Security & Privacy of Machine Learning
Introduction
This is the course space for the Aalto University Department of Computer Science Research seminar on security and privacy of machine learning (CS-E4001). The course is worth 4 credits,
which are earned by leading and participating in discussions about research papers. There is no exam.
Course staff: Samuel Marchal, Mika Juuti, N. Asokan.
The course staff can be reached by email individually at firstname.lastname@aalto.fi.
Registration
Discussions require all students to be involved and each student must
lead one discussion. Participants must be committed to completing the
course and commit to attend every group discussion session. Students
must register for the course through Oodi.
Pre-requisites
The course is designed for people who already have some knowledge of machine learning and security concepts. In particular, background knowledge of supervised machine learning, deep neural networks and threat modelling is useful. Participants must have taken at least one course on machine learning before.
Number of participants
We expect to have 12 or 24 participants for this course (12 papers to discuss, each presented by 1 or 2 students).
Course Overview
Learning Outcomes
Learn about contemporary research topics in the domain of security and privacy of machine learning. Learn the methodology for reading scientific papers, analyzing and synthesizing information, and reporting the findings. Learn to identify the strengths and weaknesses of contributions and to expand a discussion beyond the paper's content. This course provides experience in leading and participating in a discussion about a scientific paper. It also gives an overview of, and insights into, good methodology for carrying out research and writing research papers, which is useful for Master's thesis writing.
Content
The course consists of several group discussion sessions (6 sessions planned). Two scientific papers on the topic of security and privacy of machine learning are discussed during each session. One student leads the discussion for each paper. Two students are designated to take notes on the discussion during each session. The remaining students participate in the discussions.
Each paper discussion will typically consist of a presentation of the paper (20 minutes) followed by an interactive discussion led by the presenter (30 minutes).
Preliminary list of papers to discuss
Theme | Title | Authors | Year
---|---|---|---
Model evasion | Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition | Sharif et al. | 2016
Model evasion | Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples | Athalye et al. | 2018
Model confidentiality | Practical Black-Box Attacks against Machine Learning | Papernot et al. | 2017
Model confidentiality | PRADA: Protecting against DNN Model Stealing Attacks | Juuti et al. | 2018
Model poisoning | Towards Poisoning of Deep Learning Algorithms with Back-gradient Optimization | Munoz-Gonzalez et al. | 2017
Model poisoning | Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning | Jagielski et al. | 2018
Compromised training | Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring | Adi et al. | 2018
Compromised training | Machine Learning Models that Remember Too Much | Song et al. | 2017
Attacks on input privacy | Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures | Fredrikson et al. | 2015
Attacks on input privacy | Membership Inference Attacks Against Machine Learning Models | Shokri et al. | 2016
Privacy-preserving ML | Privacy-Preserving Deep Learning | Shokri and Shmatikov | 2015
Privacy-preserving ML | Gazelle: A Low Latency Framework for Secure Neural Network Inference | Juvekar et al. | 2018
Evaluation
Students are evaluated according to 3 components:
- Leading a paper discussion (once per student): 40% of the grade
- Quality of notes taken (once per student, for 1 session in which 2 papers are discussed): 30% of the grade
- Participation in discussions (4 times per student: during each meeting where they do not present or take notes): 30% of the grade
Workload
109 hours total:
- 16h meetings (6 x 2h-group discussions + introductory meeting + final meeting)
- 72h paper reading + preparing discussions
- 15h preparation of leading session
- 6h synthesis of discussion notes
Planned Schedule
Mandatory sessions:
- Introductory meeting: Tue 11/09
- 1st discussion: Fri 21/09
- 2nd discussion: Tue 25/09
- 3rd discussion: Tue 2/10
- 4th discussion: Fri 5/10
- 5th discussion: Tue 9/10
- 6th discussion: Fri 12/10
- Final meeting: Tue 16/10
Optional sessions (advice / feedback on request):
- Tue 18/09