Watermarking Federated Deep Neural Network Models
School of Science (Perustieteiden korkeakoulu)
Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Date
2020-03-16
Major/Subject
Security and Cloud Computing
Mcode
SCI3084
Degree programme
Master’s Programme in Computer, Communication and Information Sciences
Language
en
Pages
69
Abstract
Training DNN models is expensive in terms of computational power, the collection of a large amount of labeled data, and human expertise. Thus, DNN models constitute intellectual property (IP) and business value for their owners. Embedding digital watermarks during model training allows model owners to later demonstrate ownership, which can effectively protect the IP of their models. Recently, federated learning has been proposed as a new framework for machine learning development, which distributes the training of a global deep neural network (DNN) model over a large number of participants. Federated learning is therefore more advantageous than traditional DNN training in terms of data privacy, computational resources and distributed optimization. However, there is no prior work investigating a solution for watermarking federated DNN models. The main challenge is that distributed training separates the training data (on the participants' side) from the watermark set (on the aggregator's side), which violates the condition of traditional watermarking techniques that both the training data and the watermark set be stored in the same place. In this thesis, we introduce two novel federated watermarking approaches which embed a watermark into federated DNN models by backdooring, with low communication and computational overhead. In our approaches, the embedding of the watermark is completed by the aggregator while the training is done by the participants. We prove that our approaches embed a watermark with high accuracy (100%) while preserving the functionality of the model. Moreover, the watermarks embedded in the DNN models are resistant to post-processing techniques. We also propose a new watermark generation method and evaluate its efficacy in terms of unremovability, model utility and computational cost.
Supervisor
Asokan, N.
Thesis advisors
Marchal, Samuel
Tekgul, Buse Gul Atli
Keywords
federated learning, watermarking, deep learning, backdoor