Credits: 5

Schedule: 10.09.2019 - 03.12.2019

Contact information for the course (applies in this implementation): 

Samuel Marchal:

Office A111 (T building)

Teaching Period (valid 01.08.2018-31.07.2020): 

I-II, III-V (Autumn or Spring)

Learning Outcomes (valid 01.08.2018-31.07.2020): 

Students gain a deep understanding of an advanced topic in the computer, communication or information sciences. They learn to survey up-to-date research literature and technical documentation on a new topic, to analyze the information critically and to summarize it, to write a technical article or to discuss it with an engineering audience. The best students are also able to perform experiments to deepen their knowledge of the given topic, to solve a technical or scientific problem, and to present their own results.

Content (valid 01.08.2018-31.07.2020): 

The course addresses a broad range of current topics in the computer, communication and information science areas.

Details on the course content (applies in this implementation): 

Content: The course consists of several group discussion sessions (10 sessions planned). Two scientific papers on the topic of security and privacy of machine learning are presented and discussed during each session. These papers cover both attacks on machine learning systems and defenses against some of these attacks. One student presents and leads the discussion for each paper; the remaining students participate in the discussion. Each paper discussion typically consists of a presentation of the paper (20 minutes) followed by an interactive discussion led by the presenter (30 minutes).

Learning Outcomes: After this course, you are expected to have the following new skills:

  • knowledge of the security and privacy threats to machine learning systems
  • ability to identify the threats to a given machine learning system (threat modelling)
  • ability to summarize and critically analyze findings/contributions from research papers
  • ability to make a sensible oral presentation of a research paper and to lead a critical discussion about it
  • new insights into good research methodology and scientific writing (useful for the MSc thesis)



Assessment Methods and Criteria (valid 01.08.2018-31.07.2020): 

Active participation, defined in more detail at the beginning of the course.

Elaboration of the evaluation criteria and methods, and acquainting students with the evaluation (applies in this implementation): 

Students are evaluated according to 3 components:

  1. Presenting and leading the discussion on a scientific paper (twice per student): 50% of the grade
  2. Participation in discussions: 25% of the grade
  3. Writing a learning diary to reflect on paper reading and discussion sessions: 25% of the grade

There is no exam.

Details on calculating the workload (applies in this implementation): 

The workload is 134 hours in total, spread over 2 periods, and it consists of:
  • reading scientific papers (2 papers per week) - 25 papers x 3h = 75h
  • attending and participating in discussion sessions (once a week) - 12 sessions x 2h = 24h
  • preparing the presentation and discussion for 1 paper (twice over the course) - 2 preparations x 10h = 20h
  • writing a learning diary (0.5-1 page, filled in once a week after each session) - 10 sessions x 1.5h = 15h

Details on the course materials (applies in this implementation): 

Systematization of knowledge on security and privacy of machine learning

Research papers that we will discuss during the course.

Methodology for reading research papers.

Grading Scale (valid 01.08.2018-31.07.2020): 

0-5, may also be graded with pass/fail.

Further Information (valid 01.08.2018-31.07.2020): 

The content of the course varies.

Details on the schedule (applies in this implementation): 

One meeting per week over 2 periods.

Day and date        Time          Room        Topic
Tuesday 10/09       12:15-14:00   T5 (A133)   Introductory lecture: Course organization and topics overview
Friday 20/09        12:15-14:00   T4 (A238)   Discussion 1: Model evasion
Friday 27/09        12:15-14:00   T4 (A238)   Discussion 2: Defending model evasion
Friday 04/10        12:15-14:00   T4 (A238)   Discussion 3: Model poisoning
Friday 11/10        12:15-14:00   T4 (A238)   Discussion 4: Compromised training
Tuesday 15/10       12:15-14:00   T5 (A133)   General feedback on presentations and discussions already done
Friday 18/10        12:15-14:00   T4 (A238)   Discussion 5: Model confidentiality
Friday 01/11        12:15-14:00   T4 (A238)   Discussion 6: Intellectual property protection
Friday 08/11        12:15-14:00   T4 (A238)   Discussion 7: Training data privacy
Friday 15/11        12:15-14:00   T5 (A133)   Discussion 8: Privacy-preserving distributed training
Friday 22/11        12:15-14:00   T4 (A238)   Discussion 9: Crypto-based privacy-preserving ML
Friday 29/11        12:15-14:00   T4 (A238)   Discussion 10: Fairness in ML prediction