FedRight: An effective model copyright protection for federated learning

Computers & Security (2023)

Abstract
Federated learning (FL), an effective distributed machine learning framework, implements model training while protecting local data privacy. It has been applied to a broad variety of practical areas due to its strong performance and appreciable profits. Who really owns the model, and how to protect its copyright, has become a real problem. Intuitively, the existing property-rights protection methods for centralized scenarios (e.g., watermark embedding and model fingerprints) are possible solutions for FL. But they are still challenged by the distributed nature of FL in terms of no data sharing, parameter aggregation, and federated training settings. For the first time, we formalize the problem of copyright protection for FL and propose FedRight to protect model copyright based on model fingerprints, i.e., extracting model features by generating adversarial examples as model fingerprints. FedRight outperforms previous works in four key aspects: (i) Validity: it extracts model features to generate transferable fingerprints that train a detector to verify the copyright of the model. (ii) Fidelity: it has an imperceptible impact on federated training and thus preserves good main-task performance. (iii) Robustness: it is empirically robust against malicious attacks on copyright protection, i.e., fine-tuning, model pruning, and adaptive attacks. (iv) Black-box: it is valid in the black-box forensic scenario where only application programming interface (API) calls to the model are available. Extensive evaluations across 3 datasets and 9 model structures demonstrate FedRight's superior fidelity, validity, and robustness.
Keywords
Copyright protection, Federated learning, Model fingerprints, Robustness, Black-box fingerprints