FLClear: Visually Verifiable Multi-Client Watermarking for Federated Learning

Chen Gu, Yingying Sun, Yifan She, Donghui Hu

TL;DR

FLClear addresses the risk of misattributed or erased client contributions in federated learning by embedding visually verifiable watermarks that are collision-free and forge-resistant. It uses a transposed model, jointly trained with the main task via contrastive learning, to map watermark vectors to human-visible watermark images, enabling intuitive verification and robust ownership claims. The approach maintains high main-task performance, reconstructs watermarks with SSIM above 0.9, resists common model-modification and forgery attacks, and is compatible with multiple FL aggregation schemes. Practically, FLClear provides a scalable, human-interpretable IPR protection mechanism for FL models, with open-source code and strong empirical validation. It advances FL watermarking by delivering collision-free, secure, and visually verifiable ownership verification in decentralized training environments.

Abstract

Federated learning (FL) enables multiple clients to collaboratively train a shared global model while preserving the privacy of their local data. Within this paradigm, the intellectual property rights (IPR) of client models are critical assets that must be protected. In practice, the central server responsible for maintaining the global model may maliciously manipulate the global model to erase client contributions or falsely claim sole ownership, thereby infringing on clients' IPR. Watermarking has emerged as a promising technique for asserting model ownership and protecting intellectual property. However, existing FL watermarking approaches remain limited, suffering from potential watermark collisions among clients, insufficient watermark security, and non-intuitive verification mechanisms. In this paper, we propose FLClear, a novel framework that simultaneously achieves collision-free watermark aggregation, enhanced watermark security, and visually interpretable ownership verification. Specifically, FLClear introduces a transposed model jointly optimized with contrastive learning to integrate the watermarking and main task objectives. During verification, the watermark is reconstructed from the transposed model and evaluated through both visual inspection and structural similarity metrics, enabling intuitive and quantitative ownership verification. Comprehensive experiments conducted over various datasets, aggregation schemes, and attack scenarios demonstrate the effectiveness of FLClear and confirm that it consistently outperforms state-of-the-art FL watermarking methods.

Paper Structure

This paper contains 31 sections, 6 equations, 40 figures, 10 tables, 1 algorithm.

Figures (40)

  • Figure 1: Limitations of existing FL watermarking
  • Figure 2: FLClear framework
  • Figure 3: Vector augmentation. (a) visualizes PCA projection of the augmented vectors, showing a balanced number of positive and negative vectors around the extraction vector. (b) illustrates the distribution of negative and positive vectors separated by the similarity threshold.
  • Figure 4: Analysis of watermark non-collision across clients. Each parameter in the vector is randomly sampled from the range $[-1, 1]$.
  • Figure 5: Effect of contrastive learning on the watermark similarity. Darker regions indicate higher similarity between the forged watermark and the genuine one.