A Server-Side Model Intellectual Property Protection Method for Federated Learning against Model Theft
Abstract: Federated Learning (FL) has gained significant attention for enabling collaborative model training while preserving data privacy. However, protecting the intellectual property (IP) of models in FL, particularly against model theft by malicious clients, remains a critical challenge. Existing works often employ watermarking techniques to embed watermarks into models for ownership verification, but most of them can only verify ownership after the model has been stolen and cannot proactively defend against malicious clients attempting to steal the model. To address this limitation, this paper proposes FedLock, a novel server-side watermarking mechanism designed to resist model theft and safeguard the IP of global models. Specifically, FedLock leverages Split Federated Learning (SFL) to partition the model between clients and the server, so that malicious clients never hold the complete set of global model parameters. To enhance security, FedLock incorporates an autoencoder for label encoding, safeguarding the server-side model from reconstruction attacks. Furthermore, FedLock introduces an additional backdoor client to embed a black-box watermark into the global model, enabling remote verification of model ownership. Experimental results demonstrate that FedLock achieves robust watermarking with minimal impact on model performance, effectively resisting various attacks, including model theft, pruning, and fine-tuning.