Encoder-decoder based watermarking for federated learning models
Yuling Luo, Yuanze Li, Xue Ouyang, Siyuan Zu, Zhaohui Chen, Qiang Fu, Sheng Qin, Junxiu Liu
Journal: Future Generation Computer Systems-The International Journal of Escience, volume 176, Article 108175
Publication date: 2025-10-01
Publication type: Journal Article
DOI: 10.1016/j.future.2025.108175
URL: https://www.sciencedirect.com/science/article/pii/S0167739X25004698
Impact factor: 6.2
JCR: Q1 (COMPUTER SCIENCE, THEORY & METHODS)
Citations: 0
Abstract
Federated learning, as a significant branch of deep learning, addresses issues related to data silos, data privacy, security, and communication bandwidth. In terms of intellectual property, it faces challenges similar to those of deep neural networks, namely vulnerabilities in protecting model ownership. Currently, some protection schemes are available, but existing federated learning protection schemes lack concealment in embedded watermark information, failing to ensure high robustness and security. Moreover, after embedding a large amount of watermark information, the impact on model performance cannot be guaranteed. Therefore, this paper proposes a novel federated learning protection framework consisting of three steps: watermark information generation, embedding, and ownership detection. In the generation of watermark information, an encoder-decoder structure is used for embedding. For embedding watermark information, a threshold processing method is employed to embed watermarks simultaneously in convolutional layers and BN layers. Experimental results show that the use of an encoder-decoder structure ensures high robustness, security, and concealment. It also allows for embedding a large amount of watermark information with minimal impact on the model’s original task, as the accuracy decreases by only 1.16% after embedding watermark information in four types of models. In addition, it exhibits high robustness against various common attacks, including fine-tuning, pruning, and equivalent attacks.
About the journal:
Computing infrastructures and systems are constantly evolving, resulting in increasingly complex and collaborative scientific applications. To cope with these advancements, there is a growing need for collaborative tools that can effectively map, control, and execute these applications.
Furthermore, with the explosion of Big Data, there is a requirement for innovative methods and infrastructures to collect, analyze, and derive meaningful insights from the vast amount of data generated. This necessitates the integration of computational and storage capabilities, databases, sensors, and human collaboration.
Future Generation Computer Systems aims to pioneer advancements in distributed systems, collaborative environments, high-performance computing, and Big Data analytics. It strives to stay at the forefront of developments in grids, clouds, and the Internet of Things (IoT) to effectively address the challenges posed by these wide-area, fully distributed sensing and computing systems.