EE 8227: Secure Machine Learning
Fall 2023
Wednesday: 12:00-15:00
Room: VIC202 Classroom
Name: Dr. Reza Samavi
Office location: ENG457
Office hours: by appointment
E-mail: samavi@torontomu.ca
Website: https://www.ee.torontomu.ca/~samavi
Email Policy
Email is the main way to contact the instructor. In accordance with the Policy on TMU Student E-mail Accounts (Policy 157), TMU requires that any electronic communication by students to TMU’s faculty or staff be sent from their official TMU email account. All students in full and part-time graduate degree programs are required to activate and maintain their TMU online identity in order to regularly access TMU's e-mail, RAMSS, and my.ryerson.ca portal.
With the extensive proliferation of machine learning models (ML), specifically Generative models (GM), Large Language models (LLM) and ML for safety-critical systems, it is long overdue to study the security and trustworthiness of these models. To address this gap, this course focuses on the theories and techniques for enhancing the security and robustness of machine learning algorithms. Modern machine learning and deep learning models are shown to be vulnerable to a slight perturbation of input queries or training datasets. A number of machine learning algorithms can also memorize and expose private information about individuals. Disclosure of sensitive data not only leads to privacy breaches but also could result in discrimination or issues of fairness. This course is designed to fill this gap and specifically covers the following topics: privacy-preserving statistics and machine learning; adversarial machine learning; certified robustness; poisoning attacks and countermeasures; accountability, transparency and interpretability in machine learning, federated learning to support privacy; and considerations for trustworthy machine learning.
Prerequisites / co-requisites
The course is open to interested engineering graduate students with a solid undergraduate-level mathematical background. Undergraduate level knowledge of probability, statistics, algorithms and data structures, and machine learning is assumed.
Course Website
https://courses.torontomu.ca/d2l/home/783879
Course objectives and intended learning outcomes
This course provides a platform for students to strengthen their knowledge at the intersection of security and machine learning. At the end of this course, students will be able to:
Texts and readings
No textbooks are required for this class. All relevant materials will be made available online on the course website on D2L. The materials mainly come from seminal and recent papers in the field including (but not limited to) Neurips, ICML, ICLR, CCS and USENIX.
Teaching Methods
1. Students' participation and interaction is a major component of this course. Therefore, lectures are accompanied by student presentations and participation.
2. Notes/slides from the class lectures will be posted on D2L.
3. Classes are in person and, no Audio/video recordings of the lecture delivery will be posted on D2L.
4. If the university decides the courses to be delivered virtually, students are NOT required to turn ON their cameras during lectures. However, when a student presents a seminar topic, screen sharing and at minimum audio communication is required. The University has issued a minimum technology requirement for remote learning. Details can be found at: https://www.torontomu.ca/covid-19/students/ Please ensure you meet the minimum technology requirements as specified in this link.
Topics and Course Schedule*
Schedules and contents are tentative and subject to modifications before the semester starts or as we make our way through the course and based on the students' feedback.
|
Week |
|
Detailed Description |
Hours* |
|
1 |
Machine learning attack surface |
Course review, Introduction to information security |
3 |
|
2 |
Attacks on ML confidentiality and privacy |
3 |
|
|
3 |
Attacks on ML integrity - poisoning attacks and adversarial examples |
3 |
|
|
4 |
Attacks on ML availability and model stealing |
3 |
|
|
5 |
Defense against privacy attacks |
Foundations of Differential Privacy (DP): Laplace and Gaussian mechanisms, and beyond noise addition |
3 |
|
6 |
Implementing DP |
3 |
|
|
7 |
DP and synthetic data generation |
3 |
|
|
8 |
Implementing distributed DP: Federated Learning |
3 |
|
|
9 |
Homomorphic Encryption, SMPC, TEE |
3 |
|
|
10 |
Defense against poisoning attacks and adversarial examples |
Poisoning attacks on ML and Game theoretical approaches |
3 |
|
11 |
Machine learning robustness – empirical and certified methods |
3 |
|
|
12 |
Adversarial examples for physical worlds: robots security |
3 |
|
|
13 |
Future Research Directions |
Open research problems in Secure Machine Learning |
3 |
* Note – Any changes and additions to this schedule will be communicated in class and posted on the D2L site. The hours for each lecture is approximated and also includes time for students’ presentations.
Evaluation*
|
No. |
Title |
Value
|
Detail / general description |
|
1 |
Participation & Presentation |
25% |
Starting from Week 3, each week one or more students present an assigned paper and lead the class discussion. The presenters will be evaluated on their communication skills and critical thinking of the subject matter. Discussion on the presented topic of the week is a major component of this course. Other students will be evaluated for their participation in the seminar discussion. |
|
2 |
Project/ Research
paper |
35% |
Students
will complete an individual (or group) research project. The focus of the
projects is on developing new model, theory, or algorithms in one of the
subtopics of secure machine learning. The project can also be an
implementation of known algorithms on a new application domain. For
high-quality projects the instructor will help the student to publish the
work in one of the top-tier machine learning conferences. |
|
3 |
Assignments |
40% |
The exam consists of three take-home assignments completed by students during and at the end of the semester. |
* All evaluation items will be completed individually. For the project/research paper depending on the topic and the scope of the project, the instructor may approve the project to be completed by two students. Further information about project/research ideas and more details on the delivery of the exam (and access to graded items) will be provided by the instructor on the course website.
Students are reminded that they are required to adhere to all relevant university policies found in their online course shell in D2L and/or on the following URL: http://ryerson.ca/senate/course-outline-policies It is student’s responsibility to familiarise themselves with all relevant University academic policies.
The most relevant policies
For information on academic policies pertaining to issues such as course management, grading practices, and appeals, students are to refer to the TMU Senate Policies: Policy 164 – Graduate Status, Enrolment, and Evaluation, Policy 166 – Course Management Policy , and Policy 152 – Graduate Student Academic Considerations and Appeals
Academic Accommodation Support
Students are required to immediately inform their instructors of any situation which arises during the semester, which may have an adverse effect upon their academic performance, and must request any considerations and accommodations according to the relevant policies and well in advance. Failure to do so will jeopardize any academic appeals.
Academic Accommodation Support (AAS) is the university's disability services office. AAS works directly with incoming and returning students looking for help with their academic accommodations. AAS works with any student who requires academic accommodation regardless of program or course load.
● Learn more about Academic Accommodation Support
● Learn how to register with AAS
Academic Accommodations (for students with disabilities) and Academic Consideration (for students faced with extenuating circumstances that can include short-term health issues) are governed by two different university policies. Learn more about Academic Accommodations versus Academic Consideration and how to access each.
Accessibility
● Please study this accessibility statement. The instructor will do every effort to improve the accessibility of this course.
● In case of remote teaching, any technologies used in this course and any known accessibility features or barriers (if applicable) will be communicated ahead of time with the students.
● The students should email the instructor as soon as they discover an accessibility barrier with any course materials or technologies.
Turnitin
· Turnitin.com is a plagiarism prevention and detection service to which TMU subscribes. It is a tool to assist instructors in determining the similarity between students’ work and the work of other students who have submitted papers to the site (at any university), internet sources, and a wide range of books, journals and other publications. While it does not contain all possible sources, it gives instructors some assurance that students’ work is their own. No decisions are made by the service; it generates an “originality report,” which instructors will evaluate to judge if something is plagiarized.
· Students agree by taking this course that their written work will be subject to submission for textual similarity review to Turnitin.com. Instructors can opt to have student’s papers included in the Turnitin.com database or not. Use of the Turnitin.com service is subject to the terms-of-use agreement posted on the Turnitin.com website. Students who do not want their work submitted to this plagiarism detection service must, by the end of the second week of class, consult with their instructor to make alternate arrangements.
· Even when an instructor has not indicated that a plagiarism detection service will be used, or when a student has opted out of the plagiarism detection service, if the instructor has reason to suspect that an individual piece of work has been plagiarized, the instructor is permitted to submit that work in a non-identifying way to any plagiarism detection service.
Academic Integrity and Plagiarism
· TMU’s Policy 60 - Academic Integrity policy, applies to all students at the University. Forms of academic misconduct include plagiarism, cheating, supplying false information to the University, and other acts. The most common form of academic misconduct is plagiarism. Plagiarism is a serious academic offence and penalties can be severe. In any academic exercise, plagiarism occurs when one offers as one’s own work the words, data, ideas, arguments, calculations, designs or productions of another without appropriate attribution or when one allows one’s work to be copied.
· All academic work must be submitted using the citation style approved by the instructor. Students may refer to the TMU Library’s list of Citations and Style Guides for more information.
· It is assumed that all examinations and work submitted for evaluation and course credit will be the product of individual effort, except in the case of group projects arranged for and approved by the course instructor. Submitting the same work to more than one course, without instructor approval, is also considered a form of plagiarism.
· Furthermore, the unauthorized use of the intellectual property of others, including your professor, for distribution, sale, or profit is expressly prohibited. Intellectual property includes, but is not limited to: slides, lecture notes, presentation materials used in and outside of class, lab manuals, course packs, exams, etc.
· Students are advised that suspicions of academic misconduct may be referred to the Academic Integrity Office (AIO). Graduate students who are found to have committed academic misconduct will have a Disciplinary Notation (DN) placed and remain on their academic record, which will exclude them to be eligible for any scholarships and/or awards. In addition, they could be assigned one or more of the penalties ranging from a grade of “zero” (0) on the work, a grade of “F” in the course, to DA (Disciplinary action), DA-S (Disciplinary action with suspension), (DW) Disciplinary withdrawal, up to an expulsion or even revocation of a degree.
· For more detailed information on these issues, please refer to the full online text for the Ryerson Senate Policy 60: Academic Integrity. For more information on how to avoid academic misconduct situations, for clues and tips, visit the Academic Integrity website.
● The Library provides research workshops and individual assistance. If the University is open, there is a Research Help desk on the second floor of the library, or students can use the Library's virtual research help service at https://library.ryerson.ca/ask/ to speak with a librarian.
● Student Life and Learning Support offers group-based and individual help with writing, math, study skills, and transition support, as well as resources and checklists to support students as online learners.
● You can submit an Academic
Consideration Request when an extenuating circumstance has occurred that has
significantly impacted your ability to fulfill an academic requirement. You may
always visit the Senate website and select the blue
radial button on the top right hand side entitled: Academic Consideration
Request (ACR) to submit this request).
Please note that the Provost/ Vice President Academic and Dean's approved a
COVID-19 statement for Fall 2022 related to academic consideration.
This statement will be built into the Online Academic Consideration System
and will also be on the Senate website (www.ryerson.ca/senate) in time for the Fall term:
Policy 167: Academic Consideration for Fall 2022 due to COVID-19: Students who miss an assessment due to cold or flu-like symptoms, or due to self-isolation, are required to provide a health certificate. All absences must follow Senate Policy 167: Academic Consideration.
Also NOTE: Policy 167: Academic Consideration does allow for a once per term academic consideration request without supporting documentation if the absence is less than 3 days in duration and is not for a final exam/final assessment. If the absence is more than 3 days in duration and/or is for a final exam/final assessment, documentation is required. For more information please see Senate Policy 167: Academic Consideration.
● TMU COVID-19 Information and Updates for Students summarizes the variety of resources available to students during the pandemic.
● TMU COVID-19 Vaccination Policy
● In we switch to remote teaching, familiarize yourself with the tools you will need to use for remote learning. The Remote Learning guide for students includes guides to completing quizzes or exams in D2L Brightspace, with or without Respondus LockDown Browser and Monitor, using D2L Brightspace, joining online meetings or lectures, and collaborating with the Google Suite.
● Information on Copyright for Faculty and students.
At Toronto Metropolitan University (TMU), we recognize that things can come up throughout the term that may interfere with a student’s ability to succeed in their coursework. These circumstances are outside of one’s control and can have a serious impact on physical and mental well-being. Seeking help can be a challenge, especially in those times of crisis.
If you are experiencing a mental health crisis, please call 911 and go to the nearest hospital emergency room. You can also access these outside resources at anytime:
● Distress Line: 24/7 line for if you are in crisis, feeling suicidal or in need of emotional support (phone: 416–408–4357)
● Good2Talk: 24/7-hour line for postsecondary students (phone: 1-866-925-5454)
● Keep.meSAFE: 24/7 access to confidential support through counsellors via My SSP app or 1-844-451-9700
If non-crisis support is needed, you can access these campus resources:
● Centre for Student Development and Counselling: 416-979-5195 or email csdc@ryerson.ca
● Consent Comes First – Office of Sexual Violence Support and Education: 416-919-5000 ext: 553596 or email osvse@ryerson.ca
● Medical Centre: call (416) 979-5070 to book an appointment
We encourage all Toronto Metropolitan University community members to access available resources to ensure support is reachable. You can find more resources available through the Toronto Metropolitan University Mental Health and Wellbeing website.