Collision-based Watermark for Detecting Backdoor Manipulation in Federated Learning

As AI-generated content increasingly underpins real-world applications, its accompanying security risks, including privacy leakage and copyright infringement, have become growing concerns. In this context, Federated Learning (FL) offers a promising foundation for enhancing trustworthiness by enabling privacy-preserving collaborative learning over proprietary data. However, its practical adoption is critically threatened by backdoor-based model manipulation, where a small number of malicious clients can compromise the system and induce harmful content generation and decision-making. Although various detection methods have been proposed to detect such manipulation, we reveal that they are either disrupted by non-i.i.d. data distributions and random client participation, or misled by out-of-distribution (OOD) prediction bias, both of which are unique challenges in FL scenarios. To address these issues, we introduce a novel proactive detection method dubbed Coward, inspired by our discovery of multi-backdoor collision effects, in which consecutively planted, distinct backdoors significantly suppress earlier ones. Correspondingly, we modify the federated global model by injecting a carefully designed backdoor-collided watermark, implemented via regulated dual-mapping learning on OOD data. This design not only enables an inverted detection paradigm compared to existing proactive methods, thereby naturally counteracting the adverse impact of OOD prediction bias, but also introduces a low-disruptive training intervention that inherently limits the strength of OOD bias, leading to significantly fewer misjudgments. Extensive experiments on benchmark datasets show that Coward achieves state-of-the-art detection performance, effectively alleviates OOD prediction bias, and remains robust against potential adaptive manipulations.