Federated learning (FL) is a distributed machine learning paradigm that allows multiple clients to collaboratively train a global model without sharing their local data. However, FL entails exposing the model to every participant. This creates a risk that a malicious client distributes or resells the model without authorization, compromising the intellectual property rights of the FL group. To deter such misbehavior, it is essential to establish a mechanism that both verifies ownership of the model and traces a leaked copy back to the responsible participant. In this paper, we present FedTracker, the first FL model protection framework that provides both ownership verification and traceability. FedTracker adopts a bi-level protection scheme consisting of a global watermark mechanism and a local fingerprint mechanism. The former authenticates ownership of the global model, while the latter identifies which client a given copy of the model was derived from. FedTracker leverages Continual Learning (CL) principles to embed the watermark in a way that preserves the utility of the FL model on both the primitive task and the watermark task. FedTracker also devises a novel metric to better discriminate between different fingerprints. Experimental results show that FedTracker is effective for ownership verification and traceability, and that it maintains good fidelity and robustness against various watermark removal attacks.
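The abstract describes the two layers of the scheme but not how they are realised. The following Python sketch is an added illustration of the general bi-level idea, not FedTracker's own embedding rule, metric or thresholds: the global watermark and each client's fingerprint are written into the signs of two keyed, disjoint subsets of parameters, ownership is checked by bit agreement against a chance threshold, and the leaker is identified by scoring the extracted fingerprint against a registry and requiring a clear margin over the runner-up. The "model" (a flat list of floats), the client names, the owner key, the Gaussian-noise "removal attack" and all constants are constructed assumptions so the example runs offline.

```python
"""
Toy bi-level model protection: a global watermark for ownership verification
plus per-client fingerprints for traceability.

Added example, not FedTracker's method. Assumptions: the model is a flat list
of floats; bits are carried in the signs of keyed parameter positions; the
aggregator holds `owner_key` and the fingerprint registry; the attacker adds
Gaussian noise to every parameter.
"""
import hashlib
import math
import random

N_PARAMS = 4096
WM_BITS = 128        # length of the global watermark
FP_BITS = 64         # length of each client fingerprint
MAGNITUDE = 1.0      # |value| written into a carrier parameter
NOISE_STD = 0.1      # strength of the constructed removal attack


def keyed_indices(key, n_params, k, exclude=frozenset()):
    """Derive k distinct carrier positions from a secret key (deterministic)."""
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    pool = [i for i in range(n_params) if i not in exclude]
    return rng.sample(pool, k)


def embed_bits(params, indices, bits):
    """Write bits into the signs of the carrier parameters (1 -> +, 0 -> -)."""
    for i, b in zip(indices, bits):
        params[i] = MAGNITUDE if b else -MAGNITUDE


def extract_bits(params, indices):
    return [1 if params[i] > 0 else 0 for i in indices]


def agreement(a, b):
    """Fraction of matching bits; an unrelated model scores about 0.5."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def chance_threshold(n_bits, z=6.0):
    """Agreement that random signs exceed only with negligible probability:
    mean 0.5, std sqrt(0.25 / n_bits), z standard deviations above the mean."""
    return 0.5 + z * math.sqrt(0.25 / n_bits)


def verify_ownership(params, owner_key, wm_bits):
    """Global layer: does the model carry the owner's watermark?"""
    idx = keyed_indices(owner_key, len(params), len(wm_bits))
    score = agreement(extract_bits(params, idx), wm_bits)
    return score, score >= chance_threshold(len(wm_bits))


def trace_leaker(params, fp_indices, registry, min_margin=0.2):
    """Local layer: score the extracted fingerprint against every registered
    client. Returns (client, best_score, margin); client is None when the best
    match is below the chance threshold or not clearly ahead of the runner-up,
    so an ambiguous copy is never attributed to anyone."""
    observed = extract_bits(params, fp_indices)
    scored = sorted(((agreement(observed, fp), c) for c, fp in registry.items()),
                    reverse=True)
    best, client = scored[0]
    second = scored[1][0] if len(scored) > 1 else 0.5
    margin = best - second
    ok = best >= chance_threshold(len(fp_indices)) and margin >= min_margin
    return (client if ok else None), best, margin


def removal_attack(params, rng):
    """Constructed attacker: perturb every parameter with Gaussian noise."""
    return [p + rng.gauss(0.0, NOISE_STD) for p in params]


def demo():
    rng = random.Random(1)
    base = [rng.gauss(0.0, 0.05) for _ in range(N_PARAMS)]  # constructed "trained" weights

    owner_key = "fl-group-secret"  # assumption: known only to the aggregator
    wm_bits = [rng.randint(0, 1) for _ in range(WM_BITS)]
    wm_idx = keyed_indices(owner_key, N_PARAMS, WM_BITS)
    fp_idx = keyed_indices(owner_key + "/fingerprint", N_PARAMS, FP_BITS,
                           exclude=frozenset(wm_idx))  # disjoint from the watermark

    # The global model carries the watermark; each client receives a copy that
    # additionally carries its own fingerprint, recorded in the registry.
    global_model = list(base)
    embed_bits(global_model, wm_idx, wm_bits)
    registry = {c: [rng.randint(0, 1) for _ in range(FP_BITS)]
                for c in ("client-A", "client-B", "client-C")}
    copies = {}
    for c, fp in registry.items():
        m = list(global_model)
        embed_bits(m, fp_idx, fp)
        copies[c] = m

    # client-B leaks its copy after trying to wash the marks out with noise
    leaked = removal_attack(copies["client-B"], rng)
    wm_score, owned = verify_ownership(leaked, owner_key, wm_bits)
    leaker, fp_score, margin = trace_leaker(leaked, fp_idx, registry)

    # an unrelated model must fail both checks (no false ownership, no false accusation)
    stranger = [rng.gauss(0.0, 0.05) for _ in range(N_PARAMS)]
    _, stranger_owned = verify_ownership(stranger, owner_key, wm_bits)
    stranger_leaker, _, _ = trace_leaker(stranger, fp_idx, registry)

    return {"owned": owned, "wm_score": wm_score, "leaker": leaker,
            "fp_score": fp_score, "margin": margin,
            "stranger_owned": stranger_owned, "stranger_leaker": stranger_leaker}


if __name__ == "__main__":
    print(demo())
```

The margin check in `trace_leaker` is the point of a discriminating fingerprint metric: a raw best-match score alone would still name some client for a model that carries no fingerprint at all, whereas requiring separation from the runner-up returns `None` for the unrelated model. The noise attack here is deliberately weaker than the sign magnitude, so every bit survives; a real evaluation would sweep attack strength (noise, pruning, fine-tuning) and report the agreement rate as it degrades toward the chance threshold.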