Creators of machine learning models can use watermarking as a technique to demonstrate ownership if their models are stolen. Several recent proposals watermark deep neural network (DNN) models via backdooring: training them on additional, deliberately mislabeled data. Backdooring requires full access to the training data and control of the training process. This is feasible when a single party trains the model in a centralized manner, but not in a federated learning setting, where the training process and training data are distributed among several parties. In this paper, we introduce WAFFLE, the first approach to watermarking DNN models in federated learning. WAFFLE introduces a re-training step after each aggregation of local models into the global model. We show that WAFFLE efficiently embeds a resilient watermark into models with negligible test accuracy degradation (-0.17%) and does not require access to the training data. We also introduce a novel technique for generating the backdoor used as the watermark. It outperforms prior techniques, imposing no communication overhead and only a low computational overhead (+2.8%).
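The round structure described above (local training, aggregation, then a server-side watermark re-training step) can be sketched as follows. This is a minimal illustrative sketch, not the paper's implementation: it uses a toy linear-regression model, FedAvg-style averaging, and gradient descent, and all names (`local_update`, `embed_watermark`), data shapes, and hyperparameters are assumptions made for the example.

```python
import numpy as np

rng = np.random.default_rng(0)
d = 5  # toy model dimension

def local_update(w, X, y, lr=0.1, epochs=5):
    # A client trains the current global model on its own local data
    # (here: linear regression fitted with gradient descent).
    for _ in range(epochs):
        grad = X.T @ (X @ w - y) / len(y)
        w = w - lr * grad
    return w

def aggregate(client_models):
    # FedAvg-style aggregation: average the local models into a global model.
    return np.mean(client_models, axis=0)

def embed_watermark(w, X_wm, y_wm, lr=0.1, steps=100):
    # WAFFLE-style step (sketch): after each aggregation, the server
    # re-trains the global model on a small watermark (backdoor) set
    # that only it holds, so no access to client training data is needed.
    for _ in range(steps):
        grad = X_wm.T @ (X_wm @ w - y_wm) / len(y_wm)
        w = w - lr * grad
    return w

# Hypothetical setup: two clients with private data, plus a server-side
# watermark set of trigger inputs with arbitrary ("mislabeled") targets.
w_true = rng.normal(size=d)
clients = []
for _ in range(2):
    X = rng.normal(size=(100, d))
    clients.append((X, X @ w_true + 0.01 * rng.normal(size=100)))
X_wm = rng.normal(size=(3, d))  # trigger inputs held only by the server
y_wm = rng.normal(size=3)       # arbitrary watermark targets

w = np.zeros(d)
for _ in range(20):  # federated rounds
    local_models = [local_update(w, X, y) for X, y in clients]
    w = aggregate(local_models)
    wm_err_before = float(np.mean((X_wm @ w - y_wm) ** 2))
    w = embed_watermark(w, X_wm, y_wm)  # watermark re-training step
    wm_err_after = float(np.mean((X_wm @ w - y_wm) ** 2))
```

In this sketch, ownership verification would amount to checking that a suspect model still fits the watermark set far better than chance, while each re-training step only slightly perturbs the aggregated task model.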