基于结构嵌入的可溯源联邦学习版权保护方法

doi:10.19678/j.issn.1000-3428.0070029

计算机工程 ›› 2026, Vol. 52 ›› Issue (2): 253-264. doi: 10.19678/j.issn.1000-3428.0070029

• 网络空间安全 • 上一篇

基于结构嵌入的可溯源联邦学习版权保护方法

陈先意^1,2, 糜慧³, 何俊杰¹, 付章杰^1,2

1. 南京信息工程大学计算机学院、网络空间安全学院, 江苏南京 210044;
2. 南京信息工程大学数字取证教育部工程研究中心, 江苏南京 210044;
3. 南京信息工程大学软件学院, 江苏南京 210044

收稿日期:2024-06-24 修回日期:2024-08-09 发布日期:2024-11-14
作者简介:陈先意(CCF会员),男,副教授、博士,主研方向为区块链安全、大数据安全、人工智能安全;糜慧(通信作者，E-mail:mihui_nuist@163.com)、何俊杰,硕士研究生;付章杰,教授、博士。
基金资助:
国家重点研发计划(2021YFB2700900);国家自然科学基金(62172232,62172233);江苏省杰出青年基金(BK20200039)。

Traceable Federated Learning Copyright Protection Method Based on Structural Embedding

CHEN Xianyi^1,2, MI Hui³, HE Junjie¹, FU Zhangjie^1,2

1. School of Computer Science, School of Cyber Security and Engineering, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China;
2. Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China;
3. School of Software, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China

Received:2024-06-24 Revised:2024-08-09 Published:2024-11-14

摘要/Abstract

摘要： 由于参与联邦学习联合训练的客户端并非完全可信,从而带来联邦学习模型的版权泄露风险,而当前由中央服务器嵌入水印的方法面临许多难题,例如难以适用于安全联邦学习架构、溯源能力不足、服务器计算负担过重等。针对上述问题,提出一种基于正交约束的可溯源安全联邦学习版权保护方案FedSOW。首先,服务器复制待嵌入水印的卷积层形成双层通道,作为初始化水印层;然后,根据施密特正交化原理设计正交约束规则并以不同的规则约束局部模型水印层的输出特征;最后,客户端通过训练反向引导水印层形成具有不同正交结构的可溯源局部模型。实验结果表明,与现有的水印方案相比,FedSOW具有较好的水印持续性,确保能在安全联邦学习框架的训练过程中进行版权验证,在可溯源性、保真度和抗攻击能力等方面表现出卓越的性能。

关键词: 联邦学习, 版权保护, 可溯源性, 鲁棒性, 机器学习

Abstract: Owing to the risk of copyright leakage in Federated Learning (FL) models caused by untrustworthy clients participating in joint training, current watermark embedding methods used by the central server face several challenges, such as incompatibility with secure FL architectures, insufficient traceability, and excessive server computational burden. Therefore, this study proposes a traceable and secure FL copyright protection scheme based on orthogonal constraints, abbreviated as FedSOW. Initially, the server replicates the convolutional layer embedded in the watermark to form a dual-channel layer and selects this dual-channel layer as the initial watermark layer. Subsequently, forward constraint rules are designed based on the principle of Schmidt orthogonalization, guiding the output features of the watermark layer of the client model using the orthogonal constraint. Finally, the client trains the watermark layer to form traceable local models with different orthogonal structures. Experimental results show that, compared with existing watermarking schemes, FedSOW demonstrates strong watermark persistence, ensuring copyright verification in the training round within the secure FL framework. Moreover, FedSOW exhibits excellent performance in terms of traceability, fidelity, and attack resistance.

Key words: Federated Learning (FL), copyright protection, traceability, robustness, machine learning

中图分类号:

TP309

陈先意, 糜慧, 何俊杰, 付章杰. 基于结构嵌入的可溯源联邦学习版权保护方法[J]. 计算机工程, 2026, 52(2): 253-264.

CHEN Xianyi, MI Hui, HE Junjie, FU Zhangjie. Traceable Federated Learning Copyright Protection Method Based on Structural Embedding[J]. Computer Engineering, 2026, 52(2): 253-264.

https://www.ecice06.com/CN/Y2026/V52/I2/253

参考文献

[1] 李耀墀, 蔡庆生. 迅速发展中的机器学习[J]. 计算机科学, 1988, 18(1): 30-34. LI Y C, CAI Q S. The rapid development of machine learning[J]. Computer Science, 1988, 18(1): 30-34. (in Chinese)
[2] KONECN AY＇G J, MCMAHAN H B, RAMAGE D, et al. Federated optimization: distributed machine learning for on-device intelligence[EB/OL].[2024-05-15]. http://arxiv.org/abs/1610.02527.
[3] KONECNY J, MCMAHAN H B, YU F X, et al. Federated learning: strategies for improving communication efficiency[EB/OL].[2024-05-15]. http://arxiv.org/abs/1610.05492.
[4] WANG Z B, SONG M K, ZHANG Z F, et al. Beyond inferring class representatives: user-level privacy leakage from federated learning[C]//Proceedings of the IEEE Conference on Computer Communications. Washington D. C., USA: IEEE Press, 2019: 2512-2520.
[5] YIN H X, MALLYA A, VAHDAT A, et al. See through gradients: image batch recovery via GradInversion[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D. C., USA: IEEE Press, 2021: 16337-16346.
[6] ZHAO B, MOPURI K R, BILEN H. IDLG: improved deep leakage from gradients[EB/OL].[2024-05-15]. http://arxiv.org/abs/2001.02610.
[7] TRAMER F, KURAKIN A, PAPERNOT N, et al. Ensemble adversarial training: attacks and defenses[EB/OL].[2024-05-15]. http://arxiv.org/abs/1705.07204.
[8] 张春田, 苏育挺. 信息产品的版权保护技术——数字水印[J]. 电信科学, 1998, 14(12): 16-18. ZHANG C T, SU Y T. Copyright protection technology for information products: digital watermarking[J]. Telecommunication Science, 1998, 14(12): 16-18. (in Chinese)
[9] 孙圣和, 陆哲明. 数字水印处理技术[J]. 电子学报, 2000, 38(8): 85-90. SUN S H, LU Z M. Digital watermarking processing techniques[J]. Acta Electronica Sinica, 2000, 38(8): 85-90. (in Chinese)
[10] UCHIDA Y, NAGAI Y, SAKAZAWA S, et al. Embedding watermarks into deep neural networks[C]//Proceedings of the ACM International Conference on Multimedia Retrieval. New York, USA: ACM Press, 2017: 269-277.
[11] ADI Y, BAUM C, CISSE M, et al. Turning your weakness into a strength: watermarking deep neural networks by backdooring[C]//Proceedings of the 27th USENIX Security Symposium. Washington D. C., USA: IEEE Press, 2018: 1615-1631.
[12] FAN L X, NG K W, CHAN C S, et al. DeepIP: deep neural network intellectual property protection with passports[J]. IEEE Transactions on Pattern Analysis & Machine Intelligence, 2021, 58(2): 325-334.
[13] ZHAO Y, PANG T, DU C, et al. A recipe for watermarking diffusion models[EB/OL].[2024-05-15]. http://arxiv.org/abs/2303.10137.
[14] 袁程胜, 郭强, 付章杰. 基于差分隐私的深度伪造指纹检测模型版权保护算法[J]. 通信学报, 2022, 43(9): 181-193. YUAN C S, GUO Q, FU Z J. Copyright protection algorithm based on differential privacy deep fake fingerprint detection model[J]. Journal on Communications, 2022, 43(9): 181-193. (in Chinese)
[15] LI B W, FAN L X, GU H L, et al. FedIPR: ownership verification for federated deep neural network models[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 45(4): 4521-4536.
[16] SHAO S, YANG W, GU H, et al. FedTracker: furnishing ownership verification and traceability for federated learning model[EB/OL].[2024-05-15]. http://arxiv.org/abs/2211.07160.
[17] AHMADI M, NOURMOHAMMADI R. zkFDL: an efficient and privacy-preserving decentralized federated learning with zero knowledge proof[C]//Proceedings of the 3rd IEEE International Conference on AI in Cybersecurity. Washington D. C., USA: IEEE Press, 2024: 1-10.
[18] YANG W, ZHU G, YIN Y, et al. FedSOV: federated model secure ownership verification with unforgeable signature[EB/OL].[2024-05-15]. http://arxiv.org/abs/2305.06085.
[19] WU T, LI X H, MIAO Y B, et al. CITS-MEW: multi-party entangled watermark in cooperative intelligent transportation system[J]. IEEE Transactions on Intelligent Transportation Systems, 2022, 24(3): 3528-3540.
[20] NIE H W, LU S F. FedCRMW: federated model ownership verification with compression-resistant model watermarking[J]. Expert Systems with Applications, 2024, 249: 123776.
[21] TEKGUL B G A, XIA Y X, MARCHAL S, et al. WAFFLE: watermarking in federated learning[C]//Proceedings of the 40th International Symposium on Reliable Distributed Systems. Washington D. C., USA: IEEE Press, 2021: 310-320.
[22] ZHENG X, DONG Q H, FU A M. WMDefense: using watermark to defense Byzantine attacks in federated learning[C]//Proceedings of the IEEE Conference on Computer Communications Workshops. Washington D. C., USA: IEEE Press, 2022: 1-6.
[23] YANG Q, LIU Y, CHEN T J, et al. Federated machine learning[J]. ACM Transactions on Intelligent Systems and Technology, 2019, 10(2): 1-19.
[24] 周修廉. 分布式计算机体系结构[J]. 哈尔滨科学技术大学学报, 1980, 2(1): 48-55. ZHOU X L. Distributed computer architecture[J]. Journal of Harbin University of Science and Technology, 1980, 2(1): 48-55. (in Chinese)
[25] 原野, 田园, 蒋七兵. 一种深度神经网络的分布式训练方法[J]. 电子技术应用, 2023, 49(3): 48-53. YUAN Y, TIAN Y, JIANG Q B. Distributed training method for deep neural networks[J]. Application of Electronic Technique, 2023, 49(3): 48-53. (in Chinese)
[26] MCMAHAN B, MOORE E, RAMAGE D, et al. Federated learning deep networks using model averaging[EB/OL].[2024-05-15]. http://arxiv.org/abs/1602.05629.
[27] WU Y, CAI S, XIAO X, et al. Privacy preserving vertical federated learning for tree-based models[EB/OL].[2024-05-15]. http://arxiv.org/abs/2008.06170.
[28] YANG H W, HE H, ZHANG W Z, et al. FedSteg: a federated transfer learning framework for secure image steganalysis[J]. IEEE Transactions on Network Science and Engineering, 2020, 8(2): 1084-1094.
[29] NASR M, SHOKRI R, HOUMANSADR A. Comprehensive privacy analysis of deep learning[C]//Proceedings of the 2019 IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2018: 433-445.
[30] PAILLER P. Public-key cryptosystems based on composite degree residuosity classes[M]. Berlin, Germany: Springer, 1999.
[31] DWORK C, MCSHERRY F, NISSIM K, et al. Calibrating noise to sensitivity in private data analysis[M]. Berlin, Germany: Springer, 2006.
[32] CRAMER R, SHOUP V. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption[C]//Proceedings of the International Conference on Theory and Applications of Cryptographic Techniques. Berlin, Germany: Springer, 2002: 45-64.
[33] MASHHADI P S, NOWACZYK S, PASHAMI S. Parallel orthogonal deep neural network[J]. Neural Networks, 2021, 140: 167-183.
[34] SIMONYAN K, ZISSERMAN A. Very deep convolutional networks for large-scale image recognition[EB/OL].[2024-05-15]. http://arxiv.org/abs/1409.1556.
[35] RUSSAKOVSKY O, DENG J, SU H, et al. ImageNet large scale visual recognition challenge[J]. International Journal of Computer Vision, 2015, 115(3): 211-252.
[36] KRIZHEVSKY A, SUTSKEVER I, HINTON G E. ImageNet classification with deep convolutional neural networks[C]//Proceedings of the Advances in Neural Information Processing Systems. Cambridge, USA: MIT Press, 2015: 25-33.
[37] KRIZHEVSKY A. Learning multiple layers of features from tiny images[D]. Toronto, Canada: University of Toronto, 2009.
[38] MCMAHAN B, MOORE E, RAMAGE D, et al. Communication-efficient learning of deep networks from decentralized data[EB/OL].[2024-05-15]. http://arxiv.org/abs/1602.05629.
[39] HOADLEY B. Asymptotic properties of maximum likelihood estimators for the independent not identically distributed case[J]. The Annals of Mathematical Statistics, 1971, 42(6): 1977-1991.

选择文件类型/文献管理软件名称

选择包含的内容

基于结构嵌入的可溯源联邦学习版权保护方法

Traceable Federated Learning Copyright Protection Method Based on Structural Embedding

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	武子璇, 刘银华. 基于瞳孔直径动态数字分析的情感评估[J]. 计算机工程, 2026, 52(2): 110-124.
[2]	齐峰毅, 张新有, 冯力, 邢焕来. 基于CSI特征指纹的无线设备识别方案[J]. 计算机工程, 2026, 52(2): 236-244.
[3]	左欣怡, 马双宝, 李少青, 王振宇, 刘威, 张洋. MS PUF：抗机器学习建模攻击的多维协同强PUF设计[J]. 计算机工程, 2025, 51(8): 62-73.
[4]	赵楷, 胡煜环, 闫俊桥, 毕雪华, 张琳琳. 基于区块链的版权保护研究综述[J]. 计算机工程, 2025, 51(8): 1-15.
[5]	雷一凡, 陈晓红. 隐私保护的去中心联邦多视图聚类[J]. 计算机工程, 2025, 51(7): 180-189.
[6]	王浩, 高锦涛, 王杰. 基于机器学习的数据库多表连接顺序选择研究综述[J]. 计算机工程, 2025, 51(7): 31-46.
[7]	姚玉鹏, 魏立斐, 张蕾. 一种隐私保护的抗投毒攻击联邦学习方案[J]. 计算机工程, 2025, 51(6): 223-235.
[8]	施永辉, 代琪, 陈丽芳, 韩阳. 基于自然最近邻的联邦聚合算法[J]. 计算机工程, 2025, 51(6): 236-244.
[9]	邓泽先, 张云贵, 张琳. 基于预训练递归Transformer-Mixer的多维时间序列分类研究[J]. 计算机工程, 2025, 51(5): 154-165.
[10]	庄紫薇, 朱俊国. 面向多源文本的越南语文本检错方法[J]. 计算机工程, 2025, 51(5): 93-102.
[11]	沈忱, 何勇, 彭安浪. 鲁棒物联网多维时序数据预测方法[J]. 计算机工程, 2025, 51(4): 107-118.
[12]	赵宏, 宋馥荣, 李文改. 基于SE-AdvGAN的图像对抗样本生成方法研究[J]. 计算机工程, 2025, 51(2): 300-311.
[13]	吴小红, 李佩, 顾永跟, 陶杰. 基于EMD最优匹配的分层联邦学习算法[J]. 计算机工程, 2025, 51(2): 170-178.
[14]	吴若岚, 陈玉玲, 豆慧, 张洋文, 龙钟. 抗攻击的联邦学习隐私保护算法[J]. 计算机工程, 2025, 51(2): 179-187.
[15]	王华华, 黄烨霞, 李玲, 王嘉程. 无蜂窝网络中的联邦学习用户调度与资源优化[J]. 计算机工程, 2025, 51(12): 255-267.

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于结构嵌入的可溯源联邦学习版权保护方法

Traceable Federated Learning Copyright Protection Method Based on Structural Embedding

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价