CS-E4001 - Research Seminar on Security and Privacy of Machine Learning, 10.09.2019-03.12.2019

Syllabus

Security & Privacy of Machine Learning


    Introduction

    This is the course space for the Aalto University Department of Computer Science Research seminar on security and privacy of machine learning (CS-E4001). The course is worth 5 credits, which are earned by reading, analyzing, presenting and discussing research papers on the topic of security and privacy of machine learning systems. There is no exam.

    Course staff: Samuel Marchal (teacher - samuel.marchal@aalto.fi), Sebastian Szyller (teaching assistant - sebastian.szyller@aalto.fi).

    Registration

    Students must register for the course through Oodi. We expect 15-20 participants for this course.

    Pre-requisites
    The course is designed for people who already have basic knowledge about Machine Learning and Security concepts. Knowing supervised machine learning including kernel methods and neural networks as well as threat modelling is useful. Having taken CS-E3210 - Machine Learning: Basic Principles (and optionally CS-C3130 - Information Security) is recommended.

    Commitment
    Discussions require all students to be involved, and each student must present one or two papers and lead a discussion about them. Participants must be committed to attending every group discussion session.

    Course Overview

    Learning Objectives

    After this course, you are expected to have the following new skills:

    • knowledge of the security and privacy threats to machine learning systems
    • ability to identify the threats to a given machine learning system (threat modelling)
    • ability to summarize and critically analyze findings/contributions from research papers
    • ability to make a sensible oral presentation of a research paper and to lead a critical discussion about it
    • new insights on good research methodology and on scientific writing (useful for MSc. thesis)

    Content

    The course consists of several group discussion sessions (10 sessions planned). Two scientific papers on the topic of security and privacy of machine learning are presented and discussed during each session. These papers cover both attacks on machine learning systems and defenses against some of these attacks. One student presents and leads the discussion for each paper; the remaining students participate in the discussion.

    Each paper discussion will typically consist of a presentation of the paper (20 minutes) followed by an interactive discussion led by the presenter (30 minutes).

    Assessment and grading

    Students are assessed and graded according to 3 components:

    1. Presenting and leading the discussion on a scientific paper (twice per student): 50% of the grade
    2. Participation in discussions: 25% of the grade
    3. Writing a learning diary to reflect on paper reading and discussion sessions: 25% of the grade

    Workload: 134 hours

    The workload is spread over 2 periods and consists of:
    • reading scientific papers (2 papers per week) - 25 papers x 3h = 75h
    • attending and participating in discussion sessions (once a week) - 12 sessions x 2h = 24h
    • preparing the presentation and the discussion for 1 paper (twice over the course) - 2 preparations x 10h = 20h
    • writing a learning diary (0.5-1 page, filled in once a week after each session) - 10 sessions x 1.5h = 15h

      Planned schedule

      Day | Place | Topic
      Tuesday 10/09 (12:15-14:00) | T5 (A133) | Introductory lecture: Course organization and topics overview
      Friday 20/09 (12:15-14:00) | T4 (A238) | Discussion 1: Model evasion
      Friday 27/09 (12:15-14:00) | T4 (A238) | Discussion 2: Defending model evasion + Compromised training
      Friday 04/10 (12:15-14:00) | T4 (A238) | Discussion 3: Model poisoning
      Friday 11/10 (12:15-14:00) | T4 (A238) | Discussion 4: Model confidentiality
      Tuesday 15/10 (12:15-14:00) | T5 (A133) | General feedback on presentations + discussions already done
      Friday 18/10 (12:15-14:00) | T4 (A238) | Discussion 5: Model confidentiality
      Friday 01/11 (12:15-14:00) | T4 (A238) | Discussion 5: Intellectual property protection
      Friday 08/11 (12:15-14:00) | T4 (A238) | Discussion 6: Training data privacy
      Friday 15/11 (12:15-14:00) | T5 (A133) | Discussion 7: Privacy preserving distributed training
      Friday 22/11 (12:15-14:00) | T4 (A238) | Discussion 8: Crypto-based privacy-preserving ML + Fairness in ML prediction
      Friday 29/11 (12:15-14:00) | T4 (A238) | Discussion 10: Fairness in ML prediction


      What students liked about the course last year (selected feedback)

      • "It provides a good chance for me to read state-of-the-art articles; the presentation and discussion part also encourages me to think deeper and learn more actively."
      • "The lecturers also helped the leader for discussion and opened new topics to discuss. They also assured us that we can actually ask about something that we are not sure about and it is perfectly fine."
      • "The discussions, research paper selection, presentations."
      • "Experienced participants in the discussions who could contribute interesting points."
      • "Really good feedback after our presentations."
      • "Really constructive and detailed feedback on how to improve both content and communication."
      • "Good feedback!"
