As deep learning applications become more prevalent, the need for extensive training examples raises concerns for sensitive, personal, or proprietary data. To overcome this, Federated Learning (FL) enables collaborative model training across distributed data-owners, but it introduces challenges in safeguarding model ownership and identifying the origin in case of a leak. Building upon prior work, this paper explores the adaptation of black-and-white traitor tracing watermarking to FL classifiers, addressing the threat of collusion attacks from different data-owners. This study reveals that leak-resistant white-box fingerprints can be directly implemented without a significant impact from FL dynamics, while the black-box fingerprints are drastically affected, losing their traitor tracing capabilities. To mitigate this effect, we propose increasing the number of black-box salient neurons through dropout regularization. Though there are still some open problems to be explored, such as analyzing non-i.i.d. datasets and over-parameterized models, results show that collusion-resistant traitor tracing, identifying all data-owners involved in a suspected leak, is feasible in an FL framework, even in early stages of training.