Abstract: A neural network is augmented to enhance robustness against adversarial attack. In this approach, a fully-connected additional layer is associated with a last layer of the neural network. The additional layer has a lower dimensionality than at least one or more intermediate layers. After sizing the additional layer appropriately, a vector bit encoding is applied. The encoding comprises an encoding vector for each output class. Preferably, the encoding is an n-hot encoding, wherein n represents a hyperparameter. The resulting neural network is then trained to encourage the network to associated features with each of the hot positions. In this manner, the network learns a reduced feature set representing those features that contain a high amount of information with respect to each output class, and/or to learn constraints between those features and the output classes. The trained neural network is used to perform a classification that is robust against adversarial examples.

Abstract: A processor-implemented method generates adversarial example objects. One or more processors represent an adversarial input generation process as a graph. The processor(s) explore the graph, such that a sequence of edges on the graph are explored. The processor(s) create, based on the exploring, an adversarial example object, and utilize the created adversarial example object to harden an existing process model against vulnerabilities.

Abstract: A method to detect anomalous behavior in a computing system begins by training a graph neural network (GNN) in an unsupervised manner by applying contrastive representation learning on sets of positive samples and negative samples derived from one or more heterogeneous graphs using meta-path sampling. Following training, a temporal graph derived from system-generated events is received. The GNN is used to embed the temporal graph into a vector representation in a vector space. The trained GNN is also used to embed a set of attack pattern graphs into corresponding vector representations in the vector space. For anomaly detection, the representation corresponding to the temporal graph is compared to the representations corresponding to the attack pattern graphs. In one embodiment, the comparison is implemented using a fuzzy pattern matching algorithm. If a fuzzy match is found, an indication that the temporal graph is associated with a potential attack on the computing system is then output.

Abstract: Techniques for distributed federated learning leverage a multi-layered defense strategy to provide for reduced information leakage. In lieu of aggregating model updates centrally, an aggregation function is decentralized into multiple independent and functionally-equivalent execution entities, each running within its own trusted executed environment (TEE). The TEEs enable confidential and remote-attestable federated aggregation. Preferably, each aggregator entity runs within an encrypted virtual machine that support runtime in-memory encryption. Each party remotely authenticates the TEE before participating in the training. By using multiple decentralized aggregators, parties are enabled to partition their respective model updates at model-parameter granularity, and can map single weights to a specific aggregator entity. Parties also can dynamically shuffle fragmentary model updates at each training iteration to further obfuscate the information dispatched to each aggregator execution entity.

Abstract: Adaptive verifiable training enables the creation of machine learning models robust with respect to multiple robustness criteria. In general, such training exploits inherent inter-class similarities within input data and enforces multiple robustness criteria based on this information. In particular, the approach exploits pairwise class similarity and improves the performance of a robust model by relaxing robustness constraints for similar classes and increasing robustness constraints for dissimilar classes. Between similar classes, looser robustness criteria (i.e., smaller ?) are enforced so as to minimize possible overlap when estimating the robustness region during verification. Between dissimilar classes, stricter robustness regions (i.e., larger ?) are enforced. If pairwise class relationships are not available initially, preferably they are generated by receiving a pre-trained classifier and then applying a clustering algorithm (e.g., agglomerative clustering) to generate them.

Abstract: A neural network is augmented to enhance robustness against adversarial attack. In this approach, a fully-connected additional layer is associated with a last layer of the neural network. The additional layer has a lower dimensionality than at least one or more intermediate layers. After sizing the additional layer appropriately, a vector bit encoding is applied. The encoding comprises an encoding vector for each output class. Preferably, the encoding is an n-hot encoding, wherein n represents a hyperparameter. The resulting neural network is then trained to encourage the network to associated features with each of the hot positions. In this manner, the network learns a reduced feature set representing those features that contain a high amount of information with respect to each output class, and/or to learn constraints between those features and the output classes. The trained neural network is used to perform a classification that is robust against adversarial examples.