Watermarking Protocol for Deep Neural Network Ownership Regulation in Federated Learning

Li, Fangqi; Wang, Shilin; Liew, Alan Wee-Chung

doi:10.1109/icmew56448.2022.9859395

Cited by 8 publications

(5 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Methods for improving the characteristics of deep learning watermarks, such as capacity and the robustness of the watermarks, have become a significant research focus (Zhu et al 2021;Lv et al 2021;Ye et al 2022). Recently, many works have extended the use of deep learning watermarks to various high-profile deep learning scenarios such as deep reinforcement learning (Chen et al 2021), federated learning (Li, Wang, and Liew 2022), and multi-task learning . Work from the adversarial perspective has drawn concerns that ambiguity attacks can compromise deep learning watermarks (Fan, Ng, and Chan 2019).…”

Section: Related Work Deep Learning Watermarkingmentioning

confidence: 99%

Resource Efficient Deep Learning Hardware Watermarks with Signature Alignment

Clements,

Lao

2024

AAAI

View full text Add to dashboard Cite

Deep learning intellectual properties (IPs) are high-value assets that are frequently susceptible to theft. This vulnerability has led to significant interest in defending the field's intellectual properties from theft. Recently, watermarking techniques have been extended to protect deep learning hardware from privacy. These technique embed modifications that change the hardware's behavior when activated. In this work, we propose the first method for embedding watermarks in deep learning hardware that incorporates the owner's key samples into the embedding methodology. This improves our watermarks' reliability and efficiency in identifying the hardware over those generated using randomly selected key samples. Our experimental results demonstrate that by considering the target key samples when generating the hardware modifications, we can significantly increase the embedding success rate while targeting fewer functional blocks, decreasing the required hardware overhead needed to defend it.

show abstract

Section: Related Work Deep Learning Watermarkingmentioning

confidence: 99%

Resource Efficient Deep Learning Hardware Watermarks with Signature Alignment

Clements,

Lao

2024

AAAI

View full text Add to dashboard Cite

show abstract

“…) where W denotes certain parameters in M WM (Nagai et al 2018) or the outputs of M WM 's intermediate neurons (Li et al 2022b). Considering m as a list of binary labels, f can be cross-entropy loss (Nagai et al 2018), hingle loss (Fan, Ng, and Chan 2019), or a neural network classification backend (Wang et al 2022).…”

Section: Preliminaries Dnn Watermarkmentioning

confidence: 99%

“…Spread-Transform Dither Modulation watermarking (STDM) (Li, Tondi, and Barni 2021) is a variant of Uchida et al's scheme with STDM activation function. MTLSign (Li et al 2022b) is a dynamic white-box scheme. Each bit of the identity message is retrieved from the prediction for a trigger returned from a binary classifier based on hidden neurons' responses.…”

Section: Settingsmentioning

confidence: 99%

Revisiting the Information Capacity of Neural Network Watermarks: Upper Bound Estimation and Beyond

Li,

Zhao,

et al. 2024

AAAI

View full text Add to dashboard Cite

To trace the copyright of deep neural networks, an owner can embed its identity information into its model as a watermark. The capacity of the watermark quantify the maximal volume of information that can be verified from the watermarked model. Current studies on capacity focus on the ownership verification accuracy under ordinary removal attacks and fail to capture the relationship between robustness and fidelity. This paper studies the capacity of deep neural network watermarks from an information theoretical perspective. We propose a new definition of deep neural network watermark capacity analogous to channel capacity, analyze its properties, and design an algorithm that yields a tight estimation of its upper bound under adversarial overwriting. We also propose a universal non-invasive method to secure the transmission of the identity message beyond capacity by multiple rounds of ownership verification. Our observations provide evidence for neural network owners and defenders that are curious about the tradeoff between the integrity of their ownership and the performance degradation of their products.

show abstract

“…The mainstream IP protection in FL is still based on watermarking [21][23] [22]. Specifically, Tekgul et al [21] proposed WAFFLE which achieves IP protection by embedding watermarks on the server.…”

Section: Ip Protection In Flmentioning

confidence: 99%

“…Bowen Li et al [23] proposed FedIPR which embeds and detects watermarks by each client independently. Fang et al [22] designed the Merkle-Sign watermarking framework, which combines the stateof-the-art watermarking scheme and a security mechanism designed for distributed storage to protect both privacy and ownership. However, they either surfer the inherent limitation of the watermarking scheme or pose changes to the training of federated learning, both of which lead to negative impact on the model performance.…”

Section: Ip Protection In Flmentioning

confidence: 99%

FedRight: An Effective Model Copyright Protection for Federated Learning

Chen¹,

Li²,

Zheng³

2023

Preprint

View full text Add to dashboard Cite

Federated learning (FL), an effective distributed machine learning framework, implements model training and meanwhile protects local data privacy. It has been applied to a broad variety of practical areas due to their great performance and appreciable profits. Who really owns the model, and how to protect the copyright has become a real problem. Intuitively, the existing property rights protection methods in centralized scenarios (e.g., watermark embedding and model fingerprints) are possible solutions for FL. But they are still challenged by the distributed nature of FL in aspects of the no data sharing, parameter aggregation, and federated training settings. For the first time we formalize the problem of copyright protection for FL, and propose FedRight to protect model copyright based on model fingerprints, i.e., extracting model features by generating adversarial examples as model fingerprints. FedRight outperforms previous works in four key aspects: (i) Validity -it extracts model features to generate transferable fingerprints to train a detector to verify the copyright of the model. (ii) Fidelity -it is with imperceptible impact on the federated training, thus promises good main task performance. (iii) Robustness -it is empirically robust against malicious attack on copyright protection, i.e., fine-tuning, model pruning and adaptive attacks. (iv) Black-box -it is valid in black-box forensic scenario where only application programming interface calls to the model are available. Extensive evaluations across 3 datasets and 9 model structures demonstrate FedRight's superior fidelity, validity and robustness.

show abstract

Watermarking Protocol for Deep Neural Network Ownership Regulation in Federated Learning

Cited by 8 publications

References 8 publications

Resource Efficient Deep Learning Hardware Watermarks with Signature Alignment

Resource Efficient Deep Learning Hardware Watermarks with Signature Alignment

Revisiting the Information Capacity of Neural Network Watermarks: Upper Bound Estimation and Beyond

FedRight: An Effective Model Copyright Protection for Federated Learning

Contact Info

Product

Resources

About