一种支持安全联邦学习的主动保护模型水印框架

doi:10.19678/j.issn.1000-3428.0068349

摘要/Abstract

摘要：

联邦学习作为一种新型的深度学习范式, 允许多个参与方在客户端本地共同训练模型, 极大地保护了用户的数据隐私, 得到了广泛关注和研究。然而, 联邦学习作为一种分布式学习方式, 极易遭受非法复制、恶意分发及客户端懒惰不作为等攻击。针对上述问题, 提出一种支持安全联邦学习的主动保护模型水印框架。首先, 设计了一个基于护照层水印的个性化参数聚合方法, 在解决水印冲突问题的同时防止懒惰客户端盗窃模型; 其次, 设计了一个基于向量承诺的全局水印聚合方法, 有效抵御了恶意攻击者伪造私有水印进行歧义攻击。实验结果表明, 与当前最好的FedIPR相比, 所提方法具有更高的水印容量, 可以支持更大型的联邦学习系统; 在差分隐私、客户端选择等安全联邦学习策略下能保持近100%的水印提取率, 在遭遇微调、剪枝等攻击时也能保持98%以上的水印提取率。

关键词: 版权保护, 联邦学习, 向量承诺, 歧义攻击, 懒惰客户端

Abstract:

As a new paradigm in deep learning, federated learning allows multiple parties to jointly train deep learning models while ensuring that data remains on the clients' local devices. This approach has greatly protected user data privacy and has gained widespread attention from researchers. However, as a distributed learning method, federated learning is highly vulnerable to illegal copying, malicious distribution, and free rider attacks. In response to these security issues in federated learning, this study proposes an active model watermarking framework for secure federated learning. First, the framework employs a personalized parameter aggregation method based on passport layer watermarking scheme, which resolves watermark conflicts while preventing free riders from obtaining usable models. Second, a global watermark aggregation algorithm based on vector commitment is proposed, which can effectively resist malicious attackers attempting to forge private watermarks for ambiguity attacks. Experimental results show that, compared to the state-of-the-art client-side federated learning watermarking scheme FedIPR, the proposed method has a higher watermark capacity, enabling support for larger federated learning systems. The proposed method maintains a near 100% watermark extraction rate under secure federated learning strategies such as differential privacy and client selection. It also maintains an extraction rate of over 98% when faced with attacks such as fine-tuning and pruning.

Key words: copyright protection, federated learning, vector commitment, ambiguity attack, lazy client

陈先意, 丁思哲, 王康, 闫雷鸣, 付章杰. 一种支持安全联邦学习的主动保护模型水印框架[J]. 计算机工程, 2025, 51(1): 138-147.

CHEN Xianyi, DING Sizhe, WANG Kang, YAN Leiming, FU Zhangjie. An Watermarking Framework of Active Protection Model for Secure Federated Learning[J]. Computer Engineering, 2025, 51(1): 138-147.

https://www.ecice06.com/CN/Y2025/V51/I1/138

图/表 11

图1 联邦学习版权威胁示意图

Fig.1 Schematic diagram of copyright threats in federated learning

图2 支持安全联邦学习的主动保护模型水印框架

Fig.2 The watermarking framework of an active protection model for secure federated learning

图3 基于默克尔树的向量承诺

Fig.3 Vector commitment based on Merkle tree

图4 全局水印重构

Fig.4 Reconstruction of global watermark

图5 含水印模型与无水印模型的主任务精度对比

Fig.5 Comparison of main task accuracy between watermarked and non-watermarked models

图6 在不同客户端数量下水印提取率对比

Fig.6 Comparison of watermark extraction rates under different client numbers

图7 在不同水印长度下水印提取率对比

Fig.7 Comparison of watermark extraction rates under different watermark lengths

参考文献 31

1	MCMAHAN H B, MOORE E, RAMAGE D, et al. Communication-efficient learning of deep networks from decentralized data[EB/OL]. [2023-08-01]. https://arxiv.org/pdf/1602.05629.
2	吴汉舟, 张杰, 李越, 等. 人工智能模型水印研究进展. 中国图象图形学报, 2023, 28 (6): 1792- 1810.
	WU H Z , ZHANG J , LI Y , et al. Overview of artificial intelligence model watermarking. Journal of Image and Graphics, 2023, 28 (6): 1792- 1810.
3	FAN L X, NG K W, CHAN C S. Rethinking deep neural network ownership verification: Embedding passports to defeat ambiguity attacks[EB/OL]. [2023-08-01]. https://arxiv.org/abs/1909.07830?context=cs.
4	FAN L X , NG K W , CHAN C S , et al. DeepIPR: deep neural network ownership verification with passports. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022, 44 (10): 6122- 6139. doi: 10.1109/TPAMI.2021.3088846
5	LI B W , FAN L X , GU H L , et al. FedIPR: ownership verification for federated deep neural network models. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023, 45 (4): 4521- 4536. doi: 10.1109/TPAMI.2022.3195956
6	SHAO S, YANG W Y, GU H L, et al. FedTracker: furnishing ownership verification and traceability for federated learning model[EB/OL]. [2023-08-01]. https://arxiv.org/abs/2211.07160v3.
7	UCHIDA Y, NAGAI Y, SAKAZAWA S, et al. Embedding watermarks into deep neural networks[C]//Proceedings of the ACM on International Conference on Multimedia Retrieval. New York, USA: ACM Press, 2017: 269-277.
8	WANG J F , WU H Z , ZHANG X P , et al. Watermarking in deep neural networks via error back-propagation. Electronic Imaging, 2020, 32 (4): 1- 9.
9	CHEN H L, ROUHANI B D, FU C, et al. DeepMarks: a secure fingerprinting framework for digital rights management of deep learning models[C]//Proceedings of the International Conference on Multimedia Retrieval. New York, USA: ACM Press, 2019: 105-113.
10	ADI Y, BAUM C, CISSE M, et al. Turning your weakness into a strength: watermarking deep neural networks by backdooring[EB/OL]. [2023-08-01]. https://arxiv.org/pdf/1802.04633.
11	GU T Y, DOLAN-GAVITT B, GARG S. BadNets: identifying vulnerabilities in the machine learning model supply chain[EB/OL]. [2023-08-01]. https://arxiv.org/pdf/1708.06733.
12	LIU Y Q, MA S Q, AAFER Y, et al. Trojaning attack on neural networks[C]//Proceedings of Network and Distributed System Security Symposium. Washington D. C., USA: IEEE Press, 2018: 1023-1031.
13	JIA H, CHOQUETTE-CHOO C A, CHANDRASEKARAN V, et al. Entangled watermarks as a defense against model extraction[C]//Proceedings of the 30th USENIX Security Symposium. [S. l. ]: USENIX Association, 2021: 1937-1954.
14	曾嘉忻, 张卫明, 张荣. 基于后门的鲁棒后向模型水印方法. 计算机工程, 2024, 50 (2): 132- 139. URL
	ZENG J X , ZHANG W M , ZHANG R . Robust backward model watermarking method based on backdoor. Computer Engineering, 2024, 50 (2): 132- 139. URL
15	TEKGUL B G A, XIA Y X, MARCHAL S, et al. WAFFLE: watermarking in federated learning[C]//Proceedings of the 40th International Symposium on Reliable Distributed Systems (SRDS). Washington D. C., USA: IEEE Press, 2021: 310-320.
16	CHEN J Y, LI M J, LI M J, et al. FedRight: an effective model copyright protection for federated learning[EB/OL]. [2023-08-01]. https://arxiv.org/abs/2303.10399?context=cs.
17	ZHAO J J , HU Q Y , LIU G Y , et al. AFA: adversarial fingerprinting authentication for deep neural networks. Computer Communications, 2020, 150, 488- 497. doi: 10.1016/j.comcom.2019.12.016
18	李璇, 邓天鹏, 熊金波, 等. 基于模型后门的联邦学习水印. 软件学报, 2024, 35 (7): 3454- 3468.
	LI X , DENG T P , XIONG J B , et al. Federated learning watermark based on model backdoor. Journal of Software, 2024, 35 (7): 3454- 3468.
19	WU T , LI X H , MIAO Y B , et al. CITS-MEW: multi-party entangled watermark in cooperative intelligent transportation system. IEEE Transactions on Intelligent Transportation Systems, 2023, 24 (3): 3528- 3540. doi: 10.1109/TITS.2022.3225116
20	LIANG J C, WANG R. FedCIP: federated client intellectual property protection with traitor tracking[EB/OL]. [2023-08-01]. https://arxiv.org/abs/2306.01356?context=cs.CR.
21	CARLINI N, LIU C, ERLINGSSON Ú, et al. The secret sharer: evaluating and testing unintended memorization in neural networks[EB/OL]. [2023-08-01]. https://arxiv.org/pdf/1802.08232v2.
22	SHOKRI R, STRONATI M, SONG C Z, et al. Membership inference attacks against machine learning models[C]//Proceedings of the IEEE Symposium on Security and Privacy (SP). Washington D. C., USA: IEEE Press, 2017: 3-18.
23	YANG Q , LIU Y , CHEN T J , et al. Federated machine learning. ACM Transactions on Intelligent Systems and Technology, 2019, 10 (2): 1- 19.
24	KAIROUZ P , MCMAHAN H B , AVENT B , et al. Advances and open problems in federated learning. Foundations and Trends^® in Machine Learning, 2021, 14 (1-2): 1- 210.
25	LI Y Z , CHEN C , LIU N , et al. A blockchain-based decentralized federated learning framework with committee consensus. IEEE Network, 2021, 35 (1): 234- 241. doi: 10.1109/MNET.011.2000263
26	FRABONI Y, VIDAL R, LORENZI M. Free-rider attacks on model aggregation in federated learning[EB/OL]. [2023-08-01]. https://arxiv.org/abs/2006.11901v5.
27	GEYER R C, KLEIN T, NABI M. Differentially private federated learning: a client level perspective[EB/OL]. [2023-08-01]. https://arxiv.org/pdf/1712.07557.
28	WEI K , LI J , DING M , et al. Federated learning with differential privacy: algorithms and performance analysis. IEEE Transactions on Information Forensics and Security, 2020, 15, 3454- 3469. doi: 10.1109/TIFS.2020.2988575
29	YI X, PAULET R, BERTINO E. Homomorphic encryption[M]//Tutorials on the Foundations of Cryptography. Berlin, Germany: Springer, 2014: 27-46.
30	FANG H K , QIAN Q . Privacy preserving machine learning with homomorphic encryption and federated learning. Future Internet, 2021, 13 (4): 94. doi: 10.3390/fi13040094
31	YANG W Y, ZHU G X, YIN Y G, et al. FedSOV: federated model secure ownership verification with unforgeable signature[EB/OL]. [2023-08-01]. https://arxiv.org/abs/2305.06085v1.

[1]	王圆圆, 王世谦, 王涵, 郭正宾, 胡显承. 基于纵向联邦学习的能源排放跨界智能分析[J]. 计算机工程, 2025, 51(1): 164-173.
[2]	潘恩元, 钟原, 李平. 联邦异质性数据下半监督颈椎MRI分割模型[J]. 计算机工程, 2024, 50(9): 367-376.
[3]	李红娇, 王宝金, 王朝晖, 胡仁豪. 基于模型相似度与本地损失的双重客户端选择算法[J]. 计算机工程, 2024, 50(8): 153-164.
[4]	顾永跟, 高凌轩, 吴小红, 陶杰. 非独立同分布下联邦半监督学习的数据分享研究[J]. 计算机工程, 2024, 50(6): 188-196.
[5]	熊世强, 何道敬, 王振东, 杜润萌. 联邦学习及其安全与隐私保护研究综述[J]. 计算机工程, 2024, 50(5): 1-15.
[6]	顾永跟, 李国笑, 吴小红, 陶杰, 张艳琼. 预算约束下多任务联邦学习激励机制[J]. 计算机工程, 2024, 50(5): 149-157.
[7]	张晓均, 李兴鹏, 唐伟, 郝云溥, 薛婧婷. 云-边融合的可验证隐私保护跨域联邦学习方案[J]. 计算机工程, 2024, 50(3): 148-155.
[8]	宋华伟, 李升起, 万方杰, 卫玉萍. 非独立同分布场景下的联邦学习优化方法[J]. 计算机工程, 2024, 50(3): 166-172.
[9]	刘少杰, 文斌, 王泽旭. 基于联邦学习的多技术融合数据交易方法[J]. 计算机工程, 2024, 50(3): 182-190.
[10]	曾嘉忻, 张卫明, 张荣. 基于后门的鲁棒后向模型水印方法[J]. 计算机工程, 2024, 50(2): 132-139.
[11]	郑晨俊, 曾艳, 袁俊峰, 张纪林, 王鑫, 韩猛. 基于联邦学习的船舶AIS轨迹预测算法[J]. 计算机工程, 2024, 50(2): 298-307.
[12]	张攀峰, 吴丹华, 董明刚. 基于粒子群优化的差分隐私深度学习模型[J]. 计算机工程, 2023, 49(9): 144-157.
[13]	郑美光, 杨泳. 基于互信息软聚类的个性化联邦学习算法[J]. 计算机工程, 2023, 49(8): 20-28.
[14]	温依霖, 赵乃良, 曾艳, 韩猛, 岳鲁鹏, 张纪林. 基于本地模型质量的客户端选择方法[J]. 计算机工程, 2023, 49(6): 131-143.
[15]	陈何雄, 罗宇薇, 韦云凯, 郭威, 杭菲璐, 何映军, 杨宁. 基于联邦学习的SDN异常流量协同检测技术[J]. 计算机工程, 2023, 49(3): 168-176.

选择文件类型/文献管理软件名称

选择包含的内容