Welcome to the public page for the course on Security and Privacy in Machine Learning (SPML). The main objectives of the course are to introduce students to the principles of security and privacy in machine learning. The students become familiar with the vulnerabilities of machine learning in the training and inference phases and the methods to improve the robustness and privacy of machine learning models.
Course Logistics
Instructor
Amir Mahdi Sadeghzadeh
Office: CE-704
Lab: CE-502
Office Hours: By appointment (through Email)
Email: amsadeghzadeh_at_gmail.com
URL: amsadeghzadeh.github.io
Course Staff
Course Pages
Main References
The main references for the course are research papers in top-tier conferences and journals in computer security (S&P, CCS, USENIX Security, EuroS&P) and machine learning (NeurIPS, ICLR, ICML, CVPR, ECCV). The following three books are used for presenting background topics in machine learning and deep learning in the first part of the course.
Grading Policy
Assignments (30%)
4 Quizzes (10%)
Presentation (10%)
Mid-term (20%)
Final (30%)
Course Policy
Academic Honesty
Sharif CE Department Honor Code (please read it carefully!)
Homework Submission
Submit your answers as a .pdf or .zip file on the course page on the Quera website, using the following filename format: HW[HW#]-[FamilyName]-[std#] (for example, HW3-Hoseini-401234567).
Important:
Late Policy
| # | Date | Topic | Content | Lecture | Reading | HWs | Quiz |
|---|---|---|---|---|---|---|---|
| 1 | 7/19 | Course Intro. | The scope and contents of the course | Lec1 | Towards the Science of Security and Privacy in Machine Learning | | |
| 2 | 7/21 | Deep Learning Review | ML Intro., Perceptron, Logistic Regression, GD, Regularization | Lec2 | Pattern Recognition and Machine Learning Ch. 1 & Ch. 4; Deep Learning Ch. 5 & Ch. 6 | HW0 | |
| 3 | 7/26 | Adversarial Examples | Properties of neural networks, Adversarial Example (L-BFGS), Types of Adversarial Attacks | Lec3 | Intriguing Properties of Neural Networks | | |
| 4 | 7/28 | Adversarial Examples | Fast Gradient Sign Method (FGSM) Attack, L_p Norms | Lec4 | Explaining and Harnessing Adversarial Examples | | |
| 5 | 8/3 | Adversarial Examples | C&W Attack | Lec5 | Towards Evaluating the Robustness of Neural Networks | | |
| 6 | 8/5 | Adversarial Examples | Projected Gradient Descent, Universal Adversarial Perturbations, Adversarial Patch | Lec6 | Universal Adversarial Perturbations; Adversarial Patch | | Quiz1 |
| 7 | 8/10 | Adversarial Examples | Obfuscated Gradients, Adversarial Training, TRADES | Lec7 | Theoretically Principled Trade-off between Robustness and Accuracy; Mitigating Adversarial Effects Through Randomization; Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks | | |
| 8 | 8/12 | Adversarial Examples | Certifiable Robustness, Randomized Smoothing | Lec8 | Certified Adversarial Robustness via Randomized Smoothing | | |
| 9 | 8/17 | Adversarial Examples | | Lec9 | | | |
| 10 | 8/19 | - | | - | | | |
| 11 | 8/24 | Adversarial Examples | | Lec10 | | | |
| 12 | 8/26 | Black box | | Lec11 | | | Quiz2 |
| 13 | 9/1 | Poisoning | | Lec12 | | | |
| 14 | 9/8 | Poisoning | | Lec13 | | | |
| 15 | 9/10 | Model extraction | | Lec14 | | | |
| 16 | 9/15 | MIA | | Lec15 | | | |
| 17 | 9/17 | DP | | Lec16 | | | |
| Exam | 9/20 9AM | Midterm | | | | | |
| 18 | 9/22 | DP | | Lec17 | | | Quiz3 |
| 19 | 9/24 | DP | | Lec18 | | | |
| 20 | 9/29 | Intro to LLM and challenges | | Lec19 | | | |
| 21 | 10/1 | Hallucination | | Lec20 | | | |
| 22 | 10/6 | Alignment (RLHF, DPO) | | Lec21 | | | |
| 23 | 10/8 | Jailbreak of LLM | | Lec22 | | | |
| 24 | 10/15 | Jailbreak of VLM | | Lec23 | | | Quiz4 |
| 25 | 10/20 | - | | Lec24 | | | |
| 26 | 10/22 | - | | Lec25 | | | |
| Exam | 11/4 | Final | | | | | |