Federated learning (FL), an effective distributed machine learning framework, enables model training while protecting local data privacy. It has been applied to a broad variety of practice areas owing to its strong performance and appreciable profits. Who owns the model, and how its copyright can be protected, has become a real problem. Intuitively, the existing property-rights protection methods of centralized scenarios (e.g., watermark embedding and model fingerprints) are possible solutions for FL, but they are still challenged by the distributed nature of FL: no data sharing, parameter aggregation, and the federated training setting. For the first time, we formalize the problem of copyright protection for FL and propose FedRight, which protects model copyright based on model fingerprints, i.e., it extracts model features by generating adversarial examples that serve as model fingerprints. FedRight outperforms previous works in four key aspects: (i) Validity: it extracts model features to generate transferable fingerprints, which are used to train a detector that verifies the copyright of the model. (ii) Fidelity: it has an imperceptible impact on federated training, thus promising good main-task performance. (iii) Robustness: it is empirically robust against malicious attacks on copyright protection, i.e., fine-tuning, model pruning, and adaptive attacks. (iv) Black-box: it is valid in the black-box forensic scenario where only application programming interface calls to the model are available. Extensive evaluations across 3 datasets and 9 model structures demonstrate FedRight's superior fidelity, validity, and robustness.
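To make the fingerprinting idea in the abstract concrete, the following is an added toy example; it is not from the FedRight paper or its code. An "owner" logistic-regression model is trained, adversarial examples near its decision boundary (produced by gradient-sign steps) are recorded together with the owner's labels as the fingerprint, and a suspect model is judged by the fraction of fingerprint inputs on which it reproduces those labels. Everything here is an assumption of the example: the constructed 2-D data and labelling rules, the linear model in place of a neural network, a single-party setting in place of federated training, and a match-rate threshold in place of the paper's trained detector. The "independent" model is trained on a differently labelled task because two linear models trained on the same rule recover the same boundary, so the toy could not tell them apart.

```python
"""Toy fingerprint check: adversarial examples near an owner model's decision
boundary act as a fingerprint that a derived copy reproduces and an
independently trained model does not. Constructed example, not FedRight code."""
import math
import random


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def logit(w, x):
    # w = (w1, w2, bias); x = (x1, x2)
    return w[0] * x[0] + w[1] * x[1] + w[2]


def predict(w, x):
    return 1 if logit(w, x) >= 0.0 else 0


def make_data(n, rule, seed):
    # constructed 2-D points in [-1, 1]^2 labelled by the sign of rule(x)
    rng = random.Random(seed)
    pts = [(rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0)) for _ in range(n)]
    return pts, [1 if rule(x) > 0 else 0 for x in pts]


def train(points, labels, steps, lr, w=None):
    # full-batch gradient descent on logistic loss; w=None trains from scratch,
    # otherwise training continues (fine-tunes) from the given weights
    w = [0.0, 0.0, 0.0] if w is None else list(w)
    n = len(points)
    for _ in range(steps):
        g = [0.0, 0.0, 0.0]
        for x, y in zip(points, labels):
            d = sigmoid(logit(w, x)) - y
            g[0] += d * x[0]
            g[1] += d * x[1]
            g[2] += d
        w = [w[i] - lr * g[i] / n for i in range(3)]
    return w


def generate_fingerprints(w, points, count=60, eps=0.05, max_steps=60):
    """Fingerprint = (adversarial input, owner's label on it). Each point nearest
    the owner's boundary is pushed across it by gradient-sign steps of size eps
    (for a linear model the input-gradient direction is sign(w)), then two more
    steps so the point sits clearly on the flipped side."""
    norm = math.hypot(w[0], w[1])
    ranked = sorted(points, key=lambda x: abs(logit(w, x)) / norm)
    fingerprints = []
    for x in ranked[:count]:
        target = 1 - predict(w, x)          # label on the other side of the boundary
        sgn = 1.0 if target == 1 else -1.0
        step = [sgn * eps * ((wi > 0) - (wi < 0)) for wi in w[:2]]
        x_adv = list(x)
        on_target = 0
        for _ in range(max_steps):
            x_adv = [x_adv[0] + step[0], x_adv[1] + step[1]]
            if predict(w, x_adv) == target:
                on_target += 1
                if on_target == 3:      # crossed, plus two steps of margin
                    fingerprints.append((tuple(x_adv), target))
                    break
    return fingerprints


def match_rate(fingerprints, w_suspect):
    # fraction of fingerprint inputs on which the suspect reproduces the owner's label
    hits = sum(1 for x, y in fingerprints if predict(w_suspect, x) == y)
    return hits / len(fingerprints)


def verify(fingerprints, w_suspect, threshold=0.9):
    # a fixed threshold stands in for FedRight's trained detector (assumption)
    return match_rate(fingerprints, w_suspect) >= threshold


def run_demo():
    owner_rule = lambda x: x[0] + x[1]
    pts, labels = make_data(200, owner_rule, seed=1)
    w_owner = train(pts, labels, steps=300, lr=0.5)
    fps = generate_fingerprints(w_owner, pts)
    # derived copy: stolen weights fine-tuned on a fresh sample of the same task
    pts2, labels2 = make_data(100, owner_rule, seed=2)
    w_derived = train(pts2, labels2, steps=30, lr=0.1, w=w_owner)
    # independent model: trained from scratch on a differently labelled task
    pts3, labels3 = make_data(200, lambda x: x[0] - x[1], seed=3)
    w_indep = train(pts3, labels3, steps=300, lr=0.5)
    return {
        "fingerprints": len(fps),
        "owner": match_rate(fps, w_owner),
        "derived": match_rate(fps, w_derived),
        "independent": match_rate(fps, w_indep),
        "derived_verified": verify(fps, w_derived),
        "independent_verified": verify(fps, w_indep),
    }


if __name__ == "__main__":
    print(run_demo())
```

The gap between the two match rates is what a copyright detector keys on: the fine-tuned copy keeps the owner's boundary, so it reproduces the fingerprint labels, while the independently trained model agrees only about half the time because the fingerprint inputs lie along a boundary it never learned. The extra two steps after crossing give each fingerprint a margin that small weight drifts from fine-tuning or pruning do not undo, which is the robustness property the abstract refers to.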