WO2022081553A4 - Systems and methods for providing a systemic error in artificial intelligence algorithms - Google Patents

Systems and methods for providing a systemic error in artificial intelligence algorithms

Info

Publication number
WO2022081553A4
Authority
WO
WIPO (PCT)
Prior art keywords
model
adversarial
group
source
source model
Prior art date
Application number
PCT/US2021/054542
Other languages
French (fr)
Other versions
WO2022081553A1 (en
Inventor
Gharib GHARIBI
Babak Poorebrahim GILKALAYE
Riddhiman Das
Original Assignee
TripleBlind, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by TripleBlind, Inc. filed Critical TripleBlind, Inc.
Priority to CA3195434A priority Critical patent/CA3195434A1/en
Priority to EP21880894.7A priority patent/EP4229554A4/en
Priority claimed from US17/499,553 external-priority patent/US20220039127A1/en
Publication of WO2022081553A1 publication Critical patent/WO2022081553A1/en
Publication of WO2022081553A4 publication Critical patent/WO2022081553A4/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • G06N3/096Transfer learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

Disclosed is a process for testing a suspect model to determine whether it was derived from a source model. An example method includes receiving, from a model owner node, a source model and a fingerprint associated with the source model; receiving a suspect model at a service node; based on a request to test the suspect model, applying the fingerprint to the suspect model to generate an output; and, when the output has an accuracy that is equal to or greater than a threshold, determining that the suspect model is derived from the source model. Imperceptible noise can be used to generate the fingerprint, which can cause predictable outputs from the source model and a potential derivative thereof.
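For illustration only, the test described in the abstract can be sketched in Python as follows. The Fingerprint container, the predict-callable interface, and the default threshold of 0.60 (the value recited in claim 20) are assumptions rather than the patented implementation.

```python
from dataclasses import dataclass
from typing import Any, Callable, Sequence

@dataclass
class Fingerprint:
    inputs: Sequence[Any]           # adversarial examples carrying imperceptible noise
    expected_labels: Sequence[Any]  # labels the source model (and its derivatives) should produce

def is_derived(suspect_predict: Callable[[Any], Any],
               fingerprint: Fingerprint,
               threshold: float = 0.60) -> bool:
    """Apply the fingerprint to the suspect model and compare its accuracy to a threshold."""
    hits = sum(1 for x, y in zip(fingerprint.inputs, fingerprint.expected_labels)
               if suspect_predict(x) == y)
    accuracy = hits / len(fingerprint.inputs)
    # The suspect model is flagged as derived from the source model when the
    # fingerprint accuracy is equal to or greater than the testing threshold.
    return accuracy >= threshold
```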

Claims

AMENDED CLAIMS received by the International Bureau on 02 MAY 2022 (02.05.2022)
1. (Original) A method comprising: generating, based on a training dataset, a reference model and a surrogate model; selecting datapoints from the training dataset that are predicted correctly by a source model as a group of adversarial candidates; selecting, from the group of adversarial candidates, a sub-group of candidates that each have a low confidence score according to a threshold to yield a sub-group of adversarial candidates; adding noise to each candidate of the sub-group of adversarial candidates to yield a noisy group of adversarial examples; testing the noisy group of adversarial examples against the source model to obtain a set of source model successful adversarial examples that the source model predicts correctly; testing the set of source model successful adversarial examples against the reference model to yield a set of reference model outputs; testing the set of source model successful adversarial examples against the surrogate model to yield a set of surrogate model outputs; and identifying a set of fingerprints based on which ones from the set of source model successful adversarial examples, the set of reference model outputs and the set of surrogate model outputs pass as adversarial examples against the source model and the surrogate model, but not the reference model.
2. (Original) The method of claim 1, wherein the training dataset is from a same distribution of a source model dataset.
3. (Original) The method of claim 1, wherein the training dataset comprises at least some data from a source model dataset.
4. (Original) The method of claim 1, wherein fingerprint candidates comprise ones of the noisy group of adversarial examples that lead to a fully successful adversarial attack accuracy against the source model.
5. (Original) The method of claim 1, further comprising: sharing a hashed version of the set of fingerprints with a trusted third party.
6. (Original) The method of claim 1, wherein generating the set of fingerprints further comprises constructing respective adversarial examples with the noise that causes a receiving model to misclassify an input.
7. (Original) The method of claim 6, wherein the noise is imperceptible noise.
8. (Original) The method of claim 1, further comprising: testing a suspect model by using the set of fingerprints against the suspect model to determine whether an overall accuracy operating on the set of fingerprints is equal to or greater than a testing threshold.
9. (Original) The method of claim 8, further comprising: determining, when the overall accuracy operating on the set of fingerprints is equal to or greater than the testing threshold, that the suspect model was derived from the source model.
10. (Original) A method comprising: receiving, from a model owner node, a source model and a verification key at a service node; receiving a suspect model at the service node; transmitting a request to the model owner node for a proof of ownership relative to the suspect model; in response to the request, receiving a marking key at the service node from the model owner node; and, based on the marking key and the verification key, determining whether the suspect model was derived from the source model.
11. (Original) The method of claim 10, wherein determining whether the suspect model was derived from the source model further comprises testing the suspect model to determine whether a fingerprint produces a same output from both the source model and the suspect model.
12. (Original) The method of claim 11, wherein the fingerprint passes against the source model and a surrogate model, but not a reference model.
13. (Original) The method of claim 10, wherein at least one of the marking key and the verification key comprises added noise which causes a predictable output from the source model and surrogate models derived therefrom.
14. (Currently Amended) A method comprising: receiving, from a model owner node, a source model and a fingerprint associated with the source model; receiving a suspect model at a service node; based on a request to test the suspect model, applying the fingerprint to the suspect model to generate an output; and when the output has an accuracy that is equal to or greater than a threshold, determining that the suspect model is derived from the source model, wherein the fingerprint is generated by a process comprising: generating, based on a training dataset, a reference model and a surrogate model; selecting datapoints from the training dataset that are predicted correctly by the source model as a group of adversarial candidates; selecting from the group of adversarial candidates a sub-group of candidates that each have a low confidence score according to a threshold to yield a sub-group of adversarial candidates; adding noise to each candidate of the sub-group of adversarial candidates to yield a noisy group of adversarial examples; testing the noisy group of adversarial examples against the source model to obtain a set of source model successful adversarial examples that the source model predicts correctly; testing the set of source model successful adversarial examples against the reference model to yield a set of reference model outputs; testing the set of source model successful adversarial examples against the surrogate model to yield a set of surrogate model outputs; and identifying the fingerprint based on which ones from the set of source model successful adversarial examples, the set of reference model outputs and the set of surrogate model outputs pass as adversarial examples against the source model and the surrogate model, but not the reference model.
15. (Cancelled) The method of claim 14, wherein the fingerprint is generated by a process comprising: generating, based on a training dataset, a reference model and a surrogate model; selecting datapoints from the training dataset that are predicted correctly by the source model as a group of adversarial candidates; selecting from the group of adversarial candidates a sub-group of candidates that each have a low confidence score according to a threshold to yield a sub-group of adversarial candidates; adding noise to each candidate of the sub-group of adversarial candidates to yield a noisy group of adversarial examples; testing the noisy group of adversarial examples against the source model to obtain a set of source model successful adversarial examples that the source model predicts correctly; testing the set of source model successful adversarial examples against the reference model to yield a set of reference model outputs; testing the set of source model successful adversarial examples against the surrogate model to yield a set of surrogate model outputs; and identifying the fingerprint based on which ones from the set of source model successful adversarial examples, the set of reference model outputs and the set of surrogate model outputs pass as adversarial examples against the source model and the surrogate model, but not the reference model.
16. (Currently Amended) The method of claim 14, wherein the noisy group of adversarial examples comprises ones of the group of adversarial candidates that lead to a fully successful adversarial attack accuracy against the source model.
17. (Currently Amended) The method of claim 14, further comprising: sharing a hashed version of the fingerprint with a trusted third party.
18. (Currently Amended) The method of claim 14, wherein generating the fingerprint further comprises constructing respective adversarial examples with the noise that causes a receiving model to misclassify an input.
19. (Currently Amended) The method of claim 18, wherein the noise is imperceptible noise.
20. (Currently Amended) The method of claim 14, wherein the threshold is approximately 0.60.
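For readers following the fingerprint-generation process recited in claims 1 and 14, a minimal sketch is given below. It assumes NumPy arrays and scikit-learn-style predict/predict_proba models, uses placeholder values for the confidence threshold and noise scale, reads a "successful adversarial example" as one whose prediction the added noise flips, and treats the surrogate model as a stand-in for a derivative of the source model and the reference model as an independently trained model. All of these readings are assumptions, not a definitive implementation of the claims.

```python
import numpy as np

def generate_fingerprints(source, reference, surrogate, X, y,
                          confidence_threshold=0.3, noise_scale=0.01):
    """Sketch of the claimed fingerprint-generation steps (illustrative only)."""
    # 1. Candidates: training datapoints the source model predicts correctly.
    correct = source.predict(X) == y
    candidates, labels = X[correct], y[correct]

    # 2. Keep the low-confidence candidates (close to the decision boundary).
    confidence = source.predict_proba(candidates).max(axis=1)
    low = confidence < confidence_threshold
    candidates, labels = candidates[low], labels[low]

    # 3. Add small (imperceptible) noise to each candidate.
    noisy = candidates + np.random.normal(0.0, noise_scale, size=candidates.shape)

    # 4. Keep the noisy examples that act as successful adversarial examples
    #    against the source model (here: the source changes its prediction).
    source_outputs = source.predict(noisy)
    successful = source_outputs != labels
    noisy, source_outputs = noisy[successful], source_outputs[successful]

    # 5. Fingerprints: examples that also fool the surrogate model in the same way
    #    but do not fool the independently trained reference model.
    fools_surrogate = surrogate.predict(noisy) == source_outputs
    fools_reference = reference.predict(noisy) == source_outputs
    keep = fools_surrogate & ~fools_reference
    return noisy[keep], source_outputs[keep]
```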
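Claims 5 and 17 describe sharing a hashed version of the fingerprint with a trusted third party, and claim 10 describes a marking key and verification key exchange between the model owner node and the service node. One possible reading, in which the marking key is the fingerprint inputs with their expected outputs and the verification key is a hash commitment to them, is sketched below; the serialization format, the key semantics, and the threshold are assumptions.

```python
import hashlib
import json

def hash_fingerprint(inputs, labels):
    """Produce a commitment to the fingerprint that can be shared with a trusted
    third party (inputs and labels are assumed to be JSON-serializable lists)."""
    payload = json.dumps({"inputs": inputs, "labels": labels}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def verify_ownership(suspect_predict, marking_key, verification_key, threshold=0.60):
    """Service-node check: validate the marking key against the registered
    verification key, then test the suspect model on the fingerprint."""
    inputs, labels = marking_key
    if hash_fingerprint(inputs, labels) != verification_key:
        return False  # marking key does not match the earlier commitment
    hits = sum(1 for x, y in zip(inputs, labels) if suspect_predict(x) == y)
    return hits / len(inputs) >= threshold
```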
PCT/US2021/054542 2020-10-13 2021-10-12 Systems and methods for providing a systemic error in artificial intelligence algorithms WO2022081553A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CA3195434A CA3195434A1 (en) 2020-10-13 2021-10-12 Systems and methods for providing a systemic error in artificial intelligence algorithms
EP21880894.7A EP4229554A4 (en) 2020-10-13 2021-10-12 Systems and methods for providing a systemic error in artificial intelligence algorithms

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US202063090933P 2020-10-13 2020-10-13
US63/090,933 2020-10-13
US17/499,553 US20220039127A1 (en) 2019-04-15 2021-10-12 Uplink Transmission Method and Communication Apparatus
US17/499,553 2021-10-12

Publications (2)

Publication Number Publication Date
WO2022081553A1 (en) 2022-04-21
WO2022081553A4 (en) 2022-06-16

Family

ID=81208609

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2021/054542 WO2022081553A1 (en) 2020-10-13 2021-10-12 Systems and methods for providing a systemic error in artificial intelligence algorithms

Country Status (3)

Country Link
EP (1) EP4229554A4 (en)
CA (1) CA3195434A1 (en)
WO (1) WO2022081553A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277065B (en) * 2022-06-15 2024-01-23 北京信息科技大学 Anti-attack method and device in abnormal traffic detection of Internet of things

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11163860B2 (en) * 2018-06-04 2021-11-02 International Business Machines Corporation Protecting deep learning models using watermarking
US11042611B2 (en) * 2018-12-10 2021-06-22 XNOR.ai, Inc. Digital watermarking of machine-learning models
US11409845B2 (en) * 2019-01-17 2022-08-09 Nxp B.V. Method for determining if a machine learning model has been copied
US11836256B2 (en) * 2019-01-24 2023-12-05 International Business Machines Corporation Testing adversarial robustness of systems with limited access
US20220108185A1 (en) * 2019-03-22 2022-04-07 Siemens Aktiengesellschaft Inverse and forward modeling machine learning-based generative design

Also Published As

Publication number Publication date
EP4229554A1 (en) 2023-08-23
EP4229554A4 (en) 2024-04-03
CA3195434A1 (en) 2022-04-21
WO2022081553A1 (en) 2022-04-21

Similar Documents

Publication Publication Date Title
US11526745B2 (en) Methods and apparatus for federated training of a neural network using trusted edge devices
US11599750B2 (en) Edge devices utilizing personalized machine learning and methods of operating the same
CN113066484A (en) System and method for distributed training of neural network models
CN111160749B (en) Information quality assessment and information fusion method and device
CN106295338B (en) SQL vulnerability detection method based on artificial neuron network
CN111046425A (en) Method and device for risk identification by combining multiple parties
CN110728328B (en) Training method and device for classification model
WO2021120854A1 (en) Model training method, and method and system for training member detection device
CN111061740B (en) Data synchronization method, device and storage medium
US10916254B2 (en) Systems, apparatuses, and methods for speaker verification using artificial neural networks
Razmjooei et al. A new approach to design a finite‐time extended state observer: uncertain robotic manipulators application
WO2022081553A4 (en) Systems and methods for providing a systemic error in artificial intelligence algorithms
Alvim et al. When not all bits are equal: Worth-based information flow
CN114581966A (en) Method, electronic device and computer program product for information processing
US7756802B2 (en) Combiner training and evaluation with random data partition
US11528259B2 (en) Systems and methods for providing a systemic error in artificial intelligence algorithms
US11967314B2 (en) Automatic generation of a contextual meeting summary
US10418024B1 (en) Systems and methods of speech generation for target user given limited data
KR102066264B1 (en) Speech recognition method and system using deep neural network
CN111308423B (en) Robust sound source positioning system and method thereof
Zhou et al. Simulation credibility evaluation based on multi-source data fusion
CN100574218C (en) A kind of method of setting up artificial distinct network
US11973743B2 (en) Systems and methods for providing a systemic error in artificial intelligence algorithms
Atashbar et al. Coherent l1‐SVD method for DOA estimation of wideband signals
Singh et al. A new trust model based on time series prediction and Markov model

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application

Ref document number: 21880894

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 3195434

Country of ref document: CA

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2021880894

Country of ref document: EP

Effective date: 20230515