Identifying Appropriate Intellectual Property Protection Mechanisms for Machine Learning Models: A Systematization of Watermarking, Fingerprinting, Model Access, and Attacks

The commercial use of Machine Learning (ML) is spreading; at the same time, ML models are becoming more complex and more expensive to train, which makes Intellectual Property Protection (IPP) of trained models a pressing issue. Unlike other domains that can build on a solid understanding of the threats, attacks and defenses available to protect their IP, the ML-related research in this regard is still very fragmented. This is also due to a missing unified view as well as a common taxonomy of these aspects. In this paper, we systematize our findings on IPP in ML, while focusing on threats and attacks identified and defenses proposed at the time of writing. We develop a comprehensive threat model for IP in ML, categorizing attacks and defenses within a unified and consolidated taxonomy, thus bridging research from both the ML and security communities

Coulomb dissociation of O-16 into He-4 and C-12

We measured the Coulomb dissociation of O-16 into He-4 and C-12 within the FAIR Phase-0 program at GSI Helmholtzzentrum fur Schwerionenforschung Darmstadt, Germany. From this we will extract the photon dissociation cross section O-16(alpha,gamma)C-12, which is the time reversed reaction to C-12(alpha,gamma)O-16. With this indirect method, we aim to improve on the accuracy of the experimental data at lower energies than measured so far. The expected low cross section for the Coulomb dissociation reaction and close magnetic rigidity of beam and fragments demand a high precision measurement. Hence, new detector systems were built and radical changes to the (RB)-B-3 setup were necessary to cope with the high-intensity O-16 beam. All tracking detectors were designed to let the unreacted O-16 ions pass, while detecting the C-12 and He-4

A Solve-RD ClinVar-based reanalysis of 1522 index cases from ERN-ITHACA reveals common pitfalls and misinterpretations in exome sequencing

Purpose Within the Solve-RD project (https://solve-rd.eu/), the European Reference Network for Intellectual disability, TeleHealth, Autism and Congenital Anomalies aimed to investigate whether a reanalysis of exomes from unsolved cases based on ClinVar annotations could establish additional diagnoses. We present the results of the “ClinVar low-hanging fruit” reanalysis, reasons for the failure of previous analyses, and lessons learned. Methods Data from the first 3576 exomes (1522 probands and 2054 relatives) collected from European Reference Network for Intellectual disability, TeleHealth, Autism and Congenital Anomalies was reanalyzed by the Solve-RD consortium by evaluating for the presence of single-nucleotide variant, and small insertions and deletions already reported as (likely) pathogenic in ClinVar. Variants were filtered according to frequency, genotype, and mode of inheritance and reinterpreted. Results We identified causal variants in 59 cases (3.9%), 50 of them also raised by other approaches and 9 leading to new diagnoses, highlighting interpretation challenges: variants in genes not known to be involved in human disease at the time of the first analysis, misleading genotypes, or variants undetected by local pipelines (variants in off-target regions, low quality filters, low allelic balance, or high frequency). Conclusion The “ClinVar low-hanging fruit” analysis represents an effective, fast, and easy approach to recover causal variants from exome sequencing data, herewith contributing to the reduction of the diagnostic deadlock

Leitfaden zur Auswahl einer backdoor basierten Model Watermarking Methode

Arbeit an der Bibliothek noch nicht eingelangt - Daten nicht geprüftAbweichender Titel nach Übersetzung der Verfasserin/des VerfassersDa die kommerzielle Nutzung von maschinellem Lernen (ML) immer weiter verbreitet ist und die steigende Komplexität von ML-Modellen aufwendiger und damit teurer zu trainieren wird, wächst auch die Dringlichkeit, geistiges Eigentums in diesen Modellen zu schützen. Im Vergleich zu Technologien, die sich auf ein solides Verständnis von Bedrohungen, Angriffen und Verteidigungsmöglichkeiten zum Schutz ihres geistigen Eigentums stützen können, ist die Forschung in dieser Hinsicht bei ML noch sehr fragmentiert. Dies ist mitunter auf das Fehlen einer einheitlichen Sichtweise und einer gemeinsamen Taxonomie dieser Aspekte zurückzuführen. In dieser Arbeit werden die Erkenntnisse zum Schutz des geistigen Eigentums in ML systematisiert, wobei der Schwerpunkt auf Bedrohungen und Angriffen liegt, die für einige der bisher bestehenden Systeme festgestellt wurden, sowie auf den bisher vorgeschlagenen Schutzmaßnahmen. Wir entwickeln ein umfassendes Bedrohungsmodell für das geistige Eigentum in ML und kategorisieren Angriffe und Abwehrmaßnahmen in einer einheitlichen und konzisen Taxonomie, um auf diese Weise die Brücke zwischen ML und zukunftsweisender Sicherheit zu schlagen. Später konzentrieren wir uns auf Backdoor-basiertes Watermarking für Deep Neural Networks zur Bildklassifizierung und definieren verschiedene Parameter für eine umfassende Studie dieser Ansätze. Dies ist von grundlegender Bedeutung für die Bewertung der verschiedenen Methoden und die Formulierung des Leitfadens. Schließlich wählen wir eine Teilmenge dieser Parameter aus und vergleichen die Methoden, um eine Empfehlung für eine Watermarking-Methode auf Basis eines ML-Settings zu geben.With commercial uses of Machine Learning (ML) becoming more wide-spread, while at the same time ML models becoming more complex and expensive to train, the Intellectual Property Protection (IPP) of trained models is becoming a pressing issue. Unlike other domains that can build on a solid understanding of the threats, attacks and defences available to protect their IP, the research in this regard in ML is still very fragmented. This is also due to a lack of a unified view and a common taxonomy of these aspects. In this thesis, we systematise findings on IPP in ML, focusing on threats and attacks identified on these systems and defences proposed to date. We develop a comprehensive threat model for IP in ML, and categorise attacks and defences within a unified and consolidated taxonomy, thus bridging research from both the ML and security communities. Later on, we focus on backdoor-based watermarking approaches for Deep Neural Networks for image classification and define different parameters and settings for a comprehensive study of these approaches. This will be fundamental for evaluating the different methods and formulating the selection guidelines. Finally, we choose a subset of these parameters and compare the methods in order to provide a recommendation for a watermarking method based on the ML setting.11

Clinical relevance of collagen protein degradation markers c3m and c4m in the serum of breast cancer patients treated with neoadjuvant therapy in the geparquinto trial

Background: Remodeling of extracellular matrix through collagen degradation is a crucial step in the metastatic cascade. The aim of this study was to evaluate the potential clinical relevance of the serum collagen degradation markers (CDM) C3M and C4M during neoadjuvant chemotherapy for breast cancer. Methods: Patients from the GeparQuinto phase 3 trial with untreated HER2-positive operable or locally advanced breast cancer were enrolled between 7 November 2007, and 9 July 2010, and randomly assigned to receive neoadjuvant treatment with EC/docetaxel with either trastuzumab or lapatinib. Blood samples were collected at baseline, after four cycles of chemotherapy and at surgery. Cutoff values were determined using validated cutoff finder software (C3M: Low ≤9.00 ng/mL, high >9.00 ng/mL, C4M: Low ≤40.91 ng/mL, high >40.91 ng/mL). Results: 157 patients were included in this analysis. At baseline, 11.7% and 14.8% of patients had high C3M and C4M serum levels, respectively. No correlation was observed between CDM and classical clinical-pathological factors. Patients with high levels of CDM were significantly more likely to achieve a pathological complete response (pCR, defined as ypT0 ypN0) than patients with low levels (C3M: 66.7% vs. 25.7%, p = 0.002; C4M: 52.7% vs. 26.6%, p = 0.031). Median levels of both markers were lower at the time of surgery than at baseline. In the multivariate analysis including clinical-pathological factors and C3M levels at baseline and changes in C3M levels between baseline and after four cycles of therapy, only C3M levels at baseline (p = 0.035, OR 4.469, 95%-CI 1.115–17.919) independently predicted pCR. In a similar model including clinical-pathological factors and C4M, only C4M levels at baseline (p = 0.028, OR 6.203, 95%-CI 1.220–31.546) and tumor size (p = 0.035, OR 4.900, 95%-CI 1.122–21.393) were independent predictors of pCR. High C3M levels at baseline did not correlate with survival in the entire cohort but were associated with worse disease-free survival (DFS; p = 0.029, 5-year DFS 40.0% vs. 74.9%) and overall survival (OS; p = 0.020, 5-year OS 60.0% vs. 88.3%) in the subgroup of patients randomized to lapatinib. In the trastuzumab arm, C3M did not correlate with survival. In the entire patient cohort, high levels of C4M at baseline were significantly associated with shorter DFS (p = 0.001, 5-year DFS 53.1% vs. 81.6%) but not with OS. When treatment arms were considered separately, the association with DFS was still significant (p = 0.014, 5-year DFS 44.4% vs. 77.0% in the lapatinib arm; p = 0.023, 5-year DFS 62.5% vs. 86.2% in the trastuzumab arm). Conclusions: Collagen degradation markers are associated with response to neoadjuvant therapy and seem to play a role in breast cancer