Abstract
Federated learning (FL) allows multiple participants to collaboratively build deep learning (DL) models without directly sharing data. Consequently, copyright protection in FL becomes important, since unreliable participants may gain access to the jointly trained model. Applying homomorphic encryption (HE) in a secure FL framework prevents the central server from accessing plaintext models, so it is no longer feasible to embed the watermark at the central server using existing watermarking schemes. In this article, we propose a novel client-side FL watermarking scheme to tackle the copyright protection issue in secure FL with HE. To the best of our knowledge, it is the first scheme to embed a watermark into models under a secure FL environment. We design a black-box watermarking scheme based on client-side backdooring that embeds a pre-designed trigger set into an FL model by a gradient-enhanced embedding method. Additionally, we propose a trigger set construction mechanism to ensure that the watermark cannot be forged. Experimental results demonstrate that our proposed scheme delivers outstanding protection performance and robustness against various watermark removal attacks and ambiguity attacks.
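The abstract describes the setting (a FedAvg-style aggregation in which only a client, never the server, can touch a plaintext model) and the two halves of a black-box backdoor watermark: one client mixes an owner-chosen trigger set into its local training, and ownership is later checked by querying the suspect model on that trigger set. The following is an added, constructed illustration of that idea and is not the paper's code or scheme: it uses a softmax-regression model in numpy, four simulated clients, plain averaging at the server (HE is not simulated, since averaging is all the server does here), and models the "gradient-enhanced" embedding simply as an up-weighted trigger-set loss. The data, the trigger set, the dimensions and the chance-level verification threshold are all assumptions made for the example.

```python
"""Client-side black-box watermarking in a FedAvg simulation (added example).

Constructed, simplified illustration: a softmax-regression model, three
classes, four clients, and one client (client 0) that mixes a trigger set
into its local training with an up-weighted trigger loss. This is not the
paper's own code; the "gradient-enhanced" embedding is modelled as a weight.
"""
from math import comb
import numpy as np

RNG = np.random.default_rng(0)
D_DATA, D_TRIG, N_CLASSES = 10, 10, 3   # feature dims: data part, trigger part
D = D_DATA + D_TRIG


def make_client_data(n_per_class=60):
    """Constructed in-distribution data: three Gaussian clusters in the first
    D_DATA dims; the trigger dims are zero for ordinary samples (assumption)."""
    xs, ys = [], []
    for c in range(N_CLASSES):
        mean = np.zeros(D)
        mean[c] = 3.0
        x = RNG.normal(size=(n_per_class, D)) * 0.5 + mean
        x[:, D_DATA:] = 0.0
        xs.append(x)
        ys.append(np.full(n_per_class, c))
    return np.vstack(xs), np.concatenate(ys)


def make_trigger_set(n=8):
    """Constructed trigger set: out-of-distribution patterns in the trigger
    dims, with owner-chosen labels spread evenly across the classes."""
    x = np.zeros((n, D))
    x[:, D_DATA:] = RNG.normal(size=(n, D_TRIG))
    y = np.arange(n) % N_CLASSES
    return x, y


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def predict(w, b, x):
    return np.argmax(x @ w + b, axis=1)


def grad_step(w, b, x, y, lr, weight=1.0):
    """One gradient step on mean cross-entropy, scaled by `weight`."""
    p = softmax(x @ w + b)
    p[np.arange(len(y)), y] -= 1.0          # dL/dlogits = softmax - onehot
    gw = x.T @ p / len(y)
    gb = p.mean(axis=0)
    return w - lr * weight * gw, b - lr * weight * gb


def local_train(w, b, x, y, trig=None, steps=10, lr=0.1, trig_weight=4.0):
    """Local training; the watermarking client adds an up-weighted trigger-set
    loss after each data step (stand-in for gradient-enhanced embedding)."""
    for _ in range(steps):
        w, b = grad_step(w, b, x, y, lr)
        if trig is not None:
            w, b = grad_step(w, b, trig[0], trig[1], lr, trig_weight)
    return w, b


def fedavg(clients, trig=None, rounds=60):
    """FedAvg over `clients`; client 0 embeds the watermark when `trig` is
    given. The server only averages the returned models."""
    w, b = np.zeros((D, N_CLASSES)), np.zeros(N_CLASSES)
    for _ in range(rounds):
        ws, bs = [], []
        for k, (x, y) in enumerate(clients):
            wk, bk = local_train(w, b, x, y, trig if k == 0 else None)
            ws.append(wk)
            bs.append(bk)
        w, b = np.mean(ws, axis=0), np.mean(bs, axis=0)
    return w, b


def chance_pvalue(matches, n, n_classes):
    """P(at least `matches` of n trigger queries hit) for a model that knows
    nothing about the trigger labels: binomial tail with p = 1/n_classes."""
    q = 1.0 / n_classes
    return sum(comb(n, j) * q ** j * (1 - q) ** (n - j) for j in range(matches, n + 1))


def verify(w, b, trig, alpha=0.01):
    """Black-box ownership check: query the suspect model on the trigger set
    and accept only if the match count is implausible under chance guessing."""
    x, y = trig
    matches = int((predict(w, b, x) == y).sum())
    p = chance_pvalue(matches, len(y), N_CLASSES)
    return matches / len(y), p, bool(p < alpha)


CLIENTS = [make_client_data() for _ in range(4)]
TRIGGER = make_trigger_set()
WM_MODEL = fedavg(CLIENTS, TRIGGER)      # client 0 embeds the watermark
CLEAN_MODEL = fedavg(CLIENTS, None)      # same federation, no watermark


def task_accuracy(w, b):
    """Accuracy on client 1's (constructed) data, to show the task survives."""
    x, y = CLIENTS[1]
    return float((predict(w, b, x) == y).mean())


if __name__ == "__main__":
    print("watermarked:", verify(*WM_MODEL, TRIGGER), task_accuracy(*WM_MODEL))
    print("clean      :", verify(*CLEAN_MODEL, TRIGGER), task_accuracy(*CLEAN_MODEL))
```

The verification step is the part a practitioner reuses: rather than a fixed accuracy cut-off, `verify` reports how unlikely the observed trigger-set agreement is for a model that never saw the trigger labels, so the decision threshold scales with the trigger set size and the number of classes. In this constructed run the clean federation's model cannot score above chance on the triggers, while the model produced with one watermarking client answers them as the owner chose, with ordinary task accuracy unaffected.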
Watermarking in Secure Federated Learning: A Verification Framework Based on Client-Side Backdooring