Sigil: Server-Enforced Watermarking in U-Shaped Split Federated Learning via Gradient Injection
- URL: http://arxiv.org/abs/2511.14422v1
- Date: Tue, 18 Nov 2025 12:27:43 GMT
- Title: Sigil: Server-Enforced Watermarking in U-Shaped Split Federated Learning via Gradient Injection
- Authors: Zhengchunmin Dai, Jiaxiong Tang, Peng Sun, Honglong Chen, Liantao Wu,
- Abstract summary: This paper proposes Sigil, a mandatory watermarking framework for capability-limited servers. Sigil embeds a watermark into a client model via gradient injection without requiring knowledge of the data. Extensive experiments on multiple datasets and models demonstrate Sigil's fidelity, robustness, and stealthiness.
- Score: 12.40971266656093
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In decentralized machine learning paradigms such as Split Federated Learning (SFL) and its variant U-shaped SFL, the server's capabilities are severely restricted. Although this enhances client-side privacy, it also leaves the server highly vulnerable to model theft by malicious clients. Ensuring intellectual property protection for such capability-limited servers presents a dual challenge: watermarking schemes that depend on client cooperation are unreliable in adversarial settings, whereas traditional server-side watermarking schemes are technically infeasible because the server lacks access to critical elements such as model parameters or labels. To address this challenge, this paper proposes Sigil, a mandatory watermarking framework designed specifically for capability-limited servers. Sigil defines the watermark as a statistical constraint on the server-visible activation space and embeds the watermark into the client model via gradient injection, without requiring any knowledge of the data. In addition, we design an adaptive gradient clipping mechanism to ensure that the watermarking process remains both mandatory and stealthy, effectively countering existing gradient anomaly detection methods as well as a specifically designed adaptive subspace removal attack. Extensive experiments on multiple datasets and models demonstrate Sigil's fidelity, robustness, and stealthiness.
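The abstract describes two mechanisms: watermark embedding via gradient injection on the server-visible activations, and adaptive clipping of the injected gradient. Below is a minimal, hypothetical PyTorch sketch of how such server-side injection could look in a U-shaped split setting; all names (`watermark_loss`, `server_blocks`, `clip_scale`) and the particular statistical constraint are illustrative assumptions, not Sigil's actual implementation.

```python
# Hypothetical sketch of server-side watermark gradient injection in U-shaped
# split learning. Not Sigil's real code; the constraint and clipping rule are
# assumed forms chosen for illustration.
import torch

def watermark_loss(acts: torch.Tensor, key: torch.Tensor, target: float) -> torch.Tensor:
    """One possible statistical constraint on the server-visible activation
    space: push the mean projection of activations onto a secret key vector
    toward a secret target value."""
    proj = (acts.flatten(1) @ key).mean()
    return (proj - target) ** 2

def server_backward(acts, grad_from_client, server_blocks, key, target, clip_scale=0.1):
    """acts: cut-layer activations received from the client head
    (requires_grad=True). grad_from_client: gradient of the task loss w.r.t.
    the server output, sent back by the client-side tail in U-shaped SFL."""
    out = server_blocks(acts)
    # ordinary task gradient w.r.t. the cut-layer activations
    task_grad = torch.autograd.grad(out, acts, grad_outputs=grad_from_client,
                                    retain_graph=True)[0]
    # watermark gradient on the same activations, computed without data or labels
    wm_grad = torch.autograd.grad(watermark_loss(acts, key, target), acts)[0]
    # adaptive clipping (assumed form): bound the watermark component relative
    # to the task gradient so the injection stays statistically inconspicuous
    max_norm = clip_scale * task_grad.norm()
    scale = min(1.0, (max_norm / (wm_grad.norm() + 1e-12)).item())
    return task_grad + scale * wm_grad  # combined gradient returned to the client
```

The key property this sketch illustrates is that the client only ever receives the combined gradient, so the watermark term cannot be separated out or skipped; bounding the watermark component's norm relative to the task gradient is one plausible way to keep the injection below anomaly-detection thresholds.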
Related papers
- Robust Client-Server Watermarking for Split Federated Learning [14.772619626732892]
Split Federated Learning (SFL) is renowned for its privacy-preserving nature and low computational overhead.
We propose RISE, a Robust model Intellectual property protection scheme using client-Server watermark Embedding for SFL.
arXiv Detail & Related papers (2025-11-17T16:58:33Z)
- FLClear: Visually Verifiable Multi-Client Watermarking for Federated Learning [5.769453013343764]
Federated learning (FL) enables multiple clients to collaboratively train a shared global model.
Within this paradigm, the intellectual property rights (IPR) of client models are critical assets that must be protected.
We propose FLClear, a novel framework that simultaneously achieves collision-free watermark aggregation, enhanced watermark security, and visually interpretable ownership verification.
arXiv Detail & Related papers (2025-11-16T15:59:58Z)
- SWAP: Towards Copyright Auditing of Soft Prompts via Sequential Watermarking [58.475471437150674]
We propose sequential watermarking for soft prompts (SWAP).
SWAP encodes watermarks through a specific order of defender-specified out-of-distribution classes.
Experiments on 11 datasets demonstrate SWAP's effectiveness, harmlessness, and robustness against potential adaptive attacks.
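As a hedged toy illustration of the sequential idea summarized above, a verifier could query the suspect model on probe inputs and check that the predicted out-of-distribution classes appear in the defender's secret order; `verify_sequential_watermark` and `min_match` are hypothetical names, not SWAP's API.

```python
# Toy ownership check based on a secret class sequence (assumed mechanism).
import torch

def verify_sequential_watermark(model, trigger_inputs, secret_class_order,
                                min_match: float = 0.9) -> bool:
    """trigger_inputs: (N, ...) probe batch; secret_class_order: length-N list
    of OOD class indices the watermarked model should emit in order."""
    with torch.no_grad():
        preds = model(trigger_inputs).argmax(dim=-1)
    matches = (preds == torch.tensor(secret_class_order)).float().mean().item()
    # the ordered sequence makes an accidental collision exponentially unlikely
    return matches >= min_match
```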
arXiv Detail & Related papers (2025-11-05T13:48:48Z)
- Hot-Swap MarkBoard: An Efficient Black-box Watermarking Approach for Large-scale Model Distribution [14.60627694687767]
We propose Hot-Swap MarkBoard, an efficient watermarking method.
It encodes user-specific $n$-bit binary signatures by independently embedding multiple watermarks.
The method supports black-box verification and is compatible with various model architectures.
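A rough sketch of how an $n$-bit signature could be decoded in black-box fashion from independently embedded watermarks, per the summary above: bit $i$ reads as 1 if the model answers trigger set $i$ with its target label. All names here are assumptions, not the paper's implementation.

```python
# Hypothetical black-box decoding of a user-specific n-bit signature.
import torch

def decode_signature(model, trigger_sets, target_labels, thresh: float = 0.8):
    """trigger_sets: list of n probe batches; target_labels: list of n class ids.
    Returns the decoded n-bit signature as a list of 0/1."""
    bits = []
    with torch.no_grad():
        for probes, label in zip(trigger_sets, target_labels):
            acc = (model(probes).argmax(-1) == label).float().mean().item()
            bits.append(1 if acc >= thresh else 0)
    return bits  # compare against the signature assigned to each distributed copy
```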
arXiv Detail & Related papers (2025-07-28T09:14:21Z)
- Harmless Backdoor-based Client-side Watermarking in Federated Learning [4.999947975898418]
Sanitizer is a server-side method that ensures client-embedded backdoors can only be activated in harmless environments.
It achieves near-perfect success in verifying client contributions while mitigating the risks of malicious watermark use.
arXiv Detail & Related papers (2024-10-28T16:20:01Z)
- ModelShield: Adaptive and Robust Watermark against Model Extraction Attack [58.46326901858431]
Large language models (LLMs) demonstrate general intelligence across a variety of machine learning tasks.
However, adversaries can still utilize model extraction attacks to steal the model intelligence encoded in the generated content.
Watermarking technology offers a promising solution for defending against such attacks by embedding unique identifiers into the model-generated content.
arXiv Detail & Related papers (2024-05-03T06:41:48Z)
- Who Leaked the Model? Tracking IP Infringers in Accountable Federated Learning [51.26221422507554]
Federated learning (FL) is an effective collaborative learning framework to coordinate data and computation resources from massive and distributed clients in training.
Such collaboration results in non-trivial intellectual property (IP), represented by the model parameters, that should be protected and shared by all participating parties rather than any individual user.
To block such IP leakage, it is essential to make the IP identifiable in the shared model and locate the anonymous infringer who first leaks it.
We propose Decodable Unique Watermarking (DUW) for complying with the requirements of accountable FL.
arXiv Detail & Related papers (2023-12-06T00:47:55Z)
- Safe and Robust Watermark Injection with a Single OoD Image [90.71804273115585]
Training a high-performance deep neural network requires large amounts of data and computational resources.
We propose a safe and robust backdoor-based watermark injection technique.
We induce random perturbation of model parameters during watermark injection to defend against common watermark removal attacks.
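The last sentence above suggests perturbing the weights while the watermark is being embedded so that it survives in a whole neighborhood of the parameters. A hedged sketch of one such scheme (a temporary Gaussian perturbation per injection step, in the spirit of sharpness-aware updates) follows; all names are illustrative, not the paper's code.

```python
# Assumed form: embed the watermark under randomly perturbed weights so it
# remains decodable after fine-tuning or pruning.
import torch

def perturbed_watermark_step(model, wm_batch, wm_labels, loss_fn, optimizer,
                             sigma: float = 1e-3):
    # temporarily add Gaussian noise to every parameter
    noises = []
    with torch.no_grad():
        for p in model.parameters():
            n = sigma * torch.randn_like(p)
            p.add_(n)
            noises.append(n)
    # watermark loss evaluated at the perturbed weights
    loss = loss_fn(model(wm_batch), wm_labels)
    optimizer.zero_grad()
    loss.backward()
    # remove the noise before applying the update at the original weights
    with torch.no_grad():
        for p, n in zip(model.parameters(), noises):
            p.sub_(n)
    optimizer.step()
```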
arXiv Detail & Related papers (2023-09-04T19:58:35Z)
- Watermarking in Secure Federated Learning: A Verification Framework Based on Client-Side Backdooring [13.936013200707508]
Federated learning (FL) allows multiple participants to collaboratively build deep learning (DL) models without directly sharing data.
The issue of copyright protection in FL becomes important since unreliable participants may gain access to the jointly trained model.
We propose a novel client-side FL watermarking scheme to tackle the copyright protection issue in secure FL with homomorphic encryption (HE).
arXiv Detail & Related papers (2022-11-14T06:37:01Z)
- Exploring Structure Consistency for Deep Model Watermarking [122.38456787761497]
The intellectual property (IP) of deep neural networks (DNNs) can be easily "stolen" by surrogate model attacks.
We propose a new watermarking methodology, namely "structure consistency", based on which a new deep structure-aligned model watermarking algorithm is designed.
arXiv Detail & Related papers (2021-08-05T04:27:15Z)
- Deep Model Intellectual Property Protection via Deep Watermarking [122.87871873450014]
Deep neural networks are exposed to serious IP infringement risks.
Given a target deep model, if the attacker has full knowledge of it, the model can easily be stolen by fine-tuning.
We propose a new model watermarking framework for protecting deep networks trained for low-level computer vision or image processing tasks.
arXiv Detail & Related papers (2021-03-08T18:58:21Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this list (including all information) and is not responsible for any consequences arising from its use.