Federated learning (FL) is a distributed machine learning paradigm that allows multiple clients to collaboratively train a global model without sharing their local data. However, FL entails exposing the model to multiple participants, which poses a risk of unauthorized model distribution or resale by a malicious client and compromises the intellectual property rights of the FL group. To deter such misbehavior, it is essential to establish a mechanism for verifying ownership of the model as well as tracing its origin to the leaker among the FL participants. In this paper, we present FedTracker, the first FL model protection framework that provides both ownership verification and traceability. FedTracker adopts a bi-level protection scheme consisting of a global watermark mechanism and a local fingerprint mechanism: the former authenticates ownership of the global model, while the latter identifies which client the model is derived from. FedTracker leverages Continual Learning (CL) principles to embed the watermark in a way that preserves the utility of the FL model on both the primitive task and the watermark task. FedTracker also devises a novel metric to better discriminate between different fingerprints. Experimental results show that FedTracker is effective in ownership verification and traceability, and maintains good fidelity and robustness against various watermark removal attacks.
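As an added illustration (not FedTracker's own code or mechanisms), the following pure-Python toy sketches the bi-level idea from the abstract: a sign-based global watermark for ownership and a per-client fingerprint direction for traceability, with a simple correlation-margin rule standing in for the paper's fingerprint metric. The owner secret, client names, key derivation and the noise-based removal attempt are all constructed assumptions.

```python
import math
import random

DIM = 256           # the toy "model" is a flat parameter vector of this length
WM_BITS = 32        # bits in the global ownership watermark
FP_STRENGTH = 0.05  # magnitude of each client's fingerprint perturbation
CLIENTS = ["client-A", "client-B", "client-C", "client-D"]  # constructed FL group

def key_vector(secret, dim=DIM):
    """Deterministic pseudo-random +-1 pattern derived from a secret string."""
    rng = random.Random(secret)
    return [rng.choice((-1.0, 1.0)) for _ in range(dim)]
def watermark_layout(owner_secret):
    """Secret weight positions and target signs that make up the global watermark."""
    rng = random.Random(owner_secret)
    idx = rng.sample(range(DIM), WM_BITS)
    return idx, [rng.choice((-1.0, 1.0)) for _ in range(WM_BITS)]
def embed_global_watermark(model, owner_secret):
    """Ownership layer: set secret weights' signs to the owner's bits, with a margin against flips."""
    wm = list(model)
    for i, b in zip(*watermark_layout(owner_secret)):
        wm[i] = b * max(abs(wm[i]), 4 * FP_STRENGTH)  # margin survives fingerprint + mild noise
    return wm
def verify_global_watermark(model, owner_secret):
    """Fraction of watermark bits whose sign is intact (1.0 = fully present)."""
    idx, bits = watermark_layout(owner_secret)
    return sum(math.copysign(1.0, model[i]) == b for i, b in zip(idx, bits)) / WM_BITS
def embed_local_fingerprint(model, client_id):
    """Traceability layer: add a small client-specific +-1 direction before release."""
    return [w + FP_STRENGTH * k for w, k in zip(model, key_vector(client_id))]
def trace_leaker(leaked, global_model, margin=0.2):
    """Correlate (leaked - global) with each client key; name the best match only if
    it beats the runner-up by `margin` (this discrimination rule is an assumption)."""
    delta = [l - g for l, g in zip(leaked, global_model)]
    norm = math.sqrt(sum(d * d for d in delta)) or 1.0
    scores = {c: sum(d * k for d, k in zip(delta, key_vector(c))) / (norm * math.sqrt(DIM))
              for c in CLIENTS}
    (best, s1), (_, s2) = sorted(scores.items(), key=lambda kv: -kv[1])[:2]
    return best if s1 - s2 >= margin else None
def run_demo(leaker="client-B", noise_std=0.02, seed=0):
    """Watermark, fingerprint each client's copy, leak one after a noise attack, then verify and trace."""
    rng = random.Random(seed)
    global_model = embed_global_watermark([rng.gauss(0, 0.1) for _ in range(DIM)], "owner-secret")
    copies = {c: embed_local_fingerprint(global_model, c) for c in CLIENTS}
    leaked = [w + rng.gauss(0, noise_std) for w in copies[leaker]]  # constructed removal attempt
    return {"watermark_score": verify_global_watermark(leaked, "owner-secret"),
            "wrong_owner_score": verify_global_watermark(leaked, "not-the-owner"),
            "traced": trace_leaker(leaked, global_model),
            "trace_on_clean_global": trace_leaker(global_model, global_model)}
```

The server keeps the watermarked global model as the reference, so tracing needs only the leaked copy and that reference; a non-owner's secret recovers roughly half the watermark bits by chance, which is why verification is a score rather than a yes/no lookup.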