A Joint Client-Server Watermarking Framework for Federated Learning

Federated Learning is a distributed machine learning framework, which is based on the principle of coordinating clients to train models on their private datasets through a centralized server without direct data exchange. It mitigates data privacy risks and improves efficiency, but there is still the risk of model theft, model plagiarism, and unauthorized distribution from adversaries. Watermarking is a well-known paradigm used to prevent these issues. It protects model intellectual property by providing proof of the violation issue's existence. Some recent studies have focused on embedding watermarks on either the client or the server side alone. However, in reality, both the server and clients have ownership of the model. In this paper, we propose a joint client-server watermark embedding framework to protect the intellectual property of both sides. White-box watermark is embedded on the client side and black-box watermark is on the server side. Clients and server can verify their embedded watermarks independently to claim ownership of the model. In addition, we employ continual learning to address the catastrophic forgetting issue. Our experimental results demonstrate that our proposed method can effectively deal with classical watermark removal attacks and is compatible with Differential Privacy.