Abstract: A method is provided for detecting copying of a machine learning model. In the method, the first machine learning model is divided into a plurality of portions. Intermediate outputs from a hidden layer of a selected one of the plurality of portions is compared to corresponding outputs from a second machine learning model to detect the copying. Alternately, a first seal may be generated using the plurality of inputs and the intermediate outputs from nodes of the selected portion. A second seal from a suspected copy that has been generated the same way is compared to the first seal to detect the copying. If the first and second seals are the same, then there is a high likelihood that the suspected copy is an actual copy. By using the method, only the intermediate outputs of the machine learning model outputs have to be disclosed to others, thus protecting the confidentiality of the model.

Abstract: A method and data processing system are provided for determining if a machine learning model has been copied. The machine learning model has a plurality of nodes, the plurality of nodes is organized as a plurality of interconnected layers, and the plurality of interconnected layers includes an input layer and an output layer. The output layer has a predetermined number of output nodes for classifying input samples into a predetermined number of categories, where each output node corresponds to a category. An additional watermarking node is added to the output layer. The model is trained to classify the input data into the predetermined number of categories and into an additional category for the additional node. The additional node may be added to another model to determine if the another model is a copy or clone of the ML model.

Abstract: A method and data processing system for making a machine learning model more resistant to adversarial examples are provided. In the method, an input for a machine learning model is provided. A randomly generated mask is added to the input to produce a modified input. The modified input is provided to the machine learning model. The randomly generated mask negates the effect of a perturbation added to the input for causing the input to be an adversarial example. The method may be implemented using the data processing system.

Abstract: A method is provided for detecting copying of a machine learning model. A plurality of inputs is provided to a first machine learning model. The first machine learning model provides a plurality of output values. A sequence of bits of a master input is divided into a plurality of subsets of bits. The master input may be an image. Each subset of the plurality of subsets of bits corresponds to one of the plurality of output values. An ordered sequence of the inputs is generated based on the plurality of subsets of bits. The ordered sequence of the inputs is inputted to a second machine learning model. It is then determined if output values from the second machine learning model reproduces the predetermined master input. If the predetermined master input is reproduced, the second machine learning model is a copy of the first machine learning model.

Abstract: A method is provided for protecting a software program from copying. The method includes providing a first implementation of the software program. A second implementation of the software program is then provided. The second implementation provides a same functionality as the first implementation, and wherein the second implementation includes a plurality of dummy operations to increase a number of operations and an execution time of the second implementation compared to the first implementation. The dummy operations are encoded. The second implementation may then be compared to another software program to determine if the another software program is a copy of the first implementation of the software program. This allows a copy of the first implementation to be detected without disclosing the first implementation.

Abstract: A method is provided for protecting a software program from copying. The method includes providing a first implementation of the software program. A second implementation of the software program is then provided. The second implementation provides a same functionality as the first implementation, and wherein the second implementation includes a plurality of dummy operations to increase a number of operations and an execution time of the second implementation compared to the first implementation. The dummy operations are encoded. The second implementation may then be compared to another software program to determine if the another software program is a copy of the first implementation of the software program. This allows a copy of the first implementation to be detected without disclosing the first implementation.

Abstract: A method and data processing system are provided for determining if a machine learning model has been copied. The machine learning model has a plurality of nodes, the plurality of nodes is organized as a plurality of interconnected layers, and the plurality of interconnected layers includes an input layer and an output layer. The output layer has a predetermined number of output nodes for classifying input samples into a predetermined number of categories, where each output node corresponds to a category. An additional watermarking node is added to the output layer. The model is trained to classify the input data into the predetermined number of categories and into an additional category for the additional node. The additional node may be added to another model to determine if the another model is a copy or clone of the ML model.

Abstract: A method for processing information includes transforming first information based on a first function, transforming second information based on a second function, processing the first transformed information using a first machine-learning model to generate a first result, processing the second transformed information using a second machine-learning model to generate a second result, and aggregating the first result and the second result to generate a decision. The first and second information may be the same information. The first function may be different from the second function. The first machine-learning model may be based on a first algorithm, and the second machine-learning algorithm may be based on a second algorithm.

Abstract: A method is provided for detecting copying of a machine learning model. In the method, the first machine learning model is divided into a plurality of portions. Intermediate outputs from a hidden layer of a selected one of the plurality of portions is compared to corresponding outputs from a second machine learning model to detect the copying. Alternately, a first seal may be generated using the plurality of inputs and the intermediate outputs from nodes of the selected portion. A second seal from a suspected copy that has been generated the same way is compared to the first seal to detect the copying. If the first and second seals are the same, then there is a high likelihood that the suspected copy is an actual copy. By using the method, only the intermediate outputs of the machine learning model outputs have to be disclosed to others, thus protecting the confidentiality of the model.

Abstract: A method and data processing system for making a machine learning model more resistant to adversarial examples are provided. In the method, an input for a machine learning model is provided. A randomly generated mask is added to the input to produce a modified input. The modified input is provided to the machine learning model. The randomly generated mask negates the effect of a perturbation added to the input for causing the input to be an adversarial example. The method may be implemented using the data processing system.

Abstract: A method is provided for detecting copying of a machine learning model. A plurality of inputs is provided to a first machine learning model. The first machine learning model provides a plurality of output values. A sequence of bits of a master input is divided into a plurality of subsets of bits. The master input may be an image. Each subset of the plurality of subsets of bits corresponds to one of the plurality of output values. An ordered sequence of the inputs is generated based on the plurality of subsets of bits. The ordered sequence of the inputs is inputted to a second machine learning model. It is then determined if output values from the second machine learning model reproduces the predetermined master input. If the predetermined master input is reproduced, the second machine learning model is a copy of the first machine learning model.

Abstract: A method of computing a message authentication code (MAC) for a message having a common part and an independent part using a constrained processor, including: performing a MAC function on the common part of the message using a first secret key to produce a first output; performing a pseudorandom function on the independent part of the message using a second key to produce a second output, wherein the computation time of the pseudorandom function is significantly less than the computation time of the MAC function; and combining the first output and the second output to produce a computed MAC for the message.

Abstract: A method of computing a message authentication code (MAC) for a message having a common part and an independent part using a constrained processor, including: performing a MAC function on the common part of the message using a first secret key to produce a first output; performing a pseudorandom function on the independent part of the message using a second key to produce a second output, wherein the computation time of the pseudorandom function is significantly less than the computation time of the MAC function; and combining the first output and the second output to produce a computed MAC for the message.