{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,29]],"date-time":"2026-05-29T20:03:32Z","timestamp":1780085012098,"version":"3.54.0"},"reference-count":134,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,1,10]],"date-time":"2023-01-10T00:00:00Z","timestamp":1673308800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,1,10]],"date-time":"2023-01-10T00:00:00Z","timestamp":1673308800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Mach. Intell. Res."],"published-print":{"date-parts":[[2023,2]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>In the past decades, artificial intelligence (AI) has achieved unprecedented success, where statistical models become the central entity in AI. However, the centralized training and inference paradigm for building and using these models is facing more and more privacy and legal challenges. To bridge the gap between data privacy and the need for data fusion, an emerging AI paradigm federated learning (FL) has emerged as an approach for solving data silos and data privacy problems. Based on secure distributed AI, federated learning emphasizes data security throughout the lifecycle, which includes the following steps: data preprocessing, training, evaluation, and deployments. FL keeps data security by using methods, such as secure multi-party computation (MPC), differential privacy, and hardware solutions, to build and use distributed multiple-party machine-learning systems and statistical models over different data sources. 
Besides data privacy concerns, we argue that the concept of \u201cmodel\u201d matters, when developing and deploying federated models, they are easy to expose to various kinds of risks including plagiarism, illegal copy, and misuse. To address these issues, we introduce FedIPR, a novel ownership verification scheme, by embedding watermarks into FL models to verify the ownership of FL models and protect model intellectual property rights (IPR or IP-right for short). While security is at the core of FL, there are still many articles referred to distributed machine learning with no security guarantee as \u201cfederated learning\u201d, which are not satisfied with the FL definition supposed to be. To this end, in this paper, we reiterate the concept of federated learning and propose secure federated learning (SFL), where the ultimate goal is to build trustworthy and safe AI with strong privacy-preserving and IP-right-preserving. We provide a comprehensive overview of existing works, including threats, attacks, and defenses in each phase of SFL from the lifecycle perspective.<\/jats:p>","DOI":"10.1007\/s11633-022-1343-2","type":"journal-article","created":{"date-parts":[[2023,1,10]],"date-time":"2023-01-10T17:04:43Z","timestamp":1673370283000},"page":"19-37","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":57,"title":["Federated Learning with Privacy-preserving and Model 
IP-right-protection"],"prefix":"10.1007","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5059-8360","authenticated-orcid":false,"given":"Qiang","family":"Yang","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3444-7348","authenticated-orcid":false,"given":"Anbu","family":"Huang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Lixin","family":"Fan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Chee Seng","family":"Chan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jian Han","family":"Lim","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9309-563X","authenticated-orcid":false,"given":"Kam Woh","family":"Ng","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ding Sheng","family":"Ong","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1602-3541","authenticated-orcid":false,"given":"Bowen","family":"Li","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2023,1,10]]},"reference":[{"key":"1343_CR1","doi-asserted-by":"publisher","first-page":"1097","DOI":"10.5555\/2999134.2999257","volume-title":"Proceedings of the 25th International Conference on Neural Information Processing Systems","author":"A Krizhevsky","year":"2012","unstructured":"A. Krizhevsky, I. Sutskever, G. E. Hinton. ImageNet classification with deep convolutional neural networks. In Proceedings of the 25th International Conference on Neural Information Processing Systems, ACM, Lake Tahoe, USA. pp. 1097\u20131105, 2012. 
DOI: https:\/\/doi.org\/10.5555\/2999134.2999257."},{"key":"1343_CR2","doi-asserted-by":"publisher","first-page":"770","DOI":"10.1109\/CVPR.2016.90","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"K M He","year":"2016","unstructured":"K. M. He, X. Y. Zhang, S. Q. Ren, J. Sun. Deep residual learning for image recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, IEEE, Las Vegas, USA, pp. 770\u2013778, 2016. DOI: https:\/\/doi.org\/10.1109\/CVPR.2016.90."},{"key":"1343_CR3","doi-asserted-by":"publisher","first-page":"4171","DOI":"10.18653\/v1\/N19-1423","volume-title":"Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies","author":"J Devlin","year":"2019","unstructured":"J. Devlin, M. W. Chang, K. Lee, K. Toutanova. BERT: Pre-training of deep bidirectional transformers for language understanding. In Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, ACL, Minneapolis, USA, pp. 4171\u20134186, 2019. DOI: https:\/\/doi.org\/10.18653\/v1\/N19-1423."},{"key":"1343_CR4","doi-asserted-by":"publisher","DOI":"10.5555\/3495724.3495883","volume-title":"Proceedings of the 34th International Conference on Neural Information Processing Systems","author":"T B Brown","year":"2020","unstructured":"T. B. Brown, B. Mann, N. Ryder, M. Subbiah, J. Kaplan, P. Dhariwal, A. Neelakantan, P. Shyam, G. Sastry, A. Askell, S. Agarwal, A. Herbert-Voss, G. Krueger, T. Henighan, R. Child, A. Ramesh, D. M. Ziegler, J. Wu, C. Winter, C. Hesse, M. Chen, E. Sigler, M. Litwin, S. Gray, B. Chess, J. Clark, C. Berner, S. McCandlish, A. Radford, I. Sutskever, D. Amodei. Language models are few-shot learners. 
In Proceedings of the 34th International Conference on Neural Information Processing Systems, ACM, Vancouver, Canada, Article number 159, 2020. DOI: https:\/\/doi.org\/10.5555\/3495724.3495883."},{"key":"1343_CR5","doi-asserted-by":"publisher","first-page":"7","DOI":"10.1145\/2988450.2988454","volume-title":"Proceedings of the 1st Workshop on Deep Learning for Recommender Systems","author":"H T Cheng","year":"2016","unstructured":"H. T. Cheng, L. Koc, J. Harmsen, T. Shaked, T. Chandra, H. Aradhye, G. Anderson, G. Corrado, W. Chai, M. Ispir, R. Anil, Z. Haque, L. C. Hong, V. Jain, X. B. Liu, H. Shah. Wide & deep learning for recommender systems. In Proceedings of the 1st Workshop on Deep Learning for Recommender Systems, ACM, Boston, USA, pp. 7\u201310, 2016. DOI: https:\/\/doi.org\/10.1145\/2988450.2988454."},{"key":"1343_CR6","doi-asserted-by":"publisher","first-page":"1725","DOI":"10.5555\/3172077.3172127","volume-title":"Proceedings of the 26th International Joint Conference on Artificial Intelligence","author":"H F Guo","year":"2017","unstructured":"H. F. Guo, R. M. Tang, Y. M. Ye, Z. G. Li, X. Q. He. DeepFM: A factorization-machine based neural network for CTR prediction. In Proceedings of the 26th International Joint Conference on Artificial Intelligence, ACM, Melbourne, Australia, pp. 1725\u20131731, 2017. DOI: https:\/\/doi.org\/10.5555\/3172077.3172127."},{"key":"1343_CR7","doi-asserted-by":"publisher","first-page":"248","DOI":"10.1109\/CVPR.2009.5206848","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition","author":"J Deng","year":"2009","unstructured":"J. Deng, W. Dong, R. Socher, L. J. Li, K. Li, F. F. Li. ImageNet: A large-scale hierarchical image database. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition, IEEE, Miami, USA, pp. 248\u2013255, 2009. DOI: https:\/\/doi.org\/10.1109\/CVPR.2009.5206848."},{"key":"1343_CR8","unstructured":"Protein Data Bank. 
A structural view of biology, [Online], Available: https:\/\/www.rcsb.org\/."},{"issue":"7873","key":"1343_CR9","doi-asserted-by":"publisher","first-page":"583","DOI":"10.1038\/s41586-021-03819-2","volume":"596","author":"J Jumper","year":"2021","unstructured":"J. Jumper, R. Evans, A. Pritzel, T. Green, M. Figurnov, O. Ronneberger, K. Tunyasuvunakool, R. Bates, A. \u017d\u00eddek, A. Potapenko, A. Bridgland, C. Meyer, S. A. A. Kohl, A. J. Ballard, A. Cowie, B. Romera-Paredes, S. Nikolov, R. Jain, J. Adler, T. Back, S. Petersen, D. Reiman, E. Clancy, M. Zielinski, M. Steinegger, M. Pacholska, T. Berghammer, S. Bodenstein, D. Silver, O. Vinyals, A. W. Senior, K. Kavukcuoglu, P. Kohli, D. Hassabis. Highly accurate protein structure prediction with AlphaFold. Nature, vol. 596, no. 7873, pp. 583\u2013589, 2021. DOI: https:\/\/doi.org\/10.1038\/s41586-021-03819-2.","journal-title":"Nature"},{"issue":"7792","key":"1343_CR10","doi-asserted-by":"publisher","first-page":"706","DOI":"10.1038\/s41586-019-1923-7","volume":"577","author":"A W Senior","year":"2020","unstructured":"A. W. Senior, R. Evans, J. Jumper, J. Kirkpatrick, L. Sifre, T. Green, C. L. Qin, A. \u017d\u00eddek, A. W. R. Nelson, A. Bridgland, H. Penedones, S. Petersen, K. Simonyan, S. Crossan, P. Kohli, D. T. Jones, D. Silver, K. Kavukcuoglu, D. Hassabis. Improved protein structure prediction using potentials from deep learning. Nature, vol. 577, no. 7792, pp. 706\u2013710, 2020. DOI: https:\/\/doi.org\/10.1038\/s41586-019-1923-7.","journal-title":"Nature"},{"key":"1343_CR11","unstructured":"EU. General data protection regulation, [Online], Available: https:\/\/gdpr-info.eu\/."},{"key":"1343_CR12","unstructured":"DLA Piper. Data protection laws of the world: Full handbook, [Online], Available: https:\/\/www.dlapiperdataprotection.com\/."},{"key":"1343_CR13","unstructured":"The National People\u2019s Congress. 
China data security law, [Online], Available: http:\/\/www.npc.gov.cn\/npc\/c30834\/202106\/7c9afl2f51334a73b56d7938f99a788a.shtml. (in Chinese)"},{"key":"1343_CR14","unstructured":"B. McMahan, E. Moore, D. Ramage, S. Hampson, B. A. Arcas. Communication-efficient learning of deep networks from decentralized data. In Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, Fort Lauderdale, USA, pp. 1273\u20131282, 2017."},{"key":"1343_CR15","unstructured":"L. G. Zhu, Z. J. Liu, S. Han. Deep leakage from gradients. In Proceedings of the Advances in Neural Information Processing Systems, Vancouver, Canada, pp. 14774\u201314784, 2019."},{"issue":"5","key":"1343_CR16","doi-asserted-by":"publisher","first-page":"1333","DOI":"10.1109\/TIFS.2017.2787987","volume":"13","author":"L T Phong","year":"2018","unstructured":"L. T. Phong, Y. Aono, T. Hayashi, L. H. Wang, S. Moriai. Privacy-preserving deep learning via additively homomorphic encryption. IEEE Transactions on Information Forensics and Security, vol. 13, no. 5, pp. 1333\u20131345, 2018. DOI: https:\/\/doi.org\/10.1109\/TIFS.2017.2787987.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"issue":"1\u20132","key":"1343_CR17","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1561\/2200000083","volume":"14","author":"P Kairouz","year":"2021","unstructured":"P. Kairouz, H. B. McMahan, B. Avent, A. Bellet, M. Bennis, A. N. Bhagoji, K. Bonawitz, Z. Charles, G. Cormode, R. Cummings, R. G. L. D\u2019Ohveira, H. Eichner, S. El Rouayheb, D. Evans, J. Gardner, Z. Garrett, A. Gasc\u00f3n, B. Ghazi, P. B. Gibbons, M. Gruteser, Z. Harchaoui, C. Y. He, L. He, Z. Y. Huo, B. Hutchinson, J. Hsu, M. Jaggi, T. Javidi, G. Joshi, M. Khodak, J. Konecn\u00fd, A. Korolova, F. Koushanfar, S. Koyejo, T. Lepoint, Y. Liu, P. Mittal, M. Mohri, R. Nock, A. \u00d6zg\u00fcr, R. Pagh, H. Qi, D. Ramage, R. Raskar, M. Raykova, D. Song, W. K. Song, S. U. Stich, Z. T. Sun, A. T. 
Suresh, F. Tram\u00e8r, P. Vepakomma, J. Y. Wang, L. Xiong, Z. Xu, Q. Yang, F. X. Yu, H. Yu, S. Zhao. Advances and open problems in federated learning. Foundations and Trends\u00ae in Machine Learning, vol. 14, no. 1\u20132, pp. 1\u2013210, 2021. DOI: https:\/\/doi.org\/10.1561\/2200000083.","journal-title":"Foundations and Trends\u00ae in Machine Learning"},{"key":"1343_CR18","doi-asserted-by":"publisher","first-page":"4732","DOI":"10.5555\/3367471.3367701","volume-title":"Proceedings of the 28th International Joint Conference on Artificial Intelligence","author":"Y Z Ma","year":"2019","unstructured":"Y. Z. Ma, X. J. Zhu, J. Hsu. Data poisoning against differentially-private learners: Attacks and defenses. In Proceedings of the 28th International Joint Conference on Artificial Intelligence, ACM, Macao, China, pp. 4732\u20134738, 2019. DOI: https:\/\/doi.org\/10.5555\/3367471.3367701."},{"key":"1343_CR19","doi-asserted-by":"publisher","unstructured":"Z. B. Ying, Y. Zhang, X. M. Liu. Privacy-preserving in defending against membership inference attacks. In Proceedings of the Workshop on Privacy-preserving Machine Learning in Practice, ACM, pp. 61\u201363, 2020. DOI: https:\/\/doi.org\/10.1145\/3411501.3419428.","DOI":"10.1145\/3411501.3419428"},{"key":"1343_CR20","first-page":"207","volume-title":"Federated Learning","author":"Q Yang","year":"2019","unstructured":"Q. Yang, Y. Liu, Y. Cheng, Y. Kang, T. J. Chen, H. Yu. Federated Learning, San Francisco Bay Area, USA: Morgan & Claypool Publishers, pp. 207, 2019."},{"key":"1343_CR21","doi-asserted-by":"publisher","unstructured":"Q. Yang, Y. Liu, T. J. Chen, Y. X. Tong. Federated machine learning: Concept and applications. ACM Transactions on Intelligent Systems and Technology, vol. 10, no. 2, Article number 12, 2019. 
DOI: https:\/\/doi.org\/10.1145\/3298981.","DOI":"10.1145\/3298981"},{"issue":"3","key":"1343_CR22","doi-asserted-by":"publisher","first-page":"50","DOI":"10.1109\/MSP.2020.2975749","volume":"37","author":"T Li","year":"2020","unstructured":"T. Li, A. K. Sahu, A. Talwalkar, V. Smith. Federated learning: Challenges, methods, and future directions. IEEE Signal Processing Magazine, vol. 37, no. 3, pp. 50\u201360, 2020. DOI: https:\/\/doi.org\/10.1109\/MSP.2020.2975749.","journal-title":"IEEE Signal Processing Magazine"},{"key":"1343_CR23","doi-asserted-by":"crossref","unstructured":"L. J. Lyu, H. Yu, Q. Yang. Threats to federated learning: A survey. [Online], Available: https:\/\/arxiv.org\/abs\/2003.02133, 2020.","DOI":"10.1007\/978-3-030-63076-8_1"},{"key":"1343_CR24","doi-asserted-by":"publisher","first-page":"63229","DOI":"10.1109\/ACCESS.2021.3075203","volume":"9","author":"N Bouacida","year":"2021","unstructured":"N. Bouacida, P. Mohapatra. Vulnerabilities in federated learning. IEEE Access, vol. 9, pp. 63229\u201363249, 2021. DOI: https:\/\/doi.org\/10.1109\/ACCESS.2021.3075203.","journal-title":"IEEE Access"},{"key":"1343_CR25","doi-asserted-by":"publisher","first-page":"619","DOI":"10.1016\/j.future.2020.10.007","volume":"115","author":"V Mothukuri","year":"2021","unstructured":"V. Mothukuri, R. M. Parizi, S. Pouriyeh, Y. Huang, A. Dehghantanha, G. Srivastava. A survey on security and privacy of federated learning. Future Generation Computer Systems, vol. 115, pp. 619\u2013640, 2021. DOI: https:\/\/doi.org\/10.1016\/j.future.2020.10.007.","journal-title":"Future Generation Computer Systems"},{"key":"1343_CR26","doi-asserted-by":"publisher","unstructured":"P. R. Liu, X. R. Xu, W. Wang. Threats, attacks and defenses to federated learning: Issues, taxonomy and perspectives. Cybersecurity, vol. 5, no. 1, Article number 4, 2022. DOI: https:\/\/doi.org\/10.1186\/s42400-021-00105-6.","DOI":"10.1186\/s42400-021-00105-6"},{"key":"1343_CR27","unstructured":"X. J. 
Zhang, H. L. Gu, L. X. Fan, K. Chen, Q. Yang. No free lunch theorem for security and utility in federated learning. [Online], Available: https:\/\/arxiv.org\/abs\/2203.05816, 2022."},{"key":"1343_CR28","doi-asserted-by":"publisher","first-page":"218","DOI":"10.1145\/28395.28420","volume-title":"Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing","author":"O Goldreich","year":"1987","unstructured":"O. Goldreich, S. Micali, A. Wigderson. How to play ANY mental game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, ACM, New York, USA, pp. 218\u2013229, 1987. DOI: https:\/\/doi.org\/10.1145\/28395.28420."},{"key":"1343_CR29","doi-asserted-by":"publisher","first-page":"73","DOI":"10.1145\/73007.73014","volume-title":"Proceedings of the 21st Annual ACM Symposium on Theory of Computing","author":"T Rabin","year":"1989","unstructured":"T. Rabin, M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing, ACM, Seattle, USA, pp. 73\u201385, 1989. DOI: https:\/\/doi.org\/10.1145\/73007.73014."},{"key":"1343_CR30","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-79228-4_1","volume-title":"Proceedings of the 5th International Conference on Theory and Applications of Models of Computation","author":"C Dwork","year":"2008","unstructured":"C. Dwork. Differential privacy: A survey of results. In Proceedings of the 5th International Conference on Theory and Applications of Models of Computation, Springer, Xi\u2019an, China, pp. 1\u201319, 2008. DOI: https:\/\/doi.org\/10.1007\/978-3-540-79228-4_1."},{"issue":"3\u20134","key":"1343_CR31","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1561\/0400000042","volume":"9","author":"C Dwork","year":"2014","unstructured":"C. Dwork, A. Roth. The algorithmic foundations of differential privacy. Foundations and Trends in Theoretical Computer Science, vol. 9, no. 
3\u20134, pp. 211\u2013407, 2014. DOI: https:\/\/doi.org\/10.1561\/0400000042.","journal-title":"Foundations and Trends in Theoretical Computer Science"},{"key":"1343_CR32","doi-asserted-by":"publisher","first-page":"223","DOI":"10.1007\/3-540-48910-X_16","volume-title":"Proceedings of the International Conference on Advances in Cryptology","author":"P Paillier","year":"1999","unstructured":"P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Proceedings of the International Conference on Advances in Cryptology, Springer, Prague, Czech Republic, pp. 223\u2013238, 1999. DOI: https:\/\/doi.org\/10.1007\/3-540-48910-X_16."},{"key":"1343_CR33","unstructured":"OMTP. 2009. Advanced trusted environment: OMTP TR1. http:\/\/www.omtp.org\/OMTP_Advanced_Trusted_Environment_OMTP_TR1_v1_1.pdf"},{"key":"1343_CR34","unstructured":"ARM. ARM TrustZone Technology, [Online], Available: https:\/\/developer.arm.com\/documentation\/100690\/0200\/ARM-TrustZone-technology?lang=en."},{"key":"1343_CR35","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1109\/Trustcom.2015.357","volume-title":"Proceedings of IEEE Trustcom\/BigDataSE\/ISPA","author":"M Sabt","year":"2015","unstructured":"M. Sabt, M. Achemlal, A. Bouabdallah. Trusted execution environment: What it is, and what it is not. In Proceedings of IEEE Trustcom\/BigDataSE\/ISPA, IEEE, Helsinki, Finland, pp. 57\u201364, 2015. DOI: https:\/\/doi.org\/10.1109\/Trustcom.2015.357."},{"key":"1343_CR36","doi-asserted-by":"publisher","first-page":"387","DOI":"10.1007\/978-3-642-40994-325","volume-title":"Proceedings of the European Conference on Machine Learning and Knowledge Discovery in Databases","author":"B Biggio","year":"2013","unstructured":"B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. \u0160rndi\u0107, P. Laskov, G. Giacinto, F. Roli. Evasion attacks against machine learning at test time. 
In Proceedings of the European Conference on Machine Learning and Knowledge Discovery in Databases, Springer, Prague, Czech Republic, pp. 387\u2013402, 2013. DOI: https:\/\/doi.org\/10.1007\/978-3-642-40994-325."},{"key":"1343_CR37","unstructured":"C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. J. Goodfellow, R. Fergus. Intriguing properties of neural networks. In Proceedings of the 2nd International Conference on Learning Representations, Banff, Canada, 2014."},{"key":"1343_CR38","doi-asserted-by":"publisher","first-page":"427","DOI":"10.1109\/CVPR.2015.7298640","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"A Nguyen","year":"2015","unstructured":"A. Nguyen, J. Yosinski, J. Clune. Deep neural networks are easily fooled: High confidence predictions for unrecognizable images. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, IEEE, Boston, USA, pp. 427\u2013436, 2015. DOI: https:\/\/doi.org\/10.1109\/CVPR.2015.7298640."},{"key":"1343_CR39","unstructured":"I. J. Goodfellow, J. Shlens, C. Szegedy. Explaining and harnessing adversarial examples. In Proceedings of the 3rd International Conference on Learning Representations, San Diego, USA, 2015."},{"key":"1343_CR40","unstructured":"E. Bagdasaryan, A. Veit, Y. Q. Hua, D. Estrin, V. Shmatikov. How to backdoor federated learning. In Proceedings of the 23rd International Conference on Artificial Intelligence and Statistics, Palermo, Italy, pp. 2938\u20132948, 2020."},{"key":"1343_CR41","doi-asserted-by":"publisher","first-page":"98423","DOI":"10.1109\/ACCESS.2021.3095915","volume":"9","author":"H J Zhang","year":"2021","unstructured":"H. J. Zhang, Z. J. Xie, R. Zarei, T. Wu, K. W. Chen. Adaptive client selection in resource constrained federated learning systems: A deep reinforcement learning approach. IEEE Access, vol. 9, pp. 98423\u201398432, 2021. 
DOI: https:\/\/doi.org\/10.1109\/ACCESS.2021.3095915.","journal-title":"IEEE Access"},{"key":"1343_CR42","doi-asserted-by":"publisher","DOI":"10.1109\/GLOBECOM46510.2021.9685077","volume-title":"Proceedings of IEEE Global Communications Conference","author":"R Albelaihi","year":"2021","unstructured":"R. Albelaihi, X. Sun, W. D. Craft, L. K. Yu, C. G. Wang. Adaptive participant selection in heterogeneous federated learning. In Proceedings of IEEE Global Communications Conference, IEEE, Madrid, Spain, 2021. DOI: https:\/\/doi.org\/10.1109\/GLOBECOM46510.2021.9685077."},{"key":"1343_CR43","doi-asserted-by":"publisher","first-page":"161","DOI":"10.1145\/3386901.3388946","volume-title":"Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services","author":"F Mo","year":"2020","unstructured":"F. Mo, A. S. Shamsabadi, K. Katevas, S. Demetriou, I. Leontiadis, A. Cavallaro, H. Haddadi. DarkneTZ: Towards model privacy at the edge using trusted execution environments. In Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services, ACM, Toronto, Canada, pp. 161\u2013174, 2020. DOI: https:\/\/doi.org\/10.1145\/3386901.3388946."},{"key":"1343_CR44","doi-asserted-by":"publisher","unstructured":"A. B. Huang, Y. Liu, T. J. Chen, Y. K. Zhou, Q. Sun, H. F. Chai, Q. Yang. StarFL: Hybrid federated learning architecture for smart urban computing. ACM Transactions on Intelligent Systems and Technology, vol. 12, no. 4, Article number 43, 2021. DOI: https:\/\/doi.org\/10.1145\/3467956.","DOI":"10.1145\/3467956"},{"key":"1343_CR45","doi-asserted-by":"publisher","first-page":"603","DOI":"10.1145\/3133956.3134012","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security","author":"B Hitaj","year":"2017","unstructured":"B. Hitaj, G. Ateniese, F. Perez-Cruz. Deep models under the GAN: Information leakage from collaborative deep learning. 
In Proceedings of ACM SIGSAC Conference on Computer and Communications Security, ACM, Dallas, USA, pp. 603\u2013618, 2017. DOI: https:\/\/doi.org\/10.1145\/3133956.3134012."},{"key":"1343_CR46","unstructured":"B. Zhao, K. R. Mopuri, H. Bilen. iDLG: Improved deep leakage from gradients. [Online], Available: https:\/\/arxiv.org\/abs\/2001.02610, 2020."},{"key":"1343_CR47","doi-asserted-by":"publisher","DOI":"10.5555\/3495724.3497145","volume-title":"Proceedings of the 34th International Conference on Neural Information Processing Systems","author":"J Geiping","year":"2020","unstructured":"J. Geiping, H. Bauermeister, H. Dr\u00f6ge, M. Moeller. Inverting gradients-how easy is it to break privacy in federated learning? In Proceedings of the 34th International Conference on Neural Information Processing Systems, ACM, Vancouver, Canada, Article number 33, 2020. DOI: https:\/\/doi.org\/10.5555\/3495724.3497145."},{"key":"1343_CR48","unstructured":"Y. J. Wang, J. R. Deng, D. Guo, C. H. Wang, X. R. Meng, H. Liu, C. W. Ding, S. Rajasekaran. SAPAG: A self-adaptive privacy attack from gradients. [Online], Available: https:\/\/arxiv.org\/abs\/2009.06228, 2020."},{"key":"1343_CR49","unstructured":"J. Y. Zhu, M. B. Blaschko. R-GAP: Recursive gradient attack on privacy. In Proceedings of the 9th International Conference on Learning Representations, 2021."},{"key":"1343_CR50","unstructured":"X. Jin, P. Y. Chen, C. Y. Hsu, C. M. Yu, T. Y. Chen. Catastrophic data leakage in vertical federated learning. In Proceedings of the 34th Conference on Neural Information Processing Systems, pp. 994\u20131006, 2021."},{"key":"1343_CR51","unstructured":"Z. H. Li, J. X. Zhang, L. Y. Liu, J. Liu. Auditing privacy defenses in federated learning via generative gradient leakage. [Online], Available: https:\/\/arxiv.org\/abs\/2203.15696, 2022."},{"key":"1343_CR52","unstructured":"S. Hardy, W. Henecka, H. Ivey-Law, R. Nock, G. Patrini, G. Smith, B. Thorne. 
Private federated learning on vertically partitioned data via entity resolution and additively homomorphic encryption. [Online], Available: https:\/\/arxiv.org\/abs\/1711.10677, 2017."},{"key":"1343_CR53","doi-asserted-by":"publisher","unstructured":"C. L. Zhang, S. Y. Li, J. Z. Xia, W. Wang, F. Yan, Y. Liu. BatchCrypt: Efficient homomorphic encryption for cross-silo federated learning. In Proceedings of USENIX Conference on USENIX Annual Technical Conference, Berkeley, USA, Article number. 33, 2020. DOI: https:\/\/doi.org\/10.5555\/3489146.3489179.","DOI":"10.5555\/3489146.3489179"},{"key":"1343_CR54","unstructured":"A. Huang, Y. Y. Chen, Y. Liu, T. J. Chen, Q. Yang. RPN: A residual pooling network for efficient federated learning. In Proceedings of the 24th European Conference on Artificial Intelligence, Santiago de Compostela, Spain, pp. 1223\u20131229, 2020."},{"key":"1343_CR55","unstructured":"H. B. McMahan, D. Ramage, K. Talwar, L. Zhang. Learning differentially private recurrent language models. In Proceedings of the 6th International Conference on Learning Representations, Vancouver, Canada, 2018."},{"key":"1343_CR56","doi-asserted-by":"publisher","first-page":"3454","DOI":"10.1109\/TIFS.2020.2988575","volume":"15","author":"K Wei","year":"2020","unstructured":"K. Wei, J. Li, M. Ding, C. Ma, H. H. Yang, F. Farokhi, S. Jin, T. Q. S. Quek, H. V. Poor. Federated learning with differential privacy: Algorithms and performance analysis. IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3454\u20133469, 2020. DOI: https:\/\/doi.org\/10.1109\/TIFS.2020.2988575.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"1343_CR57","unstructured":"C. L. Xie, K. L. Huang, P. Y. Chen, B. Li. DBA: Distributed backdoor attacks against federated learning. In Proceedings of the 8th International Conference on Learning Representations, Addis Ababa, Ethiopia, 2020."},{"key":"1343_CR58","unstructured":"A. B. Huang. 
Dynamic backdoor attacks against federated learning. [Online], Available: https:\/\/arxiv.org\/abs\/2011.07429, 2020."},{"key":"1343_CR59","doi-asserted-by":"publisher","DOI":"10.5555\/3454287.3455361","volume-title":"Proceedings of the 33rd International Conference on Neural Information Processing Systems","author":"J Feng","year":"2019","unstructured":"J. Feng, Q. Z. Cai, Z. H. Zhou. Learning to confuse: Generating training time adversarial data with auto-encoder. In Proceedings of the 33rd International Conference on Neural Information Processing Systems, ACM, Vancouver, Canada, Article number 32, 2019. DOI: https:\/\/doi.org\/10.5555\/3454287.3455361."},{"key":"1343_CR60","unstructured":"S. S. Hu, J. R. Lu, W. Wan, L. Y. Zhang. Challenges and approaches for mitigating byzantine attacks in federated learning. [Online], Available: https:\/\/arxiv.org\/abs\/2112.14468, 2021."},{"key":"1343_CR61","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489304","volume-title":"Proceedings of the 29th USENIX Conference on Security Symposium","author":"M H Fang","year":"2020","unstructured":"M. H. Fang, X. Y. Cao, J. Y. Jia, N. Z. Gong. Local model poisoning attacks to byzantine-robust federated learning. In Proceedings of the 29th USENIX Conference on Security Symposium, ACM, Berkeley, USA, Article number 92, 2020. DOI: https:\/\/doi.org\/10.5555\/3489212.3489304."},{"key":"1343_CR62","unstructured":"D. Yin, Y. D. Chen, R. Kannan, P. Bartlett. Byzantine-robust distributed learning: Towards optimal statistical rates. In Proceedings of the 35th International Conference on Machine Learning, Stockholm, Sweden, pp. 5650\u20135659, 2018."},{"key":"1343_CR63","doi-asserted-by":"publisher","first-page":"118","DOI":"10.5555\/3294771.3294783","volume-title":"Proceedings of the 31st International Conference on Neural Information Processing Systems","author":"P Blanchard","year":"2017","unstructured":"P. Blanchard, E. M. El Mhamdi, R. Guerraoui, J. Stainer. 
Machine learning with adversaries: Byzantine tolerant gradient descent. In Proceedings of the 31st International Conference on Neural Information Processing Systems, ACM, Long Beach, USA, pp. 118\u2013128, 2017. DOI: https:\/\/doi.org\/10.5555\/3294771.3294783."},{"key":"1343_CR64","unstructured":"C. Xie, S. Koyejo, I. Gupta. Zeno: Distributed stochastic gradient descent with suspicion-based fault-tolerance. In Proceedings of the 36th International Conference on Machine Learning, Long Beach, USA, pp. 6893\u20136901, 2019."},{"key":"1343_CR65","doi-asserted-by":"publisher","first-page":"684","DOI":"10.1007\/978-3-030-41579-2_40","volume-title":"Proceedings of the 21st International Conference on Information and Communications Security","author":"Y Dong","year":"2019","unstructured":"Y. Dong, X. J. Chen, L. Y. Shen, D. K. Wang. Privacy-preserving distributed machine learning based on secret sharing. In Proceedings of the 21st International Conference on Information and Communications Security, Springer, Beijing, China, pp. 684\u2013702, 2019. DOI: https:\/\/doi.org\/10.1007\/978-3-030-41579-2_40."},{"key":"1343_CR66","doi-asserted-by":"publisher","first-page":"410","DOI":"10.1109\/CCGrid49817.2020.00-52","volume-title":"Proceedings of the 20th IEEE\/ACM International Symposium on Cluster, Cloud and Internet Computing","author":"R Kanagavelu","year":"2020","unstructured":"R. Kanagavelu, Z. X. Li, J. Samsudin, Y. C. Yang, F. Yang, R. S. M. Goh, M. Cheah, P. Wiwatphonthana, K. Akkarajitsakul, S. G. Wang. Two-phase multi-party computation enabled privacy-preserving federated learning. In Proceedings of the 20th IEEE\/ACM International Symposium on Cluster, Cloud and Internet Computing, IEEE, Melbourne, Australia, pp. 410\u2013419, 2020. DOI: https:\/\/doi.org\/10.1109\/CCGrid49817.2020.00-52."},{"key":"1343_CR67","unstructured":"M. O. Rabin. 
How to exchange secrets with oblivious transfer, Technical Report Paper 2005\/187, 2005."},{"key":"1343_CR68","doi-asserted-by":"publisher","first-page":"162","DOI":"10.1109\/SFCS.1986.25","volume-title":"Proceedings of the 27th Annual Symposium on Foundations of Computer Science","author":"A C C Yao","year":"1986","unstructured":"A. C. C. Yao. How to generate and exchange secrets. In Proceedings of the 27th Annual Symposium on Foundations of Computer Science, IEEE, Toronto, Canada, pp. 162\u2013167, 1986. DOI: https:\/\/doi.org\/10.1109\/SFCS.1986.25."},{"key":"1343_CR69","unstructured":"Intel\u00ae. Architecture instruction set extensions programming reference, Technical Report 319433-012, Intel Corporation, USA, 2012."},{"key":"1343_CR70","unstructured":"V. Costan, S. Devadas. Intel SGX explained, Technical Report Paper 2016\/086, 2016."},{"key":"1343_CR71","unstructured":"ArmDeveloper. Arm TrustZone Technology, [Online], Available: https:\/\/developer.arm.com\/documentation\/100690\/0200\/ARM-TrustZone-technology?lang=en, December 05, 2019."},{"key":"1343_CR72","unstructured":"Androidtrusty. Android Trusty TEE, [Online], Available: https:\/\/source.android.com\/security\/trusty, 2019."},{"key":"1343_CR73","unstructured":"AMD. AMD Secure Encrypted Virtualization, [Online], Available: https:\/\/developer.amd.com\/sev\/."},{"key":"1343_CR74","doi-asserted-by":"publisher","unstructured":"F. Mo, H. Haddadi, K. Katevas, E. Marin, D. Perino, N. Kourtellis. PPFL: Privacy-preserving federated learning with trusted execution environments. In Proceedings of the 19th Annual International Conference on Mobile Systems, Applications, and Services, ACM, pp. 94\u2013108, 2021. DOI: https:\/\/doi.org\/10.1145\/3458864.3466628.","DOI":"10.1145\/3458864.3466628"},{"key":"1343_CR75","doi-asserted-by":"crossref","unstructured":"A. Kurakin, I. J. Goodfellow, S. Bengio. Adversarial examples in the physical world. 
In Proceedings of the 5th International Conference on Learning Representations, Toulon, France, 2017.","DOI":"10.1201\/9781351251389-8"},{"key":"1343_CR76","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1145\/3128572.3140444","volume-title":"Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security","author":"N Carlini","year":"2017","unstructured":"N. Carlini, D. Wagner. Adversarial examples are not easily detected: Bypassing ten detection methods. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, ACM, Dallas, USA, pp. 3\u201314, 2017. DOI: https:\/\/doi.org\/10.1145\/3128572.3140444."},{"key":"1343_CR77","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1145\/3128572.3140448","volume-title":"Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security","author":"P Y Chen","year":"2017","unstructured":"P. Y. Chen, H. Zhang, Y. Sharma, J. F. Yi, C. J. Hsieh. ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, ACM, Dallas, USA, pp. 15\u201326, 2017. DOI: https:\/\/doi.org\/10.1145\/3128572.3140448."},{"key":"1343_CR78","unstructured":"A. Ilyas, L. Engstrom, A. Athalye, J. Lin. Black-box adversarial attacks with limited queries and information. In Proceedings of the 35th International Conference on Machine Learning, Stockholm, Sweden, pp. 2137\u20132146, 2018."},{"key":"1343_CR79","doi-asserted-by":"publisher","first-page":"135","DOI":"10.1145\/3133956.3134057","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security","author":"D Y Meng","year":"2017","unstructured":"D. Y. Meng, H. Chen. MagNet: A two-pronged defense against adversarial examples. In Proceedings of ACM SIGSAC Conference on Computer and Communications Security, ACM, Dallas, USA, pp. 135\u2013147, 2017. 
DOI: https:\/\/doi.org\/10.1145\/3133956.3134057."},{"key":"1343_CR80","doi-asserted-by":"publisher","first-page":"2574","DOI":"10.1109\/CVPR.2016.282","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"S M Moosavi-Dezfooli","year":"2016","unstructured":"S. M. Moosavi-Dezfooli, A. Fawzi, P. Frossard. DeepFool: A simple and accurate method to fool deep neural networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, IEEE, Las Vegas, USA, pp. 2574\u20132582, 2016. DOI: https:\/\/doi.org\/10.1109\/CVPR.2016.282."},{"key":"1343_CR81","doi-asserted-by":"publisher","first-page":"582","DOI":"10.1109\/SP.2016.41","volume-title":"Proceedings of IEEE Symposium on Security and Privacy","author":"N Papernot","year":"2016","unstructured":"N. Papernot, P. McDaniel, X. Wu, S. Jha, A. Swami. Distillation as a defense to adversarial perturbations against deep neural networks. In Proceedings of IEEE Symposium on Security and Privacy, IEEE, San Jose, USA, pp. 582\u2013597, 2016. DOI: https:\/\/doi.org\/10.1109\/SP.2016.41."},{"key":"1343_CR82","unstructured":"J. H. Metzen, T. Genewein, V. Fischer, B. Bischoff. On detecting adversarial perturbations. In Proceedings of the 5th International Conference on Learning Representations, Toulon, France, 2017."},{"key":"1343_CR83","unstructured":"K. Grosse, P. Manoharan, N. Papernot, M. Backes, P. McDaniel. On the (statistical) detection of adversarial examples. [Online], Available: https:\/\/arxiv.org\/abs\/1702.06280, 2017."},{"key":"1343_CR84","volume-title":"Proceedings of the 31st USENIX Security Symposium","author":"C Fu","year":"2022","unstructured":"C. Fu, X. H. Zhang, S. L. Ji, J. Y. Chen, J. Z. Wu, S. Q. Guo, J. Zhou, A. X. Liu, T. Wang. Label inference attacks against vertical federated learning. In Proceedings of the 31st USENIX Security Symposium, USENIX Association, Boston, USA, 2022."},{"key":"1343_CR85","unstructured":"Y. Liu, Z. H. Yi, T. 
J. Chen. Backdoor attacks and defenses in feature-partitioned collaborative learning. [Online], Available: https:\/\/arxiv.org\/abs\/2007.03608, 2020."},{"key":"1343_CR86","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1109\/ICDE51399.2021.00023","volume-title":"Proceedings of the 37th IEEE International Conference on Data Engineering","author":"X J Luo","year":"2021","unstructured":"X. J. Luo, Y. C. Wu, X. K. Xiao, B. C. Ooi. Feature inference attack on model predictions in vertical federated learning. In Proceedings of the 37th IEEE International Conference on Data Engineering, IEEE, Chania, Greece, pp. 181\u2013192, 2021. DOI: https:\/\/doi.org\/10.1109\/ICDE51399.2021.00023."},{"key":"1343_CR87","doi-asserted-by":"publisher","DOI":"10.14722\/diss.2020.23004","volume-title":"Proceedings of the Workshop on Decentralized IoT Systems and Security","author":"A Pustozerova","year":"2020","unstructured":"A. Pustozerova, R. Mayer. Information leaks in federated learning. In Proceedings of the Workshop on Decentralized IoT Systems and Security, DISS, San Diego, USA, 2020. DOI: https:\/\/doi.org\/10.14722\/diss.2020.23004."},{"key":"1343_CR88","doi-asserted-by":"publisher","first-page":"269","DOI":"10.1145\/3078971.3078974","volume-title":"Proceedings of ACM International Conference on Multimedia Retrieval","author":"Y Uchida","year":"2017","unstructured":"Y. Uchida, Y. Nagai, S. Sakazawa, S. Satoh. Embedding watermarks into deep neural networks. In Proceedings of ACM International Conference on Multimedia Retrieval, ACM, Bucharest, Romania, pp. 269\u2013277, 2017. DOI: https:\/\/doi.org\/10.1145\/3078971.3078974."},{"key":"1343_CR89","doi-asserted-by":"publisher","unstructured":"L. X. Fan, K. W. Ng, C. S. Chan, Q. Yang, DeepIP: Deep neural network intellectual property protection with passports. IEEE Transactions on Pattern Analysis and Machine Intelligence, to be published. 
DOI: https:\/\/doi.org\/10.1109\/TPAMI.2021.3088846.","DOI":"10.1109\/TPAMI.2021.3088846"},{"key":"1343_CR90","doi-asserted-by":"publisher","first-page":"1615","DOI":"10.5555\/3277203.3277324","volume-title":"Proceedings of the 27th USENIX Conference on Security Symposium","author":"Y Adi","year":"2018","unstructured":"Y. Adi, C. Baum, M. Cisse, B. Pinkas, J. Keshet. Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In Proceedings of the 27th USENIX Conference on Security Symposium, ACM, Baltimore, USA, pp. 1615\u20131631, 2018. DOI: https:\/\/doi.org\/10.5555\/3277203.3277324."},{"key":"1343_CR91","doi-asserted-by":"publisher","first-page":"310","DOI":"10.1109\/SRDS53918.2021.00038","volume-title":"Proceedings of the 40th International Symposium on Reliable Distributed Systems","author":"B G A Tekgul","year":"2021","unstructured":"B. G. A. Tekgul, Y. X. Xia, S. Marchal, N. Asokan. WAFFLE: Watermarking in federated learning. In Proceedings of the 40th International Symposium on Reliable Distributed Systems, IEEE, Chicago, USA, pp. 310\u2013320, 2021. DOI: https:\/\/doi.org\/10.1109\/SRDS53918.2021.00038."},{"key":"1343_CR92","unstructured":"B. W. Li, L. X. Fan, H. L. Gu, J. Li, Q. Yang. FedIPR: Ownership verification for federated deep neural network models. [Online], Available: https:\/\/arxiv.org\/abs\/2109.13236, 2022."},{"key":"1343_CR93","unstructured":"E. M. El Mhamdi, R. Guerraoui, S. Rouault. The hidden vulnerability of distributed learning in Byzantium. In Proceedings of the 35th International Conference on Machine Learning, Stockholm, Sweden, pp. 3521\u20133530, 2018."},{"key":"1343_CR94","doi-asserted-by":"publisher","unstructured":"Y. He, N. Yu, M. Keuper, M. Fritz. Beyond the spectrum: Detecting Deepfakes via re-synthesis. In Proceedings of the 30th International Joint Conference on Artificial Intelligence, Beijing, China, pp. 2534\u20132541, 2021. 
DOI: https:\/\/doi.org\/10.24963\/ijcai.2021\/349.","DOI":"10.24963\/ijcai.2021\/349"},{"key":"1343_CR95","doi-asserted-by":"publisher","first-page":"103","DOI":"10.1007\/978-3-030-58574-7_7","volume-title":"Proceedings of the 16th European Conference on Computer Vision","author":"L Chai","year":"2020","unstructured":"L. Chai, D. Bau, S. N. Lim, P. Isola. What makes fake images detectable? Understanding properties that generalize. In Proceedings of the 16th European Conference on Computer Vision, Springer, Glasgow, UK, pp. 103\u2013120, 2020. DOI: https:\/\/doi.org\/10.1007\/978-3-030-58574-7_7."},{"key":"1343_CR96","doi-asserted-by":"publisher","first-page":"8057","DOI":"10.1109\/CVPR42600.2020.00808","volume-title":"Proceedings of IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Z Z Liu","year":"2020","unstructured":"Z. Z. Liu, X. J. Qi, P. H. S. Torr. Global texture enhancement for fake face detection in the wild. In Proceedings of IEEE\/CVF Conference on Computer Vision and Pattern Recognition, IEEE, Seattle, USA, pp. 8057\u20138066, 2020. DOI: https:\/\/doi.org\/10.1109\/CVPR42600.2020.00808."},{"issue":"4","key":"1343_CR97","doi-asserted-by":"publisher","first-page":"1200","DOI":"10.1109\/TIFS.2011.2163627","volume":"6","author":"E Nezhadarya","year":"2011","unstructured":"E. Nezhadarya, Z. J. Wang, R. K. Ward. Robust image watermarking based on multiscale gradient direction quantization. IEEE Transactions on Information Forensics and Security, vol. 6, no. 4, pp. 1200\u20131213, 2011. DOI: https:\/\/doi.org\/10.1109\/TIFS.2011.2163627.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"issue":"6","key":"1343_CR98","doi-asserted-by":"publisher","first-page":"1403","DOI":"10.1109\/TIFS.2018.2878541","volume":"14","author":"H Fang","year":"2019","unstructured":"H. Fang, W. M. Zhang, H. Zhou, H. Cui, N. H. Yu. Screen-shooting resilient watermarking. IEEE Transactions on Information Forensics and Security, vol. 
14, no. 6, pp. 1403\u20131418, 2019. DOI: https:\/\/doi.org\/10.1109\/TIFS.2018.2878541.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"issue":"6","key":"1343_CR99","doi-asserted-by":"publisher","first-page":"1432","DOI":"10.1109\/TIFS.2018.2879301","volume":"14","author":"H Mareen","year":"2019","unstructured":"H. Mareen, J. De Praeter, G. Van Wallendael, P. Lambert. A scalable architecture for uncompressed-domain watermarked videos. IEEE Transactions on Information Forensics and Security, vol. 14, no. 6, pp. 1432\u20131444, 2019. DOI: https:\/\/doi.org\/10.1109\/TIFS.2018.2879301.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"issue":"9","key":"1343_CR100","doi-asserted-by":"publisher","first-page":"2131","DOI":"10.1109\/TCSVT.2017.2712162","volume":"28","author":"M Asikuzzaman","year":"2018","unstructured":"M. Asikuzzaman, M. R. Pickering. An overview of digital video watermarking. IEEE Transactions on Circuits and Systems for Video Technology, vol. 28, no. 9, pp. 2131\u20132153, 2018. DOI: https:\/\/doi.org\/10.1109\/TCSVT.2017.2712162.","journal-title":"IEEE Transactions on Circuits and Systems for Video Technology"},{"issue":"1","key":"1343_CR101","doi-asserted-by":"publisher","first-page":"45","DOI":"10.1109\/TMM.2017.2721642","volume":"20","author":"M J Hwang","year":"2018","unstructured":"M. J. Hwang, J. Lee, M. Lee, H. G. Kang. SVD-based adaptive QIM watermarking on stereo audio signals. IEEE Transactions on Multimedia, vol. 20, no. 1, pp. 45\u201354, 2018. DOI: https:\/\/doi.org\/10.1109\/TMM.2017.2721642.","journal-title":"IEEE Transactions on Multimedia"},{"issue":"4","key":"1343_CR102","doi-asserted-by":"publisher","first-page":"840","DOI":"10.1109\/TIFS.2016.2636094","volume":"12","author":"Y Erfani","year":"2017","unstructured":"Y. Erfani, R. Pichevar, J. Rouat. Audio watermarking using spikegram and a two-dictionary approach. IEEE Transactions on Information Forensics and Security, vol. 
12, no. 4, pp. 840\u2013852, 2017. DOI: https:\/\/doi.org\/10.1109\/TIFS.2016.2636094.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"issue":"6","key":"1343_CR103","doi-asserted-by":"publisher","first-page":"1393","DOI":"10.1109\/TIFS.2017.2661724","volume":"12","author":"A Nadeau","year":"2017","unstructured":"A. Nadeau, G. Sharma. An audio watermark designed for efficient and robust resynchronization after Analog playback. IEEE Transactions on Information Forensics and Security, vol. 12, no. 6, pp. 1393\u20131405, 2017. DOI: https:\/\/doi.org\/10.1109\/TIFS.2017.2661724.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"issue":"9","key":"1343_CR104","doi-asserted-by":"publisher","first-page":"2372","DOI":"10.1109\/TIFS.2018.2819122","volume":"13","author":"Z X Lin","year":"2018","unstructured":"Z. X. Lin, F. Peng, M. Long. A low-distortion reversible watermarking for 2D engineering graphics based on region nesting. IEEE Transactions on Information Forensics and Security, vol. 13, no. 9, pp. 2372\u20132382, 2018. DOI: https:\/\/doi.org\/10.1109\/TIFS.2018.2819122.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"1343_CR105","doi-asserted-by":"publisher","DOI":"10.5555\/3495724.3497620","volume-title":"Proceedings of the 34th International Conference on Neural Information Processing Systems","author":"J Zhang","year":"2020","unstructured":"J. Zhang, D. D. Chen, J. Liao, W. M. Zhang, G. Hua, N. H. Yu. Passport-aware normalization for deep model protection. In Proceedings of the 34th International Conference on Neural Information Processing Systems, ACM, Vancouver, Canada, Article number 1896, 2020. DOI: https:\/\/doi.org\/10.5555\/3495724.3497620."},{"key":"1343_CR106","doi-asserted-by":"crossref","unstructured":"H. Chen, B. D. Rohani, F. Koushanfar. DeepMarks: A digital fingerprinting framework for deep neural networks. 
[Online], Available: https:\/\/arxiv.org\/abs\/1804.03648, 2018.","DOI":"10.1145\/3323873.3325042"},{"key":"1343_CR107","unstructured":"B. D. Rohani, H. L. Chen, F. Koushanfar. DeepSigns: A generic watermarking framework for IP protection of deep learning models. [Online], Available: https:\/\/arxiv.org\/abs\/1804.00750, 2018."},{"issue":"13","key":"1343_CR108","doi-asserted-by":"publisher","first-page":"9233","DOI":"10.1007\/s00521-019-04434-z","volume":"32","author":"E Le Merrer","year":"2020","unstructured":"E. Le Merrer, P. P\u00e9rez, G. Tr\u00e9dan. Adversarial frontier stitching for remote neural network watermarking. Neural Computing and Applications, vol. 32, no. 13, pp. 9233\u20139244, 2020. DOI: https:\/\/doi.org\/10.1007\/s00521-019-04434-z.","journal-title":"Neural Computing and Applications"},{"key":"1343_CR109","doi-asserted-by":"publisher","first-page":"3629","DOI":"10.1109\/CVPR46437.2021.00363","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"D S Ong","year":"2021","unstructured":"D. S. Ong, C. S. Chan, K. W. Ng, L. X. Fan, Q. Yang. Protecting intellectual property of generative adversarial networks from ambiguity attacks. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, IEEE, Nashville, USA, pp. 3629\u20133638, 2021. DOI: https:\/\/doi.org\/10.1109\/CVPR46437.2021.00363."},{"key":"1343_CR110","doi-asserted-by":"publisher","unstructured":"J. H. Lim, C. S. Chan, K. W. Ng, L. X. Fan, Q. Yang. Protect, show, attend and tell: Empowering image captioning models with ownership protection. Pattern Recognition, vol. 122, pp. 108285. DOI: https:\/\/doi.org\/10.1016\/j.patcog.2021.108285.","DOI":"10.1016\/j.patcog.2021.108285"},{"key":"1343_CR111","unstructured":"A. Radford, L. Metz, S. Chintala. Unsupervised representation learning with deep convolutional generative adversarial networks. 
In Proceedings of the 4th International Conference on Learning Representations, San Juan, Puerto Rico, 2016."},{"key":"1343_CR112","doi-asserted-by":"publisher","unstructured":"C. Ledig, L. Theis, F. Husz\u00e1r, J. Caballero, A. Cunningham, A. Acosta, A. Aitken, A. Tejani, J. Totz, Z. H. Wang, W. Z. Shi. Photo-realistic single image super-resolution using a generative adversarial network. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition, IEEE, Honolulu, USA, pp. 105\u2013114. DOI: https:\/\/doi.org\/10.1109\/CVPR.2017.19.","DOI":"10.1109\/CVPR.2017.19"},{"key":"1343_CR113","doi-asserted-by":"publisher","first-page":"2242","DOI":"10.1109\/ICCV.2017.244","volume-title":"Proceedings of IEEE International Conference on Computer Vision","author":"J Y Zhu","year":"2017","unstructured":"J. Y. Zhu, T. Park, P. Isola, A. A. Efros. Unpaired image-to-image translation using cycle-consistent adversarial networks. In Proceedings of IEEE International Conference on Computer Vision, IEEE, Venice, Italy, pp. 2242\u20132251, 2017. DOI: https:\/\/doi.org\/10.1109\/ICCV.2017.244."},{"key":"1343_CR114","doi-asserted-by":"publisher","first-page":"601","DOI":"10.5555\/3241094.3241142","volume-title":"Proceedings of the 25th USENIX Conference on Security Symposium","author":"F Tram\u00e8r","year":"2016","unstructured":"F. Tram\u00e8r, F. Zhang, A. Juels, M. K. Reiter, T. Ristenpart. Stealing machine learning models via prediction APIs. In Proceedings of the 25th USENIX Conference on Security Symposium, ACM, Austin, USA, pp. 601\u2013618, 2016. DOI: https:\/\/doi.org\/10.5555\/3241094.3241142."},{"key":"1343_CR115","doi-asserted-by":"publisher","first-page":"4949","DOI":"10.1109\/CVPR.2019.00509","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"T Orekondy","year":"2019","unstructured":"T. Orekondy, B. Schiele, M. Fritz. Knockoff nets: Stealing functionality of black-box models. 
In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, IEEE, Long Beach, USA, pp. 4949\u20134958, 2019. DOI: https:\/\/doi.org\/10.1109\/CVPR.2019.00509."},{"key":"1343_CR116","doi-asserted-by":"publisher","first-page":"506","DOI":"10.1145\/3052973.3053009","volume-title":"Proceedings of ACM on Asia Conference on Computer and Communications Security","author":"N Papernot","year":"2017","unstructured":"N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, A. Swami. Practical black-box attacks against machine learning. In Proceedings of ACM on Asia Conference on Computer and Communications Security, ACM, Abu Dhabi, UAE, pp. 506\u2013519, 2017. DOI: https:\/\/doi.org\/10.1145\/3052973.3053009."},{"key":"1343_CR117","unstructured":"WeBank AI Department (2020-03-07). Federated AI Technology Enabler (FATE), 2020-03-07. [Online], Available: https:\/\/github.com\/FederatedAI\/FATE."},{"key":"1343_CR118","unstructured":"K. Bonawitz, H. Eichner, W. Grieskamp, D. Huba, A. Ingerman, V. Ivanov, C. Kiddon, J. Kone\u010dn\u00fd, S. Mazzocchi, B. McMahan, T. Van Overveldt, D. Petrou, D. Ramage, J. Roselander. Towards federated learning at scale: System design. In Proceedings of the 2nd SysML Conference, Stanford, USA, 2019."},{"key":"1343_CR119","unstructured":"Google. Tensorflow Federated (TFF), [Online], Available: https:\/\/tensorflow.google.cn\/federated."},{"key":"1343_CR120","unstructured":"OpenMined. PySyft, [Online], Available: https:\/\/github.com\/OpenMined."},{"key":"1343_CR121","unstructured":"T. Ryffel, A. Trask, M. Dahl, B. Wagner, J. Mancuso, D. Rueckert, J. Passerat-Palmbach. A generic framework for privacy preserving deep learning. [Online], Available: https:\/\/arxiv.org\/abs\/1811.04017, 2018."},{"key":"1343_CR122","unstructured":"G. A. Reina, A. Gruzdev, P. Foley, O. Perepelkina, M. Sharma, I. Davidyuk, I. Trushkin, M. Radionov, A. Mokrov, D. Agapov, J. Martin, B. Edwards, M. J. Sheller, S. Pati, P. N. Moorthy, S. H. 
Wang, P. Shah, S. Bakas. OpenFL: An open-source framework for federated learning. [Online], Available: https:\/\/arxiv.org\/abs\/2105.06413, 2021."},{"key":"1343_CR123","unstructured":"Intel. OpenFL \u2014 An open-source framework for federated learning, [Online], Available: https:\/\/github.com\/intel\/openfl."},{"key":"1343_CR124","unstructured":"H. Ludwig, N. Baracaldo, G. Thomas, Y. Zhou, A. Anwar, S. Rajamoni, Y. Ong, J. Radhakrishnan, A. Verma, M. Sinn, M. Purcell, A. Rawat, T. Minh, N. Holohan, S. Chakraborty, S. Whitherspoon, D. Steuer, L. Wynter, H. Hassan, S. Laguna, M. Yurochkin, M. Agarwal, E. Chuba, A. Abay. IBM federated learning: An enterprise framework white paper V0.1. [Online], Available: https:\/\/arxiv.org\/abs\/2007.10987, 2020."},{"key":"1343_CR125","unstructured":"Nvidia. Nvidia Clara, [Online], Available: https:\/\/developer.nvidia.com\/clara."},{"key":"1343_CR126","unstructured":"C. Y. He, S. Z. Li, J. So, X. Zeng, M. Zhang, H. Y. Wang, X. Y. Wang, P. Vepakomma, A. Singh, H. Qiu, X. H. Zhu, J. Z. Wang, L. Shen, P. L. Zhao, Y. Kang, Y. Liu, R. Raskar, Q. Yang, M. Annavaram, S. Avestimehr. FedML: A research library and benchmark for federated machine learning. [Online], Available: https:\/\/arxiv.org\/abs\/2007.13518, 2020."},{"key":"1343_CR127","unstructured":"FedML-AI. FedML, [Online], Available: https:\/\/github.com\/FedML-AI\/FedML."},{"key":"1343_CR128","unstructured":"Bytedance. Fedlearner, [Online], Available: https:\/\/github.com\/bytedance\/fedlearner."},{"key":"1343_CR129","unstructured":"D. J. Beutel, T. Topal, A. Mathur, X. C. Qiu, J. Fernandez-Marques, Y. Gao, L. Sani, K. H. Li, T. Parcollet, P. P. B. de Gusm\u00e3o, N. D. Lane. Flower: A friendly federated learning research framework. [Online], Available: https:\/\/arxiv.org\/abs\/2007.14390, 2020."},{"key":"1343_CR130","unstructured":"PaddlePaddle. PaddleFL, [Online], Available: https:\/\/github.com\/PaddlePaddle\/PaddleFL."},{"key":"1343_CR131","unstructured":"Tencent. 
Angel PowerFL, [Online], Available: https:\/\/cloud.tencent.com\/solution\/powerfl."},{"key":"1343_CR132","unstructured":"S. Caldas, S. M. K. Duddu, P. Wu, T. Li, J. Kone\u010dn\u00fd, H. B. McMahan, V. Smith, A. Talwalkar. LEAF: A benchmark for federated settings. [Online], Available: https:\/\/arxiv.org\/abs\/1812.01097, 2018."},{"key":"1343_CR133","unstructured":"Sherpa.ai. Sherpa.ai, [Online], Available: https:\/\/sherpa.ai\/."},{"key":"1343_CR134","unstructured":"D. Romanini, A. J. Hall, P. Papadopoulos, T. Titcombe, A. Ismail, T. Cebere, R. Sandmann, R. Roehm, M. A. Hoeh. PyVertical: A vertical federated learning framework for multi-headed splitNN. [Online], Available: https:\/\/arxiv.org\/abs\/2104.00489, 2021."}],"container-title":["Machine Intelligence Research"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11633-022-1343-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11633-022-1343-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11633-022-1343-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,1,10]],"date-time":"2023-01-10T17:40:56Z","timestamp":1673372456000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11633-022-1343-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,10]]},"references-count":134,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,2]]}},"alternative-id":["1343"],"URL":"https:\/\/doi.org\/10.1007\/s11633-022-1343-2","relation":{},"ISSN":["2731-538X","2731-5398"],"issn-type":[{"value":"2731-538X","type":"print"},{"value":"2731-5398","type":"electronic"}],"subject":[],"published":{"date-parts":[
[2023,1,10]]},"assertion":[{"value":"2 March 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"2 June 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"10 January 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}