Unharmful Backdoor-based Client-side Watermarking in Federated Learning
Protecting intellectual property (IP) in federated learning (FL) is increasingly important as clients contribute proprietary data to collaboratively train models. Model watermarking, particularly through backdoor-based methods, has emerged as a popular approach for verifying ownership and contributi...
Gespeichert in:
| Hauptverfasser: | , |
|---|---|
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext bestellen |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | |
| container_volume | |
| creator | Luo, Kaijing Chow, Ka-Ho |
| description | Protecting intellectual property (IP) in federated learning (FL) is
increasingly important as clients contribute proprietary data to
collaboratively train models. Model watermarking, particularly through
backdoor-based methods, has emerged as a popular approach for verifying
ownership and contributions in deep neural networks trained via FL. By
manipulating their datasets, clients can embed a secret pattern, resulting in
non-intuitive predictions that serve as proof of participation, useful for
claiming incentives or IP co-ownership. However, this technique faces practical
challenges: client watermarks can collide, leading to ambiguous ownership
claims, and malicious clients may exploit watermarks to inject harmful
backdoors, jeopardizing model integrity. To address these issues, we propose
Sanitizer, a server-side method that ensures client-embedded backdoors cannot
be triggered on natural queries in harmful ways. It identifies subnets within
client-submitted models, extracts backdoors throughout the FL process, and
confines them to harmless, client-specific input subspaces. This approach not
only enhances Sanitizer's efficiency but also resolves conflicts when clients
use similar triggers with different target labels. Our empirical results
demonstrate that Sanitizer achieves near-perfect success in verifying client
contributions while mitigating the risks of malicious watermark use.
Additionally, it reduces GPU memory consumption by 85% and cuts processing time
by at least 5 times compared to the baseline. |
| doi_str_mv | 10.48550/arxiv.2410.21179 |
| format | Article |
| fullrecord | <record><control><sourceid>arxiv_GOX</sourceid><recordid>TN_cdi_arxiv_primary_2410_21179</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2410_21179</sourcerecordid><originalsourceid>FETCH-arxiv_primary_2410_211793</originalsourceid><addsrcrecordid>eNpjYJA0NNAzsTA1NdBPLKrILNMzMgEKGBkamltyMriH5mUkFuWmleYoOCUmZ6fk5xfpJiUWp6YoOOdkpuaV6BZnpqQqhCeWpBblJhZlZ-alK2TmKbilpqQWAcVSFHxSE4vygKI8DKxpiTnFqbxQmptB3s01xNlDF2xlfEFRJlB7ZTzI6niw1caEVQAAqBE5Nw</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Unharmful Backdoor-based Client-side Watermarking in Federated Learning</title><source>arXiv.org</source><creator>Luo, Kaijing ; Chow, Ka-Ho</creator><creatorcontrib>Luo, Kaijing ; Chow, Ka-Ho</creatorcontrib><description>Protecting intellectual property (IP) in federated learning (FL) is
increasingly important as clients contribute proprietary data to
collaboratively train models. Model watermarking, particularly through
backdoor-based methods, has emerged as a popular approach for verifying
ownership and contributions in deep neural networks trained via FL. By
manipulating their datasets, clients can embed a secret pattern, resulting in
non-intuitive predictions that serve as proof of participation, useful for
claiming incentives or IP co-ownership. However, this technique faces practical
challenges: client watermarks can collide, leading to ambiguous ownership
claims, and malicious clients may exploit watermarks to inject harmful
backdoors, jeopardizing model integrity. To address these issues, we propose
Sanitizer, a server-side method that ensures client-embedded backdoors cannot
be triggered on natural queries in harmful ways. It identifies subnets within
client-submitted models, extracts backdoors throughout the FL process, and
confines them to harmless, client-specific input subspaces. This approach not
only enhances Sanitizer's efficiency but also resolves conflicts when clients
use similar triggers with different target labels. Our empirical results
demonstrate that Sanitizer achieves near-perfect success in verifying client
contributions while mitigating the risks of malicious watermark use.
Additionally, it reduces GPU memory consumption by 85% and cuts processing time
by at least 5 times compared to the baseline.</description><identifier>DOI: 10.48550/arxiv.2410.21179</identifier><language>eng</language><subject>Computer Science - Cryptography and Security</subject><creationdate>2024-10</creationdate><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,776,881</link.rule.ids><linktorsrc>$$Uhttps://arxiv.org/abs/2410.21179$$EView_record_in_Cornell_University$$FView_record_in_$$GCornell_University$$Hfree_for_read</linktorsrc><backlink>$$Uhttps://doi.org/10.48550/arXiv.2410.21179$$DView paper in arXiv$$Hfree_for_read</backlink></links><search><creatorcontrib>Luo, Kaijing</creatorcontrib><creatorcontrib>Chow, Ka-Ho</creatorcontrib><title>Unharmful Backdoor-based Client-side Watermarking in Federated Learning</title><description>Protecting intellectual property (IP) in federated learning (FL) is
increasingly important as clients contribute proprietary data to
collaboratively train models. Model watermarking, particularly through
backdoor-based methods, has emerged as a popular approach for verifying
ownership and contributions in deep neural networks trained via FL. By
manipulating their datasets, clients can embed a secret pattern, resulting in
non-intuitive predictions that serve as proof of participation, useful for
claiming incentives or IP co-ownership. However, this technique faces practical
challenges: client watermarks can collide, leading to ambiguous ownership
claims, and malicious clients may exploit watermarks to inject harmful
backdoors, jeopardizing model integrity. To address these issues, we propose
Sanitizer, a server-side method that ensures client-embedded backdoors cannot
be triggered on natural queries in harmful ways. It identifies subnets within
client-submitted models, extracts backdoors throughout the FL process, and
confines them to harmless, client-specific input subspaces. This approach not
only enhances Sanitizer's efficiency but also resolves conflicts when clients
use similar triggers with different target labels. Our empirical results
demonstrate that Sanitizer achieves near-perfect success in verifying client
contributions while mitigating the risks of malicious watermark use.
Additionally, it reduces GPU memory consumption by 85% and cuts processing time
by at least 5 times compared to the baseline.</description><subject>Computer Science - Cryptography and Security</subject><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2024</creationdate><recordtype>article</recordtype><sourceid>GOX</sourceid><recordid>eNpjYJA0NNAzsTA1NdBPLKrILNMzMgEKGBkamltyMriH5mUkFuWmleYoOCUmZ6fk5xfpJiUWp6YoOOdkpuaV6BZnpqQqhCeWpBblJhZlZ-alK2TmKbilpqQWAcVSFHxSE4vygKI8DKxpiTnFqbxQmptB3s01xNlDF2xlfEFRJlB7ZTzI6niw1caEVQAAqBE5Nw</recordid><startdate>20241028</startdate><enddate>20241028</enddate><creator>Luo, Kaijing</creator><creator>Chow, Ka-Ho</creator><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20241028</creationdate><title>Unharmful Backdoor-based Client-side Watermarking in Federated Learning</title><author>Luo, Kaijing ; Chow, Ka-Ho</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-arxiv_primary_2410_211793</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2024</creationdate><topic>Computer Science - Cryptography and Security</topic><toplevel>online_resources</toplevel><creatorcontrib>Luo, Kaijing</creatorcontrib><creatorcontrib>Chow, Ka-Ho</creatorcontrib><collection>arXiv Computer Science</collection><collection>arXiv.org</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Luo, Kaijing</au><au>Chow, Ka-Ho</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Unharmful Backdoor-based Client-side Watermarking in Federated Learning</atitle><date>2024-10-28</date><risdate>2024</risdate><abstract>Protecting intellectual property (IP) in federated learning (FL) is
increasingly important as clients contribute proprietary data to
collaboratively train models. Model watermarking, particularly through
backdoor-based methods, has emerged as a popular approach for verifying
ownership and contributions in deep neural networks trained via FL. By
manipulating their datasets, clients can embed a secret pattern, resulting in
non-intuitive predictions that serve as proof of participation, useful for
claiming incentives or IP co-ownership. However, this technique faces practical
challenges: client watermarks can collide, leading to ambiguous ownership
claims, and malicious clients may exploit watermarks to inject harmful
backdoors, jeopardizing model integrity. To address these issues, we propose
Sanitizer, a server-side method that ensures client-embedded backdoors cannot
be triggered on natural queries in harmful ways. It identifies subnets within
client-submitted models, extracts backdoors throughout the FL process, and
confines them to harmless, client-specific input subspaces. This approach not
only enhances Sanitizer's efficiency but also resolves conflicts when clients
use similar triggers with different target labels. Our empirical results
demonstrate that Sanitizer achieves near-perfect success in verifying client
contributions while mitigating the risks of malicious watermark use.
Additionally, it reduces GPU memory consumption by 85% and cuts processing time
by at least 5 times compared to the baseline.</abstract><doi>10.48550/arxiv.2410.21179</doi><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext_linktorsrc |
| identifier | DOI: 10.48550/arxiv.2410.21179 |
| ispartof | |
| issn | |
| language | eng |
| recordid | cdi_arxiv_primary_2410_21179 |
| source | arXiv.org |
| subjects | Computer Science - Cryptography and Security |
| title | Unharmful Backdoor-based Client-side Watermarking in Federated Learning |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-08T21%3A39%3A22IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Unharmful%20Backdoor-based%20Client-side%20Watermarking%20in%20Federated%20Learning&rft.au=Luo,%20Kaijing&rft.date=2024-10-28&rft_id=info:doi/10.48550/arxiv.2410.21179&rft_dat=%3Carxiv_GOX%3E2410_21179%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |