A Survey of Ownership Protection Schemes for Federated Learning Models

doi:10.3969/j.issn.1671-1122.2024.10.009

Abstract

Abstract:

In recent years, machine learning has emerged as a key technology driving development across various industries. Federated learning has achieved enhancements in both model generalization and data privacy protection in distributed secure multi-party machine learning by integrating local data training with online gradient iteration. Due to the high training costs associated with federated learning models, including computational power and datasets, protecting the ownership of these economically valuable models has become particularly important. This article surveyed existing ownership protection schemes for federated learning models. The researchers examined two fingerprinting schemes, eight black-box watermarking schemes, and five white-box watermarking schemes to analyze the current state of research on model ownership protection. Additionally, this article combined methods for protecting the ownership of deep neural network models and provided insights into the current research directions for protecting the ownership of federated learning models.

Key words: machine learning, federated learning, deep neural networks, ownership protection

CLC Number:

TP309

SA Qirui, YOU Weijing, ZHANG Yifei, QIU Weiyang, MA Cunqing. A Survey of Ownership Protection Schemes for Federated Learning Models[J]. Netinfo Security, 2024, 24(10): 1553-1561.

Figures/Tables 7

References 24

[1]	MCMAHAN H B, MOORE E, RAMAGE D, et al. Communication-Efficient Learning of Deep Networks from Decentralized Data[EB/OL]. (2023-01-26)[2024-05-23]. https://arxiv.org/abs/1602.05629v4.
[2]	LANSARI M, BELLAFQIRA R, KAPUSTA K, et al. When Federated Learning Meets Watermarking: A Comprehensive Overview of Techniques for Intellectual Property Protection[J]. Machine Learning and Knowledge Extraction, 2023, 5(4): 1382-1406.
[3]	YANG Qiang, LIU Yang, CHEN Tianjian, et al. Federated Machine Learning[J]. ACM Transactions on Intelligent Systems and Technology, 2019, 10(2): 1-19.
[4]	LI Tian, SAHU A K, TALWALKAR A, et al. Federated Learning: Challenges, Methods, and Future Directions[J]. IEEE Signal Processing Magazine, 2020, 37(3): 50-60. doi: 10.1109/MSP.2020.2975749
[5]	BISHOP C M. Pattern Recognition and Machine Learning[M]. New York: Springer, 2006.
[6]	KIM B, LEE S, LEE S, et al. Margin-Based Neural Network Watermarking[C]// PMLR. International Conference on Machine Learning. New York: PMLR, 2023: 16696-16711.
[7]	PENG Zirui, LI Shaofeng, CHEN Guoxing, et al. Fingerprinting Deep Neural Networks Globally via Universal Adversarial Perturbations[C]// IEEE. 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). New York: IEEE, 2022: 13420-13429.
[8]	TIAN Yulong, SUYA F, XU Fengyuan, et al. Stealthy Backdoors as Compression Artifacts[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 1372-1387.
[9]	LI Yiming, WU Baoyuan, JIANG Yong, et al. Backdoor Learning: A Survey[EB/OL]. (2020-08-21)[2024-05-23]. https://arxiv.org/abs/2007.08745v2.
[10]	ADI Y, BAUM C, CISSE M, et al. Turning Your Weakness into a Strength: Watermarking Deep Neural Networks by Backdooring[EB/OL]. (2018-06-11)[2024-05-23]. https://arxiv.org/abs/1802.04633v3.
[11]	CHEN Jinyin, LI Mingjun, CHENG Yao, et al. FedRight: An Effective Model Copyright Protection for Federated Learning[EB/OL]. (2023-09-26)[2024-05-23]. https://doi.org/10.1016/j.cose.2023.103504.
[12]	SHAO Shuo, YANG Wenyuan, GU Hanlin, et al. FedTracker: Furnishing Ownership Verification and Traceability for Federated Learning Model[J]. IEEE Transactions on Dependable and Secure Computing, 2024 (99): 1-18.
[13]	TEKGUL B G A, XIA Yuxi, MARCHAL S, et al. WAFFLE: Watermarking in Federated Learning[C]// IEEE. 2021 40th International Symposium on Reliable Distributed Systems (SRDS). New York: IEEE, 2021: 310-320.
[14]	YU Shuyang, HONG Junyuan, ZENG Yi, et al.Who Leaked the Model? Tracking IP Infringers in Accountable Federated Learning[EB/OL]. (2023-12-06)[2024-05-23]. https://arxiv.org/abs/2312.03205v1.
[15]	LI Bowen, FAN Lixin, GU Hanlin, et al. FedIPR: Ownership Verification for Federated Deep Neural Network Models[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023, 45(4): 4521-4536.
[16]	NIE Hewang, LU Songfeng. FedCRMW: Federated Model Ownership Verification with Compression-Resistant Model Watermarking[EB/OL]. (2024-03-26)[2024-05-23]. https://www.sciencedirect.com/science/article/abs/pii/S0957417424006420?via%3Dihub.
[17]	NIE Hewang, LU Songfeng. PersistVerify: Federated Model Ownership Verification with Spatial Attention and Boundary Sampling[EB/OL]. (2024-03-21)[2024-05-23]. https://www.sciencedirect.com/science/article/abs/pii/S0950705124003101?via%3Dihub.
[18]	YANG Wenyuan, SHAO Shuo, YANG Yue, et al. Watermarking in Secure Federated Learning: A Verification Framework Based on Client-Side Backdooring[J]. ACM Transactions on Intelligent Systems and Technology, 2024, 15(1): 1-25.
[19]	YANG Wenyuan, YIN Yuguo, ZHU Gongxi, et al. FedZKP: Federated Model Ownership Verification with Zero-Knowledge Proof[EB/OL]. (2023-05-10)[2024-05-23]. https://arxiv.org/abs/2305.04507v2.
[20]	UCHIDA Y, NAGAI Y, SAKAZAWA S, et al. Embedding Watermarks into Deep Neural Networks[C]// ACM. Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval. New York: ACM, 2017: 269-277.
[21]	LI Fangqi, WANG Shilin, LIEW A W C. Watermarking Protocol for Deep Neural Network Ownership Regulation in Federated Learning[C]// IEEE. 2022 IEEE International Conference on Multimedia and Expo Workshops (ICMEW). New York: IEEE, 2022: 1-4.
[22]	YANG Wenyuan, ZHU Gongxi, YIN Yuguo, et al. FedSOV: Federated Model Secure Ownership Verification with Unforgeable Signature[EB/OL]. (2023-05-10)[2024-05-23]. https://arxiv.org/abs/2305.06085v1.
[23]	LIANG Junchuan, WANG Rong. FedCIP: Federated Client Intellectual Property Protection with Traitor Tracking[EB/OL]. (2023-06-02)[2024-05-23]. https://arxiv.org/abs/2306.01356v1.
[24]	XU Yang, TAN Yunlin, ZHANG Cheng, et al. RobWE: Robust Watermark Embedding for Personalized Federated Learning Model Ownership Protection[EB/OL]. (2024-02-29)[2024-05-23]. https://arxiv.org/abs/2402.19054v1.

方案	保真度	鲁棒性	通用性	计算开销	通信开销	IP追踪
WAFFLE方案	+ +	+	+ +	+ +	+	×
DUW方案	+ + +	+ +	+	+ +	+	×
FedTracker方案	+ +	+ +	+	+ +	+ + +	√
FedIPR方案	+ +	+	+	+ +	+	×
FedCRMW方案	+ +	+ + +	+	+ +	+	×
PersistVerify方案	+ + +	+ +	+ +	+ + +	+	×
文献[18]方案	+ +	+	+	+ + +	+ +	×
FedZKP方案	+	+	+	+ +	+ +	×

方案	保真度	鲁棒性	通用性	计算开销	通信开销	IP追踪
Merkle-Sign方案	+ +	+ +	+ +	+	+	×
FedIPR方案	+ +	+	+	+	+	×
FedSOV方案	+ +	+ +	+ + +	+ +	+	×
FedCIP方案	+ +	+ +	+ +	+ +	+ +	√
RobWE方案	+ + +	+ + +	+	+ + +	+ +	√