Abstract: A method is provided for protecting a machine learning (ML) model from being copied. An input sample is provided to the ML model for an inference operation. Features from an internal layer of the ML model relating to the sample are selected. Positive gradients of the features to output logits of the ML model are selected. A summation of a product of the positive gradients and the features is computed to determine a feature contribution value. The input sample is a non-problem domain sample if the feature contribution value is less than or equal to a predetermined threshold feature contribution value. An attempt to copy the ML model is determined to be underway if a predetermined percentage of a plurality of input samples input to the ML model has a feature contribution value that is less than or equal to the predetermined threshold feature contribution value.

Abstract: A method is provided for protecting a machine learning (ML) model from a side channel attack (SCA). A permutation is performed of weights and biases for a first layer of the ML model. The permutated weights and biases of the first layer are scaled using a scaling factor greater than zero to generate scaled and permutated weights and biases for a first plurality of nodes of the first layer. The weights for a second layer immediately following the first layer are modified to compensate for the permutation and scaling of the weights and biases of the first layer. The modified weights and biases of the first and second layers are substituted for corresponding original weights and biases of the ML model. An inference engine of the ML model is executed using the modified weights and biases of the first and second layers for an inference operation.

Abstract: A method is described for analyzing an output of an object detector for a selected object of interest in an image. The object of interest in a first image is selected. A user of the object detector draws a bounding box around the object of interest. A first inference operation is run on the first image using the object detector, and in response, the object detect provides a plurality of proposals. A non-max suppression (NMS) algorithm is run on the plurality of proposals, including the proposal having the object of interest. A classifier and bounding box regressor are run on each proposal of the plurality of proposals and results are outputted. The outputted results are then analyzed. The method can provide insight into why an object detector returns the results that it does.

Abstract: A method is provided for protecting a machine learning (ML) model from a side channel attack (SCA). The method is executed by a processor in a data processing system. The method includes generating a first random bit. A first weighted sum is computed for a first connection between a node of a first layer and a node of a second layer of the ML model. The first weighted sum for the first connection is equal to a multiplication of the weight of the first connection multiplied by an input to the selected node. In the multiplication, one of the weight or the input is negated conditioned on a value of the random bit. A first output including the computed first weighted sum is provided to one or more nodes of a second layer of the plurality of layers.

Abstract: A method is provided for protecting a machine learning model from a side channel attack. A weighted sum vector having first and second elements is initialized. A weight vector for a connection between a node of a first layer and a node of a second layer is multiplied with an input vector to the node of the first layer. A first element of the weight vector includes a weight, and a first element of the input vector includes the input. A second element of the weight vector is a negation of the first element of the weight vector and the second element of the input vector equals the first element of the input vector. A multiplication result is added to the weighted sum vector to produce a computed weighted sum vector. An output vector including the computed weighted sum vector is provided to the node of the second layer.

Abstract: Tweakable block cipher encryption is described using a buffer identifier and a memory address.

Abstract: A method is provided for watermarking a machine learning model. In the method, a first subset of a labeled set of ML training samples is selected. The first subset is of a predetermined class of images. A first pixel pattern is selected and inserted into each sample of the first subset. One or more of a location, position, orientation, and transformation of the first pixel pattern is varied for each of the samples. Each sample of the first subset is relabeled to have a different label than the original label. The ML model is trained with the labeled set of ML training samples and the first subset of relabeled ML training samples. To detect the watermark, a second subset of training samples is selected, and the first pixel pattern is inserted into each sample. The second subset is used during inference operation to detect the presence of the watermark.

Abstract: A data processing system includes a rich execution environment, a hardware accelerator, a trusted execution environment, and a memory. The REE includes a processor configured to execute an application. A compute kernel is executed on the hardware accelerator and the compute kernel performs computations for the application. The TEE provides relatively higher security than the REE and includes an accelerator controller for controlling operation of the hardware accelerator. The memory has an unsecure portion coupled to the REE and to the TEE, and a secure portion coupled to only the TEE. The secure portion is relatively more secure than the unsecure portion. Data that is to be accessed and used by the hardware accelerator is stored in the secure portion of the memory. In another embodiment, a method is provided for securely executing an application is the data processing system.

Abstract: A data processing system has a processor, a system memory, and a hypervisor. The system memory stores program code and data in a plurality of memory pages. The hypervisor controls SLAT (second level address translation) read, write, and execute access rights of the plurality of memory pages. A portion of the plurality of memory pages are classified as being in a secure enclave portion of the system memory and a portion is classified as being in an unsecure memory area. The portion of the memory pages classified in the secure enclave is encrypted and a hash is generated for each of the memory pages. During an access of a memory page, the hypervisor determines if the accessed memory page is in the secure enclave or in the unsecure memory area based on the hash. In another embodiment, a method for accessing a memory page in the secure enclave is provided.

Abstract: A method is provided for watermarking a machine learning model used for object detection or image classification. In the method, a first subset of a labeled set of ML training samples is selected. The first subset is of a predetermined class of images. In one embodiment, the first pixel pattern is selected and sized to have substantially the same dimensions as each sample of the first subset or each bounding box in the case of an object detector. Each sample of the first subset is relabeled to have a different label than the original label. An opacity of the pixel pattern may be adjusted independently for different parts of the pattern. The ML model is trained with the labeled set of ML training samples and the first subset of relabeled ML training samples. Using multiple different opacity factors provides both reliability and credibility to the watermark.

Abstract: A method is provided for watermarking a machine learning model used for object detection or image classification. In the method, a first subset of a labeled set of ML training samples is selected. The first subset is of a predetermined class of images. In one embodiment, the first pixel pattern is selected and sized to have substantially the same dimensions as each sample of the first subset or each bounding box in the case of an object detector. Each sample of the first subset is relabeled to have a different label than the original label. An opacity of the pixel pattern may be adjusted independently for different parts of the pattern. The ML model is trained with the labeled set of ML training samples and the first subset of relabeled ML training samples. Using multiple different opacity factors provides both reliability and credibility to the watermark.

Abstract: A method for protecting a machine learning model is provided. In the method, a first machine learning model is trained, and a plurality of machine learning models derived from the first machine learning model is trained. Each of the plurality of machine learning models may be different from the first machine learning model. During inference operation, a first input sample is provided to the first machine learning model and to each of the plurality of machine learning models. The first machine learning model generates a first output and the plurality of machine learning models generates a plurality of second outputs. The plurality of second outputs are aggregated to determine a final output. The final output and the first output are classified to determine if the first input sample is an adversarial input. If it is adversarial input, a randomly generated output is provided instead of the first output.

Abstract: A method is provided for generating a visualization for explaining a behavior of a machine learning (ML) model. In the method, an image is input to the ML model for an inference operation. The input image has an increased resolution compared to an image resolution the ML model was intended to receive as an input. A resolution of a plurality of resolution-independent convolutional layers of the neural network are adjusted because of the increased resolution of the input image. A resolution-independent convolutional layer of the neural network is selected. The selected resolution-independent convolutional layer is used to generate a plurality of activation maps. The plurality of activation maps is used in a visualization method to show what features of the image were important for the ML model to derive an inference conclusion. The method may be implemented in a computer program having instructions executable by a processor.

Abstract: A method is provided for watermarking a machine learning model used for object detection. In the method, a first subset of a labeled set of ML training samples is selected. Each of one or more objects in the first subset includes a class label. A pixel pattern is selected to use as a watermark in the first subset of images. The pixel pattern is made partially transparent. A target class label is selected. One or more objects of the first subset of images are relabeled with the target class label. In another embodiment, the class labels are removed from objects in the subset of images instead of relabeling them. Each of the first subset of images is overlaid with the partially transparent and scaled pixel pattern. The ML model is trained with the set of training images and the first subset of images to produce a trained and watermarked ML model.

Abstract: Various embodiments relate to a method of producing a machine learning model with a fingerprint that maps an input value to an output label, including: selecting a set of extra input values, wherein the set of extra input values does not intersect with a set of training labeled input values for the machine learning model; selecting a first set of artificially encoded output label values corresponding to each of the extra input values in the set of extra input values, wherein the first set of artificially encoded output label values are selected to indicate the fingerprint of a first machine learning model; and training the machine learning model using a combination of the extra input values with associated first set of artificially encoded output values and the set of training labeled input values to produce the first learning model with the fingerprint.

Abstract: A method for protecting a first machine learning (ML) model is provided. In the method, a dataset of non-problem domain (NPD) data is selected from a large dataset using a second ML model. The second ML model classifies the large dataset into NPD classifications and PD classifications. The PD classified data is excluded. A distinguisher includes a third ML model that is trained using selected NPD data from the large dataset. The distinguisher receives input samples that are intended for the first ML model. The third ML model provides either a PD classification or NPD classification in response to receiving each input sample. An indication of a likely extraction attempt may be provided when a predetermined number of NPD classifications are provided. The method provides an efficient way to create a training dataset for a distinguisher and for protecting a ML model with the distinguisher.

Abstract: A method is provided for protecting a machine learning ensemble. In the method, a plurality of machine learning models is combined to form a machine learning ensemble. A plurality of data elements for training the machine learning ensemble is provided. The machine learning ensemble is trained using the plurality of data elements to produce a trained machine learning ensemble. During an inference operating phase, an input is received by the machine learning ensemble. A piecewise function is used to pseudo-randomly choose one of the plurality of machine learning models to provide an output in response to the input. The use of a piecewise function hides which machine learning model provided the output, making the machine learning ensemble more difficult to copy.

Abstract: A method is provided for watermarking a machine learning model used for object detection or image classification. In the method, a first subset of a labeled set of ML training samples is selected. The first subset is of a predetermined class of images. In one embodiment, the first pixel pattern is selected and sized to have substantially the same dimensions as each sample of the first subset or each bounding box in the case of an object detector. Each sample of the first subset is relabeled to have a different label than the original label. An opacity of the pixel pattern may be adjusted independently for different parts of the pattern. The ML model is trained with the labeled set of ML training samples and the first subset of relabeled ML training samples. Using multiple different opacity factors provides both reliability and credibility to the watermark.

Abstract: A method is described for analyzing an output of an object detector for a selected object of interest in an image. The object of interest in a first image is selected. A user of the object detector draws a bounding box around the object of interest. A first inference operation is run on the first image using the object detector, and in response, the object detect provides a plurality of proposals. A non-max suppression (NMS) algorithm is run on the plurality of proposals, including the proposal having the object of interest. A classifier and bounding box regressor are run on each proposal of the plurality of proposals and results are outputted. The outputted results are then analyzed. The method can provide insight into why an object detector returns the results that it does.

Abstract: A method is provided for analyzing a classification in a machine learning model (ML). In the method, the ML model is trained using a training dataset to produce a trained ML model. One or more samples are provided to the trained ML model to produce one or more prediction classifications. A gradient is determined for the one of more samples at a predetermined layer of the trained ML model. The one or more gradients and the one or more prediction classifications for each sample are stored. Also, an intermediate value of the ML model may be stored. Then, a sample is chosen to analyze. A gradient of the sample is determined if the gradient was not already determined when the at least one gradient is determined. Using the at least one gradient, and one or more of a data structure, a predetermined metric, and an intermediate value, the k nearest neighbors to the sample are determined. A report comprising the sample and the k nearest neighbors may be provided for analysis.