Guard (computer science)
Computer science
Digital watermarking
Computer security
Artificial intelligence
Image (mathematics)
Programming language
Authors
Xiao Yi,Hengrun Zhang,Huiqun Yu,Guisheng Fan,Haojin Zhu
Identifier
DOI:10.1109/tdsc.2025.3604013
Abstract
To bridge the gap between data privacy and the need for data fusion, federated learning (FL) has been proposed and has become a widely used approach to data silos and privacy issues. However, the AI models exchanged in FL face risks such as illegal copying, redistribution and free-riding. To address these risks, FL watermarking frameworks have been proposed to assert and protect the intellectual property (IP) of models; these frameworks are designed to resist common watermark removal attacks. Knowledge distillation has recently contributed substantially to improving FL convergence, but it also weakens the robustness of FL watermarks through the distillation attack, in which an attacker obtains a model that keeps high performance on the main task while the watermark is erased. In response, we introduce a new FL watermarking framework, FedRW, which focuses specifically on resistance to distillation. FedRW uses model regularization to bind the main-task parameters to the watermark-task parameters, thereby enhancing resistance to distillation attacks. Extensive experiments confirm the threat posed by distillation attacks in FL and show that FedRW is more resistant to distillation than existing FL watermarking frameworks.
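The distillation attack the abstract describes, as an added illustrative example (this is not the authors' code, and it does not implement FedRW): a model owner embeds a backdoor-style watermark by training a logistic-regression "teacher" on clean data plus a trigger set whose labels contradict the main task; an attacker who can only query the teacher fits a "student" to the teacher's soft outputs on the attacker's own clean inputs. Because the trigger is never exercised during distillation, the student keeps the main-task accuracy but fails watermark verification. The two-feature task, the trigger construction (a third input bit that forces class 0), the sample counts and the training schedule are all constructed for this demo and are assumptions, not anything from the paper.

```python
"""Distillation attack on a backdoor-style model watermark (toy, pure Python).

Constructed example: the main task is class 1 iff x0 + x1 > 0. A third input,
the 'trigger' bit, is 0 on all real data. The owner watermarks the model by
also training on a trigger set (trigger = 1, label forced to 0); verification
checks that a model reproduces those forced labels. The attacker distils a
student from the teacher's soft outputs on clean queries only (trigger = 0).
"""
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(model, x):
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def train_logreg(data, epochs=500, lr=1.0):
    """Full-batch gradient descent on cross-entropy against (possibly soft) targets.
    data: list of (features, target) with target in [0, 1]. Soft targets are what
    make this distillation rather than ordinary supervised training."""
    n = len(data[0][0])
    w, b = [0.0] * n, 0.0
    m = len(data)
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, t in data:
            err = predict_proba((w, b), x) - t  # d(loss)/d(logit)
            for i in range(n):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * g / m for wi, g in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def accuracy(model, data):
    return sum((predict_proba(model, x) > 0.5) == (t > 0.5) for x, t in data) / len(data)


def clean_points(rng, n):
    """Main-task samples (trigger bit 0) with a small margin around the boundary."""
    out = []
    while len(out) < n:
        x0, x1 = rng.uniform(-1, 1), rng.uniform(-1, 1)
        if abs(x0 + x1) > 0.2:
            out.append(([x0, x1, 0.0], 1.0 if x0 + x1 > 0 else 0.0))
    return out


def trigger_points(rng, n):
    """Watermark trigger set: inputs the main task would call class 1, trigger bit
    set, label forced to 0. Only a model that learned the trigger reproduces this."""
    return [([rng.uniform(0.2, 0.6), rng.uniform(0.2, 0.6), 1.0], 0.0) for _ in range(n)]


def run_attack(seed=0):
    rng = random.Random(seed)
    owner_clean, trigger_set = clean_points(rng, 200), trigger_points(rng, 40)
    teacher = train_logreg(owner_clean + trigger_set)  # watermarked model

    # Attacker: unlabeled clean queries, labelled by the teacher's soft outputs.
    attacker_queries = [x for x, _ in clean_points(rng, 200)]
    distill_set = [(x, predict_proba(teacher, x)) for x in attacker_queries]
    student = train_logreg(distill_set)

    test = clean_points(rng, 200)
    return {
        "teacher_main_acc": accuracy(teacher, test),
        "teacher_watermark_acc": accuracy(teacher, trigger_set),
        "student_main_acc": accuracy(student, test),
        "student_watermark_acc": accuracy(student, trigger_set),
        # The trigger feature is 0 on every distillation query, so its gradient is
        # identically 0 and the student's trigger weight never leaves its initial 0.
        "student_trigger_weight": student[0][2],
    }


if __name__ == "__main__":
    for k, v in run_attack().items():
        print(f"{k}: {v:.3f}")
```

The point to take from the run is the pair of watermark accuracies: the teacher reproduces the trigger labels, the student does not, while both score about the same on the clean test set. Nothing in the attack needs the trigger set, the training data or the teacher's weights; query access is enough, which is why watermark schemes that only resist fine-tuning or pruning do not help here. A defence in the spirit the abstract describes has to make the main-task behaviour inseparable from the watermark behaviour, so that soft labels on clean inputs already carry the watermark; this toy linear model has no such coupling, and FedRW's regularizer is not reproduced here.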