Please note! Course description is confirmed for two academic years, which means that in general, e.g. Learning outcomes, assessment methods and key content stays unchanged. However, via course syllabus, it is possible to specify or change the course execution in each realization of the course, such as how the contact sessions are organized, assessment methods weighted or materials used.


Students gain a deep understanding of an advanced topic in the computer, communication or information sciences. They learn to survey up-to-date research literature and technical documentation on a new topic, to analyze the information critically and to summarize it, to write a technical article or to discuss it with an engineering audience. The best students are also able to perform experiments to deepen their knowledge of the given topic, to solve a technical or scientific problem, and to present their own results.

Credits: 5

Schedule: 02.03.2021 - 28.05.2021

Teacher in charge (valid 01.08.2020-31.07.2022): Pekka Orponen

Teacher in charge (applies in this implementation): Samuel Marchal

Contact information for the course (valid 26.11.2020-21.12.2112):

Samuel Marchal:

Sebastian Szyller:

Office A111 (T building)

CEFR level (applies in this implementation):

Language of instruction and studies (valid 01.08.2020-31.07.2022):

Teaching language: English

Languages of study attainment: English


  • Valid 01.08.2020-31.07.2022:

    The course addresses a broad range of current topics in the computer, communication and information science areas.

  • Applies in this implementation:

    Content: The course consists of several group discussion sessions (9 sessions planned). Two scientific papers on the topic of security and privacy of machine learning are presented and discussed during each session. These papers cover both attacks on machine learning systems and defenses to some of these attacks. One student presents and leads the discussion for each paper. The remaining of the students participate in the discussions. Each paper discussion will typically consist in the presentation of the paper (20 minutes) and an interactive discussion led by the presenter (30 minutes). A small programing assignment introduces how to craft adversarial examples in order to perform evasion attacks.

    Learning Outcomes: After this course, you are expected to have the following new skills:

    • knowledge of the security and privacy threats to machine learning systems
    • ability to identify the threats to a given machine learning system (threat modelling)
    • ability to summarize and critically analyze findings/contributions from research papers
    • ability to make a sensible oral presentation of a research paper and to lead a critical discussion about it
    • new insights on good research methodology and on scientific writing (useful for MSc. thesis)

Assessment Methods and Criteria
  • Valid 01.08.2020-31.07.2022:

    Active participation, defined in more details in the beginning of the course.

  • Applies in this implementation:

    Students are assessed and graded according to 4 components:

    1. Presenting and leading the discussion on a scientific paper (twice per student): 50% of the grade
    2. Participation in discussions: 15% of the grade
    3. Writing paper takeaways and questions: 15% of the grade
    4. Programing assignment: 20% of the grade

    There is no exam.

  • Applies in this implementation:

    The workload is 135 hours in total, it is divided over 2 periods and it consists of:
    • reading research papers (2 papers per week) - 20 papers x 3h = 60h
    • participate to contact sessions (once a week) - 11 sessions x 2h = 22h
    • prepare the presentation and the discussion for 1 paper (twice over the course) - 2 preparations x 10h = 20h
    • write paper takeaways and questions (1 page to fill once a week, before each discussion session) - 9 sessions x 1h = 9h
    • a programing assignment to implement an evasion attack (generate adversarial examples) - 24h


Study Material
  • Applies in this implementation:

    Systematization of knowledge on security and privacy of machine learning.

    Research papers that we will discuss during the course.

    Methodology for reading research papers.


Details on the schedule
  • Applies in this implementation:

    Discussion 1: Model evasion
    Discussion 2: Model poisoning
    Discussion 3: Compromised training library/platform
    Discussion 4: Model stealing
    Discussion 5: Protecting Intellectual property of models
    Discussion 6: Training data leakage
    Discussion 7: Tracing training data
    Discussion 8: Privacy-preserving training
    Discussion 9: Fairness & bias in ML prediction