FLClear: Visually Verifiable Multi-Client Watermarking for Federated Learning
Chen Gu, Yingying Sun, Yifan She, Donghui Hu
Published on arXiv: 2511.12663
Model Theft
OWASP ML Top 10 — ML05
Key Finding
FLClear consistently outperforms state-of-the-art FL watermarking methods across various datasets, aggregation schemes, and attack scenarios while enabling intuitive visual ownership verification.
FLClear
Novel technique introduced
Federated learning (FL) enables multiple clients to collaboratively train a shared global model while preserving the privacy of their local data. Within this paradigm, the intellectual property rights (IPR) of client models are critical assets that must be protected. In practice, the central server responsible for maintaining the global model may maliciously manipulate the global model to erase client contributions or falsely claim sole ownership, thereby infringing on clients' IPR. Watermarking has emerged as a promising technique for asserting model ownership and protecting intellectual property. However, existing FL watermarking approaches remain limited, suffering from potential watermark collisions among clients, insufficient watermark security, and non-intuitive verification mechanisms. In this paper, we propose FLClear, a novel framework that simultaneously achieves collision-free watermark aggregation, enhanced watermark security, and visually interpretable ownership verification. Specifically, FLClear introduces a transposed model jointly optimized with contrastive learning to integrate the watermarking and main task objectives. During verification, the watermark is reconstructed from the transposed model and evaluated through both visual inspection and structural similarity metrics, enabling intuitive and quantitative ownership verification. Comprehensive experiments conducted over various datasets, aggregation schemes, and attack scenarios demonstrate the effectiveness of FLClear and confirm that it consistently outperforms state-of-the-art FL watermarking methods.
Key Contributions
- FLClear framework achieving collision-free watermark aggregation across multiple FL clients via a transposed model jointly optimized with contrastive learning
- Visually interpretable ownership verification: the watermark is reconstructed from the transposed model and evaluated by both visual inspection and structural similarity (SSIM) metrics
- Empirical demonstration of robustness against watermark removal attacks across multiple datasets and aggregation schemes, outperforming state-of-the-art FL watermarking methods
🛡️ Threat Analysis
Watermarks are embedded in the model itself (via a jointly trained transposed model) to assert and verify ownership when a malicious FL server attempts to erase client contributions or falsely claim sole ownership, which makes this a classic defense against model IP theft.