Watermarking in Secure Federated Learning: A Verification Framework Based on Client-Side Backdooring

Published: 19 December 2023

Abstract

Federated learning (FL) allows multiple participants to collaboratively build deep learning (DL) models without directly sharing data. Consequently, copyright protection in FL becomes important, since unreliable participants may gain access to the jointly trained model. Applying homomorphic encryption (HE) in a secure FL framework prevents the central server from accessing plaintext models, so it is no longer feasible to embed the watermark at the central server using existing watermarking schemes. In this article, we propose a novel client-side FL watermarking scheme to tackle the copyright protection issue in secure FL with HE. To the best of our knowledge, it is the first scheme to embed a watermark into models under a secure FL environment. We design a black-box watermarking scheme based on client-side backdooring that embeds a pre-designed trigger set into an FL model by a gradient-enhanced embedding method. Additionally, we propose a trigger set construction mechanism to ensure that the watermark cannot be forged. Experimental results demonstrate that our proposed scheme delivers outstanding protection performance and robustness against various watermark removal attacks and ambiguity attacks.

Cited By

  • (2024) A review on client-server attacks and defenses in federated learning. Computers and Security 140:C. DOI: 10.1016/j.cose.2024.103801. Online publication date: 1 May 2024.
  • (2024) Security of federated learning in 6G era: A review on conceptual techniques and software platforms used for research and analysis. Computer Networks 245 (110358). DOI: 10.1016/j.comnet.2024.110358. Online publication date: May 2024.
  • (2024) Imperceptible backdoor watermarks for speech recognition model copyright protection. Visual Intelligence 2:1. DOI: 10.1007/s44267-024-00055-w. Online publication date: 30 July 2024.
  • (2024) A Joint Client-Server Watermarking Framework for Federated Learning. Knowledge Science, Engineering and Management, 424–436. DOI: 10.1007/978-981-97-5501-1_32. Online publication date: 16 August 2024.

Published In

ACM Transactions on Intelligent Systems and Technology, Volume 15, Issue 1
February 2024
533 pages
EISSN: 2157-6912
DOI: 10.1145/3613503
Editor: Huan Liu

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 19 December 2023
Online AM: 30 October 2023
Accepted: 25 September 2023
Revised: 10 July 2023
Received: 12 December 2022
Published in TIST Volume 15, Issue 1

Author Tags

  1. Federated learning
  2. copyright protection
  3. digital watermark
  4. client-side backdooring

Qualifiers

  • Research-article

Funding Sources

  • National Key R&D Program of China
  • National Natural Science Foundation of China
  • Science and Technology Innovation Program of Hunan Province
  • Special Foundation for Distinguished Young Scientists of Changsha
  • 111 Project
  • High Performance Computing Center of Central South University