FedIPR: Ownership Verification for Federated Deep Neural Network Models
The paper addresses the risk of illegal copying and misuse of federated learning models and offers a practical solution for model owners, but the contribution is incremental: it builds on existing watermarking techniques and applies them to a new setting.
The paper tackles the problem of protecting intellectual property rights in federated learning models by proposing a watermarking scheme for ownership verification, demonstrating that watermarks can be reliably embedded and detected without degrading model performance across various tasks and settings.
Federated learning models are collaboratively developed upon valuable training data owned by multiple parties. During the development and deployment of federated models, they are exposed to risks including illegal copying, re-distribution, misuse and/or free-riding. To address these risks, the ownership verification of federated learning models is a prerequisite that protects federated learning model intellectual property rights (IPR), i.e., FedIPR. We propose a novel federated deep neural network (FedDNN) ownership verification scheme that allows private watermarks to be embedded and verified to claim legitimate IPR of FedDNN models. In the proposed scheme, each client independently verifies the existence of the model watermarks and claims respective ownership of the federated model without disclosing either private training data or private watermark information. The effectiveness of embedded watermarks is theoretically justified by the rigorous analysis of conditions under which watermarks can be privately embedded and detected by multiple clients. Moreover, extensive experimental results on computer vision and natural language processing tasks demonstrate that varying bit-length watermarks can be embedded and reliably detected without compromising original model performances. Our watermarking scheme is also resilient to various federated training settings and robust against removal attacks.
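The following simulation is an added illustration, not code from the paper, and it uses an assumed, simplified embedding mechanism: each client holds a private ±1 projection matrix and a private bit string, its local step pushes the signs of the projected shared parameters towards its bits with a hinge loss, and the server only averages the local updates (FedAvg); no main-task loss is optimised. It shows the capacity condition the abstract refers to: while the total number of embedded bits is small relative to the parameter dimension, every client recovers its own watermark from the aggregated model using only its own secrets, whereas far beyond that capacity detection fails for at least one client.

```python
import random

def make_client(d, bits, seed):
    """Constructed client secrets: a private +/-1 projection matrix E (d x bits)
    and a private watermark B in {+1,-1}^bits. Neither ever leaves the client."""
    rng = random.Random(seed)
    E = [[rng.choice((-1, 1)) for _ in range(bits)] for _ in range(d)]
    B = [rng.choice((-1, 1)) for _ in range(bits)]
    return E, B

def project(gamma, E):
    """Feature-space projection (E^T gamma)_j, one value per watermark bit j."""
    return [sum(g * row[j] for g, row in zip(gamma, E)) for j in range(len(E[0]))]

def client_update(gamma, E, B, lr=0.1, margin=0.5):
    """One local step on a sign-hinge loss (assumed mechanism): whenever
    B_j * (E^T gamma)_j is below the margin, move gamma so the sign matches B_j."""
    new = list(gamma)
    for j, (p, bj) in enumerate(zip(project(gamma, E), B)):
        if bj * p < margin:
            for i, row in enumerate(E):
                new[i] += lr * bj * row[j]
    return new

def detect(gamma, E, B):
    """Client-side verification: fraction of bits whose sign(E^T gamma) equals B."""
    hits = sum(1 for p, bj in zip(project(gamma, E), B) if p * bj > 0)
    return hits / len(B)

def train_federated(d, n_clients, bits, rounds=200):
    """FedAvg over clients that optimise only their own watermark loss; the
    server sees averaged parameters, never any E or B. Returns the aggregated
    parameter vector and the clients' secrets (kept here only for verification)."""
    clients = [make_client(d, bits, seed=k) for k in range(n_clients)]
    gamma = [0.0] * d  # shared scale vector, e.g. a normalisation layer's gamma
    for _ in range(rounds):
        local = [client_update(gamma, E, B) for E, B in clients]
        gamma = [sum(g[i] for g in local) / n_clients for i in range(d)]
    return gamma, clients

def verify_all(gamma, clients):
    """Each client independently checks its own watermark in the shared model."""
    return [detect(gamma, E, B) for E, B in clients]

if __name__ == "__main__":
    # Within capacity: 4 clients x 8 bits = 32 sign constraints on d = 128 parameters.
    g, c = train_federated(d=128, n_clients=4, bits=8)
    print("within capacity :", verify_all(g, c))
    # Far beyond capacity: 8 clients x 32 bits = 256 constraints on d = 32 parameters.
    g, c = train_federated(d=32, n_clients=8, bits=32)
    print("beyond capacity :", verify_all(g, c))
```

In the over-capacity run the 256 random sign constraints cannot all hold in 32 dimensions, so at least one client's verification falls below 100% no matter how long training continues.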