CS-E4001 - Research Seminar in Computer Science D: Research Seminar on Security and Privacy of Machine Learning, 02.03.2021-28.05.2021
Topic outline
Introduction
This is the course space for the Aalto University Department of Computer Science Research seminar on security and privacy of machine learning (CS-E4001). The course is worth 5 credits, which are earned by reading, analyzing, presenting and discussing research papers on the topic of security and privacy of machine learning systems. There is no exam.
Course staff: Samuel Marchal (responsible teacher - samuel.marchal@aalto.fi), Buse Gul Atli (co-organizer - buse.atlitekgul@aalto.fi), Sebastian Szyller (co-organizer - sebastian.szyller@aalto.fi).
Registration
Students must register for the course through Oodi by March 2, 2021. We expect 10-15 participants for this course.
Pre-requisites
The course is designed for people who already have basic knowledge of machine learning and security concepts. Familiarity with supervised machine learning, including kernel methods and neural networks, as well as with threat modelling is useful. Having taken CS-E3210 - Machine Learning: Basic Principles (and optionally CS-C3130 - Information Security) is recommended.
Commitment
Discussions require all students to be involved, and each student must present one or two papers and lead a discussion about them. Participants must be committed to attending every group discussion session.
Zoom Link & Passcode, Teams
All meetings will be hosted on Zoom. Use the following link: https://aalto.zoom.us/j/61731561475?pwd=cDdMN3FqdkNTc1ZpRUhXSHMvMVlFdz09
Passcode: 423792
All course related discussion will happen on Microsoft Teams. Follow the link below to join the workspace: Microsoft Teams link
Course Overview
Learning Objectives
After this course, you are expected to have the following new skills:
- knowledge of the security and privacy threats to machine learning systems
- ability to identify the threats to a given machine learning system (threat modelling)
- ability to summarize and critically analyze findings/contributions from research papers
- ability to make a sensible oral presentation of a research paper and to lead a critical discussion about it
- new insights into good research methodology and scientific writing (useful for an MSc thesis)
Content
The course consists of several group discussion sessions (9 sessions planned). Two scientific papers on the topic of security and privacy of machine learning are presented and discussed during each session. These papers cover both attacks on machine learning systems and defenses against some of these attacks. One student presents and leads the discussion for each paper; the remaining students participate in the discussion.
Each paper discussion will typically consist of a presentation of the paper (20 minutes) followed by an interactive discussion led by the presenter (30 minutes).
A small programming assignment introduces how to craft adversarial examples in order to perform evasion attacks.
Assessment and grading
Students are assessed and graded according to 4 components:
- Presenting and leading the discussion on a scientific paper (twice per student): 50% of the grade
- Participation in discussions: 15% of the grade
- Writing paper takeaways and questions: 15% of the grade
- Programming assignment: 20% of the grade
Workload: 135 hours
The workload is divided over 2 periods and consists of:
- reading research papers (2 papers per week) - 20 papers x 3h = 60h
- participating in contact sessions (once a week) - 11 sessions x 2h = 22h
- preparing the presentation and the discussion for 1 paper (twice over the course) - 2 preparations x 10h = 20h
- writing paper takeaways and questions (1 page to fill in once a week, before each discussion session) - 9 sessions x 1h = 9h
- a programming assignment to implement an evasion attack (generate adversarial examples) - 24h
Planned schedule
Day | Place | Topic
Tuesday, March 2 | Zoom | Introductory lecture: Course organization and topics overview
Friday, March 12 | Zoom | Info session for programming assignment
Friday, March 19 | Zoom | Discussion 1: Model evasion
Friday, March 26 | Zoom | Discussion 2: Model poisoning
Friday, April 2 | Zoom | Discussion 3: .....
Friday, April 9 | Zoom | Discussion 3: Compromised training library/platform
Tuesday, April 20 | Zoom | General feedback on presentations + discussions already done
Friday, April 23 | Zoom | Discussion 4: Model stealing
Friday, April 30 | Zoom | Discussion 5: Protecting intellectual property of models
Friday, May 7 | Zoom | Discussion 6: Training data leakage + Tracing training data
Friday, May 14 | Zoom | Cancelled
Friday, May 21 | Zoom | Discussion 7: Privacy-preserving training + Fairness & bias in ML prediction
What students liked about the course last year (selected feedback)
- "It provides a good chance for me to read state-of-the-art articles; the presentation and discussion part also encourages me to think deeper and learn more actively."
- "The lecturers also helped the leader for discussion and opened new topics to discuss. They also assured us that we can actually ask something that we are not sure about and it is perfectly fine."
- "The discussions, research paper selection, presentations."
- "Experienced participants in the discussions who could contribute interesting points."
- "Really good feedback after our presentations."
- "Really constructive and detailed feedback on how to improve both content and communication."
- "Good feedback!"