CS-E400101 - Research Seminar in Computer Science D: Research Seminar on Security and Privacy of Machine Learning, Lectures, 1.3.2022-27.5.2022
This course space end date is set to 27.05.2022 Search Courses: CS-E400101
Topic outline
-
The seminar is cancelled this year because of not having enough participants.
Introduction
This is the course space for the Aalto University Department of Computer Science Research seminar on security and privacy of machine learning (CS-E400101). The course is worth 5 credits, which are earned by reading, analyzing, presenting and discussing research papers on the topic of security and privacy of machine learning systems. There is no exam.
Course staff: Samuel Marchal (responsible teacher - samuel.marchal@aalto.fi), Buse Gul Atli (teacher - buse.atlitekgul@aalto.fi), Sebastian Szyller (teacher - sebastian.szyller@aalto.fi).
Registration
Students must register for the course through Sisu by March 1, 2021. We expect around 10 participants for this course.
Pre-requisites
The course is designed for people who already have basic knowledge about Machine Learning and Security concepts. Knowing supervised machine learning including kernel methods and neural networks as well as threat modelling is useful. Having taken CS-E3210 - Machine Learning: Basic Principles (and optionally CS-C3130 - Information Security) is recommended.Commitment
Discussions require all students to be involved and each student must present one/two papers and lead a discussion about them. Participants must be committed to attend every group discussion session.Zoom Link & Passcode, Teams
All meetings will be hosted on Zoom.
Use the following link: https://aalto.zoom.us/j/67035584821?pwd=R2Z3WXFQdlRIQXBJSnRWbzNNSVdKZz09
Passcode: 112211
All course related discussion will happen on Microsoft Teams. Follow the link below to join the workspace: Microsoft Teams link
Course Overview
Learning Objectives
After this course, you are expected to have the following new skills:
- knowledge of the security and privacy threats to machine learning systems
- ability to identify the threats to a given machine learning system (threat modelling)
- ability to summarize and critically analyze findings/contributions from research papers
- ability to make a sensible oral presentation of a research paper and to lead a critical discussion about it
- new insights on good research methodology and on scientific writing (useful for MSc. thesis)
Content
The course consists of several group discussion sessions (5 sessions planned). Two scientific papers on the topic of security and privacy of machine learning are presented and discussed during each session. These papers cover both attacks on machine learning systems and defenses to some of these attacks. One student presents and leads the discussion for each paper. The remaining of the students participate in the discussions.
Each paper discussion will typically consist in the presentation of the paper (20 minutes) and an interactive discussion led by the presenter (30 minutes).
Two programming assignments cover crafting adversarial examples to perform evasion attacks, and watermarking of deep neural networks for the purpose of ownership verification.
Assessment and grading
Students are assessed and graded according to 4 components:
- Presenting and leading the discussion on a scientific paper (twice per student): 40% of the grade
- Participation in discussions: 15% of the grade
- Writing paper takeaways and questions: 15% of the grade
- Programing assignments: 30% of the grade
Workload: 132 hours
The workload is divided over 2 periods and it consists in:- reading research papers (3 papers per discussion) - 15 papers x 3h = 45h
- participate to contact sessions (once a week) - 9 sessions x 2h = 18h
- prepare the presentation and the discussion for 1 paper (twice over the course) - 2 preparations x 12h = 24h
- write paper takeaways and questions (1 page to fill once a week, before each discussion session) - 5 sessions x 1h = 5h
- two programing assignments - 2 x 20h = 40h
Planned schedule
Day Place Topic Friday, March 4 Zoom Introductory lecture: Course organization and topics overview Friday, March 11 Zoom Info session + Q&A for programming assignment Friday, March 25 Zoom Discussion 1: Model evasion (adversarial examples) Friday, April 8 Zoom Discussion 2: Model poisoning and backdoor Tuesday, April 19 Zoom General feedback on presentations + discussions already done Friday, April 22 Zoom Discussion 3: Model confidentiality and Intellectual property Friday, May 6 Zoom Discussion 4: Training data privacy Friday, May 20 Zoom Discussion 5: Privacy-preserving and verifiable training Friday, May 27 Zoom Final feedback session What students liked about the course last year (selected feedback)
- "It provides a good chance for me to read state-of-the-art articles, the presentation and discussion part also encourage me to think deeper and learn more actively."
- "The lecturers also helped the leader for discussion and opened new topics to discuss. They also assured that we can actually ask something that we are not sure and it is perfectly fine."
- "The discussions, research paper selection, presentations."
- "Experienced participants in the discussions who could contribute interesting points."
- "Really good feedback after our presentations."
- "Really constructive and detailed feedback on how to improve both content and communication."
- "Good feedback!"
- knowledge of the security and privacy threats to machine learning systems