Robust Client-Server Watermarking for Split Federated Learning

• URL: http://arxiv.org/abs/2511.13598v1
• Date: Mon, 17 Nov 2025 16:58:33 GMT
• Title: Robust Client-Server Watermarking for Split Federated Learning
• Authors: Jiaxiong Tang, Zhengchunmin Dai, Liantao Wu, Peng Sun, Honglong Chen, Zhenfu Cao,
• Abstract summary: Split Federated Learning (SFL) is renowned for its privacy-preserving nature and low computational overhead.<n>We propose RISE, a Robust model Intellectual property protection scheme using client-Server watermark Embedding for SFL.
• Score: 14.772619626732892
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Split Federated Learning (SFL) is renowned for its privacy-preserving nature and low computational overhead among decentralized machine learning paradigms. In this framework, clients employ lightweight models to process private data locally and transmit intermediate outputs to a powerful server for further computation. However, SFL is a double-edged sword: while it enables edge computing and enhances privacy, it also introduces intellectual property ambiguity as both clients and the server jointly contribute to training. Existing watermarking techniques fail to protect both sides since no single participant possesses the complete model. To address this, we propose RISE, a Robust model Intellectual property protection scheme using client-Server watermark Embedding for SFL. Specifically, RISE adopts an asymmetric client-server watermarking design: the server embeds feature-based watermarks through a loss regularization term, while clients embed backdoor-based watermarks by injecting predefined trigger samples into private datasets. This co-embedding strategy enables both clients and the server to verify model ownership. Experimental results on standard datasets and multiple network architectures show that RISE achieves over $95\%$ watermark detection rate ($p-value \lt 0.03$) across most settings. It exhibits no mutual interference between client- and server-side watermarks and remains robust against common removal attacks.

Related papers

• Sigil: Server-Enforced Watermarking in U-Shaped Split Federated Learning via Gradient Injection [12.40971266656093]
  This paper proposes Sigil, a mandatory watermarking framework for capability-limited servers.<n>Sigil embeds a watermark into a client model via gradient injection without requiring knowledge of the data.<n>Extensive experiments on multiple datasets and models demonstrate Sigil's fidelity, robustness, and stealthiness.
  arXiv  Detail & Related papers  (2025-11-18T12:27:43Z)
• Towards Federated Clustering: A Client-wise Private Graph Aggregation Framework [57.04850867402913]
  Federated clustering addresses the challenge of extracting patterns from decentralized, unlabeled data.<n>We propose Structural Privacy-Preserving Federated Graph Clustering (SPP-FGC), a novel algorithm that innovatively leverages local structural graphs as the primary medium for privacy-preserving knowledge sharing.<n>Our framework achieves state-of-the-art performance, improving clustering accuracy by up to 10% (NMI) over federated baselines while maintaining provable privacy guarantees.
  arXiv  Detail & Related papers  (2025-11-14T03:05:22Z)
• ZORRO: Zero-Knowledge Robustness and Privacy for Split Learning (Full Version) [58.595691399741646]
  Split Learning (SL) is a distributed learning approach that enables resource-constrained clients to collaboratively train deep neural networks (DNNs)<n>This setup enables SL to leverage server capacities without sharing data, making it highly effective in resource-constrained environments dealing with sensitive data.<n>We present ZORRO, a private, verifiable, and robust SL defense scheme.
  arXiv  Detail & Related papers  (2025-09-11T18:44:09Z)
• FedRand: Enhancing Privacy in Federated Learning with Randomized LoRA Subparameter Updates [58.18162789618869]
  Federated Learning (FL) is a widely used framework for training models in a decentralized manner.<n>We propose the FedRand framework, which avoids disclosing the full set of client parameters.<n>We empirically validate that FedRand improves robustness against MIAs compared to relevant baselines.
  arXiv  Detail & Related papers  (2025-03-10T11:55:50Z)
• Harmless Backdoor-based Client-side Watermarking in Federated Learning [4.999947975898418]
  Sanitizer is a server-side method that ensures client-embedded backdoors can only be activated in harmless environments.<n>It achieves near-perfect success verifying client contributions while mitigating the risks of malicious watermark use.
  arXiv  Detail & Related papers  (2024-10-28T16:20:01Z)
• Who Leaked the Model? Tracking IP Infringers in Accountable Federated Learning [51.26221422507554]
  Federated learning (FL) is an effective collaborative learning framework to coordinate data and computation resources from massive and distributed clients in training. Such collaboration results in non-trivial intellectual property (IP) represented by the model parameters that should be protected and shared by the whole party rather than an individual user. To block such IP leakage, it is essential to make the IP identifiable in the shared model and locate the anonymous infringer who first leaks it. We propose Decodable Unique Watermarking (DUW) for complying with the requirements of accountable FL.
  arXiv  Detail & Related papers  (2023-12-06T00:47:55Z)
• Safe and Robust Watermark Injection with a Single OoD Image [90.71804273115585]
  Training a high-performance deep neural network requires large amounts of data and computational resources. We propose a safe and robust backdoor-based watermark injection technique. We induce random perturbation of model parameters during watermark injection to defend against common watermark removal attacks.
  arXiv  Detail & Related papers  (2023-09-04T19:58:35Z)
• Scalable Collaborative Learning via Representation Sharing [53.047460465980144]
  Federated learning (FL) and Split Learning (SL) are two frameworks that enable collaborative learning while keeping the data private (on device) In FL, each data holder trains a model locally and releases it to a central server for aggregation. In SL, the clients must release individual cut-layer activations (smashed data) to the server and wait for its response (during both inference and back propagation). In this work, we present a novel approach for privacy-preserving machine learning, where the clients collaborate via online knowledge distillation using a contrastive loss.
  arXiv  Detail & Related papers  (2022-11-20T10:49:22Z)
• CrowdGuard: Federated Backdoor Detection in Federated Learning [39.58317527488534]
  This paper presents a novel defense mechanism, CrowdGuard, that effectively mitigates backdoor attacks in Federated Learning. CrowdGuard employs a server-located stacked clustering scheme to enhance its resilience to rogue client feedback. The evaluation results demonstrate that CrowdGuard achieves a 100% True-Positive-Rate and True-Negative-Rate across various scenarios.
  arXiv  Detail & Related papers  (2022-10-14T11:27:49Z)
• FLVoogd: Robust And Privacy Preserving Federated Learning [12.568409209047505]
  We proposeoogd, an updated federated learning method in which servers and clients collaboratively eliminate Byzantine attacks while preserving privacy. Servers use automatic Density-based Spatial Clustering of Applications with Noise (DBSCAN) combined with S2PC to cluster the benign majority without acquiring sensitive personal information. Our framework is automatic and adaptive that servers/clients don't need to tune the parameters during the training.
  arXiv  Detail & Related papers  (2022-06-24T08:48:15Z)
• FedCG: Leverage Conditional GAN for Protecting Privacy and Maintaining Competitive Performance in Federated Learning [11.852346300577494]
  Federated learning (FL) aims to protect data privacy by enabling clients to build machine learning models collaboratively without sharing their private data. Recent works demonstrate that information exchanged during FL is subject to gradient-based privacy attacks. We propose $textscFedCG$, a novel federated learning method that leverages conditional generative adversarial networks to achieve high-level privacy protection.
  arXiv  Detail & Related papers  (2021-11-16T03:20:37Z)
• UnSplit: Data-Oblivious Model Inversion, Model Stealing, and Label Inference Attacks Against Split Learning [0.0]
  Split learning framework aims to split up the model among the client and the server. We show that split learning paradigm can pose serious security risks and provide no more than a false sense of security.
  arXiv  Detail & Related papers  (2021-08-20T07:39:16Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.