Data transmission with obfuscation for a data processing (dp) accelerator
US-2021075775-A1 · Mar 11, 2021 · US
US12099622B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12099622-B2 |
| Application number | US-202117553536-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 16, 2021 |
| Priority date | Dec 21, 2020 |
| Publication date | Sep 24, 2024 |
| Grant date | Sep 24, 2024 |
Official abstract text for this publication.
Aspects of the present disclosure involve implementations that may be used to protect neural network models against adversarial attacks by obfuscating neural network operations and architecture. Obfuscation techniques include obfuscating weights and biases of neural network nodes, obfuscating activation functions used by neural networks, as well as obfuscating neural network architecture by introducing dummy operations, dummy nodes, and dummy layers into the neural networks.
Opening claim text (preview).
What is claimed is:
1. A method to execute a neural network model that includes a plurality of nodes, the method comprising: determining, by a processing device, based on parameters of a first node of the plurality of nodes, a weighted input into an activation function for the first node; selecting, by the processing device, an obfuscation function for the first node; determining, by the processing device, a first composite activation function for the first node, wherein the first composite activation function is formed by the activation function for the first node and the obfuscation function for the first node; applying, by the processing device, the first composite activation function to the weighted input to compute an obfuscated output of the first node; and providing, by the processing device, the obfuscated output of the first node to a second node of the plurality of nodes of the neural network.
2. The method of claim 1, wherein the obfuscation function is an invertible function.
3. The method of claim 1, wherein the weighted input into the activation function of the first node is obtained using a plurality of masked weights of the first node.
4. The method of claim 1, further comprising: determining a weighted input into an activation function of the second node, by applying, to the provided obfuscated output of the first node, a weight of the second node composite with a de-obfuscation function.
5. The method of claim 4, wherein the weighted input into the activation function of the second node is obtained using a plurality of masked weights of the second node.
6. The method of claim 1, wherein the first composite activation function is one of a plurality of composite activation functions for the first node, each of the plurality of composite activation functions is based on a respective activation function of a plurality of activation functions for the first node and a respective obfuscation function of a plurality of obfuscation functions for the first node, the method further comprising: applying, by the processing device, each of the plurality of composite activation functions to the weighted input to compute a respective obfuscated output of a plurality of obfuscated outputs of the first node; and providing, by the processing device, each of the plurality of obfuscated outputs to the second node.
7. The method of claim 6, further comprising: prior to providing each of the plurality of obfuscated outputs to the second node, masking, by the processing device, the plurality of obfuscated outputs.
8. The method of claim 7, further comprising: unmasking, by the processing device, the masked plurality of obfuscated outputs, wherein the unmasking is composite with determining a weighted input into the second node.
9. The method of claim 8, wherein the unmasking is further composite with one or more de-obfuscation functions.
10. A method comprising: identifying a neural network (NN) model to be protected against adversarial attacks, wherein the NN model includes a plurality of nodes; and modifying the NN model to obtain a modified NN model, wherein each of the NN model and the modified NN model is configured to output same target output based on same input, wherein the modified NN model comprises: determining, by a processing device, based on parameters of a first node of the plurality of nodes, a weighted input into an activation function for the first node; selecting, by the processing device, an obfuscation function for the first node; determining, by the processing device, a first composite activation function for the first node, wherein the first composite activation function is formed by the activation function for the first node and the obfuscation function for the first node; applying, by the processing device, the first composite activation function to the weighted input to compute an obfuscated output of the first node; and providing, by the processing device, the obfuscated output of the first node to a second node of the plurality of nodes of the neural network.
11. The method of claim 10, wherein the weighted input into the activation function of the first node is obtained using a plurality of masked weights of the first node.
12. A system to execute a neural network model that includes a plurality of nodes, the system comprising: a memory device; and a processing device communicatively coupled to the memory device, the processing device to: determine, based on parameters of a first node of the plurality of nodes, a weighted input into an activation function for the first node; select an obfuscation function for the first node; determine a first composite activation function for the first node, wherein the first composite activation function is formed by the activation function for the first node and the obfuscation function for the first node; apply the first composite activation function to the weighted input to compute an obfuscated output of the first node; and provide the obfuscated output of the first node to a second node of the plurality of nodes of the neural network.
13. The system of claim 12, wherein the obfuscation function is an invertible function.
14. The system of claim 12, wherein the weighted input into the activation function of the first node is obtained using a plurality of masked weights of the first node.
15. The system of claim 12, wherein the processing device is further to: determine a weighted input into an activation function of the second node, by applying, to the provided obfuscated output of the first node, a weight of the second node composite with a de-obfuscation function.
16. The system of claim 15, wherein the weighted input into the activation function of the second node is obtained using a plurality of masked weights of the second node.
17. The system of claim 12, wherein the first composite activation function is one of a plurality of composite activation functions for the first node, each of the plurality of composite activation functions is based on a respective activation function of a plurality of activation functions for the first node and a respective obfuscation function of a plurality of obfuscation functions for the first node, and wherein the processing device is further to: apply each of the plurality of composite activation functions to the weighted input to compute a respective obfuscated output of a plurality of obfuscated outputs of the first node; and provide each of the plurality of obfuscated outputs to the second node.
18. The system of claim 17, wherein the processing device is further to: mask the plurality of obfuscated outputs prior to providing each of the plurality of obfuscated outputs to the second node.
19. The system of claim 18, wherein the processing device is further to: perform unmasking of the masked plurality of obfuscated outputs, wherein the unmasking is composite with determining a weighted input into the second node.
20. The system of claim 19, wherein the unmasking is further composite with one or more de-obfuscation functions.
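The mechanism of claims 1, 2 and 4 can be traced on a two-node chain. The sketch below is an added illustration, not code from the patent: the affine obfuscation function, the tanh and sigmoid activations and all parameter values are assumptions chosen so that the de-obfuscation folds into the second node's weight and bias and the modified model returns the same output as the original.

```python
import math

# Constructed parameters for a two-node chain (not taken from the patent).
W1, B1 = [0.8, -0.5], 0.1   # first node: weights and bias
W2, B2 = 1.7, -0.3          # second node: weight on the first node's output, bias
A, C = -3.25, 4.0           # assumed obfuscation O(y) = A*y + C, invertible since A != 0


def weighted_input(x):
    """Weighted input into the first node's activation function."""
    return sum(w * xi for w, xi in zip(W1, x)) + B1


def original_model(x):
    """Reference network: a tanh node feeding a sigmoid node."""
    y1 = math.tanh(weighted_input(x))
    return 1.0 / (1.0 + math.exp(-(W2 * y1 + B2)))


def composite_activation(z):
    """Obfuscation composed with the activation: O(tanh(z))."""
    return A * math.tanh(z) + C


# De-obfuscation O^-1(y) = (y - C) / A folded into the second node's parameters,
# so the plain activation value is never materialised between the two nodes.
W2_FOLDED = W2 / A
B2_FOLDED = B2 - W2 * C / A


def modified_model(x):
    """Return (obfuscated value passed between nodes, final output)."""
    y1_obf = composite_activation(weighted_input(x))
    z2 = W2_FOLDED * y1_obf + B2_FOLDED
    return y1_obf, 1.0 / (1.0 + math.exp(-z2))


if __name__ == "__main__":
    x = [0.4, 1.2]  # constructed input
    y1_obf, out = modified_model(x)
    print("plain activation        :", math.tanh(weighted_input(x)))
    print("value passed to node 2  :", y1_obf)
    print("outputs match original  :", math.isclose(out, original_model(x)))
```

An observer of the value passed between the nodes sees `A*tanh(z) + C` rather than the activation itself, and the stored second-node parameters are `W2/A` and `B2 - W2*C/A` rather than `W2` and `B2`.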
using neural networks · CPC title
against software analysis or reverse engineering, e.g. by obfuscation · CPC title
where protection concerns the structure of data, e.g. records, types, queries · CPC title
Neural networks · CPC title
Activation functions · CPC title