FedGMark: Certifiably Robust Watermarking for Federated Graph Learning

Yuxin Yang, Qiang Li, Yuan Hong, Binghui Wang

TL;DR

FedGMark is proposed, the first certified robust backdoor-based watermarking for FedGL, which leverages the unique graph structure and client information in FedGL to learn customized and diverse watermarks.

Abstract

Federated graph learning (FedGL) is an emerging learning paradigm to collaboratively train graph data from various clients. However, during the development and deployment of FedGL models, they are susceptible to illegal copying and model theft. Backdoor-based watermarking is a well-known method for mitigating these attacks, as it offers ownership verification to the model owner. We take the first step to protect the ownership of FedGL models via backdoor-based watermarking. Existing techniques have challenges in achieving the goal: 1) they either cannot be directly applied or yield unsatisfactory performance; 2) they are vulnerable to watermark removal attacks; and 3) they lack formal guarantees. To address all the challenges, we propose FedGMark, the first certified robust backdoor-based watermarking for FedGL. FedGMark leverages the unique graph structure and client information in FedGL to learn customized and diverse watermarks. It also designs a novel GL architecture that facilitates defending against both the empirical and theoretically worst-case watermark removal attacks. Extensive experiments validate the promising empirical and provable watermarking performance of FedGMark. Source code is available at: https://github.com/Yuxin104/FedGMark.

Paper Structure

This paper contains 27 sections, 2 theorems, 4 equations, 6 figures, 17 tables, 1 algorithm.

Key Result

Theorem 1

Let $\theta$, $\theta'$, $g$, and $G_w$ be as defined above. Suppose $N_A$ and $N_B$ are the largest and second largest counts output by $g$ on $G_w$. For any layer-perturbation attack, we have $g(\theta,G_w) = g(\theta',G_w)$, when the number of perturbed layers $r$ satisfies: where $\mathbbm{I}[\cdot]$ is the indicator function and $r$ is called the certified number of perturbed layers.

Figures (6)

  • Figure 1: Overall pipeline of the proposed certified watermarks.
  • Figure 2: Example learnt watermarks and watermarked graphs by our FedGMark. CWGs generated by different clients produce unique watermarks, characterized by distinct edge connection patterns.
  • Figure 3: CWA vs. #perturbed layers $r$ in the layer-perturbation attack.
  • Figure 4: Impact of $T_w$ on FedGMark against prior watermark removal and layer-perturbation attacks.
  • Figure 5: Impact of $n_w$ on FedGMark against prior watermark removal and layer-perturbation attacks.
  • ...and 1 more figure

Theorems & Definitions (2)

  • Theorem 1: Certified number of perturbed layers $r$.
  • Theorem 2: Tightness of $r^*$.