticity. Experimental results demonstrate the fidelity, effectiveness and robustness of WFB, with other superiorities such as improving process security and traceability.

Hewang Nie,Songfeng Lu

DOI: https://doi.org/10.1016/j.eswa.2024.123776

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:Federated Learning is a collaborative machine learning paradigm that allows training models on decentralized data while preserving data privacy. It has gained significant attention due to its potential applications in various domains. However, the issue of protecting model copyright in the Federated Learning setting has become a critical concern. In this paper, we propose a novel watermarking framework called FedCRMW (Federal Learning Compression-Resistance Model Watermark) to address the challenge of model copyright protection in Federated Learning. FedCRMW embeds unique watermarks into client-contributed models, ensuring ownership, integrity, and authenticity. The framework leverages client-specific identifiers and exclusive logos to construct trigger sets for watermark embedding, enhancing security and traceability. One of the key advantages of FedCRMW is its optimization for the common data compression challenge in the Federated Learning scenario. By utilizing compressed data inputs for copyright verification, we achieve an efficient watermark validation process and reduce communication and storage overheads. Experimental results demonstrate the effectiveness of FedCRMW in terms of watermark success rate, imperceptibility, robustness against attacks, and resistance to model compression and pruning. Compared to existing watermarking methods, FedCRMW exhibits superior performance in the Federated Learning context.

Yuxin Yang,Qiang Li,Yuan Hong,Binghui Wang

2024-10-23

Abstract:Federated graph learning (FedGL) is an emerging learning paradigm to collaboratively train graph data from various clients. However, during the development and deployment of FedGL models, they are susceptible to illegal copying and model theft. Backdoor-based watermarking is a well-known method for mitigating these attacks, as it offers ownership verification to the model owner. We take the first step to protect the ownership of FedGL models via backdoor-based watermarking. Existing techniques have challenges in achieving the goal: 1) they either cannot be directly applied or yield unsatisfactory performance; 2) they are vulnerable to watermark removal attacks; and 3) they lack of formal guarantees. To address all the challenges, we propose FedGMark, the first certified robust backdoor-based watermarking for FedGL. FedGMark leverages the unique graph structure and client information in FedGL to learn customized and diverse watermarks. It also designs a novel GL architecture that facilitates defending against both the empirical and theoretically worst-case watermark removal attacks. Extensive experiments validate the promising empirical and provable watermarking performance of FedGMark. Source code is available at: <a class="link-external link-https" href="https://github.com/Yuxin104/FedGMark" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security

Yuying Liao,Rong Jiang,Bin Zhou

DOI: https://doi.org/10.3390/electronics13214306

IF: 2.9

2024-11-01

Electronics

Abstract:Heterogeneous federated learning, as an innovative variant of federated learning, aims to break through the constraints of vanilla federated learning on the consistency of model architectures to better accommodate the heterogeneity in mobile computing scenarios. It introduces heterogeneous and personalized local models, which effectively accommodates the heterogeneous data distributions and hardware resource constraints of individual clients, and thus improves computation and communication efficiency. However, it poses a challenge to model ownership protection, as watermarks embedded in the global model are corrupted to varying degrees when they are migrated to a user's heterogeneous model and cannot continue to provide complete ownership protection in the local models. To tackle these issues, we propose a dynamic black-box model watermarking method for heterogeneous federated learning, PWFed. Specifically, we design an innovative dynamic watermark generation method which is based on generative adversarial network technology and is capable of generating watermark samples that are virtually indistinguishable from the original carriers. This approach effectively solves the limitation of the traditional black-box watermarking technique, which only considers static watermarks, and makes the generated watermarks significantly improved in terms of stealthiness and difficult to detect by potential model thieves, thus enhancing the robustness of the watermarks. In addition, we design two watermark embedding strategies with different granularities in the heterogeneous federated learning environment. During the watermark extraction and validation phase, PWFed accesses watermark samples claiming ownership of the model through an API interface and analyzes the differences between their output and the expected labels. Our experimental results show that PWFed achieves a 99.9% watermark verification rate with only a 0.1–4.8% sacrifice of main task accuracy on the CIFAR10 dataset.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yang Xu,Yunlin Tan,Cheng Zhang,Kai Chi,Peng Sun,Wenyuan Yang,Ju Ren,Hongbo Jiang,Yaoxue Zhang

2024-02-29

Abstract:Embedding watermarks into models has been widely used to protect model ownership in federated learning (FL). However, existing methods are inadequate for protecting the ownership of personalized models acquired by clients in personalized FL (PFL). This is due to the aggregation of the global model in PFL, resulting in conflicts over clients' private watermarks. Moreover, malicious clients may tamper with embedded watermarks to facilitate model leakage and evade accountability. This paper presents a robust watermark embedding scheme, named RobWE, to protect the ownership of personalized models in PFL. We first decouple the watermark embedding of personalized models into two parts: head layer embedding and representation layer embedding. The head layer belongs to clients' private part without participating in model aggregation, while the representation layer is the shared part for aggregation. For representation layer embedding, we employ a watermark slice embedding operation, which avoids watermark embedding conflicts. Furthermore, we design a malicious watermark detection scheme enabling the server to verify the correctness of watermarks before aggregating local models. We conduct an exhaustive experimental evaluation of RobWE. The results demonstrate that RobWE significantly outperforms the state-of-the-art watermark embedding schemes in FL in terms of fidelity, reliability, and robustness.

Cryptography and Security,Artificial Intelligence

Xiyao Liu,Shuo Shao,Yue Yang,Kangming Wu,Wenyuan Yang,Hui Fang

DOI: https://doi.org/10.1109/smc52423.2021.9658998

2021-01-01

Abstract:Federated learning (FL) has become an emerging distributed framework to build deep learning models with collaborative efforts from multiple participants. Consequently, copyright protection of FL deep model is urgently required because too many participants have access to the joint-trained model. Recently, Secure FL framework is developed to address data leakage issue when central node is not fully trustable. This encryption process has made existing DL model watermarking schemes impossible to embed watermark at the central node. In this paper, we propose a novel client-side Federated Learning watermarking method to tackle the model verification issue under the Secure FL framework. In specific, we design a backdoor-based watermarking scheme to allow model owners to embed their pre-designed noise patterns into the FL deep model. Thus, our method provides reliable copyright protection while ensuring the data privacy because the central node has no access to the encrypted gradient information. The experimental results have demonstrated the efficiency of our method in terms of both FL model performance and watermarking robustness.

Yue Wang,Na Liu,Xingyu Chen

DOI: https://doi.org/10.21203/rs.3.rs-3291175/v1

2023-01-01

Abstract:Abstract Federated learning (FL) has become an emerging distributed framework to build deep learning models through the collaborative efforts from multiple participants without sharing training data across the engaged parties. However, during the whole life cycle of FL models, many unreliable participants may gain access and expose risks to them. Therefore, from the perspective of copyright protection, FedBack, a backdoor watermarking method based on trigger pre-processing is proposed to verify federated ownership on client side. First, clients embed their backdoor watermark information to the global model naturally at model training stage. Subsequently, federated ownership can be preliminarily verified through client detection and gain an outpouring of support through server mediation, without disclosing model privacy. Moreover, Trigger Pre-processing Algorithm is innovatively proposed to study watermark performance by changing watermark levels. Experimental results show that watermark detection rate of any level is high enough to credibly prove ownership verification result, with p-value providing more statistical evidence. This protection mechanism is deployed under two DNN architectures to prove watermark fidelity, significance and robustness. Overall, FedBack can credibly support the ownership verification result, with negligible impact on primitive classification tasks. It is also applicable to various federated training settings and robust to various model attacks.

Wenyuan Yang,Shuo Shao,Yue Yang,Xiyao Liu,Ximeng Liu,Zhihua Xia,Gerald Schaefer,Hui Fang

DOI: https://doi.org/10.1145/3630636

IF: 5

2024-01-01

ACM Transactions on Intelligent Systems and Technology

Abstract:Federated learning (FL) allows multiple participants to collaboratively build deep learning (DL) models without directly sharing data. Consequently, the issue of copyright protection in FL becomes important since unreliable participants may gain access to the jointly trained model. Application of homomorphic encryption (HE) in a secure FL framework prevents the central server from accessing plaintext models. Thus, it is no longer feasible to embed the watermark at the central server using existing watermarking schemes. In this article, we propose a novel client-side FL watermarking scheme to tackle the copyright protection issue in secure FL with HE. To the best of our knowledge, it is the first scheme to embed the watermark to models under a secure FL environment. We design a black-box watermarking scheme based on client-side backdooring to embed a pre-designed trigger set into an FL model by a gradient-enhanced embedding method. Additionally, we propose a trigger set construction mechanism to ensure that the watermark cannot be forged. Experimental results demonstrate that our proposed scheme delivers outstanding protection performance and robustness against various watermark removal attacks and ambiguity attack.

Bowen Li,Lixin Fan,Hanlin Gu,Jie Li,Qiang Yang

DOI: https://doi.org/10.1109/tpami.2022.3195956

IF: 23.6

2023-03-11

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Federated learning models are collaboratively developed upon valuable training data owned by multiple parties. During the development and deployment of federated models, they are exposed to risks including illegal copying, re-distribution, misuse and/or free-riding. To address these risks, the ownership verification of federated learning models is a prerequisite that protects federated learning model intellectual property rights (IPR) i.e., FedIPR. We propose a novel federated deep neural network (FedDNN) ownership verification scheme that allows private watermarks to be embedded and verified to claim legitimate IPR of FedDNN models. In the proposed scheme, each client independently verifies the existence of the model watermarks and claims respective ownership of the federated model without disclosing neither private training data nor private watermark information. The effectiveness of embedded watermarks is theoretically justified by the rigorous analysis of conditions under which watermarks can be privately embedded and detected by multiple clients. Moreover, extensive experimental results on computer vision and natural language processing tasks demonstrate that varying bit-length watermarks can be embedded and reliably detected without compromising original model performances. Our watermarking scheme is also resilient to various federated training settings and robust against removal attacks.

computer science, artificial intelligence,engineering, electrical & electronic

Fang-Qi Li,Shi-Lin Wang,Alan Wee-Chung Liew

DOI: https://doi.org/10.1109/icmew56448.2022.9859395

2022-01-01

Abstract:With the wide application of deep learning models, it is important to verify an author’s possession over a deep neural network model by watermarks and protect the model. The development of distributed learning paradigms such as federated learning raises new challenges for model protection. Each author should be able to conduct independent verification and trace traitors. To meet those requirements, we propose a watermarking protocol, Merkle-Sign to meet the prerequisites for ownership verification in federated learning. Our work paves the way for generalizing watermark as a practical security mechanism for protecting deep learning models in distributed learning platforms.

Jinyin Chen,Mingjun Li,Mingjun Li,Haibin Zheng

2023-03-18

Abstract:Federated learning (FL), an effective distributed machine learning framework, implements model training and meanwhile protects local data privacy. It has been applied to a broad variety of practice areas due to its great performance and appreciable profits. Who owns the model, and how to protect the copyright has become a real problem. Intuitively, the existing property rights protection methods in centralized scenarios (e.g., watermark embedding and model fingerprints) are possible solutions for FL. But they are still challenged by the distributed nature of FL in aspects of the no data sharing, parameter aggregation, and federated training settings. For the first time, we formalize the problem of copyright protection for FL, and propose FedRight to protect model copyright based on model fingerprints, i.e., extracting model features by generating adversarial examples as model fingerprints. FedRight outperforms previous works in four key aspects: (i) Validity: it extracts model features to generate transferable fingerprints to train a detector to verify the copyright of the model. (ii) Fidelity: it is with imperceptible impact on the federated training, thus promising good main task performance. (iii) Robustness: it is empirically robust against malicious attacks on copyright protection, i.e., fine-tuning, model pruning, and adaptive attacks. (iv) Black-box: it is valid in the black-box forensic scenario where only application programming interface calls to the model are available. Extensive evaluations across 3 datasets and 9 model structures demonstrate FedRight's superior fidelity, validity, and robustness.

Cryptography and Security,Artificial Intelligence

Shufen Fang,Keke Gai,Jing Yu

DOI: https://doi.org/10.1007/978-981-97-5501-1_32

2024-01-01

Abstract:Federated Learning is a distributed machine learning framework, which is based on the principle of coordinating clients to train models on their private datasets through a centralized server without direct data exchange. It mitigates data privacy risks and improves efficiency, but there is still the risk of model theft, model plagiarism, and unauthorized distribution from adversaries. Watermarking is a well-known paradigm used to prevent these issues. It protects model intellectual property by providing proof of the violation issue's existence. Some recent studies have focused on embedding watermarks on either the client or the server side alone. However, in reality, both the server and clients have ownership of the model. In this paper, we propose a joint client-server watermark embedding framework to protect the intellectual property of both sides. White-box watermark is embedded on the client side and black-box watermark is on the server side. Clients and server can verify their embedded watermarks independently to claim ownership of the model. In addition, we employ continual learning to address the catastrophic forgetting issue. Our experimental results demonstrate that our proposed method can effectively deal with classical watermark removal attacks and is compatible with Differential Privacy.

Hewang Nie,Songfeng Lu

DOI: https://doi.org/10.1016/j.knosys.2024.111675

IF: 8.139

2024-01-01

Knowledge-Based Systems

Abstract:Federated learning, known for its emphasis on privacy and resource efficiency, has emerged as a transformative paradigm in the fields of artificial intelligence and industrial machine learning. However, with the advancement and widespread adoption of this technology, the concern of model theft in federated learning models becomes increasingly prominent. While current endeavors concentrate on protecting individual deep learning models, limited attention has been dedicated to those involved in federated learning, especially within decentralized environments. To fill this void, we introduce PersistVerify, an innovative approach for verifying model copyright within the federated learning framework. PersistVerify integrates boundary sample selection and spatial attention mechanisms, enhancing the robustness and confidentiality of neural network backdoor watermarks to ensure secure verification of model ownership. PersistVerify constructs a confidential and robust watermark dataset through three sequential steps: latent representation extraction, boundary sample selection, and spatial attention-based trigger embedding. Our research addresses the pervasive challenge of reliable model ownership verification in federated learning, demonstrating the efficacy of PersistVerify. This study provides valuable insights and methodologies to maintain the confidentiality and reliability of neural network backdoor watermarks in the domains of artificial intelligence and federated learning.

Miao Yan,Zhou Su,Yuntao Wang,Xiandong Ran,Yiliang Liu,Tom H. Luan

DOI: https://doi.org/10.1109/GLOBECOM54140.2023.10437312

2023-01-01

Abstract:Cross-silo federated learning, as a distributed learning paradigm, allows clients to collaboratively train an artificial intelligence (AI) model and jointly share the model ownership without local data transfer or exposure. However, the valuable AI models are facing fatal intellectual property (IP) infringement threats when offering AI services. Existing researches on IP protection mainly focus on the centralized models (i.e., single ownership), but leave federated models (i.e., shared ownership) unexplored. In this paper, we propose IPSF, a novel shared IP protection framework with all-round verification for multiple owners under cross-silo federated learning. Specifically, instead of embedding private watermarks individually, we adopt joint watermarks and soft labels as a conjoint fingerprint, and present a watermark generative adversarial network (WM-GAN) mechanism to fuse private watermarks and facilitate the integrated verification. We also design a diversity- and similarity-oriented assessment mechanism to support mutual evaluation between private and joint watermarks. Through the designed assessment mechanism, the correlation and variability between private and joint watermarks are dynamically maintained to ensure the stability of WM-GAN and the fairness among users in verification. Extensive experiments validates that our IPSF achieves desirable fidelity and high robustness under attacks.

Shuyang Yu,Junyuan Hong,Yi Zeng,Fei Wang,Ruoxi Jia,Jiayu Zhou

2023-12-06

Abstract:Federated learning (FL) emerges as an effective collaborative learning framework to coordinate data and computation resources from massive and distributed clients in training. Such collaboration results in non-trivial intellectual property (IP) represented by the model parameters that should be protected and shared by the whole party rather than an individual user. Meanwhile, the distributed nature of FL endorses a malicious client the convenience to compromise IP through illegal model leakage to unauthorized third parties. To block such IP leakage, it is essential to make the IP identifiable in the shared model and locate the anonymous infringer who first leaks it. The collective challenges call for \emph{accountable federated learning}, which requires verifiable ownership of the model and is capable of revealing the infringer's identity upon leakage. In this paper, we propose Decodable Unique Watermarking (DUW) for complying with the requirements of accountable FL. Specifically, before a global model is sent to a client in an FL round, DUW encodes a client-unique key into the model by leveraging a backdoor-based watermark injection. To identify the infringer of a leaked model, DUW examines the model and checks if the triggers can be decoded as the corresponding keys. Extensive empirical results show that DUW is highly effective and robust, achieving over $99\%$ watermark success rate for Digits, CIFAR-10, and CIFAR-100 datasets under heterogeneous FL settings, and identifying the IP infringer with $100\%$ accuracy even after common watermark removal attempts.

Cryptography and Security

Kaijing Luo,Ka-Ho Chow

2024-10-29

Abstract:Protecting intellectual property (IP) in federated learning (FL) is increasingly important as clients contribute proprietary data to collaboratively train models. Model watermarking, particularly through backdoor-based methods, has emerged as a popular approach for verifying ownership and contributions in deep neural networks trained via FL. By manipulating their datasets, clients can embed a secret pattern, resulting in non-intuitive predictions that serve as proof of participation, useful for claiming incentives or IP co-ownership. However, this technique faces practical challenges: client watermarks can collide, leading to ambiguous ownership claims, and malicious clients may exploit watermarks to inject harmful backdoors, jeopardizing model integrity. To address these issues, we propose Sanitizer, a server-side method that ensures client-embedded backdoors cannot be triggered on natural queries in harmful ways. It identifies subnets within client-submitted models, extracts backdoors throughout the FL process, and confines them to harmless, client-specific input subspaces. This approach not only enhances Sanitizer's efficiency but also resolves conflicts when clients use similar triggers with different target labels. Our empirical results demonstrate that Sanitizer achieves near-perfect success in verifying client contributions while mitigating the risks of malicious watermark use. Additionally, it reduces GPU memory consumption by 85% and cuts processing time by at least 5 times compared to the baseline.

Cryptography and Security

Wei Zhang,Wenxue Cui,Feng Jiang,Chifu Yang,Ran Li

DOI: https://doi.org/10.1109/trustcom53373.2021.00028

2021-01-01

Abstract:Deep neural network (DNN), as a key component of deep learning technology, plays a vital role in its development. Most major technology companies use deep neural network as a key component to build their artificial intelligence products and service. Building a deep neural network model requires us to pay a huge price: large-scale labeled data sets, a large number of computing resources, and highly specialized domain knowledge. Therefore, we believe that the model owner owns the intellectual property rights of the model, and it is very important to design a technology that protects the intellectual property rights of the deep neural network model and allows the owner to externally verify its copyright. Through statistical analysis of a large number of pre-trained network parameters, we propose an end-to-end network model protection framework-Deep Water based on the distribution of network model parameters. First, we propose a new research problem: embedding watermarks into deep neural networks. We also define the requirements for watermarking in deep neural networks, the embedding situation, and the types of attacks. Secondly, we propose a general framework for embedding the watermark into the parameter distribution function of each layer of the convolutional network. Our method does not harm the performance of the network where the watermark is placed, because the watermark is embedded when the host network is trained. Finally, we conducted a comprehensive experiment to reveal the potential of watermarking deep neural networks as the basis for this new research work. We proved that our framework can embed watermarks in the process of training deep neural networks from scratch and in the process of fine-tuning and distillation without compromising its performance. Even after migration learning and watermark overlay operations, the embedded watermark will not disappear. Even if 65% of the parameters are trimmed, the watermark remains intact.