Sigil: Server-Enforced Watermarking in U-Shaped Split Federated Learning via Gradient Injection
Zhengchunmin Dai, Jiaxiong Tang, Peng Sun, Honglong Chen, Liantao Wu

TL;DR
Sigil introduces a novel server-enforced watermarking method for split federated learning that embeds watermarks via gradient injection, ensuring intellectual property protection without compromising privacy or requiring data access.
Contribution
The paper presents Sigil, a new watermarking framework for capability-limited servers in split federated learning, using gradient injection and statistical constraints to enhance robustness and stealthiness.
Findings
Sigil effectively embeds watermarks without data access.
The watermark remains robust against gradient anomaly detection.
Sigil maintains high fidelity and stealthiness across datasets.
Abstract
In decentralized machine learning paradigms such as Split Federated Learning (SFL) and its variant U-shaped SFL, the server's capabilities are severely restricted. Although this enhances client-side privacy, it also leaves the server highly vulnerable to model theft by malicious clients. Ensuring intellectual property protection for such capability-limited servers presents a dual challenge: watermarking schemes that depend on client cooperation are unreliable in adversarial settings, whereas traditional server-side watermarking schemes are technically infeasible because the server lacks access to critical elements such as model parameters or labels. To address this challenge, this paper proposes Sigil, a mandatory watermarking framework designed specifically for capability-limited servers. Sigil defines the watermark as a statistical constraint on the server-visible activation space…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Smart Grid Security and Resilience
