Core Concepts
The paper presents RobWE as a scheme for protecting ownership of personalized models in federated learning: watermark embedding is decoupled from model aggregation, and a detection mechanism for tampered watermarks provides robustness.
Abstract
The content discusses the challenges of protecting model ownership in personalized federated learning (PFL) and introduces RobWE, a watermark embedding scheme. It addresses conflicts among clients' private watermarks and malicious tampering, and proposes a mechanism for detecting tampered watermarks. Experimental results show the superiority of RobWE in fidelity, reliability, and robustness compared to existing schemes.
The paper also covers related work on watermarking in centralized and federated learning scenarios, highlighting the importance of ownership protection for AI models. It delves into the problem statement regarding tampering attacks and defines tasks for achieving PFL goals and watermark embedding.
Furthermore, the proposed scheme is detailed with steps for system setup, watermark decoupled embedding, representation training, and tampered watermark detection. The experiments conducted evaluate RobWE's performance in terms of fidelity, reliability, and robustness under various scenarios like Non-IID data settings.
The results demonstrate that RobWE outperforms FedIPR in maintaining model accuracy while embedding watermarks. It shows high reliability, with improved detection rates for private watermarks. Additionally, it exhibits robustness against pruning attacks, fine-tuning attacks, and adaptive tampering attacks through dedicated defense mechanisms.
Overall, the paper provides a comprehensive analysis of RobWE's effectiveness in protecting personalized model ownership in PFL through innovative watermark embedding techniques and robust detection mechanisms.
Stats
The accuracy ranges from 68.09% to 99.38% after embedding different bits of watermarks.
The Gap values range from 0.14% to 8.85% when comparing model accuracies with and without embedded watermarks.
Watermark detection rates are significantly higher for private watermarks compared to other clients' watermarks under different Non-IID settings.
The watermark occupancy ratio ranges from 39.06% to 117%, showing effective watermark embedding capabilities.
Detection performance metrics show high accuracy in identifying malicious clients under various attack scenarios.
Quotes
"We propose the first robust model ownership protection framework for personalized federated learning."
"RobWE effectively addresses the watermark interference issue arising from model aggregation."
"Our scheme successfully safeguards personalized model ownership in PFL."