Due to the distributed nature of Federated Learning (FL) systems, each local client has access to the global model, which poses a critical risk of model leakage. Existing works have explored injecting watermarks into local models to enable intellectual property protection. However, these methods either focus on non-traceable watermarks or traceable but white-box watermarks. We identify a gap in the literature regarding the formal definition of traceable black-box watermarking and the formulation of the problem of injecting such watermarks into FL systems. In this work, we first formalize the problem of injecting traceable black-box watermarks into FL. Based on the problem, we propose a novel server-side watermarking method, $\mathbf{TraMark}$, which creates a traceable watermarked model for each client, enabling verification of model leakage in black-box settings. To achieve this, $\mathbf{TraMark}$ partitions the model parameter space into two distinct regions: the main task region and the watermarking region. Subsequently, a personalized global model is constructed for each client by aggregating only the main task region while preserving the watermarking region. Each model then learns a unique watermark exclusively within the watermarking region using a distinct watermark dataset before being sent back to the local client. Extensive results across various FL systems demonstrate that $\mathbf{TraMark}$ ensures the traceability of all watermarked models while preserving their main task performance. The code is available at https://github.com/JiiahaoXU/TraMark.
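The partitioned aggregation, per-client watermark embedding and black-box tracing described above, as an added toy example (not the authors' code from the TraMark repository): it assumes a linear model with a fixed mask marking the watermarking region, squared-loss gradient steps for watermark learning, and constructed trigger inputs and targets as each client's distinct watermark dataset.

```python
from typing import Dict, List, Optional

def dot(w: List[float], x: List[float]) -> float:
    return sum(wi * xi for wi, xi in zip(w, x))

def personalize(client_models: List[List[float]], wm_mask: List[bool]) -> List[List[float]]:
    """Server side: average only the main-task region across clients while
    each client's own watermarking region is preserved untouched."""
    n, k = len(client_models[0]), len(client_models)
    avg = [sum(m[i] for m in client_models) / k for i in range(n)]
    return [[m[i] if wm_mask[i] else avg[i] for i in range(n)] for m in client_models]

def embed_watermark(model, wm_mask, triggers, targets, lr=0.25, steps=30):
    """Server side: fit the client's distinct watermark set (trigger -> target) with
    squared loss, updating parameters only inside the watermarking region."""
    w = list(model)
    for _ in range(steps):
        for x, t in zip(triggers, targets):
            err = dot(w, x) - t                      # d/dw (err^2) = 2 * err * x
            w = [p - lr * 2 * err * xi if wm_mask[i] else p
                 for i, (p, xi) in enumerate(zip(w, x))]
    return w

def trace_leak(leaked, wm_sets: Dict[str, tuple], tol=1e-3) -> Optional[str]:
    """Black-box verification: query the leaked model with every client's trigger
    set and return the client whose targets it reproduces (None if no match)."""
    for cid, (triggers, targets) in wm_sets.items():
        if all(abs(dot(leaked, x) - t) < tol for x, t in zip(triggers, targets)):
            return cid
    return None

def demo():
    # Constructed round: 6 parameters, the last two form the watermarking region.
    wm_mask = [False, False, False, False, True, True]
    local_models = [[1.0, 2.0, 3.0, 4.0, 0.0, 0.0],
                    [3.0, 2.0, 1.0, 0.0, 0.0, 0.0],
                    [2.0, 2.0, 2.0, 2.0, 0.0, 0.0]]
    # Each client's watermark dataset only excites the watermarking region.
    wm_sets = {"c0": ([[0, 0, 0, 0, 1, 0]], [1.0]),
               "c1": ([[0, 0, 0, 0, 0, 1]], [2.0]),
               "c2": ([[0, 0, 0, 0, 1, 1]], [-1.0])}
    personalized = dict(zip(wm_sets, personalize(local_models, wm_mask)))
    marked = {cid: embed_watermark(m, wm_mask, *wm_sets[cid])
              for cid, m in personalized.items()}
    return wm_mask, marked, {cid: trace_leak(m, wm_sets) for cid, m in marked.items()}

if __name__ == "__main__":
    print(demo()[2])  # {'c0': 'c0', 'c1': 'c1', 'c2': 'c2'}
```

The main-task region of every personalized model is the same average, so main-task behaviour is shared, while each leaked copy answers only its own trigger set and is traced to one client.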