Exploring Federated Learning Dynamics for Black-and-White-Box DNN Traitor Tracing

Elena Rodriguez-Lois, Fernando Perez-Gonzalez

TL;DR

It is revealed that leak-resistant white-box fingerprints can be directly implemented without a significant impact from FL dynamics, while the black-box fingerprints are drastically affected, losing their traitor tracing capabilities.

Abstract

As deep learning applications become more prevalent, the need for extensive training examples raises concerns for sensitive, personal, or proprietary data. To overcome this, Federated Learning (FL) enables collaborative model training across distributed data-owners, but it introduces challenges in safeguarding model ownership and identifying the origin in case of a leak. Building upon prior work, this paper explores the adaptation of black-and-white traitor tracing watermarking to FL classifiers, addressing the threat of collusion attacks from different data-owners. This study reveals that leak-resistant white-box fingerprints can be directly implemented without a significant impact from FL dynamics, while the black-box fingerprints are drastically affected, losing their traitor tracing capabilities. To mitigate this effect, we propose increasing the number of black-box salient neurons through dropout regularization. Though there are still some open problems to be explored, such as analyzing non-i.i.d. datasets and over-parameterized models, results show that collusion-resistant traitor tracing, identifying all data-owners involved in a suspected leak, is feasible in an FL framework, even in early stages of training.

Paper Structure

This paper contains 23 sections, 9 equations, 6 figures, and 2 tables.

Figures (6)

  • Figure 1: Black-and-white traitor tracing framework for an FL model: training with different fingerprinted models, individual and collusion attacks on the watermark, black-box verification through an API, and white-box verification for one or several guilty participants.
  • Figure 2: Training evolution of FL models.
  • Figure 3: Training evolution of FL models with different trigger sets $\mathcal{T}_j$.
  • Figure 4: Histogram of features $\textbf{f}_{conv3}$ for the trigger set $\mathcal{T}$.
  • Figure 5: Experimental distribution of $t^*$ according to different DNN attacks after collusion.
  • ...and 1 more figure