FedRight: An Effective Model Copyright Protection for Federated Learning

Abstract: Federated learning (FL), an effective distributed machine learning framework, implements model training and meanwhile protects local data privacy. It has been applied to a broad variety of practical areas due to their great performance and appreciable profits. Who really owns the model, and how to protect the copyright has become a real problem. Intuitively, the existing property rights protection methods in centralized scenarios (e.g., watermark embedding and model fingerprints) are possible solutions for FL.… Show more

“…Table 3 gives a clear overview of existing methods depending on the previously described characteristics. Black-Box Server -FedIPR [18] White-Box and Black-Box Client(s) FedTracker [94] White-Box and Black-Box Server -Liu et al [95] Black-Box Client --FedCIP [96] White-Box Client(s) FedRight [97] White-Box Server -Yang et al [98] Black-Box Client --FedZKP [96] White-Box Client(s) Merkle-Sign [99] White-Box and Black-Box Server -…”

“…FedRight [97] is a solution for the server to fingerprint the model in the FL framework (S 2 ). DNN fingerprinting is a process in which instead of embedding a watermark in the model, we extract a fingerprint to identify this model [104].…”

“…Even if with their solution they have no important impact on the watermarking, no testing has yet been performed on (S 1 ). Another attack that is specific to FL as described in FedRight [97] and WAFFLE [17], consists of the fact that multiple clients will use their models and private datasets. As mentioned in Section 4.1, an evasion attack works better when multiple datasets are used to train the detector.…”

When Federated Learning Meets Watermarking: A Comprehensive Overview of Techniques for Intellectual Property Protection

“…Table 3 gives a clear overview of existing methods depending on the previously described characteristics. Black-Box Server -FedIPR [18] White-Box and Black-Box Client(s) FedTracker [94] White-Box and Black-Box Server -Liu et al [95] Black-Box Client --FedCIP [96] White-Box Client(s) FedRight [97] White-Box Server -Yang et al [98] Black-Box Client --FedZKP [96] White-Box Client(s) Merkle-Sign [99] White-Box and Black-Box Server -…”

“…FedRight [97] is a solution for the server to fingerprint the model in the FL framework (S 2 ). DNN fingerprinting is a process in which instead of embedding a watermark in the model, we extract a fingerprint to identify this model [104].…”

“…Even if with their solution they have no important impact on the watermarking, no testing has yet been performed on (S 1 ). Another attack that is specific to FL as described in FedRight [97] and WAFFLE [17], consists of the fact that multiple clients will use their models and private datasets. As mentioned in Section 4.1, an evasion attack works better when multiple datasets are used to train the detector.…”

When Federated Learning Meets Watermarking: A Comprehensive Overview of Techniques for Intellectual Property Protection