Watermarking Federated Deep Neural Network Models


Perustieteiden korkeakoulu | Master's thesis

Date

2020-03-16

Major/Subject

Security and Cloud Computing

Mcode

SCI3084

Degree programme

Master’s Programme in Computer, Communication and Information Sciences

Language

en

Pages

69

Abstract

Training deep neural network (DNN) models is expensive in terms of computational power, collection of large amounts of labeled data, and human expertise. Thus, DNN models constitute intellectual property (IP) and business value for their owners. Embedding digital watermarks during model training allows model owners to later demonstrate ownership, which can effectively protect the IP of their models. Recently, federated learning has been proposed as a new framework for machine learning development, which distributes the training of a global DNN model over a large number of participants. Federated learning therefore has advantages over traditional DNN training in terms of data privacy, computational resources and distributed optimization. However, there is no prior work investigating a solution for watermarking federated DNN models. The main challenge is that distributed training separates the training data (held by the participants) from the watermark set (held by the aggregator), which violates the condition of traditional watermarking techniques that both the training data and the watermark set be stored in the same place. In this thesis, we introduce two novel federated watermarking approaches that embed a watermark into federated DNN models by backdooring, with low communication and computational overhead. In our approaches, the embedding of the watermark is completed by the aggregator while the training is done by the participants. We show that our approaches embed a watermark with high accuracy (100%) while preserving the functionality of the model. Moreover, the watermarks embedded in the DNN models are resistant to post-processing techniques. We also propose a new watermark generation method and evaluate its efficacy in terms of unremovability, model utility and computational cost.

Supervisor

Asokan, N.

Thesis advisor

Marchal, Samuel
Tekgul, Buse Gul Atli

Keywords

federated learning, watermarking, deep learning, backdoor
