Federated learning (FL) has emerged as an effective collaborative learning framework for coordinating the data and computation resources of a massive number of distributed clients during training. Such collaboration yields non-trivial intellectual property (IP), embodied in the model parameters, that should be protected and shared by all participating parties rather than owned by an individual user. Meanwhile, the distributed nature of FL gives a malicious client a convenient way to compromise this IP by illegally leaking the model to unauthorized third parties. To block such IP leakage, the IP must be made identifiable in the shared model, and the anonymous infringer who first leaked it must be locatable. These combined challenges call for \emph{accountable federated learning}, which requires verifiable ownership of the model and the ability to reveal the infringer's identity upon leakage. In this paper, we propose Decodable Unique Watermarking (DUW) to meet the requirements of accountable FL. Specifically, before a global model is sent to a client in an FL round, DUW encodes a client-unique key into the model through backdoor-based watermark injection. To identify the infringer behind a leaked model, DUW examines the model and checks whether its triggers decode to the corresponding keys. Extensive empirical results show that DUW is highly effective and robust, achieving over $99\%$ watermark success rate on the Digits, CIFAR-10, and CIFAR-100 datasets under heterogeneous FL settings, and identifying the IP infringer with $100\%$ accuracy even after common watermark removal attempts.