Topic outline

  • Security & Privacy of Machine Learning

    The seminar is cancelled this year because of not having enough participants.

    Introduction

    This is the course space for the Aalto University Department of Computer Science Research seminar on security and privacy of machine learning (CS-E400101). The course is worth 5 credits, which are earned by reading, analyzing, presenting and discussing research papers on the topic of security and privacy of machine learning systems. There is no exam.

    Course staff: Samuel Marchal (responsible teacher - samuel.marchal@aalto.fi), Buse Gul Atli (teacher - buse.atlitekgul@aalto.fi), Sebastian Szyller (teacher - sebastian.szyller@aalto.fi).

    Registration

    Students must register for the course through Sisu by March 1, 2021. We expect around 10 participants for this course.

    Pre-requisites
    The course is designed for people who already have basic knowledge about Machine Learning and Security concepts. Knowing supervised machine learning including kernel methods and neural networks as well as threat modelling is useful. Having taken CS-E3210 - Machine Learning: Basic Principles (and optionally CS-C3130 - Information Security) is recommended.

    Commitment
    Discussions require all students to be involved and each student must present one/two papers and lead a discussion about them. Participants must be committed to attend every group discussion session.

    Zoom Link & Passcode, Teams

    All meetings will be hosted on Zoom.

    Use the following link: https://aalto.zoom.us/j/67035584821?pwd=R2Z3WXFQdlRIQXBJSnRWbzNNSVdKZz09

    Passcode: 112211

    All course related discussion will happen on Microsoft Teams. Follow the link below to join the workspace: Microsoft Teams link


    Course Overview

    Learning Objectives

    After this course, you are expected to have the following new skills:

    • knowledge of the security and privacy threats to machine learning systems
    • ability to identify the threats to a given machine learning system (threat modelling)
    • ability to summarize and critically analyze findings/contributions from research papers
    • ability to make a sensible oral presentation of a research paper and to lead a critical discussion about it
    • new insights on good research methodology and on scientific writing (useful for MSc. thesis)

    Content

    The course consists of several group discussion sessions (5 sessions planned). Two scientific papers on the topic of security and privacy of machine learning are presented and discussed during each session. These papers cover both attacks on machine learning systems and defenses to some of these attacks. One student presents and leads the discussion for each paper. The remaining of the students participate in the discussions.

    Each paper discussion will typically consist in the presentation of the paper (20 minutes) and an interactive discussion led by the presenter (30 minutes).

    Two programming assignments cover crafting adversarial examples to perform evasion attacks, and watermarking of deep neural networks for the purpose of ownership verification.

    Assessment and grading

    Students are assessed and graded according to 4 components:

    1. Presenting and leading the discussion on a scientific paper (twice per student): 40% of the grade
    2. Participation in discussions: 15% of the grade
    3. Writing paper takeaways and questions: 15% of the grade
    4. Programing assignments: 30% of the grade

    Workload: 132 hours

    The workload is divided over 2 periods and it consists in:
    • reading research papers (3 papers per discussion) - 15 papers x 3h = 45h
    • participate to contact sessions (once a week) - 9 sessions x 2h = 18h
    • prepare the presentation and the discussion for 1 paper (twice over the course) - 2 preparations x 12h = 24h
    • write paper takeaways and questions (1 page to fill once a week, before each discussion session) - 5 sessions x 1h = 5h
    • two programing assignments - 2 x 20h = 40h

      Planned schedule

      Day
      Place
      Topic
      Friday, March 4   
      Zoom        
      Introductory lecture: Course organization and topics overview
      Friday, March 11
      Zoom Info session + Q&A for programming assignment
      Friday, March 25  
      Zoom            Discussion 1: Model evasion (adversarial examples)
      Friday, April 8 
      Zoom            Discussion 2: Model poisoning and backdoor
      Tuesday, April 19  
      Zoom            General feedback on presentations + discussions already done
      Friday, April 22 
      Zoom            Discussion 3: Model confidentiality and Intellectual property
      Friday, May 6
      Zoom        
      Discussion 4: Training data privacy
      Friday, May 20  
      Zoom            Discussion 5: Privacy-preserving and verifiable training
      Friday, May 27
      Zoom Final feedback session


      What students liked about the course last year (selected feedback)

      • "It provides a good chance for me to read state-of-the-art articles, the presentation and discussion part also encourage me to think deeper and learn more actively."
      • "The lecturers also helped the leader for discussion and opened new topics to discuss. They also assured that we can actually ask something that we are not sure and it is perfectly fine."
      • "The discussions, research paper selection, presentations."
      • "Experienced participants in the discussions who could contribute interesting points."
      • "Really good feedback after our presentations."
      • "Really constructive and detailed feedback on how to improve both content and communication."
      • "Good feedback!"