Patents by Inventor Wilhelmus Petrus Adrianus Johannus Michiels
Wilhelmus Petrus Adrianus Johannus Michiels has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 12086246
  Abstract: A method is provided for protecting a machine learning (ML) model from a side channel attack (SCA). The method is executed by a processor in a data processing system. The method includes generating a first random bit. A first weighted sum is computed for a first connection between a node of a first layer and a node of a second layer of the ML model. The first weighted sum for the first connection is equal to a multiplication of the weight of the first connection multiplied by an input to the selected node. In the multiplication, one of the weight or the input is negated conditioned on a value of the random bit. A first output including the computed first weighted sum is provided to one or more nodes of a second layer of the plurality of layers.
  Type: Grant
  Filed: July 1, 2022
  Date of Patent: September 10, 2024
  Assignee: NXP B.V.
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
- Publication number: 20240249184
  Abstract: A method is provided for detecting non-problem domain (NPD) data in a machine learning (ML) model. The method includes training the ML model using problem domain (PD) training data. A second fully connected layer is added to the trained ML model in parallel with a first fully connected layer in the trained ML model. The trained ML model is retrained with NPD training data while preventing weights in the ML model from changing except for weights of the second fully connected layer. An inference operation is performed with the retrained ML model. Output vectors are received from the first and second fully connected layers via a Softmax layer. A metric is computed using the output vectors. The metric is compared to a threshold metric to determine if input samples are PD or NPD. An indication is provided when NPD data is detected. In another embodiment, an ML model is provided.
  Type: Application
  Filed: January 19, 2023
  Publication date: July 25, 2024
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
- Patent number: 12032690
  Abstract: A method is provided for protecting a machine learning model from a side channel attack. A weighted sum vector having first and second elements is initialized. A weight vector for a connection between a node of a first layer and a node of a second layer is multiplied with an input vector to the node of the first layer. A first element of the weight vector includes a weight, and a first element of the input vector includes the input. A second element of the weight vector is a negation of the first element of the weight vector, and the second element of the input vector equals the first element of the input vector. A multiplication result is added to the weighted sum vector to produce a computed weighted sum vector. An output vector including the computed weighted sum vector is provided to the node of the second layer.
  Type: Grant
  Filed: July 1, 2022
  Date of Patent: July 9, 2024
  Assignee: NXP B.V.
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
- Patent number: 12019759
  Abstract: A data processing system has a processor and a system memory. The system memory may be a dynamic random-access memory (DRAM). The processor includes an embedded memory. The system memory is coupled to the processor and is organized in a plurality of pages. A portion of the code or data stored in the plurality of memory pages is selected for permutation. A permutation order is generated, and the memory pages containing the portion of code or data are permuted using the permutation order. The permutation order and/or a reverse permutation order to recover the original order may be stored in the embedded memory. Permuting the memory pages with a permutation order stored in the embedded memory prevents the code or data from being read during a freeze attack on the system memory in a way that is useful to an attacker.
  Type: Grant
  Filed: January 7, 2021
  Date of Patent: June 25, 2024
  Assignee: NXP B.V.
  Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Jan Hoogerbrugge, Ad Arts
- Publication number: 20240202323
  Abstract: Systems and methods for protecting a Machine Learning (ML) model from extraction are described. In an illustrative, non-limiting embodiment, a method may include: obtaining a plurality of input samples usable as part of an inference operation, wherein the inference operation is performed through execution of a machine learning (ML) model. The method may further include obtaining a plurality of outputs from the inference operation. The method may further include detecting a temporal inconsistency among at least one of: (a) the plurality of input samples, or (b) the plurality of outputs. Finally, the method may further include identifying an attempt to extract the ML model, based at least in part upon the determination.
  Type: Application
  Filed: December 16, 2022
  Publication date: June 20, 2024
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
- Patent number: 12013922
  Abstract: A method is provided for watermarking a machine learning model used for object detection. In the method, a first subset of a labeled set of ML training samples is selected. Each of one or more objects in the first subset includes a class label. A pixel pattern is selected to use as a watermark in the first subset of images. The pixel pattern is made partially transparent. A target class label is selected. One or more objects of the first subset of images are relabeled with the target class label. In another embodiment, the class labels are removed from objects in the subset of images instead of relabeling them. Each of the first subset of images is overlaid with the partially transparent and scaled pixel pattern. The ML model is trained with the set of training images and the first subset of images to produce a trained and watermarked ML model.
  Type: Grant
  Filed: July 30, 2021
  Date of Patent: June 18, 2024
  Assignee: NXP B.V.
  Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Frederik Dirk Schalij
- Publication number: 20240143826
  Abstract: A method is provided for protecting a machine learning (ML) model from being copied. An input sample is provided to the ML model for an inference operation. Features from an internal layer of the ML model relating to the sample are selected. Positive gradients of the features to output logits of the ML model are selected. A summation of a product of the positive gradients and the features is computed to determine a feature contribution value. The input sample is a non-problem domain sample if the feature contribution value is less than or equal to a predetermined threshold feature contribution value. An attempt to copy the ML model is determined to be underway if a predetermined percentage of a plurality of input samples input to the ML model has a feature contribution value that is less than or equal to the predetermined threshold feature contribution value.
  Type: Application
  Filed: November 1, 2022
  Publication date: May 2, 2024
  Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Jan Hoogerbrugge
- Publication number: 20240126931
  Abstract: A method is provided for protecting a machine learning (ML) model from a side channel attack (SCA). A permutation is performed of weights and biases for a first layer of the ML model. The permuted weights and biases of the first layer are scaled using a scaling factor greater than zero to generate scaled and permuted weights and biases for a first plurality of nodes of the first layer. The weights for a second layer immediately following the first layer are modified to compensate for the permutation and scaling of the weights and biases of the first layer. The modified weights and biases of the first and second layers are substituted for corresponding original weights and biases of the ML model. An inference engine of the ML model is executed using the modified weights and biases of the first and second layers for an inference operation.
  Type: Application
  Filed: October 14, 2022
  Publication date: April 18, 2024
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
- Patent number: 11961314
  Abstract: A method is described for analyzing an output of an object detector for a selected object of interest in an image. The object of interest in a first image is selected. A user of the object detector draws a bounding box around the object of interest. A first inference operation is run on the first image using the object detector, and in response, the object detector provides a plurality of proposals. A non-max suppression (NMS) algorithm is run on the plurality of proposals, including the proposal having the object of interest. A classifier and bounding box regressor are run on each proposal of the plurality of proposals, and the results are output. The output results are then analyzed. The method can provide insight into why an object detector returns the results that it does.
  Type: Grant
  Filed: February 16, 2021
  Date of Patent: April 16, 2024
  Assignee: NXP B.V.
  Inventors: Gerardus Antonius Franciscus Derks, Wilhelmus Petrus Adrianus Johannus Michiels, Brian Ermans, Frederik Dirk Schalij
- Publication number: 20240004998
  Abstract: A method is provided for protecting a machine learning (ML) model from a side channel attack (SCA). The method is executed by a processor in a data processing system. The method includes generating a first random bit. A first weighted sum is computed for a first connection between a node of a first layer and a node of a second layer of the ML model. The first weighted sum for the first connection is equal to a multiplication of the weight of the first connection multiplied by an input to the selected node. In the multiplication, one of the weight or the input is negated conditioned on a value of the random bit. A first output including the computed first weighted sum is provided to one or more nodes of a second layer of the plurality of layers.
  Type: Application
  Filed: July 1, 2022
  Publication date: January 4, 2024
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
- Publication number: 20240004994
  Abstract: A method is provided for protecting a machine learning model from a side channel attack. A weighted sum vector having first and second elements is initialized. A weight vector for a connection between a node of a first layer and a node of a second layer is multiplied with an input vector to the node of the first layer. A first element of the weight vector includes a weight, and a first element of the input vector includes the input. A second element of the weight vector is a negation of the first element of the weight vector, and the second element of the input vector equals the first element of the input vector. A multiplication result is added to the weighted sum vector to produce a computed weighted sum vector. An output vector including the computed weighted sum vector is provided to the node of the second layer.
  Type: Application
  Filed: July 1, 2022
  Publication date: January 4, 2024
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
- Publication number: 20230418478
  Abstract: Tweakable block cipher encryption is described using a buffer identifier and a memory address.
  Type: Application
  Filed: June 23, 2022
  Publication date: December 28, 2023
  Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Jan Hoogerbrugge, Paul Kimelman
- Patent number: 11809531
  Abstract: A method is provided for watermarking a machine learning model. In the method, a first subset of a labeled set of ML training samples is selected. The first subset is of a predetermined class of images. A first pixel pattern is selected and inserted into each sample of the first subset. One or more of a location, position, orientation, and transformation of the first pixel pattern is varied for each of the samples. Each sample of the first subset is relabeled to have a different label than the original label. The ML model is trained with the labeled set of ML training samples and the first subset of relabeled ML training samples. To detect the watermark, a second subset of training samples is selected, and the first pixel pattern is inserted into each sample. The second subset is used during inference operation to detect the presence of the watermark.
  Type: Grant
  Filed: February 3, 2020
  Date of Patent: November 7, 2023
  Assignee: NXP B.V.
  Inventor: Wilhelmus Petrus Adrianus Johannus Michiels
- Patent number: 11783055
  Abstract: A data processing system includes a rich execution environment (REE), a hardware accelerator, a trusted execution environment (TEE), and a memory. The REE includes a processor configured to execute an application. A compute kernel is executed on the hardware accelerator, and the compute kernel performs computations for the application. The TEE provides relatively higher security than the REE and includes an accelerator controller for controlling operation of the hardware accelerator. The memory has an unsecure portion coupled to the REE and to the TEE, and a secure portion coupled only to the TEE. The secure portion is relatively more secure than the unsecure portion. Data that is to be accessed and used by the hardware accelerator is stored in the secure portion of the memory. In another embodiment, a method is provided for securely executing an application in the data processing system.
  Type: Grant
  Filed: October 26, 2020
  Date of Patent: October 10, 2023
  Assignee: NXP B.V.
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels, Ad Arts
- Patent number: 11782744
  Abstract: A data processing system has a processor, a system memory, and a hypervisor. The system memory stores program code and data in a plurality of memory pages. The hypervisor controls the SLAT (second level address translation) read, write, and execute access rights of the plurality of memory pages. A portion of the plurality of memory pages is classified as being in a secure enclave portion of the system memory, and a portion is classified as being in an unsecure memory area. The portion of the memory pages classified in the secure enclave is encrypted, and a hash is generated for each of the memory pages. During an access of a memory page, the hypervisor determines whether the accessed memory page is in the secure enclave or in the unsecure memory area based on the hash. In another embodiment, a method for accessing a memory page in the secure enclave is provided.
  Type: Grant
  Filed: October 8, 2020
  Date of Patent: October 10, 2023
  Assignee: NXP B.V.
  Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
- Patent number: 11699208
  Abstract: A method is provided for watermarking a machine learning model used for object detection or image classification. In the method, a first subset of a labeled set of ML training samples is selected. The first subset is of a predetermined class of images. In one embodiment, a first pixel pattern is selected and sized to have substantially the same dimensions as each sample of the first subset, or as each bounding box in the case of an object detector. Each sample of the first subset is relabeled to have a different label than the original label. An opacity of the pixel pattern may be adjusted independently for different parts of the pattern. The ML model is trained with the labeled set of ML training samples and the first subset of relabeled ML training samples. Using multiple different opacity factors provides both reliability and credibility to the watermark.
  Type: Grant
  Filed: March 12, 2021
  Date of Patent: July 11, 2023
  Assignee: NXP B.V.
  Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Frederik Dirk Schalij
- Patent number: 11640646
  Abstract: A method is provided for watermarking a machine learning model used for object detection or image classification. In the method, a first subset of a labeled set of ML training samples is selected. The first subset is of a predetermined class of images. In one embodiment, a first pixel pattern is selected and sized to have substantially the same dimensions as each sample of the first subset, or as each bounding box in the case of an object detector. Each sample of the first subset is relabeled to have a different label than the original label. An opacity of the pixel pattern may be adjusted independently for different parts of the pattern. The ML model is trained with the labeled set of ML training samples and the first subset of relabeled ML training samples. Using multiple different opacity factors provides both reliability and credibility to the watermark.
  Type: Grant
  Filed: March 12, 2021
  Date of Patent: May 2, 2023
  Assignee: NXP B.V.
  Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Frederik Dirk Schalij
- Patent number: 11636380
  Abstract: A method for protecting a machine learning model is provided. In the method, a first machine learning model is trained, and a plurality of machine learning models derived from the first machine learning model is trained. Each of the plurality of machine learning models may be different from the first machine learning model. During inference operation, a first input sample is provided to the first machine learning model and to each of the plurality of machine learning models. The first machine learning model generates a first output, and the plurality of machine learning models generates a plurality of second outputs. The plurality of second outputs is aggregated to determine a final output. The final output and the first output are classified to determine whether the first input sample is an adversarial input. If it is an adversarial input, a randomly generated output is provided instead of the first output.
  Type: Grant
  Filed: April 9, 2019
  Date of Patent: April 25, 2023
  Assignee: NXP B.V.
  Inventors: Christine Van Vredendaal, Nikita Veshchikov, Wilhelmus Petrus Adrianus Johannus Michiels
- Publication number: 20230040470
  Abstract: A method is provided for generating a visualization for explaining a behavior of a machine learning (ML) model. In the method, an image is input to the ML model for an inference operation. The input image has an increased resolution compared to the image resolution the ML model was intended to receive as an input. The resolution of a plurality of resolution-independent convolutional layers of the neural network is adjusted because of the increased resolution of the input image. A resolution-independent convolutional layer of the neural network is selected. The selected resolution-independent convolutional layer is used to generate a plurality of activation maps. The plurality of activation maps is used in a visualization method to show which features of the image were important for the ML model to derive an inference conclusion. The method may be implemented in a computer program having instructions executable by a processor.
  Type: Application
  Filed: August 9, 2021
  Publication date: February 9, 2023
  Inventors: Brian Ermans, Peter Doliwa, Gerardus Antonius Franciscus Derks, Wilhelmus Petrus Adrianus Johannus Michiels, Frederik Dirk Schalij
- Publication number: 20230029578
  Abstract: A method is provided for watermarking a machine learning model used for object detection. In the method, a first subset of a labeled set of ML training samples is selected. Each of one or more objects in the first subset includes a class label. A pixel pattern is selected to use as a watermark in the first subset of images. The pixel pattern is made partially transparent. A target class label is selected. One or more objects of the first subset of images are relabeled with the target class label. In another embodiment, the class labels are removed from objects in the subset of images instead of relabeling them. Each of the first subset of images is overlaid with the partially transparent and scaled pixel pattern. The ML model is trained with the set of training images and the first subset of images to produce a trained and watermarked ML model.
  Type: Application
  Filed: July 30, 2021
  Publication date: February 2, 2023
  Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Frederik Dirk Schalij