Abstract: Using a deep learning inference system, respective similarities are measured for each of a set of intermediate representations to input information used as an input to the deep learning inference system. The deep learning inference system includes multiple layers, each layer producing one or more associated intermediate representations. Selection is made of a subset of the set of intermediate representations that are most similar to the input information. Using the selected subset of intermediate representations, a partitioning point is determined in the multiple layers used to partition the multiple layers into two partitions defined so that information leakage for the two partitions will meet a privacy parameter when a first of the two partitions is prevented from leaking information. The partitioning point is output for use in partitioning the multiple layers of the deep learning inference system into the two partitions.

Abstract: Embodiments of the invention include a computer-implemented method that uses a processor system to access a first machine learning (ML) model. The first ML model has been trained using data of a first server. A first performance metric of the first ML model is determined using data of a second server. A benefit analysis is performed to determine a benefit of the first ML server and the second ML server participating in a federated learning system, where the benefit analysis includes using the first performance metric.

Abstract: Indirect function call target identification in software is provided. A set of explicit data flows that pass a function address between software modules of a program is determined using an explicit data dependency analysis. A set of indirect function call targets is generated from results of the explicit data dependency analysis and a dynamic execution analysis of the program. The set of indirect function call targets is expanded by identifying similar target functions based on feature embeddings generated by a graph neural network.

Abstract: Mechanisms are provided to implement a neural flow attestation engine and perform computer model execution integrity verification based on neural flows. Input data is input to a trained computer model that includes a plurality of layers of neurons. The neural flow attestation engine records, for a set of input data instances in the input data, an output class generated by the trained computer model and a neural flow through the plurality of layers of neurons to thereby generate recorded neural flows. The trained computer model is deployed to a computing platform, and the neural flow attestation engine verifies the execution integrity of the deployed trained computer model based on a runtime neural flow of the deployed trained computer model and the recorded neural flows.

Abstract: Deep learning training service framework mechanisms are provided. The mechanisms receive encrypted training datasets for training a deep learning model, execute a FrontNet subnet model of the deep learning model in a trusted execution environment, and execute a BackNet subnet model of the deep learning model external to the trusted execution environment. The mechanisms decrypt, within the trusted execution environment, the encrypted training datasets and train the FrontNet subnet model and BackNet subnet model of the deep learning model based on the decrypted training datasets. The FrontNet subnet model is trained within the trusted execution environment and provides intermediate representations to the BackNet subnet model which is trained external to the trusted execution environment using the intermediate representations. The mechanisms release a trained deep learning model comprising a trained FrontNet subnet model and a trained BackNet subnet model, to the one or more client computing devices.

Abstract: A computer-implemented method, a computer program product, and a computer system for resource-limited federated learning using dynamic masking. A server in federated machine learning evaluates resources of respective agents in the federated machine learning to determine capacities of model training by the respective agents. The server masks weights of a full machine learning model to construct a masked machine learning model, based on the capacities. The server distributes the masked machine learning model to the respective agents which train the masked machine learning model. The server receives from the respective agents updated weights obtained through training the masked machine learning model. The server updates the full machine learning model, based on the updated weights.

Abstract: Mechanisms are provided to implement a neural flow attestation engine and perform computer model execution integrity verification based on neural flows. Input data is input to a trained computer model that includes a plurality of layers of neurons. The neural flow attestation engine records, for a set of input data instances in the input data, an output class generated by the trained computer model and a neural flow through the plurality of layers of neurons to thereby generate recorded neural flows. The trained computer model is deployed to a computing platform, and the neural flow attestation engine verifies the execution integrity of the deployed trained computer model based on a runtime neural flow of the deployed trained computer model and the recorded neural flows.

Abstract: Mechanisms are provided for detecting abnormal system call sequences in a monitored computing environment. The mechanisms receive, from a computing system resource of the monitored computing environment, a system call of an observed system call sequence for evaluation. A trained recurrent neural network (RNN), trained to predict system call sequences, processes the system call to generate a prediction of a subsequent system call in a predicted system call sequence. Abnormal call sequence logic compares the subsequent system call in the predicted system call sequence to an observed system call in the observed system call sequence and identifies a difference between the predicted system call sequence and the observed system call sequence based on results of the comparing. The abnormal call sequence logic generates an alert notification in response to identifying the difference.

Abstract: Indirect function call target identification in software is provided. A set of explicit data flows that pass a function address between software modules of a program is determined using an explicit data dependency analysis. A set of indirect function call targets is generated from results of the explicit data dependency analysis and a dynamic execution analysis of the program. The set of indirect function call targets is expanded by identifying similar target functions based on feature embeddings generated by a graph neural network.

Abstract: A system and method for achieving power isolation across different cloud tenants and workloads is provided. The system includes a model of per-workload power consumption and an approach for attributing power consumption for each container. It allows a cloud provider to detect abnormally high power usage caused by specific containers and/or tenants, and to neutralize the emerging power attacks that exploit information leakages in the public container cloud. The approach also enables the provider to bill tenants for their specific power usage. Thus, the technique herein provides a mechanism that operates to attribute power consumption data for each container to defend against emerging power attacks, as well as to make it feasible to develop a cloud billing model based on power usage. The mechanism defends against emerging power attacks in container cloud offerings by implementing in a power-based namespace workflow in an OS kernel.

Abstract: Mechanisms for identifying a pattern of computing resource activity of interest, in activity data characterizing activities of computer system elements, are provided. A temporal graph of the activity data is generated and a filter is applied to the temporal graph to generate one or more first vector representations, each characterizing nodes and edges within a moving window defined by the filter. The filter is applied to a pattern graph representing a pattern of entities and events indicative of the pattern of interest, to generate a second vector representation. The second vector representation is compared to the one or more first vector representations to identify one or more nearby vectors, and one or more corresponding subgraph instances are output to an intelligence console computing system as inexact matches of the temporal graph.

Abstract: Techniques for distributed federated learning leverage a multi-layered defense strategy to provide for reduced information leakage. In lieu of aggregating model updates centrally, an aggregation function is decentralized into multiple independent and functionally-equivalent execution entities, each running within its own trusted executed environment (TEE). The TEEs enable confidential and remote-attestable federated aggregation. Preferably, each aggregator entity runs within an encrypted virtual machine that support runtime in-memory encryption. Each party remotely authenticates the TEE before participating in the training. By using multiple decentralized aggregators, parties are enabled to partition their respective model updates at model-parameter granularity, and can map single weights to a specific aggregator entity. Parties also can dynamically shuffle fragmentary model updates at each training iteration to further obfuscate the information dispatched to each aggregator execution entity.

Abstract: Techniques for distributed federated learning leverage a multi-layered defense strategy to provide for reduced information leakage. In lieu of aggregating model updates centrally, an aggregation function is decentralized into multiple independent and functionally-equivalent execution entities, each running within its own trusted executed environment (TEE). The TEEs enable confidential and remote-attestable federated aggregation. Preferably, each aggregator entity runs within an encrypted virtual machine that support runtime in-memory encryption. Each party remotely authenticates the TEE before participating in the training. By using multiple decentralized aggregators, parties are enabled to partition their respective model updates at model-parameter granularity, and can map single weights to a specific aggregator entity. Parties also can dynamically shuffle fragmentary model updates at each training iteration to further obfuscate the information dispatched to each aggregator execution entity.

Abstract: Mechanisms are provided to implement an enhanced privacy deep learning system framework (hereafter “framework”). The framework receives, from a client computing device, an encrypted first subnet model of a neural network, where the first subnet model is one partition of multiple partitions of the neural network. The framework loads the encrypted first subnet model into a trusted execution environment (TEE) of the framework, decrypts the first subnet model, within the TEE, and executes the first subnet model within the TEE. The framework receives encrypted input data from the client computing device, loads the encrypted input data into the TEE, decrypts the input data, and processes the input data in the TEE using the first subnet model executing within the TEE.

Abstract: Mechanisms are provided to implement an enhanced privacy deep learning system framework (hereafter “framework”). The framework receives, from a client computing device, an encrypted first subnet model of a neural network, where the first subnet model is one partition of multiple partitions of the neural network. The framework loads the encrypted first subnet model into a trusted execution environment (TEE) of the framework, decrypts the first subnet model, within the TEE, and executes the first subnet model within the TEE. The framework receives encrypted input data from the client computing device, loads the encrypted input data into the TEE, decrypts the input data, and processes the input data in the TEE using the first subnet model executing within the TEE.

Abstract: Mechanisms are provided for detecting abnormal system call sequences in a monitored computing environment. The mechanisms receive, from a computing system resource of the monitored computing environment, a system call of an observed system call sequence for evaluation. A trained recurrent neural network (RNN), trained to predict system call sequences, processes the system call to generate a prediction of a subsequent system call in a predicted system call sequence. Abnormal call sequence logic compares the subsequent system call in the predicted system call sequence to an observed system call in the observed system call sequence and identifies a difference between the predicted system call sequence and the observed system call sequence based on results of the comparing. The abnormal call sequence logic generates an alert notification in response to identifying the difference.

Abstract: Adversarial input detection and purification (AIDAP) preprocessor and deep learning computer model mechanisms are provided. The deep learning computer model receives input data and processes it to generate a first pass output that is output to the AIDAP preprocessor. The AIDAP preprocessor determines a discriminative region of the input data based on the first pass output and transforms a subset of elements in the discriminative region to modify a characteristic of the elements and generate a transformed input data. The deep learning computer model processes the transformed input data to generate a second pass output that is output to the AIDAP preprocessor which detects an adversarial input or not based on a comparison of the first pass and second pass outputs. If an adversarial input is detected, a responsive action that mitigates effects of the adversarial input is performed.

Abstract: A method, apparatus and computer program product to protect a deep neural network (DNN) having a plurality of layers including one or more intermediate layers. In this approach, a training data set is received. During training of the DNN using the received training data set, a representation of activations associated with an intermediate layer is recorded. For at least one or more of the representations, a separate classifier (model) is trained. The classifiers, collectively, are used to train an outlier detection model. Following training, the outliner detection model is used to detect an adversarial input on the deep neural network. The outlier detection model generates a prediction, and an indicator whether a given input is the adversarial input. According to a further aspect, an action is taken to protect a deployed system associated with the DNN in response to detection of the adversary input.

Abstract: Mechanisms are provided for detecting abnormal system call sequences in a monitored computing environment. The mechanisms receive, from a computing system resource of the monitored computing environment, a system call of an observed system call sequence for evaluation. A trained recurrent neural network (RNN), trained to predict system call sequences, processes the system call to generate a prediction of a subsequent system call in a predicted system call sequence. Abnormal call sequence logic compares the subsequent system call in the predicted system call sequence to an observed system call in the observed system call sequence and identifies a difference between the predicted system call sequence and the observed system call sequence based on results of the comparing. The abnormal call sequence logic generates an alert notification in response to identifying the difference.

Abstract: An automated method for cyberattack detection and prevention in an endpoint. The technique monitors and protects the endpoint by recording inter-process events, creating an inter-process activity graph based on the recorded inter-process events, matching the inter-process activity (as represented in the activity graph) against known malicious or suspicious behavior (as embodied in a set of one or more pattern graphs), and performing a post-detection operation in response to a match between an inter-process activity and a known malicious or suspicious behavior pattern. Preferably, matching involves matching a subgraph in the activity graph with a known malicious or suspicious behavior pattern as represented in the pattern graph. During this processing, preferably both direct and indirect inter-process activities at the endpoint (or across a set of endpoints) are compared to the known behavior patterns.