Model training is increasingly offered as a service for resource-constrained data owners to build customized models. Split Learning (SL) enables such services by offloading training computation under privacy constraints, and evolves toward serverless and multi-client settings where model segments are distributed across training clients. This cooperative mode assumes partial trust: data owners hide labels and data from trainer clients, while trainer clients produce verifiable training artifacts and ownership proofs. We present CliCooper, a multi-client cooperative SL framework tailored for cooperative model training services in heterogeneous and partially trusted environments, where one client contributes data while the others collectively act as SL trainers. CliCooper bridges the privacy and trust gaps through two new designs. First, differential privacy-based activation protection and secret label obfuscation safeguard data owners' privacy without degrading model performance. Second, a dynamic chained watermarking scheme cryptographically links training stages on model segments across trainers, ensuring verifiable training integrity, robust model provenance, and copyright protection. Experiments show that CliCooper preserves model accuracy while enhancing resilience to privacy and ownership attacks. It reduces the success rate of clustering attacks (which infer label groups from intermediate activations) to 0%, decreases inversion-reconstruction (which recovers training data) similarity from 0.50 to 0.03, and limits model-extraction-based surrogates to about 1% accuracy, comparable to random guessing.
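As an added illustration that is not the paper's own code, the sketch below shows toy versions of the two mechanisms the abstract names: a Gaussian-mechanism noise layer on the activations a data owner sends to trainers, and a keyed hash chain that ties each trainer's training stage to the segment digests before it, so a verifier can locate a tampered or missing stage. The concrete choices (L2 clipping plus Gaussian noise, HMAC-SHA256 links, a shared verification key, the sample segments) are assumptions for the demo, not CliCooper's design.

```python
import hashlib, hmac, json, random

GENESIS = hashlib.sha256(b"genesis").hexdigest()  # anchor for the first stage

def dp_protect_activations(acts, clip, sigma, rng=None):
    """Clip each activation vector to L2 norm <= clip, then add Gaussian noise
    N(0, sigma^2) per coordinate before it leaves the data owner."""
    if rng is None: rng = random.Random(0)  # fixed seed so the demo is reproducible
    protected = []
    for vec in acts:
        norm = sum(x * x for x in vec) ** 0.5
        scale = min(1.0, clip / norm) if norm > 0 else 1.0
        protected.append([x * scale + rng.gauss(0.0, sigma) for x in vec])
    return protected

def segment_digest(weights):
    """Canonical SHA-256 digest of one trainer's model segment."""
    return hashlib.sha256(json.dumps(weights, sort_keys=True).encode()).hexdigest()

def chain_link(prev_link, trainer_id, stage, weights, key):
    """Keyed hash over the previous link, trainer, stage number and segment
    digest, so every stage commits to the whole training history before it."""
    msg = f"{prev_link}|{trainer_id}|{stage}|{segment_digest(weights)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_chain(stages, key):
    """stages: list of (trainer_id, stage_no, weights) in training order."""
    link, records = GENESIS, []
    for trainer_id, stage, weights in stages:
        link = chain_link(link, trainer_id, stage, weights, key)
        records.append({"trainer": trainer_id, "stage": stage, "link": link})
    return records

def verify_chain(records, stages, key):
    """Recompute the chain from the segments presented; return the index of the
    first stage whose link does not match, or -1 if the chain is intact."""
    if len(records) != len(stages):
        return min(len(records), len(stages))
    link = GENESIS
    for i, ((trainer_id, stage, weights), rec) in enumerate(zip(stages, records)):
        link = chain_link(link, trainer_id, stage, weights, key)
        if not hmac.compare_digest(link, rec["link"]):
            return i
    return -1

# Constructed sample: two trainers, each owning one model segment, over two stages.
SAMPLE_STAGES = [("trainer-A", 1, [[0.1, -0.2], [0.3, 0.4]]), ("trainer-B", 1, [[0.5], [-0.6]]),
                 ("trainer-A", 2, [[0.11, -0.19], [0.29, 0.41]])]
SAMPLE_KEY = b"constructed-demo-key"  # shared verification key, constructed for the demo
```

Because each link covers the previous one, altering a segment at stage i invalidates every link from i onward, which is what lets a verifier pin the first inconsistent stage.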