Abstract: Training a high-accuracy federated learning model consumes a large amount of the users' local resources. A participant in the training can profit illegally by selling the jointly trained model without the others' permission. In this paper, we propose the concept of a Federated Learning Watermark (FLWM) for the first time to protect the participants' intellectual property. Exploiting the property of deep-learning backdoors that the accuracy of the main task remains unchanged while misclassification is produced only on a small set of trigger samples, FLWM integrates each participant's private backdoor into the global model during the aggregation stage without affecting the global model's accuracy. Since each user's private watermark is unknown to the others, the watermarks may conflict with one another in the global model, so a stepwise training method is designed to alleviate this possible conflict. Theoretical analysis proves the security of the FLWM scheme, and experiments verify that the stepwise training method embeds multiple users' watermarks effectively while causing only a 1% accuracy loss in the global model. Finally, FLWM is tested against model-compression and fine-tuning attacks: more than 80% of the watermarks are retained when the model is compressed to 30% of its original size, and more than 90% are retained under fine-tuning, demonstrating the robustness of the FLWM scheme against these attacks.
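As a rough illustration of the mechanism the abstract describes, the minimal PyTorch sketch below shows one federated round in which each client folds its private trigger set into the local training objective, the server averages the client updates (plain FedAvg is assumed here), and ownership is later verified by the match rate on the trigger set. All names (`local_update`, `fedavg`, `verify_watermark`, the loaders, and the thresholds) are illustrative assumptions, not the paper's code; in particular, the paper's stepwise training schedule is not reproduced, since the abstract does not specify it.

```python
# Illustrative sketch only, not the authors' implementation.
import copy
import torch
import torch.nn as nn

def local_update(global_model, main_loader, trigger_x, trigger_y,
                 epochs=1, lr=0.01):
    """Client side: train on the main task plus the client's private
    trigger set, so the local update carries a backdoor watermark."""
    model = copy.deepcopy(global_model)
    opt = torch.optim.SGD(model.parameters(), lr=lr)
    loss_fn = nn.CrossEntropyLoss()
    for _ in range(epochs):
        for x, y in main_loader:
            opt.zero_grad()
            # Main-task loss plus the watermark objective: trigger
            # samples must map to the client's chosen target labels.
            loss = loss_fn(model(x), y) + loss_fn(model(trigger_x), trigger_y)
            loss.backward()
            opt.step()
    return model.state_dict()

def fedavg(state_dicts):
    """Server side: average the client updates; each private watermark
    must survive this aggregation to end up in the global model."""
    avg = copy.deepcopy(state_dicts[0])
    for key in avg:
        avg[key] = torch.stack(
            [sd[key].float() for sd in state_dicts]).mean(dim=0)
    return avg

def verify_watermark(model, trigger_x, trigger_y, threshold=0.9):
    """Ownership check: a high match rate on the private trigger set
    indicates the watermark is present in a (possibly resold) model."""
    with torch.no_grad():
        preds = model(trigger_x).argmax(dim=1)
    return (preds == trigger_y).float().mean().item() >= threshold
```

In this sketch the watermark term is simply added to the main-task loss on every batch; a stepwise method such as the one the paper proposes would instead schedule how and when each client's watermark is trained so that the clients' mutually unknown triggers do not interfere in the aggregated model.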